framework-mcp 1.0.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,11 @@
1
+ {
2
+ "mcpServers": {
3
+ "sequential-thinking": {
4
+ "command": "npx",
5
+ "args": [
6
+ "-y",
7
+ "@modelcontextprotocol/server-sequential-thinking"
8
+ ]
9
+ }
10
+ }
11
+ }
@@ -0,0 +1,11 @@
1
+ {
2
+ "mcpServers": {
3
+ "sequential-thinking": {
4
+ "command": "npx",
5
+ "args": [
6
+ "-y",
7
+ "@modelcontextprotocol/server-sequential-thinking"
8
+ ]
9
+ }
10
+ }
11
+ }
@@ -0,0 +1,30 @@
1
+ name: Release
2
+
3
+ on:
4
+ push:
5
+ tags:
6
+ - 'v*'
7
+
8
+ jobs:
9
+ publish:
10
+ runs-on: ubuntu-latest
11
+
12
+ steps:
13
+ - uses: actions/checkout@v4
14
+
15
+ - name: Use Node.js
16
+ uses: actions/setup-node@v4
17
+ with:
18
+ node-version: '20.x'
19
+ registry-url: 'https://registry.npmjs.org'
20
+
21
+ - name: Install dependencies
22
+ run: npm ci
23
+
24
+ - name: Build
25
+ run: npm run build
26
+
27
+ - name: Publish to npm
28
+ run: npm publish
29
+ env:
30
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
package/.mcp.json ADDED
@@ -0,0 +1,11 @@
1
+ {
2
+ "mcpServers": {
3
+ "sequential-thinking": {
4
+ "command": "npx",
5
+ "args": [
6
+ "-y",
7
+ "@modelcontextprotocol/server-sequential-thinking"
8
+ ]
9
+ }
10
+ }
11
+ }
@@ -0,0 +1,220 @@
1
+ # CIS Controls v8.1 Implementation Plan
2
+
3
+ ## Current Status
4
+ - **Completed**: 59 safeguards implemented (Controls 1-7 complete)
5
+ - **Remaining**: Controls 8-18 (11 controls, estimated 40+ additional safeguards)
6
+ - **Available Resources**: Individual PDF documents for each control in docs/ folder
7
+
8
+ ## Implementation Strategy
9
+
10
+ ### Sequential Processing Order
11
+ Process controls in this specific order for optimal dependency management:
12
+
13
+ #### Phase 1: Technical Infrastructure Controls (High Priority)
14
+ 1. **Control 8: Audit Log Management**
15
+ - Foundation for security monitoring and detection
16
+ - PDF: `CISv8.1-Control 8.pdf`
17
+ - Estimated safeguards: 6-8
18
+
19
+ 2. **Control 10: Malware Defenses**
20
+ - Critical protection control
21
+ - PDF: `CISv8.1-Control 10.pdf`
22
+ - Estimated safeguards: 6-8
23
+
24
+ 3. **Control 12: Network Infrastructure Management**
25
+ - Network security foundation
26
+ - PDF: `CISv8.1-Control 12.pdf`
27
+ - Estimated safeguards: 6-8
28
+
29
+ 4. **Control 13: Network Monitoring and Defense**
30
+ - Builds on Control 12, detection capabilities
31
+ - PDF: `CISv8.1-Control 13.pdf`
32
+ - Estimated safeguards: 6-8
33
+
34
+ #### Phase 2: Data and Application Controls (Medium-High Priority)
35
+ 5. **Control 9: Email and Web Browser Protections**
36
+ - Common attack vectors
37
+ - PDF: `CISv8.1-Control 9.pdf`
38
+ - Estimated safeguards: 4-6
39
+
40
+ 6. **Control 11: Data Recovery**
41
+ - Business continuity foundation
42
+ - PDF: `CISv8.1-Control 11.pdf`
43
+ - Estimated safeguards: 3-5
44
+
45
+ 7. **Control 16: Application Software Security**
46
+ - Application layer security
47
+ - PDF: `CISv8.1-Control 16.pdf`
48
+ - Estimated safeguards: 6-8
49
+
50
+ #### Phase 3: Process and Governance Controls (Medium Priority)
51
+ 8. **Control 14: Security Awareness and Skills Training**
52
+ - Human element, process-focused
53
+ - PDF: `CISv8.1-Control 14.pdf`
54
+ - Estimated safeguards: 4-6
55
+
56
+ 9. **Control 15: Service Provider Management**
57
+ - Third-party risk management
58
+ - PDF: `CISv8.1-Control 15.pdf`
59
+ - Estimated safeguards: 4-6
60
+
61
+ 10. **Control 17: Incident Response Management**
62
+ - Response processes and capabilities
63
+ - PDF: `CISv8.1-Control 17.pdf`
64
+ - Estimated safeguards: 6-8
65
+
66
+ 11. **Control 18: Penetration Testing**
67
+ - Validation and testing processes
68
+ - PDF: `CISv8.1-Control 18.pdf`
69
+ - Estimated safeguards: 3-5
70
+
71
+ ## Standard Session Template
72
+
73
+ For each control, follow this systematic approach:
74
+
75
+ ### 1. Initialize Session
76
+ ```bash
77
+ # Update todo list with current control
78
+ # Example: "Process Control 8: Audit Log Management"
79
+ ```
80
+
81
+ ### 2. Read and Analyze PDF
82
+ - Read the complete control PDF document
83
+ - Identify all safeguards in the control (e.g., 8.1, 8.2, 8.3, etc.)
