framework-mcp 1.3.7 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/COPILOT_INTEGRATION.md +49 -62
- package/DEPLOYMENT_GUIDE.md +46 -47
- package/MCP_INTEGRATION_GUIDE.md +96 -129
- package/MIGRATION_GUIDE_v1.4.0.md +190 -0
- package/README.md +148 -173
- package/RELEASE_NOTES_v1.4.0.md +178 -0
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +2271 -153
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/index.d.ts +0 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -2
- package/dist/index.js.map +1 -1
- package/dist/interfaces/http/http-server.d.ts +0 -4
- package/dist/interfaces/http/http-server.d.ts.map +1 -1
- package/dist/interfaces/http/http-server.js +6 -85
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.d.ts +0 -4
- package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +4 -71
- package/dist/interfaces/mcp/mcp-server.js.map +1 -1
- package/dist/shared/types.d.ts +7 -0
- package/dist/shared/types.d.ts.map +1 -1
- package/examples/llm-analysis-patterns.md +553 -0
- package/package.json +2 -2
- package/scripts/validate-documentation.sh +4 -4
- package/src/core/safeguard-manager.ts +2271 -153
- package/src/index.ts +1 -2
- package/src/interfaces/http/http-server.ts +6 -101
- package/src/interfaces/mcp/mcp-server.ts +4 -85
- package/src/shared/types.ts +7 -0
- package/swagger.json +43 -168
- package/dist/core/capability-analyzer.d.ts +0 -23
- package/dist/core/capability-analyzer.d.ts.map +0 -1
- package/dist/core/capability-analyzer.js +0 -333
- package/dist/core/capability-analyzer.js.map +0 -1
- package/src/core/capability-analyzer.ts +0 -417
package/README.md
CHANGED
|
@@ -5,25 +5,25 @@
|
|
|
5
5
|
[](https://github.com/therealcybermattlee/FrameworkMCP)
|
|
6
6
|
[](https://cyberrise.org)
|
|
7
7
|
|
|
8
|
-
A Model Context Protocol (MCP) server
|
|
8
|
+
A Model Context Protocol (MCP) server providing **authoritative CIS Controls Framework data** to empower LLMs with sophisticated, context-aware vendor capability analysis. This Pure Data Provider architecture enables security professionals to perform flexible, intelligent assessment of vendor tool capabilities against specific CIS Control safeguards.
|
|
9
9
|
|
|
10
10
|
## 🎯 Purpose
|
|
11
11
|
|
|
12
|
-
This MCP server
|
|
13
|
-
- **
|
|
14
|
-
- **
|
|
15
|
-
- **
|
|
16
|
-
- **
|
|
12
|
+
This MCP server empowers security teams to:
|
|
13
|
+
- **Access authoritative CIS Controls data** for all 153 safeguards across 18 controls
|
|
14
|
+
- **Leverage LLM intelligence** for sophisticated, context-aware vendor capability analysis
|
|
15
|
+
- **Perform flexible assessment** across 5 capability types: Full, Partial, Facilitates, Governance, and Validates
|
|
16
|
+
- **Apply custom analysis methodologies** with complete transparency and reasoning
|
|
17
17
|
|
|
18
18
|
## 🎯 The 5 Capability Roles
|
|
19
19
|
|
|
20
|
-
| Capability Role | Description |
|
|
21
|
-
|
|
22
|
-
| **FULL** | Complete implementation of safeguard requirements |
|
|
23
|
-
| **PARTIAL** | Limited scope implementation with clear boundaries |
|
|
24
|
-
| **FACILITATES** | Enhancement capabilities that enable others to implement safeguards better/faster/stronger |
|
|
25
|
-
| **GOVERNANCE** | Policy/process management and oversight capabilities |
|
|
26
|
-
| **VALIDATES** | Verification capabilities providing evidence and reporting |
|
|
20
|
+
| Capability Role | Description | LLM Analysis Approach |
|
|
21
|
+
|-----------------|-------------|----------------------|
|
|
22
|
+
| **FULL** | Complete implementation of safeguard requirements | LLMs assess comprehensive coverage against detailed safeguard data |
|
|
23
|
+
| **PARTIAL** | Limited scope implementation with clear boundaries | LLMs identify scope limitations and coverage gaps |
|
|
24
|
+
| **FACILITATES** | Enhancement capabilities that enable others to implement safeguards better/faster/stronger | LLMs recognize facilitation patterns and indirect support capabilities |
