framework-mcp 1.1.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -44,6 +44,17 @@ The server uses the CIS Controls visual framework with color-coded categorizatio
44
44
  npm install -g framework-mcp
45
45
  ```
46
46
 
47
+ ### Update to Latest Version
48
+ ```bash
49
+ npm update -g framework-mcp
50
+ ```
51
+
52
+ Or reinstall to get the latest version:
53
+ ```bash
54
+ npm uninstall -g framework-mcp
55
+ npm install -g framework-mcp
56
+ ```
57
+
47
58
  ### Install from source
48
59
  ```bash
49
60
  git clone https://github.com/therealcybermattlee/FrameworkMCP.git
@@ -115,8 +126,21 @@ claude-code "Analyze the vendor responses in vendors.csv and provide recommendat
115
126
  claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"
116
127
  ```
117
128
 
129
+ ### Validate Vendor Capability Claims
130
+
131
+ **NEW**: Validate whether a vendor's stated capability mapping is actually supported by their explanatory text.
132
+
133
+ ```bash
134
+ claude-code "Validate this vendor capability claim:
135
+ Vendor: SecureAssets Corp
136
+ Safeguard: 1.1
137
+ Claimed Capability: FULL
138
+ Supporting Text: 'Our comprehensive asset management platform performs automated discovery of all enterprise devices, maintains detailed hardware and software inventories, tracks ownership and location data, provides real-time asset status monitoring, and includes documented inventory procedures with bi-annual review capabilities.'"
139
+ ```
140
+
118
141
  ## šŸ“Š Sample Output
119
142
 
143
+ ### Standard Analysis Output
120
144
  ```json
121
145
  {
122
146
  "vendor": "SecureIAM Corp",
@@ -146,16 +170,40 @@ claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-e
146
170
  }
147
171
  ```
148
172
 
173
+ ### Validation Tool Output
174
+ ```json
175
+ {
176
+ "vendor": "SecureAssets Corp",
177
+ "safeguard_id": "1.1",
178
+ "safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
179
+ "claimed_capability": "full",
180
+ "validation_status": "SUPPORTED",
181
+ "confidence_score": 85,
182
+ "evidence_analysis": {
183
+ "core_requirements_coverage": 100,
184
+ "sub_elements_coverage": 47,
185
+ "governance_alignment": 80,
186
+ "language_consistency": 90
187
+ },
188
+ "gaps_identified": [],
189
+ "strengths_identified": [
190
+ "High coverage of core requirements and sub-elements",
191
+ "Strong implementation language consistency"
192
+ ],
193
+ "recommendations": [],
194
+ "detailed_feedback": "Validation of FULL capability claim: SUPPORTED (85% alignment)\n\nSTRENGTHS:\n• High coverage of core requirements and sub-elements\n• Strong implementation language consistency\n\nASSESSMENT: The vendor's supporting evidence strongly aligns with their claimed capability."
195
+ }
196
+ ```
197
+
149
198
  ## šŸ”§ Available Tools
150
199
 
151
200
  | Tool | Description |
152
201
  |------|-------------|
153
202
  | `analyze_vendor_response` | Analyze vendor response for specific safeguard |
203
+ | `validate_vendor_mapping` | **NEW** Validate vendor's claimed capability against supporting evidence |
154
204
  | `validate_coverage_claim` | Validate FULL/PARTIAL coverage claims |
155
205
  | `get_safeguard_details` | Get detailed safeguard breakdown |
156
206
  | `list_available_safeguards` | List all available CIS safeguards |
157
- | `generate_coverage_report` | Generate detailed coverage analysis |
158
- | `export_analysis` | Export results to JSON/CSV/Markdown |
159
207
 
160
208
  ## šŸ“ File Formats Supported
161
209
 
@@ -185,16 +233,51 @@ Vendor: AnotherVendor - Safeguard: 6.3
185
233
  Another response...
