framework-mcp 1.3.7 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/COPILOT_INTEGRATION.md +49 -62
  2. package/DEPLOYMENT_GUIDE.md +46 -47
  3. package/MCP_INTEGRATION_GUIDE.md +96 -129
  4. package/MIGRATION_GUIDE_v1.4.0.md +190 -0
  5. package/README.md +148 -173
  6. package/RELEASE_NOTES_v1.4.0.md +178 -0
  7. package/dist/core/safeguard-manager.d.ts.map +1 -1
  8. package/dist/core/safeguard-manager.js +2271 -153
  9. package/dist/core/safeguard-manager.js.map +1 -1
  10. package/dist/index.d.ts +0 -1
  11. package/dist/index.d.ts.map +1 -1
  12. package/dist/index.js +1 -2
  13. package/dist/index.js.map +1 -1
  14. package/dist/interfaces/http/http-server.d.ts +0 -4
  15. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  16. package/dist/interfaces/http/http-server.js +6 -85
  17. package/dist/interfaces/http/http-server.js.map +1 -1
  18. package/dist/interfaces/mcp/mcp-server.d.ts +0 -4
  19. package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
  20. package/dist/interfaces/mcp/mcp-server.js +4 -71
  21. package/dist/interfaces/mcp/mcp-server.js.map +1 -1
  22. package/dist/shared/types.d.ts +7 -0
  23. package/dist/shared/types.d.ts.map +1 -1
  24. package/examples/llm-analysis-patterns.md +553 -0
  25. package/package.json +2 -2
  26. package/scripts/validate-documentation.sh +4 -4
  27. package/src/core/safeguard-manager.ts +2271 -153
  28. package/src/index.ts +1 -2
  29. package/src/interfaces/http/http-server.ts +6 -101
  30. package/src/interfaces/mcp/mcp-server.ts +4 -85
  31. package/src/shared/types.ts +7 -0
  32. package/swagger.json +43 -168
  33. package/dist/core/capability-analyzer.d.ts +0 -23
  34. package/dist/core/capability-analyzer.d.ts.map +0 -1
  35. package/dist/core/capability-analyzer.js +0 -333
  36. package/dist/core/capability-analyzer.js.map +0 -1
  37. package/src/core/capability-analyzer.ts +0 -417
@@ -1,10 +1,10 @@
1
1
  # Microsoft Copilot Integration Guide
2
2
 
3
- This guide provides step-by-step instructions for integrating Framework MCP with Microsoft Copilot using custom connectors.
3
+ This guide provides step-by-step instructions for integrating Framework MCP v1.4.0's Pure Data Provider architecture with Microsoft Copilot using custom connectors.
4
4
 
5
5
  ## Overview
6
6
 
7
- Framework MCP provides a dual-architecture solution that enables both Model Context Protocol (MCP) integration with Claude Code and HTTP API integration with Microsoft Copilot. This allows security professionals to access CIS Controls capability assessment through their preferred AI platform.
7
+ Framework MCP v1.4.0 provides a **Pure Data Provider architecture** with dual interfaces enabling both Model Context Protocol (MCP) integration with Claude Code and HTTP API integration with Microsoft Copilot. This empowers security professionals to access authoritative CIS Controls data through their preferred AI platform for sophisticated, LLM-driven vendor capability analysis.
8
8
 
