framework-mcp 1.3.6 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/.claude/agents/mcp-developer.md +41 -0
  2. package/.claude/agents/project-orchestrator.md +43 -0
  3. package/.claude/agents/version-consistency-reviewer.md +50 -0
  4. package/COPILOT_INTEGRATION.md +49 -62
  5. package/DEPLOYMENT_GUIDE.md +48 -49
  6. package/MCP_INTEGRATION_GUIDE.md +96 -129
  7. package/MIGRATION_GUIDE_v1.4.0.md +190 -0
  8. package/README.md +149 -173
  9. package/RELEASE_NOTES_v1.3.7.md +275 -0
  10. package/RELEASE_NOTES_v1.4.0.md +178 -0
  11. package/SAFEGUARDS_VERIFICATION_LOG.md +157 -0
  12. package/dist/core/safeguard-manager.d.ts.map +1 -1
  13. package/dist/core/safeguard-manager.js +747 -1191
  14. package/dist/core/safeguard-manager.js.map +1 -1
  15. package/dist/index.d.ts +0 -1
  16. package/dist/index.d.ts.map +1 -1
  17. package/dist/index.js +1 -2
  18. package/dist/index.js.map +1 -1
  19. package/dist/interfaces/http/http-server.d.ts +0 -4
  20. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  21. package/dist/interfaces/http/http-server.js +6 -113
  22. package/dist/interfaces/http/http-server.js.map +1 -1
  23. package/dist/interfaces/mcp/mcp-server.d.ts +0 -5
  24. package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
  25. package/dist/interfaces/mcp/mcp-server.js +4 -120
  26. package/dist/interfaces/mcp/mcp-server.js.map +1 -1
  27. package/dist/shared/types.d.ts +0 -37
  28. package/dist/shared/types.d.ts.map +1 -1
  29. package/examples/example-usage.md +43 -38
  30. package/examples/llm-analysis-patterns.md +553 -0
  31. package/package.json +2 -3
  32. package/scripts/validate-documentation.sh +4 -4
  33. package/src/core/safeguard-manager.ts +729 -1173
  34. package/src/index.ts +1 -2
  35. package/src/interfaces/http/http-server.ts +6 -139
  36. package/src/interfaces/mcp/mcp-server.ts +4 -145
  37. package/src/shared/types.ts +0 -40
  38. package/swagger.json +64 -313
  39. package/dist/core/capability-analyzer.d.ts +0 -29
  40. package/dist/core/capability-analyzer.d.ts.map +0 -1
  41. package/dist/core/capability-analyzer.js +0 -568
  42. package/dist/core/capability-analyzer.js.map +0 -1
  43. package/src/core/capability-analyzer.ts +0 -708
@@ -0,0 +1,41 @@
1
+ ---
2
+ name: mcp-developer
3
+ description: Use this agent when implementing code changes, developing new features, or writing code according to sprint requirements. Examples: <example>Context: The project manager has assigned a sprint task to implement a new MCP tool for data validation. user: 'I need to implement the validate_data_format tool according to the sprint requirements' assistant: 'I'll use the mcp-developer agent to implement this new MCP tool according to the sprint specifications' <commentary>Since the user needs to implement code according to sprint requirements, use the mcp-developer agent to write the implementation.</commentary></example> <example>Context: A new feature needs to be added to the MCP server based on sprint planning. user: 'The project manager wants me to add support for CSV file processing in the next sprint' assistant: 'I'll use the mcp-developer agent to implement the CSV processing feature according to the sprint requirements' <commentary>Since this involves implementing new functionality according to sprint planning, use the mcp-developer agent.</commentary></example>
4
+ model: sonnet
5
+ color: orange
6
+ ---
7
+
8
+ You are an expert MCP (Model Context Protocol) developer with deep expertise in JSON APIs, TypeScript, and Node.js development. You specialize in implementing MCP servers and tools according to sprint requirements and project specifications.
9
+
10
+ Your core responsibilities:
11
+ - Implement code changes and new features according to sprint requirements provided by the project manager
12
+ - Write clean, maintainable TypeScript code following established project patterns
13
+ - Develop MCP tools and server functionality with proper JSON schema validation
14
+ - Follow the existing codebase architecture and coding standards from CLAUDE.md
15
+ - Ensure all implementations align with MCP protocol specifications
16
+ - Write production-ready code with proper error handling and type safety
17
+
18
+ When implementing code:
19
+ 1. **Analyze Sprint Requirements**: Carefully review the sprint specifications and acceptance criteria
20
+ 2. **Follow Project Patterns**: Adhere to existing code structure, naming conventions, and architectural patterns
21
+ 3. **Implement with Precision**: Write code that exactly meets the specified requirements without over-engineering
22
+ 4. **Ensure Type Safety**: Use strict TypeScript typing and proper interface definitions
23
