framework-mcp 1.1.0 ā 1.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +92 -9
- package/dist/index.d.ts +11 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +312 -12
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
- package/src/index.ts +399 -11
package/README.md
CHANGED
|
@@ -44,6 +44,17 @@ The server uses the CIS Controls visual framework with color-coded categorizatio
|
|
|
44
44
|
npm install -g framework-mcp
|
|
45
45
|
```
|
|
46
46
|
|
|
47
|
+
### Update to Latest Version
|
|
48
|
+
```bash
|
|
49
|
+
npm update -g framework-mcp
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
Or reinstall to get the latest version:
|
|
53
|
+
```bash
|
|
54
|
+
npm uninstall -g framework-mcp
|
|
55
|
+
npm install -g framework-mcp
|
|
56
|
+
```
|
|
57
|
+
|
|
47
58
|
### Install from source
|
|
48
59
|
```bash
|
|
49
60
|
git clone https://github.com/therealcybermattlee/FrameworkMCP.git
|
|
@@ -115,8 +126,21 @@ claude-code "Analyze the vendor responses in vendors.csv and provide recommendat
|
|
|
115
126
|
claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"
|
|
116
127
|
```
|
|
117
128
|
|
|
129
|
+
### Validate Vendor Capability Claims
|
|
130
|
+
|
|
131
|
+
**NEW**: Validate whether a vendor's stated capability mapping is actually supported by their explanatory text.
|
|
132
|
+
|
|
133
|
+
```bash
|
|
134
|
+
claude-code "Validate this vendor capability claim:
|
|
135
|
+
Vendor: SecureAssets Corp
|
|
136
|
+
Safeguard: 1.1
|
|
137
|
+
Claimed Capability: FULL
|
|
138
|
+
Supporting Text: 'Our comprehensive asset management platform performs automated discovery of all enterprise devices, maintains detailed hardware and software inventories, tracks ownership and location data, provides real-time asset status monitoring, and includes documented inventory procedures with bi-annual review capabilities.'"
|
|
139
|
+
```
|
|
140
|
+
|
|
118
141
|
## š Sample Output
|
|
119
142
|
|
|
143
|
+
### Standard Analysis Output
|
|
120
144
|
```json
|
|
121
145
|
{
|
|
122
146
|
"vendor": "SecureIAM Corp",
|
|
@@ -146,16 +170,40 @@ claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-e
|
|
|
146
170
|
}
|
|
147
171
|
```
|
|
148
172
|
|
|
173
|
+
### Validation Tool Output
|
|
174
|
+
```json
|
|
175
|
+
{
|
|
176
|
+
"vendor": "SecureAssets Corp",
|
|
177
|
+
"safeguard_id": "1.1",
|
|
178
|
+
"safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
|
|
179
|
+
"claimed_capability": "full",
|
|
180
|
+
"validation_status": "SUPPORTED",
|
|
181
|
+
"confidence_score": 85,
|
|
182
|
+
"evidence_analysis": {
|
|
183
|
+
"core_requirements_coverage": 100,
|
|
184
|
+
"sub_elements_coverage": 47,
|
|
185
|
+
"governance_alignment": 80,
|
|
186
|
+
"language_consistency": 90
|
|
187
|
+
},
|
|
188
|
+
"gaps_identified": [],
|
|
189
|
+
"strengths_identified": [
|
|
190
|
+
"High coverage of core requirements and sub-elements",
|
|
191
|
+
"Strong implementation language consistency"
|
|
192
|
+
],
|
|
193
|
+
"recommendations": [],
|
|
194
|
+
"detailed_feedback": "Validation of FULL capability claim: SUPPORTED (85% alignment)\n\nSTRENGTHS:\n⢠High coverage of core requirements and sub-elements\n⢠Strong implementation language consistency\n\nASSESSMENT: The vendor's supporting evidence strongly aligns with their claimed capability."
|
|
195
|
+
}
|
|
196
|
+
```
|
|
197
|
+
|
|
149
198
|
## š§ Available Tools
|
|
150
199
|
|
|
151
200
|
| Tool | Description |
|
|
152
201
|
|------|-------------|
|
|
153
202
|
| `analyze_vendor_response` | Analyze vendor response for specific safeguard |
|
|
203
|
+
| `validate_vendor_mapping` | **NEW** Validate vendor's claimed capability against supporting evidence |
|
|
154
204
|
| `validate_coverage_claim` | Validate FULL/PARTIAL coverage claims |
|
|
155
205
|
| `get_safeguard_details` | Get detailed safeguard breakdown |
|
|
156
206
|
| `list_available_safeguards` | List all available CIS safeguards |
|
|
157
|
-
| `generate_coverage_report` | Generate detailed coverage analysis |
|
|
158
|
-
| `export_analysis` | Export results to JSON/CSV/Markdown |
|
|
159
207
|
|
|
160
208
|
## š File Formats Supported
|
|
161
209
|
|
|
@@ -185,16 +233,51 @@ Vendor: AnotherVendor - Safeguard: 6.3
|
|
|
185
233
|
Another response...
