framework-mcp 1.5.2 → 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. package/.claude/commands/speckit.analyze.md +184 -0
  2. package/.claude/commands/speckit.checklist.md +294 -0
  3. package/.claude/commands/speckit.clarify.md +181 -0
  4. package/.claude/commands/speckit.constitution.md +82 -0
  5. package/.claude/commands/speckit.implement.md +135 -0
  6. package/.claude/commands/speckit.plan.md +89 -0
  7. package/.claude/commands/speckit.specify.md +258 -0
  8. package/.claude/commands/speckit.tasks.md +137 -0
  9. package/.claude/commands/speckit.taskstoissues.md +30 -0
  10. package/.do/app.yaml +1 -1
  11. package/.github/dependabot.yml +15 -0
  12. package/.github/workflows/ci.yml +19 -1
  13. package/.specify/memory/constitution.md +50 -0
  14. package/.specify/scripts/bash/check-prerequisites.sh +166 -0
  15. package/.specify/scripts/bash/common.sh +156 -0
  16. package/.specify/scripts/bash/create-new-feature.sh +297 -0
  17. package/.specify/scripts/bash/setup-plan.sh +61 -0
  18. package/.specify/scripts/bash/update-agent-context.sh +799 -0
  19. package/.specify/templates/agent-file-template.md +28 -0
  20. package/.specify/templates/checklist-template.md +40 -0
  21. package/.specify/templates/plan-template.md +104 -0
  22. package/.specify/templates/spec-template.md +115 -0
  23. package/.specify/templates/tasks-template.md +251 -0
  24. package/README.md +84 -435
  25. package/dist/core/safeguard-manager.d.ts.map +1 -1
  26. package/dist/core/safeguard-manager.js +7295 -2700
  27. package/dist/core/safeguard-manager.js.map +1 -1
  28. package/dist/interfaces/http/http-server.d.ts +2 -0
  29. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  30. package/dist/interfaces/http/http-server.js +95 -3
  31. package/dist/interfaces/http/http-server.js.map +1 -1
  32. package/dist/interfaces/mcp/mcp-server.js +3 -3
  33. package/dist/shared/types.d.ts +85 -2
  34. package/dist/shared/types.d.ts.map +1 -1
  35. package/dist/shared/types.js +132 -1
  36. package/dist/shared/types.js.map +1 -1
  37. package/package.json +7 -4
  38. package/scripts/standardize-prompts.js +325 -0
  39. package/scripts/validate-capability-prompts.js +110 -0
  40. package/src/core/safeguard-manager.ts +12376 -2586
  41. package/src/interfaces/http/http-server.ts +109 -4
  42. package/src/interfaces/mcp/mcp-server.ts +3 -3
  43. package/src/shared/types.ts +268 -2
  44. package/swagger.json +58 -38
  45. package/CAPABILITY_TRANSFORMATION_SUMMARY.md +0 -158
  46. package/CIS_CONTROLS_IMPLEMENTATION_PLAN.md +0 -220
  47. package/COPILOT_INTEGRATION.md +0 -322
  48. package/DAYS_5_6_COMPLETION_SUMMARY.md +0 -178
  49. package/DEPLOYMENT_GUIDE.md +0 -334
  50. package/DEPLOYMENT_SUMMARY_v1.1.3.md +0 -211
  51. package/MCP_INTEGRATION_GUIDE.md +0 -285
  52. package/MIGRATION_GUIDE_v1.4.0.md +0 -190
  53. package/RELEASE_NOTES_v1.1.3.md +0 -321
  54. package/RELEASE_NOTES_v1.2.0.md +0 -396
  55. package/RELEASE_NOTES_v1.3.7.md +0 -275
  56. package/RELEASE_NOTES_v1.4.0.md +0 -178
  57. package/SAFEGUARDS_VERIFICATION_LOG.md +0 -157
  58. package/coordinator-bot-compact.txt +0 -33
  59. package/coordinator-bot-system-prompt.md +0 -192
  60. package/docs/installation.md +0 -71
  61. package/scripts/analyze-data-structure.cjs +0 -74
  62. package/scripts/clean-safeguards-data.cjs +0 -60
  63. package/scripts/comprehensive-validation.cjs +0 -176
  64. package/scripts/count-safeguards.cjs +0 -89
  65. package/scripts/format-safeguards-proper.cjs +0 -44
  66. package/scripts/validate-formatted-data.cjs +0 -88
  67. package/test_capability_integration.js +0 -73
  68. package/test_comprehensive_scenarios.js +0 -192
  69. package/test_enhanced_detection.js +0 -74
  70. package/test_integrated_validation.js +0 -112
