framework-mcp 1.3.7 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/COPILOT_INTEGRATION.md +49 -62
  2. package/DEPLOYMENT_GUIDE.md +46 -47
  3. package/MCP_INTEGRATION_GUIDE.md +96 -129
  4. package/MIGRATION_GUIDE_v1.4.0.md +190 -0
  5. package/README.md +148 -173
  6. package/RELEASE_NOTES_v1.4.0.md +178 -0
  7. package/dist/core/safeguard-manager.d.ts.map +1 -1
  8. package/dist/core/safeguard-manager.js +2271 -153
  9. package/dist/core/safeguard-manager.js.map +1 -1
  10. package/dist/index.d.ts +0 -1
  11. package/dist/index.d.ts.map +1 -1
  12. package/dist/index.js +1 -2
  13. package/dist/index.js.map +1 -1
  14. package/dist/interfaces/http/http-server.d.ts +0 -4
  15. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  16. package/dist/interfaces/http/http-server.js +6 -85
  17. package/dist/interfaces/http/http-server.js.map +1 -1
  18. package/dist/interfaces/mcp/mcp-server.d.ts +0 -4
  19. package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
  20. package/dist/interfaces/mcp/mcp-server.js +4 -71
  21. package/dist/interfaces/mcp/mcp-server.js.map +1 -1
  22. package/dist/shared/types.d.ts +7 -0
  23. package/dist/shared/types.d.ts.map +1 -1
  24. package/examples/llm-analysis-patterns.md +553 -0
  25. package/package.json +2 -2
  26. package/scripts/validate-documentation.sh +4 -4
  27. package/src/core/safeguard-manager.ts +2271 -153
  28. package/src/index.ts +1 -2
  29. package/src/interfaces/http/http-server.ts +6 -101
  30. package/src/interfaces/mcp/mcp-server.ts +4 -85
  31. package/src/shared/types.ts +7 -0
  32. package/swagger.json +43 -168
  33. package/dist/core/capability-analyzer.d.ts +0 -23
  34. package/dist/core/capability-analyzer.d.ts.map +0 -1
  35. package/dist/core/capability-analyzer.js +0 -333
  36. package/dist/core/capability-analyzer.js.map +0 -1
  37. package/src/core/capability-analyzer.ts +0 -417
package/README.md CHANGED
@@ -5,25 +5,25 @@
5
5
  [![GitHub](https://img.shields.io/github/stars/therealcybermattlee/FrameworkMCP?style=social)](https://github.com/therealcybermattlee/FrameworkMCP)
6
6
  [![Website](https://img.shields.io/badge/Website-cyberrise.org-blue)](https://cyberrise.org)
7
7
 
8
- A Model Context Protocol (MCP) server that determines vendor tool **capability roles** (Full Implementation, Partial Implementation, Facilitates, Governance, Validates) against the **CIS Controls Framework**. This tool helps security professionals accurately categorize vendor capabilities for specific CIS Control safeguards through comprehensive content-based analysis.
8
+ A Model Context Protocol (MCP) server providing **authoritative CIS Controls Framework data** to empower LLMs with sophisticated, context-aware vendor capability analysis. This Pure Data Provider architecture enables security professionals to perform flexible, intelligent assessment of vendor tool capabilities against specific CIS Control safeguards.
9
9
 
10
10
  ## 🎯 Purpose
11
11
 
12
- This MCP server enables security teams to:
13
- - **Determine vendor tool capability roles** for specific CIS Control safeguards (1.1, 5.1, 6.3, etc.)
