framework-mcp 1.5.2 → 2.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/commands/speckit.analyze.md +184 -0
- package/.claude/commands/speckit.checklist.md +294 -0
- package/.claude/commands/speckit.clarify.md +181 -0
- package/.claude/commands/speckit.constitution.md +82 -0
- package/.claude/commands/speckit.implement.md +135 -0
- package/.claude/commands/speckit.plan.md +89 -0
- package/.claude/commands/speckit.specify.md +258 -0
- package/.claude/commands/speckit.tasks.md +137 -0
- package/.claude/commands/speckit.taskstoissues.md +30 -0
- package/.do/app.yaml +1 -1
- package/.github/dependabot.yml +15 -0
- package/.github/workflows/ci.yml +19 -1
- package/.specify/memory/constitution.md +50 -0
- package/.specify/scripts/bash/check-prerequisites.sh +166 -0
- package/.specify/scripts/bash/common.sh +156 -0
- package/.specify/scripts/bash/create-new-feature.sh +297 -0
- package/.specify/scripts/bash/setup-plan.sh +61 -0
- package/.specify/scripts/bash/update-agent-context.sh +799 -0
- package/.specify/templates/agent-file-template.md +28 -0
- package/.specify/templates/checklist-template.md +40 -0
- package/.specify/templates/plan-template.md +104 -0
- package/.specify/templates/spec-template.md +115 -0
- package/.specify/templates/tasks-template.md +251 -0
- package/README.md +84 -435
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +7295 -2700
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.d.ts +2 -0
- package/dist/interfaces/http/http-server.d.ts.map +1 -1
- package/dist/interfaces/http/http-server.js +95 -3
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/dist/shared/types.d.ts +85 -2
- package/dist/shared/types.d.ts.map +1 -1
- package/dist/shared/types.js +132 -1
- package/dist/shared/types.js.map +1 -1
- package/package.json +7 -4
- package/scripts/standardize-prompts.js +325 -0
- package/scripts/validate-capability-prompts.js +110 -0
- package/src/core/safeguard-manager.ts +12376 -2586
- package/src/interfaces/http/http-server.ts +109 -4
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +268 -2
- package/swagger.json +58 -38
- package/CAPABILITY_TRANSFORMATION_SUMMARY.md +0 -158
- package/CIS_CONTROLS_IMPLEMENTATION_PLAN.md +0 -220
- package/COPILOT_INTEGRATION.md +0 -322
- package/DAYS_5_6_COMPLETION_SUMMARY.md +0 -178
- package/DEPLOYMENT_GUIDE.md +0 -334
- package/DEPLOYMENT_SUMMARY_v1.1.3.md +0 -211
- package/MCP_INTEGRATION_GUIDE.md +0 -285
- package/MIGRATION_GUIDE_v1.4.0.md +0 -190
- package/RELEASE_NOTES_v1.1.3.md +0 -321
- package/RELEASE_NOTES_v1.2.0.md +0 -396
- package/RELEASE_NOTES_v1.3.7.md +0 -275
- package/RELEASE_NOTES_v1.4.0.md +0 -178
- package/SAFEGUARDS_VERIFICATION_LOG.md +0 -157
- package/coordinator-bot-compact.txt +0 -33
- package/coordinator-bot-system-prompt.md +0 -192
- package/docs/installation.md +0 -71
- package/scripts/analyze-data-structure.cjs +0 -74
- package/scripts/clean-safeguards-data.cjs +0 -60
- package/scripts/comprehensive-validation.cjs +0 -176
- package/scripts/count-safeguards.cjs +0 -89
- package/scripts/format-safeguards-proper.cjs +0 -44
- package/scripts/validate-formatted-data.cjs +0 -88
- package/test_capability_integration.js +0 -73
- package/test_comprehensive_scenarios.js +0 -192
- package/test_enhanced_detection.js +0 -74
- package/test_integrated_validation.js +0 -112
- package/test_language_update.js +0 -101
- package/test_live_validation.json +0 -12
- package/test_performance_monitoring.js +0 -124
- package/test_runner_automated.js +0 -156
- package/test_suite_comprehensive.js +0 -218
package/README.md
CHANGED
|
@@ -1,99 +1,43 @@
|
|
|
1
|
-
#
|
|
1
|
+
# Framework MCP
|
|
2
2
|
|
|
3
3
|
[](https://badge.fury.io/js/framework-mcp)
|
|
4
4
|
[](https://creativecommons.org/licenses/by/4.0/)
|
|
5
|
-
[](https://github.com/therealcybermattlee/FrameworkMCP)
|
|
6
|
-
[](https://cyberrise.org)
|
|
7
5
|
|
|
8
|
-
A Model Context Protocol (MCP) server providing **authoritative CIS Controls Framework data**
|
|
6
|
+
A Model Context Protocol (MCP) server providing **authoritative CIS Controls Framework data** for LLM-driven vendor capability analysis. Access all 153 CIS v8.1 safeguards through MCP or HTTP API.
