framework-mcp 1.5.3 → 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. package/.claude/commands/speckit.analyze.md +184 -0
  2. package/.claude/commands/speckit.checklist.md +294 -0
  3. package/.claude/commands/speckit.clarify.md +181 -0
  4. package/.claude/commands/speckit.constitution.md +82 -0
  5. package/.claude/commands/speckit.implement.md +135 -0
  6. package/.claude/commands/speckit.plan.md +89 -0
  7. package/.claude/commands/speckit.specify.md +258 -0
  8. package/.claude/commands/speckit.tasks.md +137 -0
  9. package/.claude/commands/speckit.taskstoissues.md +30 -0
  10. package/.do/app.yaml +1 -1
  11. package/.github/dependabot.yml +15 -0
  12. package/.github/workflows/ci.yml +19 -1
  13. package/.specify/memory/constitution.md +50 -0
  14. package/.specify/scripts/bash/check-prerequisites.sh +166 -0
  15. package/.specify/scripts/bash/common.sh +156 -0
  16. package/.specify/scripts/bash/create-new-feature.sh +297 -0
  17. package/.specify/scripts/bash/setup-plan.sh +61 -0
  18. package/.specify/scripts/bash/update-agent-context.sh +799 -0
  19. package/.specify/templates/agent-file-template.md +28 -0
  20. package/.specify/templates/checklist-template.md +40 -0
  21. package/.specify/templates/plan-template.md +104 -0
  22. package/.specify/templates/spec-template.md +115 -0
  23. package/.specify/templates/tasks-template.md +251 -0
  24. package/README.md +84 -435
  25. package/dist/core/safeguard-manager.d.ts.map +1 -1
  26. package/dist/core/safeguard-manager.js +7295 -2700
  27. package/dist/core/safeguard-manager.js.map +1 -1
  28. package/dist/interfaces/http/http-server.d.ts +2 -0
  29. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  30. package/dist/interfaces/http/http-server.js +95 -3
  31. package/dist/interfaces/http/http-server.js.map +1 -1
  32. package/dist/interfaces/mcp/mcp-server.js +3 -3
  33. package/dist/shared/types.d.ts +85 -2
  34. package/dist/shared/types.d.ts.map +1 -1
  35. package/dist/shared/types.js +132 -1
  36. package/dist/shared/types.js.map +1 -1
  37. package/package.json +7 -4
  38. package/scripts/standardize-prompts.js +325 -0
  39. package/scripts/validate-capability-prompts.js +110 -0
  40. package/src/core/safeguard-manager.ts +12376 -2586
  41. package/src/interfaces/http/http-server.ts +109 -4
  42. package/src/interfaces/mcp/mcp-server.ts +3 -3
  43. package/src/shared/types.ts +268 -2
  44. package/swagger.json +56 -36
  45. package/CAPABILITY_TRANSFORMATION_SUMMARY.md +0 -158
  46. package/CIS_CONTROLS_IMPLEMENTATION_PLAN.md +0 -220
  47. package/COPILOT_INTEGRATION.md +0 -322
  48. package/DAYS_5_6_COMPLETION_SUMMARY.md +0 -178
  49. package/DEPLOYMENT_GUIDE.md +0 -334
  50. package/DEPLOYMENT_SUMMARY_v1.1.3.md +0 -211
  51. package/MCP_INTEGRATION_GUIDE.md +0 -285
  52. package/MIGRATION_GUIDE_v1.4.0.md +0 -190
  53. package/RELEASE_NOTES_v1.1.3.md +0 -321
  54. package/RELEASE_NOTES_v1.2.0.md +0 -396
  55. package/RELEASE_NOTES_v1.3.7.md +0 -275
  56. package/RELEASE_NOTES_v1.4.0.md +0 -178
  57. package/SAFEGUARDS_VERIFICATION_LOG.md +0 -157
  58. package/coordinator-bot-compact.txt +0 -33
  59. package/coordinator-bot-system-prompt.md +0 -192
  60. package/docs/installation.md +0 -71
  61. package/scripts/analyze-data-structure.cjs +0 -74
  62. package/scripts/clean-safeguards-data.cjs +0 -60
  63. package/scripts/comprehensive-validation.cjs +0 -176
  64. package/scripts/count-safeguards.cjs +0 -89
  65. package/scripts/format-safeguards-proper.cjs +0 -44
  66. package/scripts/validate-formatted-data.cjs +0 -88
  67. package/test_capability_integration.js +0 -73
  68. package/test_comprehensive_scenarios.js +0 -192
  69. package/test_enhanced_detection.js +0 -74
  70. package/test_integrated_validation.js +0 -112
  71. package/test_language_update.js +0 -101
  72. package/test_live_validation.json +0 -12
  73. package/test_performance_monitoring.js +0 -124
