framework-mcp 1.2.0 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,335 @@
1
+ # Microsoft Copilot Integration Guide
2
+
3
+ This guide provides step-by-step instructions for integrating Framework MCP with Microsoft Copilot using custom connectors.
4
+
5
+ ## Overview
6
+
7
+ Framework MCP provides a dual-architecture solution that enables both Model Context Protocol (MCP) integration with Claude Code and HTTP API integration with Microsoft Copilot. This allows security professionals to access CIS Controls capability assessment through their preferred AI platform.
8
+
9
+ ## Prerequisites
10
+
11
+ - **Microsoft Copilot Studio** access (Microsoft 365 Business license or higher)
12
+ - **Deployed Framework MCP HTTP API** (DigitalOcean, Railway, Render, or other cloud platform)
13
+ - **Administrative permissions** in your Microsoft environment
14
+
15
+ ## Quick Start
16
+
17
+ ### 1. Deploy the HTTP API
18
+
19
+ First, deploy Framework MCP to a cloud platform. Choose one of these options:
20
+
21
+ #### Option A: DigitalOcean App Services (Recommended)
22
+ ```bash
23
+ git clone https://github.com/therealcybermattlee/FrameworkMCP.git
24
+ cd FrameworkMCP
25
+ doctl apps create .do/app.yaml
26
+ ```
27
+
28
+ #### Option B: Railway
29
+ ```bash
30
+ railway login
31
+ railway up
32
+ ```
33
+
34
+ #### Option C: Render
35
+ 1. Connect your GitHub repository to Render
36
+ 2. Use these settings:
37
+ - **Build Command**: `npm install && npm run build`
38
+ - **Start Command**: `npm run start:http`
39
+ - **Port**: 8080
40
+
41
+ ### 2. Verify Deployment
42
+
43
+ Test your deployed API:
44
+ ```bash
45
+ curl https://your-api-url.com/health
46
+ ```
47
+
48
+ Expected response:
49
+ ```json
50
+ {
51
+ "status": "healthy",
52
+ "uptime": 1234,
53
+ "totalRequests": 0,
54
+ "errorCount": 0,
55
+ "version": "1.3.1",
56
+ "timestamp": "2025-08-21T01:00:00.000Z"
57
+ }
58
+ ```
59
+
60
+ ### 3. Create Custom Connector in Copilot Studio
61
+
62
+ 1. **Open Microsoft Copilot Studio**
63
+ - Navigate to [https://copilotstudio.microsoft.com](https://copilotstudio.microsoft.com)
64
+ - Sign in with your Microsoft 365 account
65
+
66
+ 2. **Access Custom Connectors**
67
+ - In the left navigation, click **Data**
68
+ - Select **Custom connectors**
69
+
70
+ 3. **Import OpenAPI Specification**
71
+ - Click **+ New custom connector**
72
+ - Choose **Import from OpenAPI file**
73
+ - Upload the `swagger.json` file from the Framework MCP repository
74
+ - Click **Continue**
75
+
76
+ 4. **Configure Connector Details**
77
+ - **Name**: Framework MCP - CIS Controls Capability Assessment
78
+ - **Description**: Validate vendor capability claims against CIS Controls Framework
79
+ - **Host**: Update to your deployed API URL (e.g., `your-app.ondigitalocean.app`)
80
+ - **Base URL**: `/`
81
+
82
+ 5. **Review and Save**
83
+ - Review the imported endpoints
84
+ - Click **Create connector**
85
+
86
+ ### 4. Test the Connection
87
+
88
+ 1. **Create Test Connection**
89
+ - Click **Test** in your custom connector
90
+ - No authentication is required (public API)
91
+ - Click **Create connection**
92
+
93
+ 2. **Test Health Endpoint**
94
+ - Select the `healthCheck` operation
95
+ - Click **Test operation**
96
+ - Verify you receive a 200 response with health status
97
+
98
+ ### 5. Create Your Copilot
99
+
100
+ 1. **Create New Copilot**
101
+ - Go to **Copilots** in Copilot Studio
102
+ - Click **+ New copilot**
103
+ - Choose **Conversational** type
104
+ - Name: "CIS Controls Capability Assessor"
105
+
106
+ 2. **Add Custom Actions**
107
+ - In your copilot, go to **Actions**
108
+ - Click **+ Add action**
109
+ - Select **Custom connector**
110
+ - Choose your Framework MCP connector
111
+
112
+ ## Custom Actions Configuration
113
+
114
+ ### Primary Action: Validate Vendor Capability
115
+
116
+ Configure this action for evidence-based validation:
117
+
118
+ **Action Details:**
119
+ - **Name**: Validate Vendor Capability Mapping
120
+ - **Description**: Validate vendor capability claims against CIS Controls with domain validation and auto-downgrade protection
121
+ - **Connector**: Framework MCP Custom Connector
122
+ - **Operation**: `validateVendorMapping`
123
+
124
+ **Parameters:**
125
+ - **vendor_name** (Required): Name of the vendor/tool being analyzed
126
+ - **safeguard_id** (Required): CIS safeguard ID (e.g., "1.1", "5.1", "12.8")
127
+ - **claimed_capability** (Required): Capability role (full, partial, facilitates, governance, validates)
128
+ - **supporting_text** (Required): Vendor response supporting their capability claim
129
+
130
+ **Sample Input:**
131
+ ```json
132
+ {
133
+ "vendor_name": "CrowdStrike Falcon",
134
+ "safeguard_id": "1.1",
135
+ "claimed_capability": "full",
136
+ "supporting_text": "Our platform provides comprehensive enterprise asset inventory with real-time discovery, automated classification, and continuous monitoring of all hardware and software assets across the organization."
