framework-mcp 1.1.0 ā 1.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +155 -9
- package/dist/index.d.ts +13 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +459 -12
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
- package/src/index.ts +581 -11
package/README.md
CHANGED
|
@@ -44,6 +44,17 @@ The server uses the CIS Controls visual framework with color-coded categorizatio
|
|
|
44
44
|
npm install -g framework-mcp
|
|
45
45
|
```
|
|
46
46
|
|
|
47
|
+
### Update to Latest Version
|
|
48
|
+
```bash
|
|
49
|
+
npm update -g framework-mcp
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
Or reinstall to get the latest version:
|
|
53
|
+
```bash
|
|
54
|
+
npm uninstall -g framework-mcp
|
|
55
|
+
npm install -g framework-mcp
|
|
56
|
+
```
|
|
57
|
+
|
|
47
58
|
### Install from source
|
|
48
59
|
```bash
|
|
49
60
|
git clone https://github.com/therealcybermattlee/FrameworkMCP.git
|
|
@@ -115,8 +126,21 @@ claude-code "Analyze the vendor responses in vendors.csv and provide recommendat
|
|
|
115
126
|
claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"
|
|
116
127
|
```
|
|
117
128
|
|
|
129
|
+
### Validate Vendor Capability Claims
|
|
130
|
+
|
|
131
|
+
**NEW**: Validate whether a vendor's stated capability mapping is actually supported by their explanatory text.
|
|
132
|
+
|
|
133
|
+
```bash
|
|
134
|
+
claude-code "Validate this vendor capability claim:
|
|
135
|
+
Vendor: SecureAssets Corp
|
|
136
|
+
Safeguard: 1.1
|
|
137
|
+
Claimed Capability: FULL
|
|
138
|
+
Supporting Text: 'Our comprehensive asset management platform performs automated discovery of all enterprise devices, maintains detailed hardware and software inventories, tracks ownership and location data, provides real-time asset status monitoring, and includes documented inventory procedures with bi-annual review capabilities.'"
|
|
139
|
+
```
|
|
140
|
+
|
|
118
141
|
## š Sample Output
|
|
119
142
|
|
|
143
|
+
### Standard Analysis Output
|
|
120
144
|
```json
|
|
121
145
|
{
|
|
122
146
|
"vendor": "SecureIAM Corp",
|
|
@@ -146,16 +170,82 @@ claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-e
|
|
|
146
170
|
}
|
|
147
171
|
```
|
|
148
172
|
|
|
173
|
+
### Validation Tool Output
|
|
174
|
+
```json
|
|
175
|
+
{
|
|
176
|
+
"vendor": "SecureAssets Corp",
|
|
177
|
+
"safeguard_id": "1.1",
|
|
178
|
+
"safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
|
|
179
|
+
"claimed_capability": "full",
|
|
180
|
+
"validation_status": "SUPPORTED",
|
|
181
|
+
"confidence_score": 85,
|
|
182
|
+
"evidence_analysis": {
|
|
183
|
+
"core_requirements_coverage": 100,
|
|
184
|
+
"sub_elements_coverage": 47,
|
|
185
|
+
"governance_alignment": 80,
|
|
186
|
+
"language_consistency": 90
|
|
187
|
+
},
|
|
188
|
+
"domain_validation": {
|
|
189
|
+
"required_tool_type": "inventory",
|
|
190
|
+
"detected_tool_type": "inventory",
|
|
191
|
+
"domain_match": true,
|
|
192
|
+
"capability_adjusted": false
|
|
193
|
+
},
|
|
194
|
+
"gaps_identified": [],
|
|
195
|
+
"strengths_identified": [
|
|
196
|
+
"High coverage of core requirements and sub-elements",
|
|
197
|
+
"Strong implementation language consistency",
|
|
198
|
+
"Appropriate tool type for safeguard domain"
|
|
199
|
+
],
|
|
200
|
+
"recommendations": [],
|
|
201
|
+
"detailed_feedback": "Validation of FULL capability claim: SUPPORTED (85% alignment)\n\nSTRENGTHS:\n⢠High coverage of core requirements and sub-elements\n⢠Strong implementation language consistency\n⢠Appropriate tool type for safeguard domain\n\nASSESSMENT: The vendor's supporting evidence strongly aligns with their claimed capability."