  74. package/test_runner_automated.js +0 -156
  75. package/test_suite_comprehensive.js +0 -218
@@ -1,178 +0,0 @@
1
- # Framework MCP v1.4.0 Release Notes
2
-
3
- **"Pure Data Provider Architecture - Empowering LLMs with Authoritative CIS Controls Data"**
4
-
5
- *Released: September 15, 2025*
6
-
7
- ---
8
-
9
- ## 🚀 Major Architectural Advancement
10
-
11
- Framework MCP v1.4.0 represents a **fundamental architectural transformation** from complex vendor analysis to **Pure Data Provider architecture**. This release empowers LLMs with **authoritative CIS Controls v8.1 data** while maximizing analytical flexibility and simplicity.
12
-
13
- ## ✨ What's New
14
-
15
- ### 🏗️ Pure Data Provider Architecture
16
- - **Dramatically simplified codebase**: Removed 500+ lines of complex vendor analysis logic
17
- - **Clean 2-tool architecture**: Focus on authoritative data provision, not analysis
18
- - **Enhanced LLM integration**: Maximum flexibility for sophisticated analysis approaches
19
- - **Maintained data authenticity**: Complete CIS Controls v8.1 dataset (153 safeguards) preserved
20
-
21
- ### 🔧 Simplified Tool Interface
22
- - **`get_safeguard_details`**: Rich, comprehensive safeguard data with full context
23
- - **`list_available_safeguards`**: Complete inventory of available CIS safeguards
24
- - **Removed complexity**: Eliminated confusing `analyze_vendor_response` tool that constrained LLM capabilities
25
-
26
- ### 🧠 LLM Empowerment Benefits
27
- - **Natural analysis workflow**: LLMs can perform vendor capability analysis using native reasoning
28
- - **Context-rich data**: Each safeguard includes governance elements, core requirements, sub-taxonomical elements
29
- - **Flexible approaches**: Support for any analysis methodology or framework
30
- - **Sophisticated reasoning**: Enable complex, multi-step analysis without tool constraints
31
-
32
- ### 🔗 Enhanced Microsoft Copilot Integration
33
- - **Updated custom connector**: Optimized swagger.json for Copilot workflows
34
- - **Data-focused endpoints**: Clean API structure for seamless integration
35
- - **Production-ready**: DigitalOcean App Services deployment support
36
- - **Developer-friendly**: Comprehensive examples and documentation
37
-
38
- ## 🛠️ Technical Improvements
39
-
40
- ### Performance & Reliability
41
- - **Optimized caching**: Intelligent safeguard data caching for faster response times
42
- - **Reduced complexity**: Simplified codebase for better maintainability
43
- - **Error handling**: Robust error management and graceful degradation
44
- - **Type safety**: Strict TypeScript implementation throughout
45
-
46
- ### Developer Experience
47
- - **Cleaner API**: Simplified endpoint structure
48
- - **Better documentation**: Updated examples and integration guides
49
- - **Migration support**: Clear migration path from v1.3.x
50
- - **Testing coverage**: Comprehensive validation suite
51
-
52
- ## 📋 Complete Feature Matrix
53
-
54
- | Feature | v1.3.7 | v1.4.0 | Status |
55
- |---------|---------|---------|---------|
56
- | **Core Functionality** | | | |
57
- | CIS Controls v8.1 Data | ✅ (153 safeguards) | ✅ (153 safeguards) | **Preserved** |
58
- | MCP Server Interface | ✅ | ✅ | **Enhanced** |
59
- | HTTP API Server | ✅ | ✅ | **Simplified** |
60
- | **Tool Interface** | | | |
61
- | get_safeguard_details | ✅ | ✅ | **Enhanced with richer context** |
62
- | list_available_safeguards | ✅ | ✅ | **Maintained** |
63
- | analyze_vendor_response | ✅ | ❌ | **Removed** - LLMs handle analysis natively |
64
- | **Integration Support** | | | |
65
- | Microsoft Copilot | ✅ | ✅ | **Improved with updated connector** |
66
- | DigitalOcean Deployment | ✅ | ✅ | **Maintained** |
67
- | Local Development | ✅ | ✅ | **Simplified** |
68
-
69
- ## 🔄 Migration Guide
70
-
71
- ### From v1.3.x to v1.4.0
72
-
73
- #### **Breaking Changes**
74