14
- - **Validate implementation capability claims** through comprehensive content analysis
15
- - **Accurately categorize vendor roles** across 5 capability types: Full, Partial, Facilitates, Governance, and Validates
16
- - **Generate evidence-based assessments** showing capability alignment and confidence scores
12
+ This MCP server empowers security teams to:
13
+ - **Access authoritative CIS Controls data** for all 153 safeguards across 18 controls
14
+ - **Leverage LLM intelligence** for sophisticated, context-aware vendor capability analysis
15
+ - **Perform flexible assessment** across 5 capability types: Full, Partial, Facilitates, Governance, and Validates
16
+ - **Apply custom analysis methodologies** with complete transparency and reasoning
17
17
 
18
18
  ## 🎯 The 5 Capability Roles
19
19
 
20
- | Capability Role | Description | Assessment Approach |
21
- |-----------------|-------------|--------------------|
22
- | **FULL** | Complete implementation of safeguard requirements | Comprehensive content analysis for complete coverage |
23
- | **PARTIAL** | Limited scope implementation with clear boundaries | Content analysis identifies explicit scope limitations |
24
- | **FACILITATES** | Enhancement capabilities that enable others to implement safeguards better/faster/stronger | Analysis identifies facilitation language and indirect support |
25
- | **GOVERNANCE** | Policy/process management and oversight capabilities | Analysis identifies policy, process, and oversight elements |
26
- | **VALIDATES** | Verification capabilities providing evidence and reporting | Analysis identifies audit, monitoring, and reporting capabilities |
20
+ | Capability Role | Description | LLM Analysis Approach |
21
+ |-----------------|-------------|----------------------|
22
+ | **FULL** | Complete implementation of safeguard requirements | LLMs assess comprehensive coverage against detailed safeguard data |
23
+ | **PARTIAL** | Limited scope implementation with clear boundaries | LLMs identify scope limitations and coverage gaps |
24
+ | **FACILITATES** | Enhancement capabilities that enable others to implement safeguards better/faster/stronger | LLMs recognize facilitation patterns and indirect support capabilities |
25
+ | **GOVERNANCE** | Policy/process management and oversight capabilities | LLMs evaluate governance elements and process management features |
26
+ | **VALIDATES** | Verification capabilities providing evidence and reporting | LLMs assess audit, monitoring, and reporting capabilities |
27
27
 
28
28
  ## 🎨 CIS Controls Framework Integration
29
29
 
@@ -177,27 +177,27 @@ curl -X POST https://your-api-url.com/api/validate-vendor-mapping \
177
177
  -d '{"vendor_name":"Test Vendor","safeguard_id":"1.1","claimed_capability":"facilitates","supporting_text":"We provide supplemental asset tracking capabilities that enhance existing inventory systems."}'
178
178
  ```
179
179
 
180
- ## 📋 Usage Examples
180
+ ## 📋 LLM-Driven Analysis Examples
181
181
 
182
- ### Analyze Single Vendor Response
182
+ ### Basic Vendor Capability Assessment
183
183
 
184
184
  ```bash
185
- claude-code "Determine the capability role for this vendor response to safeguard 5.1:
186
- Vendor: SecureIAM Corp
187
- Response: 'Our tool is a full identity provider with comprehensive account management. We maintain detailed user inventories including names, usernames, departments, and access rights. Automated quarterly reviews ensure all accounts are authorized and compliant.'"
185
+ claude-code "Get safeguard details for 5.1, then analyze this vendor response: SecureIAM Corp - 'Our tool is a full identity provider with comprehensive account management. We maintain detailed user inventories including names, usernames, departments, and access rights. Automated quarterly reviews ensure all accounts are authorized and compliant.' Determine appropriate capability role and provide confidence assessment."
188
186
  ```
189
187
 
190
- ### Validate Implementation Capability Claims
188
+ ### Context-Aware Analysis
191
189
 
192
190
  ```bash
193
- claude-code "Validate this implementation capability claim:
194
- Vendor: ComplianceBot
195
- Safeguard: 5.1
196
- Claimed Capability: FULL
197
- Response: 'We provide automated account lifecycle management with real-time inventory tracking and compliance reporting.'"
191
+ claude-code "Get safeguard 8.2 details. For a high-risk financial services environment, analyze this logging solution: 'We collect endpoint telemetry and forward logs to SIEM platforms.' Consider regulatory requirements (SOX, PCI-DSS) and determine capability role with implementation recommendations."
198
192
  ```
199
193
 
200
- ### Analyze Multiple Vendors from File
194
+ ### Multi-Vendor Comparative Analysis
195
+
196
+ ```bash
197
+ claude-code "Get safeguard 1.1 details. Compare these asset management solutions and rank by implementation completeness for a 500-employee company: 1) Lansweeper: 'Complete network discovery and automated inventory' 2) ServiceNow: 'CMDB with manual asset entry workflows' 3) Microsoft Intune: 'Managed device tracking with Azure AD integration'. Provide deployment complexity assessment."
198
+ ```
199
+
200
+ ### Bulk Analysis from File
201
201
 
202
202
  Create `vendors.csv`:
203
203
  ```csv
@@ -208,130 +208,114 @@ VendorC,6.3,"MFA enforcement for all external applications with SSO integration"
208
208
  ```
209
209
 
210
210
  ```bash
211
- claude-code "Determine capability roles for the vendor responses in vendors.csv and provide recommendations"
211
+ claude-code "Get details for safeguards referenced in vendors.csv. Analyze each vendor response, determine capability roles, and provide implementation roadmap recommendations based on organizational gaps."
