framework-mcp 1.3.6 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/.claude/agents/mcp-developer.md +41 -0
  2. package/.claude/agents/project-orchestrator.md +43 -0
  3. package/.claude/agents/version-consistency-reviewer.md +50 -0
  4. package/COPILOT_INTEGRATION.md +49 -62
  5. package/DEPLOYMENT_GUIDE.md +48 -49
  6. package/MCP_INTEGRATION_GUIDE.md +96 -129
  7. package/MIGRATION_GUIDE_v1.4.0.md +190 -0
  8. package/README.md +149 -173
  9. package/RELEASE_NOTES_v1.3.7.md +275 -0
  10. package/RELEASE_NOTES_v1.4.0.md +178 -0
  11. package/SAFEGUARDS_VERIFICATION_LOG.md +157 -0
  12. package/dist/core/safeguard-manager.d.ts.map +1 -1
  13. package/dist/core/safeguard-manager.js +747 -1191
  14. package/dist/core/safeguard-manager.js.map +1 -1
  15. package/dist/index.d.ts +0 -1
  16. package/dist/index.d.ts.map +1 -1
  17. package/dist/index.js +1 -2
  18. package/dist/index.js.map +1 -1
  19. package/dist/interfaces/http/http-server.d.ts +0 -4
  20. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  21. package/dist/interfaces/http/http-server.js +6 -113
  22. package/dist/interfaces/http/http-server.js.map +1 -1
  23. package/dist/interfaces/mcp/mcp-server.d.ts +0 -5
  24. package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
  25. package/dist/interfaces/mcp/mcp-server.js +4 -120
  26. package/dist/interfaces/mcp/mcp-server.js.map +1 -1
  27. package/dist/shared/types.d.ts +0 -37
  28. package/dist/shared/types.d.ts.map +1 -1
  29. package/examples/example-usage.md +43 -38
  30. package/examples/llm-analysis-patterns.md +553 -0
  31. package/package.json +2 -3
  32. package/scripts/validate-documentation.sh +4 -4
  33. package/src/core/safeguard-manager.ts +729 -1173
  34. package/src/index.ts +1 -2
  35. package/src/interfaces/http/http-server.ts +6 -139
  36. package/src/interfaces/mcp/mcp-server.ts +4 -145
  37. package/src/shared/types.ts +0 -40
  38. package/swagger.json +64 -313
  39. package/dist/core/capability-analyzer.d.ts +0 -29
  40. package/dist/core/capability-analyzer.d.ts.map +0 -1
  41. package/dist/core/capability-analyzer.js +0 -568
  42. package/dist/core/capability-analyzer.js.map +0 -1
  43. package/src/core/capability-analyzer.ts +0 -708
package/src/index.ts CHANGED
@@ -11,8 +11,7 @@ if (import.meta.url === `file://${process.argv[1]}`) {
11
11
 
12
12
  export { FrameworkMcpServer } from './interfaces/mcp/mcp-server.js';
13
13
  export { FrameworkHttpServer } from './interfaces/http/http-server.js';
14
- export { CapabilityAnalyzer } from './core/capability-analyzer.js';
15
14
  export { SafeguardManager } from './core/safeguard-manager.js';
16
15
 
17
- // Clean architecture - all safeguards data moved to SafeguardManager
16
+ // Pure Data Provider architecture - authentic CIS Controls data via SafeguardManager
18
17
 
@@ -4,7 +4,6 @@ import express from 'express';
4
4
  import cors from 'cors';
5
5
  import helmet from 'helmet';
6
6
  import compression from 'compression';
7
- import { CapabilityAnalyzer } from '../../core/capability-analyzer.js';
8
7
  import { SafeguardManager } from '../../core/safeguard-manager.js';
9
8
 
10
9
  interface ErrorResponse {
@@ -15,13 +14,11 @@ interface ErrorResponse {
15
14
 
16
15
  export class FrameworkHttpServer {
17
16
  private app: express.Application;
18
- private capabilityAnalyzer: CapabilityAnalyzer;
19
17
  private safeguardManager: SafeguardManager;
20
18
  private port: number;
21
19
 
22
20
  constructor(port: number = 8080) {
23
21
  this.app = express();
24
- this.capabilityAnalyzer = new CapabilityAnalyzer();
25
22
  this.safeguardManager = new SafeguardManager();
26
23
  this.port = port;
27
24
 