|
|
9
7
|
|
|
10
|
-
##
|
|
11
|
-
|
|
12
|
-
This MCP server empowers security teams to:
|
|
13
|
-
- **Access authoritative CIS Controls data** for all 153 safeguards across 18 controls
|
|
14
|
-
- **Leverage LLM intelligence** for sophisticated, context-aware vendor capability analysis
|
|
15
|
-
- **Perform flexible assessment** across 5 capability types: Full, Partial, Facilitates, Governance, and Validates
|
|
16
|
-
- **Apply custom analysis methodologies** with complete transparency and reasoning
|
|
17
|
-
|
|
18
|
-
## 🎯 The 5 Capability Roles
|
|
19
|
-
|
|
20
|
-
| Capability Role | Description | LLM Analysis Approach |
|
|
21
|
-
|-----------------|-------------|----------------------|
|
|
22
|
-
| **FULL** | Complete implementation of safeguard requirements | LLMs assess comprehensive coverage against detailed safeguard data |
|
|
23
|
-
| **PARTIAL** | Limited scope implementation with clear boundaries | LLMs identify scope limitations and coverage gaps |
|
|
24
|
-
| **FACILITATES** | Enhancement capabilities that enable others to implement safeguards better/faster/stronger | LLMs recognize facilitation patterns and indirect support capabilities |
|
|
25
|
-
| **GOVERNANCE** | Policy/process management and oversight capabilities | LLMs evaluate governance elements and process management features |
|
|
26
|
-
| **VALIDATES** | Verification capabilities providing evidence and reporting | LLMs assess audit, monitoring, and reporting capabilities |
|
|
27
|
-
|
|
28
|
-
## 🎨 CIS Controls Framework Integration
|
|
29
|
-
|
|
30
|
-
The server uses the CIS Controls visual framework with color-coded categorization:
|
|
31
|
-
|
|
32
|
-
- **🟠 Orange Elements**: Governance requirements that MUST be met
|
|
33
|
-
- **🟢 Green Elements**: Core "what" of the safeguard
|
|
34
|
-
- **🟡 Yellow Elements**: Sub-taxonomical components
|
|
35
|
-
- **⚫ Gray Elements**: Implementation suggestions and methods
|
|
36
|
-
|
|
37
|
-
## 🚀 Installation & Deployment
|
|
38
|
-
|
|
39
|
-
### Prerequisites
|
|
40
|
-
- Node.js 18+
|
|
41
|
-
- Claude Code CLI tool (for MCP usage)
|
|
42
|
-
- Microsoft Copilot Studio (for custom connector usage)
|
|
8
|
+
## Quick Start
|
|
43
9
|
|
|
44
10
|
### Install from npm
|
|
45
11
|
```bash
|
|
46
12
|
npm install -g framework-mcp
|
|
47
13
|
```
|
|
48
14
|
|
|
49
|
-
### Update to Latest Version
|
|
50
|
-
```bash
|
|
51
|
-
npm update -g framework-mcp
|
|
52
|
-
```
|
|
53
|
-
|
|
54
|
-
Or reinstall to get the latest version:
|
|
55
|
-
```bash
|
|
56
|
-
npm uninstall -g framework-mcp
|
|
57
|
-
npm install -g framework-mcp
|
|
58
|
-
```
|
|
59
|
-
|
|
60
15
|
### Install from source
|
|
61
16
|
```bash
|
|
62
17
|
git clone https://github.com/therealcybermattlee/FrameworkMCP.git
|
|
63
18
|
cd FrameworkMCP
|
|
64
|
-
npm install
|
|
65
|
-
npm run build
|
|
66
|
-
```
|
|
67
|
-
|
|
68
|
-
### Cloud Deployment Options
|
|
69
|
-
|
|
70
|
-
#### Option 1: DigitalOcean App Services
|
|
71
|
-
```bash
|
|
72
|
-
# Deploy using the included configuration
|
|
73
|
-
doctl apps create .do/app.yaml
|
|
19
|
+
npm install && npm run build
|
|
74
20
|
```
|
|
75
21
|
|
|
76
|
-
|
|
77
|
-
```bash
|
|
78
|
-
railway login
|
|
79
|
-
railway up
|
|
80
|
-
```
|
|
22
|
+
## Configuration
|
|
81
23
|
|
|
82
|
-
|
|
83
|
-
Connect your GitHub repository and use:
|
|
84
|
-
- **Build Command**: `npm install && npm run build`
|
|
85
|
-
- **Start Command**: `npm run start:http`
|
|
86
|
-
- **Port**: 8080
|
|
24
|
+
### MCP Integration (Claude Code)
|
|
87
25
|
|
|
88
|
-
|
|
89
|
-
Deploy to any cloud platform and use the included `swagger.json` for Copilot integration.