212
212
  ```
213
213
 
214
- ### Get Safeguard Details
214
+ ### Claim Validation Assessment
215
215
 
216
216
  ```bash
217
- claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"
217
+ claude-code "Get safeguard 12.4 details. This vendor claims FULL capability for network boundary monitoring: 'We monitor all network traffic, identify unauthorized devices, and generate real-time alerts.' Validate this claim against the specific safeguard requirements and provide evidence-based assessment."
218
218
  ```
219
219
 
220
- ### Validate Vendor Capability Claims
221
-
222
- **PRIMARY TOOL**: Validate whether a vendor's stated capability mapping is actually supported by their explanatory text.
220
+ ### Risk-Based Analysis
223
221
 
224
222
  ```bash
225
- claude-code "Use validate_vendor_mapping with vendor_name 'SecureAssets Corp', safeguard_id '1.1', claimed_capability 'full', and supporting_text 'Our comprehensive asset management platform performs automated discovery of all enterprise devices, maintains detailed hardware and software inventories, tracks ownership and location data, provides real-time asset status monitoring, and includes documented inventory procedures with bi-annual review capabilities.'"
223
+ claude-code "Get safeguard 11.1 details. For a healthcare organization with HIPAA requirements, assess Veeam Backup's capability: 'Automated daily backups with 99.9% recovery success rate and quarterly recovery testing.' Focus on governance and validation aspects."
226
224
  ```
227
225
 
228
- ## 📊 Sample Output
226
+ ## 📊 Sample LLM Analysis Patterns
229
227
 
230
- ### Standard Capability Role Analysis Output
231
- ```json
232
- {
233
- "vendor": "SecureIAM Corp",
234
- "safeguardId": "5.1",
235
- "safeguardTitle": "Establish and Maintain an Inventory of Accounts",
236
- "capabilityRole": "full",
237
- "additionalRoles": ["governance", "validates"],
238
- "confidence": 87,
239
- "contentAnalysis": {
240
- "implementationLanguage": "strong",
241
- "scopeDefinition": "comprehensive",
242
- "evidenceQuality": "high"
243
- },
244
- "evidenceAnalysis": {
245
- "coreRequirements": 85,
246
- "subElements": 75,
247
- "governance": 90,
248
- "languageConsistency": 88
249
- },
250
- "evidence": [
251
- "comprehensive account management",
252
- "detailed user inventories",
253
- "automated quarterly reviews"
254
- ]
255
- }
228
+ ### Context-Aware Assessment Response
256
229
  ```
230
+ ASSESSMENT: SecureIAM Corp - Safeguard 5.1 Analysis
257
231
 
258
- ### Primary Validation Tool Output (validate_vendor_mapping)
259
- ```json
260
- {
261
- "vendor": "SecureAssets Corp",
262
- "safeguard_id": "1.1",
263
- "safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
264
- "claimed_capability": "full",
265
- "validation_status": "SUPPORTED",
266
- "confidence_score": 85,
267
- "evidence_analysis": {
268
- "core_requirements_coverage": 100,
269
- "sub_elements_coverage": 47,
270
- "governance_alignment": 80,
271
- "language_consistency": 90
272
- },
273
- "content_validation": {
274
- "implementation_depth": "comprehensive",
275
- "scope_clarity": "well_defined",
276
- "evidence_strength": "strong",
277
- "capability_aligned": true
278
- },
279
- "gaps_identified": [],
280
- "strengths_identified": [
281
- "High coverage of core requirements and sub-elements",
282
- "Strong implementation language consistency",
283
- "Comprehensive coverage with clear implementation details"
284
- ],
285
- "recommendations": [],
286
- "detailed_feedback": "Validation of FULL capability claim: SUPPORTED (85% alignment)\n\nSTRENGTHS:\n• High coverage of core requirements and sub-elements\n• Strong implementation language consistency\n• Comprehensive coverage with clear implementation details\n\nASSESSMENT: The vendor's supporting evidence strongly aligns with their claimed capability."
287
- }
232
+ CAPABILITY DETERMINATION: FULL + GOVERNANCE + VALIDATES
233
+ CONFIDENCE: 87%
234
+
235
+ ANALYSIS:
236
+ Based on safeguard 5.1 requirements for comprehensive account inventory management:
237
+
238
+ ✅ CORE REQUIREMENTS COVERAGE:
239
+ - Complete user inventory (names, usernames, departments)
240
+ - Access rights tracking and management
241
+ - Identity provider capabilities with centralized management
242
+
243
+ ✅ GOVERNANCE ELEMENTS:
244
+ - Automated quarterly review processes
245
+ - Compliance verification workflows
246
+ - Policy enforcement capabilities
247
+
248
+ ✅ VALIDATION CAPABILITIES:
249
+ - Continuous monitoring and reporting
250
+ - Authorization verification
251
+ - Compliance status tracking
252
+
253
+ EVIDENCE QUALITY: High - Specific implementation details provided
254
+ SCOPE DEFINITION: Comprehensive enterprise account management
255
+
256
+ RECOMMENDATION: Strong FULL capability alignment with additional governance and validation roles. Suitable for enterprise Implementation Group 2-3 deployments.