|
|
25
|
+
| **GOVERNANCE** | Policy/process management and oversight capabilities | LLMs evaluate governance elements and process management features |
|
|
26
|
+
| **VALIDATES** | Verification capabilities providing evidence and reporting | LLMs assess audit, monitoring, and reporting capabilities |
|
|
27
27
|
|
|
28
28
|
## 🎨 CIS Controls Framework Integration
|
|
29
29
|
|
|
@@ -177,27 +177,27 @@ curl -X POST https://your-api-url.com/api/validate-vendor-mapping \
|
|
|
177
177
|
-d '{"vendor_name":"Test Vendor","safeguard_id":"1.1","claimed_capability":"facilitates","supporting_text":"We provide supplemental asset tracking capabilities that enhance existing inventory systems."}'
|
|
178
178
|
```
|
|
179
179
|
|
|
180
|
-
## 📋
|
|
180
|
+
## 📋 LLM-Driven Analysis Examples
|
|
181
181
|
|
|
182
|
-
###
|
|
182
|
+
### Basic Vendor Capability Assessment
|
|
183
183
|
|
|
184
184
|
```bash
|
|
185
|
-
claude-code "
|
|
186
|
-
Vendor: SecureIAM Corp
|
|
187
|
-
Response: 'Our tool is a full identity provider with comprehensive account management. We maintain detailed user inventories including names, usernames, departments, and access rights. Automated quarterly reviews ensure all accounts are authorized and compliant.'"
|
|
185
|
+
claude-code "Get safeguard details for 5.1, then analyze this vendor response: SecureIAM Corp - 'Our tool is a full identity provider with comprehensive account management. We maintain detailed user inventories including names, usernames, departments, and access rights. Automated quarterly reviews ensure all accounts are authorized and compliant.' Determine appropriate capability role and provide confidence assessment."
|
|
188
186
|
```
|
|
189
187
|
|
|
190
|
-
###
|
|
188
|
+
### Context-Aware Analysis
|
|
191
189
|
|
|
192
190
|
```bash
|
|
193
|
-
claude-code "
|
|
194
|
-
Vendor: ComplianceBot
|
|
195
|
-
Safeguard: 5.1
|
|
196
|
-
Claimed Capability: FULL
|
|
197
|
-
Response: 'We provide automated account lifecycle management with real-time inventory tracking and compliance reporting.'"
|
|
191
|
+
claude-code "Get safeguard 8.2 details. For a high-risk financial services environment, analyze this logging solution: 'We collect endpoint telemetry and forward logs to SIEM platforms.' Consider regulatory requirements (SOX, PCI-DSS) and determine capability role with implementation recommendations."
|
|
198
192
|
```
|
|
199
193
|
|
|
200
|
-
###
|
|
194
|
+
### Multi-Vendor Comparative Analysis
|
|
195
|
+
|
|
196
|
+
```bash
|
|
197
|
+
claude-code "Get safeguard 1.1 details. Compare these asset management solutions and rank by implementation completeness for a 500-employee company: 1) Lansweeper: 'Complete network discovery and automated inventory' 2) ServiceNow: 'CMDB with manual asset entry workflows' 3) Microsoft Intune: 'Managed device tracking with Azure AD integration'. Provide deployment complexity assessment."
|
|
198
|
+
```
|
|
199
|
+
|
|
200
|
+
### Bulk Analysis from File
|
|
201
201
|
|
|
202
202
|
Create `vendors.csv`:
|
|
203
203
|
```csv
|
|
@@ -208,130 +208,114 @@ VendorC,6.3,"MFA enforcement for all external applications with SSO integration"
|
|
|
208
208
|
```
|
|
209
209
|
|
|
210
210
|
```bash
|
|
211
|
-
claude-code "
|
|
211
|
+
claude-code "Get details for safeguards referenced in vendors.csv. Analyze each vendor response, determine capability roles, and provide implementation roadmap recommendations based on organizational gaps."
|
|
212
212
|
```
|
|
213
213
|
|
|
214
|
-
###
|
|
214
|
+
### Claim Validation Assessment
|
|
215
215
|
|
|
216
216
|
```bash
|
|
217
|
-
claude-code "
|
|
217
|
+
claude-code "Get safeguard 12.4 details. This vendor claims FULL capability for network boundary monitoring: 'We monitor all network traffic, identify unauthorized devices, and generate real-time alerts.' Validate this claim against the specific safeguard requirements and provide evidence-based assessment."
