framework-mcp 1.1.3 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/.do/app.yaml +78 -0
  2. package/COPILOT_INTEGRATION.md +335 -0
  3. package/DEPLOYMENT_GUIDE.md +335 -0
  4. package/README.md +96 -3
  5. package/RELEASE_NOTES_v1.2.0.md +396 -0
  6. package/dist/core/capability-analyzer.d.ts +29 -0
  7. package/dist/core/capability-analyzer.d.ts.map +1 -0
  8. package/dist/core/capability-analyzer.js +568 -0
  9. package/dist/core/capability-analyzer.js.map +1 -0
  10. package/dist/core/safeguard-manager.d.ts +15 -0
  11. package/dist/core/safeguard-manager.d.ts.map +1 -0
  12. package/dist/core/safeguard-manager.js +315 -0
  13. package/dist/core/safeguard-manager.js.map +1 -0
  14. package/dist/index.d.ts +4 -0
  15. package/dist/index.d.ts.map +1 -1
  16. package/dist/index.js +13 -0
  17. package/dist/index.js.map +1 -1
  18. package/dist/interfaces/http/http-server.d.ts +17 -0
  19. package/dist/interfaces/http/http-server.d.ts.map +1 -0
  20. package/dist/interfaces/http/http-server.js +285 -0
  21. package/dist/interfaces/http/http-server.js.map +1 -0
  22. package/dist/interfaces/mcp/mcp-server.d.ts +18 -0
  23. package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -0
  24. package/dist/interfaces/mcp/mcp-server.js +299 -0
  25. package/dist/interfaces/mcp/mcp-server.js.map +1 -0
  26. package/dist/shared/types.d.ts +89 -0
  27. package/dist/shared/types.d.ts.map +1 -0
  28. package/dist/shared/types.js +3 -0
  29. package/dist/shared/types.js.map +1 -0
  30. package/package.json +23 -7
  31. package/src/core/capability-analyzer.ts +708 -0
  32. package/src/core/safeguard-manager.ts +339 -0
  33. package/src/index.ts +17 -0
  34. package/src/interfaces/http/http-server.ts +360 -0
  35. package/src/interfaces/mcp/mcp-server.ts +367 -0
  36. package/src/shared/types.ts +104 -0
  37. package/swagger.json +718 -0
package/.do/app.yaml ADDED
@@ -0,0 +1,78 @@
1
+ # DigitalOcean App Services Configuration
2
+ # Solves the stdio vs HTTP architecture mismatch
3
+
4
+ name: framework-mcp-api
5
+ region: nyc
6
+
7
+ services:
8
+ - name: api
9
+ source_dir: /
10
+ github:
11
+ repo: therealcybermattlee/FrameworkMCP
12
+ branch: feature/dual-architecture-http-api
13
+ deploy_on_push: true
14
+
15
+ # HTTP server configuration (NOT stdio)
16
+ run_command: npm run start:http
17
+
18
+ # DigitalOcean App Services requirements
19
+ environment_slug: node-js
20
+ instance_count: 1
21
+ instance_size_slug: basic-xxs
22
+
23
+ # HTTP port configuration (required for DigitalOcean)
24
+ http_port: 8080
25
+
26
+ # Health check configuration (required)
27
+ health_check:
28
+ http_path: /health
29
+ initial_delay_seconds: 60
30
+ period_seconds: 10
31
+ timeout_seconds: 5
32
+ success_threshold: 1
33
+ failure_threshold: 3
34
+
35
+ # Environment variables
36
+ envs:
37
+ - key: NODE_ENV
38
+ value: production
39
+ - key: PORT
40
+ value: "8080"
41
+ - key: ALLOWED_ORIGINS
42
+ value: "https://your-domain.com,https://app.your-domain.com"
43
+
44
+ # Resource allocation
45
+ cpu_count: 1
46
+ memory_mb: 512
47
+
48
+ # Auto-scaling configuration
49
+ instance_count: 1
50
+ instance_size_slug: basic-xxs
51
+
52
+ # Logging configuration
53
+ logs:
54
+ - name: app
55
+ location: /var/log/app.log
56
+
57
+ # Optional: Custom domain configuration
58
+ # domains:
59
+ # - domain: api.your-domain.com
60
+ # type: PRIMARY
61
+
62
+ # Database configuration (if needed in future)
63
+ # databases:
64
+ # - name: framework-db
65
+ # engine: PG
66
+ # version: "14"
67
+ # production: false
68
+ # size: basic-xxs
69
+
70
+ # Static site for documentation (optional)
71
+ # static_sites:
72
+ # - name: docs
73
+ # source_dir: /docs
74
+ # github:
75
+ # repo: therealcybermattlee/FrameworkMCP
76
+ # branch: main
77
+ # build_command: npm run build:docs
78
+ # output_dir: /dist
@@ -0,0 +1,335 @@
1
+ # Microsoft Copilot Integration Guide
2
+
3
+ This guide provides step-by-step instructions for integrating Framework MCP with Microsoft Copilot using custom connectors.