288
257
  ```
289
258
 
290
- ### Insufficient Evidence Example Output
291
- ```json
292
- {
293
- "vendor": "BasicTracker Pro",
294
- "safeguard_id": "1.1",
295
- "safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
296
- "claimed_capability": "full",
297
- "validation_status": "UNSUPPORTED",
298
- "confidence_score": 35,
299
- "evidence_analysis": {
300
- "core_requirements_coverage": 40,
301
- "sub_elements_coverage": 15,
302
- "governance_alignment": 25,
303
- "language_consistency": 60
304
- },
305
- "content_validation": {
306
- "implementation_depth": "limited",
307
- "scope_clarity": "vague",
308
- "evidence_strength": "weak",
309
- "capability_aligned": false
310
- },
311
- "gaps_identified": [
312
- "Insufficient detail on asset tracking capabilities",
313
- "Missing governance and review processes",
314
- "Limited coverage of sub-elements"
315
- ],
316
- "strengths_identified": [
317
- "Basic asset visibility mentioned"
318
- ],
319
- "recommendations": [
320
- "Provide more detailed implementation specifics",
321
- "Consider repositioning as FACILITATES capability based on limited scope"
322
- ],
323
- "detailed_feedback": "Validation of FULL capability claim: UNSUPPORTED (35% alignment)\n\nGAPS IDENTIFIED:\n• Insufficient detail on asset tracking capabilities\n• Missing governance and review processes\n• Limited coverage of sub-elements\n\nASSESSMENT: The vendor's supporting evidence does not adequately support their FULL capability claim. Consider FACILITATES role instead."
324
- }
259
+ ### Multi-Vendor Comparison Response
260
+ ```
261
+ COMPARATIVE ANALYSIS: Asset Management Solutions for Safeguard 1.1
262
+
263
+ RANKING BY IMPLEMENTATION COMPLETENESS:
264
+
265
+ 1. 🥇 LANSWEEPER (FULL + VALIDATES)
266
+ - Comprehensive automated discovery
267
+ - Network-wide asset visibility
268
+ - Strong for 500-employee deployment
269
+ - Implementation: Medium complexity
270
+
271
+ 2. 🥈 MICROSOFT INTUNE (PARTIAL + GOVERNANCE)
272
+ - Managed device focus (limited scope)
273
+ - Strong Azure AD integration
274
+ - Governance capabilities present
275
+ - Implementation: Low complexity (if using Microsoft stack)
276
+
277
+ 3. 🥉 SERVICENOW (FACILITATES + GOVERNANCE)
278
+ - CMDB foundation requires manual processes
279
+ - Strong workflow and governance features
280
+ - Facilitates comprehensive asset management
281
+ - Implementation: High complexity
282
+
283
+ RECOMMENDATION: Lansweeper provides best immediate coverage for IG1 requirements. Consider Intune if Microsoft-centric environment, ServiceNow for complex enterprise with mature processes.
284
+ ```
285
+
286
+ ### Risk-Based Healthcare Analysis
287
+ ```
288
+ HIPAA-FOCUSED ANALYSIS: Veeam Backup vs Safeguard 11.1
289
+
290
+ CAPABILITY: FULL + VALIDATES
291
+ COMPLIANCE CONFIDENCE: 92%
292
+
293
+ HIPAA CONSIDERATIONS:
294
+ ✅ Recovery time objectives meet healthcare uptime requirements
295
+ ✅ Quarterly testing demonstrates due diligence
296
+ ✅ 99.9% success rate supports business continuity
297
+
298
+ GOVERNANCE ALIGNMENT:
299
+ - Documented recovery procedures (required for HIPAA)
300
+ - Regular testing and validation processes
301
+ - Performance metrics and reporting
302
+
303
+ GAPS TO ADDRESS:
304
+ - Verify encryption at rest/in transit for PHI
305
+ - Confirm audit logging capabilities
306
+ - Validate access controls for backup systems
307
+
308
+ IMPLEMENTATION RECOMMENDATION: Strong foundation for HIPAA compliance. Supplement with documented encryption policies and access control procedures.