84
+ - Note control title, description, and overall purpose
85
+ - Extract Implementation Group classifications
86
+
87
+ ### 3. Extract Safeguard Elements
88
+ For each safeguard, categorize elements using the color-coding system:
89
+
90
+ - **🟠 Orange (Governance Elements)**: Process/policy requirements that MUST be met
91
+ - **🟢 Green (Core Requirements)**: The essential "what" of the safeguard
92
+ - **🟔 Yellow (Sub-taxonomical Elements)**: Detailed sub-components
93
+ - **⚫ Gray (Implementation Suggestions)**: Suggested methods and tools
94
+
95
+ Additional metadata:
96
+ - Asset types (devices, applications, users, etc.)
97
+ - Security functions (Identify, Protect, Detect, Respond, Recover)
98
+ - Relevant keywords for analysis engine
99
+
100
+ ### 4. Implement in Code
101
+ ```typescript
102
+ // Add to CIS_SAFEGUARDS object in src/index.ts
103
+ "X.Y": {
104
+ id: "X.Y",
105
+ title: "Safeguard Title",
106
+ description: "Description...",
107
+ implementationGroup: "IG1" | "IG2" | "IG3",
108
+ assetType: [...],
109
+ securityFunction: [...],
110
+ governanceElements: [...], // Orange
111
+ coreRequirements: [...], // Green
112
+ subTaxonomicalElements: [...], // Yellow
113
+ implementationSuggestions: [...], // Gray
114
+ relatedSafeguards: [...],
115
+ keywords: [...]
116
+ }
117
+ ```
118
+
119
+ ### 5. Test and Validate
120
+ ```bash
121
+ npm run build # Verify compilation
122
+ # Test with sample vendor responses
123
+ # Verify analysis engine processes new safeguards correctly
124
+ ```
125
+
126
+ ### 6. Document and Commit
127
+ ```bash
128
+ git add .
129
+ git commit -m "Add Control X: [Control Name] - implemented X.1 through X.Y safeguards
130
+
131
+ - Extracted all safeguards from CISv8.1-Control X.pdf
132
+ - Categorized elements using color-coding system
133
+ - Added appropriate keywords and metadata
134
+ - Tested with analysis engine
135
+
136
+ šŸ¤– Generated with [Claude Code](https://claude.ai/code)
137
+
138
+ Co-Authored-By: Claude <noreply@anthropic.com>"
139
+
140
+ git push origin main
141
+ ```
142
+
143
+ ## Success Criteria for Each Control
144
+
145
+ āœ… **Extraction Complete**
146
+ - [ ] All safeguards identified and extracted from PDF
147
+ - [ ] Elements properly categorized (Orange/Green/Yellow/Gray)
148
+ - [ ] Implementation Groups assigned correctly
149
+
150
+ āœ… **Code Implementation**
151
+ - [ ] All safeguards added to CIS_SAFEGUARDS object
152
+ - [ ] Consistent formatting with existing controls
153
+ - [ ] Code compiles without errors
154
+ - [ ] Proper TypeScript typing maintained
155
+
156
+ āœ… **Testing and Validation**
157
+ - [ ] Analysis engine correctly processes new safeguards
158
+ - [ ] Capability categorization works appropriately
159
+ - [ ] Sample vendor responses produce expected results
160
+
161
+ āœ… **Documentation and Commit**
162
+ - [ ] Progress tracking updated
163
+ - [ ] Detailed commit message with control summary
164
+ - [ ] Changes committed and pushed to repository
165
+
166
+ ## Progress Tracking
167
+
168
+ ### Completed Controls
169
+ - āœ… Control 1: Inventory and Control of Enterprise Assets
170
+ - āœ… Control 2: Inventory and Control of Software Assets
171
+ - āœ… Control 3: Data Protection
172
+ - āœ… Control 4: Secure Configuration of Enterprise Assets and Software
173
+ - āœ… Control 5: Account Management