- - **`analyze_vendor_response` tool removed**: LLMs now perform analysis using native reasoning with `get_safeguard_details` data
75
- - **Simplified API**: Vendor analysis endpoints removed from HTTP API
76
-
77
- #### **Migration Steps**
78
-
79
- 1. **Update Dependencies**
80
- ```bash
81
- npm update framework-mcp
82
- ```
83
-
84
- 2. **Modify Analysis Workflows**
85
- ```javascript
86
- // OLD v1.3.x approach
87
- await mcp.call("analyze_vendor_response", {
88
- vendor_name: "Example Corp",
89
- safeguard_id: "1.1",
90
- vendor_response: "We provide asset management..."
91
- });
92
-
93
- // NEW v1.4.0 approach - Let LLM analyze with full context
94
- const safeguard = await mcp.call("get_safeguard_details", {
95
- safeguard_id: "1.1",
96
- include_examples: true
97
- });
98
-
99
- // LLM then analyzes vendor response against safeguard data
100
- // Using natural reasoning and sophisticated analysis approaches
101
- ```
102
-
103
- 3. **Update Microsoft Copilot Connectors**
104
- - Import updated `swagger.json`
105
- - Remove vendor analysis action references
106
- - Focus on data retrieval and LLM-driven analysis
107
-
108
- #### **Benefits of Migration**
109
- - **Increased flexibility**: LLMs can use any analysis methodology
110
- - **Better accuracy**: Access to complete safeguard context
111
- - **Reduced complexity**: Simpler tool interface
112
- - **Enhanced reasoning**: Natural language analysis capabilities
113
-
114
- ## 🏆 Success Criteria Achieved
115
-
116
- ✅ **Dramatically simplified codebase** (~500+ lines removed)
117
- ✅ **Clean 2-tool architecture** focused on data provision
118
- ✅ **Maintained authentic CIS Controls data integrity**
119
- ✅ **Enhanced LLM integration capabilities**
120
- ✅ **Comprehensive migration documentation**
121
- ✅ **Updated integration guides for all platforms**
122
-
123
- ## 🔮 Strategic Vision
124
-
125
- **"Data Authenticity + LLM Intelligence = Superior Analysis"**
126
-
127
- Framework MCP v1.4.0 positions the project as the **authoritative source for CIS Controls data** while unleashing the full analytical power of modern LLMs. This architecture:
128
-
129
- - **Preserves authenticity**: Official CIS Controls v8.1 data integrity maintained
130
- - **Maximizes intelligence**: LLMs apply sophisticated reasoning without constraints
131
- - **Ensures scalability**: Simple, clean architecture supports future enhancements
132
- - **Enables innovation**: Foundation for advanced analysis methodologies
133
-
134
- ## 🚀 Getting Started
135
-
136
- ### Quick Installation
137
- ```bash
138
- npm install framework-mcp@1.4.0
139
- ```
140
-
141
- ### MCP Server Usage
142
- ```javascript
143
- import { FrameworkMcpServer } from 'framework-mcp';
144
-
145
- const server = new FrameworkMcpServer();
146
- server.run();
147
- ```
148
-
149
- ### HTTP API Usage
150
- ```javascript
151
- import { FrameworkHttpServer } from 'framework-mcp';
152
-
153
- const server = new FrameworkHttpServer(8080);
154
- server.start();
155
- ```
156
-
157
- ### Microsoft Copilot Integration
158
- 1. Import updated `swagger.json` as custom connector
159
- 2. Use data endpoints to retrieve safeguard information
160
- 3. Let Copilot analyze vendor responses against CIS Controls
161
-
162
- ## 🔗 Resources
163
-
164
- - **Repository**: https://github.com/therealcybermattlee/FrameworkMCP
165
- - **Documentation**: See `/docs` directory for comprehensive guides
166
- - **Migration Guide**: Complete transition documentation included
167
- - **Examples**: Updated integration examples for all platforms
168
- - **Support**: GitHub Issues for questions and feedback
169
-
170
- ## 🙏 Acknowledgments
171
-
172
- This release represents the culmination of extensive architectural evaluation and the recognition that **LLMs perform better analysis when given rich data rather than constrained tools**. We thank the community for feedback that led to this important architectural evolution.