325
309
  ```
326
310
 
327
311
  ## 🔧 Available Tools
328
312
 
329
313
  | Tool | Description |
330
314
  |------|-------------|
331
- | `validate_vendor_mapping` | **PRIMARY** Validate vendor's claimed capability role against supporting evidence through content analysis |
332
- | `analyze_vendor_response` | Determine vendor tool capability role for specific safeguard |
333
- | `get_safeguard_details` | Get detailed safeguard breakdown |
334
- | `list_available_safeguards` | List all available CIS safeguards |
315
+ | `get_safeguard_details` | **PRIMARY** Get detailed safeguard breakdown with structured CIS data for LLM analysis |
316
+ | `list_available_safeguards` | List all available CIS safeguards (153 total) for framework exploration |
317
+
318
+ **Pure Data Provider Architecture**: Framework MCP provides authoritative CIS Controls data while LLMs perform sophisticated, context-aware capability analysis with unlimited flexibility.
335
319
 
336
320
  ## 📁 File Formats Supported
337
321
 
@@ -361,57 +345,47 @@ Vendor: AnotherVendor - Safeguard: 6.3
361
345
  Another response...
362
346
  ```
363
347
 
364
- ## 🆕 Vendor Mapping Validation
348
+ ## 🚀 LLM-Driven Analysis Advantages
365
349
 
366
- The **validate_vendor_mapping** tool provides evidence-based validation of vendor capability claims. This addresses a critical need: vendors often self-assess their capabilities, but practitioners need to verify whether the supporting evidence actually justifies the claimed mapping.
350
+ Framework MCP v1.4.0's **Pure Data Provider architecture** empowers LLMs to perform sophisticated vendor capability analysis with unprecedented flexibility and intelligence.
367
351
 
368
- ### Validation Criteria
352
+ ### Key Benefits Over Hardcoded Analysis
369
353
 
370
- | Capability | Requirements | Validation Thresholds |
371
- |------------|-------------|----------------------|
372
- | **FULL** | Complete implementation within scope | ≥70% core requirements + ≥40% sub-elements |
373
- | **PARTIAL** | Limited scope with clear boundaries | ≥30% core requirements OR some core + ≥20% sub-elements |
374
- | **FACILITATES** | Enables/enhances implementation | Facilitation language present, no direct implementation claims |
375
- | **GOVERNANCE** | Policy/process management | ≥60% governance elements + policy language |
376
- | **VALIDATES** | Evidence collection & reporting | Audit/monitoring/reporting capabilities present |
354
+ | Advantage | Description | LLM Capability |
355
+ |-----------|-------------|----------------|
356
+ | **Context Awareness** | Analysis considers industry, risk profile, and organizational needs | LLMs understand sector-specific requirements and compliance frameworks |
357
+ | **Analytical Flexibility** | Apply custom methodologies and assessment criteria | Multiple analysis approaches: strict compliance, risk-based, comparative |
358
+ | **Transparent Reasoning** | Complete visibility into analysis logic and evidence evaluation | LLMs explain their reasoning and provide detailed justifications |
359
+ | **Adaptive Intelligence** | Dynamic assessment based on evolving requirements | LLMs can adjust analysis based on new information or changing priorities |
360
+ | **Natural Language** | Complex analysis requests in plain English | No need for rigid tool parameters or predefined validation rules |
377
361
 
378
- ### Content-Based Validation Approach
362
+ ### Enhanced Analysis Capabilities
379
363
 
380
- **APPROACH**: The validation tool uses comprehensive content analysis to assess capability claims:
364
+ **Multi-Dimensional Assessment**: LLMs can simultaneously evaluate:
365
+ - Technical capability alignment with safeguard requirements
366
+ - Deployment complexity and organizational fit
367
+ - Risk mitigation effectiveness and compliance coverage
368
+ - Integration potential with existing technology stacks
369
+ - Cost-benefit analysis and implementation roadmaps
381
370
 
382
- | Analysis Dimension | Description | Assessment Focus |
383
- |-------------------|-------------|------------------|
384
- | **Core Requirements Coverage** | Alignment with primary safeguard elements | Direct implementation language and specific capabilities |
385
- | **Sub-Elements Coverage** | Support for detailed safeguard components | Breadth of coverage across safeguard sub-requirements |
386
- | **Governance Alignment** | Policy/process management elements | Governance language and oversight capabilities |
387
- | **Implementation Depth** | Specificity and detail of implementation | Technical depth and implementation specifics |
388
- | **Language Consistency** | Alignment between claim and evidence | Consistency between stated capability and supporting text |
371
+ **Advanced Analysis Patterns**:
372
+ - **Comparative Vendor Evaluation**: Rank multiple solutions against specific criteria
373
+ - **Gap Analysis**: Identify coverage gaps and recommend complementary tools
374