174
+ - āœ… Control 6: Access Control Management
175
+ - āœ… Control 7: Continuous Vulnerability Management
176
+ - āœ… **Control 8: Audit Log Management** (12 safeguards: 8.1-8.12)
177
+ - āœ… **Control 10: Malware Defenses** (7 safeguards: 10.1-10.7)
178
+ - āœ… **Control 11: Data Recovery** (5 safeguards: 11.1-11.5)
179
+ - āœ… **Control 9: Email and Web Browser Protections** (7 safeguards: 9.1-9.7)
180
+ - āœ… **Control 12: Network Infrastructure Management** (8 safeguards: 12.1-12.8)
181
+ - āœ… **Control 13: Network Monitoring and Defense** (11 safeguards: 13.1-13.11)
182
+ - āœ… **Control 14: Security Awareness and Skills Training** (9 safeguards: 14.1-14.9)
183
+ - āœ… **Control 15: Service Provider Management** (7 safeguards: 15.1-15.7)
184
+ - āœ… **Control 16: Application Software Security** (14 safeguards: 16.1-16.14)
185
+ - āœ… **Control 17: Incident Response Management** (9 safeguards: 17.1-17.9)
186
+ - āœ… **Control 18: Penetration Testing** (5 safeguards: 18.1-18.5)
187
+
188
+ ### āœ… ALL CONTROLS COMPLETE
189
+ **Total Implementation**: 153 safeguards across all 18 CIS Controls v8.1
190
+
191
+ ### Final Status
192
+ - [ ] **COMPLETE**: All CIS Controls v8.1 safeguards implemented
193
+ - [ ] **Framework Ready**: Full vendor analysis capability enabled
194
+
195
+ ## Risk Mitigation
196
+
197
+ ### Context Limit Management
198
+ - Process only one control per session to avoid PDF context limits
199
+ - Use targeted reading with offsets if PDFs are very large
200
+ - Focus on extracting structured information efficiently
201
+
202
+ ### Quality Assurance
203
+ - Reference existing controls 1-7 as formatting templates
204
+ - Validate element categorization against established patterns
205
+ - Test each implementation before moving to next control
206
+
207
+ ### Recovery Strategy
208
+ - Detailed progress tracking enables restart from any point
209
+ - Each control is independent (no cascading failures)
210
+ - Commit after each successful control completion
211
+ - Can skip complex controls and return later if needed
212
+
213
+ ## Estimated Timeline
214
+ - **Per Control**: 1-2 hours (extraction + implementation + testing)
215
+ - **Total Remaining**: ~15-20 hours of focused work
216
+ - **Completion Target**: Can be spread across multiple sessions safely
217
+
218
+ ---
219
+
220
+ **Next Action**: Begin with Control 8 (Audit Log Management) using the standard session template.
package/README.md CHANGED
@@ -44,6 +44,17 @@ The server uses the CIS Controls visual framework with color-coded categorizatio
44
44
  npm install -g framework-mcp
45
45
  ```
46
46
 
47
+ ### Update to Latest Version
48
+ ```bash
49
+ npm update -g framework-mcp
50
+ ```
51
+
52
+ Or reinstall to get the latest version:
53
+ ```bash
54
+ npm uninstall -g framework-mcp
55
+ npm install -g framework-mcp
56
+ ```
57
+
47
58
  ### Install from source
48
59
  ```bash
49
60
  git clone https://github.com/therealcybermattlee/FrameworkMCP.git
@@ -115,8 +126,21 @@ claude-code "Analyze the vendor responses in vendors.csv and provide recommendat
115
126
  claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"
116
127
  ```
117
128
 
129
+ ### Validate Vendor Capability Claims
130
+
131
+ **NEW**: Validate whether a vendor's stated capability mapping is actually supported by their explanatory text.