173
-
174
- ---
175
-
176
- **Framework MCP v1.4.0: Where Data Authenticity Meets LLM Intelligence** 🚀
177
-
178
- *For support and questions, please visit our [GitHub repository](https://github.com/therealcybermattlee/FrameworkMCP).*
@@ -1,157 +0,0 @@
1
- # Safeguards Data Verification Log - Sprint 2
2
-
3
- ## MISSION: Verify all 153 safeguards contain ONLY exact elements from CIS Controls PDFs
4
-
5
- ### EXTRACTION RULES:
6
- - 🟠 Orange Elements → Governance requirements (MUST be met)
7
- - 🟢 Green Elements → Core "what" requirements
8
- - 🟡 Yellow Elements → Sub-taxonomical components
9
- - ⚫ Gray Elements → Implementation suggestions/methods
10
- - **ABSOLUTELY NO AI-generated additions, interpretations, or expansions**
11
- - **ONLY extract text exactly as it appears in colored sections**
12
-
13
- ---
14
-
15
- ## VERIFICATION STATUS
16
-
17
- ### CONTROL 1: Inventory and Control of Enterprise Assets
18
-
19
- #### ✅ Safeguard 1.1: Establish and Maintain a Detailed Enterprise Asset Inventory
20
-
21
- **PDF Review Date:** 2025-08-21
22
-
23
- **🟠 Orange Elements (Governance) - FROM PDF:**
24
- - "Establish"
25
- - "Maintain"
26
- - "Enterprise Asset Management Policy / Process"
27
- - "Review and update the inventory of all enterprise assets bi-annually, or more frequently"
28
-
29
- **CURRENT CODE (Governance Elements):**
30
- ```
31
- "establish inventory process",
32
- "maintain inventory process",
33
- "documented process",
34
- "review and update bi-annually",
35
- "enterprise asset management policy"
36
- ```
37
-
38
- **❌ ISSUES FOUND:**
39
- 1. "documented process" - NOT found in PDF orange elements
40
- 2. Missing "or more frequently" from the bi-annual requirement
41
- 3. Elements are paraphrased rather than exact text
42
-
43
- **🟢 Green Elements (Core Requirements) - FROM PDF:**
44
- - "accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data"
45
- - Individual green boxes: "Detailed", "Accurate", "Potential to store or process data"
46
-
47
- **CURRENT CODE (Core Requirements):**
48
- ```
49
- "accurate inventory",
50
- "detailed inventory",
51
- "up-to-date inventory",
52
- "all enterprise assets",
53
- "potential to store or process data"
54
- ```
55
-
56
- **❌ ISSUES FOUND:**
57
- 1. Elements are broken down artificially - should be the complete phrase from the safeguard description
58
- 2. Missing "up-to-date" as a standalone element from the PDF
59
-
60
- **🟡 Yellow Elements (Sub-taxonomical) - FROM PDF:**
61
- From yellow hexagons and boxes:
62
- - "Network Address (IF STATIC)"
63
- - "Hardware Address"
64
- - "Machine Name"
65
- - "Enterprise asset owner"
66
- - "Department for each asset"
67
- - "Asset has been approved to connect to the network"
68
- - "End-User Devices" → "Mobile", "Portable"
69
- - "Network Devices"
70
- - "IOT Devices"
71
- - "Servers"
72
- - "Connected to Infrastructure" → "Physically", "Virtually", "Remotely"
73
- - "Those within cloud environments"
74
- - "Regularly Connected Devices - NOT Under Control of Enterprise"
75
-
76
- **CURRENT CODE (Sub-taxonomical Elements):**
77
- ```
78
- "network address (if static)",
79
- "hardware address",
80
- "machine name",
81
- "enterprise asset owner",
82
- "department for each asset",
83
- "approved to connect to network",
84
- "end-user devices (portable and mobile)",
85
- "network devices",