9
9
  ## Prerequisites
10
10
 
@@ -52,7 +52,7 @@ Expected response:
52
52
  "uptime": 1234,
53
53
  "totalRequests": 0,
54
54
  "errorCount": 0,
55
- "version": "1.3.7",
55
+ "version": "1.4.0",
56
56
  "timestamp": "2025-08-21T01:00:00.000Z"
57
57
  }
58
58
  ```
@@ -74,8 +74,8 @@ Expected response:
74
74
  - Click **Continue**
75
75
 
76
76
  4. **Configure Connector Details**
77
- - **Name**: Framework MCP - CIS Controls Capability Assessment
78
- - **Description**: Validate vendor capability claims against CIS Controls Framework
77
+ - **Name**: Framework MCP - Pure Data Provider
78
+ - **Description**: Authoritative CIS Controls Framework data for LLM-driven analysis
79
79
  - **Host**: Update to your deployed API URL (e.g., `your-app.ondigitalocean.app`)
80
80
  - **Base URL**: `/`
81
81
 
@@ -109,89 +109,72 @@ Expected response:
109
109
  - Select **Custom connector**
110
110
  - Choose your Framework MCP connector
111
111
 
112
- ## Custom Actions Configuration
112
+ ## Data Actions Configuration
113
113
 
114
- ### Primary Action: Validate Vendor Capability
114
+ ### Primary Action: Get Safeguard Details
115
115
 
116
- Configure this action for evidence-based validation:
116
+ Configure this action for detailed CIS safeguard information:
117
117
 
118
118
  **Action Details:**
119
- - **Name**: Validate Vendor Capability Mapping
120
- - **Description**: Validate vendor capability claims against CIS Controls with domain validation and auto-downgrade protection
119
+ - **Name**: Get CIS Safeguard Details
120
+ - **Description**: Retrieve detailed CIS Controls safeguard breakdown for LLM analysis
121
121
  - **Connector**: Framework MCP Custom Connector
122
- - **Operation**: `validateVendorMapping`
122
+ - **Operation**: `getSafeguardDetails`
123
123
 
124
124
  **Parameters:**
125
- - **vendor_name** (Required): Name of the vendor/tool being analyzed
126
- - **safeguard_id** (Required): CIS safeguard ID (e.g., "1.1", "5.1", "12.8")
127
- - **claimed_capability** (Required): Capability role (full, partial, facilitates, governance, validates)
128
- - **supporting_text** (Required): Vendor response supporting their capability claim
125
+ - **safeguardId** (Required): CIS safeguard ID (e.g., "1.1", "5.1", "12.8")
126
+ - **include_examples** (Optional): Include implementation examples (true/false)
129
127
 
130
128
  **Sample Input:**
131
129
  ```json
132
130
  {
133
- "vendor_name": "CrowdStrike Falcon",
134
- "safeguard_id": "1.1",
135
- "claimed_capability": "full",
136
- "supporting_text": "Our platform provides comprehensive enterprise asset inventory with real-time discovery, automated classification, and continuous monitoring of all hardware and software assets across the organization."
131
+ "safeguardId": "5.1",
132
+ "include_examples": true
137
133
  }
138
134
  ```
139
135
 
140
- ### Secondary Action: Analyze Vendor Response
136
+ ### Secondary Action: List All Safeguards
141
137
 
142
- Configure this action for capability determination:
138
+ Configure this action for safeguard discovery:
143
139
 
144
140
  **Action Details:**
145
- - **Name**: Analyze Vendor Response
146
- - **Description**: Determine appropriate capability role for vendor response text
141
+ - **Name**: List CIS Safeguards
142
+ - **Description**: Get complete list of available CIS Controls safeguards
147
143
  - **Connector**: Framework MCP Custom Connector
148
- - **Operation**: `analyzeVendorResponse`
149
-
150
- **Parameters:**
151
- - **vendor_name** (Required): Name of the vendor
152
- - **safeguard_id** (Required): CIS safeguard ID
153
- - **response_text** (Required): Vendor response text to analyze
154
-
155
- ### Additional Actions: Safeguard Information
156
-
157
- **Get Safeguard Details:**
158
- - **Operation**: `getSafeguardDetails`
159
- - **Parameters**: safeguard_id, include_examples (optional)
144
+ - **Operation**: `listSafeguards`
160
145
 
161
- **List Available Safeguards:**
162
- - **Operation**: `listAvailableSafeguards`
163
- - **Parameters**: None
146
+ **No Parameters Required**
164
147
 
165
148
  ## Example User Interactions
166
149
 
167
- Once configured, users can interact with your Copilot using natural language:
150
+ Once configured, users can interact with your Copilot using natural language for LLM-driven analysis:
168
151
 
169
- ### Capability Validation Examples
152
+ ### LLM-Driven Capability Assessment
170
153
 
171
154
  ```
172
- "Validate this vendor capability: Microsoft Defender for Endpoint claims FULL coverage for safeguard 1.1. Their response: 'Microsoft Defender provides comprehensive asset discovery, detailed hardware and software inventory, and real-time asset status monitoring across all enterprise endpoints.'"
155
+ "Get details for safeguard 1.1, then analyze Microsoft Defender for Endpoint's capability: 'Microsoft Defender provides comprehensive asset discovery, detailed hardware and software inventory, and real-time asset status monitoring across all enterprise endpoints.' Determine appropriate capability role and provide confidence assessment."
173
156
 