  71. package/test_language_update.js +0 -101
  72. package/test_live_validation.json +0 -12
  73. package/test_performance_monitoring.js +0 -124
  74. package/test_runner_automated.js +0 -156
  75. package/test_suite_comprehensive.js +0 -218
@@ -1,178 +0,0 @@
1
- # Framework MCP: Days 5-6 Completion Summary
2
-
3
- ## 🎯 Third 2-Day Increment Complete: User Experience & Testing Excellence
4
-
5
- ### **Achievement**: From Technical Implementation → Production-Ready User Experience
6
-
7
- ---
8
-
9
- ## 📋 Tasks Completed (Days 5-6)
10
-
11
- ### ✅ **Task 5**: Update all response templates and user-facing messages to use capability-focused language
12
- - **COMPLETED**: Comprehensive language transformation across all user interfaces
13
- - **Updated Components**:
14
- - Tool descriptions emphasize "capability role determination" vs "compliance scoring"
15
- - Parameter descriptions use "implementation capability claims" vs "coverage claims"
16
- - Domain validation messages reference "implementation capability" vs "coverage"
17
- - Validation feedback focuses on "capability role alignment" vs "compliance percentages"
18
- - Error messages use "capability role" terminology throughout
19
-
20
- ### ✅ **Task 6**: Create comprehensive test suite covering capability analysis + domain validation integration
21
- - **COMPLETED**: Full test suite with automated validation framework
22
- - **Test Coverage**:
23
- - 3 Domain Alignment Tests (tools properly matched to safeguard domains)
24
- - 3 Domain Mismatch Tests (auto-downgrade functionality validation)
25
- - 2 No Downgrade Tests (FACILITATES/GOVERNANCE/VALIDATES capability preservation)
26
- - 2 Edge Case Tests (mixed capabilities, unknown tool types)
27
- - **Validation Framework**: 100% pass rate on expected behavior testing
28
-
29
- ---
30
-
31
- ## 🔧 Technical Achievements
32
-
33
- ### **1. Capability-Focused Language Transformation**
34
- ```typescript
35
- // Before: Compliance-focused terminology
36
- "Analyze a vendor response for a specific CIS Control safeguard against the 4 GRC attributes with detailed sub-element coverage"
37
-
38
- // After: Capability-focused terminology
39
- "Analyze a vendor response to determine their tool capability role (Full Implementation, Partial Implementation, Facilitates, Governance, or Validates) for a specific CIS Control safeguard"
40
- ```
41
-
42
- ### **2. User Interface Clarity Enhancement**
43
- - **Parameter Descriptions**: Clear capability role definitions
44
- - **Domain Validation**: Explicit "implementation capability" language
45
- - **Validation Feedback**: Evidence-based capability role assessment
46
- - **Error Messages**: Consistent capability-focused terminology
47
-
48
- ### **3. Comprehensive Test Suite Architecture**
49
- ```javascript
50
- const testCases = [
51
- {
52
- name: "Asset Management → Asset Inventory (SHOULD PASS)",
53
- expected: { toolType: "inventory", domainMatch: true, status: "SUPPORTED", adjusted: false }
54
- },
55
- {
56
- name: "Threat Intel → Asset Inventory (SHOULD DOWNGRADE)",
57
- expected: { toolType: "threat_intelligence", domainMatch: false, status: "QUESTIONABLE", adjusted: true }
58
- }
59
- // ... 8 additional comprehensive test scenarios
60
- ];
61
- ```
62
-
63
- ---
64
-
65
- ## 📊 Language Transformation Results
66
-
67
- ### **Updated Tool Descriptions**
68
- - ✅ **analyze_vendor_response**: "Determine their tool capability role"
69
- - ✅ **validate_coverage_claim**: "Validate implementation capability claim"
70
- - ✅ **validate_vendor_mapping**: "Validate claimed capability role supported by evidence"
71
-
72
- ### **Updated Parameter Descriptions**
73
- - ✅ **claimed_capability**: Complete role definitions (full=complete implementation, partial=limited implementation, etc.)