86
- "non-computing/IoT devices",
87
- "servers",
88
- "physical connection",
89
- "virtual connection",
90
- "remote connection",
91
- "cloud environments",
92
- "regularly connected devices not under enterprise control"
93
- ```
94
-
95
- **❌ ISSUES FOUND:**
96
- 1. "non-computing/IoT devices" should be "IOT Devices" (exact from PDF)
97
- 2. "approved to connect to network" missing "Asset has been" prefix
98
- 3. Connection types are paraphrased ("physical connection" vs "Physically")
99
- 4. "cloud environments" should be "Those within cloud environments"
100
-
101
- **⚫ Gray Elements (Implementation Suggestions) - FROM PDF:**
102
- - "For mobile end-user devices, MDM type tools can support this process, where appropriate"
103
-
104
- **CURRENT CODE (Implementation Suggestions):**
105
- ```
106
- "MDM type tools for mobile devices",
107
- "enterprise and software asset management tool",
108
- "asset discovery tools",
109
- "DHCP logging",
110
- "passive discovery tools"
111
- ```
112
-
113
- **❌ ISSUES FOUND:**
114
- 1. Only includes partial text from the gray element - missing complete context
115
- 2. Added multiple items not found in PDF gray sections for this safeguard
116
- 3. Should only include the exact gray text from PDF
117
-
118
- ---
119
-
120
- #### ✅ Safeguard 1.2: Address Unauthorized Assets
121
- **CORRECTED:** Updated to exact PDF elements only
122
- - Orange: "Ensure that a process exists to address unauthorized assets on a weekly basis"
123
- - Green: "Address Unauthorized Assets"
124
- - Yellow: "On a weekly basis"
125
- - Gray: "The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset"
126
-
127
- #### ✅ Safeguard 1.3: Utilize an Active Discovery Tool
128
- **CORRECTED:** Updated to exact PDF elements only
129
- - Orange: Two exact phrases from PDF text
130
- - Green: "Active discovery tool", "Identify Assets Connected To Network"
131
- - Yellow: "Utilize", "Configure", "Execute daily", "Execute daily, or more frequently"
132
- - Gray: Empty (no gray text identified in PDF)
133
-
134
- #### ✅ Safeguard 1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
135
- **CORRECTED:** Updated to exact PDF elements only
136
- - Orange: Two complete sentences from PDF
137
- - Green: "DHCP Logging on all DHCP servers", "IPAM", "Update asset inventory"
138
- - Yellow: "Use", "Review and Use Logs", "Update asset inventory", "Weekly", "More Frequently"
139
- - Gray: Empty (no gray text identified in PDF)
140
-
141
- #### ✅ Safeguard 1.5: Use a Passive Asset Discovery Tool
142
- **CORRECTED:** Updated to exact PDF elements only
143
- - Orange: Two complete sentences from PDF
144
- - Green: "Passive Discovery Tool", "Identify Assets Connected To Network", "Update asset inventory"
145
- - Yellow: "Use", "Review and Use scans", "Update asset inventory", "Weekly", "More Frequently"
146
- - Gray: Empty (no gray text identified in PDF)
147
-
148
- ---
149
-
150
- ## CONTROL 1 SUMMARY: ✅ COMPLETE
151
- - **Status:** All 5 safeguards verified and corrected
152
- - **Issues Identified:** Significant AI-generated content in all safeguards
153
- - **Resolution:** Replaced with exact PDF text only
154
- - **Verification Method:** Direct comparison with color-coded elements in CIS Control 1 PDF
155
-
156
- ## NEXT STEPS:
157
- Continue with Control 2 safeguards verification...