|
|
218
218
|
```
|
|
219
219
|
|
|
220
|
-
###
|
|
221
|
-
|
|
222
|
-
**PRIMARY TOOL**: Validate whether a vendor's stated capability mapping is actually supported by their explanatory text.
|
|
220
|
+
### Risk-Based Analysis
|
|
223
221
|
|
|
224
222
|
```bash
|
|
225
|
-
claude-code "
|
|
223
|
+
claude-code "Get safeguard 11.1 details. For a healthcare organization with HIPAA requirements, assess Veeam Backup's capability: 'Automated daily backups with 99.9% recovery success rate and quarterly recovery testing.' Focus on governance and validation aspects."
|
|
226
224
|
```
|
|
227
225
|
|
|
228
|
-
## 📊 Sample
|
|
226
|
+
## 📊 Sample LLM Analysis Patterns
|
|
229
227
|
|
|
230
|
-
###
|
|
231
|
-
```json
|
|
232
|
-
{
|
|
233
|
-
"vendor": "SecureIAM Corp",
|
|
234
|
-
"safeguardId": "5.1",
|
|
235
|
-
"safeguardTitle": "Establish and Maintain an Inventory of Accounts",
|
|
236
|
-
"capabilityRole": "full",
|
|
237
|
-
"additionalRoles": ["governance", "validates"],
|
|
238
|
-
"confidence": 87,
|
|
239
|
-
"contentAnalysis": {
|
|
240
|
-
"implementationLanguage": "strong",
|
|
241
|
-
"scopeDefinition": "comprehensive",
|
|
242
|
-
"evidenceQuality": "high"
|
|
243
|
-
},
|
|
244
|
-
"evidenceAnalysis": {
|
|
245
|
-
"coreRequirements": 85,
|
|
246
|
-
"subElements": 75,
|
|
247
|
-
"governance": 90,
|
|
248
|
-
"languageConsistency": 88
|
|
249
|
-
},
|
|
250
|
-
"evidence": [
|
|
251
|
-
"comprehensive account management",
|
|
252
|
-
"detailed user inventories",
|
|
253
|
-
"automated quarterly reviews"
|
|
254
|
-
]
|
|
255
|
-
}
|
|
228
|
+
### Context-Aware Assessment Response
|
|
256
229
|
```
|
|
230
|
+
ASSESSMENT: SecureIAM Corp - Safeguard 5.1 Analysis
|
|
257
231
|
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
"Comprehensive coverage with clear implementation details"
|
|
284
|
-
],
|
|
285
|
-
"recommendations": [],
|
|
286
|
-
"detailed_feedback": "Validation of FULL capability claim: SUPPORTED (85% alignment)\n\nSTRENGTHS:\n• High coverage of core requirements and sub-elements\n• Strong implementation language consistency\n• Comprehensive coverage with clear implementation details\n\nASSESSMENT: The vendor's supporting evidence strongly aligns with their claimed capability."
|
|
287
|
-
}
|
|
232
|
+
CAPABILITY DETERMINATION: FULL + GOVERNANCE + VALIDATES
|
|
233
|
+
CONFIDENCE: 87%
|
|
234
|
+
|
|
235
|
+
ANALYSIS:
|
|
236
|
+
Based on safeguard 5.1 requirements for comprehensive account inventory management:
|
|
237
|
+
|
|
238
|
+
✅ CORE REQUIREMENTS COVERAGE:
|
|
239
|
+
- Complete user inventory (names, usernames, departments)
|
|
240
|
+
- Access rights tracking and management
|
|
241
|
+
- Identity provider capabilities with centralized management
|
|
242
|
+
|
|
243
|
+
✅ GOVERNANCE ELEMENTS:
|
|
244
|
+
- Automated quarterly review processes
|
|
245
|
+
- Compliance verification workflows
|
|
246
|
+
- Policy enforcement capabilities
|
|
247
|
+
|
|
248
|
+
✅ VALIDATION CAPABILITIES:
|
|
249
|
+
- Continuous monitoring and reporting
|
|
250
|
+
- Authorization verification
|
|
251
|
+
- Compliance status tracking
|
|
252
|
+
|
|
253
|
+
EVIDENCE QUALITY: High - Specific implementation details provided
|
|
254
|
+
SCOPE DEFINITION: Comprehensive enterprise account management
|
|
255
|
+
|
|
256
|
+
RECOMMENDATION: Strong FULL capability alignment with additional governance and validation roles. Suitable for enterprise Implementation Group 2-3 deployments.