@@ -68,80 +65,14 @@ export class FrameworkHttpServer {
68
65
  private setupRoutes(): void {
69
66
  // Health check endpoint (required for DigitalOcean App Services)
70
67
  this.app.get('/health', (req, res) => {
71
- const metrics = this.capabilityAnalyzer.getPerformanceMetrics();
72
68
  res.json({
73
69
  status: 'healthy',
74
- uptime: Math.round((Date.now() - metrics.uptime) / 1000),
75
- totalRequests: metrics.totalRequests,
76
- errorCount: metrics.errorCount,
77
- version: '1.3.6',
70
+ uptime: Math.round(process.uptime()),
71
+ version: '1.4.0',
78
72
  timestamp: new Date().toISOString()
79
73
  });
80
74
  });
81
75
 
82
- // Primary validation endpoint
83
- this.app.post('/api/validate-vendor-mapping', async (req, res) => {
84
- try {
85
- const { vendor_name, safeguard_id, claimed_capability, supporting_text } = req.body;
86
-
87
- // Input validation
88
- this.validateInput(req.body, [
89
- 'vendor_name',
90
- 'safeguard_id',
91
- 'claimed_capability',
92
- 'supporting_text'
93
- ]);
94
-
95
- this.validateTextInput(supporting_text, 'Supporting text');
96
- this.validateCapability(claimed_capability);
97
- this.safeguardManager.validateSafeguardId(safeguard_id);
98
-
99
- const safeguard = this.safeguardManager.getSafeguardDetails(safeguard_id);
100
- if (!safeguard) {
101
- return res.status(404).json(this.createErrorResponse('Safeguard not found'));
102
- }
103
-
104
- const result = this.capabilityAnalyzer.validateVendorMapping(
105
- vendor_name,
106
- safeguard_id,
107
- claimed_capability,
108
- supporting_text,
109
- safeguard
110
- );
111
-
112
- res.json(result);
113
- } catch (error) {
114
- console.error('[HTTP Server] validate-vendor-mapping error:', error);
115
- res.status(400).json(this.createErrorResponse(error instanceof Error ? error.message : 'Unknown error'));
116
- }
117
- });
118
-
119
- // Capability analysis endpoint
120
- this.app.post('/api/analyze-vendor-response', async (req, res) => {
121
- try {
122
- const { vendor_name, safeguard_id, response_text } = req.body;
123
-
124
- this.validateInput(req.body, ['vendor_name', 'safeguard_id', 'response_text']);
125
- this.validateTextInput(response_text, 'Response text');
126
- this.safeguardManager.validateSafeguardId(safeguard_id);
127
-
128
- const safeguard = this.safeguardManager.getSafeguardDetails(safeguard_id);
129
- if (!safeguard) {
130
- return res.status(404).json(this.createErrorResponse('Safeguard not found'));
131
- }
132
-
133
- const result = this.capabilityAnalyzer.performCapabilityAnalysis(
134
- vendor_name,
135
- safeguard,
136
- response_text
137
- );
138
-
139
- res.json(result);
140
- } catch (error) {
141
- console.error('[HTTP Server] analyze-vendor-response error:', error);
142
- res.status(400).json(this.createErrorResponse(error instanceof Error ? error.message : 'Unknown error'));
143
- }
144
- });
145
76
 
146
77
 
147
78
  // Get safeguard details endpoint
@@ -181,49 +112,19 @@ export class FrameworkHttpServer {
181
112
  }
182
113
  });
183
114
 
184
- // Performance metrics endpoint
185
- this.app.get('/api/metrics', (req, res) => {
186
- try {
187
- const metrics = this.capabilityAnalyzer.getPerformanceMetrics();
188
-
189
- res.json({
190
- uptime_seconds: Math.round((Date.now() - metrics.uptime) / 1000),
191
- total_requests: metrics.totalRequests,
192
- error_count: metrics.errorCount,
193
- error_rate: metrics.totalRequests > 0 ?
194
- ((metrics.errorCount / metrics.totalRequests) * 100).toFixed(2) + '%' : '0%',
195
- request_counts: Object.fromEntries(metrics.requestCounts),
196
- timestamp: new Date().toISOString()
197
- });
198
- } catch (error) {
199
- console.error('[HTTP Server] metrics error:', error);
200
- res.status(500).json(this.createErrorResponse('Metrics unavailable'));
201
- }
202
- });
203
115
 