+ 5. **Handle Errors Gracefully**: Implement comprehensive error handling and validation
24
+ 6. **Optimize Performance**: Consider caching, efficiency, and scalability in your implementations
25
+ 7. **Document Code**: Include clear comments for complex logic and maintain JSDoc standards
26
+
27
+ For MCP-specific implementations:
28
+ - Follow MCP protocol standards for tool definitions and responses
29
+ - Implement proper JSON schema validation for all inputs and outputs
30
+ - Ensure tools are properly registered and exported
31
+ - Handle MCP error responses according to protocol specifications
32
+ - Maintain consistency with existing tool patterns in the codebase
33
+
34
+ Code quality standards:
35
+ - Use existing project dependencies and avoid introducing unnecessary new ones
36
+ - Follow the established file structure and organization
37
+ - Implement comprehensive input validation and sanitization
38
+ - Write code that integrates seamlessly with existing functionality
39
+ - Ensure backward compatibility unless explicitly specified otherwise
40
+
41
+ You work collaboratively with the project manager who provides sprint requirements and the consistency reviewer who will review your code before release. Always implement exactly what is specified in the sprint requirements - no more, no less.
@@ -0,0 +1,43 @@
1
+ ---
2
+ name: project-orchestrator
3
+ description: Use this agent when you need to evaluate, approve, or disapprove project plans, coordinate multiple agents, or ensure system-wide coherence. Examples: <example>Context: User is planning to refactor the CIS safeguards data structure. user: 'I want to change how we store safeguard data from objects to arrays for better performance' assistant: 'Let me use the project-orchestrator agent to evaluate this architectural change and its system-wide impacts' <commentary>Since this is a significant architectural decision that could affect multiple parts of the system, use the project-orchestrator to assess the plan holistically.</commentary></example> <example>Context: Multiple agents are being deployed for different tasks. user: 'I've created three new agents for code review, testing, and documentation. Should I deploy them all at once?' assistant: 'I'll use the project-orchestrator agent to coordinate this multi-agent deployment strategy' <commentary>The orchestrator should evaluate the deployment plan and ensure proper sequencing and resource allocation.</commentary></example>
4
+ model: sonnet
5
+ color: green
6
+ ---
7
+
8
+ You are the Project Orchestrator, the strategic overseer responsible for evaluating and coordinating all project plans and agent activities. Your role is to ensure system-wide coherence, prevent conflicts, and maintain project integrity through thoughtful analysis and decision-making.
9
+
10
+ Your core responsibilities:
11
+
12
+ **Plan Evaluation Framework:**
13
+ 1. **Sequential Impact Analysis** - Trace how proposed changes will ripple through the system, identifying all affected components, dependencies, and downstream effects
14
+ 2. **Zen Principle Application** - Seek the path of least resistance that achieves maximum benefit with minimal disruption
15
+ 3. **Conflict Detection** - Identify potential conflicts with existing systems, ongoing work, or planned initiatives
16
+ 4. **Resource Assessment** - Evaluate whether the plan aligns with available resources and project constraints
17
+ 5. **Risk-Benefit Analysis** - Weigh potential gains against implementation costs and risks
18
+
19
+ **Decision-Making Process:**
20
+ - **APPROVE** plans that demonstrate clear value, minimal risk, and proper consideration of system impacts
21
+ - **CONDITIONAL APPROVAL** for plans requiring modifications or specific sequencing
22
+ - **DISAPPROVE** plans that pose unacceptable risks, conflicts, or resource demands
23
+ - **DEFER** plans requiring additional information or stakeholder input
24
+
25
+ **Agent Fleet Management:**
26
+ - Coordinate agent deployment sequences to prevent resource conflicts
27
+ - Ensure agents have complementary rather than overlapping responsibilities
28
+ - Monitor for agent interaction patterns that could cause system instability
29
+ - Establish clear escalation paths and communication protocols between agents
30
+
31
+ **Communication Style:**
32
+ - Provide clear, reasoned decisions with supporting rationale
33
+ - Identify specific concerns and suggest concrete modifications when needed
34
+ - Use structured thinking to break down complex decisions into manageable components
35
+ - Maintain a calm, authoritative tone that inspires confidence in your oversight
36
+
37
+ **Quality Assurance:**
38
+ - Always consider the long-term implications of decisions, not just immediate effects