|
|
288
257
|
```
|
|
289
258
|
|
|
290
|
-
###
|
|
291
|
-
```
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
|
|
314
|
-
|
|
315
|
-
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
|
|
259
|
+
### Multi-Vendor Comparison Response
|
|
260
|
+
```
|
|
261
|
+
COMPARATIVE ANALYSIS: Asset Management Solutions for Safeguard 1.1
|
|
262
|
+
|
|
263
|
+
RANKING BY IMPLEMENTATION COMPLETENESS:
|
|
264
|
+
|
|
265
|
+
1. 🥇 LANSWEEPER (FULL + VALIDATES)
|
|
266
|
+
- Comprehensive automated discovery
|
|
267
|
+
- Network-wide asset visibility
|
|
268
|
+
- Strong for 500-employee deployment
|
|
269
|
+
- Implementation: Medium complexity
|
|
270
|
+
|
|
271
|
+
2. 🥈 MICROSOFT INTUNE (PARTIAL + GOVERNANCE)
|
|
272
|
+
- Managed device focus (limited scope)
|
|
273
|
+
- Strong Azure AD integration
|
|
274
|
+
- Governance capabilities present
|
|
275
|
+
- Implementation: Low complexity (if using Microsoft stack)
|
|
276
|
+
|
|
277
|
+
3. 🥉 SERVICENOW (FACILITATES + GOVERNANCE)
|
|
278
|
+
- CMDB foundation requires manual processes
|
|
279
|
+
- Strong workflow and governance features
|
|
280
|
+
- Facilitates comprehensive asset management
|
|
281
|
+
- Implementation: High complexity
|
|
282
|
+
|
|
283
|
+
RECOMMENDATION: Lansweeper provides best immediate coverage for IG1 requirements. Consider Intune if Microsoft-centric environment, ServiceNow for complex enterprise with mature processes.
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
### Risk-Based Healthcare Analysis
|
|
287
|
+
```
|
|
288
|
+
HIPAA-FOCUSED ANALYSIS: Veeam Backup vs Safeguard 11.1
|
|
289
|
+
|
|
290
|
+
CAPABILITY: FULL + VALIDATES
|
|
291
|
+
COMPLIANCE CONFIDENCE: 92%
|
|
292
|
+
|
|
293
|
+
HIPAA CONSIDERATIONS:
|
|
294
|
+
✅ Recovery time objectives meet healthcare uptime requirements
|
|
295
|
+
✅ Quarterly testing demonstrates due diligence
|
|
296
|
+
✅ 99.9% success rate supports business continuity
|
|
297
|
+
|
|
298
|
+
GOVERNANCE ALIGNMENT:
|
|
299
|
+
- Documented recovery procedures (required for HIPAA)
|
|
300
|
+
- Regular testing and validation processes
|
|
301
|
+
- Performance metrics and reporting
|
|
302
|
+
|
|
303
|
+
GAPS TO ADDRESS:
|
|
304
|
+
- Verify encryption at rest/in transit for PHI
|
|
305
|
+
- Confirm audit logging capabilities
|
|
306
|
+
- Validate access controls for backup systems
|
|
307
|
+
|
|
308
|
+
IMPLEMENTATION RECOMMENDATION: Strong foundation for HIPAA compliance. Supplement with documented encryption policies and access control procedures.
|
|
325
309
|
```
|
|
326
310
|
|
|
327
311
|
## 🔧 Available Tools
|
|
328
312
|
|
|
329
313
|
| Tool | Description |
|
|
330
314
|
|------|-------------|
|
|
331
|
-
| `
|
|
332
|
-
| `
|
|
333
|
-
|
|
334
|
-
|
|
315
|
+
| `get_safeguard_details` | **PRIMARY** Get detailed safeguard breakdown with structured CIS data for LLM analysis |
|
|
316
|
+
| `list_available_safeguards` | List all available CIS safeguards (153 total) for framework exploration |
|
|
317
|
+
|
|
318
|
+
**Pure Data Provider Architecture**: Framework MCP provides authoritative CIS Controls data while LLMs perform sophisticated, context-aware capability analysis with unlimited flexibility.
|
|
335
319
|
|
|
336
320
|
## 📁 File Formats Supported
|
|
337
321
|
|
|
@@ -361,57 +345,47 @@ Vendor: AnotherVendor - Safeguard: 6.3
|
|
|
361
345
|
Another response...
|
|
362
346
|
```
|
|
363
347
|
|
|
364
|
-
##
|
|
348
|
+
## 🚀 LLM-Driven Analysis Advantages
|
|
365
349
|
|
|
366
|
-
|
|
350
|
+
Framework MCP v1.4.0's **Pure Data Provider architecture** empowers LLMs to perform sophisticated vendor capability analysis with unprecedented flexibility and intelligence.