137
+ }
138
+ ```
139
+
140
+ ### Secondary Action: Analyze Vendor Response
141
+
142
+ Configure this action for capability determination:
143
+
144
+ **Action Details:**
145
+ - **Name**: Analyze Vendor Response
146
+ - **Description**: Determine appropriate capability role for vendor response text
147
+ - **Connector**: Framework MCP Custom Connector
148
+ - **Operation**: `analyzeVendorResponse`
149
+
150
+ **Parameters:**
151
+ - **vendor_name** (Required): Name of the vendor
152
+ - **safeguard_id** (Required): CIS safeguard ID
153
+ - **response_text** (Required): Vendor response text to analyze
154
+
155
+ ### Additional Actions: Safeguard Information
156
+
157
+ **Get Safeguard Details:**
158
+ - **Operation**: `getSafeguardDetails`
159
+ - **Parameters**: safeguard_id, include_examples (optional)
160
+
161
+ **List Available Safeguards:**
162
+ - **Operation**: `listSafeguards`
163
+ - **Parameters**: None
164
+
165
+ ## Example User Interactions
166
+
167
+ Once configured, users can interact with your Copilot using natural language:
168
+
169
+ ### Capability Validation Examples
170
+
171
+ ```
172
+ "Validate this vendor capability: Microsoft Defender for Endpoint claims FULL coverage for safeguard 1.1. Their response: 'Microsoft Defender provides comprehensive asset discovery, detailed hardware and software inventory, and real-time asset status monitoring across all enterprise endpoints.'"
173
+
174
+ "Check if CrowdStrike Falcon can provide PARTIAL coverage for safeguard 5.1 based on this: 'We offer centralized identity integration with detailed user account tracking and automated access reviews.'"
175
+
176
+ "Validate this FACILITATES claim: Qualys VMDR for safeguard 1.1 - 'Our vulnerability scanner enhances existing asset management by providing additional device discovery and detailed software inventory during security assessments.'"
177
+ ```
178
+
179
+ ### Response Analysis Examples
180
+
181
+ ```
182
+ "Analyze this vendor response for safeguard 6.3: Okta - 'We provide comprehensive multi-factor authentication for all external applications with adaptive authentication policies, risk-based assessments, and SSO integration.'"
183
+
184
+ "What capability role should we assign to this response for safeguard 7.1: Rapid7 InsightVM - 'Our platform performs continuous vulnerability scanning, provides automated remediation guidance, and tracks patch deployment across the infrastructure.'"
185
+ ```
186
+
187
+ ### Information Requests
188
+
189
+ ```
190
+ "What are the requirements for CIS safeguard 1.1?"
191
+
192
+ "Show me all available CIS safeguards in the inventory domain."
193
+
194
+ "What's the difference between FULL and PARTIAL capability roles?"
195
+ ```
196
+
197
+ ## Advanced Configuration
198
+
199
+ ### Custom Prompts and Instructions
200
+
201
+ Add these instructions to your Copilot's system message:
202
+
203
+ ```
204
+ You are a CIS Controls capability assessment expert. You help security professionals evaluate vendor tool capabilities against specific CIS Control safeguards.
205
+
206
+ Key Principles:
207
+ 1. Use validate_vendor_mapping for evidence-based validation of capability claims
208
+ 2. Use analyze_vendor_response when the capability role is unknown
209
+ 3. Always explain the 5 capability roles: FULL, PARTIAL, FACILITATES, GOVERNANCE, VALIDATES
210
+ 4. Highlight domain validation results and auto-downgrade protection
211
+ 5. Provide actionable recommendations for capability improvements
212
+
213
+ When users provide vendor responses:
214
+ 1. Ask for the specific CIS safeguard ID if not provided
215
+ 2. Determine if they want validation (they have a claimed capability) or analysis (no claimed capability)
216
+ 3. Use the appropriate action and explain the results in plain language
217
+ 4. Highlight any domain mismatches or auto-downgrades that occurred
218
+ ```
219
+
220
+ ### Environment Variables
221
+
222
+ If deploying with authentication or custom configuration:
223
+
224
+ ```bash
225
+ # Optional environment variables for your deployed API
226
+ NODE_ENV=production
227
+ PORT=8080
228
+ ALLOWED_ORIGINS=https://copilotstudio.microsoft.com,https://your-domain.com
229
+ ```
230
+
231
+ ### Rate Limiting and Monitoring
232
+
233
+ Monitor your API usage through the `/api/metrics` endpoint:
234
+
235
+ ```bash
236
+ curl https://your-api-url.com/api/metrics
237
+ ```
238
+
239
+ Response includes:
240
+ - Request counts by endpoint
241
+ - Error rates
242
+ - Uptime statistics
243
+ - Performance metrics
244
+
245
+ ## Troubleshooting
246
+
247
+ ### Common Issues
248
+
249
+ **Connection Failed:**
250
+ - Verify your API URL is accessible publicly
251
+ - Check that the `/health` endpoint returns 200
252
+ - Ensure no authentication is required
253
+
254
+ **Operations Not Working:**
255
+ - Verify the `swagger.json` was imported correctly
256
+ - Check that operation IDs match: `validateVendorMapping`, `analyzeVendorResponse`, etc.
