framework-mcp 1.3.1 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (32) hide show
  1. package/backups/README.md +31 -0
  2. package/backups/safeguard-manager-5-safeguards.ts +343 -0
  3. package/dist/core/safeguard-manager.backup.d.ts +15 -0
  4. package/dist/core/safeguard-manager.backup.d.ts.map +1 -0
  5. package/dist/core/safeguard-manager.backup.js +318 -0
  6. package/dist/core/safeguard-manager.backup.js.map +1 -0
  7. package/dist/core/safeguard-manager.d.ts +17 -0
  8. package/dist/core/safeguard-manager.d.ts.map +1 -1
  9. package/dist/core/safeguard-manager.js +5321 -44
  10. package/dist/core/safeguard-manager.js.map +1 -1
  11. package/dist/index.d.ts +0 -1
  12. package/dist/index.d.ts.map +1 -1
  13. package/dist/index.js +1 -62
  14. package/dist/index.js.map +1 -1
  15. package/dist/interfaces/mcp/mcp-server.d.ts +0 -1
  16. package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
  17. package/dist/interfaces/mcp/mcp-server.js +0 -49
  18. package/dist/interfaces/mcp/mcp-server.js.map +1 -1
  19. package/migration/README.md +66 -0
  20. package/migration/integration-ready-safeguards.ts +5457 -0
  21. package/package.json +1 -1
  22. package/scripts/analyze-data-structure.cjs +74 -0
  23. package/scripts/clean-safeguards-data.cjs +60 -0
  24. package/scripts/comprehensive-validation.cjs +176 -0
  25. package/scripts/count-safeguards.cjs +89 -0
  26. package/scripts/format-safeguards-proper.cjs +44 -0
  27. package/scripts/validate-formatted-data.cjs +88 -0
  28. package/src/core/safeguard-manager.backup.ts +343 -0
  29. package/src/core/safeguard-manager.ts +5510 -216
  30. package/src/core/safeguard-manager.ts.backup-20250821_085347 +343 -0
  31. package/src/index.ts +1 -66
  32. package/src/interfaces/mcp/mcp-server.ts +0 -61
@@ -0,0 +1,343 @@
1
+ import { SafeguardElement, CacheEntry } from '../shared/types.js';
2
+
3
+ export class SafeguardManager {
4
+ private cache: Map<string, CacheEntry<any>>;
5
+ private safeguards: Record<string, SafeguardElement> = {};
6
+
7
+ constructor() {
8
+ this.cache = new Map();
9
+ this.initializeSafeguards();
10
+ }
11
+
12
+ public getSafeguardDetails(safeguardId: string, includeExamples: boolean = false): SafeguardElement | null {
13
+ // Check cache first
14
+ const cacheKey = `${safeguardId}_${includeExamples}`;
15
+ const cached = this.getCachedSafeguardDetails(cacheKey);
16
+ if (cached) {
17
+ return cached;
18
+ }
19
+
20
+ const safeguard = this.safeguards[safeguardId];
21
+ if (!safeguard) {
22
+ return null;
23
+ }
24
+
25
+ // Add examples if requested
26
+ let result = { ...safeguard };
27
+ if (includeExamples) {
28
+ result = this.addImplementationExamples(result);
29
+ }
30
+
31
+ // Cache the result
32
+ this.cache.set(cacheKey, {
33
+ data: result,
34
+ timestamp: Date.now()
35
+ });
36
+
37
+ return result;
38
+ }
39
+
40
+ public listAvailableSafeguards(): string[] {
41
+ // Check cache first
42
+ const cached = this.cache.get('safeguard_list');
43
+ if (cached && (Date.now() - cached.timestamp < 10 * 60 * 1000)) { // 10 minute cache
44
+ return cached.data;
45
+ }
46
+
47
+ const safeguardList = Object.keys(this.safeguards).sort((a, b) => {
48
+ const [aMajor, aMinor] = a.split('.').map(Number);
49
+ const [bMajor, bMinor] = b.split('.').map(Number);
50
+ return aMajor - bMajor || aMinor - bMinor;
51
+ });
52
+
53
+ // Cache the result
54
+ this.cache.set('safeguard_list', {
55
+ data: safeguardList,
56
+ timestamp: Date.now()
57
+ });
58
+
59
+ return safeguardList;
60
+ }
61
+
62
+ public getAllSafeguards(): Record<string, SafeguardElement> {
63
+ return { ...this.safeguards };
64
+ }
65
+
66
+ public validateSafeguardId(safeguardId: string): void {
67
+ if (!safeguardId || typeof safeguardId !== 'string') {
68
+ throw new Error('Safeguard ID is required and must be a string');
69
+ }
70
+
71
+ if (!/^[0-9]+\.[0-9]+$/.test(safeguardId)) {
72
+ throw new Error('Safeguard ID must be in format "X.Y" (e.g., "1.1", "5.1")');
73
+ }
74
+
75
+ if (!this.safeguards[safeguardId]) {
76
