framework-mcp 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,61 @@
1
+ name: CI
2
+
3
+ on:
4
+ push:
5
+ branches: [ main, develop ]
6
+ pull_request:
7
+ branches: [ main ]
8
+
9
+ jobs:
10
+ test:
11
+ runs-on: ubuntu-latest
12
+
13
+ strategy:
14
+ matrix:
15
+ node-version: [18.x, 20.x]
16
+
17
+ steps:
18
+ - uses: actions/checkout@v4
19
+
20
+ - name: Use Node.js ${{ matrix.node-version }}
21
+ uses: actions/setup-node@v4
22
+ with:
23
+ node-version: ${{ matrix.node-version }}
24
+ cache: 'npm'
25
+
26
+ - name: Install dependencies
27
+ run: npm ci
28
+
29
+ - name: Run linter
30
+ run: npm run lint --if-present
31
+
32
+ - name: Build
33
+ run: npm run build
34
+
35
+ - name: Run tests
36
+ run: npm test --if-present
37
+
38
+ publish:
39
+ needs: test
40
+ runs-on: ubuntu-latest
41
+ if: github.ref == 'refs/heads/main'
42
+
43
+ steps:
44
+ - uses: actions/checkout@v4
45
+
46
+ - name: Use Node.js
47
+ uses: actions/setup-node@v4
48
+ with:
49
+ node-version: '20.x'
50
+ registry-url: 'https://registry.npmjs.org'
51
+
52
+ - name: Install dependencies
53
+ run: npm ci
54
+
55
+ - name: Build
56
+ run: npm run build
57
+
58
+ - name: Publish to npm
59
+ run: npm publish --if-present
60
+ env:
61
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
package/LICENSE ADDED
@@ -0,0 +1,26 @@
1
+ Creative Commons Attribution 4.0 International License
2
+
3
+ Copyright (c) 2025 Cyber RISE, Inc
4
+
5
+ This work is licensed under the Creative Commons Attribution 4.0 International License.
6
+
7
+ You are free to:
8
+
9
+ Share — copy and redistribute the material in any medium or format
10
+ Adapt — remix, transform, and build upon the material for any purpose, even commercially.
11
+
12
+ The licensor cannot revoke these freedoms as long as you follow the license terms.
13
+
14
+ Under the following terms:
15
+
16
+ Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
17
+
18
+ No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
19
+
20
+ Notices:
21
+
22
+ You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.
23
+
24
+ No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.
25
+
26
+ Full license text: https://creativecommons.org/licenses/by/4.0/legalcode
package/README.md ADDED
@@ -0,0 +1,298 @@
1
+ # Vendor Framework Analyzer MCP Server
2
+
3
+ [![npm version](https://badge.fury.io/js/framework-mcp.svg)](https://badge.fury.io/js/framework-mcp)
4
+ [![License: CC BY 4.0](https://img.shields.io/badge/License-CC%20BY%204.0-lightgrey.svg)](https://creativecommons.org/licenses/by/4.0/)
5
+ [![GitHub](https://img.shields.io/github/stars/therealcybermattlee/FrameworkMCP?style=social)](https://github.com/therealcybermattlee/FrameworkMCP)
6
+ [![Website](https://img.shields.io/badge/Website-cyberrise.org-blue)](https://cyberrise.org)
7
+
8
+ A Model Context Protocol (MCP) server that analyzes vendor responses against the **CIS Controls Framework** using a 4-attribute methodology. This tool helps security professionals evaluate vendor capabilities against specific CIS Control safeguards with detailed sub-taxonomical analysis.
9
+
10
+ ## 🎯 Purpose
11
+
12
+ This MCP server enables security teams to:
13
+ - **Analyze vendor responses** against specific CIS Control safeguards (1.1, 5.1, 6.3, etc.)
