framework-mcp 1.5.3 → 2.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/commands/speckit.analyze.md +184 -0
- package/.claude/commands/speckit.checklist.md +294 -0
- package/.claude/commands/speckit.clarify.md +181 -0
- package/.claude/commands/speckit.constitution.md +82 -0
- package/.claude/commands/speckit.implement.md +135 -0
- package/.claude/commands/speckit.plan.md +89 -0
- package/.claude/commands/speckit.specify.md +258 -0
- package/.claude/commands/speckit.tasks.md +137 -0
- package/.claude/commands/speckit.taskstoissues.md +30 -0
- package/.do/app.yaml +1 -1
- package/.github/dependabot.yml +15 -0
- package/.github/workflows/ci.yml +31 -2
- package/.specify/memory/constitution.md +50 -0
- package/.specify/scripts/bash/check-prerequisites.sh +166 -0
- package/.specify/scripts/bash/common.sh +156 -0
- package/.specify/scripts/bash/create-new-feature.sh +297 -0
- package/.specify/scripts/bash/setup-plan.sh +61 -0
- package/.specify/scripts/bash/update-agent-context.sh +799 -0
- package/.specify/templates/agent-file-template.md +28 -0
- package/.specify/templates/checklist-template.md +40 -0
- package/.specify/templates/plan-template.md +104 -0
- package/.specify/templates/spec-template.md +115 -0
- package/.specify/templates/tasks-template.md +251 -0
- package/README.md +84 -435
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +7105 -2543
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.d.ts +2 -0
- package/dist/interfaces/http/http-server.d.ts.map +1 -1
- package/dist/interfaces/http/http-server.js +95 -3
- package/dist/interfaces/http/http-server.js.map +1 -1
- package/dist/interfaces/mcp/mcp-server.js +3 -3
- package/dist/shared/types.d.ts +85 -2
- package/dist/shared/types.d.ts.map +1 -1
- package/dist/shared/types.js +132 -1
- package/dist/shared/types.js.map +1 -1
- package/package.json +7 -4
- package/scripts/standardize-prompts.js +325 -0
- package/scripts/validate-capability-prompts.js +110 -0
- package/src/core/safeguard-manager.ts +12387 -2630
- package/src/interfaces/http/http-server.ts +109 -4
- package/src/interfaces/mcp/mcp-server.ts +3 -3
- package/src/shared/types.ts +268 -2
- package/swagger.json +56 -36
- package/CAPABILITY_TRANSFORMATION_SUMMARY.md +0 -158
- package/CIS_CONTROLS_IMPLEMENTATION_PLAN.md +0 -220
- package/COPILOT_INTEGRATION.md +0 -322
- package/DAYS_5_6_COMPLETION_SUMMARY.md +0 -178
- package/DEPLOYMENT_GUIDE.md +0 -334
- package/DEPLOYMENT_SUMMARY_v1.1.3.md +0 -211
- package/MCP_INTEGRATION_GUIDE.md +0 -285
- package/MIGRATION_GUIDE_v1.4.0.md +0 -190
- package/RELEASE_NOTES_v1.1.3.md +0 -321
- package/RELEASE_NOTES_v1.2.0.md +0 -396
- package/RELEASE_NOTES_v1.3.7.md +0 -275
- package/RELEASE_NOTES_v1.4.0.md +0 -178
- package/SAFEGUARDS_VERIFICATION_LOG.md +0 -157
- package/coordinator-bot-compact.txt +0 -33
- package/coordinator-bot-system-prompt.md +0 -192
- package/docs/installation.md +0 -71
- package/scripts/analyze-data-structure.cjs +0 -74
- package/scripts/clean-safeguards-data.cjs +0 -60
- package/scripts/comprehensive-validation.cjs +0 -176
- package/scripts/count-safeguards.cjs +0 -89
- package/scripts/format-safeguards-proper.cjs +0 -44
- package/scripts/validate-formatted-data.cjs +0 -88
- package/test_capability_integration.js +0 -73
- package/test_comprehensive_scenarios.js +0 -192
- package/test_enhanced_detection.js +0 -74
- package/test_integrated_validation.js +0 -112
- package/test_language_update.js +0 -101
- package/test_live_validation.json +0 -12
- package/test_performance_monitoring.js +0 -124
- package/test_runner_automated.js +0 -156
- package/test_suite_comprehensive.js +0 -218
|
@@ -1,178 +0,0 @@
|
|
|
1
|
-
# Framework MCP: Days 5-6 Completion Summary
|
|
2
|