39
+ - Verify that approved plans align with project goals and architectural principles
40
+ - Ensure decisions maintain system stability and user experience
41
+ - Document key decision points and rationale for future reference
42
+
43
+ When evaluating plans, think step-by-step through the sequential impacts, apply zen principles to find elegant solutions, and make decisions that serve the overall project health. Your approval carries weight - use it wisely to guide the project toward success while preventing costly mistakes.
@@ -0,0 +1,50 @@
1
+ ---
2
+ name: version-consistency-reviewer
3
+ description: Use this agent when you need to review code before committing to GitHub or releasing to NPM to ensure version consistency across all components. Examples: <example>Context: The user has just finished implementing a new feature in their MCP server and is ready to commit the changes. user: 'I've finished adding the new authentication feature to the MCP server. Here's the updated code for review before I commit it.' assistant: 'I'll use the version-consistency-reviewer agent to check that all version numbers are properly aligned before this code is committed.' <commentary>Since the user is preparing to commit code, use the version-consistency-reviewer agent to verify version consistency across package.json, server configuration, and any version tags.</commentary></example> <example>Context: The user is preparing to release a new version of their NPM package. user: 'Ready to publish version 2.1.0 to NPM. Can you review everything is set up correctly?' assistant: 'Let me use the version-consistency-reviewer agent to ensure all version numbers are consistent before publishing.' <commentary>Since the user is preparing for NPM publication, use the version-consistency-reviewer agent to verify CI/CD requirements are met.</commentary></example>
4
+ model: sonnet
5
+ color: yellow
6
+ ---
7
+
8
+ You are a Version Consistency Reviewer, an expert in MCP (Model Context Protocol) server development, NPM package management, and CI/CD pipeline requirements. Your primary responsibility is ensuring version consistency across all components before code commits and package releases.
9
+
10
+ Your expertise includes:
11
+ - MCP server architecture and configuration patterns
12
+ - NPM package.json structure and versioning semantics
13
+ - Git tagging strategies and repository management
14
+ - CI/CD pipeline requirements for automated publishing
15
+ - Version synchronization across distributed systems
16
+
17
+ When reviewing code, you will systematically verify:
18
+
19
+ **Version Consistency Checks:**
20
+ 1. **package.json version** - Verify the version field matches intended release
21
+ 2. **MCP server configuration** - Check server version declarations in code
22
+ 3. **Git repository tags** - Ensure tag versions align with package versions
23
+ 4. **HTTP server version headers** - Validate version reporting in server responses
24
+ 5. **Documentation version references** - Check README, CHANGELOG, and API docs
25
+ 6. **Dependency version compatibility** - Verify dependency ranges are appropriate
26
+
27
+ **CI/CD Compliance Verification:**
28
+ - Confirm version increments follow semantic versioning (semver)
29
+ - Validate that Git tags exist and match package.json version
30
+ - Check for version conflicts that would block automated publishing
31
+ - Verify pre-release identifiers are properly formatted
32
+ - Ensure version consistency across monorepo packages if applicable
33
+
34
+ **Review Process:**
35
+ 1. **Extract all version declarations** from the codebase
36
+ 2. **Cross-reference versions** across package.json, server code, and tags
37
+ 3. **Identify discrepancies** and potential CI/CD blocking issues
38
+ 4. **Validate semantic versioning** compliance for the intended change type
39
+ 5. **Check dependency compatibility** for version updates
40
+ 6. **Provide specific remediation steps** for any issues found
41
+
42
+ **Output Format:**
43
+ Provide a structured review with:
44
+ - **Version Summary**: Current versions found across all components
45
+ - **Consistency Status**: PASS/FAIL with specific issues identified
46
+ - **CI/CD Readiness**: Assessment of automated publishing requirements
47
+ - **Recommendations**: Specific actions needed before commit/release
48
+ - **Risk Assessment**: Potential impacts of version mismatches
49
+
50
+ You will be thorough but efficient, focusing on critical version consistency issues that could break CI/CD pipelines or cause deployment failures. Always provide actionable guidance for resolving any version conflicts before code release.
@@ -1,10 +1,10 @@
1
1
  # Microsoft Copilot Integration Guide
2
2
 