4
+
5
+ ## Overview
6
+
7
+ Framework MCP provides a dual-architecture solution that enables both Model Context Protocol (MCP) integration with Claude Code and HTTP API integration with Microsoft Copilot. This allows security professionals to access CIS Controls capability assessment through their preferred AI platform.
8
+
9
+ ## Prerequisites
10
+
11
+ - **Microsoft Copilot Studio** access (Microsoft 365 Business license or higher)
12
+ - **Deployed Framework MCP HTTP API** (DigitalOcean, Railway, Render, or other cloud platform)
13
+ - **Administrative permissions** in your Microsoft environment
14
+
15
+ ## Quick Start
16
+
17
+ ### 1. Deploy the HTTP API
18
+
19
+ First, deploy Framework MCP to a cloud platform. Choose one of these options:
20
+
21
+ #### Option A: DigitalOcean App Services (Recommended)
22
+ ```bash
23
+ git clone https://github.com/therealcybermattlee/FrameworkMCP.git
24
+ cd FrameworkMCP
25
+ doctl apps create .do/app.yaml
26
+ ```
27
+
28
+ #### Option B: Railway
29
+ ```bash
30
+ railway login
31
+ railway up
32
+ ```
33
+
34
+ #### Option C: Render
35
+ 1. Connect your GitHub repository to Render
36
+ 2. Use these settings:
37
+ - **Build Command**: `npm install && npm run build`
38
+ - **Start Command**: `npm run start:http`
39
+ - **Port**: 8080
40
+
41
+ ### 2. Verify Deployment
42
+
43
+ Test your deployed API:
44
+ ```bash
45
+ curl https://your-api-url.com/health
46
+ ```
47
+
48
+ Expected response:
49
+ ```json
50
+ {
51
+ "status": "healthy",
52
+ "uptime": 1234,
53
+ "totalRequests": 0,
54
+ "errorCount": 0,
55
+ "version": "1.2.0",
56
+ "timestamp": "2025-08-21T01:00:00.000Z"
57
+ }
58
+ ```
59
+
60
+ ### 3. Create Custom Connector in Copilot Studio
61
+
62
+ 1. **Open Microsoft Copilot Studio**
63
+ - Navigate to [https://copilotstudio.microsoft.com](https://copilotstudio.microsoft.com)
64
+ - Sign in with your Microsoft 365 account
65
+
66
+ 2. **Access Custom Connectors**
67
+ - In the left navigation, click **Data**
68
+ - Select **Custom connectors**
69
+
70
+ 3. **Import OpenAPI Specification**
71
+ - Click **+ New custom connector**
72
+ - Choose **Import from OpenAPI file**
73
+ - Upload the `swagger.json` file from the Framework MCP repository
74
+ - Click **Continue**
75
+
76
+ 4. **Configure Connector Details**
77
+ - **Name**: Framework MCP - CIS Controls Capability Assessment
78
+ - **Description**: Validate vendor capability claims against CIS Controls Framework
79
+ - **Host**: Update to your deployed API URL (e.g., `your-app.ondigitalocean.app`)
80
+ - **Base URL**: `/`
81
+
82
+ 5. **Review and Save**
83
+ - Review the imported endpoints
84
+ - Click **Create connector**
85
+
86
+ ### 4. Test the Connection
87
+
88
+ 1. **Create Test Connection**
89
+ - Click **Test** in your custom connector
90
+ - No authentication is required (public API)
91
+ - Click **Create connection**
92
+
93
+ 2. **Test Health Endpoint**
94
+ - Select the `healthCheck` operation
95
+ - Click **Test operation**
96
+ - Verify you receive a 200 response with health status
97
+
98
+ ### 5. Create Your Copilot