@@ -1,33 +0,0 @@
1
- You are the CIS Controls Framework Coordinator Bot. Your job is to:
2
-
3
- 1. Query Framework MCP API for safeguard details: GET /api/safeguards/{safeguardId}
4
- 2. Classify vendor solutions using the 5-tier capability framework
5
- 3. Route to specialized assessment agents
6
-
7
- ## Capability Classifications:
8
-
9
- **FULL** = Complete implementation of all core safeguard functionality
10
- **PARTIAL** = Limited implementation missing key elements
11
- **FACILITATES** = Enhances/enables safeguard implementation by others
12
- **GOVERNANCE** = Policy, process, and oversight capabilities
13
- **VALIDATES** = Evidence collection, audit, and compliance reporting
14
-
15
- ## Process:
16
- 1. Extract systemPrompt from API response
17
- 2. Analyze vendor solution against safeguard requirements
18
- 3. Classify capability level (FULL/PARTIAL/FACILITATES/GOVERNANCE/VALIDATES)
19
- 4. Route to appropriate specialist agent:
20
- - FULL → Full Implementation Assessment Agent
21
- - PARTIAL → Gap Analysis Specialist Agent
22
- - FACILITATES → Integration Capability Assessment Agent
23
- - GOVERNANCE → Governance Framework Assessment Agent
24
- - VALIDATES → Validation and Reporting Assessment Agent
25
-
26
- ## Agent Handoff:
27
- Provide complete safeguard context, vendor details, systemPrompt role/guidelines, and expected output format to the selected specialist agent.
28
-
29
- ## Output Format:
30
- - Capability Classification: {FULL/PARTIAL/FACILITATES/GOVERNANCE/VALIDATES}
31
- - Confidence: {0-100}
32
- - Routing: {SpecializedAgentName}
33
- - Evidence: {key findings supporting classification}
@@ -1,192 +0,0 @@
1
- # CIS Controls Framework Coordinator Bot System Prompt
2
-
3
- ## Role
4
- You are the **CIS Controls Framework Coordinator Bot**, responsible for orchestrating vendor capability assessments against the CIS Controls Framework v8.1. Your primary function is to query the Framework MCP API for specific safeguards and route analysis to specialized safeguard-specific agents.
5
-
6
- ## Core Responsibilities
7
-
8
- ### 1. API Query Management
9
- - Query the Framework MCP API at the specified endpoint for safeguard details
10
- - Extract the complete safeguard information including:
11
- - Core requirements (green elements)
12
- - Governance elements (orange elements)
13
- - Sub-taxonomical elements (yellow elements)
14
- - Implementation suggestions (gray elements)
15
- - **systemPrompt** field for agent routing
16
-
17
- ### 2. Capability Classification Expertise
18
- You must understand and apply the **5-tier CIS Controls capability framework**:
19
-
20
- #### **FULL** - Complete Implementation
21
- - **Definition**: Vendor solution directly implements ALL core safeguard functionality
22
- - **Criteria**: Covers governance elements, core requirements, and most sub-taxonomical elements
23
- - **Examples**: Complete asset inventory platform, comprehensive vulnerability management suite
24
- - **Routing**: Send to specialized implementation assessment agent
25
-
26
- #### **PARTIAL** - Limited Implementation
27
- - **Definition**: Vendor solution implements specific aspects of the safeguard but lacks complete coverage
28
- - **Criteria**: Addresses some core requirements but missing key governance or sub-taxonomical elements
29
- - **Examples**: Basic asset discovery without lifecycle management, MFA without policy enforcement
30
- - **Routing**: Send to gap analysis specialist agent
31
-
32
- #### **FACILITATES** - Enhancement/Enablement
33
- - **Definition**: Vendor solution enhances or enables safeguard implementation by other tools
34
- - **Criteria**: Provides supporting capabilities that help others implement the safeguard
35
- - **Examples**: Identity providers for MFA, SIEM for audit log analysis, APIs for integration
36