|
|
26
|
+
Add to `~/.config/claude-code/mcp.json`:
|
|
90
27
|
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
28
|
+
```json
|
|
29
|
+
{
|
|
30
|
+
"mcpServers": {
|
|
31
|
+
"framework-analyzer": {
|
|
32
|
+
"command": "framework-mcp",
|
|
33
|
+
"args": [],
|
|
34
|
+
"env": {}
|
|
35
|
+
}
|
|
36
|
+
}
|
|
37
|
+
}
|
|
38
|
+
```
|
|
96
39
|
|
|
40
|
+
Or if installed from source:
|
|
97
41
|
```json
|
|
98
42
|
{
|
|
99
43
|
"mcpServers": {
|
|
@@ -106,402 +50,107 @@ Add to your MCP configuration file (`~/.config/claude-code/mcp.json`):
|
|
|
106
50
|
}
|
|
107
51
|
```
|
|
108
52
|
|
|
109
|
-
###
|
|
110
|
-
|
|
111
|
-
#### Step 1: Deploy HTTP API
|
|
112
|
-
Deploy the Framework MCP HTTP API to any cloud platform (DigitalOcean, Railway, Render, etc.)
|
|
113
|
-
|
|
114
|
-
#### Step 2: Create Custom Connector in Copilot Studio
|
|
115
|
-
1. Open **Microsoft Copilot Studio**
|
|
116
|
-
2. Navigate to **Data** → **Custom connectors**
|
|
117
|
-
3. Click **+ New custom connector** → **Import from OpenAPI file**
|
|
118
|
-
4. Upload the `swagger.json` file from this repository
|
|
119
|
-
5. Update the **Host** field to your deployed API URL
|
|
120
|
-
6. Save and test the connector
|
|
53
|
+
### HTTP API (Local)
|
|
121
54
|
|
|
122
|
-
#### Step 3: Configure Connection
|
|
123
|
-
1. Create a new connection using your custom connector
|
|
124
|
-
2. No authentication required (public API)
|
|
125
|
-
3. Test with the `/health` endpoint to verify connectivity
|
|
126
|
-
|
|
127
|
-
#### Step 4: Create Copilot Actions
|
|
128
|
-
In your Copilot, create actions for capability assessment:
|
|
129
|
-
|
|
130
|
-
**Primary Action - Validate Vendor Capability:**
|
|
131
|
-
```
|
|
132
|
-
Action: Validate Vendor Mapping
|
|
133
|
-
Description: Validate vendor capability claims against CIS Controls through content analysis
|
|
134
|
-
Connector: Framework MCP Custom Connector
|
|
135
|
-
Operation: validateVendorMapping
|
|
136
|
-
Parameters:
|
|
137
|
-
- vendor_name: {User provided vendor name}
|
|
138
|
-
- safeguard_id: {CIS safeguard ID like "1.1"}
|
|
139
|
-
- claimed_capability: {full|partial|facilitates|governance|validates}
|
|
140
|
-
- supporting_text: {Vendor response text}
|
|
141
|
-
```
|
|
142
|
-
|
|
143
|
-
**Secondary Action - Analyze Response:**
|
|
144
|
-
```
|
|
145
|
-
Action: Analyze Vendor Response
|
|
146
|
-
Description: Determine appropriate capability role for vendor response
|
|
147
|
-
Connector: Framework MCP Custom Connector
|
|
148
|
-
Operation: analyzeVendorResponse
|
|
149
|
-
Parameters:
|
|
150
|
-
- vendor_name: {User provided vendor name}
|
|
151
|
-
- safeguard_id: {CIS safeguard ID}
|
|
152
|
-
- response_text: {Vendor response to analyze}
|
|
153
|
-
```
|
|
154
|
-
|
|
155
|
-
#### Step 5: Example Copilot Prompts
|
|
156
|
-
Once configured, users can interact with your Copilot:
|
|
157
|
-
|
|
158
|
-
```
|
|
159
|
-
"Validate this vendor capability: CrowdStrike Falcon claims FULL coverage for safeguard 1.1 with this response: 'Our platform provides comprehensive enterprise asset inventory with real-time discovery, automated classification, and continuous monitoring of all hardware and software assets.'"
|
|
160
|
-
|
|
161
|
-
"Analyze this vendor response for safeguard 5.1: Microsoft Entra ID - 'We provide centralized identity management with automated user provisioning, role-based access controls, and integration with all major business applications.'"
|
|
162
|
-
|
|
163
|
-
"What are the requirements for CIS safeguard 6.3?"