14
+ - **Validate coverage claims** (FULL/PARTIAL) with evidence-based assessment
15
+ - **Categorize vendor capabilities** across 4 key attributes: Governance, Facilitates, Coverage, and Validates
16
+ - **Generate detailed reports** showing sub-element coverage and compliance gaps
17
+
18
+ ## 🔧 The 4 Analysis Attributes
19
+
20
+ | Attribute | Description | Example |
21
+ |-----------|-------------|---------|
22
+ | **Governance** | GRC platform capabilities for policy/process management | Policy management, documented processes, compliance workflows |
23
+ | **Facilitates** | Enhancement capabilities that enable others to implement safeguards better/faster/stronger (does not perform safeguard directly) | Automation tools, optimization platforms, streamlined workflows |
24
+ | **Coverage** | Scope of safeguard elements directly addressed by tools that perform the safeguard (Full/Partial) | Percentage of sub-taxonomical elements actually implemented |
25
+ | **Validates** | Verification capabilities providing evidence and reporting | Audit logs, compliance reports, evidence collection |
26
+
27
+ ## 🎨 CIS Controls Framework Integration
28
+
29
+ The server uses the CIS Controls visual framework with color-coded categorization:
30
+
31
+ - **🟠 Orange Elements**: Governance requirements that MUST be met
32
+ - **🟢 Green Elements**: Core "what" of the safeguard
33
+ - **🟡 Yellow Elements**: Sub-taxonomical components
34
+ - **⚫ Gray Elements**: Implementation suggestions and methods
35
+
36
+ ## 🚀 Installation
37
+
38
+ ### Prerequisites
39
+ - Node.js 18+
40
+ - Claude Code CLI tool
41
+
42
+ ### Install from npm
43
+ ```bash
44
+ npm install -g framework-mcp
45
+ ```
46
+
47
+ ### Install from source
48
+ ```bash
49
+ git clone https://github.com/therealcybermattlee/FrameworkMCP.git
50
+ cd FrameworkMCP
51
+ npm install
52
+ npm run build
53
+ ```
54
+
55
+ ## ⚙️ Configuration
56
+
57
+ ### Claude Code Integration
58
+
59
+ Add to your MCP configuration file (`~/.config/claude-code/mcp.json`):
60
+
61
+ ```json
62
+ {
63
+ "mcpServers": {
64
+ "framework-analyzer": {
65
+ "command": "node",
66
+ "args": ["/path/to/FrameworkMCP/dist/index.js"],
67
+ "env": {}
68
+ }
69
+ }
70
+ }
71
+ ```
72
+
73
+ ### Verify Installation
74
+ ```bash
75
+ claude-code "List available CIS Control safeguards"
76
+ ```
77
+
78
+ ## 📋 Usage Examples
79
+
80
+ ### Analyze Single Vendor Response
81
+
82
+ ```bash
83
+ claude-code "Analyze this vendor response for safeguard 5.1:
84
+ Vendor: SecureIAM Corp
85
+ Response: 'Our tool is a full identity provider with comprehensive account management. We maintain detailed user inventories including names, usernames, departments, and access rights. Automated quarterly reviews ensure all accounts are authorized and compliant.'"
86
+ ```
87
+
88
+ ### Validate Coverage Claims
89
+
90
+ ```bash
91
+ claude-code "Validate this coverage claim:
92
+ Vendor: ComplianceBot
93
+ Safeguard: 5.1
94
+ Claim: FULL coverage with Governance and Validates capabilities
95
+ Response: 'We provide automated account lifecycle management with real-time inventory tracking and compliance reporting.'"
96
+ ```
97
+
98
+ ### Analyze Multiple Vendors from File
99
+
100
+ Create `vendors.csv`:
101
+ ```csv
102
+ vendor,safeguard,response
103
+ VendorA,5.1,"Complete IAM solution with policy management and quarterly reviews"
104
+ VendorB,5.1,"Basic user directory with manual account tracking"
105
+ VendorC,6.3,"MFA enforcement for all external applications with SSO integration"
106
+ ```
107
+
108
+ ```bash
109
+ claude-code "Analyze the vendor responses in vendors.csv and provide recommendations"
110
+ ```
111
+
112
+ ### Get Safeguard Details
113
+
114
+ ```bash
115
+ claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"
116
+ ```
117
+
118
+ ## 📊 Sample Output
119
+
120
+ ```json
121
+ {
122
+ "vendor": "SecureIAM Corp",
123
+ "safeguardId": "5.1",
124
+ "safeguardTitle": "Establish and Maintain an Inventory of Accounts",
125
+ "governance": true,
126
+ "facilitates": true,
127
+ "coverage": "full",
128
+ "validates": true,
129
+ "confidence": 87,
130
+ "coverageBreakdown": {
131
+ "governance": 90,
132
+ "core": 85,
133
+ "subElements": 75,
134
+ "overall": 83
135
+ },
136
+ "governanceElementsCovered": [
137
+ "establish inventory process",
138
+ "maintain inventory process",
139
+ "validate all active accounts are authorized"
140
+ ],
141
+ "evidence": [
142
+ "comprehensive account management",
143
+ "detailed user inventories",
144
+ "automated quarterly reviews"
145
+ ]
146
+ }
147
+ ```
148
+
149
+ ## 🔧 Available Tools
150
+
151
+ | Tool | Description |
152
+ |------|-------------|
153
+ | `analyze_vendor_response` | Analyze vendor response for specific safeguard |
154
+ | `validate_coverage_claim` | Validate FULL/PARTIAL coverage claims |
155
+ | `get_safeguard_details` | Get detailed safeguard breakdown |
156
+ | `list_available_safeguards` | List all available CIS safeguards |
157
+ | `generate_coverage_report` | Generate detailed coverage analysis |
158
+ | `export_analysis` | Export results to JSON/CSV/Markdown |
159
+
160
+ ## 📁 File Formats Supported
161
+
162
+ ### JSON Format
163
+ ```json
164
+ [
165
+ {
166
+ "name": "VendorName",
167
+ "safeguard_id": "5.1",
168
+ "response": "Vendor response text..."