|
|
186
234
|
```
|
|
187
235
|
|
|
236
|
+
## š Vendor Mapping Validation
|
|
237
|
+
|
|
238
|
+
The **validate_vendor_mapping** tool provides evidence-based validation of vendor capability claims. This addresses a critical need: vendors often self-assess their capabilities, but practitioners need to verify whether the supporting evidence actually justifies the claimed mapping.
|
|
239
|
+
|
|
240
|
+
### Validation Criteria
|
|
241
|
+
|
|
242
|
+
| Capability | Requirements | Validation Thresholds |
|
|
243
|
+
|------------|-------------|----------------------|
|
|
244
|
+
| **FULL** | Complete implementation within scope | ā„70% core requirements + ā„40% sub-elements |
|
|
245
|
+
| **PARTIAL** | Limited scope with clear boundaries | ā„30% core requirements OR some core + ā„20% sub-elements |
|
|
246
|
+
| **FACILITATES** | Enables/enhances implementation | Facilitation language present, no direct implementation claims |
|
|
247
|
+
| **GOVERNANCE** | Policy/process management | ā„60% governance elements + policy language |
|
|
248
|
+
| **VALIDATES** | Evidence collection & reporting | Audit/monitoring/reporting capabilities present |
|
|
249
|
+
|
|
250
|
+
### Validation Statuses
|
|
251
|
+
|
|
252
|
+
- **SUPPORTED** (70-100%): Evidence strongly supports the claimed capability
|
|
253
|
+
- **QUESTIONABLE** (40-69%): Evidence partially supports but has notable gaps
|
|
254
|
+
- **UNSUPPORTED** (0-39%): Evidence does not adequately support the claim
|
|
255
|
+
|
|
256
|
+
### Usage Examples
|
|
257
|
+
|
|
258
|
+
```bash
|
|
259
|
+
# Validate a FULL coverage claim
|
|
260
|
+
claude-code "Use validate_vendor_mapping for vendor 'AssetMax Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our platform provides comprehensive automated discovery, detailed inventory management, and complete asset lifecycle tracking for all enterprise devices including servers, workstations, and network equipment.'"
|
|
261
|
+
|
|
262
|
+
# Validate a FACILITATES claim
|
|
263
|
+
claude-code "Use validate_vendor_mapping for vendor 'ThreatIntel Feed', safeguard '1.1', claimed capability 'facilitates', with supporting text: 'Our threat intelligence service provides supplemental risk data that enriches existing asset management systems, enabling organizations to prioritize asset security based on threat exposure.'"
|
|
264
|
+
|
|
265
|
+
# Validate a questionable claim
|
|
266
|
+
claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1.1', claimed capability 'full', with supporting text: 'We help track computers and provide some visibility into your IT environment.'"
|
|
267
|
+
```
|
|
268
|
+
|
|
188
269
|
## šÆ CIS Controls Coverage
|
|
189
270
|
|
|
190
|
-
|
|
191
|
-
- **
|
|
192
|
-
- **
|
|
193
|
-
- **
|
|
194
|
-
- **6.3** - MFA for Externally-Exposed Applications
|
|
195
|
-
- **7.1** - Vulnerability Management Process
|
|
271
|
+
**Complete CIS Controls v8.1 Framework Implementation**
|
|
272
|
+
- **153 total safeguards** across all 18 controls
|
|
273
|
+
- **Full framework coverage** from Controls 1-18
|
|
274
|
+
- **Comprehensive vendor analysis** capability for all CIS safeguards
|
|
196
275
|
|
|
197
|
-
|
|
276
|
+
### Current Version Highlights
|
|
277
|
+
- ā
**All 18 Controls** implemented (Enterprise Assets through Penetration Testing)
|
|
278
|
+
- ā
**Color-coded element categorization** (Orange/Green/Yellow/Gray)
|
|
279
|
+
- ā
**Enhanced capability detection** (Governance, Facilitates, Coverage, Validates)
|
|
280
|
+
- ā
**Production-ready** vendor analysis for complete compliance assessments
|
|
198
281
|
|
|
199
282
|
## š ļø Development
|
|
200
283
|
|
package/dist/index.d.ts
CHANGED
|
@@ -15,6 +15,17 @@ export declare class GRCAnalysisServer {
|
|
|
15
15
|
private generateEnhancedReasoning;
|
|
16
16
|