257
+ - Test operations individually in the connector test interface
258
+
259
+ **Invalid Responses:**
260
+ - Check request body format matches the schema
261
+ - Verify required fields are provided
262
+ - Review API error messages for validation details
263
+
264
+ **Performance Issues:**
265
+ - Monitor the `/api/metrics` endpoint for high error rates
266
+ - Consider upgrading your cloud deployment plan
267
+ - Check network connectivity from Microsoft's servers
268
+
269
+ ### Testing Checklist
270
+
271
+ Before going live, test these scenarios:
272
+
273
+ - [ ] Health check endpoint responds correctly
274
+ - [ ] Validate vendor mapping with FULL claim (domain match)
275
+ - [ ] Validate vendor mapping with FULL claim (domain mismatch - should auto-downgrade)
276
+ - [ ] Analyze vendor response for capability determination
277
+ - [ ] Get safeguard details for a specific safeguard
278
+ - [ ] List all available safeguards
279
+ - [ ] Handle invalid inputs gracefully
280
+
281
+ ### Support Resources
282
+
283
+ - **Framework MCP Issues**: [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
284
+ - **Microsoft Copilot Studio Docs**: [Microsoft Documentation](https://docs.microsoft.com/en-us/microsoft-copilot-studio/)
285
+ - **OpenAPI Connector Guide**: [Custom Connectors in Copilot Studio](https://docs.microsoft.com/en-us/connectors/custom-connectors/)
286
+
287
+ ## Best Practices
288
+
289
+ ### Security Considerations
290
+
291
+ 1. **Deploy with HTTPS**: Always use HTTPS for production deployments
292
+ 2. **Monitor Usage**: Regularly check the `/api/metrics` endpoint
293
+ 3. **Rate Limiting**: Consider implementing rate limiting for high-traffic scenarios
294
+ 4. **Access Logs**: Enable logging in production for audit trails
295
+
296
+ ### Performance Optimization
297
+
298
+ 1. **CDN**: Consider using a CDN for global deployments
299
+ 2. **Caching**: The API includes intelligent caching for repeated requests
300
+ 3. **Scaling**: Use cloud platform auto-scaling for high demand
301
+ 4. **Monitoring**: Set up health check monitoring with your cloud provider
302
+
303
+ ### User Experience
304
+
305
+ 1. **Clear Instructions**: Provide users with example prompts
306
+ 2. **Error Handling**: Explain what to do when validation fails
307
+ 3. **Capability Education**: Help users understand the 5 capability roles
308
+ 4. **Domain Validation**: Explain why auto-downgrades occur
309
+
310
+ ## Success Metrics
311
+
312
+ Track these metrics to measure integration success:
313
+
314
+ - **Request Volume**: Total API calls per day/week
315
+ - **Error Rate**: Percentage of failed requests (target: <5%)
316
+ - **Response Time**: Average API response time (target: <500ms)
317
+ - **User Satisfaction**: Feedback on capability assessment accuracy
318
+ - **Coverage**: Number of unique safeguards being assessed
319
+
320
+ ## Next Steps
321
+
322
+ After successful integration:
323
+
324
+ 1. **Train Users**: Provide training on the 5 capability roles and domain validation
325
+ 2. **Create Templates**: Develop standard prompts for common assessment scenarios
326
+ 3. **Integration Workflows**: Connect with existing GRC tools and processes
327
+ 4. **Feedback Loop**: Collect user feedback for continuous improvement
328
+ 5. **Scale Usage**: Expand to additional teams and use cases
329
+
330
+ ---
331
+
332
+ **Questions or Issues?**
333
+ - 📧 Create an issue: [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
334
+ - 💬 Start a discussion: [GitHub Discussions](https://github.com/therealcybermattlee/FrameworkMCP/discussions)
335
+ - 🐦 Follow updates: [@cybermattlee](https://twitter.com/cybermattlee)
package/README.md CHANGED
@@ -34,11 +34,12 @@ The server uses the CIS Controls visual framework with color-coded categorizatio
34
34
  - **🟡 Yellow Elements**: Sub-taxonomical components
35
35
  - **⚫ Gray Elements**: Implementation suggestions and methods
36
36
 
37
- ## 🚀 Installation
37
+ ## 🚀 Installation & Deployment
38
38
 
39
39
  ### Prerequisites
40
40
  - Node.js 18+
41
- - Claude Code CLI tool
41
+ - Claude Code CLI tool (for MCP usage)
42
+ - Microsoft Copilot Studio (for custom connector usage)
42
43
 
43
44
  ### Install from npm
44
45
  ```bash
@@ -64,9 +65,32 @@ npm install
64
65
  npm run build
65
66
  ```
66
67
 
68
+ ### Cloud Deployment Options
69
+
70
+ #### Option 1: DigitalOcean App Services
71
+ ```bash
72
+ # Deploy using the included configuration
73
+ doctl apps create .do/app.yaml
74
+ ```
75
+
76
+ #### Option 2: Railway
77
+ ```bash
78
+ railway login
79
+ railway up
80
+ ```
81
+
82
+ #### Option 3: Render
83
+ Connect your GitHub repository and use:
84
+ - **Build Command**: `npm install && npm run build`
85
+ - **Start Command**: `npm run start:http`
86
+ - **Port**: 8080
87
+
88
+ #### Option 4: Microsoft Copilot Custom Connector
89
+ Deploy to any cloud platform and use the included `swagger.json` for Copilot integration.
90
+
67
91
  ## ⚙️ Configuration
68
92
 
69
- ### Claude Code Integration
93
+ ### Claude Code MCP Integration
70
94
 
71
95
  Add to your MCP configuration file (`~/.config/claude-code/mcp.json`):
72
96
 
@@ -82,9 +106,75 @@ Add to your MCP configuration file (`~/.config/claude-code/mcp.json`):
82
106
  }
83
107
  ```
84
108
 
109
+ ### Microsoft Copilot Custom Connector Setup
110
+
111
+ #### Step 1: Deploy HTTP API
112
+ Deploy the Framework MCP HTTP API to any cloud platform (DigitalOcean, Railway, Render, etc.)
113
+
114
+ #### Step 2: Create Custom Connector in Copilot Studio
115
+ 1. Open **Microsoft Copilot Studio**
116
+ 2. Navigate to **Data** → **Custom connectors**
117
+ 3. Click **+ New custom connector** → **Import from OpenAPI file**
118
+ 4. Upload the `swagger.json` file from this repository
119
+ 5. Update the **Host** field to your deployed API URL
120
+ 6. Save and test the connector
121
+
122
+ #### Step 3: Configure Connection
123
+ 1. Create a new connection using your custom connector
124
+ 2. No authentication required (public API)
125
+ 3. Test with the `/health` endpoint to verify connectivity
126
+
127
+ #### Step 4: Create Copilot Actions
128
+ In your Copilot, create actions for capability assessment:
129
+
130
+ **Primary Action - Validate Vendor Capability:**
131
+ ```
132
+ Action: Validate Vendor Mapping
133
+ Description: Validate vendor capability claims against CIS Controls with domain validation
134
+ Connector: Framework MCP Custom Connector
135
+ Operation: validateVendorMapping
136
+ Parameters:
137
+ - vendor_name: {User provided vendor name}
138
+ - safeguard_id: {CIS safeguard ID like "1.1"}
139
+ - claimed_capability: {full|partial|facilitates|governance|validates}
140
+ - supporting_text: {Vendor response text}
141
+ ```
142
+
143
+ **Secondary Action - Analyze Response:**
144
+ ```
145
+ Action: Analyze Vendor Response
146
+ Description: Determine appropriate capability role for vendor response
147
+ Connector: Framework MCP Custom Connector
148
+ Operation: analyzeVendorResponse
149
+ Parameters:
150
+ - vendor_name: {User provided vendor name}
151
+ - safeguard_id: {CIS safeguard ID}
152
+ - response_text: {Vendor response to analyze}
153
+ ```
154
+
155
+ #### Step 5: Example Copilot Prompts
156
+ Once configured, users can interact with your Copilot:
157
+
158
+ ```
159
+ "Validate this vendor capability: CrowdStrike Falcon claims FULL coverage for safeguard 1.1 with this response: 'Our platform provides comprehensive enterprise asset inventory with real-time discovery, automated classification, and continuous monitoring of all hardware and software assets.'"