169
+ }
170
+ ]
171
+ ```
172
+
173
+ ### CSV Format
174
+ ```csv
175
+ vendor,safeguard,response
176
+ VendorName,5.1,"Response text..."
177
+ ```
178
+
179
+ ### Text Format
180
+ ```
181
+ Vendor: VendorName - Safeguard: 5.1
182
+ Response text here...
183
+
184
+ Vendor: AnotherVendor - Safeguard: 6.3
185
+ Another response...
186
+ ```
187
+
188
+ ## 🎯 CIS Controls Coverage
189
+
190
+ Currently supports key safeguards including:
191
+ - **1.1** - Enterprise Asset Inventory
192
+ - **1.2** - Address Unauthorized Assets
193
+ - **5.1** - Inventory of Accounts
194
+ - **6.3** - MFA for Externally-Exposed Applications
195
+ - **7.1** - Vulnerability Management Process
196
+
197
+ *Additional safeguards can be easily added to the framework.*
198
+
199
+ ## 🛠️ Development
200
+
201
+ ### Build from Source
202
+ ```bash
203
+ git clone https://github.com/therealcybermattlee/FrameworkMCP.git
204
+ cd FrameworkMCP
205
+ npm install
206
+ npm run build
207
+ ```
208
+
209
+ ### Add New Safeguards
210
+ Edit `src/index.ts` and add to the `CIS_SAFEGUARDS` object:
211
+
212
+ ```typescript
213
+ "X.Y": {
214
+ id: "X.Y",
215
+ title: "Safeguard Title",
216
+ description: "Description...",
217
+ implementationGroup: "IG1",
218
+ governanceElements: [...], // Orange - MUST be met
219
+ coreRequirements: [...], // Green - The "what"
220
+ subTaxonomicalElements: [...], // Yellow - Sub-elements
221
+ implementationSuggestions: [...], // Gray - Suggestions
222
+ // ...
223
+ }
224
+ ```
225
+
226
+ ### Testing
227
+ ```bash
228
+ npm test
229
+ ```
230
+
231
+ ## 🤝 Contributing
232
+
233
+ 1. Fork the repository
234
+ 2. Create a feature branch (`git checkout -b feature/amazing-feature`)
235
+ 3. Commit your changes (`git commit -m 'Add amazing feature'`)
236
+ 4. Push to the branch (`git push origin feature/amazing-feature`)
237
+ 5. Open a Pull Request
238
+
239
+ ### Guidelines
240
+ - Follow the existing code style
241
+ - Add tests for new features
242
+ - Update documentation
243
+ - Ensure all tests pass
244
+
245
+ ## 📖 Documentation
246
+
247
+ - [Installation Guide](docs/installation.md)
248
+ - [API Reference](docs/api-reference.md)
249
+ - [CIS Safeguards Reference](docs/safeguards-reference.md)
250
+ - [Example Usage](examples/example-usage.md)
251
+
252
+ ## 🐛 Troubleshooting
253
+
254
+ ### Common Issues
255
+
256
+ **Permission denied:**
257
+ ```bash
258
+ chmod +x dist/index.js
259
+ ```
260
+
261
+ **Module not found:**
262
+ ```bash
263
+ npm install
264
+ npm run build
265
+ ```
266
+
267
+ **MCP server not connecting:**
268
+ - Check Claude Code MCP configuration
269
+ - Verify file paths are absolute
270
+ - Ensure Node.js version compatibility
271
+
272
+ ## 📄 License
273
+
274
+ This project is licensed under the Creative Commons Attribution 4.0 International License by Cyber RISE, Inc - see the [LICENSE](LICENSE) file for details.
275
+
276
+ You are free to:
277
+ - **Share** — copy and redistribute the material in any medium or format
278
+ - **Adapt** — remix, transform, and build upon the material for any purpose, even commercially
279
+
280
+ Under the following terms:
281
+ - **Attribution** — You must give appropriate credit to Cyber RISE, Inc, provide a link to the license, and indicate if changes were made
282
+
283
+ ## 🙏 Acknowledgments
284
+
285
+ - **Center for Internet Security (CIS)** for the CIS Controls Framework
286
+ - **Pax8** and community contributors for the CIS Controls visualizations
287
+ - **Anthropic** for the Model Context Protocol and Claude Code
288
+
289
+ ## 📞 Support
290
+
291
+ - 📧 **Issues**: [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
292
+ - 📖 **Documentation**: [Project Wiki](https://github.com/therealcybermattlee/FrameworkMCP/wiki)
293
+ - 💬 **Discussions**: [GitHub Discussions](https://github.com/therealcybermattlee/FrameworkMCP/discussions)
294
+ - 🐦 **Updates**: Follow [@cybermattlee](https://twitter.com/cybermattlee) for project updates
295
+
296
+ ---
297
+
298
+ **Built with ❤️ for the cybersecurity community by [Matt Lee](https://github.com/therealcybermattlee)**
@@ -0,0 +1,3 @@
1
+ #!/usr/bin/env node
2
+ export {};
3
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}