3
- This guide provides step-by-step instructions for integrating Framework MCP with Microsoft Copilot using custom connectors.
3
+ This guide provides step-by-step instructions for integrating Framework MCP v1.4.0's Pure Data Provider architecture with Microsoft Copilot using custom connectors.
4
4
 
5
5
  ## Overview
6
6
 
7
- Framework MCP provides a dual-architecture solution that enables both Model Context Protocol (MCP) integration with Claude Code and HTTP API integration with Microsoft Copilot. This allows security professionals to access CIS Controls capability assessment through their preferred AI platform.
7
+ Framework MCP v1.4.0 provides a **Pure Data Provider architecture** with dual interfaces enabling both Model Context Protocol (MCP) integration with Claude Code and HTTP API integration with Microsoft Copilot. This empowers security professionals to access authoritative CIS Controls data through their preferred AI platform for sophisticated, LLM-driven vendor capability analysis.
8
8
 
9
9
  ## Prerequisites
10
10
 
@@ -52,7 +52,7 @@ Expected response:
52
52
  "uptime": 1234,
53
53
  "totalRequests": 0,
54
54
  "errorCount": 0,
55
- "version": "1.3.6",
55
+ "version": "1.4.0",
56
56
  "timestamp": "2025-08-21T01:00:00.000Z"
57
57
  }
58
58
  ```
@@ -74,8 +74,8 @@ Expected response:
74
74
  - Click **Continue**
75
75
 
76
76
  4. **Configure Connector Details**
77
- - **Name**: Framework MCP - CIS Controls Capability Assessment
78
- - **Description**: Validate vendor capability claims against CIS Controls Framework
77
+ - **Name**: Framework MCP - Pure Data Provider
78
+ - **Description**: Authoritative CIS Controls Framework data for LLM-driven analysis
79
79
  - **Host**: Update to your deployed API URL (e.g., `your-app.ondigitalocean.app`)
80
80
  - **Base URL**: `/`
81
81
 
@@ -109,89 +109,72 @@ Expected response:
109
109
  - Select **Custom connector**
110
110
  - Choose your Framework MCP connector
111
111
 
112
- ## Custom Actions Configuration
112
+ ## Data Actions Configuration
113
113
 
114
- ### Primary Action: Validate Vendor Capability
114
+ ### Primary Action: Get Safeguard Details
115
115
 
116
- Configure this action for evidence-based validation:
116
+ Configure this action for detailed CIS safeguard information:
117
117
 
118
118
  **Action Details:**
119
- - **Name**: Validate Vendor Capability Mapping
120
- - **Description**: Validate vendor capability claims against CIS Controls with domain validation and auto-downgrade protection
119
+ - **Name**: Get CIS Safeguard Details
120
+ - **Description**: Retrieve detailed CIS Controls safeguard breakdown for LLM analysis
121
121
  - **Connector**: Framework MCP Custom Connector
122
- - **Operation**: `validateVendorMapping`
122
+ - **Operation**: `getSafeguardDetails`
123
123
 
124
124
  **Parameters:**
125
- - **vendor_name** (Required): Name of the vendor/tool being analyzed
126
- - **safeguard_id** (Required): CIS safeguard ID (e.g., "1.1", "5.1", "12.8")
127
- - **claimed_capability** (Required): Capability role (full, partial, facilitates, governance, validates)
128
- - **supporting_text** (Required): Vendor response supporting their capability claim
125
+ - **safeguardId** (Required): CIS safeguard ID (e.g., "1.1", "5.1", "12.8")
126