+ const availableSafeguards = this.listAvailableSafeguards();
77
+ throw new Error(`Safeguard ${safeguardId} not found. Available safeguards: ${availableSafeguards.join(', ')}`);
78
+ }
79
+ }
80
+
81
+ private getCachedSafeguardDetails(cacheKey: string): SafeguardElement | null {
82
+ const cached = this.cache.get(cacheKey);
83
+
84
+ if (cached && (Date.now() - cached.timestamp < 5 * 60 * 1000)) { // 5 minute cache
85
+ return cached.data;
86
+ }
87
+
88
+ return null;
89
+ }
90
+
91
+ private addImplementationExamples(safeguard: SafeguardElement): SafeguardElement {
92
+ // Add implementation examples based on safeguard type
93
+ const examples = this.getImplementationExamples(safeguard.id);
94
+
95
+ return {
96
+ ...safeguard,
97
+ implementationSuggestions: [
98
+ ...safeguard.implementationSuggestions,
99
+ ...examples
100
+ ]
101
+ };
102
+ }
103
+
104
+ private getImplementationExamples(safeguardId: string): string[] {
105
+ const exampleMap: Record<string, string[]> = {
106
+ "1.1": [
107
+ "Example: Use Lansweeper for automated asset discovery",
108
+ "Example: Implement ServiceNow CMDB for centralized tracking",
109
+ "Example: Deploy Microsoft SCCM for Windows asset management"
110
+ ],
111
+ "5.1": [
112
+ "Example: Use Azure AD for centralized account management",
113
+ "Example: Implement Okta for identity lifecycle management",
114
+ "Example: Deploy JumpCloud for directory services"
115
+ ],
116
+ "6.3": [
117
+ "Example: Enable Azure MFA for all external applications",
118
+ "Example: Implement Duo Security for multi-factor authentication",
119
+ "Example: Use Google Workspace SSO with MFA enforcement"
120
+ ],
121
+ "7.1": [
122
+ "Example: Establish Nessus vulnerability scanning schedule",
123
+ "Example: Implement Qualys VMDR for continuous monitoring",
124
+ "Example: Use Rapid7 InsightVM for vulnerability management"
125
+ ]
126
+ };
127
+
128
+ return exampleMap[safeguardId] || [];
129
+ }
130
+
131
+ private initializeSafeguards(): void {
132
+ // Initialize the complete CIS Controls Framework data
133
+ // TODO: Replace with complete 153 safeguards dataset - currently using temporary placeholder
134
+ // The complete dataset will be loaded from the original implementation
135
+ console.warn('⚠️ KNOWN BUG: SafeguardManager only loads 5 sample safeguards instead of complete 153 CIS Controls v8.1 dataset');
136
+
137
+ this.safeguards = {
138
+ "1.1": {
139
+ id: "1.1",
140
+ title: "Establish and Maintain a Detailed Enterprise Asset Inventory",
141
+ description: "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data",
142
+ implementationGroup: "IG1",
143
+ assetType: ["end-user devices", "network devices", "IoT devices", "servers"],
144
+ securityFunction: ["Identify"],
145
+ governanceElements: [
146
+ "establish inventory process",
147
+ "maintain inventory process",
148
+ "documented process",
149
+ "review and update bi-annually",
150
+ "enterprise asset management policy"
151
+ ],
152
+ coreRequirements: [
153
+ "accurate inventory",
154
+ "detailed inventory",
155
+ "up-to-date inventory",
156
+ "all enterprise assets",
157
+ "potential to store or process data"
158
+ ],
159
+ subTaxonomicalElements: [
160
+ "network address (if static)",
161
+ "hardware address",
162
+ "machine name",
163
+ "enterprise asset owner",
164
+ "department for each asset",
165
+ "approved to connect to network",
166
+ "end-user devices (portable and mobile)",
167
+ "network devices",
168
+ "non-computing/IoT devices",
169
+ "servers",
170
+ "physical connection",
171
+ "virtual connection",
172
+ "remote connection",
173
+ "cloud environments",
174
+ "regularly connected devices not under enterprise control"
175
+ ],
176
+ implementationSuggestions: [
177
+ "MDM type tools for mobile devices",
178
+ "enterprise and software asset management tool",
179
+ "asset discovery tools",
180
+ "DHCP logging",
181
+ "passive discovery tools"
182
+ ],
183
+ relatedSafeguards: ["1.2", "1.3", "1.4", "1.5", "2.1", "3.2", "4.1", "5.1"],
184