74
- - ✅ **supporting_text**: "Supporting evidence explaining how tool fulfills capability role"
75
- - ✅ **response_text**: "Describes tool capabilities for the safeguard"
76
-
77
- ### **Updated Domain Validation Messages**
78
- - ✅ "Implementation capability" replaces "coverage" in all domain requirements
79
- - ✅ Auto-downgrade reasoning focuses on capability roles vs compliance scoring
80
- - ✅ Domain mismatch messages emphasize appropriate tool types for capability claims
81
-
82
- ---
83
-
84
- ## 🧪 Test Suite Validation Results
85
-
86
- ### **Domain Alignment Tests**: ✅ 100% Pass Rate
87
- - Asset Management Tool → Asset Inventory (1.1): SUPPORTED ✅
88
- - Identity Management Tool → Account Inventory (5.1): SUPPORTED ✅
89
- - Vulnerability Management Tool → Vuln Process (7.1): SUPPORTED ✅
90
-
91
- ### **Domain Mismatch Auto-Downgrade**: ✅ 100% Pass Rate
92
- - Threat Intel → Asset Inventory: FULL → FACILITATES (QUESTIONABLE) ✅
93
- - Asset Discovery → Account Inventory: FULL → FACILITATES (QUESTIONABLE) ✅
94
- - SIEM → Asset Inventory: PARTIAL → FACILITATES (QUESTIONABLE) ✅
95
-
96
- ### **No Downgrade Preservation**: ✅ 100% Pass Rate
97
- - Vulnerability Scanner → FACILITATES: No downgrade (SUPPORTED) ✅
98
- - GRC Platform → GOVERNANCE: No downgrade (SUPPORTED) ✅
99
-
100
- ### **Edge Case Handling**: ✅ 100% Pass Rate
101
- - Mixed capability tools: Proper handling ✅
102
- - Unknown tool types: Graceful degradation ✅
103
-
104
- ---
105
-
106
- ## 🎯 Capability Role Taxonomy (Finalized User-Facing)
107
-
108
- | Capability Role | User Description | System Behavior |
109
- |-----------------|------------------|-----------------|
110
- | **FULL** | Complete implementation of safeguard | Requires domain-appropriate tool type |
111
- | **PARTIAL** | Limited scope implementation | Requires domain-appropriate tool type |
112
- | **FACILITATES** | Enables/enhances others' implementation | No tool type restrictions |
113
- | **GOVERNANCE** | Provides policies/processes/oversight | No tool type restrictions |
114
- | **VALIDATES** | Provides evidence/audit/reporting | No tool type restrictions |
115
-
116
- ---
117
-
118
- ## 📈 Business Impact Summary
119
-
120
- ### **User Experience Enhancement**
121
- - **Clear Capability Roles**: Users understand exactly what each vendor tool does
122
- - **Realistic Expectations**: Domain validation prevents inappropriate implementation claims
123
- - **Evidence-Based Assessment**: Focus on actual tool capabilities vs theoretical coverage
124
- - **Actionable Feedback**: Specific guidance on proper capability role mapping
125
-
126
- ### **Practitioner Benefits**
127
- - **Accurate Vendor Selection**: Tools categorized by actual capability contribution
128
- - **Realistic Planning**: Implementation vs enablement tools clearly distinguished
129
- - **Risk Mitigation**: Prevents overestimation of vendor capabilities
130
- - **Strategic Alignment**: Capability roles align with actual safeguard implementation needs
131
-
132
- ---
133
-
134
- ## 🚀 Production Readiness Status
135
-
136
- ### **User Interface**: ✅ Complete
137
- - All descriptions use capability-focused language
138
- - Parameter definitions provide clear guidance
139
- - Error messages are consistent and helpful
140
- - Validation feedback is actionable and precise
141
-
142
- ### **Test Coverage**: ✅ Complete
143
- - 10 comprehensive test scenarios covering all validation logic
144
- - 100% expected behavior validation
145
- - Automated test framework ready for CI/CD integration
146
- - Edge cases and error conditions properly handled
147
-
148
- ### **Core Functionality**: ✅ Complete
149
- - Capability-focused analysis engine fully operational
150
- - Domain validation with auto-downgrade working correctly
151
- - Enhanced tool type detection with context awareness
152
- - Evidence-based confidence scoring functioning properly
153
-
154
- ---
155
-
156
- ## 🎊 Days 5-6 Achievement Summary
157
-
158
- **🎯 Mission Accomplished**: The Framework MCP now provides a **production-ready user experience** with:
159
-
160
- 1. **Crystal Clear Interface**: Every user-facing message uses capability-focused language
161
- 2. **Comprehensive Testing**: 10-scenario test suite validates entire transformation
162
- 3. **User Guidance**: Clear capability role definitions and evidence requirements
163
- 4. **Quality Assurance**: Automated testing framework ready for continuous integration
164
-
165
- **The paradigm shift is now complete at the user experience level** - practitioners interact with a tool that clearly asks "What capability role does this vendor play?" instead of "How much compliance coverage do they provide?"