204
116
  // API documentation endpoint
205
117
  this.app.get('/api', (req, res) => {
206
118
  res.json({
207
119
  name: 'Framework MCP HTTP API',
208
- version: '1.3.6',
209
- description: 'Dual-architecture HTTP API for vendor capability assessment against CIS Controls Framework',
120
+ version: '1.4.0',
121
+ description: 'Pure Data Provider serving authentic CIS Controls Framework data',
210
122
  endpoints: {
211
- 'POST /api/validate-vendor-mapping': 'Primary capability validation with domain validation',
212
- 'POST /api/analyze-vendor-response': 'Capability role determination for vendor responses',
213
123
  'GET /api/safeguards': 'List all available CIS safeguards',
214
124
  'GET /api/safeguards/:id': 'Get detailed safeguard breakdown',
215
125
  'GET /health': 'Health check endpoint',
216
- 'GET /api/metrics': 'Performance metrics',
217
126
  'GET /api': 'This documentation'
218
127
  },
219
- capabilities: [
220
- 'FULL - Complete implementation of safeguard',
221
- 'PARTIAL - Limited scope implementation',
222
- 'FACILITATES - Enhancement capabilities',
223
- 'GOVERNANCE - Policy/process management',
224
- 'VALIDATES - Evidence collection and reporting'
225
- ],
226
- domain_validation: 'Auto-downgrade protection for inappropriate capability claims',
227
128
  framework: 'CIS Controls v8.1 (153 safeguards)',
228
129
  deployment: 'DigitalOcean App Services compatible'
229
130
  });
@@ -257,40 +158,6 @@ export class FrameworkHttpServer {
257
158
  });
258
159
  }
259
160
 
260
- private validateInput(body: any, requiredFields: string[]): void {
261
- if (!body || typeof body !== 'object') {
262
- throw new Error('Request body is required and must be valid JSON');
263
- }
264
-
265
- for (const field of requiredFields) {
266
- if (!body[field] || typeof body[field] !== 'string') {
267
- throw new Error(`Field '${field}' is required and must be a non-empty string`);
268
- }
269
- }
270
- }
271
-
272
- private validateTextInput(text: string, fieldName: string): void {
273
- if (typeof text !== 'string') {
274
- throw new Error(`${fieldName} must be a string`);
275
- }
276
-
277
- if (text.length < 10) {
278
- throw new Error(`${fieldName} must be at least 10 characters long`);
279
- }
280
-
281
- if (text.length > 10000) {
282
- throw new Error(`${fieldName} must be less than 10,000 characters`);
283
- }
284
- }
285
-
286
- private validateCapability(capability: string): void {
287
- const validCapabilities = ['full', 'partial', 'facilitates', 'governance', 'validates'];
288
-
289
- if (!validCapabilities.includes(capability.toLowerCase())) {
290
- throw new Error(`Invalid capability '${capability}'. Valid options: ${validCapabilities.join(', ')}`);
291
- }
292
- }
293
-
294
161
  private createErrorResponse(error: string, details?: string): ErrorResponse {
295
162
  return {
296
163
  error,
@@ -301,11 +168,11 @@ export class FrameworkHttpServer {
301
168
 
302
169
  public start(): void {
303
170
  this.app.listen(this.port, '0.0.0.0', () => {
304
- console.log(`🚀 Framework MCP HTTP Server v1.3.4 running on port ${this.port}`);
171
+ console.log(`🚀 Framework MCP HTTP Server v1.4.0 running on port ${this.port}`);
305
172
  console.log(`📊 Health check: http://localhost:${this.port}/health`);
306
173
  console.log(`📖 API docs: http://localhost:${this.port}/api`);
307
174
  console.log(`🔧 Environment: ${process.env.NODE_ENV || 'development'}`);
308
- console.log(`⚡ DigitalOcean App Services compatible`);
175
+ console.log(`📊 Pure Data Provider - CIS Controls v8.1`);
309
176
  });
310
177
 
311
178
  // Graceful shutdown handling
@@ -8,23 +8,20 @@ import {
8
8
  Tool,
9
9
  } from '@modelcontextprotocol/sdk/types.js';
10
10
 
11
- import { CapabilityAnalyzer } from '../../core/capability-analyzer.js';
12
11
  import { SafeguardManager } from '../../core/safeguard-manager.js';
13
12
 
14
13
  export class FrameworkMcpServer {
15
14
  private server: Server;
16
- private capabilityAnalyzer: CapabilityAnalyzer;
17
15
  private safeguardManager: SafeguardManager;
18
16
 
19
17
  constructor() {
20
18
  this.server = new Server(
21
19
  {
22
20
  name: 'framework-analyzer',
23
- version: '1.3.6',
21
+ version: '1.4.0',
24
22
  }
25
23
  );
26
24
 