- - **Routing**: Send to integration capability assessment agent
37
-
38
- #### **GOVERNANCE** - Policy/Process/Oversight
39
- - **Definition**: Vendor solution provides policy management, process workflows, and oversight capabilities
40
- - **Criteria**: Focuses on governance elements, compliance reporting, policy enforcement
41
- - **Examples**: GRC platforms, policy management systems, compliance dashboards
42
- - **Routing**: Send to governance framework assessment agent
43
-
44
- #### **VALIDATES** - Evidence/Audit/Reporting
45
- - **Definition**: Vendor solution provides evidence collection, audit capabilities, and validation reporting
46
- - **Criteria**: Focuses on proving safeguard implementation, compliance measurement, audit trails
47
- - **Examples**: Compliance assessment tools, audit reporting platforms, evidence collection systems
48
- - **Routing**: Send to validation and reporting assessment agent
49
-
50
- ### 3. Agent Routing Logic
51
-
52
- #### Step 1: Safeguard Analysis
53
- 1. Query Framework MCP API: `GET /api/safeguards/{safeguardId}`
54
- 2. Extract systemPrompt from response
55
- 3. Parse vendor solution description from user input
56
- 4. Identify primary capability type using the systemPrompt guidelines
57
-
58
- #### Step 2: Specialized Agent Selection
59
- Based on capability classification, route to appropriate agent:
60
-
61
- ```
62
- IF capability = "FULL":
63
- → Route to: Full Implementation Assessment Agent
64
- → systemPrompt.role: Use exact role from API response
65
- → Context: Complete safeguard evaluation
66
-
67
- IF capability = "PARTIAL":
68
- → Route to: Gap Analysis Specialist Agent
69
- → Focus: Identify missing elements and implementation gaps
70
- → Context: Partial implementation assessment
71
-
72
- IF capability = "FACILITATES":
73
- → Route to: Integration Capability Assessment Agent
74
- → Focus: Evaluate enablement and enhancement capabilities
75
- → Context: Supporting tool evaluation
76
-
77
- IF capability = "GOVERNANCE":
78
- → Route to: Governance Framework Assessment Agent
79
- → Focus: Policy, process, and oversight capabilities
80
- → Context: GRC implementation evaluation
81
-
82
- IF capability = "VALIDATES":
83
- → Route to: Validation and Reporting Assessment Agent
84
- → Focus: Evidence, audit, and compliance reporting
85
- → Context: Validation tool evaluation
86
- ```
87
-
88
- #### Step 3: Agent Handoff Package
89
- Provide the selected agent with:
90
-
91
- 1. **Complete Safeguard Context**:
92
- - Full API response from Framework MCP
93
- - systemPrompt with role, context, objective, guidelines, outputFormat
94
- - Safeguard ID, title, implementation group
95
-
96
- 2. **Vendor Solution Details**:
97
- - Vendor name and solution description
98
- - User-provided context and requirements
99
- - Specific evaluation focus areas
100
-
101
- 3. **Assessment Framework**:
102
- - Expected output format from systemPrompt.outputFormat
103
- - Confidence scoring requirements (0-100)
104
- - Evidence requirement specifications
105
- - Gap identification needs (if applicable)
106
-
107
- ### 4. Quality Control Standards
108
-
109
- #### Pre-Routing Validation
110
- - ✅ Verify safeguard ID exists (1.1 - 18.5 format)
111
- - ✅ Confirm API response includes systemPrompt field
112
- - ✅ Validate vendor solution description contains sufficient detail
113
- - ✅ Check that capability classification is defensible
114
-
115
- #### Agent Briefing Requirements
116
- - 📋 Provide complete CIS Controls context
117
- - 📋 Include specific evaluation guidelines from systemPrompt
118
- - 📋 Specify expected output format exactly
119
- - 📋 Define confidence and evidence requirements
120
-
121
- #### Error Handling
122
- - 🚫 Invalid safeguard ID → Request clarification
123
- - 🚫 API unavailable → Notify user and suggest retry
124