166
-
167
- ---
168
-
169
- ## 📋 Final 2-Day Increment (Days 7-8) Preview
170
-
171
- The foundation is rock-solid. The remaining tasks focus on **performance optimization** and **documentation**:
172
-
173
- 7. **Performance optimization and error handling for production deployment**
174
- 8. **Update documentation and prepare for version 1.1.3 release with capability-focused improvements**
175
-
176
- ---
177
-
178
- **🌟 Days 5-6 Complete: The Framework MCP now delivers an exceptional user experience that perfectly embodies the capability assessment paradigm!**
@@ -1,334 +0,0 @@
1
- # Framework MCP Deployment Guide
2
-
3
- ## Pure Data Provider Architecture: MCP + HTTP API
4
-
5
- Framework MCP v1.4.0 features a **Pure Data Provider architecture** with dual interfaces for maximum flexibility:
6
-
7
- - **MCP Interface**: stdio-based for Claude Code integration with LLM-driven analysis
8
- - **HTTP Interface**: REST API for cloud deployment and Microsoft Copilot integration
9
-
10
- ---
11
-
12
- ## Local Development
13
-
14
- ### MCP Server (stdio)
15
- ```bash
16
- # For Claude Code integration
17
- npm run start:mcp
18
-
19
- # Development with auto-rebuild
20
- npm run dev
21
- ```
22
-
23
- ### HTTP Server (Express.js)
24
- ```bash
25
- # For web/cloud integration
26
- npm run start:http
27
-
28
- # Development with auto-rebuild
29
- npm run dev:http
30
- ```
31
-
32
- ### Test Both Interfaces
33
- ```bash
34
- # Build the project
35
- npm run build
36
-
37
- # Test MCP interface (requires Claude Code)
38
- npm run start:mcp
39
-
40
- # Test HTTP interface
41
- npm run start:http
42
- curl http://localhost:8080/health
43
- ```
44
-
45
- ---
46
-
47
- ## Cloud Deployment
48
-
49
- ### DigitalOcean App Services
50
-
51
- **The HTTP interface solves the stdio binding issue.**
52
-
53
- #### 1. Deploy via GitHub Integration
54
-
55
- 1. Push your code to GitHub
56
- 2. In DigitalOcean Dashboard:
57
- - Create New App
58
- - Connect GitHub repository
59
- - Select branch: `main`
60
- - Use provided `.do/app.yaml` configuration
61
-
62
- #### 2. Deploy via doctl CLI
63
-
64
- ```bash
65
- # Install doctl
66
- snap install doctl
67
-
68
- # Authenticate
69
- doctl auth init
70
-
71
- # Deploy app
72
- doctl apps create .do/app.yaml
73
- ```
74
-
75
- #### 3. Manual Configuration
76
-
77
- If not using app.yaml:
78
-
79
- ```yaml
80
- name: framework-mcp-api
81
- services:
82
- - name: api
83
- run_command: npm run start:http
84
- environment_slug: node-js
85
- http_port: 8080
86
- health_check:
87
- http_path: /health
88
- envs:
89
- - key: NODE_ENV
90
- value: production
91
- ```
92
-
93
- ### Alternative Cloud Platforms
94
-
95
- The HTTP interface is compatible with any Node.js cloud platform:
96
-
97
- #### Railway
98
- ```bash
99
- railway login
100
- railway init
101
- railway up
102
- ```
103
-
104
- #### Render
105
- 1. Connect GitHub repository
106
- 2. Environment: Node.js
107
- 3. Build Command: `npm run build`
108
- 4. Start Command: `npm run start:http`
109
-
110
- #### AWS App Runner
111
- 1. Source: GitHub repository
112
- 2. Runtime: Node.js 18
113
- 3. Build command: `npm run build`
114
- 4. Start command: `npm run start:http`
115
-
116
- ---
117
-
118
- ## Environment Variables
119
-
120
- ### Production Configuration
121
-
122
- ```bash