186
234
  ```
187
235
 
236
+ ## šŸ†• Vendor Mapping Validation
237
+
238
+ The **validate_vendor_mapping** tool provides evidence-based validation of vendor capability claims. This addresses a critical need: vendors often self-assess their capabilities, but practitioners need to verify whether the supporting evidence actually justifies the claimed mapping.
239
+
240
+ ### Validation Criteria
241
+
242
+ | Capability | Requirements | Validation Thresholds |
243
+ |------------|-------------|----------------------|
244
+ | **FULL** | Complete implementation within scope | ≄70% core requirements + ≄40% sub-elements |
245
+ | **PARTIAL** | Limited scope with clear boundaries | ≄30% core requirements OR some core + ≄20% sub-elements |
246
+ | **FACILITATES** | Enables/enhances implementation | Facilitation language present, no direct implementation claims |
247
+ | **GOVERNANCE** | Policy/process management | ≄60% governance elements + policy language |
248
+ | **VALIDATES** | Evidence collection & reporting | Audit/monitoring/reporting capabilities present |
249
+
250
+ ### Validation Statuses
251
+
252
+ - **SUPPORTED** (70-100%): Evidence strongly supports the claimed capability
253
+ - **QUESTIONABLE** (40-69%): Evidence partially supports but has notable gaps
254
+ - **UNSUPPORTED** (0-39%): Evidence does not adequately support the claim
255
+
256
+ ### Usage Examples
257
+
258
+ ```bash
259
+ # Validate a FULL coverage claim
260
+ claude-code "Use validate_vendor_mapping for vendor 'AssetMax Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our platform provides comprehensive automated discovery, detailed inventory management, and complete asset lifecycle tracking for all enterprise devices including servers, workstations, and network equipment.'"
261
+
262
+ # Validate a FACILITATES claim
263
+ claude-code "Use validate_vendor_mapping for vendor 'ThreatIntel Feed', safeguard '1.1', claimed capability 'facilitates', with supporting text: 'Our threat intelligence service provides supplemental risk data that enriches existing asset management systems, enabling organizations to prioritize asset security based on threat exposure.'"
264
+
265
+ # Validate a questionable claim
266
+ claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1.1', claimed capability 'full', with supporting text: 'We help track computers and provide some visibility into your IT environment.'"
267
+ ```
268
+
188
269
  ## šŸŽÆ CIS Controls Coverage
189
270
 
190
- Currently supports key safeguards including:
191
- - **1.1** - Enterprise Asset Inventory
192
- - **1.2** - Address Unauthorized Assets
193
- - **5.1** - Inventory of Accounts
194
- - **6.3** - MFA for Externally-Exposed Applications
195
- - **7.1** - Vulnerability Management Process
271
+ **Complete CIS Controls v8.1 Framework Implementation**
272
+ - **153 total safeguards** across all 18 controls
273
+ - **Full framework coverage** from Controls 1-18
274
+ - **Comprehensive vendor analysis** capability for all CIS safeguards
196
275
 
197
- *Additional safeguards can be easily added to the framework.*
276
+ ### Current Version Highlights
277
+ - āœ… **All 18 Controls** implemented (Enterprise Assets through Penetration Testing)
278
+ - āœ… **Color-coded element categorization** (Orange/Green/Yellow/Gray)