99
+
100
+ 1. **Create New Copilot**
101
+ - Go to **Copilots** in Copilot Studio
102
+ - Click **+ New copilot**
103
+ - Choose **Conversational** type
104
+ - Name: "CIS Controls Capability Assessor"
105
+
106
+ 2. **Add Custom Actions**
107
+ - In your copilot, go to **Actions**
108
+ - Click **+ Add action**
109
+ - Select **Custom connector**
110
+ - Choose your Framework MCP connector
111
+
112
+ ## Custom Actions Configuration
113
+
114
+ ### Primary Action: Validate Vendor Capability
115
+
116
+ Configure this action for evidence-based validation:
117
+
118
+ **Action Details:**
119
+ - **Name**: Validate Vendor Capability Mapping
120
+ - **Description**: Validate vendor capability claims against CIS Controls with domain validation and auto-downgrade protection
121
+ - **Connector**: Framework MCP Custom Connector
122
+ - **Operation**: `validateVendorMapping`
123
+
124
+ **Parameters:**
125
+ - **vendor_name** (Required): Name of the vendor/tool being analyzed
126
+ - **safeguard_id** (Required): CIS safeguard ID (e.g., "1.1", "5.1", "12.8")
127
+ - **claimed_capability** (Required): Capability role (full, partial, facilitates, governance, validates)
128
+ - **supporting_text** (Required): Vendor response supporting their capability claim
129
+
130
+ **Sample Input:**
131
+ ```json
132
+ {
133
+ "vendor_name": "CrowdStrike Falcon",
134
+ "safeguard_id": "1.1",
135
+ "claimed_capability": "full",
136
+ "supporting_text": "Our platform provides comprehensive enterprise asset inventory with real-time discovery, automated classification, and continuous monitoring of all hardware and software assets across the organization."
137
+ }
138
+ ```
139
+
140
+ ### Secondary Action: Analyze Vendor Response
141
+
142
+ Configure this action for capability determination:
143
+
144
+ **Action Details:**
145
+ - **Name**: Analyze Vendor Response
146
+ - **Description**: Determine appropriate capability role for vendor response text
147
+ - **Connector**: Framework MCP Custom Connector
148
+ - **Operation**: `analyzeVendorResponse`
149
+
150
+ **Parameters:**
151
+ - **vendor_name** (Required): Name of the vendor
152
+ - **safeguard_id** (Required): CIS safeguard ID
153
+ - **response_text** (Required): Vendor response text to analyze
154
+
155
+ ### Additional Actions: Safeguard Information
156
+
157
+ **Get Safeguard Details:**
158
+ - **Operation**: `getSafeguardDetails`
159
+ - **Parameters**: safeguard_id, include_examples (optional)
160
+
161
+ **List Available Safeguards:**
162
+ - **Operation**: `listSafeguards`
163
+ - **Parameters**: None
164
+
165
+ ## Example User Interactions
166
+
167
+ Once configured, users can interact with your Copilot using natural language:
168
+
169
+ ### Capability Validation Examples
170
+
171
+ ```
172
+ "Validate this vendor capability: Microsoft Defender for Endpoint claims FULL coverage for safeguard 1.1. Their response: 'Microsoft Defender provides comprehensive asset discovery, detailed hardware and software inventory, and real-time asset status monitoring across all enterprise endpoints.'"