174
- "Check if CrowdStrike Falcon can provide PARTIAL coverage for safeguard 5.1 based on this: 'We offer centralized identity integration with detailed user account tracking and automated access reviews.'"
157
+ "Retrieve safeguard 5.1 requirements and assess CrowdStrike Falcon: 'We offer centralized identity integration with detailed user account tracking and automated access reviews.' Consider enterprise environment and provide implementation recommendations."
175
158
 
176
- "Validate this FACILITATES claim: Qualys VMDR for safeguard 1.1 - 'Our vulnerability scanner enhances existing asset management by providing additional device discovery and detailed software inventory during security assessments.'"
159
+ "Get safeguard 6.3 details. For a financial services organization with strict compliance requirements, analyze Okta's MFA solution: 'We provide comprehensive multi-factor authentication for all external applications with adaptive authentication policies, risk-based assessments, and SSO integration.'"
177
160
  ```
178
161
 
179
- ### Response Analysis Examples
162
+ ### Comparative Analysis Examples
180
163
 
181
164
  ```
182
- "Analyze this vendor response for safeguard 6.3: Okta - 'We provide comprehensive multi-factor authentication for all external applications with adaptive authentication policies, risk-based assessments, and SSO integration.'"
165
+ "Get safeguard 7.1 details and compare these vulnerability management solutions: 1) Rapid7 InsightVM: 'Continuous vulnerability scanning with automated remediation guidance' 2) Qualys VMDR: 'Cloud-based vulnerability scanning with patch prioritization' 3) Tenable Nessus: 'Comprehensive vulnerability assessment with compliance reporting'. Rank by implementation completeness."
183
166
 
184
- "What capability role should we assign to this response for safeguard 7.1: Rapid7 InsightVM - 'Our platform performs continuous vulnerability scanning, provides automated remediation guidance, and tracks patch deployment across the infrastructure.'"
167
+ "Retrieve details for safeguards 13.1, 13.3, and 13.6. Analyze how SentinelOne addresses these network monitoring requirements and identify any coverage gaps."
185
168
  ```
186
169
 
187
- ### Information Requests
170
+ ### Data Discovery Requests
188
171
 
189
172
  ```
190
- "What are the requirements for CIS safeguard 1.1?"
173
+ "Show me all available CIS safeguards related to identity and access management."
191
174
 
192
- "Show me all available CIS safeguards in the inventory domain."
175
+ "Get detailed breakdown of safeguard 11.1 including all sub-elements and governance requirements."
193
176
 
194
- "What's the difference between FULL and PARTIAL capability roles?"
177
+ "List all Implementation Group 1 (IG1) safeguards for a small business security assessment."
195
178
  ```
196
179
 
197
180
  ## Advanced Configuration
@@ -201,20 +184,24 @@ Once configured, users can interact with your Copilot using natural language:
201
184
  Add these instructions to your Copilot's system message:
202
185
 
203
186
  ```
204
- You are a CIS Controls capability assessment expert. You help security professionals evaluate vendor tool capabilities against specific CIS Control safeguards.
187
+ You are a CIS Controls expert powered by Framework MCP's Pure Data Provider architecture. You help security professionals perform sophisticated vendor capability analysis using authoritative CIS Controls data.
205
188
 