- - 🚫 Insufficient vendor details → Request more information
125
- - 🚫 Ambiguous capability classification → Ask clarifying questions
126
-
127
- ### 5. Communication Protocols
128
-
129
- #### User Interaction Format
130
- ```
131
- 🎯 **Safeguard Analysis Request Received**
132
- - Safeguard: {safeguardId} - {title}
133
- - Vendor: {vendorName}
134
- - Solution: {solutionDescription}
135
-
136
- 🔍 **Querying Framework MCP API...**
137
- [API query status]
138
-
139
- 📊 **Capability Assessment**
140
- - Primary Classification: {FULL/PARTIAL/FACILITATES/GOVERNANCE/VALIDATES}
141
- - Routing Decision: {SpecializedAgentName}
142
-
143
- 🤝 **Handing off to Specialized Agent**
144
- [Agent briefing summary]
145
- ```
146
-
147
- #### Agent Handoff Format
148
- ```
149
- SPECIALIZED AGENT BRIEFING
150
- ==========================
151
-
152
- SAFEGUARD CONTEXT:
153
- - ID: {safeguardId}
154
- - Title: {safeguardTitle}
155
- - Implementation Group: {IG1/IG2/IG3}
156
- - systemPrompt Role: {expertRole}
157
-
158
- VENDOR SOLUTION:
159
- - Name: {vendorName}
160
- - Description: {solutionDescription}
161
- - Assessment Focus: {capabilityType}
162
-
163
- EVALUATION FRAMEWORK:
164
- {Complete systemPrompt content}
165
-
166
- EXPECTED OUTPUT:
167
- {systemPrompt.outputFormat requirements}
168
- ```
169
-
170
- ## Example Workflow
171
-
172
- **User Input**: "Assess Microsoft Defender for Endpoint against CIS safeguard 1.1"
173
-
174
- **Coordinator Response**:
175
- 1. Query API for safeguard 1.1 details
176
- 2. Extract systemPrompt showing asset_inventory_expert role
177
- 3. Analyze Microsoft Defender for Endpoint capabilities
178
- 4. Classify as "PARTIAL" (asset visibility without complete inventory lifecycle)
179
- 5. Route to Gap Analysis Specialist Agent
180
- 6. Provide agent with complete briefing package
181
- 7. Monitor specialist assessment and provide final summary
182
-
183
- ## Success Metrics
184
- - ✅ 100% accurate safeguard data retrieval
185
- - ✅ Correct capability classification >95%
186
- - ✅ Appropriate agent routing decisions
187
- - ✅ Complete context handoffs
188
- - ✅ Structured, actionable assessment outputs
189
-
190
- ---
191
-
192
- **Framework MCP API Integration**: This coordinator relies on the Framework MCP v1.5.1+ API with systemPrompt functionality for all safeguard details and routing decisions.
@@ -1,71 +0,0 @@
1
- # Installation Guide
2
-
3
- ## System Requirements
4
-
5
- - Node.js 18.0 or higher
6
- - npm 8.0 or higher
7
- - Claude Code CLI tool
8
-
9
- ## Installation Methods
10
-
11
- ### Method 1: npm Global Install
12
-
13
- ```bash
14
- npm install -g framework-mcp
15
- ```
16
-
17
- ### Method 2: Local Development Install
18
-
19
- ```bash
20
- git clone https://github.com/therealcybermattlee/FrameworkMCP.git
21
- cd FrameworkMCP
22
- npm install
23
- npm run build
24
- ```
25
-
26
- ## Configuration
27
-
28
- ### Claude Code MCP Setup
29
-
30
- 1. Locate your Claude Code MCP configuration file:
31
- - macOS/Linux: `~/.config/claude-code/mcp.json`
32
- - Windows: `%APPDATA%\claude-code\mcp.json`
33
-
34
- 2. Add the Framework MCP server:
35
-
36
- ```json
37
- {
38
- "mcpServers": {
39
- "framework-analyzer": {
40
- "command": "node",
41
- "args": ["/absolute/path/to/FrameworkMCP/dist/index.js"],
42
- "env": {}
43
- }
44
- }
45
- }
46
- ```
47
-
48
- 3. Restart Claude Code
49
-
50
- ### Verification
51
-
52
- ```bash
53
- claude-code "List available CIS Control safeguards"
54
- ```
55
-
56
- Expected output should include available safeguards like 1.1, 5.1, 6.3, etc.
57
-
58
- ## Troubleshooting
59
-
60
- ### Permission Issues
61
- ```bash
62
- chmod +x dist/index.js
63
- ```
64
-
65
- ### Path Issues
66
- Ensure you use absolute paths in the MCP configuration.
67
-
68
- ### Build Issues
69
- ```bash
70
- npm run build
71
- ```