|
|
367
351
|
|
|
368
|
-
###
|
|
352
|
+
### Key Benefits Over Hardcoded Analysis
|
|
369
353
|
|
|
370
|
-
|
|
|
371
|
-
|
|
372
|
-
| **
|
|
373
|
-
| **
|
|
374
|
-
| **
|
|
375
|
-
| **
|
|
376
|
-
| **
|
|
354
|
+
| Advantage | Description | LLM Capability |
|
|
355
|
+
|-----------|-------------|----------------|
|
|
356
|
+
| **Context Awareness** | Analysis considers industry, risk profile, and organizational needs | LLMs understand sector-specific requirements and compliance frameworks |
|
|
357
|
+
| **Analytical Flexibility** | Apply custom methodologies and assessment criteria | Multiple analysis approaches: strict compliance, risk-based, comparative |
|
|
358
|
+
| **Transparent Reasoning** | Complete visibility into analysis logic and evidence evaluation | LLMs explain their reasoning and provide detailed justifications |
|
|
359
|
+
| **Adaptive Intelligence** | Dynamic assessment based on evolving requirements | LLMs can adjust analysis based on new information or changing priorities |
|
|
360
|
+
| **Natural Language** | Complex analysis requests in plain English | No need for rigid tool parameters or predefined validation rules |
|
|
377
361
|
|
|
378
|
-
###
|
|
362
|
+
### Enhanced Analysis Capabilities
|
|
379
363
|
|
|
380
|
-
**
|
|
364
|
+
**Multi-Dimensional Assessment**: LLMs can simultaneously evaluate:
|
|
365
|
+
- Technical capability alignment with safeguard requirements
|
|
366
|
+
- Deployment complexity and organizational fit
|
|
367
|
+
- Risk mitigation effectiveness and compliance coverage
|
|
368
|
+
- Integration potential with existing technology stacks
|
|
369
|
+
- Cost-benefit analysis and implementation roadmaps
|
|
381
370
|
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
| **Language Consistency** | Alignment between claim and evidence | Consistency between stated capability and supporting text |
|
|
371
|
+
**Advanced Analysis Patterns**:
|
|
372
|
+
- **Comparative Vendor Evaluation**: Rank multiple solutions against specific criteria
|
|
373
|
+
- **Gap Analysis**: Identify coverage gaps and recommend complementary tools
|
|
374
|
+
- **Risk-Based Assessment**: Prioritize capability importance based on threat landscape
|
|
375
|
+
- **Compliance Mapping**: Align vendor capabilities with regulatory requirements
|
|
376
|
+
- **Implementation Planning**: Generate deployment strategies and success metrics
|
|
389
377
|
|
|
390
|
-
|
|
391
|
-
- **Strong Evidence**: Detailed implementation specifics with comprehensive coverage
|
|
392
|
-
- **Moderate Evidence**: Good coverage with some gaps or general language
|
|
393
|
-
- **Weak Evidence**: Limited specifics or scope, vague implementation details
|
|
394
|
-
|
|
395
|
-
### Validation Statuses
|
|
396
|
-
|
|
397
|
-
- **SUPPORTED** (70-100%): Evidence strongly supports the claimed capability
|
|
398
|
-
- **QUESTIONABLE** (40-69%): Evidence partially supports but has notable gaps or inconsistencies
|
|
399
|
-
- **UNSUPPORTED** (0-39%): Evidence does not adequately support the claim
|
|
400
|
-
|
|
401
|
-
### Usage Examples
|
|
378
|
+
### Flexibility Examples
|
|
402
379
|
|
|
403
380
|
```bash
|
|
404
|
-
#
|
|
405
|
-
claude-code "
|
|
406
|
-
|
|
407
|
-
# Validate a FACILITATES claim
|
|
408
|
-
claude-code "Use validate_vendor_mapping for vendor 'ThreatIntel Feed', safeguard '1.1', claimed capability 'facilitates', with supporting text: 'Our threat intelligence service provides supplemental risk data that enriches existing asset management systems, enabling organizations to prioritize asset security based on threat exposure.'"
|
|
381
|
+
# Custom compliance-focused analysis
|
|
382
|
+
claude-code "Get safeguard 8.3 details. For PCI-DSS Level 1 compliance, assess Splunk Enterprise Security considering cardholder data environment requirements and provide implementation timeline recommendations."