279
+ - āœ… **Enhanced capability detection** (Governance, Facilitates, Coverage, Validates)
280
+ - āœ… **Production-ready** vendor analysis for complete compliance assessments
198
281
 
199
282
  ## šŸ› ļø Development
200
283
 
package/dist/index.d.ts CHANGED
@@ -15,6 +15,17 @@ export declare class GRCAnalysisServer {
15
15
  private generateEnhancedReasoning;
16
16
  private generateCapabilityReasoning;
17
17
  private validateClaim;
18
+ private validateVendorMapping;
19
+ private validateCapabilityClaim;
20
+ private assessClaimAlignment;
21
+ private hasFacilitationLanguage;
22
+ private hasScopeBoundaries;
23
+ private hasDirectImplementationLanguage;
24
+ private assessImplementationLanguage;
25
+ private assessFacilitationLanguage;
26
+ private assessGovernanceLanguage;
27
+ private assessValidationLanguage;
28
+ private generateValidationFeedback;
18
29
  run(): Promise<void>;
19
30
  }
20
31
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAo5KA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;;IAavB,OAAO,CAAC,iBAAiB;YAkIX,mBAAmB;YA8CnB,uBAAuB;YAuCvB,qBAAqB;YAoBrB,qBAAqB;IA8BnC,OAAO,CAAC,gCAAgC;IAqJxC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,4BAA4B;IAwCpC,OAAO,CAAC,uBAAuB;IA6B/B,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAuEnC,OAAO,CAAC,aAAa;IAsFf,GAAG;CAKV"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAu6KA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;;IAavB,OAAO,CAAC,iBAAiB;YAiKX,mBAAmB;YA8CnB,uBAAuB;YAuCvB,qBAAqB;YAoBrB,qBAAqB;IA8BnC,OAAO,CAAC,gCAAgC;IAkKxC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,4BAA4B;IAwCpC,OAAO,CAAC,uBAAuB;IA6B/B,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAuEnC,OAAO,CAAC,aAAa;YAsFP,qBAAqB;IAyBnC,OAAO,CAAC,uBAAuB;IAqD/B,OAAO,CAAC,oBAAoB;IA4J5B,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,kBAAkB;IAQ1B,OAAO,CAAC,+BAA+B;IAQvC,OAAO,CAAC,4BAA4B;IAQpC,OAAO,CAAC,0BAA0B;IAQlC,OAAO,CAAC,wBAAwB;IAQhC,OAAO,CAAC,wBAAwB;IAShC,OAAO,CAAC,0BAA0B;IAiC5B,GAAG;CAKV"}
package/dist/index.js CHANGED
@@ -5537,6 +5537,35 @@ export class GRCAnalysisServer {
5537
5537
  }
5538
5538
  }
5539
5539
  }
5540
+ },
5541
+ {
5542
+ name: 'validate_vendor_mapping',
5543
+ description: 'Validate whether a vendor\'s stated capability mapping (Full/Partial/Facilitates/Governance/Validates) is actually supported by their explanatory text for a specific CIS safeguard',
5544
+ inputSchema: {
5545
+ type: 'object',
5546
+ properties: {
5547
+ vendor_name: {
5548
+ type: 'string',
5549
+ description: 'Name of the vendor (optional)',
5550
+ default: 'Unknown Vendor'
5551
+ },
5552
+ safeguard_id: {
5553
+ type: 'string',
5554
+ description: 'CIS Control safeguard ID (e.g., "5.1", "1.1", "6.3")',
5555
+ pattern: '^[0-9]+\\.[0-9]+$'
5556
+ },
5557
+ claimed_capability: {
5558
+ type: 'string',
5559
+ enum: ['full', 'partial', 'facilitates', 'governance', 'validates'],
5560
+ description: 'Vendor\'s claimed capability mapping for this safeguard'
5561
+ },
5562
+ supporting_text: {
5563
+ type: 'string',
5564
+ description: 'Vendor\'s supporting text blob explaining how they meet the claimed capability'
5565
+ }
5566
+ },
5567
+ required: ['safeguard_id', 'claimed_capability', 'supporting_text']
5568
+ }
5540
5569
  }
5541
5570
  ],