+ - **include_examples** (Optional): Include implementation examples (true/false)
129
127
 
130
128
  **Sample Input:**
131
129
  ```json
132
130
  {
133
- "vendor_name": "CrowdStrike Falcon",
134
- "safeguard_id": "1.1",
135
- "claimed_capability": "full",
136
- "supporting_text": "Our platform provides comprehensive enterprise asset inventory with real-time discovery, automated classification, and continuous monitoring of all hardware and software assets across the organization."
131
+ "safeguardId": "5.1",
132
+ "include_examples": true
137
133
  }
138
134
  ```
139
135
 
140
- ### Secondary Action: Analyze Vendor Response
136
+ ### Secondary Action: List All Safeguards
141
137
 
142
- Configure this action for capability determination:
138
+ Configure this action for safeguard discovery:
143
139
 
144
140
  **Action Details:**
145
- - **Name**: Analyze Vendor Response
146
- - **Description**: Determine appropriate capability role for vendor response text
141
+ - **Name**: List CIS Safeguards
142
+ - **Description**: Get complete list of available CIS Controls safeguards
147
143
  - **Connector**: Framework MCP Custom Connector
148
- - **Operation**: `analyzeVendorResponse`
149
-
150
- **Parameters:**
151
- - **vendor_name** (Required): Name of the vendor
152
- - **safeguard_id** (Required): CIS safeguard ID
153
- - **response_text** (Required): Vendor response text to analyze
154
-
155
- ### Additional Actions: Safeguard Information
156
-
157
- **Get Safeguard Details:**
158
- - **Operation**: `getSafeguardDetails`
159
- - **Parameters**: safeguard_id, include_examples (optional)
144
+ - **Operation**: `listSafeguards`
160
145
 
161
- **List Available Safeguards:**
162
- - **Operation**: `listAvailableSafeguards`
163
- - **Parameters**: None
146
+ **No Parameters Required**
164
147
 
165
148
  ## Example User Interactions
166
149
 
167
- Once configured, users can interact with your Copilot using natural language:
150
+ Once configured, users can interact with your Copilot using natural language for LLM-driven analysis:
168
151
 
169
- ### Capability Validation Examples
152
+ ### LLM-Driven Capability Assessment
170
153
 
171
154
  ```
172
- "Validate this vendor capability: Microsoft Defender for Endpoint claims FULL coverage for safeguard 1.1. Their response: 'Microsoft Defender provides comprehensive asset discovery, detailed hardware and software inventory, and real-time asset status monitoring across all enterprise endpoints.'"
155
+ "Get details for safeguard 1.1, then analyze Microsoft Defender for Endpoint's capability: 'Microsoft Defender provides comprehensive asset discovery, detailed hardware and software inventory, and real-time asset status monitoring across all enterprise endpoints.' Determine appropriate capability role and provide confidence assessment."
173
156
 
174
- "Check if CrowdStrike Falcon can provide PARTIAL coverage for safeguard 5.1 based on this: 'We offer centralized identity integration with detailed user account tracking and automated access reviews.'"
157
+ "Retrieve safeguard 5.1 requirements and assess CrowdStrike Falcon: 'We offer centralized identity integration with detailed user account tracking and automated access reviews.' Consider enterprise environment and provide implementation recommendations."
175
158
 