+ keywords: ["asset", "inventory", "device", "network", "mobile", "IoT", "server", "detailed", "accurate", "up-to-date"]
185
+ },
186
+ "1.2": {
187
+ id: "1.2",
188
+ title: "Address Unauthorized Assets",
189
+ description: "Ensure that a process exists to address unauthorized assets on a weekly basis",
190
+ implementationGroup: "IG1",
191
+ assetType: ["devices"],
192
+ securityFunction: ["Respond"],
193
+ governanceElements: [
194
+ "ensure process exists",
195
+ "weekly basis requirement",
196
+ "unauthorized asset handling policy"
197
+ ],
198
+ coreRequirements: [
199
+ "address unauthorized assets",
200
+ "process to handle unauthorized devices",
201
+ "weekly execution"
202
+ ],
203
+ subTaxonomicalElements: [
204
+ "unauthorized asset detection",
205
+ "asset classification",
206
+ "response timeline",
207
+ "documentation requirements",
208
+ "quarantine procedures",
209
+ "removal procedures"
210
+ ],
211
+ implementationSuggestions: [
212
+ "network access control (NAC) solutions",
213
+ "automated asset discovery tools",
214
+ "network monitoring systems",
215
+ "SIEM integration"
216
+ ],
217
+ relatedSafeguards: ["1.1", "1.3", "12.1", "13.1"],
218
+ keywords: ["unauthorized", "assets", "weekly", "address", "process", "detection", "quarantine"]
219
+ },
220
+ "5.1": {
221
+ id: "5.1",
222
+ title: "Establish and Maintain an Inventory of Accounts",
223
+ description: "Establish and maintain an inventory of all accounts managed in the enterprise",
224
+ implementationGroup: "IG1",
225
+ assetType: ["users"],
226
+ securityFunction: ["Identify"],
227
+ governanceElements: [
228
+ "establish inventory process",
229
+ "maintain inventory process",
230
+ "validate all active accounts are authorized",
231
+ "recurring schedule minimum quarterly",
232
+ "account management policy"
233
+ ],
234
+ coreRequirements: [
235
+ "inventory of all accounts",
236
+ "user accounts",
237
+ "administrator accounts",
238
+ "managed in the enterprise"
239
+ ],
240
+ subTaxonomicalElements: [
241
+ "person's name",
242
+ "username",
243
+ "start/stop dates",
244
+ "department",
245
+ "account status",
246
+ "account type",
247
+ "access rights",
248
+ "last login date"
249
+ ],
250
+ implementationSuggestions: [
251
+ "identity and access management tool",
252
+ "directory services",
253
+ "automated account provisioning",
254
+ "account lifecycle management",
255
+ "role-based access control system"
256
+ ],
257
+ relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2"],
258
+ keywords: ["accounts", "inventory", "user", "administrator", "name", "username", "dates", "department", "quarterly"]
259
+ },
260
+ "6.3": {
261
+ id: "6.3",
262
+ title: "Require MFA for Externally-Exposed Applications",
263
+ description: "Require all externally-exposed enterprise or third-party applications to enforce MFA",
264
+ implementationGroup: "IG1",
265
+ assetType: ["users"],
266
+ securityFunction: ["Protect"],
267
+ governanceElements: [
268
+ "require MFA enforcement",
269
+ "policy for externally-exposed applications",
270
+ "MFA compliance verification"
271
+ ],
272
+ coreRequirements: [
273
+ "multi-factor authentication",
274
+ "all externally-exposed applications",
275
+ "enterprise applications",
276
+ "third-party applications",
277
+ "enforce MFA where supported"
278
+ ],
279
+ subTaxonomicalElements: [
280
+ "authentication factors",
281
+ "something you know (password)",
282
+ "something you have (token)",
283
+ "something you are (biometric)",
284
+ "external access points",
285
+ "application inventory",
286
+ "exposure assessment"
287
+ ],
288
+ implementationSuggestions: [
289
+ "directory service enforcement",
290
+ "SSO provider enforcement",
291
+ "multi-factor authentication tools",
292
+ "SAML integration",
293
+ "OAuth implementation",
294
+ "conditional access policies"
295
+ ],
296
+ relatedSafeguards: ["2.1", "4.1", "5.1", "6.1", "6.2"],
297
+ keywords: ["MFA", "multi-factor", "authentication", "externally-exposed", "applications", "third-party", "SSO", "directory"]
298
+ },
299
+ "7.1": {
300
+ id: "7.1",