173
+
174
+ "Check if CrowdStrike Falcon can provide PARTIAL coverage for safeguard 5.1 based on this: 'We offer centralized identity integration with detailed user account tracking and automated access reviews.'"
175
+
176
+ "Validate this FACILITATES claim: Qualys VMDR for safeguard 1.1 - 'Our vulnerability scanner enhances existing asset management by providing additional device discovery and detailed software inventory during security assessments.'"
177
+ ```
178
+
179
+ ### Response Analysis Examples
180
+
181
+ ```
182
+ "Analyze this vendor response for safeguard 6.3: Okta - 'We provide comprehensive multi-factor authentication for all external applications with adaptive authentication policies, risk-based assessments, and SSO integration.'"
183
+
184
+ "What capability role should we assign to this response for safeguard 7.1: Rapid7 InsightVM - 'Our platform performs continuous vulnerability scanning, provides automated remediation guidance, and tracks patch deployment across the infrastructure.'"
185
+ ```
186
+
187
+ ### Information Requests
188
+
189
+ ```
190
+ "What are the requirements for CIS safeguard 1.1?"
191
+
192
+ "Show me all available CIS safeguards in the inventory domain."
193
+
194
+ "What's the difference between FULL and PARTIAL capability roles?"
195
+ ```
196
+
197
+ ## Advanced Configuration
198
+
199
+ ### Custom Prompts and Instructions
200
+
201
+ Add these instructions to your Copilot's system message:
202
+
203
+ ```
204
+ You are a CIS Controls capability assessment expert. You help security professionals evaluate vendor tool capabilities against specific CIS Control safeguards.
205
+
206
+ Key Principles:
207
+ 1. Use validate_vendor_mapping for evidence-based validation of capability claims
208
+ 2. Use analyze_vendor_response when the capability role is unknown
209
+ 3. Always explain the 5 capability roles: FULL, PARTIAL, FACILITATES, GOVERNANCE, VALIDATES
210
+ 4. Highlight domain validation results and auto-downgrade protection
211
+ 5. Provide actionable recommendations for capability improvements
212
+
213
+ When users provide vendor responses:
214
+ 1. Ask for the specific CIS safeguard ID if not provided
215
+ 2. Determine if they want validation (they have a claimed capability) or analysis (no claimed capability)
216
+ 3. Use the appropriate action and explain the results in plain language
217
+ 4. Highlight any domain mismatches or auto-downgrades that occurred
218
+ ```
219
+
220
+ ### Environment Variables
221
+
222
+ If deploying with authentication or custom configuration:
223
+
224
+ ```bash
225
+ # Optional environment variables for your deployed API
226
+ NODE_ENV=production
227
+ PORT=8080
228
+ ALLOWED_ORIGINS=https://copilotstudio.microsoft.com,https://your-domain.com
229
+ ```
230
+
231
+ ### Rate Limiting and Monitoring
232
+
233
+ Monitor your API usage through the `/api/metrics` endpoint:
234
+
235
+ ```bash
236
+ curl https://your-api-url.com/api/metrics
237
+ ```
238
+
239
+ Response includes:
240
+ - Request counts by endpoint
241
+ - Error rates
242
+ - Uptime statistics
243
+ - Performance metrics
244
+
245
+ ## Troubleshooting
246
+
247
+ ### Common Issues
248
+
249
+ **Connection Failed:**
250
+ - Verify your API URL is accessible publicly
251
+ - Check that the `/health` endpoint returns 200
252
+ - Ensure no authentication is required
253
+
254
+ **Operations Not Working:**
255
+ - Verify the `swagger.json` was imported correctly
256
+ - Check that operation IDs match: `validateVendorMapping`, `analyzeVendorResponse`, etc.