|
|
164
|
-
```
|
|
165
|
-
|
|
166
|
-
### Verify Installation
|
|
167
55
|
```bash
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
# For HTTP API usage
|
|
172
|
-
curl https://your-api-url.com/health
|
|
173
|
-
|
|
174
|
-
# For Copilot testing
|
|
175
|
-
curl -X POST https://your-api-url.com/api/validate-vendor-mapping \
|
|
176
|
-
-H "Content-Type: application/json" \
|
|
177
|
-
-d '{"vendor_name":"Test Vendor","safeguard_id":"1.1","claimed_capability":"facilitates","supporting_text":"We provide supplemental asset tracking capabilities that enhance existing inventory systems."}'
|
|
56
|
+
npm run start:http
|
|
57
|
+
# Server runs on http://localhost:8080
|
|
178
58
|
```
|
|
179
59
|
|
|
180
|
-
##
|
|
60
|
+
## API Reference
|
|
181
61
|
|
|
182
|
-
###
|
|
183
|
-
|
|
184
|
-
```bash
|
|
185
|
-
claude-code "Get safeguard details for 5.1, then analyze this vendor response: SecureIAM Corp - 'Our tool is a full identity provider with comprehensive account management. We maintain detailed user inventories including names, usernames, departments, and access rights. Automated quarterly reviews ensure all accounts are authorized and compliant.' Determine appropriate capability role and provide confidence assessment."
|
|
186
|
-
```
|
|
187
|
-
|
|
188
|
-
### Context-Aware Analysis
|
|
189
|
-
|
|
190
|
-
```bash
|
|
191
|
-
claude-code "Get safeguard 8.2 details. For a high-risk financial services environment, analyze this logging solution: 'We collect endpoint telemetry and forward logs to SIEM platforms.' Consider regulatory requirements (SOX, PCI-DSS) and determine capability role with implementation recommendations."
|
|
192
|
-
```
|
|
193
|
-
|
|
194
|
-
### Multi-Vendor Comparative Analysis
|
|
195
|
-
|
|
196
|
-
```bash
|
|
197
|
-
claude-code "Get safeguard 1.1 details. Compare these asset management solutions and rank by implementation completeness for a 500-employee company: 1) Lansweeper: 'Complete network discovery and automated inventory' 2) ServiceNow: 'CMDB with manual asset entry workflows' 3) Microsoft Intune: 'Managed device tracking with Azure AD integration'. Provide deployment complexity assessment."
|
|
198
|
-
```
|
|
199
|
-
|
|
200
|
-
### Bulk Analysis from File
|
|
201
|
-
|
|
202
|
-
Create `vendors.csv`:
|
|
203
|
-
```csv
|
|
204
|
-
vendor,safeguard,response
|
|
205
|
-
VendorA,5.1,"Complete IAM solution with policy management and quarterly reviews"
|
|
206
|
-
VendorB,5.1,"Basic user directory with manual account tracking"
|
|
207
|
-
VendorC,6.3,"MFA enforcement for all external applications with SSO integration"
|
|
208
|
-
```
|
|
209
|
-
|
|
210
|
-
```bash
|
|
211
|
-
claude-code "Get details for safeguards referenced in vendors.csv. Analyze each vendor response, determine capability roles, and provide implementation roadmap recommendations based on organizational gaps."
|
|
212
|
-
```
|
|
213
|
-
|
|
214
|
-
### Claim Validation Assessment
|
|
215
|
-
|
|
216
|
-
```bash
|
|
217
|
-
claude-code "Get safeguard 12.4 details. This vendor claims FULL capability for network boundary monitoring: 'We monitor all network traffic, identify unauthorized devices, and generate real-time alerts.' Validate this claim against the specific safeguard requirements and provide evidence-based assessment."
|
|
218
|
-
```
|
|
219
|
-
|
|
220
|
-
### Risk-Based Analysis
|
|
221
|
-
|
|
222
|
-
```bash
|
|
223
|
-
claude-code "Get safeguard 11.1 details. For a healthcare organization with HIPAA requirements, assess Veeam Backup's capability: 'Automated daily backups with 99.9% recovery success rate and quarterly recovery testing.' Focus on governance and validation aspects."