301
+ title: "Establish and Maintain a Vulnerability Management Process",
302
+ description: "Establish and maintain a documented vulnerability management process for enterprise assets",
303
+ implementationGroup: "IG1",
304
+ assetType: ["documentation"],
305
+ securityFunction: ["Govern"],
306
+ governanceElements: [
307
+ "establish documented process",
308
+ "maintain vulnerability management process",
309
+ "review and update documentation annually",
310
+ "update when significant enterprise changes occur",
311
+ "vulnerability management policy"
312
+ ],
313
+ coreRequirements: [
314
+ "vulnerability management process",
315
+ "enterprise assets scope",
316
+ "documented procedures",
317
+ "vulnerability identification",
318
+ "vulnerability assessment"
319
+ ],
320
+ subTaxonomicalElements: [
321
+ "vulnerability scanning procedures",
322
+ "risk assessment criteria",
323
+ "remediation prioritization",
324
+ "patch management integration",
325
+ "vulnerability tracking",
326
+ "reporting requirements",
327
+ "roles and responsibilities",
328
+ "escalation procedures"
329
+ ],
330
+ implementationSuggestions: [
331
+ "vulnerability scanning tools",
332
+ "patch management systems",
333
+ "vulnerability databases",
334
+ "CVSS scoring",
335
+ "automated scanning",
336
+ "vulnerability management platforms"
337
+ ],
338
+ relatedSafeguards: ["1.1", "2.1", "7.2", "7.3", "7.4", "7.5", "7.6", "7.7"],
339
+ keywords: ["vulnerability", "management", "process", "documented", "annual", "review", "enterprise", "assets"]
340
+ }
341
+ };
342
+ }
343
+ }
package/src/index.ts CHANGED
@@ -5648,39 +5648,6 @@ export class GRCAnalysisServer {
5648
5648
  required: ['safeguard_id']
5649
5649
  }
5650
5650
  } as Tool,
5651
- {
5652
- name: 'validate_coverage_claim',
5653
- description: 'Validate a vendor\'s implementation capability claim (FULL/PARTIAL) against specific safeguard requirements and evidence quality',
5654
- inputSchema: {
5655
- type: 'object',
5656
- properties: {
5657
- vendor_name: {
5658
- type: 'string',
5659
- description: 'Name of the vendor'
5660
- },
5661
- safeguard_id: {
5662
- type: 'string',
5663
- description: 'CIS Control safeguard ID',
5664
- pattern: '^[0-9]+\\.[0-9]+$'
5665
- },
5666
- coverage_claim: {
5667
- type: 'string',
5668
- enum: ['FULL', 'PARTIAL'],
5669
- description: 'Vendor\'s implementation capability claim (FULL = complete implementation, PARTIAL = limited scope implementation)'
5670
- },
5671
- response_text: {
5672
- type: 'string',
5673
- description: 'Vendor response explaining their implementation capabilities'
5674
- },
5675
- capabilities: {
5676
- type: 'array',
5677
- items: { type: 'string' },
5678
- description: 'List of additional vendor capability types (Governance, Facilitates, Validates)'
5679
- }
5680
- },
5681
- required: ['vendor_name', 'safeguard_id', 'coverage_claim', 'response_text', 'capabilities']
5682
- }
5683
- } as Tool,
5684
5651
  {
5685
5652
  name: 'list_available_safeguards',
5686
5653
  description: 'List all available CIS Control safeguards with their categorization',
@@ -5745,9 +5712,6 @@ export class GRCAnalysisServer {
5745
5712
  case 'get_safeguard_details':
5746
5713
  result = await this.getSafeguardDetails(args);
5747
5714
  break;
5748
- case 'validate_coverage_claim':
5749
- result = await this.validateCoverageClaim(args);
5750
- break;
5751
5715
  case 'list_available_safeguards':
5752
5716
  result = await this.listAvailableSafeguards(args);
5753
5717
  break;
@@ -5923,35 +5887,6 @@ export class GRCAnalysisServer {
5923
5887
  };
5924
5888
  }
5925
5889
 
5926
- private async validateCoverageClaim(args: any) {
5927
- const { vendor_name, safeguard_id, coverage_claim, response_text, capabilities } = args;
5928
-
5929
- const safeguard = CIS_SAFEGUARDS[safeguard_id];
5930
- if (!safeguard) {
5931
- throw new Error(`Safeguard ${safeguard_id} not found`);
5932
- }
5933
-
5934
- const analysis = this.performCapabilityAnalysis(vendor_name, safeguard, response_text);
5935
-
5936
- // Validate the coverage claim