5542
5571
  }));
@@ -5552,6 +5581,8 @@ export class GRCAnalysisServer {
5552
5581
  return await this.validateCoverageClaim(args);
5553
5582
  case 'list_available_safeguards':
5554
5583
  return await this.listAvailableSafeguards(args);
5584
+ case 'validate_vendor_mapping':
5585
+ return await this.validateVendorMapping(args);
5555
5586
  default:
5556
5587
  throw new Error(`Unknown tool: ${name}`);
5557
5588
  }
@@ -5698,6 +5729,11 @@ export class GRCAnalysisServer {
5698
5729
  'improve', 'enhance', 'optimize', 'faster', 'better', 'stronger', 'automate',
5699
5730
  'streamline', 'efficiency', 'facilitate', 'support', 'enable', 'accelerate',
5700
5731
  'api', 'integration', 'data', 'export', 'import', 'sync', 'feed',
5732
+ // Data provision and enrichment
5733
+ 'provides data', 'data source', 'data feeds', 'enrichment', 'data enrichment',
5734
+ 'supplemental data', 'additional data', 'contextual data', 'threat data',
5735
+ 'intelligence feeds', 'data aggregation', 'data collection', 'data gathering',
5736
+ 'feeds data', 'populates', 'informs', 'enriches', 'supplements',
5701
5737
  // Governance/process facilitation (new keywords for tools like Upolicy)
5702
5738
  'enables compliance', 'facilitates implementation', 'supports compliance',
5703
5739
  'creates framework', 'enables organizations', 'infrastructure', 'foundation',
@@ -5707,9 +5743,9 @@ export class GRCAnalysisServer {
5707
5743
  ];
5708
5744
  const validatesKeywords = [
5709
5745
  'audit', 'report', 'evidence', 'verify', 'validate', 'check', 'monitor',
5710
- 'compliance report', 'assessment', 'logging', 'tracking', 'review', 'attest',
5746
+ 'compliance', 'compliance report', 'assessment', 'logging', 'tracking', 'review', 'attest',
5711
5747
  'dashboard', 'metrics', 'analytics', 'visibility', 'alert', 'attestation',
5712
- 'compliance tracking', 'audit trail', 'reporting capabilities'
5748
+ 'compliance tracking', 'audit trail', 'reporting capabilities', 'audit capabilities'
5713
5749
  ];
5714
5750
  // Analyze element coverage (binary: covered or not)
5715
5751
  const coreCoverage = this.analyzeBinaryElementCoverage(text, safeguard.coreRequirements);
@@ -5739,18 +5775,22 @@ export class GRCAnalysisServer {
5739
5775
  'rather than direct', 'instead of direct'
5740
5776
  ];
5741
5777
  const hasNonImplementationLanguage = nonImplementationPatterns.some(pattern => text.includes(pattern));
5742
- // Determine if full or partial coverage (based on core + sub-taxonomical elements)
5743
- const totalCoreAndSubElements = safeguard.coreRequirements.length + safeguard.subTaxonomicalElements.length;
5744
- const coveredCoreAndSubElements = coreCoverage.coveredElements.length + subElementCoverage.coveredElements.length;
5778
+ // Determine if full or partial coverage (based on core + sub-taxonomical elements WITHIN SCOPE)
5779
+ // Full = addresses majority of core requirements + substantial sub-elements within their stated scope
5780
+ // Partial = addresses some core requirements with clear scope boundaries
5781
+ const corePercentage = safeguard.coreRequirements.length > 0 ?
5782
+ (coreCoverage.coveredElements.length / safeguard.coreRequirements.length) * 100 : 0;
5783
+ const subElementPercentage = safeguard.subTaxonomicalElements.length > 0 ?