|
|
409
383
|
|
|
410
|
-
#
|
|
411
|
-
claude-code "
|
|
384
|
+
# Technology stack integration assessment
|
|
385
|
+
claude-code "Get safeguard 16.1 details. We use Azure DevOps and GitHub. Analyze how SonarQube integrates with our pipeline for secure code analysis and recommend configuration best practices."
|
|
412
386
|
|
|
413
|
-
#
|
|
414
|
-
claude-code "
|
|
387
|
+
# Risk-based prioritization
|
|
388
|
+
claude-code "Get details for safeguards 13.1, 13.3, and 13.6. Our organization faces advanced persistent threats. Rank these network monitoring vendors by threat detection capability: 1) CrowdStrike Falcon 2) SentinelOne 3) Microsoft Defender for Endpoint."
|
|
415
389
|
```
|
|
416
390
|
|
|
417
391
|
## 🎯 CIS Controls Coverage
|
|
@@ -421,11 +395,12 @@ claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1
|
|
|
421
395
|
- **Full framework coverage** from Controls 1-18
|
|
422
396
|
- **Comprehensive vendor analysis** capability for all CIS safeguards
|
|
423
397
|
|
|
424
|
-
###
|
|
425
|
-
- ✅ **
|
|
426
|
-
- ✅ **
|
|
427
|
-
- ✅ **Enhanced
|
|
428
|
-
- ✅ **
|
|
398
|
+
### v1.4.0 Pure Data Provider Highlights
|
|
399
|
+
- ✅ **Simplified Architecture** - Clean data provision without analysis complexity
|
|
400
|
+
- ✅ **LLM-Powered Analysis** - Sophisticated, context-aware capability assessment
|
|
401
|
+
- ✅ **Enhanced Flexibility** - Custom methodologies and unlimited analysis approaches
|
|
402
|
+
- ✅ **Complete Framework** - All 18 Controls with 153 safeguards for comprehensive evaluation
|
|
403
|
+
- ✅ **Transparent Reasoning** - Full visibility into analysis logic and evidence evaluation
|
|
429
404
|
|
|
430
405
|
## 🛠️ Development
|
|
431
406
|
|
|
@@ -0,0 +1,178 @@
|
|
|
1
|
+
# Framework MCP v1.4.0 Release Notes
|
|
2
|
+
|
|
3
|
+
**"Pure Data Provider Architecture - Empowering LLMs with Authoritative CIS Controls Data"**
|
|
4
|
+
|
|
5
|
+
*Released: September 15, 2025*
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## 🚀 Major Architectural Advancement
|
|
10
|
+
|
|
11
|
+
Framework MCP v1.4.0 represents a **fundamental architectural transformation** from complex vendor analysis to **Pure Data Provider architecture**. This release empowers LLMs with **authoritative CIS Controls v8.1 data** while maximizing analytical flexibility and simplicity.
|
|
12
|
+
|
|
13
|
+
## ✨ What's New
|
|
14
|
+
|
|
15
|
+
### 🏗️ Pure Data Provider Architecture
|
|
16
|
+
- **Dramatically simplified codebase**: Removed 500+ lines of complex vendor analysis logic
|
|
17
|
+
- **Clean 2-tool architecture**: Focus on authoritative data provision, not analysis
|
|
18
|
+
- **Enhanced LLM integration**: Maximum flexibility for sophisticated analysis approaches
|
|
19
|
+
- **Maintained data authenticity**: Complete CIS Controls v8.1 dataset (153 safeguards) preserved
|
|
20
|
+
|
|
21
|
+
### 🔧 Simplified Tool Interface
|
|
22
|
+
- **`get_safeguard_details`**: Rich, comprehensive safeguard data with full context
|
|
23
|
+
- **`list_available_safeguards`**: Complete inventory of available CIS safeguards
|
|
24
|
+
- **Removed complexity**: Eliminated confusing `analyze_vendor_response` tool that constrained LLM capabilities
|
|
25
|
+
|
|
26
|
+
### 🧠 LLM Empowerment Benefits
|
|
27
|
+