|
|
224
|
-
```
|
|
225
|
-
|
|
226
|
-
## 📊 Sample LLM Analysis Patterns
|
|
227
|
-
|
|
228
|
-
### Context-Aware Assessment Response
|
|
229
|
-
```
|
|
230
|
-
ASSESSMENT: SecureIAM Corp - Safeguard 5.1 Analysis
|
|
231
|
-
|
|
232
|
-
CAPABILITY DETERMINATION: FULL + GOVERNANCE + VALIDATES
|
|
233
|
-
CONFIDENCE: 87%
|
|
234
|
-
|
|
235
|
-
ANALYSIS:
|
|
236
|
-
Based on safeguard 5.1 requirements for comprehensive account inventory management:
|
|
237
|
-
|
|
238
|
-
✅ CORE REQUIREMENTS COVERAGE:
|
|
239
|
-
- Complete user inventory (names, usernames, departments)
|
|
240
|
-
- Access rights tracking and management
|
|
241
|
-
- Identity provider capabilities with centralized management
|
|
242
|
-
|
|
243
|
-
✅ GOVERNANCE ELEMENTS:
|
|
244
|
-
- Automated quarterly review processes
|
|
245
|
-
- Compliance verification workflows
|
|
246
|
-
- Policy enforcement capabilities
|
|
247
|
-
|
|
248
|
-
✅ VALIDATION CAPABILITIES:
|
|
249
|
-
- Continuous monitoring and reporting
|
|
250
|
-
- Authorization verification
|
|
251
|
-
- Compliance status tracking
|
|
252
|
-
|
|
253
|
-
EVIDENCE QUALITY: High - Specific implementation details provided
|
|
254
|
-
SCOPE DEFINITION: Comprehensive enterprise account management
|
|
255
|
-
|
|
256
|
-
RECOMMENDATION: Strong FULL capability alignment with additional governance and validation roles. Suitable for enterprise Implementation Group 2-3 deployments.
|
|
257
|
-
```
|
|
258
|
-
|
|
259
|
-
### Multi-Vendor Comparison Response
|
|
260
|
-
```
|
|
261
|
-
COMPARATIVE ANALYSIS: Asset Management Solutions for Safeguard 1.1
|
|
262
|
-
|
|
263
|
-
RANKING BY IMPLEMENTATION COMPLETENESS:
|
|
264
|
-
|
|
265
|
-
1. 🥇 LANSWEEPER (FULL + VALIDATES)
|
|
266
|
-
- Comprehensive automated discovery
|
|
267
|
-
- Network-wide asset visibility
|
|
268
|
-
- Strong for 500-employee deployment
|
|
269
|
-
- Implementation: Medium complexity
|
|
270
|
-
|
|
271
|
-
2. 🥈 MICROSOFT INTUNE (PARTIAL + GOVERNANCE)
|
|
272
|
-
- Managed device focus (limited scope)
|
|
273
|
-
- Strong Azure AD integration
|
|
274
|
-
- Governance capabilities present
|
|
275
|
-
- Implementation: Low complexity (if using Microsoft stack)
|
|
276
|
-
|
|
277
|
-
3. 🥉 SERVICENOW (FACILITATES + GOVERNANCE)
|
|
278
|
-
- CMDB foundation requires manual processes
|
|
279
|
-
- Strong workflow and governance features
|
|
280
|
-
- Facilitates comprehensive asset management
|
|
281
|
-
- Implementation: High complexity
|
|
282
|
-
|
|
283
|
-
RECOMMENDATION: Lansweeper provides best immediate coverage for IG1 requirements. Consider Intune if Microsoft-centric environment, ServiceNow for complex enterprise with mature processes.
|
|
284
|
-
```
|
|
285
|
-
|
|
286
|
-
### Risk-Based Healthcare Analysis
|
|
287
|
-
```
|
|
288
|
-
HIPAA-FOCUSED ANALYSIS: Veeam Backup vs Safeguard 11.1
|
|
289
|
-
|
|
290
|
-
CAPABILITY: FULL + VALIDATES
|
|
291
|
-
COMPLIANCE CONFIDENCE: 92%
|
|
292
|
-
|
|
293
|
-
HIPAA CONSIDERATIONS:
|
|
294
|
-
✅ Recovery time objectives meet healthcare uptime requirements
|
|
295
|
-
✅ Quarterly testing demonstrates due diligence
|
|
296
|
-
✅ 99.9% success rate supports business continuity
|
|
297
|
-
|
|
298
|
-
GOVERNANCE ALIGNMENT:
|
|
299
|
-
- Documented recovery procedures (required for HIPAA)
|
|
300
|
-
- Regular testing and validation processes
|
|
301
|
-
- Performance metrics and reporting
|
|
302
|
-
|
|
303
|
-
GAPS TO ADDRESS:
|
|
304
|
-
- Verify encryption at rest/in transit for PHI
|
|
305
|
-
- Confirm audit logging capabilities
|
|
306
|
-
- Validate access controls for backup systems
|
|
307
|
-
|
|
308
|
-
IMPLEMENTATION RECOMMENDATION: Strong foundation for HIPAA compliance. Supplement with documented encryption policies and access control procedures.