+ - **Risk-Based Assessment**: Prioritize capability importance based on threat landscape
375
+ - **Compliance Mapping**: Align vendor capabilities with regulatory requirements
376
+ - **Implementation Planning**: Generate deployment strategies and success metrics
389
377
 
390
- **Content Analysis Logic**: Evidence is evaluated across multiple dimensions:
391
- - **Strong Evidence**: Detailed implementation specifics with comprehensive coverage
392
- - **Moderate Evidence**: Good coverage with some gaps or general language
393
- - **Weak Evidence**: Limited specifics or scope, vague implementation details
394
-
395
- ### Validation Statuses
396
-
397
- - **SUPPORTED** (70-100%): Evidence strongly supports the claimed capability
398
- - **QUESTIONABLE** (40-69%): Evidence partially supports but has notable gaps or inconsistencies
399
- - **UNSUPPORTED** (0-39%): Evidence does not adequately support the claim
400
-
401
- ### Usage Examples
378
+ ### Flexibility Examples
402
379
 
403
380
  ```bash
404
- # Validate a FULL coverage claim with strong evidence
405
- claude-code "Use validate_vendor_mapping for vendor 'AssetMax Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our platform provides comprehensive automated discovery, detailed inventory management, and complete asset lifecycle tracking for all enterprise devices including servers, workstations, and network equipment.'"
406
-
407
- # Validate a FACILITATES claim
408
- claude-code "Use validate_vendor_mapping for vendor 'ThreatIntel Feed', safeguard '1.1', claimed capability 'facilitates', with supporting text: 'Our threat intelligence service provides supplemental risk data that enriches existing asset management systems, enabling organizations to prioritize asset security based on threat exposure.'"
381
+ # Custom compliance-focused analysis
382
+ claude-code "Get safeguard 8.3 details. For PCI-DSS Level 1 compliance, assess Splunk Enterprise Security considering cardholder data environment requirements and provide implementation timeline recommendations."
409
383
 
410
- # Partial capability claim with clear scope limitations
411
- claude-code "Use validate_vendor_mapping for vendor 'NetworkScanner Pro', safeguard '1.1', claimed capability 'partial', with supporting text: 'Our scanner provides comprehensive network device discovery and maintains detailed hardware inventories, but is limited to network-accessible devices and does not track software installations or offline systems.'"
384
+ # Technology stack integration assessment
385
+ claude-code "Get safeguard 16.1 details. We use Azure DevOps and GitHub. Analyze how SonarQube integrates with our pipeline for secure code analysis and recommend configuration best practices."
412
386
 
413
- # Insufficient evidence example
414
- claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1.1', claimed capability 'full', with supporting text: 'We help track computers and provide some visibility into your IT environment.'"
387
+ # Risk-based prioritization
388
+ claude-code "Get details for safeguards 13.1, 13.3, and 13.6. Our organization faces advanced persistent threats. Rank these network monitoring vendors by threat detection capability: 1) CrowdStrike Falcon 2) SentinelOne 3) Microsoft Defender for Endpoint."
415
389
  ```
416
390
 
417
391
  ## 🎯 CIS Controls Coverage
@@ -421,11 +395,12 @@ claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1
421
395
  - **Full framework coverage** from Controls 1-18
422
396
  - **Comprehensive vendor analysis** capability for all CIS safeguards
423
397
 
424
- ### Current Version Highlights
425
- - ✅ **All 18 Controls** implemented (Enterprise Assets through Penetration Testing)
426
- - ✅ **Color-coded element categorization** (Orange/Green/Yellow/Gray)
427
- - ✅ **Enhanced capability detection** (Governance, Facilitates, Coverage, Validates)
428
- - ✅ **Production-ready** vendor analysis for complete compliance assessments
398
+ ### v1.4.0 Pure Data Provider Highlights
399
+ - ✅ **Simplified Architecture** - Clean data provision without analysis complexity
400
+ - ✅ **LLM-Powered Analysis** - Sophisticated, context-aware capability assessment
401
+ - ✅ **Enhanced Flexibility** - Custom methodologies and unlimited analysis approaches
402
+ - ✅ **Complete Framework** - All 18 Controls with 153 safeguards for comprehensive evaluation
403
+ - ✅ **Transparent Reasoning** - Full visibility into analysis logic and evidence evaluation
429
404
 
430
405
  ## 🛠️ Development
431
406
 
@@ -0,0 +1,178 @@
1
+ # Framework MCP v1.4.0 Release Notes
2
+
3
+ **"Pure Data Provider Architecture - Empowering LLMs with Authoritative CIS Controls Data"**
4
+
5
+ *Released: September 15, 2025*
6
+
7
+ ---
8
+
9
+ ## 🚀 Major Architectural Advancement
10
+
11
+ Framework MCP v1.4.0 represents a **fundamental architectural transformation** from complex vendor analysis to **Pure Data Provider architecture**. This release empowers LLMs with **authoritative CIS Controls v8.1 data** while maximizing analytical flexibility and simplicity.