206
189
  Key Principles:
207
- 1. Use validate_vendor_mapping for evidence-based validation of capability claims
208
- 2. Use analyze_vendor_response when the capability role is unknown
209
- 3. Always explain the 5 capability roles: FULL, PARTIAL, FACILITATES, GOVERNANCE, VALIDATES
210
- 4. Highlight domain validation results and auto-downgrade protection
211
- 5. Provide actionable recommendations for capability improvements
212
-
213
- When users provide vendor responses:
214
- 1. Ask for the specific CIS safeguard ID if not provided
215
- 2. Determine if they want validation (they have a claimed capability) or analysis (no claimed capability)
216
- 3. Use the appropriate action and explain the results in plain language
217
- 4. Highlight any domain mismatches or auto-downgrades that occurred
190
+ 1. Always retrieve detailed safeguard data using get_safeguard_details before analysis
191
+ 2. Apply context-aware analysis considering industry, risk profile, and organizational needs
192
+ 3. Explain the 5 capability roles: FULL, PARTIAL, FACILITATES, GOVERNANCE, VALIDATES
193
+ 4. Provide transparent reasoning with evidence-based assessments
194
+ 5. Offer implementation recommendations and deployment guidance
195
+
196
+ Analysis Approach:
197
+ 1. Get safeguard requirements using the data actions
198
+ 2. Analyze vendor capabilities against detailed CIS requirements
199
+ 3. Consider organizational context (industry, size, risk tolerance)
200
+ 4. Provide capability role determination with confidence assessment
201
+ 5. Include implementation recommendations and integration considerations
202
+ 6. For comparative analysis, rank vendors and explain reasoning
203
+
204
+ Flexibility: Adapt analysis methodology based on user needs - strict compliance, risk-based assessment, technology integration, or custom evaluation criteria.
218
205
  ```
219
206
 
220
207
  ### Environment Variables
@@ -1,11 +1,11 @@
1
1
  # Framework MCP Deployment Guide
2
2
 
3
- ## Dual Architecture: MCP + HTTP API
3
+ ## Pure Data Provider Architecture: MCP + HTTP API
4
4
 
5
- Framework MCP v1.3.7 features a **dual architecture** that solves the DigitalOcean App Services stdio vs HTTP mismatch:
5
+ Framework MCP v1.4.0 features a **Pure Data Provider architecture** with dual interfaces for maximum flexibility:
6
6
 
7
- - **MCP Interface**: stdio-based for Claude Code integration
8
- - **HTTP Interface**: REST API for cloud deployment
7
+ - **MCP Interface**: stdio-based for Claude Code integration with LLM-driven analysis
8
+ - **HTTP Interface**: REST API for cloud deployment and Microsoft Copilot integration
9
9
 
10
10
  ---
11
11
 
@@ -146,38 +146,20 @@ GET /health
146
146
  # Returns server status and metrics
147
147
  ```
148
148
 
149
- ### Primary Validation
149
+ ### Data Endpoints (Pure Provider Architecture)
150
150
  ```bash
151
- POST /api/validate-vendor-mapping
152
- {
153
- "vendor_name": "AssetMax Pro",
154
- "safeguard_id": "1.1",
155
- "claimed_capability": "full",
156
- "supporting_text": "Comprehensive asset management..."
157
- }
151
+ GET /api/safeguards # List all 153 CIS safeguards
152
+ GET /api/safeguards/1.1 # Get detailed safeguard breakdown
153
+ GET /api/safeguards/1.1?include_examples=true # Include implementation examples
158
154
  ```
159
155
 
160
- ### Capability Analysis
161
- ```bash
162
- POST /api/analyze-vendor-response
163
- {
164
- "vendor_name": "VendorName",
165
- "safeguard_id": "5.1",
166
- "response_text": "Our identity management solution..."
167
- }
168
- ```
169
-
170
- ### Safeguards
156
+ ### Monitoring
171
157
  ```bash
172
- GET /api/safeguards # List all safeguards
173
- GET /api/safeguards/1.1 # Get safeguard details
174
- GET /api/safeguards/1.1?include_examples=true
158
+ GET /api/metrics # Performance metrics and statistics
159
+ GET /api # API documentation and capabilities
175
160
  ```
176
161
 
177
- ### Performance
178
- ```bash
179
- GET /api/metrics # Performance metrics
180
- ```
162
+ **LLM-Driven Analysis**: The Pure Data Provider architecture supplies authoritative CIS data while LLMs perform sophisticated vendor capability analysis with unlimited flexibility.
181
163
 