|
|
309
|
-
```
|
|
310
|
-
|
|
311
|
-
## 🔧 Available Tools
|
|
62
|
+
### MCP Tools
|
|
312
63
|
|
|
313
64
|
| Tool | Description |
|
|
314
65
|
|------|-------------|
|
|
315
|
-
| `get_safeguard_details` |
|
|
316
|
-
| `list_available_safeguards` | List all
|
|
317
|
-
|
|
318
|
-
**Pure Data Provider Architecture**: Framework MCP provides authoritative CIS Controls data while LLMs perform sophisticated, context-aware capability analysis with unlimited flexibility.
|
|
66
|
+
| `get_safeguard_details` | Get detailed safeguard breakdown with capability-specific prompts |
|
|
67
|
+
| `list_available_safeguards` | List all 153 CIS safeguards |
|
|
319
68
|
|
|
320
|
-
|
|
69
|
+
### HTTP Endpoints
|
|
321
70
|
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
}
|
|
330
|
-
]
|
|
331
|
-
```
|
|
71
|
+
| Endpoint | Description |
|
|
72
|
+
|----------|-------------|
|
|
73
|
+
| `GET /health` | Health check |
|
|
74
|
+
| `GET /api` | API documentation |
|
|
75
|
+
| `GET /api/safeguards` | List all safeguards |
|
|
76
|
+
| `GET /api/safeguards/:id` | Get safeguard details |
|
|
77
|
+
| `GET /api/safeguards/:id?include_examples=true` | Include implementation examples |
|
|
332
78
|
|
|
333
|
-
|
|
334
|
-
```csv
|
|
335
|
-
vendor,safeguard,response
|
|
336
|
-
VendorName,5.1,"Response text..."
|
|
337
|
-
```
|
|
79
|
+
## Usage Examples
|
|
338
80
|
|
|
339
|
-
###
|
|
340
|
-
```
|
|
341
|
-
|
|
342
|
-
|
|
343
|
-
|
|
344
|
-
Vendor: AnotherVendor - Safeguard: 6.3
|
|
345
|
-
Another response...
|
|
81
|
+
### MCP (Claude Code)
|
|
82
|
+
```bash
|
|
83
|
+
claude-code "Use get_safeguard_details for safeguard 1.1"
|
|
84
|
+
claude-code "List all available CIS safeguards"
|
|
346
85
|
```
|
|
347
86
|
|
|
348
|
-
|
|
349
|
-
|
|
350
|
-
Framework MCP v1.4.0's **Pure Data Provider architecture** empowers LLMs to perform sophisticated vendor capability analysis with unprecedented flexibility and intelligence.
|
|
351
|
-
|
|
352
|
-
### Key Benefits Over Hardcoded Analysis
|
|
353
|
-
|
|
354
|
-
| Advantage | Description | LLM Capability |
|
|
355
|
-
|-----------|-------------|----------------|
|
|
356
|
-
| **Context Awareness** | Analysis considers industry, risk profile, and organizational needs | LLMs understand sector-specific requirements and compliance frameworks |
|
|
357
|
-
| **Analytical Flexibility** | Apply custom methodologies and assessment criteria | Multiple analysis approaches: strict compliance, risk-based, comparative |
|
|
358
|
-
| **Transparent Reasoning** | Complete visibility into analysis logic and evidence evaluation | LLMs explain their reasoning and provide detailed justifications |
|
|
359
|
-
| **Adaptive Intelligence** | Dynamic assessment based on evolving requirements | LLMs can adjust analysis based on new information or changing priorities |
|
|
360
|
-
| **Natural Language** | Complex analysis requests in plain English | No need for rigid tool parameters or predefined validation rules |
|
|
361
|
-
|
|
362
|
-
### Enhanced Analysis Capabilities
|
|
363
|
-
|
|
364
|
-
**Multi-Dimensional Assessment**: LLMs can simultaneously evaluate:
|
|
365
|
-
- Technical capability alignment with safeguard requirements
|
|
366
|
-
- Deployment complexity and organizational fit
|
|
367
|
-
- Risk mitigation effectiveness and compliance coverage
|
|
368
|
-
- Integration potential with existing technology stacks
|
|
369
|
-
- Cost-benefit analysis and implementation roadmaps
|
|
370
|
-
|
|
371
|
-
**Advanced Analysis Patterns**:
|
|
372
|
-
- **Comparative Vendor Evaluation**: Rank multiple solutions against specific criteria
|
|
373
|
-
- **Gap Analysis**: Identify coverage gaps and recommend complementary tools
|
|
374
|
-
- **Risk-Based Assessment**: Prioritize capability importance based on threat landscape
|
|
375
|
-
- **Compliance Mapping**: Align vendor capabilities with regulatory requirements
|
|
376
|
-
- **Implementation Planning**: Generate deployment strategies and success metrics
|
|
377
|
-
|
|
378
|
-
### Flexibility Examples
|
|
379
|
-
|
|
87
|
+
### HTTP API
|
|
380
88
|
```bash
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
# Technology stack integration assessment
|
|
385
|
-
claude-code "Get safeguard 16.1 details. We use Azure DevOps and GitHub. Analyze how SonarQube integrates with our pipeline for secure code analysis and recommend configuration best practices."
