framework-mcp 1.1.0 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -44,6 +44,17 @@ The server uses the CIS Controls visual framework with color-coded categorizatio
44
44
  npm install -g framework-mcp
45
45
  ```
46
46
 
47
+ ### Update to Latest Version
48
+ ```bash
49
+ npm update -g framework-mcp
50
+ ```
51
+
52
+ Or reinstall to get the latest version:
53
+ ```bash
54
+ npm uninstall -g framework-mcp
55
+ npm install -g framework-mcp
56
+ ```
57
+
47
58
  ### Install from source
48
59
  ```bash
49
60
  git clone https://github.com/therealcybermattlee/FrameworkMCP.git
@@ -115,8 +126,21 @@ claude-code "Analyze the vendor responses in vendors.csv and provide recommendat
115
126
  claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"
116
127
  ```
117
128
 
129
+ ### Validate Vendor Capability Claims
130
+
131
+ **NEW**: Validate whether a vendor's stated capability mapping is actually supported by their explanatory text.
132
+
133
+ ```bash
134
+ claude-code "Validate this vendor capability claim:
135
+ Vendor: SecureAssets Corp
136
+ Safeguard: 1.1
137
+ Claimed Capability: FULL
138
+ Supporting Text: 'Our comprehensive asset management platform performs automated discovery of all enterprise devices, maintains detailed hardware and software inventories, tracks ownership and location data, provides real-time asset status monitoring, and includes documented inventory procedures with bi-annual review capabilities.'"
139
+ ```
140
+
118
141
  ## šŸ“Š Sample Output
119
142
 
143
+ ### Standard Analysis Output
120
144
  ```json
121
145
  {
122
146
  "vendor": "SecureIAM Corp",
@@ -146,16 +170,82 @@ claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-e
146
170
  }
147
171
  ```
148
172
 
173
+ ### Validation Tool Output
174
+ ```json
175
+ {
176
+ "vendor": "SecureAssets Corp",
177
+ "safeguard_id": "1.1",
178
+ "safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
179
+ "claimed_capability": "full",
180
+ "validation_status": "SUPPORTED",
181
+ "confidence_score": 85,
182
+ "evidence_analysis": {
183
+ "core_requirements_coverage": 100,
184
+ "sub_elements_coverage": 47,
185
+ "governance_alignment": 80,
186
+ "language_consistency": 90
187
+ },
188
+ "domain_validation": {
189
+ "required_tool_type": "inventory",
190
+ "detected_tool_type": "inventory",
191
+ "domain_match": true,
192
+ "capability_adjusted": false
193
+ },
194
+ "gaps_identified": [],
195
+ "strengths_identified": [
196
+ "High coverage of core requirements and sub-elements",
197
+ "Strong implementation language consistency",
198
+ "Appropriate tool type for safeguard domain"
199
+ ],
200
+ "recommendations": [],
201
+ "detailed_feedback": "Validation of FULL capability claim: SUPPORTED (85% alignment)\n\nSTRENGTHS:\n• High coverage of core requirements and sub-elements\n• Strong implementation language consistency\n• Appropriate tool type for safeguard domain\n\nASSESSMENT: The vendor's supporting evidence strongly aligns with their claimed capability."
202
+ }
203
+ ```
204
+
205
+ ### Domain Mismatch Example Output
206
+ ```json
207
+ {
208
+ "vendor": "ThreatIntel Pro",
209
+ "safeguard_id": "1.1",
210
+ "safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
211
+ "claimed_capability": "facilitates",
212
+ "validation_status": "QUESTIONABLE",
213
+ "confidence_score": 45,
214
+ "evidence_analysis": {
215
+ "core_requirements_coverage": 65,
216
+ "sub_elements_coverage": 20,
217
+ "governance_alignment": 30,
218
+ "language_consistency": 75
219
+ },
220
+ "domain_validation": {
221
+ "required_tool_type": "inventory",
222
+ "detected_tool_type": "threat_intelligence",
223
+ "domain_match": false,
224
+ "capability_adjusted": true,
225
+ "original_claim": "full"
226
+ },
227
+ "gaps_identified": [
228
+ "Tool type mismatch: threat_intelligence tools cannot provide FULL coverage for Asset Inventory safeguards"
229
+ ],
230
+ "strengths_identified": [
231
+ "Good language consistency in supporting text"
232
+ ],
233
+ "recommendations": [
234
+ "Consider repositioning as FACILITATES capability to align with tool type"
235
+ ],
236
+ "detailed_feedback": "DOMAIN VALIDATION: Tool type 'threat_intelligence' cannot provide FULL coverage for safeguard 1.1 (Asset Inventory). Capability automatically adjusted from FULL to FACILITATES.\n\nThe vendor's claim has been downgraded due to domain mismatch, though evidence quality is reasonable for facilitation capabilities."
237
+ }
238
+ ```
239
+
149
240
  ## šŸ”§ Available Tools
150
241
 
151
242
  | Tool | Description |
152
243
  |------|-------------|
153
244
  | `analyze_vendor_response` | Analyze vendor response for specific safeguard |
245
+ | `validate_vendor_mapping` | **NEW** Validate vendor's claimed capability against supporting evidence |
154
246
  | `validate_coverage_claim` | Validate FULL/PARTIAL coverage claims |
155
247
  | `get_safeguard_details` | Get detailed safeguard breakdown |
156
248
  | `list_available_safeguards` | List all available CIS safeguards |
157
- | `generate_coverage_report` | Generate detailed coverage analysis |
158
- | `export_analysis` | Export results to JSON/CSV/Markdown |
159
249
 
160
250
  ## šŸ“ File Formats Supported
161
251
 
@@ -185,16 +275,72 @@ Vendor: AnotherVendor - Safeguard: 6.3
185
275
  Another response...
186
276
  ```
187
277
 