private generateCapabilityReasoning;
|
|
17
17
|
private validateClaim;
|
|
18
|
+
private validateVendorMapping;
|
|
19
|
+
private validateCapabilityClaim;
|
|
20
|
+
private assessClaimAlignment;
|
|
21
|
+
private hasFacilitationLanguage;
|
|
22
|
+
private hasScopeBoundaries;
|
|
23
|
+
private hasDirectImplementationLanguage;
|
|
24
|
+
private assessImplementationLanguage;
|
|
25
|
+
private assessFacilitationLanguage;
|
|
26
|
+
private assessGovernanceLanguage;
|
|
27
|
+
private assessValidationLanguage;
|
|
28
|
+
private generateValidationFeedback;
|
|
18
29
|
run(): Promise<void>;
|
|
19
30
|
}
|
|
20
31
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAu6KA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;;IAavB,OAAO,CAAC,iBAAiB;YAiKX,mBAAmB;YA8CnB,uBAAuB;YAuCvB,qBAAqB;YAoBrB,qBAAqB;IA8BnC,OAAO,CAAC,gCAAgC;IAkKxC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,4BAA4B;IAwCpC,OAAO,CAAC,uBAAuB;IA6B/B,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAuEnC,OAAO,CAAC,aAAa;YAsFP,qBAAqB;IAyBnC,OAAO,CAAC,uBAAuB;IAqD/B,OAAO,CAAC,oBAAoB;IA4J5B,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,kBAAkB;IAQ1B,OAAO,CAAC,+BAA+B;IAQvC,OAAO,CAAC,4BAA4B;IAQpC,OAAO,CAAC,0BAA0B;IAQlC,OAAO,CAAC,wBAAwB;IAQhC,OAAO,CAAC,wBAAwB;IAShC,OAAO,CAAC,0BAA0B;IAiC5B,GAAG;CAKV"}
|
package/dist/index.js
CHANGED
|
@@ -5537,6 +5537,35 @@ export class GRCAnalysisServer {
|
|
|
5537
5537
|
}
|
|
5538
5538
|
}
|
|
5539
5539
|
}
|
|
5540
|
+
},
|
|
5541
|
+
{
|
|
5542
|
+
name: 'validate_vendor_mapping',
|
|
5543
|
+
description: 'Validate whether a vendor\'s stated capability mapping (Full/Partial/Facilitates/Governance/Validates) is actually supported by their explanatory text for a specific CIS safeguard',
|
|
5544
|
+
inputSchema: {
|
|
5545
|
+
type: 'object',
|
|
5546
|
+
properties: {
|
|
5547
|
+
vendor_name: {
|
|
5548
|
+
type: 'string',
|
|
5549
|
+
description: 'Name of the vendor (optional)',
|
|
5550
|
+
default: 'Unknown Vendor'
|
|
5551
|
+
},
|
|
5552
|
+
safeguard_id: {
|
|
5553
|
+
type: 'string',
|
|
5554
|
+
description: 'CIS Control safeguard ID (e.g., "5.1", "1.1", "6.3")',
|
|
5555
|
+
pattern: '^[0-9]+\\.[0-9]+$'
|
|
5556
|
+
},
|
|
5557
|
+
claimed_capability: {
|
|
5558
|
+
type: 'string',
|
|
5559
|
+
enum: ['full', 'partial', 'facilitates', 'governance', 'validates'],
|
|
5560
|
+
description: 'Vendor\'s claimed capability mapping for this safeguard'
|
|
5561
|
+
},
|
|
5562
|
+
supporting_text: {
|
|
5563
|
+
type: 'string',
|
|
5564
|
+
description: 'Vendor\'s supporting text blob explaining how they meet the claimed capability'
|
|
5565
|
+
}
|
|
5566
|
+
},
|
|
5567
|
+
required: ['safeguard_id', 'claimed_capability', 'supporting_text']
|
|
5568
|
+
}
|
|
5540
5569
|
}
|
|
5541
5570
|
],
|
|
5542
5571
|
}));
|
|
@@ -5552,6 +5581,8 @@ export class GRCAnalysisServer {
|
|
|
5552
5581
|
return await this.validateCoverageClaim(args);
|
|
5553
5582
|
case 'list_available_safeguards':
|
|
5554
5583
|
return await this.listAvailableSafeguards(args);
|
|
5584
|
+
case 'validate_vendor_mapping':
|
|
5585
|
+
return await this.validateVendorMapping(args);
|
|
5555
5586
|
default:
|
|
5556
5587
|
throw new Error(`Unknown tool: ${name}`);
|
|
5557
5588
|
}
|
|
@@ -5698,6 +5729,11 @@ export class GRCAnalysisServer {
|
|
|
5698
5729
|
'improve', 'enhance', 'optimize', 'faster', 'better', 'stronger', 'automate',
|
|
5699
5730
|
'streamline', 'efficiency', 'facilitate', 'support', 'enable', 'accelerate',
|
|
5700
5731
|
'api', 'integration', 'data', 'export', 'import', 'sync', 'feed',
|
|
5732
|
+
// Data provision and enrichment
|
|
5733
|
+
'provides data', 'data source', 'data feeds', 'enrichment', 'data enrichment',
|
|
5734
|
+
'supplemental data', 'additional data', 'contextual data', 'threat data',
|
|
5735
|
+