5784
+ (subElementCoverage.coveredElements.length / safeguard.subTaxonomicalElements.length) * 100 : 0;
5745
5785
  let fullCapability = false;
5746
5786
  let partialCapability = false;
5747
- if (totalCoreAndSubElements > 0) {
5748
- if (coveredCoreAndSubElements === totalCoreAndSubElements) {
5749
- fullCapability = true;
5750
- }
5751
- else if (coveredCoreAndSubElements > 0) {
5752
- partialCapability = true;
5753
- }
5787
+ // Full capability: High coverage of core requirements + reasonable sub-element coverage
5788
+ if (corePercentage >= 70 && subElementPercentage >= 50) {
5789
+ fullCapability = true;
5790
+ }
5791
+ // Partial capability: Moderate core coverage OR clear scope-limited implementation
5792
+ else if (corePercentage >= 30 || (coreCoverage.coveredElements.length > 0 && subElementPercentage >= 20)) {
5793
+ partialCapability = true;
5754
5794
  }
5755
5795
  // Enhanced primary capability logic
5756
5796
  let primaryCapability = 'none';
@@ -5788,6 +5828,8 @@ export class GRCAnalysisServer {
5788
5828
  const evidence = this.extractEnhancedEvidence(responseText, safeguard);
5789
5829
  // Calculate confidence based on evidence strength and keyword matches
5790
5830
  const keywordConfidence = (governanceScore + facilitatesScore + validatesScore) / 3;
5831
+ const totalCoreAndSubElements = safeguard.coreRequirements.length + safeguard.subTaxonomicalElements.length;
5832
+ const coveredCoreAndSubElements = coreCoverage.coveredElements.length + subElementCoverage.coveredElements.length;
5791
5833
  const coverageConfidence = totalCoreAndSubElements > 0 ?
5792
5834
  coveredCoreAndSubElements / totalCoreAndSubElements : 0;
5793
5835
  const confidence = Math.min((keywordConfidence * 0.4 + coverageConfidence * 0.6) * 100, 100);
@@ -6074,6 +6116,264 @@ export class GRCAnalysisServer {
6074
6116
  }
6075
6117
  return validation;
6076
6118
  }
6119
+ async validateVendorMapping(args) {
6120
+ const { vendor_name = 'Unknown Vendor', safeguard_id, claimed_capability, supporting_text } = args;
6121
+ const safeguard = CIS_SAFEGUARDS[safeguard_id];
6122
+ if (!safeguard) {
6123
+ throw new Error(`Safeguard ${safeguard_id} not found. Available safeguards: ${Object.keys(CIS_SAFEGUARDS).join(', ')}`);
6124
+ }
6125
+ const validation = this.validateCapabilityClaim(vendor_name, safeguard, claimed_capability, supporting_text);
6126
+ return {
6127
+ content: [
6128
+ {
6129
+ type: 'text',
6130
+ text: JSON.stringify(validation, null, 2),
6131
+ },
6132
+ ],
6133
+ };
6134
+ }
6135
+ validateCapabilityClaim(vendorName, safeguard, claimedCapability, supportingText) {
6136
+ const text = supportingText.toLowerCase();
6137
+ // Perform actual analysis of the supporting text
6138
+ const actualAnalysis = this.performEnhancedSafeguardAnalysis(vendorName, safeguard, supportingText);
6139
+ // Calculate coverage percentages
6140
+ const coreCoverage = this.analyzeBinaryElementCoverage(text, safeguard.coreRequirements);
6141
+ const subElementCoverage = this.analyzeBinaryElementCoverage(text, safeguard.subTaxonomicalElements);
6142
+ const governanceCoverage = this.analyzeBinaryElementCoverage(text, safeguard.governanceElements);
6143
+ const corePercentage = safeguard.coreRequirements.length > 0 ?
6144
+ (coreCoverage.coveredElements.length / safeguard.coreRequirements.length) * 100 : 0;
6145
+ const subElementPercentage = safeguard.subTaxonomicalElements.length > 0 ?
6146
+ (subElementCoverage.coveredElements.length / safeguard.subTaxonomicalElements.length) * 100 : 0;
6147
+ const governancePercentage = safeguard.governanceElements.length > 0 ?