- **Natural analysis workflow**: LLMs can perform vendor capability analysis using native reasoning
|
|
28
|
+
- **Context-rich data**: Each safeguard includes governance elements, core requirements, sub-taxonomical elements
|
|
29
|
+
- **Flexible approaches**: Support for any analysis methodology or framework
|
|
30
|
+
- **Sophisticated reasoning**: Enable complex, multi-step analysis without tool constraints
|
|
31
|
+
|
|
32
|
+
### 🔗 Enhanced Microsoft Copilot Integration
|
|
33
|
+
- **Updated custom connector**: Optimized swagger.json for Copilot workflows
|
|
34
|
+
- **Data-focused endpoints**: Clean API structure for seamless integration
|
|
35
|
+
- **Production-ready**: DigitalOcean App Services deployment support
|
|
36
|
+
- **Developer-friendly**: Comprehensive examples and documentation
|
|
37
|
+
|
|
38
|
+
## 🛠️ Technical Improvements
|
|
39
|
+
|
|
40
|
+
### Performance & Reliability
|
|
41
|
+
- **Optimized caching**: Intelligent safeguard data caching for faster response times
|
|
42
|
+
- **Reduced complexity**: Simplified codebase for better maintainability
|
|
43
|
+
- **Error handling**: Robust error management and graceful degradation
|
|
44
|
+
- **Type safety**: Strict TypeScript implementation throughout
|
|
45
|
+
|
|
46
|
+
### Developer Experience
|
|
47
|
+
- **Cleaner API**: Simplified endpoint structure
|
|
48
|
+
- **Better documentation**: Updated examples and integration guides
|
|
49
|
+
- **Migration support**: Clear migration path from v1.3.x
|
|
50
|
+
- **Testing coverage**: Comprehensive validation suite
|
|
51
|
+
|
|
52
|
+
## 📋 Complete Feature Matrix
|
|
53
|
+
|
|
54
|
+
| Feature | v1.3.7 | v1.4.0 | Status |
|
|
55
|
+
|---------|---------|---------|---------|
|
|
56
|
+
| **Core Functionality** | | | |
|
|
57
|
+
| CIS Controls v8.1 Data | ✅ (153 safeguards) | ✅ (153 safeguards) | **Preserved** |
|
|
58
|
+
| MCP Server Interface | ✅ | ✅ | **Enhanced** |
|
|
59
|
+
| HTTP API Server | ✅ | ✅ | **Simplified** |
|
|
60
|
+
| **Tool Interface** | | | |
|
|
61
|
+
| get_safeguard_details | ✅ | ✅ | **Enhanced with richer context** |
|
|
62
|
+
| list_available_safeguards | ✅ | ✅ | **Maintained** |
|
|
63
|
+
| analyze_vendor_response | ✅ | ❌ | **Removed** - LLMs handle analysis natively |
|
|
64
|
+
| **Integration Support** | | | |
|
|
65
|
+
| Microsoft Copilot | ✅ | ✅ | **Improved with updated connector** |
|
|
66
|
+
| DigitalOcean Deployment | ✅ | ✅ | **Maintained** |
|
|
67
|
+
| Local Development | ✅ | ✅ | **Simplified** |
|
|
68
|
+
|
|
69
|
+
## 🔄 Migration Guide
|
|
70
|
+
|
|
71
|
+
### From v1.3.x to v1.4.0
|
|
72
|
+
|
|
73
|
+
#### **Breaking Changes**
|
|
74
|
+
- **`analyze_vendor_response` tool removed**: LLMs now perform analysis using native reasoning with `get_safeguard_details` data
|
|
75
|
+
- **Simplified API**: Vendor analysis endpoints removed from HTTP API
|
|
76
|
+
|
|
77
|
+
#### **Migration Steps**
|
|
78
|
+
|
|
79
|
+
1. **Update Dependencies**
|
|
80
|
+
```bash
|
|
81
|
+
npm update framework-mcp
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
2. **Modify Analysis Workflows**
|
|
85
|
+
```javascript
|
|
86
|
+
// OLD v1.3.x approach
|
|
87
|
+
await mcp.call("analyze_vendor_response", {
|
|
88
|
+
vendor_name: "Example Corp",
|
|
89
|
+
safeguard_id: "1.1",
|
|
90
|
+
vendor_response: "We provide asset management..."