176
- "Validate this FACILITATES claim: Qualys VMDR for safeguard 1.1 - 'Our vulnerability scanner enhances existing asset management by providing additional device discovery and detailed software inventory during security assessments.'"
159
+ "Get safeguard 6.3 details. For a financial services organization with strict compliance requirements, analyze Okta's MFA solution: 'We provide comprehensive multi-factor authentication for all external applications with adaptive authentication policies, risk-based assessments, and SSO integration.'"
177
160
  ```
178
161
 
179
- ### Response Analysis Examples
162
+ ### Comparative Analysis Examples
180
163
 
181
164
  ```
182
- "Analyze this vendor response for safeguard 6.3: Okta - 'We provide comprehensive multi-factor authentication for all external applications with adaptive authentication policies, risk-based assessments, and SSO integration.'"
165
+ "Get safeguard 7.1 details and compare these vulnerability management solutions: 1) Rapid7 InsightVM: 'Continuous vulnerability scanning with automated remediation guidance' 2) Qualys VMDR: 'Cloud-based vulnerability scanning with patch prioritization' 3) Tenable Nessus: 'Comprehensive vulnerability assessment with compliance reporting'. Rank by implementation completeness."
183
166
 
184
- "What capability role should we assign to this response for safeguard 7.1: Rapid7 InsightVM - 'Our platform performs continuous vulnerability scanning, provides automated remediation guidance, and tracks patch deployment across the infrastructure.'"
167
+ "Retrieve details for safeguards 13.1, 13.3, and 13.6. Analyze how SentinelOne addresses these network monitoring requirements and identify any coverage gaps."
185
168
  ```
186
169
 
187
- ### Information Requests
170
+ ### Data Discovery Requests
188
171
 
189
172
  ```
190
- "What are the requirements for CIS safeguard 1.1?"
173
+ "Show me all available CIS safeguards related to identity and access management."
191
174
 
192
- "Show me all available CIS safeguards in the inventory domain."
175
+ "Get detailed breakdown of safeguard 11.1 including all sub-elements and governance requirements."
193
176
 
194
- "What's the difference between FULL and PARTIAL capability roles?"
177
+ "List all Implementation Group 1 (IG1) safeguards for a small business security assessment."
195
178
  ```
196
179
 
197
180
  ## Advanced Configuration
@@ -201,20 +184,24 @@ Once configured, users can interact with your Copilot using natural language:
201
184
  Add these instructions to your Copilot's system message:
202
185
 
203
186
  ```
204
- You are a CIS Controls capability assessment expert. You help security professionals evaluate vendor tool capabilities against specific CIS Control safeguards.
187
+ You are a CIS Controls expert powered by Framework MCP's Pure Data Provider architecture. You help security professionals perform sophisticated vendor capability analysis using authoritative CIS Controls data.
205
188
 