278
+ ## šŸ†• Vendor Mapping Validation
279
+
280
+ The **validate_vendor_mapping** tool provides evidence-based validation of vendor capability claims. This addresses a critical need: vendors often self-assess their capabilities, but practitioners need to verify whether the supporting evidence actually justifies the claimed mapping.
281
+
282
+ ### Validation Criteria
283
+
284
+ | Capability | Requirements | Validation Thresholds |
285
+ |------------|-------------|----------------------|
286
+ | **FULL** | Complete implementation within scope | ≄70% core requirements + ≄40% sub-elements |
287
+ | **PARTIAL** | Limited scope with clear boundaries | ≄30% core requirements OR some core + ≄20% sub-elements |
288
+ | **FACILITATES** | Enables/enhances implementation | Facilitation language present, no direct implementation claims |
289
+ | **GOVERNANCE** | Policy/process management | ≄60% governance elements + policy language |
290
+ | **VALIDATES** | Evidence collection & reporting | Audit/monitoring/reporting capabilities present |
291
+
292
+ ### Domain-Specific Validation Rules
293
+
294
+ **CRITICAL**: The validation tool enforces domain-specific requirements for capability claims:
295
+
296
+ | Safeguard | Domain | Required Tool Types | Rule |
297
+ |-----------|--------|-------------------|------|
298
+ | **1.1** | Asset Inventory | inventory, asset_management, cmdb, discovery | Only inventory tools can claim FULL/PARTIAL |
299
+ | **1.2** | Unauthorized Assets | inventory, asset_management, cmdb, discovery | Only inventory tools can claim FULL/PARTIAL |
300
+ | **5.1** | Account Inventory | identity_management, governance | Only identity/governance tools can claim FULL/PARTIAL |
301
+ | **6.3** | External MFA | identity_management | Only identity management tools can claim FULL/PARTIAL |
302
+ | **7.1** | Vulnerability Process | vulnerability_management, governance | Only vulnerability/governance tools can claim FULL/PARTIAL |
303
+
304
+ **Auto-Downgrade Logic**: When a tool type doesn't match the safeguard domain:
305
+ - **FULL/PARTIAL** claims → Automatically downgraded to **FACILITATES**
306
+ - **FACILITATES/GOVERNANCE/VALIDATES** claims → Remain unchanged
307
+ - Validation status becomes **QUESTIONABLE** with explanation
308
+
309
+ ### Validation Statuses
310
+
311
+ - **SUPPORTED** (70-100%): Evidence strongly supports the claimed capability
312
+ - **QUESTIONABLE** (40-69%): Evidence partially supports but has notable gaps OR domain mismatch occurred
313
+ - **UNSUPPORTED** (0-39%): Evidence does not adequately support the claim
314
+
315
+ ### Usage Examples
316
+
317
+ ```bash
318
+ # Validate a FULL coverage claim (matching domain)
319
+ claude-code "Use validate_vendor_mapping for vendor 'AssetMax Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our platform provides comprehensive automated discovery, detailed inventory management, and complete asset lifecycle tracking for all enterprise devices including servers, workstations, and network equipment.'"
320
+
321
+ # Validate a FACILITATES claim
322
+ claude-code "Use validate_vendor_mapping for vendor 'ThreatIntel Feed', safeguard '1.1', claimed capability 'facilitates', with supporting text: 'Our threat intelligence service provides supplemental risk data that enriches existing asset management systems, enabling organizations to prioritize asset security based on threat exposure.'"
323
+
324
+ # Domain mismatch example (auto-downgraded)
325
+ claude-code "Use validate_vendor_mapping for vendor 'VulnScanner Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our vulnerability scanner performs comprehensive network discovery and maintains detailed device databases with complete visibility into enterprise infrastructure.'"
326
+ # Result: Downgraded from FULL to FACILITATES (vulnerability_management ≠ inventory tool)
327
+
328
+ # Questionable claim (insufficient evidence)
329
+ claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1.1', claimed capability 'full', with supporting text: 'We help track computers and provide some visibility into your IT environment.'"
330
+ ```
331
+
188
332
  ## šŸŽÆ CIS Controls Coverage
189
333
 