132
+
133
+ ```bash
134
+ claude-code "Validate this vendor capability claim:
135
+ Vendor: SecureAssets Corp
136
+ Safeguard: 1.1
137
+ Claimed Capability: FULL
138
+ Supporting Text: 'Our comprehensive asset management platform performs automated discovery of all enterprise devices, maintains detailed hardware and software inventories, tracks ownership and location data, provides real-time asset status monitoring, and includes documented inventory procedures with bi-annual review capabilities.'"
139
+ ```
140
+
118
141
  ## šŸ“Š Sample Output
119
142
 
143
+ ### Standard Analysis Output
120
144
  ```json
121
145
  {
122
146
  "vendor": "SecureIAM Corp",
@@ -146,16 +170,40 @@ claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-e
146
170
  }
147
171
  ```
148
172
 
173
+ ### Validation Tool Output
174
+ ```json
175
+ {
176
+ "vendor": "SecureAssets Corp",
177
+ "safeguard_id": "1.1",
178
+ "safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
179
+ "claimed_capability": "full",
180
+ "validation_status": "SUPPORTED",
181
+ "confidence_score": 85,
182
+ "evidence_analysis": {
183
+ "core_requirements_coverage": 100,
184
+ "sub_elements_coverage": 47,
185
+ "governance_alignment": 80,
186
+ "language_consistency": 90
187
+ },
188
+ "gaps_identified": [],
189
+ "strengths_identified": [
190
+ "High coverage of core requirements and sub-elements",
191
+ "Strong implementation language consistency"
192
+ ],
193
+ "recommendations": [],
194
+ "detailed_feedback": "Validation of FULL capability claim: SUPPORTED (85% alignment)\n\nSTRENGTHS:\n• High coverage of core requirements and sub-elements\n• Strong implementation language consistency\n\nASSESSMENT: The vendor's supporting evidence strongly aligns with their claimed capability."
195
+ }
196
+ ```
197
+
149
198
  ## šŸ”§ Available Tools
150
199
 
151
200
  | Tool | Description |
152
201
  |------|-------------|
153
202
  | `analyze_vendor_response` | Analyze vendor response for specific safeguard |
203
+ | `validate_vendor_mapping` | **NEW** Validate vendor's claimed capability against supporting evidence |
154
204
  | `validate_coverage_claim` | Validate FULL/PARTIAL coverage claims |
155
205
  | `get_safeguard_details` | Get detailed safeguard breakdown |
156
206
  | `list_available_safeguards` | List all available CIS safeguards |
157
- | `generate_coverage_report` | Generate detailed coverage analysis |
158
- | `export_analysis` | Export results to JSON/CSV/Markdown |
159
207
 
160
208
  ## šŸ“ File Formats Supported
161
209
 
@@ -185,16 +233,51 @@ Vendor: AnotherVendor - Safeguard: 6.3
185
233
  Another response...
186
234
  ```
187
235
 
236
+ ## šŸ†• Vendor Mapping Validation
237
+
238
+ The **validate_vendor_mapping** tool provides evidence-based validation of vendor capability claims. This addresses a critical need: vendors often self-assess their capabilities, but practitioners need to verify whether the supporting evidence actually justifies the claimed mapping.
239
+
240
+ ### Validation Criteria
241
+
242
+ | Capability | Requirements | Validation Thresholds |
243
+ |------------|-------------|----------------------|
244
+ | **FULL** | Complete implementation within scope | ≄70% core requirements + ≄40% sub-elements |
245
+ | **PARTIAL** | Limited scope with clear boundaries | ≄30% core requirements OR some core + ≄20% sub-elements |
246
+ | **FACILITATES** | Enables/enhances implementation | Facilitation language present, no direct implementation claims |
247
+ | **GOVERNANCE** | Policy/process management | ≄60% governance elements + policy language |
248
+ | **VALIDATES** | Evidence collection & reporting | Audit/monitoring/reporting capabilities present |
249
+
250
+ ### Validation Statuses
251
+
252
+ - **SUPPORTED** (70-100%): Evidence strongly supports the claimed capability
253
+ - **QUESTIONABLE** (40-69%): Evidence partially supports but has notable gaps
254
+ - **UNSUPPORTED** (0-39%): Evidence does not adequately support the claim
255
+
256
+ ### Usage Examples
257
+
258
+ ```bash
259
+ # Validate a FULL coverage claim
260
+ claude-code "Use validate_vendor_mapping for vendor 'AssetMax Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our platform provides comprehensive automated discovery, detailed inventory management, and complete asset lifecycle tracking for all enterprise devices including servers, workstations, and network equipment.'"