160
+
161
+ "Analyze this vendor response for safeguard 5.1: Microsoft Entra ID - 'We provide centralized identity management with automated user provisioning, role-based access controls, and integration with all major business applications.'"
162
+
163
+ "What are the requirements for CIS safeguard 6.3?"
164
+ ```
165
+
85
166
  ### Verify Installation
86
167
  ```bash
168
+ # For MCP usage
87
169
  claude-code "List available CIS Control safeguards"
170
+
171
+ # For HTTP API usage
172
+ curl https://your-api-url.com/health
173
+
174
+ # For Copilot testing
175
+ curl -X POST https://your-api-url.com/api/validate-vendor-mapping \
176
+ -H "Content-Type: application/json" \
177
+ -d '{"vendor_name":"Test Vendor","safeguard_id":"1.1","claimed_capability":"facilitates","supporting_text":"We provide supplemental asset tracking capabilities that enhance existing inventory systems."}'
88
178
  ```
89
179
 
90
180
  ## 📋 Usage Examples
@@ -393,6 +483,9 @@ npm test
393
483
  - [API Reference](docs/api-reference.md)
394
484
  - [CIS Safeguards Reference](docs/safeguards-reference.md)
395
485
  - [Example Usage](examples/example-usage.md)
486
+ - **[Microsoft Copilot Integration Guide](COPILOT_INTEGRATION.md)** - Complete setup guide for custom connectors
487
+ - [Deployment Guide](DEPLOYMENT_GUIDE.md) - Cloud deployment instructions
488
+ - [OpenAPI Specification](swagger.json) - Complete API schema for integrations
396
489
 
397
490
  ## 🐛 Troubleshooting
398
491
 
@@ -55,7 +55,7 @@ export class FrameworkHttpServer {
55
55
  uptime: Math.round((Date.now() - metrics.uptime) / 1000),
56
56
  totalRequests: metrics.totalRequests,
57
57
  errorCount: metrics.errorCount,
58
- version: '1.2.0',
58
+ version: '1.3.1',
59
59
  timestamp: new Date().toISOString()
60
60
  });
61
61
  });
@@ -181,7 +181,7 @@ export class FrameworkHttpServer {
181
181
  this.app.get('/api', (req, res) => {
182
182
  res.json({
183
183
  name: 'Framework MCP HTTP API',
184
- version: '1.2.0',
184
+ version: '1.3.1',
185
185
  description: 'Dual-architecture HTTP API for vendor capability assessment against CIS Controls Framework',
186
186
  endpoints: {
187
187
  'POST /api/validate-vendor-mapping': 'Primary capability validation with domain validation',
@@ -259,7 +259,7 @@ export class FrameworkHttpServer {
259
259
  }
260
260
  start() {
261
261
  this.app.listen(this.port, '0.0.0.0', () => {
262
- console.log(`🚀 Framework MCP HTTP Server v1.2.0 running on port ${this.port}`);
262
+ console.log(`🚀 Framework MCP HTTP Server v1.3.1 running on port ${this.port}`);
263
263
  console.log(`📊 Health check: http://localhost:${this.port}/health`);
264
264
  console.log(`📖 API docs: http://localhost:${this.port}/api`);
265
265
  console.log(`🔧 Environment: ${process.env.NODE_ENV || 'development'}`);
@@ -8,7 +8,7 @@ export class FrameworkMcpServer {
8
8
  constructor() {
9
9
  this.server = new Server({
10
10
  name: 'framework-analyzer',
11
- version: '1.2.0',
11
+ version: '1.3.1',
12
12
  });
13
13
  this.capabilityAnalyzer = new CapabilityAnalyzer();
14
14
  this.safeguardManager = new SafeguardManager();
@@ -245,7 +245,7 @@ export class FrameworkMcpServer {
245
245
  safeguards,
246
246
  total: safeguards.length,
247
247
  framework: 'CIS Controls v8.1',
248
- version: '1.2.0'
248
+ version: '1.3.1'
249
249
  }, null, 2),
250
250
  },
251
251
  ],
@@ -287,7 +287,7 @@ export class FrameworkMcpServer {
287
287
  async run() {
288
288
  const transport = new StdioServerTransport();
289
289
  await this.server.connect(transport);
290
- console.error('🤖 Framework MCP Server v1.2.0 running via stdio');
290
+ console.error('🤖 Framework MCP Server v1.3.1 running via stdio');
291
291
  console.error('📊 Capability assessment with domain validation enabled');
292
292
  }
293
293
  }
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "framework-mcp",
3
- "version": "1.2.0",
4
- "description": "Dual-architecture server (MCP + HTTP API) for determining vendor tool capability roles against CIS Controls Framework with intelligent domain validation. DigitalOcean App Services compatible.",
3
+ "version": "1.3.1",
4
+ "description": "Dual-architecture server (MCP + HTTP API) for determining vendor tool capability roles against CIS Controls Framework with intelligent domain validation. Supports Microsoft Copilot custom connectors and DigitalOcean App Services deployment.",
5
5
  "main": "dist/interfaces/http/http-server.js",
6
6
  "type": "module",
7
7
  "scripts": {
@@ -41,7 +41,13 @@
41
41
  "vendor-analysis",
42
42
  "capability-assessment",
43
43
  "cybersecurity",
44
- "framework"
44
+ "framework",
45
+ "microsoft-copilot",
46
+ "openapi",
47
+ "swagger",
48
+ "custom-connector",
49
+ "http-api",
50
+ "cloud-deployment"
45
51
  ],
46
52
  "author": "Matt Lee <cybermattlee@gmail.com> (https://github.com/therealcybermattlee)",
47
53
  "license": "CC-BY-4.0",
@@ -74,7 +74,7 @@ export class FrameworkHttpServer {
74
74
  uptime: Math.round((Date.now() - metrics.uptime) / 1000),
75
75
  totalRequests: metrics.totalRequests,
76
76
  errorCount: metrics.errorCount,
77
- version: '1.2.0',
77
+ version: '1.3.1',
78
78
  timestamp: new Date().toISOString()
79
79
  });
80
80
  });
@@ -235,7 +235,7 @@ export class FrameworkHttpServer {
235
235
  this.app.get('/api', (req, res) => {
236
236
  res.json({
237
237
  name: 'Framework MCP HTTP API',
238
- version: '1.2.0',
238
+ version: '1.3.1',
239
239