27
- this.capabilityAnalyzer = new CapabilityAnalyzer();
28
25
  this.safeguardManager = new SafeguardManager();
29
26
 
30
27
  this.setupHandlers();
@@ -35,55 +32,6 @@ export class FrameworkMcpServer {
35
32
  this.server.setRequestHandler(ListToolsRequestSchema, async () => {
36
33
  return {
37
34
  tools: [
38
- {
39
- name: 'validate_vendor_mapping',
40
- description: 'PRIMARY: Validate vendor capability claims with domain validation and evidence analysis',
41
- inputSchema: {
42
- type: 'object',
43
- properties: {
44
- vendor_name: {
45
- type: 'string',
46
- description: 'Name of the vendor/tool being analyzed'
47
- },
48
- safeguard_id: {
49
- type: 'string',
50
- description: 'CIS safeguard ID (e.g., "1.1", "5.1")'
51
- },
52
- claimed_capability: {
53
- type: 'string',
54
- description: 'Claimed capability role',
55
- enum: ['full', 'partial', 'facilitates', 'governance', 'validates']
56
- },
57
- supporting_text: {
58
- type: 'string',
59
- description: 'Vendor text supporting their capability claim'
60
- }
61
- },
62
- required: ['vendor_name', 'safeguard_id', 'claimed_capability', 'supporting_text']
63
- }
64
- } as Tool,
65
- {
66
- name: 'analyze_vendor_response',
67
- description: 'Determine vendor tool capability role for specific safeguard',
68
- inputSchema: {
69
- type: 'object',
70
- properties: {
71
- vendor_name: {
72
- type: 'string',
73
- description: 'Name of the vendor'
74
- },
75
- safeguard_id: {
76
- type: 'string',
77
- description: 'CIS safeguard ID (e.g., "1.1", "5.1")'
78
- },
79
- response_text: {
80
- type: 'string',
81
- description: 'Vendor response text to analyze'
82
- }
83
- },
84
- required: ['vendor_name', 'safeguard_id', 'response_text']
85
- }
86
- } as Tool,
87
35
  {
88
36
  name: 'get_safeguard_details',
89
37
  description: 'Get detailed safeguard breakdown',
@@ -121,12 +69,6 @@ export class FrameworkMcpServer {
121
69
 
122
70
  try {
123
71
  switch (name) {
124
- case 'validate_vendor_mapping':
125
- return await this.validateVendorMapping(args);
126
-
127
- case 'analyze_vendor_response':
128
- return await this.analyzeVendorResponse(args);
129
-
130
72
  case 'get_safeguard_details':
131
73
  return await this.getSafeguardDetails(args);
132
74
 
@@ -155,59 +97,6 @@ export class FrameworkMcpServer {
155
97
  });
156
98
  }
157
99
 
158
- private async validateVendorMapping(args: any) {
159
- const { vendor_name = 'Unknown Vendor', safeguard_id, claimed_capability, supporting_text } = args;
160
-
161
- // Input validation
162
- this.validateTextInput(supporting_text, 'Supporting text');
163
- this.validateCapability(claimed_capability);
164
- this.safeguardManager.validateSafeguardId(safeguard_id);
165
-
166
- const safeguard = this.safeguardManager.getSafeguardDetails(safeguard_id);
167
- if (!safeguard) {
168
- throw new Error(`Safeguard ${safeguard_id} not found`);
169
- }
170
-
171
- const validation = this.capabilityAnalyzer.validateVendorMapping(
172
- vendor_name,
173
- safeguard_id,
174
- claimed_capability,
175
- supporting_text,
176
- safeguard
177
- );
178
-
179
- return {
180
- content: [
181
- {
182
- type: 'text',
183
- text: JSON.stringify(validation, null, 2),
184
- },
185
- ],
186
- };
187
- }
188
-
189
- private async analyzeVendorResponse(args: any) {
190
- const { vendor_name = 'Unknown Vendor', safeguard_id, response_text } = args;
191
-
192
- this.validateTextInput(response_text, 'Response text');
193
- this.safeguardManager.validateSafeguardId(safeguard_id);
194
-
195
- const safeguard = this.safeguardManager.getSafeguardDetails(safeguard_id);
196
- if (!safeguard) {
197
- throw new Error(`Safeguard ${safeguard_id} not found`);
198
- }
199
-
200
- const analysis = this.capabilityAnalyzer.performCapabilityAnalysis(vendor_name, safeguard, response_text);
201
-
202
- return {
203
- content: [
204
- {
205
- type: 'text',
206
- text: JSON.stringify(analysis, null, 2),
207
- },
208
- ],
209
- };
210
- }
211
100
 