257
+ - Test operations individually in the connector test interface
258
+
259
+ **Invalid Responses:**
260
+ - Check request body format matches the schema
261
+ - Verify required fields are provided
262
+ - Review API error messages for validation details
263
+
264
+ **Performance Issues:**
265
+ - Monitor the `/api/metrics` endpoint for high error rates
266
+ - Consider upgrading your cloud deployment plan
267
+ - Check network connectivity from Microsoft's servers
268
+
269
+ ### Testing Checklist
270
+
271
+ Before going live, test these scenarios:
272
+
273
+ - [ ] Health check endpoint responds correctly
274
+ - [ ] Validate vendor mapping with FULL claim (domain match)
275
+ - [ ] Validate vendor mapping with FULL claim (domain mismatch - should auto-downgrade)
276
+ - [ ] Analyze vendor response for capability determination
277
+ - [ ] Get safeguard details for a specific safeguard
278
+ - [ ] List all available safeguards
279
+ - [ ] Handle invalid inputs gracefully
280
+
281
+ ### Support Resources
282
+
283
+ - **Framework MCP Issues**: [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
284
+ - **Microsoft Copilot Studio Docs**: [Microsoft Documentation](https://docs.microsoft.com/en-us/microsoft-copilot-studio/)
285
+ - **OpenAPI Connector Guide**: [Custom Connectors in Copilot Studio](https://docs.microsoft.com/en-us/connectors/custom-connectors/)
286
+
287
+ ## Best Practices
288
+
289
+ ### Security Considerations
290
+
291
+ 1. **Deploy with HTTPS**: Always use HTTPS for production deployments
292
+ 2. **Monitor Usage**: Regularly check the `/api/metrics` endpoint
293
+ 3. **Rate Limiting**: Consider implementing rate limiting for high-traffic scenarios
294
+ 4. **Access Logs**: Enable logging in production for audit trails
295
+
296
+ ### Performance Optimization
297
+
298
+ 1. **CDN**: Consider using a CDN for global deployments
299
+ 2. **Caching**: The API includes intelligent caching for repeated requests
300
+ 3. **Scaling**: Use cloud platform auto-scaling for high demand
301
+ 4. **Monitoring**: Set up health check monitoring with your cloud provider
302
+
303
+ ### User Experience
304
+
305
+ 1. **Clear Instructions**: Provide users with example prompts
306
+ 2. **Error Handling**: Explain what to do when validation fails
307
+ 3. **Capability Education**: Help users understand the 5 capability roles
308
+ 4. **Domain Validation**: Explain why auto-downgrades occur
309
+
310
+ ## Success Metrics
311
+
312
+ Track these metrics to measure integration success:
313
+
314
+ - **Request Volume**: Total API calls per day/week
315
+ - **Error Rate**: Percentage of failed requests (target: <5%)
316
+ - **Response Time**: Average API response time (target: <500ms)
317
+ - **User Satisfaction**: Feedback on capability assessment accuracy
318
+ - **Coverage**: Number of unique safeguards being assessed
319
+
320
+ ## Next Steps
321
+
322
+ After successful integration:
323
+
324
+ 1. **Train Users**: Provide training on the 5 capability roles and domain validation
325
+ 2. **Create Templates**: Develop standard prompts for common assessment scenarios
326
+ 3. **Integration Workflows**: Connect with existing GRC tools and processes
327
+ 4. **Feedback Loop**: Collect user feedback for continuous improvement
328
+ 5. **Scale Usage**: Expand to additional teams and use cases
329
+
330
+ ---
331
+
332
+ **Questions or Issues?**
333
+ - 📧 Create an issue: [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
334
+ - 💬 Start a discussion: [GitHub Discussions](https://github.com/therealcybermattlee/FrameworkMCP/discussions)
335
+ - 🐦 Follow updates: [@cybermattlee](https://twitter.com/cybermattlee)