261
+
262
+ # Validate a FACILITATES claim
263
+ claude-code "Use validate_vendor_mapping for vendor 'ThreatIntel Feed', safeguard '1.1', claimed capability 'facilitates', with supporting text: 'Our threat intelligence service provides supplemental risk data that enriches existing asset management systems, enabling organizations to prioritize asset security based on threat exposure.'"
264
+
265
+ # Validate a questionable claim
266
+ claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1.1', claimed capability 'full', with supporting text: 'We help track computers and provide some visibility into your IT environment.'"
267
+ ```
268
+
188
269
  ## šŸŽÆ CIS Controls Coverage
189
270
 
190
- Currently supports key safeguards including:
191
- - **1.1** - Enterprise Asset Inventory
192
- - **1.2** - Address Unauthorized Assets
193
- - **5.1** - Inventory of Accounts
194
- - **6.3** - MFA for Externally-Exposed Applications
195
- - **7.1** - Vulnerability Management Process
271
+ **Complete CIS Controls v8.1 Framework Implementation**
272
+ - **153 total safeguards** across all 18 controls
273
+ - **Full framework coverage** from Controls 1-18
274
+ - **Comprehensive vendor analysis** capability for all CIS safeguards
196
275
 
197
- *Additional safeguards can be easily added to the framework.*
276
+ ### Current Version Highlights
277
+ - āœ… **All 18 Controls** implemented (Enterprise Assets through Penetration Testing)
278
+ - āœ… **Color-coded element categorization** (Orange/Green/Yellow/Gray)
279
+ - āœ… **Enhanced capability detection** (Governance, Facilitates, Coverage, Validates)
280
+ - āœ… **Production-ready** vendor analysis for complete compliance assessments
198
281
 
199
282
  ## šŸ› ļø Development
200
283
 
package/dist/index.d.ts CHANGED
@@ -1,3 +1,31 @@
1
1
  #!/usr/bin/env node
2
- export {};
2
+ export declare class GRCAnalysisServer {
3
+ private server;
4
+ constructor();
5
+ private setupToolHandlers;
6
+ private getSafeguardDetails;
7
+ private listAvailableSafeguards;
8
+ private analyzeVendorResponse;
9
+ private validateCoverageClaim;
10
+ private performEnhancedSafeguardAnalysis;
11
+ private calculateKeywordScore;
12
+ private analyzeElementCoverage;
13
+ private analyzeBinaryElementCoverage;
14
+ private extractEnhancedEvidence;
15
+ private generateEnhancedReasoning;
16
+ private generateCapabilityReasoning;
17
+ private validateClaim;
18
+ private validateVendorMapping;
19
+ private validateCapabilityClaim;
20
+ private assessClaimAlignment;
21
+ private hasFacilitationLanguage;
22
+ private hasScopeBoundaries;
23
+ private hasDirectImplementationLanguage;
24
+ private assessImplementationLanguage;
25
+ private assessFacilitationLanguage;
26
+ private assessGovernanceLanguage;
27
+ private assessValidationLanguage;
28
+ private generateValidationFeedback;
29
+ run(): Promise<void>;
30
+ }
3
31
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAu6KA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;;IAavB,OAAO,CAAC,iBAAiB;YAiKX,mBAAmB;YA8CnB,uBAAuB;YAuCvB,qBAAqB;YAoBrB,qBAAqB;IA8BnC,OAAO,CAAC,gCAAgC;IAkKxC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,4BAA4B;IAwCpC,OAAO,CAAC,uBAAuB;IA6B/B,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAuEnC,OAAO,CAAC,aAAa;YAsFP,qBAAqB;IAyBnC,OAAO,CAAC,uBAAuB;IAqD/B,OAAO,CAAC,oBAAoB;IA4J5B,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,kBAAkB;IAQ1B,OAAO,CAAC,+BAA+B;IAQvC,OAAO,CAAC,4BAA4B;IAQpC,OAAO,CAAC,0BAA0B;IAQlC,OAAO,CAAC,wBAAwB;IAQhC,OAAO,CAAC,wBAAwB;IAShC,OAAO,CAAC,0BAA0B;IAiC5B,GAAG;CAKV"}