|
|
386
|
-
|
|
387
|
-
# Risk-based prioritization
|
|
388
|
-
claude-code "Get details for safeguards 13.1, 13.3, and 13.6. Our organization faces advanced persistent threats. Rank these network monitoring vendors by threat detection capability: 1) CrowdStrike Falcon 2) SentinelOne 3) Microsoft Defender for Endpoint."
|
|
89
|
+
curl http://localhost:8080/api/safeguards
|
|
90
|
+
curl http://localhost:8080/api/safeguards/1.1
|
|
91
|
+
curl http://localhost:8080/api/safeguards/5.1?include_examples=true
|
|
389
92
|
```
|
|
390
93
|
|
|
391
|
-
##
|
|
94
|
+
## The 5 Capability Roles
|
|
392
95
|
|
|
393
|
-
|
|
394
|
-
- **153 total safeguards** across all 18 controls
|
|
395
|
-
- **Full framework coverage** from Controls 1-18
|
|
396
|
-
- **Comprehensive vendor analysis** capability for all CIS safeguards
|
|
96
|
+
Each safeguard includes prompts for five assessment types:
|
|
397
97
|
|
|
398
|
-
|
|
399
|
-
|
|
400
|
-
|
|
401
|
-
|
|
402
|
-
|
|
403
|
-
|
|
98
|
+
| Role | Field | Use Case |
|
|
99
|
+
|------|-------|----------|
|
|
100
|
+
| **Full** | `systemPromptFull` | Vendor claims complete implementation |
|
|
101
|
+
| **Partial** | `systemPromptPartial` | Vendor provides limited features |
|
|
102
|
+
| **Facilitates** | `systemPromptFacilitates` | Tool enables others to implement |
|
|
103
|
+
| **Governance** | `systemPromptGovernance` | Policy/process/oversight capabilities |
|
|
104
|
+
| **Validates** | `systemPromptValidates` | Audit/evidence/reporting capabilities |
|
|
404
105
|
|
|
405
|
-
##
|
|
106
|
+
## Cloud Deployment
|
|
406
107
|
|
|
407
|
-
###
|
|
108
|
+
### DigitalOcean App Services
|
|
408
109
|
```bash
|
|
409
|
-
|
|
410
|
-
cd FrameworkMCP
|
|
411
|
-
npm install
|
|
412
|
-
npm run build
|
|
413
|
-
```
|
|
414
|
-
|
|
415
|
-
### Add New Safeguards
|
|
416
|
-
Edit `src/core/safeguard-manager.ts` and add to the `initializeSafeguards()` method:
|
|
417
|
-
|
|
418
|
-
```typescript
|
|
419
|
-
"X.Y": {
|
|
420
|
-
id: "X.Y",
|
|
421
|
-
title: "Safeguard Title",
|
|
422
|
-
description: "Description...",
|
|
423
|
-
implementationGroup: "IG1",
|
|
424
|
-
governanceElements: [...], // Orange - MUST be met
|
|
425
|
-
coreRequirements: [...], // Green - The "what"
|
|
426
|
-
subTaxonomicalElements: [...], // Yellow - Sub-elements
|
|
427
|
-
implementationSuggestions: [...], // Gray - Suggestions
|
|
428
|
-
// ...