'intelligence feeds', 'data aggregation', 'data collection', 'data gathering',
|
|
5736
|
+
'feeds data', 'populates', 'informs', 'enriches', 'supplements',
|
|
5701
5737
|
// Governance/process facilitation (new keywords for tools like Upolicy)
|
|
5702
5738
|
'enables compliance', 'facilitates implementation', 'supports compliance',
|
|
5703
5739
|
'creates framework', 'enables organizations', 'infrastructure', 'foundation',
|
|
@@ -5707,9 +5743,9 @@ export class GRCAnalysisServer {
|
|
|
5707
5743
|
];
|
|
5708
5744
|
const validatesKeywords = [
|
|
5709
5745
|
'audit', 'report', 'evidence', 'verify', 'validate', 'check', 'monitor',
|
|
5710
|
-
'compliance report', 'assessment', 'logging', 'tracking', 'review', 'attest',
|
|
5746
|
+
'compliance', 'compliance report', 'assessment', 'logging', 'tracking', 'review', 'attest',
|
|
5711
5747
|
'dashboard', 'metrics', 'analytics', 'visibility', 'alert', 'attestation',
|
|
5712
|
-
'compliance tracking', 'audit trail', 'reporting capabilities'
|
|
5748
|
+
'compliance tracking', 'audit trail', 'reporting capabilities', 'audit capabilities'
|
|
5713
5749
|
];
|
|
5714
5750
|
// Analyze element coverage (binary: covered or not)
|
|
5715
5751
|
const coreCoverage = this.analyzeBinaryElementCoverage(text, safeguard.coreRequirements);
|
|
@@ -5739,18 +5775,22 @@ export class GRCAnalysisServer {
|
|
|
5739
5775
|
'rather than direct', 'instead of direct'
|
|
5740
5776
|
];
|
|
5741
5777
|
const hasNonImplementationLanguage = nonImplementationPatterns.some(pattern => text.includes(pattern));
|
|
5742
|
-
// Determine if full or partial coverage (based on core + sub-taxonomical elements)
|
|
5743
|
-
|
|
5744
|
-
|
|
5778
|
+
// Determine if full or partial coverage (based on core + sub-taxonomical elements WITHIN SCOPE)
|
|
5779
|
+
// Full = addresses majority of core requirements + substantial sub-elements within their stated scope
|
|
5780
|
+
// Partial = addresses some core requirements with clear scope boundaries
|
|
5781
|
+
const corePercentage = safeguard.coreRequirements.length > 0 ?
|
|
5782
|
+
(coreCoverage.coveredElements.length / safeguard.coreRequirements.length) * 100 : 0;
|
|
5783
|
+
const subElementPercentage = safeguard.subTaxonomicalElements.length > 0 ?
|
|
5784
|
+
(subElementCoverage.coveredElements.length / safeguard.subTaxonomicalElements.length) * 100 : 0;
|
|
5745
5785
|
let fullCapability = false;
|
|
5746
5786
|
let partialCapability = false;
|
|
5747
|
-
|
|
5748
|
-
|
|
5749
|
-
|
|
5750
|
-
|
|
5751
|
-
|
|
5752
|
-
|
|
5753
|
-
|
|
5787
|
+
// Full capability: High coverage of core requirements + reasonable sub-element coverage
|
|
5788
|
+
if (corePercentage >= 70 && subElementPercentage >= 50) {
|
|
5789
|
+
fullCapability = true;
|
|
5790
|
+
}
|
|
5791
|
+
// Partial capability: Moderate core coverage OR clear scope-limited implementation
|
|
5792
|
+
else if (corePercentage >= 30 || (coreCoverage.coveredElements.length > 0 && subElementPercentage >= 20)) {
|
|
5793
|
+
partialCapability = true;
|
|
5754
5794
|
}
|
|
5755
5795
|
// Enhanced primary capability logic
|
|
5756
5796
|
let primaryCapability = 'none';
|
|
@@ -5788,6 +5828,8 @@ export class GRCAnalysisServer {
|
|
|
5788
5828
|
const evidence = this.extractEnhancedEvidence(responseText, safeguard);
|
|
5789
5829
|
// Calculate confidence based on evidence strength and keyword matches
|
|
5790
5830
|
const keywordConfidence = (governanceScore + facilitatesScore + validatesScore) / 3;
|
|
5831
|
+
const totalCoreAndSubElements = safeguard.coreRequirements.length + safeguard.subTaxonomicalElements.length;
|
|
5832
|
+
const coveredCoreAndSubElements = coreCoverage.coveredElements.length + subElementCoverage.coveredElements.length;
|
|
5791
5833
|
const coverageConfidence = totalCoreAndSubElements > 0 ?