190
- Currently supports key safeguards including:
191
- - **1.1** - Enterprise Asset Inventory
192
- - **1.2** - Address Unauthorized Assets
193
- - **5.1** - Inventory of Accounts
194
- - **6.3** - MFA for Externally-Exposed Applications
195
- - **7.1** - Vulnerability Management Process
334
+ **Complete CIS Controls v8.1 Framework Implementation**
335
+ - **153 total safeguards** across all 18 controls
336
+ - **Full framework coverage** from Controls 1-18
337
+ - **Comprehensive vendor analysis** capability for all CIS safeguards
196
338
 
197
- *Additional safeguards can be easily added to the framework.*
339
+ ### Current Version Highlights
340
+ - āœ… **All 18 Controls** implemented (Enterprise Assets through Penetration Testing)
341
+ - āœ… **Color-coded element categorization** (Orange/Green/Yellow/Gray)
342
+ - āœ… **Enhanced capability detection** (Governance, Facilitates, Coverage, Validates)
343
+ - āœ… **Production-ready** vendor analysis for complete compliance assessments
198
344
 
199
345
  ## šŸ› ļø Development
200
346
 
package/dist/index.d.ts CHANGED
@@ -15,6 +15,19 @@ export declare class GRCAnalysisServer {
15
15
  private generateEnhancedReasoning;
16
16
  private generateCapabilityReasoning;
17
17
  private validateClaim;
18
+ private validateVendorMapping;
19
+ private validateCapabilityClaim;
20
+ private assessClaimAlignment;
21
+ private hasFacilitationLanguage;
22
+ private hasScopeBoundaries;
23
+ private hasDirectImplementationLanguage;
24
+ private assessImplementationLanguage;
25
+ private assessFacilitationLanguage;
26
+ private assessGovernanceLanguage;
27
+ private assessValidationLanguage;
28
+ private detectToolType;
29
+ private validateDomainMatch;
30
+ private generateValidationFeedback;
18
31
  run(): Promise<void>;
19
32
  }
20
33
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAo5KA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;;IAavB,OAAO,CAAC,iBAAiB;YAkIX,mBAAmB;YA8CnB,uBAAuB;YAuCvB,qBAAqB;YAoBrB,qBAAqB;IA8BnC,OAAO,CAAC,gCAAgC;IAqJxC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,4BAA4B;IAwCpC,OAAO,CAAC,uBAAuB;IA6B/B,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAuEnC,OAAO,CAAC,aAAa;IAsFf,GAAG;CAKV"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AA+8KA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;;IAavB,OAAO,CAAC,iBAAiB;YAiKX,mBAAmB;YA8CnB,uBAAuB;YAuCvB,qBAAqB;YAoBrB,qBAAqB;IA8BnC,OAAO,CAAC,gCAAgC;IAkKxC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,4BAA4B;IAwCpC,OAAO,CAAC,uBAAuB;IA6B/B,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAuEnC,OAAO,CAAC,aAAa;YAsFP,qBAAqB;IAyBnC,OAAO,CAAC,uBAAuB;IAiF/B,OAAO,CAAC,oBAAoB;IA4J5B,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,kBAAkB;IAQ1B,OAAO,CAAC,+BAA+B;IAQvC,OAAO,CAAC,4BAA4B;IAQpC,OAAO,CAAC,0BAA0B;IAQlC,OAAO,CAAC,wBAAwB;IAQhC,OAAO,CAAC,wBAAwB;IAShC,OAAO,CAAC,cAAc;IAqEtB,OAAO,CAAC,mBAAmB;IA6C3B,OAAO,CAAC,0BAA0B;IAiC5B,GAAG;CAKV"}