6148
+ (governanceCoverage.coveredElements.length / safeguard.governanceElements.length) * 100 : 0;
6149
+ // Validate claim against criteria
6150
+ const validation = this.assessClaimAlignment(claimedCapability, actualAnalysis, corePercentage, subElementPercentage, governancePercentage, text);
6151
+ return {
6152
+ vendor: vendorName,
6153
+ safeguard_id: safeguard.id,
6154
+ safeguard_title: safeguard.title,
6155
+ claimed_capability: claimedCapability,
6156
+ validation_status: validation.status,
6157
+ confidence_score: validation.confidence,
6158
+ evidence_analysis: {
6159
+ core_requirements_coverage: Math.round(corePercentage),
6160
+ sub_elements_coverage: Math.round(subElementPercentage),
6161
+ governance_alignment: Math.round(governancePercentage),
6162
+ language_consistency: validation.languageConsistency
6163
+ },
6164
+ gaps_identified: validation.gaps,
6165
+ strengths_identified: validation.strengths,
6166
+ recommendations: validation.recommendations,
6167
+ detailed_feedback: validation.feedback
6168
+ };
6169
+ }
6170
+ assessClaimAlignment(claimedCapability, actualAnalysis, corePercentage, subElementPercentage, governancePercentage, text) {
6171
+ const gaps = [];
6172
+ const strengths = [];
6173
+ const recommendations = [];
6174
+ let languageConsistency = 0;
6175
+ let alignmentScore = 0;
6176
+ switch (claimedCapability.toLowerCase()) {
6177
+ case 'full':
6178
+ // Validate FULL claim
6179
+ if (corePercentage >= 70 && subElementPercentage >= 40) {
6180
+ alignmentScore = 85;
6181
+ strengths.push('High coverage of core requirements and sub-elements');
6182
+ }
6183
+ else if (corePercentage >= 80 && subElementPercentage >= 30) {
6184
+ // Alternative path: very high core with moderate sub-elements
6185
+ alignmentScore = 80;
6186
+ strengths.push('Very high core requirements coverage with adequate sub-element coverage');
6187
+ }
6188
+ else {
6189
+ alignmentScore = Math.max(0, (corePercentage + subElementPercentage) / 2 - 15);
6190
+ if (corePercentage < 70)
6191
+ gaps.push(`Core requirements coverage (${Math.round(corePercentage)}%) below FULL threshold (70%)`);
6192
+ if (subElementPercentage < 40)
6193
+ gaps.push(`Sub-element coverage (${Math.round(subElementPercentage)}%) below FULL threshold (40%)`);
6194
+ }
6195
+ // Check for conflicting facilitation language
6196
+ if (this.hasFacilitationLanguage(text)) {
6197
+ alignmentScore -= 30;
6198
+ gaps.push('Contains facilitation language inconsistent with FULL implementation claim');
6199
+ }
6200
+ languageConsistency = this.assessImplementationLanguage(text);
6201
+ break;
6202
+ case 'partial':
6203
+ // Validate PARTIAL claim
6204
+ if (corePercentage >= 30 || (corePercentage > 0 && subElementPercentage >= 20)) {
6205
+ alignmentScore = 75;
6206
+ strengths.push('Appropriate coverage level for PARTIAL implementation');
6207
+ }
6208
+ else {
6209
+ alignmentScore = Math.max(0, corePercentage + subElementPercentage - 10);
6210
+ gaps.push(`Coverage too low even for PARTIAL claim: ${Math.round(corePercentage)}% core, ${Math.round(subElementPercentage)}% sub-elements`);
6211
+ }
6212
+ // Check for scope boundary definition
6213
+ if (this.hasScopeBoundaries(text)) {
6214
+ strengths.push('Clearly defines scope boundaries and limitations');
6215
+ alignmentScore += 10;
6216
+ }
6217
+ else {
6218
+ gaps.push('Should clearly define scope boundaries for PARTIAL implementation');