12
+
13
+ ## ✨ What's New
14
+
15
+ ### 🏗️ Pure Data Provider Architecture
16
+ - **Dramatically simplified codebase**: Removed 500+ lines of complex vendor analysis logic
17
+ - **Clean 2-tool architecture**: Focus on authoritative data provision, not analysis
18
+ - **Enhanced LLM integration**: Maximum flexibility for sophisticated analysis approaches
19
+ - **Maintained data authenticity**: Complete CIS Controls v8.1 dataset (153 safeguards) preserved
20
+
21
+ ### 🔧 Simplified Tool Interface
22
+ - **`get_safeguard_details`**: Rich, comprehensive safeguard data with full context
23
+ - **`list_available_safeguards`**: Complete inventory of available CIS safeguards
24
+ - **Removed complexity**: Eliminated confusing `analyze_vendor_response` tool that constrained LLM capabilities
25
+
26
+ ### 🧠 LLM Empowerment Benefits
27
+ - **Natural analysis workflow**: LLMs can perform vendor capability analysis using native reasoning
28
+ - **Context-rich data**: Each safeguard includes governance elements, core requirements, sub-taxonomical elements
29
+ - **Flexible approaches**: Support for any analysis methodology or framework
30
+ - **Sophisticated reasoning**: Enable complex, multi-step analysis without tool constraints
31
+
32
+ ### 🔗 Enhanced Microsoft Copilot Integration
33
+ - **Updated custom connector**: Optimized swagger.json for Copilot workflows
34
+ - **Data-focused endpoints**: Clean API structure for seamless integration
35
+ - **Production-ready**: DigitalOcean App Services deployment support
36
+ - **Developer-friendly**: Comprehensive examples and documentation
37
+
38
+ ## 🛠️ Technical Improvements
39
+
40
+ ### Performance & Reliability
41
+ - **Optimized caching**: Intelligent safeguard data caching for faster response times
42
+ - **Reduced complexity**: Simplified codebase for better maintainability
43
+ - **Error handling**: Robust error management and graceful degradation
44
+ - **Type safety**: Strict TypeScript implementation throughout
45
+
46
+ ### Developer Experience
47
+ - **Cleaner API**: Simplified endpoint structure
48
+ - **Better documentation**: Updated examples and integration guides
49
+ - **Migration support**: Clear migration path from v1.3.x
50
+ - **Testing coverage**: Comprehensive validation suite
51
+
52
+ ## 📋 Complete Feature Matrix
53
+
54
+ | Feature | v1.3.7 | v1.4.0 | Status |
55
+ |---------|---------|---------|---------|
56
+ | **Core Functionality** | | | |
57
+ | CIS Controls v8.1 Data | ✅ (153 safeguards) | ✅ (153 safeguards) | **Preserved** |
58
+ | MCP Server Interface | ✅ | ✅ | **Enhanced** |
59
+ | HTTP API Server | ✅ | ✅ | **Simplified** |
60
+ | **Tool Interface** | | | |
61
+ | get_safeguard_details | ✅ | ✅ | **Enhanced with richer context** |
62
+ | list_available_safeguards | ✅ | ✅ | **Maintained** |
63
+ | analyze_vendor_response | ✅ | ❌ | **Removed** - LLMs handle analysis natively |
64
+ | **Integration Support** | | | |
65
+ | Microsoft Copilot | ✅ | ✅ | **Improved with updated connector** |
66
+ | DigitalOcean Deployment | ✅ | ✅ | **Maintained** |
67
+ | Local Development | ✅ | ✅ | **Simplified** |
68
+
69
+ ## 🔄 Migration Guide
70
+
71
+ ### From v1.3.x to v1.4.0
72
+
73
+ #### **Breaking Changes**
74
+ - **`analyze_vendor_response` tool removed**: LLMs now perform analysis using native reasoning with `get_safeguard_details` data
75
+ - **Simplified API**: Vendor analysis endpoints removed from HTTP API
76
+
77
+ #### **Migration Steps**
78
+
79
+ 1. **Update Dependencies**
80
+ ```bash
81
+ npm update framework-mcp
82
+ ```
83
+
84
+ 2. **Modify Analysis Workflows**
85
+ ```javascript
86
+ // OLD v1.3.x approach
87
+ await mcp.call("analyze_vendor_response", {
88
+ vendor_name: "Example Corp",
89
+ safeguard_id: "1.1",
90
+ vendor_response: "We provide asset management..."