  description: 'Dual-architecture HTTP API for vendor capability assessment against CIS Controls Framework',
240
240
  endpoints: {
241
241
  'POST /api/validate-vendor-mapping': 'Primary capability validation with domain validation',
@@ -332,7 +332,7 @@ export class FrameworkHttpServer {
332
332
 
333
333
  public start(): void {
334
334
  this.app.listen(this.port, '0.0.0.0', () => {
335
- console.log(`🚀 Framework MCP HTTP Server v1.2.0 running on port ${this.port}`);
335
+ console.log(`🚀 Framework MCP HTTP Server v1.3.1 running on port ${this.port}`);
336
336
  console.log(`📊 Health check: http://localhost:${this.port}/health`);
337
337
  console.log(`📖 API docs: http://localhost:${this.port}/api`);
338
338
  console.log(`🔧 Environment: ${process.env.NODE_ENV || 'development'}`);
@@ -20,7 +20,7 @@ export class FrameworkMcpServer {
20
20
  this.server = new Server(
21
21
  {
22
22
  name: 'framework-analyzer',
23
- version: '1.2.0',
23
+ version: '1.3.1',
24
24
  }
25
25
  );
26
26
 
@@ -301,7 +301,7 @@ export class FrameworkMcpServer {
301
301
  safeguards,
302
302
  total: safeguards.length,
303
303
  framework: 'CIS Controls v8.1',
304
- version: '1.2.0'
304
+ version: '1.3.1'
305
305
  }, null, 2),
306
306
  },
307
307
  ],
@@ -355,7 +355,7 @@ export class FrameworkMcpServer {
355
355
  const transport = new StdioServerTransport();
356
356
  await this.server.connect(transport);
357
357
 
358
- console.error('🤖 Framework MCP Server v1.2.0 running via stdio');
358
+ console.error('🤖 Framework MCP Server v1.3.1 running via stdio');
359
359
  console.error('📊 Capability assessment with domain validation enabled');
360
360
  }
361
361
  }
package/swagger.json ADDED
@@ -0,0 +1,718 @@
1
+ {
2
+ "openapi": "3.0.3",
3
+ "info": {
4
+ "title": "Framework MCP API - CIS Controls Capability Assessment",
5
+ "description": "Microsoft Copilot-compatible API for vendor capability assessment against CIS Controls Framework. Determines vendor tool roles (FULL, PARTIAL, FACILITATES, GOVERNANCE, VALIDATES) with domain validation and auto-downgrade protection.",
6
+ "version": "1.3.1",
7
+ "contact": {
8
+ "name": "Framework MCP Support",
9
+ "url": "https://github.com/therealcybermattlee/FrameworkMCP"
10
+ },
11
+ "license": {
12
+ "name": "MIT",
13
+ "url": "https://opensource.org/licenses/MIT"
14
+ }
15
+ },
16
+ "servers": [
17
+ {
18
+ "url": "https://your-deployment.ondigitalocean.app",
19
+ "description": "Production DigitalOcean App Services deployment"
20
+ },
21
+ {
22
+ "url": "http://localhost:8080",
23
+ "description": "Local development server"
24
+ }
25
+ ],
26
+ "paths": {
27
+ "/health": {
28
+ "get": {
29
+ "summary": "Health Check",
30
+ "description": "Check API health status and performance metrics",
31
+ "operationId": "healthCheck",
32
+ "tags": ["Monitoring"],
33
+ "responses": {
34
+ "200": {
35
+ "description": "Service is healthy",
36
+ "content": {
37
+ "application/json": {
38
+ "schema": {
39
+ "$ref": "#/components/schemas/HealthResponse"
40
+ }
41
+ }
42
+ }
43
+ }
44
+ }
45
+ }
46
+ },
47
+ "/api/validate-vendor-mapping": {
48
+ "post": {
49
+ "summary": "Validate Vendor Capability Mapping (PRIMARY)",
50
+ "description": "Primary endpoint for validating vendor capability claims against CIS safeguards with domain validation and auto-downgrade protection. Use this for evidence-based capability assessment.",
51
+ "operationId": "validateVendorMapping",
52
+ "tags": ["Capability Assessment"],
53
+ "requestBody": {
54
+ "required": true,
55
+ "content": {
56
+ "application/json": {
57
+ "schema": {
58
+ "$ref": "#/components/schemas/VendorMappingRequest"
59
+ }
60
+ }
61
+ }
62
+ },
63
+ "responses": {
64
+ "200": {
65
+ "description": "Validation completed successfully",
66
+ "content": {
67
+ "application/json": {
68
+ "schema": {
69
+ "$ref": "#/components/schemas/ValidationResponse"
70
+ }
71
+ }
72
+ }
73
+ },
74
+ "400": {
75
+ "description": "Invalid request parameters",
76
+ "content": {
77
+ "application/json": {
78
+ "schema": {
79
+ "$ref": "#/components/schemas/ErrorResponse"
80
+ }
81
+ }
82
+ }
83
+ },
84
+ "404": {
85
+ "description": "Safeguard not found",
86
+ "content": {
87
+ "application/json": {
88
+ "schema": {
89
+ "$ref": "#/components/schemas/ErrorResponse"
90
+ }
91
+ }
92
+ }
93
+ }
94
+ }
95
+ }
96
+ },
97
+ "/api/analyze-vendor-response": {
98
+ "post": {
99
+ "summary": "Analyze Vendor Response",
100
+ "description": "Analyze vendor response text to determine appropriate capability role with domain validation",
101
+ "operationId": "analyzeVendorResponse",
102
+ "tags": ["Capability Assessment"],
103
+ "requestBody": {
104
+ "required": true,
105
+ "content": {
106
+ "application/json": {
107
+ "schema": {
108
+ "$ref": "#/components/schemas/AnalysisRequest"
109
+ }
110
+ }
111
+ }
112
+ },
113
+ "responses": {
114
+ "200": {
115
+ "description": "Analysis completed successfully",
116
+ "content": {
117
+ "application/json": {
118
+ "schema": {
119
+ "$ref": "#/components/schemas/AnalysisResponse"
120
+ }
121
+ }
122
+ }
123
+ },
124
+ "400": {
125
+ "description": "Invalid request parameters",
126
+ "content": {
127
+ "application/json": {
128
+ "schema": {
129
+ "$ref": "#/components/schemas/ErrorResponse"
130
+ }
131
+ }
132
+ }
133
+ },
134
+ "404": {
135
+ "description": "Safeguard not found",
136
+ "content": {
137
+ "application/json": {
138
+ "schema": {
139
+ "$ref": "#/components/schemas/ErrorResponse"
140
+ }
141
+ }