|
|
91
|
+
});
|
|
92
|
+
|
|
93
|
+
// NEW v1.4.0 approach - Let LLM analyze with full context
|
|
94
|
+
const safeguard = await mcp.call("get_safeguard_details", {
|
|
95
|
+
safeguard_id: "1.1",
|
|
96
|
+
include_examples: true
|
|
97
|
+
});
|
|
98
|
+
|
|
99
|
+
// LLM then analyzes vendor response against safeguard data
|
|
100
|
+
// Using natural reasoning and sophisticated analysis approaches
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
3. **Update Microsoft Copilot Connectors**
|
|
104
|
+
- Import updated `swagger.json`
|
|
105
|
+
- Remove vendor analysis action references
|
|
106
|
+
- Focus on data retrieval and LLM-driven analysis
|
|
107
|
+
|
|
108
|
+
#### **Benefits of Migration**
|
|
109
|
+
- **Increased flexibility**: LLMs can use any analysis methodology
|
|
110
|
+
- **Better accuracy**: Access to complete safeguard context
|
|
111
|
+
- **Reduced complexity**: Simpler tool interface
|
|
112
|
+
- **Enhanced reasoning**: Natural language analysis capabilities
|
|
113
|
+
|
|
114
|
+
## 🏆 Success Criteria Achieved
|
|
115
|
+
|
|
116
|
+
✅ **Dramatically simplified codebase** (~500+ lines removed)
|
|
117
|
+
✅ **Clean 2-tool architecture** focused on data provision
|
|
118
|
+
✅ **Maintained authentic CIS Controls data integrity**
|
|
119
|
+
✅ **Enhanced LLM integration capabilities**
|
|
120
|
+
✅ **Comprehensive migration documentation**
|
|
121
|
+
✅ **Updated integration guides for all platforms**
|
|
122
|
+
|
|
123
|
+
## 🔮 Strategic Vision
|
|
124
|
+
|
|
125
|
+
**"Data Authenticity + LLM Intelligence = Superior Analysis"**
|
|
126
|
+
|
|
127
|
+
Framework MCP v1.4.0 positions the project as the **authoritative source for CIS Controls data** while unleashing the full analytical power of modern LLMs. This architecture:
|
|
128
|
+
|
|
129
|
+
- **Preserves authenticity**: Official CIS Controls v8.1 data integrity maintained
|
|
130
|
+
- **Maximizes intelligence**: LLMs apply sophisticated reasoning without constraints
|
|
131
|
+
- **Ensures scalability**: Simple, clean architecture supports future enhancements
|
|
132
|
+
- **Enables innovation**: Foundation for advanced analysis methodologies
|
|
133
|
+
|
|
134
|
+
## 🚀 Getting Started
|
|
135
|
+
|
|
136
|
+
### Quick Installation
|
|
137
|
+
```bash
|
|
138
|
+
npm install framework-mcp@1.4.0
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
### MCP Server Usage
|
|
142
|
+
```javascript
|
|
143
|
+
import { FrameworkMcpServer } from 'framework-mcp';
|
|
144
|
+
|
|
145
|
+
const server = new FrameworkMcpServer();
|
|
146
|
+
server.run();
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
### HTTP API Usage
|
|
150
|
+
```javascript
|
|
151
|
+
import { FrameworkHttpServer } from 'framework-mcp';
|
|
152
|
+
|
|
153
|
+
const server = new FrameworkHttpServer(8080);
|
|
154
|
+
server.start();
|
|
155
|
+
```
|
|
156
|
+
|
|
157
|
+
### Microsoft Copilot Integration
|
|
158
|
+
1. Import updated `swagger.json` as custom connector
|
|
159
|
+
2. Use data endpoints to retrieve safeguard information
|
|
160
|
+
3. Let Copilot analyze vendor responses against CIS Controls
|
|
161
|
+
|
|
162
|
+
## 🔗 Resources
|
|
163
|
+
|
|
164
|
+
- **Repository**: https://github.com/therealcybermattlee/FrameworkMCP
|
|
165
|
+
- **Documentation**: See `/docs` directory for comprehensive guides
|
|
166
|
+
- **Migration Guide**: Complete transition documentation included
|
|
167
|
+
- **Examples**: Updated integration examples for all platforms
|
|
168
|
+
- **Support**: GitHub Issues for questions and feedback
|
|
169
|
+
|
|
170
|
+
## 🙏 Acknowledgments
|
|
171
|
+
|
|
172
|
+
This release represents the culmination of extensive architectural evaluation and the recognition that **LLMs perform better analysis when given rich data rather than constrained tools**. We thank the community for feedback that led to this important architectural evolution.
|
|
173
|
+
|
|
174
|
+
---
|
|
175
|
+
|
|
176
|
+
**Framework MCP v1.4.0: Where Data Authenticity Meets LLM Intelligence** 🚀
|
|
177
|
+
|
|
178
|
+
*For support and questions, please visit our [GitHub repository](https://github.com/therealcybermattlee/FrameworkMCP).*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;
|
|
1
|
+
{"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;CAw8N7B"}
|