91
+ });
92
+
93
+ // NEW v1.4.0 approach - Let LLM analyze with full context
94
+ const safeguard = await mcp.call("get_safeguard_details", {
95
+ safeguard_id: "1.1",
96
+ include_examples: true
97
+ });
98
+
99
+ // LLM then analyzes vendor response against safeguard data
100
+ // Using natural reasoning and sophisticated analysis approaches
101
+ ```
102
+
103
+ 3. **Update Microsoft Copilot Connectors**
104
+ - Import updated `swagger.json`
105
+ - Remove vendor analysis action references
106
+ - Focus on data retrieval and LLM-driven analysis
107
+
108
+ #### **Benefits of Migration**
109
+ - **Increased flexibility**: LLMs can use any analysis methodology
110
+ - **Better accuracy**: Access to complete safeguard context
111
+ - **Reduced complexity**: Simpler tool interface
112
+ - **Enhanced reasoning**: Natural language analysis capabilities
113
+
114
+ ## 🏆 Success Criteria Achieved
115
+
116
+ ✅ **Dramatically simplified codebase** (~500+ lines removed)
117
+ ✅ **Clean 2-tool architecture** focused on data provision
118
+ ✅ **Maintained authentic CIS Controls data integrity**
119
+ ✅ **Enhanced LLM integration capabilities**
120
+ ✅ **Comprehensive migration documentation**
121
+ ✅ **Updated integration guides for all platforms**
122
+
123
+ ## 🔮 Strategic Vision
124
+
125
+ **"Data Authenticity + LLM Intelligence = Superior Analysis"**
126
+
127
+ Framework MCP v1.4.0 positions the project as the **authoritative source for CIS Controls data** while unleashing the full analytical power of modern LLMs. This architecture:
128
+
129
+ - **Preserves authenticity**: Official CIS Controls v8.1 data integrity maintained
130
+ - **Maximizes intelligence**: LLMs apply sophisticated reasoning without constraints
131
+ - **Ensures scalability**: Simple, clean architecture supports future enhancements
132
+ - **Enables innovation**: Foundation for advanced analysis methodologies
133
+
134
+ ## 🚀 Getting Started
135
+
136
+ ### Quick Installation
137
+ ```bash
138
+ npm install framework-mcp@1.4.0
139
+ ```
140
+
141
+ ### MCP Server Usage
142
+ ```javascript
143
+ import { FrameworkMcpServer } from 'framework-mcp';
144
+
145
+ const server = new FrameworkMcpServer();
146
+ server.run();
147
+ ```
148
+
149
+ ### HTTP API Usage
150
+ ```javascript
151
+ import { FrameworkHttpServer } from 'framework-mcp';
152
+
153
+ const server = new FrameworkHttpServer(8080);
154
+ server.start();
155
+ ```
156
+
157
+ ### Microsoft Copilot Integration
158
+ 1. Import updated `swagger.json` as custom connector
159
+ 2. Use data endpoints to retrieve safeguard information
160
+ 3. Let Copilot analyze vendor responses against CIS Controls
161
+
162
+ ## 🔗 Resources
163
+
164
+ - **Repository**: https://github.com/therealcybermattlee/FrameworkMCP
165
+ - **Documentation**: See `/docs` directory for comprehensive guides
166
+ - **Migration Guide**: Complete transition documentation included
167
+ - **Examples**: Updated integration examples for all platforms
168
+ - **Support**: GitHub Issues for questions and feedback
169
+
170
+ ## 🙏 Acknowledgments
171
+
172
+ This release represents the culmination of extensive architectural evaluation and the recognition that **LLMs perform better analysis when given rich data rather than constrained tools**. We thank the community for feedback that led to this important architectural evolution.
173
+
174
+ ---
175
+
176
+ **Framework MCP v1.4.0: Where Data Authenticity Meets LLM Intelligence** 🚀
177
+
178
+ *For support and questions, please visit our [GitHub repository](https://github.com/therealcybermattlee/FrameworkMCP).*
@@ -1 +1 @@
1
- {"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;CAk4J7B"}
1
+ {"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;CAw8N7B"}