142
+ }
143
+ }
144
+ }
145
+ }
146
+ },
147
+ "/api/validate-coverage-claim": {
148
+ "post": {
149
+ "summary": "Validate Coverage Claim",
150
+ "description": "Validate specific FULL or PARTIAL capability claims with supporting evidence",
151
+ "operationId": "validateCoverageClaim",
152
+ "tags": ["Capability Assessment"],
153
+ "requestBody": {
154
+ "required": true,
155
+ "content": {
156
+ "application/json": {
157
+ "schema": {
158
+ "$ref": "#/components/schemas/CoverageClaimRequest"
159
+ }
160
+ }
161
+ }
162
+ },
163
+ "responses": {
164
+ "200": {
165
+ "description": "Coverage claim validation completed",
166
+ "content": {
167
+ "application/json": {
168
+ "schema": {
169
+ "$ref": "#/components/schemas/ValidationResponse"
170
+ }
171
+ }
172
+ }
173
+ },
174
+ "400": {
175
+ "description": "Invalid request parameters",
176
+ "content": {
177
+ "application/json": {
178
+ "schema": {
179
+ "$ref": "#/components/schemas/ErrorResponse"
180
+ }
181
+ }
182
+ }
183
+ },
184
+ "404": {
185
+ "description": "Safeguard not found",
186
+ "content": {
187
+ "application/json": {
188
+ "schema": {
189
+ "$ref": "#/components/schemas/ErrorResponse"
190
+ }
191
+ }
192
+ }
193
+ }
194
+ }
195
+ }
196
+ },
197
+ "/api/safeguards": {
198
+ "get": {
199
+ "summary": "List Available Safeguards",
200
+ "description": "Get a list of all available CIS Controls v8.1 safeguards (153 total)",
201
+ "operationId": "listSafeguards",
202
+ "tags": ["Safeguards"],
203
+ "responses": {
204
+ "200": {
205
+ "description": "List of available safeguards",
206
+ "content": {
207
+ "application/json": {
208
+ "schema": {
209
+ "$ref": "#/components/schemas/SafeguardListResponse"
210
+ }
211
+ }
212
+ }
213
+ }
214
+ }
215
+ }
216
+ },
217
+ "/api/safeguards/{safeguardId}": {
218
+ "get": {
219
+ "summary": "Get Safeguard Details",
220
+ "description": "Get detailed information about a specific CIS safeguard including governance elements, core requirements, and implementation suggestions",
221
+ "operationId": "getSafeguardDetails",
222
+ "tags": ["Safeguards"],
223
+ "parameters": [
224
+ {
225
+ "name": "safeguardId",
226
+ "in": "path",
227
+ "required": true,
228
+ "description": "CIS safeguard ID (e.g., '1.1', '5.1', '12.8')",
229
+ "schema": {
230
+ "type": "string",
231
+ "pattern": "^[0-9]+\\.[0-9]+$",
232
+ "example": "1.1"
233
+ }
234
+ },
235
+ {
236
+ "name": "include_examples",
237
+ "in": "query",
238
+ "required": false,
239
+ "description": "Include implementation examples in response",
240
+ "schema": {
241
+ "type": "boolean",
242
+ "default": false
243
+ }
244
+ }
245
+ ],
246
+ "responses": {
247
+ "200": {
248
+ "description": "Safeguard details retrieved successfully",
249
+ "content": {
250
+ "application/json": {
251
+ "schema": {
252
+ "$ref": "#/components/schemas/SafeguardDetails"
253
+ }
254
+ }
255
+ }
256
+ },
257
+ "400": {
258
+ "description": "Invalid safeguard ID format",
259
+ "content": {
260
+ "application/json": {
261
+ "schema": {
262
+ "$ref": "#/components/schemas/ErrorResponse"
263
+ }
264
+ }
265
+ }
266
+ },
267
+ "404": {
268
+ "description": "Safeguard not found",
269
+ "content": {
270
+ "application/json": {
271
+ "schema": {
272
+ "$ref": "#/components/schemas/ErrorResponse"
273
+ }
274
+ }
275
+ }
276
+ }
277
+ }
278
+ }
279
+ },
280
+ "/api/metrics": {
281
+ "get": {
282
+ "summary": "Performance Metrics",
283
+ "description": "Get API performance metrics and usage statistics",
284
+ "operationId": "getMetrics",
285
+ "tags": ["Monitoring"],
286
+ "responses": {
287
+ "200": {
288
+ "description": "Performance metrics",
289
+ "content": {
290
+ "application/json": {
291
+ "schema": {
292
+ "$ref": "#/components/schemas/MetricsResponse"
293
+ }
294
+ }
295
+ }
296
+ }
297
+ }
298
+ }
299
+ }
300
+ },
301
+ "components": {
302
+ "schemas": {
303
+ "CapabilityRole": {
304
+ "type": "string",
305
+ "enum": ["full", "partial", "facilitates", "governance", "validates"],
306
+ "description": "Vendor tool capability roles:\n- FULL: Complete implementation of safeguard (requires domain-appropriate tool)\n- PARTIAL: Limited scope implementation (requires domain-appropriate tool)\n- FACILITATES: Enhancement capabilities (no tool type restrictions)\n- GOVERNANCE: Policy/process management (no tool type restrictions)\n- VALIDATES: Evidence collection and reporting (no tool type restrictions)"
307
+ },
308
+ "VendorMappingRequest": {
309
+ "type": "object",
310
+ "required": ["vendor_name", "safeguard_id", "claimed_capability", "supporting_text"],
311
+ "properties": {
312
+ "vendor_name": {
313
+ "type": "string",
314
+ "description": "Name of the vendor or tool being analyzed",
315
+ "minLength": 1,
316
+ "maxLength": 100,
317
+ "example": "CrowdStrike Falcon"
318
+ },
319
+ "safeguard_id": {
320
+ "type": "string",
321
+ "pattern": "^[0-9]+\\.[0-9]+$",
322
+ "description": "CIS safeguard ID (format: X.Y)",
323
+ "example": "1.1"
324
+ },
325
+ "claimed_capability": {
326
+ "$ref": "#/components/schemas/CapabilityRole"
327
+ },
328
+ "supporting_text": {
329
+ "type": "string",
330
+ "description": "Vendor response or documentation supporting their capability claim",
331
+ "minLength": 10,
332
+ "maxLength": 10000,
333
+ "example": "Our platform provides comprehensive enterprise asset inventory with real-time discovery, automated classification, and continuous monitoring of all hardware and software assets across the organization."