|
|
202
|
+
}
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
### Domain Mismatch Example Output
|
|
206
|
+
```json
|
|
207
|
+
{
|
|
208
|
+
"vendor": "ThreatIntel Pro",
|
|
209
|
+
"safeguard_id": "1.1",
|
|
210
|
+
"safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
|
|
211
|
+
"claimed_capability": "facilitates",
|
|
212
|
+
"validation_status": "QUESTIONABLE",
|
|
213
|
+
"confidence_score": 45,
|
|
214
|
+
"evidence_analysis": {
|
|
215
|
+
"core_requirements_coverage": 65,
|
|
216
|
+
"sub_elements_coverage": 20,
|
|
217
|
+
"governance_alignment": 30,
|
|
218
|
+
"language_consistency": 75
|
|
219
|
+
},
|
|
220
|
+
"domain_validation": {
|
|
221
|
+
"required_tool_type": "inventory",
|
|
222
|
+
"detected_tool_type": "threat_intelligence",
|
|
223
|
+
"domain_match": false,
|
|
224
|
+
"capability_adjusted": true,
|
|
225
|
+
"original_claim": "full"
|
|
226
|
+
},
|
|
227
|
+
"gaps_identified": [
|
|
228
|
+
"Tool type mismatch: threat_intelligence tools cannot provide FULL coverage for Asset Inventory safeguards"
|
|
229
|
+
],
|
|
230
|
+
"strengths_identified": [
|
|
231
|
+
"Good language consistency in supporting text"
|
|
232
|
+
],
|
|
233
|
+
"recommendations": [
|
|
234
|
+
"Consider repositioning as FACILITATES capability to align with tool type"
|
|
235
|
+
],
|
|
236
|
+
"detailed_feedback": "DOMAIN VALIDATION: Tool type 'threat_intelligence' cannot provide FULL coverage for safeguard 1.1 (Asset Inventory). Capability automatically adjusted from FULL to FACILITATES.\n\nThe vendor's claim has been downgraded due to domain mismatch, though evidence quality is reasonable for facilitation capabilities."
|
|
237
|
+
}
|
|
238
|
+
```
|
|
239
|
+
|
|
149
240
|
## š§ Available Tools
|
|
150
241
|
|
|
151
242
|
| Tool | Description |
|
|
152
243
|
|------|-------------|
|
|
153
244
|
| `analyze_vendor_response` | Analyze vendor response for specific safeguard |
|
|
245
|
+
| `validate_vendor_mapping` | **NEW** Validate vendor's claimed capability against supporting evidence |
|
|
154
246
|
| `validate_coverage_claim` | Validate FULL/PARTIAL coverage claims |
|
|
155
247
|
| `get_safeguard_details` | Get detailed safeguard breakdown |
|
|
156
248
|
| `list_available_safeguards` | List all available CIS safeguards |
|
|
157
|
-
| `generate_coverage_report` | Generate detailed coverage analysis |
|
|
158
|
-
| `export_analysis` | Export results to JSON/CSV/Markdown |
|
|
159
249
|
|
|
160
250
|
## š File Formats Supported
|
|
161
251
|
|
|
@@ -185,16 +275,72 @@ Vendor: AnotherVendor - Safeguard: 6.3
|
|
|
185
275
|
Another response...
|
|
186
276
|
```
|
|
187
277
|
|
|
278
|
+
## š Vendor Mapping Validation
|
|
279
|
+
|
|
280
|
+
The **validate_vendor_mapping** tool provides evidence-based validation of vendor capability claims. This addresses a critical need: vendors often self-assess their capabilities, but practitioners need to verify whether the supporting evidence actually justifies the claimed mapping.