5937
- const validation = this.validateClaim(coverage_claim, analysis, capabilities, safeguard);
5938
-
5939
- return {
5940
- content: [
5941
- {
5942
- type: 'text',
5943
- text: JSON.stringify({
5944
- vendor: vendor_name,
5945
- safeguardId: safeguard_id,
5946
- claimedCoverage: coverage_claim,
5947
- claimedCapabilities: capabilities,
5948
- analysis,
5949
- validation
5950
- }, null, 2),
5951
- },
5952
- ],
5953
- };
5954
- }
5955
5890
 
5956
5891
  private performCapabilityAnalysis(vendorName: string, safeguard: SafeguardElement, responseText: string): VendorAnalysis {
5957
5892
  const text = responseText.toLowerCase();
@@ -6962,7 +6897,7 @@ export class GRCAnalysisServer {
6962
6897
  case /^Safeguard .+ not found/.test(error.message) ? error.message : '':
6963
6898
  return `❌ Invalid safeguard ID. Use 'list_available_safeguards' to see available CIS Control safeguards.`;
6964
6899
  case /^Unknown tool/.test(error.message) ? error.message : '':
6965
- return `❌ Tool '${toolName}' is not available. Available tools: analyze_vendor_response, validate_vendor_mapping, validate_coverage_claim, get_safeguard_details, list_available_safeguards.`;
6900
+ return `❌ Tool '${toolName}' is not available. Available tools: analyze_vendor_response, validate_vendor_mapping, get_safeguard_details, list_available_safeguards.`;
6966
6901
  default:
6967
6902
  return `❌ Error in ${toolName}: ${error.message}`;
6968
6903
  }
@@ -84,33 +84,6 @@ export class FrameworkMcpServer {
84
84
  required: ['vendor_name', 'safeguard_id', 'response_text']
85
85
  }
86
86
  } as Tool,
87
- {
88
- name: 'validate_coverage_claim',
89
- description: 'Validate FULL/PARTIAL implementation capability claims',
90
- inputSchema: {
91
- type: 'object',
92
- properties: {
93
- vendor_name: {
94
- type: 'string',
95
- description: 'Name of the vendor'
96
- },
97
- safeguard_id: {
98
- type: 'string',
99
- description: 'CIS safeguard ID (e.g., "1.1", "5.1")'
100
- },
101
- claimed_capability: {
102
- type: 'string',
103
- description: 'Claimed capability (typically "full" or "partial")',
104
- enum: ['full', 'partial', 'facilitates', 'governance', 'validates']
105
- },
106
- response_text: {
107
- type: 'string',
108
- description: 'Vendor response text supporting the claim'
109
- }
110
- },
111
- required: ['vendor_name', 'safeguard_id', 'claimed_capability', 'response_text']
112
- }
113
- } as Tool,
114
87
  {
115
88
  name: 'get_safeguard_details',
116
89
  description: 'Get detailed safeguard breakdown',
@@ -154,9 +127,6 @@ export class FrameworkMcpServer {
154
127
  case 'analyze_vendor_response':
155
128
  return await this.analyzeVendorResponse(args);
156
129
 
157
- case 'validate_coverage_claim':
158
- return await this.validateCoverageClaim(args);
159
-
160
130
  case 'get_safeguard_details':
161
131
  return await this.getSafeguardDetails(args);
162
132
 
@@ -239,37 +209,6 @@ export class FrameworkMcpServer {
239
209
  };
240
210
  }
241
211
 
242
- private async validateCoverageClaim(args: any) {
243
- const { vendor_name = 'Unknown Vendor', safeguard_id, claimed_capability, response_text } = args;
244
-
245
- this.validateTextInput(response_text, 'Response text');
246
- this.validateCapability(claimed_capability);
247
- this.safeguardManager.validateSafeguardId(safeguard_id);
248
-
249
- const safeguard = this.safeguardManager.getSafeguardDetails(safeguard_id);
250
- if (!safeguard) {
251
- throw new Error(`Safeguard ${safeguard_id} not found`);
252
- }
253
-
254
- // Use the primary validation method for coverage claims
255
- const validation = this.capabilityAnalyzer.validateVendorMapping(
256
- vendor_name,
257
- safeguard_id,
258
- claimed_capability,
259
- response_text,
260
- safeguard
261
- );
262
-
263
- return {
264
- content: [
265
- {
266
- type: 'text',
267
- text: JSON.stringify(validation, null, 2),
268
- },
269
- ],
270
- };
271
- }
272
-
273
212
  private async getSafeguardDetails(args: any) {
274
213
  const { safeguard_id, include_examples = false } = args;
275
214