334
+ }
335
+ }
336
+ },
337
+ "AnalysisRequest": {
338
+ "type": "object",
339
+ "required": ["vendor_name", "safeguard_id", "response_text"],
340
+ "properties": {
341
+ "vendor_name": {
342
+ "type": "string",
343
+ "description": "Name of the vendor",
344
+ "minLength": 1,
345
+ "maxLength": 100,
346
+ "example": "Microsoft Defender"
347
+ },
348
+ "safeguard_id": {
349
+ "type": "string",
350
+ "pattern": "^[0-9]+\\.[0-9]+$",
351
+ "description": "CIS safeguard ID",
352
+ "example": "5.1"
353
+ },
354
+ "response_text": {
355
+ "type": "string",
356
+ "description": "Vendor response text to analyze for capability determination",
357
+ "minLength": 10,
358
+ "maxLength": 10000,
359
+ "example": "We provide centralized account management with role-based access controls, automated provisioning and deprovisioning, and integration with Active Directory for enterprise identity management."
360
+ }
361
+ }
362
+ },
363
+ "CoverageClaimRequest": {
364
+ "type": "object",
365
+ "required": ["vendor_name", "safeguard_id", "claimed_capability", "response_text"],
366
+ "properties": {
367
+ "vendor_name": {
368
+ "type": "string",
369
+ "description": "Name of the vendor",
370
+ "minLength": 1,
371
+ "maxLength": 100,
372
+ "example": "Qualys VMDR"
373
+ },
374
+ "safeguard_id": {
375
+ "type": "string",
376
+ "pattern": "^[0-9]+\\.[0-9]+$",
377
+ "description": "CIS safeguard ID",
378
+ "example": "7.1"
379
+ },
380
+ "claimed_capability": {
381
+ "$ref": "#/components/schemas/CapabilityRole"
382
+ },
383
+ "response_text": {
384
+ "type": "string",
385
+ "description": "Supporting evidence for the capability claim",
386
+ "minLength": 10,
387
+ "maxLength": 10000,
388
+ "example": "Our vulnerability management platform performs continuous scanning, prioritizes vulnerabilities based on risk, provides automated remediation guidance, and tracks remediation progress across the entire infrastructure."
389
+ }
390
+ }
391
+ },
392
+ "ValidationResponse": {
393
+ "type": "object",
394
+ "properties": {
395
+ "vendor_name": {
396
+ "type": "string",
397
+ "example": "CrowdStrike Falcon"
398
+ },
399
+ "safeguard_id": {
400
+ "type": "string",
401
+ "example": "1.1"
402
+ },
403
+ "claimed_capability": {
404
+ "$ref": "#/components/schemas/CapabilityRole"
405
+ },
406
+ "validated_capability": {
407
+ "$ref": "#/components/schemas/CapabilityRole"
408
+ },
409
+ "validation_status": {
410
+ "type": "string",
411
+ "enum": ["SUPPORTED", "QUESTIONABLE", "UNSUPPORTED"],
412
+ "description": "Overall validation result"
413
+ },
414
+ "confidence_score": {
415
+ "type": "number",
416
+ "minimum": 0,
417
+ "maximum": 100,
418
+ "description": "Confidence percentage in the assessment"
419
+ },
420
+ "domain_validation": {
421
+ "type": "object",
422
+ "properties": {
423
+ "tool_type": {
424
+ "type": "string",
425
+ "description": "Detected tool type category"
426
+ },
427
+ "domain_appropriate": {
428
+ "type": "boolean",
429
+ "description": "Whether tool type is appropriate for claimed capability"
430
+ },
431
+ "auto_downgrade_applied": {
432
+ "type": "boolean",
433
+ "description": "Whether capability was auto-downgraded due to domain mismatch"
434
+ }
435
+ }
436
+ },
437
+ "evidence_analysis": {
438
+ "type": "object",
439
+ "properties": {
440
+ "core_requirements_score": {
441
+ "type": "number",
442
+ "minimum": 0,
443
+ "maximum": 100
444
+ },
445
+ "governance_elements_score": {
446
+ "type": "number",
447
+ "minimum": 0,
448
+ "maximum": 100
449
+ },
450
+ "sub_elements_score": {
451
+ "type": "number",
452
+ "minimum": 0,
453
+ "maximum": 100
454
+ },
455
+ "language_consistency_score": {
456
+ "type": "number",
457
+ "minimum": 0,
458
+ "maximum": 100
459
+ }
460
+ }
461
+ },
462
+ "reasoning": {
463
+ "type": "string",
464
+ "description": "Detailed explanation of the validation decision"
465
+ },
466
+ "recommendations": {
467
+ "type": "array",
468
+ "items": {
469
+ "type": "string"
470
+ },
471
+ "description": "Actionable recommendations for capability improvement"
472
+ },
473
+ "timestamp": {
474
+ "type": "string",
475
+ "format": "date-time"
476
+ }
477
+ }
478
+ },
479
+ "AnalysisResponse": {
480
+ "type": "object",
481
+ "properties": {
482
+ "vendor_name": {
483
+ "type": "string"
484
+ },
485
+ "safeguard_id": {
486
+ "type": "string"
487
+ },
488
+ "determined_capability": {
489
+ "$ref": "#/components/schemas/CapabilityRole"
490
+ },
491
+ "confidence_score": {
492
+ "type": "number",
493
+ "minimum": 0,
494
+ "maximum": 100
495
+ },
496
+ "domain_validation": {
497
+ "type": "object",
498
+ "properties": {
499
+ "tool_type": {
500
+ "type": "string"
501
+ },
502
+ "domain_appropriate": {
503
+ "type": "boolean"
504
+ }
505
+ }
506
+ },
507