|
|
5792
5834
|
coveredCoreAndSubElements / totalCoreAndSubElements : 0;
|
|
5793
5835
|
const confidence = Math.min((keywordConfidence * 0.4 + coverageConfidence * 0.6) * 100, 100);
|
|
@@ -6074,6 +6116,264 @@ export class GRCAnalysisServer {
|
|
|
6074
6116
|
}
|
|
6075
6117
|
return validation;
|
|
6076
6118
|
}
|
|
6119
|
+
async validateVendorMapping(args) {
|
|
6120
|
+
const { vendor_name = 'Unknown Vendor', safeguard_id, claimed_capability, supporting_text } = args;
|
|
6121
|
+
const safeguard = CIS_SAFEGUARDS[safeguard_id];
|
|
6122
|
+
if (!safeguard) {
|
|
6123
|
+
throw new Error(`Safeguard ${safeguard_id} not found. Available safeguards: ${Object.keys(CIS_SAFEGUARDS).join(', ')}`);
|
|
6124
|
+
}
|
|
6125
|
+
const validation = this.validateCapabilityClaim(vendor_name, safeguard, claimed_capability, supporting_text);
|
|
6126
|
+
return {
|
|
6127
|
+
content: [
|
|
6128
|
+
{
|
|
6129
|
+
type: 'text',
|
|
6130
|
+
text: JSON.stringify(validation, null, 2),
|
|
6131
|
+
},
|
|
6132
|
+
],
|
|
6133
|
+
};
|
|
6134
|
+
}
|
|
6135
|
+
validateCapabilityClaim(vendorName, safeguard, claimedCapability, supportingText) {
|
|
6136
|
+
const text = supportingText.toLowerCase();
|
|
6137
|
+
// Perform actual analysis of the supporting text
|
|
6138
|
+
const actualAnalysis = this.performEnhancedSafeguardAnalysis(vendorName, safeguard, supportingText);
|
|
6139
|
+
// Calculate coverage percentages
|
|
6140
|
+
const coreCoverage = this.analyzeBinaryElementCoverage(text, safeguard.coreRequirements);
|
|
6141
|
+
const subElementCoverage = this.analyzeBinaryElementCoverage(text, safeguard.subTaxonomicalElements);
|
|
6142
|
+
const governanceCoverage = this.analyzeBinaryElementCoverage(text, safeguard.governanceElements);
|
|
6143
|
+
const corePercentage = safeguard.coreRequirements.length > 0 ?
|
|
6144
|
+
(coreCoverage.coveredElements.length / safeguard.coreRequirements.length) * 100 : 0;
|
|
6145
|
+
const subElementPercentage = safeguard.subTaxonomicalElements.length > 0 ?
|
|
6146
|
+
(subElementCoverage.coveredElements.length / safeguard.subTaxonomicalElements.length) * 100 : 0;
|
|
6147
|
+
const governancePercentage = safeguard.governanceElements.length > 0 ?