182
164
  ---
183
165
 
@@ -185,45 +167,62 @@ GET /api/metrics # Performance metrics
185
167
 
186
168
  ### HTTP Interface Advantages
187
169
  - ✅ **DigitalOcean Compatible**: Uses HTTP instead of stdio
188
- - ✅ **REST API**: Standard HTTP endpoints
170
+ - ✅ **REST API**: Standard HTTP endpoints for data access
189
171
  - ✅ **Health Checks**: Platform monitoring support
190
172
  - ✅ **CORS Enabled**: Web application integration
191
173
  - ✅ **Production Ready**: Error handling, security, compression
174
+ - ✅ **Microsoft Copilot**: Custom connector compatibility
192
175
 
193
176
  ### MCP Interface Advantages
194
177
  - ✅ **Claude Code Integration**: Native stdio communication
195
178
  - ✅ **Tool Discovery**: Automatic tool registration
196
179
  - ✅ **Type Safety**: Full MCP schema validation
197
- - ✅ **Rich Responses**: Structured tool responses
180
+ - ✅ **LLM-Driven Analysis**: Direct access to safeguards data for intelligent analysis
198
181
 
199
- ### Shared Core Benefits
200
- - ✅ **Identical Functionality**: Both interfaces use same logic
201
- - ✅ **Content Analysis**: Comprehensive capability assessment in both
202
- - ✅ **Performance**: 95% cache optimization in both
203
- - ✅ **Consistency**: Same capability assessment results
182
+ ### Pure Data Provider Benefits
183
+ - ✅ **Clean Architecture**: Simple data provision without analysis complexity
184
+ - ✅ **LLM Flexibility**: Unlimited analysis approaches and methodologies
185
+ - ✅ **Performance Optimized**: Fast data retrieval for real-time analysis
186
+ - ✅ **Context-Aware**: LLMs can apply industry, risk, and organizational context
187
+ - ✅ **Transparent Reasoning**: Full visibility into analysis logic and evidence
204
188
 
205
189
  ---
206
190
 
207
191
  ## Migration Guide
208
192
 
209
- ### From MCP-Only to Dual Architecture
193
+ ### Migrating to Pure Data Provider v1.4.0
210
194
 
211
- 1. **No Breaking Changes**: Existing MCP integrations continue working
212
- 2. **New HTTP Option**: Add cloud deployment capability
213
- 3. **Gradual Adoption**: Choose interface based on use case
195
+ 1. **Simplified Architecture**: Analysis logic moved to LLM capability
196
+ 2. **Enhanced Flexibility**: Unlimited analysis approaches and methodologies
197
+ 3. **Maintained Compatibility**: Both interfaces continue providing data access
198
+ 4. **Improved Performance**: Optimized for fast data retrieval
214
199
 
215
200
  ### Use Case Guidelines
216
201
 
217
202
  **Use MCP Interface When:**
218
- - Integrating with Claude Code
203
+ - Integrating with Claude Code for LLM-driven analysis
219
204
  - Local development and testing
220
- - Tool-based LLM interactions
205
+ - Direct tool-based interactions with LLMs
221
206
 
222
207
  **Use HTTP Interface When:**
223
- - Cloud deployment required
224
- - Web application integration
225
- - API-based access needed
226
- - DigitalOcean App Services deployment
208
+ - Cloud deployment required (DigitalOcean, Railway, Render)
209
+ - Microsoft Copilot custom connector integration
210
+ - Web application or API-based access needed
211
+ - Distributed team access to CIS Controls data
212
+
213
+ ### Analysis Pattern Migration
214
+
215
+ **Old Approach (v1.3.7):**
216
+ ```bash
217
+ POST /api/analyze-vendor-response
218
+ # Hardcoded analysis with fixed validation rules
219
+ ```
220
+
221
+ **New Approach (v1.4.0):**
222
+ ```bash
223
+ GET /api/safeguards/5.1
224
+ # Get authoritative data, then use LLM for sophisticated analysis
225
+ ```
227
226
 
228
227
  ---
229
228