6219
+ recommendations.push('Specify exactly which elements are covered and which are not');
6220
+ }
6221
+ languageConsistency = this.assessImplementationLanguage(text);
6222
+ break;
6223
+ case 'facilitates':
6224
+ // Validate FACILITATES claim
6225
+ if (this.hasFacilitationLanguage(text) || actualAnalysis.capabilities.facilitates) {
6226
+ alignmentScore = 80;
6227
+ strengths.push('Contains appropriate facilitation and enablement language');
6228
+ }
6229
+ else {
6230
+ alignmentScore = 40;
6231
+ gaps.push('Lacks clear facilitation language (enables, supports, provides framework)');
6232
+ }
6233
+ // Check that it doesn't claim direct implementation
6234
+ if (this.hasDirectImplementationLanguage(text)) {
6235
+ // Special handling: If it lacks facilitation language AND claims implementation, stay QUESTIONABLE
6236
+ if (alignmentScore <= 40) {
6237
+ alignmentScore = 45; // Keep it in QUESTIONABLE range
6238
+ }
6239
+ else {
6240
+ alignmentScore -= 15;
6241
+ }
6242
+ gaps.push('Claims direct implementation, inconsistent with FACILITATES capability');
6243
+ }
6244
+ languageConsistency = this.assessFacilitationLanguage(text);
6245
+ break;
6246
+ case 'governance':
6247
+ // Validate GOVERNANCE claim
6248
+ if (governancePercentage >= 60 || actualAnalysis.capabilities.governance) {
6249
+ alignmentScore = 85;
6250
+ strengths.push('Strong governance element coverage and policy management language');
6251
+ }
6252
+ else {
6253
+ alignmentScore = Math.max(30, governancePercentage);
6254
+ gaps.push(`Governance element coverage (${Math.round(governancePercentage)}%) below expected threshold (60%)`);
6255
+ }
6256
+ languageConsistency = this.assessGovernanceLanguage(text);
6257
+ break;
6258
+ case 'validates':
6259
+ // Validate VALIDATES claim
6260
+ if (actualAnalysis.capabilities.validates) {
6261
+ alignmentScore = 85;
6262
+ strengths.push('Contains evidence collection and reporting capabilities');
6263
+ }
6264
+ else {
6265
+ alignmentScore = 30;
6266
+ gaps.push('Lacks validation language (audit, report, evidence, verify, monitor)');
6267
+ }
6268
+ languageConsistency = this.assessValidationLanguage(text);
6269
+ break;
6270
+ default:
6271
+ alignmentScore = 0;
6272
+ gaps.push(`Unknown capability type: ${claimedCapability}`);
6273
+ languageConsistency = 0;
6274
+ }
6275
+ // Determine overall status
6276
+ let status;
6277
+ if (alignmentScore >= 70) {
6278
+ status = 'SUPPORTED';
6279
+ }
6280
+ else if (alignmentScore >= 40) {
6281
+ status = 'QUESTIONABLE';
6282
+ }
6283
+ else {
6284
+ status = 'UNSUPPORTED';
6285
+ }
6286
+ // Generate recommendations
6287
+ if (gaps.length > 0) {
6288
+ recommendations.push('Address identified gaps to strengthen capability claim');
6289
+ }
6290
+ if (status === 'QUESTIONABLE') {
6291
+ recommendations.push('Provide additional evidence or clarify scope to support claim');
6292
+ }
6293
+ const feedback = this.generateValidationFeedback(claimedCapability, status, gaps, strengths, alignmentScore);
6294
+ return {
6295
+ status,
6296
+ confidence: Math.round(alignmentScore),
6297
+ languageConsistency: Math.round(languageConsistency),
6298
+ gaps,
6299
+ strengths,
6300
+ recommendations,
6301
+ feedback
6302
+ };
6303
+ }
6304
+ hasFacilitationLanguage(text) {
6305
+ const facilitationPatterns = [
6306
+ 'enables', 'facilitates', 'supports', 'helps', 'provides framework',