206
189
  Key Principles:
207
- 1. Use validate_vendor_mapping for evidence-based validation of capability claims
208
- 2. Use analyze_vendor_response when the capability role is unknown
209
- 3. Always explain the 5 capability roles: FULL, PARTIAL, FACILITATES, GOVERNANCE, VALIDATES
210
- 4. Highlight domain validation results and auto-downgrade protection
211
- 5. Provide actionable recommendations for capability improvements
212
-
213
- When users provide vendor responses:
214
- 1. Ask for the specific CIS safeguard ID if not provided
215
- 2. Determine if they want validation (they have a claimed capability) or analysis (no claimed capability)
216
- 3. Use the appropriate action and explain the results in plain language
217
- 4. Highlight any domain mismatches or auto-downgrades that occurred
190
+ 1. Always retrieve detailed safeguard data using get_safeguard_details before analysis
191
+ 2. Apply context-aware analysis considering industry, risk profile, and organizational needs
192
+ 3. Explain the 5 capability roles: FULL, PARTIAL, FACILITATES, GOVERNANCE, VALIDATES
193
+ 4. Provide transparent reasoning with evidence-based assessments
194
+ 5. Offer implementation recommendations and deployment guidance
195
+
196
+ Analysis Approach:
197
+ 1. Get safeguard requirements using the data actions
198
+ 2. Analyze vendor capabilities against detailed CIS requirements
199
+ 3. Consider organizational context (industry, size, risk tolerance)
200
+ 4. Provide capability role determination with confidence assessment
201
+ 5. Include implementation recommendations and integration considerations
202
+ 6. For comparative analysis, rank vendors and explain reasoning
203
+
204
+ Flexibility: Adapt analysis methodology based on user needs - strict compliance, risk-based assessment, technology integration, or custom evaluation criteria.
218
205
  ```
219
206
 
220
207
  ### Environment Variables
@@ -1,11 +1,11 @@
1
1
  # Framework MCP Deployment Guide
2
2
 
3
- ## Dual Architecture: MCP + HTTP API
3
+ ## Pure Data Provider Architecture: MCP + HTTP API
4
4
 
5
- Framework MCP v1.3.6 features a **dual architecture** that solves the DigitalOcean App Services stdio vs HTTP mismatch:
5
+ Framework MCP v1.4.0 features a **Pure Data Provider architecture** with dual interfaces for maximum flexibility:
6
6
 
7
- - **MCP Interface**: stdio-based for Claude Code integration
8
- - **HTTP Interface**: REST API for cloud deployment
7
+ - **MCP Interface**: stdio-based for Claude Code integration with LLM-driven analysis
8
+ - **HTTP Interface**: REST API for cloud deployment and Microsoft Copilot integration
9
9
 
10
10
  ---
11
11
 
@@ -146,38 +146,20 @@ GET /health
146
146
  # Returns server status and metrics
147
147
  ```
148
148
 
149
- ### Primary Validation
149
+ ### Data Endpoints (Pure Provider Architecture)
150
150
  ```bash
151
- POST /api/validate-vendor-mapping
152
- {
153
- "vendor_name": "AssetMax Pro",
154
- "safeguard_id": "1.1",
155
- "claimed_capability": "full",
156
- "supporting_text": "Comprehensive asset management..."
157
- }
151
+ GET /api/safeguards # List all 153 CIS safeguards
152
+ GET /api/safeguards/1.1 # Get detailed safeguard breakdown
153
+ GET /api/safeguards/1.1?include_examples=true # Include implementation examples
158
154
  ```
159
155
 
160
- ### Capability Analysis
161
- ```bash
162
- POST /api/analyze-vendor-response
163
- {
164
- "vendor_name": "VendorName",
165
- "safeguard_id": "5.1",
166
- "response_text": "Our identity management solution..."
167
- }
168
- ```
169
-
170
- ### Safeguards
156
+ ### Monitoring
171
157
  ```bash
172
- GET /api/safeguards # List all safeguards
173
- GET /api/safeguards/1.1 # Get safeguard details
174
- GET /api/safeguards/1.1?include_examples=true
158
+ GET /api/metrics # Performance metrics and statistics
159
+ GET /api # API documentation and capabilities
175
160
  ```
176
161
 
177
- ### Performance
178
- ```bash
179
- GET /api/metrics # Performance metrics
180
- ```
162
+ **LLM-Driven Analysis**: The Pure Data Provider architecture supplies authoritative CIS data while LLMs perform sophisticated vendor capability analysis with unlimited flexibility.
181
163
 
182
164
  ---
183
165
 
@@ -185,45 +167,62 @@ GET /api/metrics # Performance metrics
185
167
 
186
168
  ### HTTP Interface Advantages
187
169
  - ✅ **DigitalOcean Compatible**: Uses HTTP instead of stdio
188
- - ✅ **REST API**: Standard HTTP endpoints
170
+ - ✅ **REST API**: Standard HTTP endpoints for data access
189
171
  - ✅ **Health Checks**: Platform monitoring support
190
172
  - ✅ **CORS Enabled**: Web application integration
191
173
  - ✅ **Production Ready**: Error handling, security, compression
174
+ - ✅ **Microsoft Copilot**: Custom connector compatibility
192
175
 