|
|
6148
|
+
(governanceCoverage.coveredElements.length / safeguard.governanceElements.length) * 100 : 0;
|
|
6149
|
+
// Validate claim against criteria
|
|
6150
|
+
const validation = this.assessClaimAlignment(claimedCapability, actualAnalysis, corePercentage, subElementPercentage, governancePercentage, text);
|
|
6151
|
+
return {
|
|
6152
|
+
vendor: vendorName,
|
|
6153
|
+
safeguard_id: safeguard.id,
|
|
6154
|
+
safeguard_title: safeguard.title,
|
|
6155
|
+
claimed_capability: claimedCapability,
|
|
6156
|
+
validation_status: validation.status,
|
|
6157
|
+
confidence_score: validation.confidence,
|
|
6158
|
+
evidence_analysis: {
|
|
6159
|
+
core_requirements_coverage: Math.round(corePercentage),
|
|
6160
|
+
sub_elements_coverage: Math.round(subElementPercentage),
|
|
6161
|
+
governance_alignment: Math.round(governancePercentage),
|
|
6162
|
+
language_consistency: validation.languageConsistency
|
|
6163
|
+
},
|
|
6164
|
+
gaps_identified: validation.gaps,
|
|
6165
|
+
strengths_identified: validation.strengths,
|
|
6166
|
+
recommendations: validation.recommendations,
|
|
6167
|
+
detailed_feedback: validation.feedback
|
|
6168
|
+
};
|
|
6169
|
+
}
|
|
6170
|
+
assessClaimAlignment(claimedCapability, actualAnalysis, corePercentage, subElementPercentage, governancePercentage, text) {
|
|
6171
|
+
const gaps = [];
|
|
6172
|
+
const strengths = [];
|
|
6173
|
+
const recommendations = [];
|
|
6174
|
+
let languageConsistency = 0;
|
|
6175
|
+
let alignmentScore = 0;
|
|
6176
|
+
switch (claimedCapability.toLowerCase()) {
|
|
6177
|
+
case 'full':
|
|
6178
|
+
// Validate FULL claim
|
|
6179
|
+
if (corePercentage >= 70 && subElementPercentage >= 40) {
|
|
6180
|
+
alignmentScore = 85;
|
|
6181
|
+
strengths.push('High coverage of core requirements and sub-elements');
|
|
6182
|
+
}
|
|
6183
|
+
else if (corePercentage >= 80 && subElementPercentage >= 30) {
|
|
6184
|
+
// Alternative path: very high core with moderate sub-elements
|
|
6185
|
+
alignmentScore = 80;
|
|
6186
|
+
strengths.push('Very high core requirements coverage with adequate sub-element coverage');
|
|
6187
|
+
}
|
|
6188
|
+
else {
|
|
6189
|
+
alignmentScore = Math.max(0, (corePercentage + subElementPercentage) / 2 - 15);
|
|
6190
|
+
if (corePercentage < 70)
|
|
6191
|
+
gaps.push(`Core requirements coverage (${Math.round(corePercentage)}%) below FULL threshold (70%)`);
|
|
6192
|
+
if (subElementPercentage < 40)
|
|
6193
|
+
gaps.push(`Sub-element coverage (${Math.round(subElementPercentage)}%) below FULL threshold (40%)`);
|
|
6194
|
+
}
|
|
6195
|
+
// Check for conflicting facilitation language
|
|
6196
|
+
if (this.hasFacilitationLanguage(text)) {
|
|
6197
|
+
alignmentScore -= 30;
|
|
6198
|
+
gaps.push('Contains facilitation language inconsistent with FULL implementation claim');
|
|
6199
|
+
}
|
|
6200
|
+
languageConsistency = this.assessImplementationLanguage(text);
|
|
6201
|
+
break;
|
|
6202
|
+
case 'partial':
|
|
6203
|
+
// Validate PARTIAL claim
|
|
6204
|
+
if (corePercentage >= 30 || (corePercentage > 0 && subElementPercentage >= 20)) {
|
|
6205
|
+
alignmentScore = 75;
|
|
6206
|
+
strengths.push('Appropriate coverage level for PARTIAL implementation');
|
|
6207
|
+
}
|
|
6208
|
+
else {
|
|
6209
|
+
alignmentScore = Math.max(0, corePercentage + subElementPercentage - 10);
|
|
6210
|
+
gaps.push(`Coverage too low even for PARTIAL claim: ${Math.round(corePercentage)}% core, ${Math.round(subElementPercentage)}% sub-elements`);
|
|
6211
|
+
}
|
|
6212
|
+
// Check for scope boundary definition
|
|
6213
|
+
if (this.hasScopeBoundaries(text)) {
|
|
6214
|
+
strengths.push('Clearly defines scope boundaries and limitations');
|
|
6215
|
+
alignmentScore += 10;
|
|
6216
|
+
}
|
|
6217
|
+
else {
|
|
6218
|
+
gaps.push('Should clearly define scope boundaries for PARTIAL implementation');
|
|
6219
|
+