212
101
  private async getSafeguardDetails(args: any) {
213
102
  const { safeguard_id, include_examples = false } = args;
@@ -240,35 +129,13 @@ export class FrameworkMcpServer {
240
129
  safeguards,
241
130
  total: safeguards.length,
242
131
  framework: 'CIS Controls v8.1',
243
- version: '1.3.4'
132
+ version: '1.4.0'
244
133
  }, null, 2),
245
134
  },
246
135
  ],
247
136
  };
248
137
  }
249
138
 
250
- private validateTextInput(text: string, fieldName: string): void {
251
- if (typeof text !== 'string') {
252
- throw new Error(`${fieldName} must be a string`);
253
- }
254
-
255
- if (text.length < 10) {
256
- throw new Error(`${fieldName} must be at least 10 characters long`);
257
- }
258
-
259
- if (text.length > 10000) {
260
- throw new Error(`${fieldName} must be less than 10,000 characters`);
261
- }
262
- }
263
-
264
- private validateCapability(capability: string): void {
265
- const validCapabilities = ['full', 'partial', 'facilitates', 'governance', 'validates'];
266
-
267
- if (!validCapabilities.includes(capability.toLowerCase())) {
268
- throw new Error(`Invalid capability '${capability}'. Valid options: ${validCapabilities.join(', ')}`);
269
- }
270
- }
271
-
272
139
  private formatErrorMessage(error: unknown, toolName: string): string {
273
140
  if (error instanceof Error) {
274
141
  // Provide helpful guidance for common errors
@@ -276,14 +143,6 @@ export class FrameworkMcpServer {
276
143
  return `${error.message}. Use list_available_safeguards to see all available options.`;
277
144
  }
278
145
 
279
- if (error.message.includes('Invalid capability')) {
280
- return `${error.message}. Capability roles determine what function the vendor tool plays in safeguard implementation.`;
281
- }
282
-
283
- if (error.message.includes('characters')) {
284
- return `${error.message}. Ensure your input text is substantive enough for analysis.`;
285
- }
286
-
287
146
  return error.message;
288
147
  }
289
148
 
@@ -294,8 +153,8 @@ export class FrameworkMcpServer {
294
153
  const transport = new StdioServerTransport();
295
154
  await this.server.connect(transport);
296
155
 
297
- console.error('🤖 Framework MCP Server v1.3.4 running via stdio');
298
- console.error('📊 Capability assessment with domain validation enabled');
156
+ console.error('🤖 Framework MCP Server v1.4.0 running via stdio');
157
+ console.error('📊 Pure Data Provider for CIS Controls v8.1');
299
158
  }
300
159
  }
301
160
 
@@ -38,31 +38,6 @@ export interface VendorAnalysis {
38
38
  recommendedUse: string; // How practitioners should use this tool
39
39
  }
40
40
 
41
- export interface DomainValidationResult {
42
- vendor: string;
43
- safeguard_id: string;
44
- safeguard_title: string;
45
- claimed_capability: string;
46
- validation_status: 'SUPPORTED' | 'QUESTIONABLE' | 'UNSUPPORTED';
47
- confidence_score: number;
48
- evidence_analysis: {
49
- core_requirements_coverage: number;
50
- sub_elements_coverage: number;
51
- governance_alignment: number;
52
- language_consistency: number;
53
- };
54
- domain_validation: {
55
- required_tool_type: string;
56
- detected_tool_type: string;
57
- domain_match: boolean;
58
- capability_adjusted: boolean;
59
- original_claim?: string;
60
- };
61
- gaps_identified: string[];
62
- strengths_identified: string[];
63
- recommendations: string[];
64
- detailed_feedback: string;
65
- }
66
41
 
67
42
  export interface PerformanceMetrics {
68
43
  uptime: number;
@@ -87,18 +62,3 @@ export interface QualityAssessment {
87
62
 
88
63
  export type CapabilityType = 'full' | 'partial' | 'facilitates' | 'governance' | 'validates';
89
64
 
90
- // Domain-specific validation mapping
91
- export interface DomainRequirement {
92
- domain: string;
93
- required_tool_types: string[];
94
- description: string;
95
- }
96
-
97
- // Tool type detection weights
98
- export interface ToolTypeWeights {
99
- [toolType: string]: {
100
- keywords: string[];
101
- baseWeight: number;
102
- contextBonuses: string[];
103
- };
104
- }