|
|
281
|
+
|
|
282
|
+
### Validation Criteria
|
|
283
|
+
|
|
284
|
+
| Capability | Requirements | Validation Thresholds |
|
|
285
|
+
|------------|-------------|----------------------|
|
|
286
|
+
| **FULL** | Complete implementation within scope | ā„70% core requirements + ā„40% sub-elements |
|
|
287
|
+
| **PARTIAL** | Limited scope with clear boundaries | ā„30% core requirements OR some core + ā„20% sub-elements |
|
|
288
|
+
| **FACILITATES** | Enables/enhances implementation | Facilitation language present, no direct implementation claims |
|
|
289
|
+
| **GOVERNANCE** | Policy/process management | ā„60% governance elements + policy language |
|
|
290
|
+
| **VALIDATES** | Evidence collection & reporting | Audit/monitoring/reporting capabilities present |
|
|
291
|
+
|
|
292
|
+
### Domain-Specific Validation Rules
|
|
293
|
+
|
|
294
|
+
**CRITICAL**: The validation tool enforces domain-specific requirements for capability claims:
|
|
295
|
+
|
|
296
|
+
| Safeguard | Domain | Required Tool Types | Rule |
|
|
297
|
+
|-----------|--------|-------------------|------|
|
|
298
|
+
| **1.1** | Asset Inventory | inventory, asset_management, cmdb, discovery | Only inventory tools can claim FULL/PARTIAL |
|
|
299
|
+
| **1.2** | Unauthorized Assets | inventory, asset_management, cmdb, discovery | Only inventory tools can claim FULL/PARTIAL |
|
|
300
|
+
| **5.1** | Account Inventory | identity_management, governance | Only identity/governance tools can claim FULL/PARTIAL |
|
|
301
|
+
| **6.3** | External MFA | identity_management | Only identity management tools can claim FULL/PARTIAL |
|
|
302
|
+
| **7.1** | Vulnerability Process | vulnerability_management, governance | Only vulnerability/governance tools can claim FULL/PARTIAL |
|
|
303
|
+
|
|
304
|
+
**Auto-Downgrade Logic**: When a tool type doesn't match the safeguard domain:
|
|
305
|
+
- **FULL/PARTIAL** claims ā Automatically downgraded to **FACILITATES**
|
|
306
|
+
- **FACILITATES/GOVERNANCE/VALIDATES** claims ā Remain unchanged
|
|
307
|
+
- Validation status becomes **QUESTIONABLE** with explanation
|
|
308
|
+
|
|
309
|
+
### Validation Statuses
|
|
310
|
+
|
|
311
|
+
- **SUPPORTED** (70-100%): Evidence strongly supports the claimed capability
|
|
312
|
+
- **QUESTIONABLE** (40-69%): Evidence partially supports but has notable gaps OR domain mismatch occurred
|
|
313
|
+
- **UNSUPPORTED** (0-39%): Evidence does not adequately support the claim
|
|
314
|
+
|
|
315
|
+
### Usage Examples
|
|
316
|
+
|
|
317
|
+
```bash
|
|
318
|
+
# Validate a FULL coverage claim (matching domain)
|
|
319
|
+
claude-code "Use validate_vendor_mapping for vendor 'AssetMax Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our platform provides comprehensive automated discovery, detailed inventory management, and complete asset lifecycle tracking for all enterprise devices including servers, workstations, and network equipment.'"
|
|
320
|
+
|
|
321
|
+
# Validate a FACILITATES claim
|
|
322
|
+
claude-code "Use validate_vendor_mapping for vendor 'ThreatIntel Feed', safeguard '1.1', claimed capability 'facilitates', with supporting text: 'Our threat intelligence service provides supplemental risk data that enriches existing asset management systems, enabling organizations to prioritize asset security based on threat exposure.'"
|
|
323
|
+
|
|
324
|
+
# Domain mismatch example (auto-downgraded)
|
|
325
|
+
claude-code "Use validate_vendor_mapping for vendor 'VulnScanner Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our vulnerability scanner performs comprehensive network discovery and maintains detailed device databases with complete visibility into enterprise infrastructure.'"