recommendations.push('Specify exactly which elements are covered and which are not');
|
|
6220
|
+
}
|
|
6221
|
+
languageConsistency = this.assessImplementationLanguage(text);
|
|
6222
|
+
break;
|
|
6223
|
+
case 'facilitates':
|
|
6224
|
+
// Validate FACILITATES claim
|
|
6225
|
+
if (this.hasFacilitationLanguage(text) || actualAnalysis.capabilities.facilitates) {
|
|
6226
|
+
alignmentScore = 80;
|
|
6227
|
+
strengths.push('Contains appropriate facilitation and enablement language');
|
|
6228
|
+
}
|
|
6229
|
+
else {
|
|
6230
|
+
alignmentScore = 40;
|
|
6231
|
+
gaps.push('Lacks clear facilitation language (enables, supports, provides framework)');
|
|
6232
|
+
}
|
|
6233
|
+
// Check that it doesn't claim direct implementation
|
|
6234
|
+
if (this.hasDirectImplementationLanguage(text)) {
|
|
6235
|
+
// Special handling: If it lacks facilitation language AND claims implementation, stay QUESTIONABLE
|
|
6236
|
+
if (alignmentScore <= 40) {
|
|
6237
|
+
alignmentScore = 45; // Keep it in QUESTIONABLE range
|
|
6238
|
+
}
|
|
6239
|
+
else {
|
|
6240
|
+
alignmentScore -= 15;
|
|
6241
|
+
}
|
|
6242
|
+
gaps.push('Claims direct implementation, inconsistent with FACILITATES capability');
|
|
6243
|
+
}
|
|
6244
|
+
languageConsistency = this.assessFacilitationLanguage(text);
|
|
6245
|
+
break;
|
|
6246
|
+
case 'governance':
|
|
6247
|
+
// Validate GOVERNANCE claim
|
|
6248
|
+
if (governancePercentage >= 60 || actualAnalysis.capabilities.governance) {
|
|
6249
|
+
alignmentScore = 85;
|
|
6250
|
+
strengths.push('Strong governance element coverage and policy management language');
|
|
6251
|
+
}
|
|
6252
|
+
else {
|
|
6253
|
+
alignmentScore = Math.max(30, governancePercentage);
|
|
6254
|
+
gaps.push(`Governance element coverage (${Math.round(governancePercentage)}%) below expected threshold (60%)`);
|
|
6255
|
+
}
|
|
6256
|
+
languageConsistency = this.assessGovernanceLanguage(text);
|
|
6257
|
+
break;
|
|
6258
|
+
case 'validates':
|
|
6259
|
+
// Validate VALIDATES claim
|
|
6260
|
+
if (actualAnalysis.capabilities.validates) {
|
|
6261
|
+
alignmentScore = 85;
|
|
6262
|
+
strengths.push('Contains evidence collection and reporting capabilities');
|
|
6263
|
+
}
|
|
6264
|
+
else {
|
|
6265
|
+
alignmentScore = 30;
|
|
6266
|
+
gaps.push('Lacks validation language (audit, report, evidence, verify, monitor)');
|
|
6267
|
+
}
|
|
6268
|
+
languageConsistency = this.assessValidationLanguage(text);
|
|
6269
|
+
break;
|
|
6270
|
+
default:
|
|
6271
|
+
alignmentScore = 0;
|
|
6272
|
+
gaps.push(`Unknown capability type: ${claimedCapability}`);
|
|
6273
|
+
languageConsistency = 0;
|
|
6274
|
+
}
|
|
6275
|
+
// Determine overall status
|
|
6276
|
+
let status;
|
|
6277
|
+
if (alignmentScore >= 70) {
|
|
6278
|
+
status = 'SUPPORTED';
|
|
6279
|
+
}
|
|
6280
|
+
else if (alignmentScore >= 40) {
|
|
6281
|
+
status = 'QUESTIONABLE';
|
|
6282
|
+
}
|
|
6283
|
+
else {
|
|
6284
|
+
status = 'UNSUPPORTED';
|
|
6285
|
+
}
|
|
6286
|
+
// Generate recommendations
|
|
6287
|
+
if (gaps.length > 0) {
|
|
6288
|
+
recommendations.push('Address identified gaps to strengthen capability claim');
|
|
6289
|
+
}
|
|
6290
|
+
if (status === 'QUESTIONABLE') {
|
|
6291
|
+
recommendations.push('Provide additional evidence or clarify scope to support claim');
|
|
6292
|
+
}
|
|
6293
|
+
const feedback = this.generateValidationFeedback(claimedCapability, status, gaps, strengths, alignmentScore);
|
|
6294
|
+
return {
|
|
6295
|
+
status,
|
|
6296
|
+
confidence: Math.round(alignmentScore),
|
|
6297
|
+
languageConsistency: Math.round(languageConsistency),
|
|
6298
|
+
gaps,
|
|
6299
|
+
strengths,
|
|
6300
|
+
recommendations,
|
|
6301
|
+
feedback
|
|
6302
|
+
};
|
|
6303
|
+
}
|
|
6304
|
+
hasFacilitationLanguage(text) {
|
|
6305
|
+
const facilitationPatterns = [
|
|
6306
|
+
'enables', 'facilitates', 'supports', 'helps', 'provides framework',