193
176
  ### MCP Interface Advantages
194
177
  - ✅ **Claude Code Integration**: Native stdio communication
195
178
  - ✅ **Tool Discovery**: Automatic tool registration
196
179
  - ✅ **Type Safety**: Full MCP schema validation
197
- - ✅ **Rich Responses**: Structured tool responses
180
+ - ✅ **LLM-Driven Analysis**: Direct access to safeguards data for intelligent analysis
198
181
 
199
- ### Shared Core Benefits
200
- - ✅ **Identical Functionality**: Both interfaces use same logic
201
- - ✅ **Domain Validation**: Auto-downgrade protection in both
202
- - ✅ **Performance**: 95% cache optimization in both
203
- - ✅ **Consistency**: Same capability assessment results
182
+ ### Pure Data Provider Benefits
183
+ - ✅ **Clean Architecture**: Simple data provision without analysis complexity
184
+ - ✅ **LLM Flexibility**: Unlimited analysis approaches and methodologies
185
+ - ✅ **Performance Optimized**: Fast data retrieval for real-time analysis
186
+ - ✅ **Context-Aware**: LLMs can apply industry, risk, and organizational context
187
+ - ✅ **Transparent Reasoning**: Full visibility into analysis logic and evidence
204
188
 
205
189
  ---
206
190
 
207
191
  ## Migration Guide
208
192
 
209
- ### From MCP-Only to Dual Architecture
193
+ ### Migrating to Pure Data Provider v1.4.0
210
194
 
211
- 1. **No Breaking Changes**: Existing MCP integrations continue working
212
- 2. **New HTTP Option**: Add cloud deployment capability
213
- 3. **Gradual Adoption**: Choose interface based on use case
195
+ 1. **Simplified Architecture**: Analysis logic moved to LLM capability
196
+ 2. **Enhanced Flexibility**: Unlimited analysis approaches and methodologies
197
+ 3. **Maintained Compatibility**: Both interfaces continue providing data access
198
+ 4. **Improved Performance**: Optimized for fast data retrieval
214
199
 
215
200
  ### Use Case Guidelines
216
201
 
217
202
  **Use MCP Interface When:**
218
- - Integrating with Claude Code
203
+ - Integrating with Claude Code for LLM-driven analysis
219
204
  - Local development and testing
220
- - Tool-based LLM interactions
205
+ - Direct tool-based interactions with LLMs
221
206
 
222
207
  **Use HTTP Interface When:**
223
- - Cloud deployment required
224
- - Web application integration
225
- - API-based access needed
226
- - DigitalOcean App Services deployment
208
+ - Cloud deployment required (DigitalOcean, Railway, Render)
209
+ - Microsoft Copilot custom connector integration
210
+ - Web application or API-based access needed
211
+ - Distributed team access to CIS Controls data
212
+
213
+ ### Analysis Pattern Migration
214
+
215
+ **Old Approach (v1.3.7):**
216
+ ```bash
217
+ POST /api/analyze-vendor-response
218
+ # Hardcoded analysis with fixed validation rules
219
+ ```
220
+
221
+ **New Approach (v1.4.0):**
222
+ ```bash
223
+ GET /api/safeguards/5.1
224
+ # Get authoritative data, then use LLM for sophisticated analysis
225
+ ```
227
226
 
228
227
  ---
229
228
 
@@ -320,7 +319,7 @@ npm install express-rate-limit
320
319
  ### HTTP Deployment Successful When:
321
320
  - ✅ Health check returns 200 status
322
321
  - ✅ `/api/validate-vendor-mapping` accepts POST requests
323
- - ✅ Domain validation auto-downgrade works correctly
322
+ - ✅ Content-based capability analysis works correctly
324
323
  - ✅ All 5 capability roles determined accurately
325
324
  - ✅ Performance metrics show >95% cache efficiency
326
325
 
@@ -332,4 +331,4 @@ npm install express-rate-limit
332
331
 
333
332
  ---
334
333
 
335
- **🎉 Framework MCP v1.3.4 solves the DigitalOcean stdio vs HTTP architecture mismatch while preserving full MCP functionality!**
334
+ **🎉 Framework MCP v1.3.7 solves the DigitalOcean stdio vs HTTP architecture mismatch while preserving full MCP functionality!**