|
|
429
|
-
}
|
|
110
|
+
doctl apps create .do/app.yaml
|
|
430
111
|
```
|
|
431
112
|
|
|
432
|
-
###
|
|
113
|
+
### Railway
|
|
433
114
|
```bash
|
|
434
|
-
|
|
115
|
+
railway login && railway up
|
|
435
116
|
```
|
|
436
117
|
|
|
437
|
-
|
|
438
|
-
|
|
439
|
-
|
|
440
|
-
|
|
441
|
-
3. Commit your changes (`git commit -m 'Add amazing feature'`)
|
|
442
|
-
4. Push to the branch (`git push origin feature/amazing-feature`)
|
|
443
|
-
5. Open a Pull Request
|
|
118
|
+
### Render
|
|
119
|
+
- **Build**: `npm install && npm run build`
|
|
120
|
+
- **Start**: `npm run start:http`
|
|
121
|
+
- **Port**: 8080
|
|
444
122
|
|
|
445
|
-
###
|
|
446
|
-
- Follow the existing code style
|
|
447
|
-
- Add tests for new features
|
|
448
|
-
- Update documentation
|
|
449
|
-
- Ensure all tests pass
|
|
123
|
+
### Environment Variables
|
|
450
124
|
|
|
451
|
-
|
|
125
|
+
| Variable | Default | Description |
|
|
126
|
+
|----------|---------|-------------|
|
|
127
|
+
| `PORT` | 8080 | HTTP server port |
|
|
128
|
+
| `NODE_ENV` | development | Environment mode |
|
|
129
|
+
| `ALLOWED_ORIGINS` | localhost:3000 | CORS allowed origins (comma-separated) |
|
|
130
|
+
| `RATE_LIMIT_WINDOW_MS` | 60000 | Rate limit window (ms) |
|
|
131
|
+
| `RATE_LIMIT_MAX` | 100 | Max requests per window |
|
|
452
132
|
|
|
453
|
-
|
|
454
|
-
- [API Reference](docs/api-reference.md)
|
|
455
|
-
- [CIS Safeguards Reference](docs/safeguards-reference.md)
|
|
456
|
-
- [Example Usage](examples/example-usage.md)
|
|
457
|
-
- **[Microsoft Copilot Integration Guide](COPILOT_INTEGRATION.md)** - Complete setup guide for custom connectors
|
|
458
|
-
- [Deployment Guide](DEPLOYMENT_GUIDE.md) - Cloud deployment instructions
|
|
459
|
-
- [OpenAPI Specification](swagger.json) - Complete API schema for integrations
|
|
133
|
+
## CIS Controls Coverage
|
|
460
134
|
|
|
461
|
-
|
|
135
|
+
- **153 safeguards** across 18 controls
|
|
136
|
+
- **CIS Controls v8.1** framework
|
|
137
|
+
- **Color-coded elements**: Governance (orange), Core (green), Sub-elements (yellow), Suggestions (gray)
|
|
462
138
|
|
|
463
|
-
|
|
139
|
+
## Development
|
|
464
140
|
|
|
465
|
-
**Permission denied:**
|
|
466
141
|
```bash
|
|
467
|
-
|
|
142
|
+
npm run build # Compile TypeScript
|
|
143
|
+
npm run start:mcp # Run MCP server
|
|
144
|
+
npm run start:http # Run HTTP server
|
|
145
|
+
npm run dev # Build + run MCP
|
|
146
|
+
npm run dev:http # Build + run HTTP
|
|
468
147
|
```
|
|
469
148
|
|
|
470
|
-
|
|
471
|
-
```bash
|
|
472
|
-
npm install
|
|
473
|
-
npm run build
|
|
474
|
-
```
|
|
475
|
-
|
|
476
|
-
**MCP server not connecting:**
|
|
477
|
-
- Check Claude Code MCP configuration
|
|
478
|
-
- Verify file paths are absolute
|
|
479
|
-
- Ensure Node.js version compatibility
|
|
480
|
-
|
|
481
|
-
## 📄 License
|
|
482
|
-
|
|
483
|
-
This project is licensed under the Creative Commons Attribution 4.0 International License by Cyber RISE, Inc - see the [LICENSE](LICENSE) file for details.
|
|
484
|
-
|
|
485
|
-
You are free to:
|
|
486
|
-
- **Share** — copy and redistribute the material in any medium or format
|
|
487
|
-
- **Adapt** — remix, transform, and build upon the material for any purpose, even commercially
|
|
488
|
-
|
|
489
|
-
Under the following terms:
|
|
490
|
-
- **Attribution** — You must give appropriate credit to Cyber RISE, Inc, provide a link to the license, and indicate if changes were made
|
|
491
|
-
|
|
492
|
-
## 🙏 Acknowledgments
|
|
493
|
-
|
|
494
|
-
- **Center for Internet Security (CIS)** for the CIS Controls Framework
|
|
495
|
-
- **Pax8** and community contributors for the CIS Controls visualizations
|
|
496
|
-
- **Anthropic** for the Model Context Protocol and Claude Code
|
|
497
|
-
|
|
498
|
-
## 📞 Support
|
|
149
|
+
## License
|
|
499
150
|
|
|
500
|
-
|
|
501
|
-
- 📖 **Documentation**: [Project Wiki](https://github.com/therealcybermattlee/FrameworkMCP/wiki)
|
|
502
|
-
- 💬 **Discussions**: [GitHub Discussions](https://github.com/therealcybermattlee/FrameworkMCP/discussions)
|
|
503
|
-
- 🐦 **Updates**: Follow [@cybermattlee](https://twitter.com/cybermattlee) for project updates
|
|
151
|
+
Creative Commons Attribution 4.0 International License - [Cyber RISE, Inc](https://cyberrise.org)
|
|
504
152
|
|
|
505
|
-
|
|
153
|
+
## Support
|
|
506
154
|
|
|
507
|
-
|
|
155
|
+
- [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
|
|
156
|
+
- [GitHub Discussions](https://github.com/therealcybermattlee/FrameworkMCP/discussions)
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;
|
|
1
|
+
{"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;CAsghB7B"}
|