|
|
6307
|
+
'creates infrastructure', 'enables organizations', 'supports compliance',
|
|
6308
|
+
'provides data', 'enriches', 'supplements', 'feeds data'
|
|
6309
|
+
];
|
|
6310
|
+
return facilitationPatterns.some(pattern => text.includes(pattern));
|
|
6311
|
+
}
|
|
6312
|
+
hasScopeBoundaries(text) {
|
|
6313
|
+
const boundaryPatterns = [
|
|
6314
|
+
'covers', 'but not', 'limited to', 'specifically', 'only', 'excludes',
|
|
6315
|
+
'scope includes', 'scope excludes', 'within', 'applies to'
|
|
6316
|
+
];
|
|
6317
|
+
return boundaryPatterns.some(pattern => text.includes(pattern));
|
|
6318
|
+
}
|
|
6319
|
+
hasDirectImplementationLanguage(text) {
|
|
6320
|
+
const implementationPatterns = [
|
|
6321
|
+
'directly implements', 'performs', 'executes', 'scans', 'catalogs',
|
|
6322
|
+
'inventories', 'manages assets', 'controls access', 'blocks threats'
|
|
6323
|
+
];
|
|
6324
|
+
return implementationPatterns.some(pattern => text.includes(pattern));
|
|
6325
|
+
}
|
|
6326
|
+
assessImplementationLanguage(text) {
|
|
6327
|
+
const implementationKeywords = [
|
|
6328
|
+
'implements', 'performs', 'executes', 'manages', 'controls', 'maintains',
|
|
6329
|
+
'establishes', 'configures', 'monitors', 'tracks', 'inventories'
|
|
6330
|
+
];
|
|
6331
|
+
return this.calculateKeywordScore(text, implementationKeywords) * 100;
|
|
6332
|
+
}
|
|
6333
|
+
assessFacilitationLanguage(text) {
|
|
6334
|
+
const facilitationKeywords = [
|
|
6335
|
+
'enables', 'facilitates', 'supports', 'helps', 'enhances', 'improves',
|
|
6336
|
+
'streamlines', 'automates', 'optimizes', 'provides framework'
|
|
6337
|
+
];
|
|
6338
|
+
return this.calculateKeywordScore(text, facilitationKeywords) * 100;
|
|
6339
|
+
}
|
|
6340
|
+
assessGovernanceLanguage(text) {
|
|
6341
|
+
const governanceKeywords = [
|
|
6342
|
+
'policy', 'governance', 'compliance', 'oversight', 'management',
|
|
6343
|
+
'framework', 'procedures', 'processes', 'controls', 'standards'
|
|
6344
|
+
];
|
|
6345
|
+
return this.calculateKeywordScore(text, governanceKeywords) * 100;
|
|
6346
|
+
}
|
|
6347
|
+
assessValidationLanguage(text) {
|
|
6348
|
+
const validationKeywords = [
|
|
6349
|
+
'audit', 'validate', 'verify', 'report', 'evidence', 'monitor',
|
|
6350
|
+
'assess', 'check', 'review', 'attest', 'compliance', 'compliance tracking',
|
|
6351
|
+
'compliance reports', 'audit capabilities', 'audit trail', 'reporting capabilities'
|
|
6352
|
+
];
|
|
6353
|
+
return this.calculateKeywordScore(text, validationKeywords) * 100;
|
|
6354
|
+
}
|
|
6355
|
+
generateValidationFeedback(claimedCapability, status, gaps, strengths, score) {
|
|
6356
|
+
let feedback = `Validation of ${claimedCapability.toUpperCase()} capability claim: ${status} (${Math.round(score)}% alignment)\n\n`;
|
|
6357
|
+
if (strengths.length > 0) {
|
|
6358
|
+
feedback += `STRENGTHS:\n${strengths.map(s => `⢠${s}`).join('\n')}\n\n`;
|
|
6359
|
+
}
|
|
6360
|
+
if (gaps.length > 0) {
|
|
6361
|
+
feedback += `GAPS IDENTIFIED:\n${gaps.map(g => `⢠${g}`).join('\n')}\n\n`;
|
|
6362
|
+
}
|
|
6363
|
+
feedback += `ASSESSMENT: `;
|
|
6364
|
+
switch (status) {
|
|
6365
|
+
case 'SUPPORTED':
|
|
6366
|
+
feedback += 'The vendor\'s supporting evidence strongly aligns with their claimed capability.';
|
|
6367
|
+
break;
|
|
6368
|
+
case 'QUESTIONABLE':
|
|
6369
|
+
feedback += 'The vendor\'s evidence partially supports their claim but has notable gaps or inconsistencies.';
|
|
6370
|
+
break;
|
|
6371
|
+
case 'UNSUPPORTED':
|
|
6372
|
+
feedback += 'The vendor\'s evidence does not adequately support their claimed capability.';
|
|
6373
|
+
break;
|
|
6374
|
+
}
|
|
6375
|
+
return feedback;
|
|
6376
|
+
}
|
|
6077
6377
|
async run() {
|
|
6078
6378
|
const transport = new StdioServerTransport();
|
|
6079
6379
|
await this.server.connect(transport);
|