|
|
326
|
+
# Result: Downgraded from FULL to FACILITATES (vulnerability_management ā inventory tool)
|
|
327
|
+
|
|
328
|
+
# Questionable claim (insufficient evidence)
|
|
329
|
+
claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1.1', claimed capability 'full', with supporting text: 'We help track computers and provide some visibility into your IT environment.'"
|
|
330
|
+
```
|
|
331
|
+
|
|
188
332
|
## šÆ CIS Controls Coverage
|
|
189
333
|
|
|
190
|
-
|
|
191
|
-
- **
|
|
192
|
-
- **
|
|
193
|
-
- **
|
|
194
|
-
- **6.3** - MFA for Externally-Exposed Applications
|
|
195
|
-
- **7.1** - Vulnerability Management Process
|
|
334
|
+
**Complete CIS Controls v8.1 Framework Implementation**
|
|
335
|
+
- **153 total safeguards** across all 18 controls
|
|
336
|
+
- **Full framework coverage** from Controls 1-18
|
|
337
|
+
- **Comprehensive vendor analysis** capability for all CIS safeguards
|
|
196
338
|
|
|
197
|
-
|
|
339
|
+
### Current Version Highlights
|
|
340
|
+
- ā
**All 18 Controls** implemented (Enterprise Assets through Penetration Testing)
|
|
341
|
+
- ā
**Color-coded element categorization** (Orange/Green/Yellow/Gray)
|
|
342
|
+
- ā
**Enhanced capability detection** (Governance, Facilitates, Coverage, Validates)
|
|
343
|
+
- ā
**Production-ready** vendor analysis for complete compliance assessments
|
|
198
344
|
|
|
199
345
|
## š ļø Development
|
|
200
346
|
|
package/dist/index.d.ts
CHANGED
|
@@ -15,6 +15,19 @@ export declare class GRCAnalysisServer {
|
|
|
15
15
|
private generateEnhancedReasoning;
|
|
16
16
|
private generateCapabilityReasoning;
|
|
17
17
|
private validateClaim;
|
|
18
|
+
private validateVendorMapping;
|
|
19
|
+
private validateCapabilityClaim;
|
|
20
|
+
private assessClaimAlignment;
|
|
21
|
+
private hasFacilitationLanguage;
|
|
22
|
+
private hasScopeBoundaries;
|
|
23
|
+
private hasDirectImplementationLanguage;
|
|
24
|
+
private assessImplementationLanguage;
|
|
25
|
+
private assessFacilitationLanguage;
|
|
26
|
+
private assessGovernanceLanguage;
|
|
27
|
+
private assessValidationLanguage;
|
|
28
|
+
private detectToolType;
|
|
29
|
+
private validateDomainMatch;
|
|
30
|
+
private generateValidationFeedback;
|
|
18
31
|
run(): Promise<void>;
|
|
19
32
|
}
|
|
20
33
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AA+8KA,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;;IAavB,OAAO,CAAC,iBAAiB;YAiKX,mBAAmB;YA8CnB,uBAAuB;YAuCvB,qBAAqB;YAoBrB,qBAAqB;IA8BnC,OAAO,CAAC,gCAAgC;IAkKxC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,4BAA4B;IAwCpC,OAAO,CAAC,uBAAuB;IA6B/B,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAuEnC,OAAO,CAAC,aAAa;YAsFP,qBAAqB;IAyBnC,OAAO,CAAC,uBAAuB;IAiF/B,OAAO,CAAC,oBAAoB;IA4J5B,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,kBAAkB;IAQ1B,OAAO,CAAC,+BAA+B;IAQvC,OAAO,CAAC,4BAA4B;IAQpC,OAAO,CAAC,0BAA0B;IAQlC,OAAO,CAAC,wBAAwB;IAQhC,OAAO,CAAC,wBAAwB;IAShC,OAAO,CAAC,cAAc;IAqEtB,OAAO,CAAC,mBAAmB;IA6C3B,OAAO,CAAC,0BAA0B;IAiC5B,GAAG;CAKV"}
|