6307
+ 'creates infrastructure', 'enables organizations', 'supports compliance',
6308
+ 'provides data', 'enriches', 'supplements', 'feeds data'
6309
+ ];
6310
+ return facilitationPatterns.some(pattern => text.includes(pattern));
6311
+ }
6312
+ hasScopeBoundaries(text) {
6313
+ const boundaryPatterns = [
6314
+ 'covers', 'but not', 'limited to', 'specifically', 'only', 'excludes',
6315
+ 'scope includes', 'scope excludes', 'within', 'applies to'
6316
+ ];
6317
+ return boundaryPatterns.some(pattern => text.includes(pattern));
6318
+ }
6319
+ hasDirectImplementationLanguage(text) {
6320
+ const implementationPatterns = [
6321
+ 'directly implements', 'performs', 'executes', 'scans', 'catalogs',
6322
+ 'inventories', 'manages assets', 'controls access', 'blocks threats'
6323
+ ];
6324
+ return implementationPatterns.some(pattern => text.includes(pattern));
6325
+ }
6326
+ assessImplementationLanguage(text) {
6327
+ const implementationKeywords = [
6328
+ 'implements', 'performs', 'executes', 'manages', 'controls', 'maintains',
6329
+ 'establishes', 'configures', 'monitors', 'tracks', 'inventories'
6330
+ ];
6331
+ return this.calculateKeywordScore(text, implementationKeywords) * 100;
6332
+ }
6333
+ assessFacilitationLanguage(text) {
6334
+ const facilitationKeywords = [
6335
+ 'enables', 'facilitates', 'supports', 'helps', 'enhances', 'improves',
6336
+ 'streamlines', 'automates', 'optimizes', 'provides framework'
6337
+ ];
6338
+ return this.calculateKeywordScore(text, facilitationKeywords) * 100;
6339
+ }
6340
+ assessGovernanceLanguage(text) {
6341
+ const governanceKeywords = [
6342
+ 'policy', 'governance', 'compliance', 'oversight', 'management',
6343
+ 'framework', 'procedures', 'processes', 'controls', 'standards'
6344
+ ];
6345
+ return this.calculateKeywordScore(text, governanceKeywords) * 100;
6346
+ }
6347
+ assessValidationLanguage(text) {
6348
+ const validationKeywords = [
6349
+ 'audit', 'validate', 'verify', 'report', 'evidence', 'monitor',
6350
+ 'assess', 'check', 'review', 'attest', 'compliance', 'compliance tracking',
6351
+ 'compliance reports', 'audit capabilities', 'audit trail', 'reporting capabilities'
6352
+ ];
6353
+ return this.calculateKeywordScore(text, validationKeywords) * 100;
6354
+ }
6355
+ generateValidationFeedback(claimedCapability, status, gaps, strengths, score) {
6356
+ let feedback = `Validation of ${claimedCapability.toUpperCase()} capability claim: ${status} (${Math.round(score)}% alignment)\n\n`;
6357
+ if (strengths.length > 0) {
6358
+ feedback += `STRENGTHS:\n${strengths.map(s => `• ${s}`).join('\n')}\n\n`;
6359
+ }
6360
+ if (gaps.length > 0) {
6361
+ feedback += `GAPS IDENTIFIED:\n${gaps.map(g => `• ${g}`).join('\n')}\n\n`;
6362
+ }
6363
+ feedback += `ASSESSMENT: `;
6364
+ switch (status) {
6365
+ case 'SUPPORTED':
6366
+ feedback += 'The vendor\'s supporting evidence strongly aligns with their claimed capability.';
6367
+ break;
6368
+ case 'QUESTIONABLE':
6369
+ feedback += 'The vendor\'s evidence partially supports their claim but has notable gaps or inconsistencies.';
6370
+ break;
6371
+ case 'UNSUPPORTED':
6372
+ feedback += 'The vendor\'s evidence does not adequately support their claimed capability.';
6373
+ break;
6374
+ }
6375
+ return feedback;
6376
+ }
6077
6377
  async run() {
6078
6378
  const transport = new StdioServerTransport();
6079
6379
  await this.server.connect(transport);