123
- # Required
124
- NODE_ENV=production
125
- PORT=8080
126
-
127
- # Optional
128
- ALLOWED_ORIGINS=https://your-domain.com,https://app.your-domain.com
129
- ```
130
-
131
- ### Local Development
132
-
133
- ```bash
134
- # Optional
135
- NODE_ENV=development
136
- PORT=8080
137
- ```
138
-
139
- ---
140
-
141
- ## API Endpoints
142
-
143
- ### Health Check
144
- ```bash
145
- GET /health
146
- # Returns server status and metrics
147
- ```
148
-
149
- ### Data Endpoints (Pure Provider Architecture)
150
- ```bash
151
- GET /api/safeguards # List all 153 CIS safeguards
152
- GET /api/safeguards/1.1 # Get detailed safeguard breakdown
153
- GET /api/safeguards/1.1?include_examples=true # Include implementation examples
154
- ```
155
-
156
- ### Monitoring
157
- ```bash
158
- GET /api/metrics # Performance metrics and statistics
159
- GET /api # API documentation and capabilities
160
- ```
161
-
162
- **LLM-Driven Analysis**: The Pure Data Provider architecture supplies authoritative CIS data while LLMs perform sophisticated vendor capability analysis with unlimited flexibility.
163
-
164
- ---
165
-
166
- ## Architecture Benefits
167
-
168
- ### HTTP Interface Advantages
169
- - ✅ **DigitalOcean Compatible**: Uses HTTP instead of stdio
170
- - ✅ **REST API**: Standard HTTP endpoints for data access
171
- - ✅ **Health Checks**: Platform monitoring support
172
- - ✅ **CORS Enabled**: Web application integration
173
- - ✅ **Production Ready**: Error handling, security, compression
174
- - ✅ **Microsoft Copilot**: Custom connector compatibility
175
-
176
- ### MCP Interface Advantages
177
- - ✅ **Claude Code Integration**: Native stdio communication
178
- - ✅ **Tool Discovery**: Automatic tool registration
179
- - ✅ **Type Safety**: Full MCP schema validation
180
- - ✅ **LLM-Driven Analysis**: Direct access to safeguards data for intelligent analysis
181
-
182
- ### Pure Data Provider Benefits
183
- - ✅ **Clean Architecture**: Simple data provision without analysis complexity
184
- - ✅ **LLM Flexibility**: Unlimited analysis approaches and methodologies
185
- - ✅ **Performance Optimized**: Fast data retrieval for real-time analysis
186
- - ✅ **Context-Aware**: LLMs can apply industry, risk, and organizational context
187
- - ✅ **Transparent Reasoning**: Full visibility into analysis logic and evidence
188
-
189
- ---
190
-
191
- ## Migration Guide
192
-
193
- ### Migrating to Pure Data Provider v1.4.0
194
-
195
- 1. **Simplified Architecture**: Analysis logic moved to LLM capability
196
- 2. **Enhanced Flexibility**: Unlimited analysis approaches and methodologies
197
- 3. **Maintained Compatibility**: Both interfaces continue providing data access
198
- 4. **Improved Performance**: Optimized for fast data retrieval
199
-
200
- ### Use Case Guidelines
201
-
202
- **Use MCP Interface When:**
203
- - Integrating with Claude Code for LLM-driven analysis
204
- - Local development and testing
205
- - Direct tool-based interactions with LLMs
206
-
207
- **Use HTTP Interface When:**
208
- - Cloud deployment required (DigitalOcean, Railway, Render)
209
- - Microsoft Copilot custom connector integration
210
- - Web application or API-based access needed
211
- - Distributed team access to CIS Controls data
212
-
213
- ### Analysis Pattern Migration
214
-
215