+ "analysis_details": {
508
+ "type": "object",
509
+ "properties": {
510
+ "core_coverage": {
511
+ "type": "number",
512
+ "minimum": 0,
513
+ "maximum": 100
514
+ },
515
+ "implementation_depth": {
516
+ "type": "number",
517
+ "minimum": 0,
518
+ "maximum": 100
519
+ },
520
+ "governance_support": {
521
+ "type": "number",
522
+ "minimum": 0,
523
+ "maximum": 100
524
+ }
525
+ }
526
+ },
527
+ "reasoning": {
528
+ "type": "string"
529
+ },
530
+ "timestamp": {
531
+ "type": "string",
532
+ "format": "date-time"
533
+ }
534
+ }
535
+ },
536
+ "SafeguardListResponse": {
537
+ "type": "object",
538
+ "properties": {
539
+ "safeguards": {
540
+ "type": "array",
541
+ "items": {
542
+ "type": "object",
543
+ "properties": {
544
+ "id": {
545
+ "type": "string",
546
+ "example": "1.1"
547
+ },
548
+ "title": {
549
+ "type": "string",
550
+ "example": "Establish and Maintain Detailed Enterprise Asset Inventory"
551
+ },
552
+ "implementationGroup": {
553
+ "type": "string",
554
+ "enum": ["IG1", "IG2", "IG3"],
555
+ "example": "IG1"
556
+ }
557
+ }
558
+ }
559
+ },
560
+ "total": {
561
+ "type": "integer",
562
+ "example": 153
563
+ },
564
+ "framework": {
565
+ "type": "string",
566
+ "example": "CIS Controls v8.1"
567
+ },
568
+ "timestamp": {
569
+ "type": "string",
570
+ "format": "date-time"
571
+ }
572
+ }
573
+ },
574
+ "SafeguardDetails": {
575
+ "type": "object",
576
+ "properties": {
577
+ "id": {
578
+ "type": "string",
579
+ "example": "1.1"
580
+ },
581
+ "title": {
582
+ "type": "string",
583
+ "example": "Establish and Maintain Detailed Enterprise Asset Inventory"
584
+ },
585
+ "description": {
586
+ "type": "string",
587
+ "description": "Detailed description of the safeguard requirements"
588
+ },
589
+ "implementationGroup": {
590
+ "type": "string",
591
+ "enum": ["IG1", "IG2", "IG3"],
592
+ "example": "IG1"
593
+ },
594
+ "governanceElements": {
595
+ "type": "array",
596
+ "items": {
597
+ "type": "string"
598
+ },
599
+ "description": "Governance requirements that MUST be met (Orange elements)"
600
+ },
601
+ "coreRequirements": {
602
+ "type": "array",
603
+ "items": {
604
+ "type": "string"
605
+ },
606
+ "description": "Core 'what' requirements of the safeguard (Green elements)"
607
+ },
608
+ "subTaxonomicalElements": {
609
+ "type": "array",
610
+ "items": {
611
+ "type": "string"
612
+ },
613
+ "description": "Sub-taxonomical components (Yellow elements)"
614
+ },
615
+ "implementationSuggestions": {
616
+ "type": "array",
617
+ "items": {
618
+ "type": "string"
619
+ },
620
+ "description": "Implementation methods and suggestions (Gray elements)"
621
+ }
622
+ }
623
+ },
624
+ "HealthResponse": {
625
+ "type": "object",
626
+ "properties": {
627
+ "status": {
628
+ "type": "string",
629
+ "example": "healthy"
630
+ },
631
+ "uptime": {
632
+ "type": "integer",
633
+ "description": "Uptime in seconds"
634
+ },
635
+ "totalRequests": {
636
+ "type": "integer",
637
+ "description": "Total requests processed"
638
+ },
639
+ "errorCount": {
640
+ "type": "integer",
641
+ "description": "Total errors encountered"
642
+ },
643
+ "version": {
644
+ "type": "string",
645
+ "example": "1.3.1"
646
+ },
647
+ "timestamp": {
648
+ "type": "string",
649
+ "format": "date-time"
650
+ }
651
+ }
652
+ },
653
+ "MetricsResponse": {
654
+ "type": "object",
655
+ "properties": {
656
+ "uptime_seconds": {
657
+ "type": "integer"
658
+ },
659
+ "total_requests": {
660
+ "type": "integer"
661
+ },
662
+ "error_count": {
663
+ "type": "integer"
664
+ },
665
+ "error_rate": {
666
+ "type": "string",
667
+ "example": "0.5%"
668
+ },
669
+ "request_counts": {
670
+ "type": "object",
671
+ "additionalProperties": {
672
+ "type": "integer"
673
+ }
674
+ },
675
+ "timestamp": {
676
+ "type": "string",
677
+ "format": "date-time"
678
+ }
679
+ }
680
+ },
681
+ "ErrorResponse": {
682
+ "type": "object",
683
+ "properties": {
684
+ "error": {
685
+ "type": "string",
686
+ "description": "Error message"
687
+ },
688
+ "details": {
689
+ "type": "string",
690
+ "description": "Additional error details"
691
+ },
692
+ "timestamp": {
693
+ "type": "string",
694
+ "format": "date-time"
695
+ }
696
+ }
697
+ }
698
+ }
699
+ },
700
+ "tags": [
701
+ {
702
+ "name": "Capability Assessment",
703
+ "description": "Primary API endpoints for vendor capability assessment against CIS Controls"
704
+ },
705
+ {
706
+ "name": "Safeguards",
707
+ "description": "CIS Controls safeguards information and details"
708
+ },
709
+ {
710
+ "name": "Monitoring",
711
+ "description": "Health checks and performance monitoring"
712
+ }
713
+ ],
714
+ "externalDocs": {
715
+ "description": "Framework MCP GitHub Repository",
716
+ "url": "https://github.com/therealcybermattlee/FrameworkMCP"
717
+ }
718
+ }