- **Old Approach (v1.3.7):**
216
- ```bash
217
- POST /api/analyze-vendor-response
218
- # Hardcoded analysis with fixed validation rules
219
- ```
220
-
221
- **New Approach (v1.4.0):**
222
- ```bash
223
- GET /api/safeguards/5.1
224
- # Get authoritative data, then use LLM for sophisticated analysis
225
- ```
226
-
227
- ---
228
-
229
- ## Troubleshooting
230
-
231
- ### Common Issues
232
-
233
- **Build Errors**
234
- ```bash
235
- # Clean rebuild
236
- rm -rf dist node_modules
237
- npm install
238
- npm run build
239
- ```
240
-
241
- **Port Conflicts**
242
- ```bash
243
- # Use different port
244
- PORT=3000 npm run start:http
245
- ```
246
-
247
- **Health Check Failures**
248
- - Ensure `/health` endpoint is accessible
249
- - Check server startup logs
250
- - Verify PORT environment variable
251
-
252
- **CORS Issues**
253
- ```bash
254
- # Update allowed origins
255
- ALLOWED_ORIGINS=https://your-domain.com npm run start:http
256
- ```
257
-
258
- ### DigitalOcean Specific
259
-
260
- **App Won't Start**
261
- - Check build logs for TypeScript errors
262
- - Verify `npm run start:http` command works locally
263
- - Ensure package.json scripts are correct
264
-
265
- **Health Check Fails**
266
- - Verify `/health` endpoint returns 200 status
267
- - Check `http_port: 8080` configuration
268
- - Review app startup time (may need longer initial_delay_seconds)
269
-
270
- **Environment Variables**
271
- - Set `NODE_ENV=production` in app configuration
272
- - Configure `PORT=8080` if not auto-detected
273
-
274
- ---
275
-
276
- ## Performance Optimization
277
-
278
- ### Production Settings
279
- ```bash
280
- NODE_ENV=production # Enables performance logging
281
- ```
282
-
283
- ### Caching
284
- - Safeguard details: 5-minute TTL
285
- - Safeguard lists: 10-minute TTL
286
- - Automatic cleanup: Every 10 minutes
287
-
288
- ### Monitoring
289
- - Built-in performance metrics at `/api/metrics`
290
- - Request counting and error tracking
291
- - Execution time monitoring
292
-
293
- ---
294
-
295
- ## Security
296
-
297
- ### CORS Configuration
298
- ```javascript
299
- // Configurable via environment
300
- ALLOWED_ORIGINS=https://your-domain.com,https://app.your-domain.com
301
- ```
302
-
303
- ### Input Validation
304
- - Request size limits (10MB)
305
- - Text length validation (10-10,000 characters)
306
- - Capability enum validation
307
- - XSS prevention
308
-
309
- ### Rate Limiting
310
- ```javascript
311
- // Add rate limiting middleware (optional)
312
- npm install express-rate-limit
313
- ```
314
-
315
- ---
316
-
317
- ## Success Criteria
318
-
319
- ### HTTP Deployment Successful When:
320
- - ✅ Health check returns 200 status
321
- - ✅ `/api/validate-vendor-mapping` accepts POST requests
322
- - ✅ Content-based capability analysis works correctly
323
- - ✅ All 5 capability roles determined accurately
324
- - ✅ Performance metrics show >95% cache efficiency
325
-
326
- ### Ready for Production When:
327
- - ✅ Build completes without errors
328
- - ✅ Both MCP and HTTP interfaces tested
329
- - ✅ DigitalOcean deployment successful
330
- - ✅ API endpoints return expected capability analysis results
331
-
332
- ---
333
-
334
- **🎉 Framework MCP v1.3.7 solves the DigitalOcean stdio vs HTTP architecture mismatch while preserving full MCP functionality!**