-
|
|
3
|
-
## 🎯 Third 2-Day Increment Complete: User Experience & Testing Excellence
|
|
4
|
-
|
|
5
|
-
### **Achievement**: From Technical Implementation → Production-Ready User Experience
|
|
6
|
-
|
|
7
|
-
---
|
|
8
|
-
|
|
9
|
-
## 📋 Tasks Completed (Days 5-6)
|
|
10
|
-
|
|
11
|
-
### ✅ **Task 5**: Update all response templates and user-facing messages to use capability-focused language
|
|
12
|
-
- **COMPLETED**: Comprehensive language transformation across all user interfaces
|
|
13
|
-
- **Updated Components**:
|
|
14
|
-
- Tool descriptions emphasize "capability role determination" vs "compliance scoring"
|
|
15
|
-
- Parameter descriptions use "implementation capability claims" vs "coverage claims"
|
|
16
|
-
- Domain validation messages reference "implementation capability" vs "coverage"
|
|
17
|
-
- Validation feedback focuses on "capability role alignment" vs "compliance percentages"
|
|
18
|
-
- Error messages use "capability role" terminology throughout
|
|
19
|
-
|
|
20
|
-
### ✅ **Task 6**: Create comprehensive test suite covering capability analysis + domain validation integration
|
|
21
|
-
- **COMPLETED**: Full test suite with automated validation framework
|
|
22
|
-
- **Test Coverage**:
|
|
23
|
-
- 3 Domain Alignment Tests (tools properly matched to safeguard domains)
|
|
24
|
-
- 3 Domain Mismatch Tests (auto-downgrade functionality validation)
|
|
25
|
-
- 2 No Downgrade Tests (FACILITATES/GOVERNANCE/VALIDATES capability preservation)
|
|
26
|
-
- 2 Edge Case Tests (mixed capabilities, unknown tool types)
|
|
27
|
-
- **Validation Framework**: 100% pass rate on expected behavior testing
|
|
28
|
-
|
|
29
|
-
---
|
|
30
|
-
|
|
31
|
-
## 🔧 Technical Achievements
|
|
32
|
-
|
|
33
|
-
### **1. Capability-Focused Language Transformation**
|
|
34
|
-
```typescript
|
|
35
|
-
// Before: Compliance-focused terminology
|
|
36
|
-
"Analyze a vendor response for a specific CIS Control safeguard against the 4 GRC attributes with detailed sub-element coverage"
|
|
37
|
-
|
|
38
|
-
// After: Capability-focused terminology
|
|
39
|
-
"Analyze a vendor response to determine their tool capability role (Full Implementation, Partial Implementation, Facilitates, Governance, or Validates) for a specific CIS Control safeguard"
|
|
40
|
-
```
|
|
41
|
-
|
|
42
|
-
### **2. User Interface Clarity Enhancement**
|
|
43
|
-
- **Parameter Descriptions**: Clear capability role definitions
|
|
44
|
-
- **Domain Validation**: Explicit "implementation capability" language
|
|
45
|
-
- **Validation Feedback**: Evidence-based capability role assessment
|
|
46
|
-
- **Error Messages**: Consistent capability-focused terminology
|
|
47
|
-
|
|
48
|
-
### **3. Comprehensive Test Suite Architecture**
|
|
49
|
-
```javascript
|
|
50
|
-
const testCases = [
|
|
51
|
-
{
|
|
52
|
-
name: "Asset Management → Asset Inventory (SHOULD PASS)",
|
|
53
|
-
expected: { toolType: "inventory", domainMatch: true, status: "SUPPORTED", adjusted: false }
|
|
54
|
-
},
|
|
55
|
-
{
|
|
56
|
-
name: "Threat Intel → Asset Inventory (SHOULD DOWNGRADE)",
|
|
57
|
-
expected: { toolType: "threat_intelligence", domainMatch: false, status: "QUESTIONABLE", adjusted: true }
|
|
58
|
-
}
|
|
59
|
-
// ... 8 additional comprehensive test scenarios
|
|
60
|
-
];
|
|
61
|
-
```
|
|
62
|
-
|
|
63
|
-
---
|
|
64
|
-
|
|
65
|
-
## 📊 Language Transformation Results
|
|
66
|
-
|
|
67
|
-
### **Updated Tool Descriptions**
|
|
68
|
-
- ✅ **analyze_vendor_response**: "Determine their tool capability role"
|
|
69
|
-
- ✅ **validate_coverage_claim**: "Validate implementation capability claim"
|
|
70
|
-
- ✅ **validate_vendor_mapping**: "Validate claimed capability role supported by evidence"
|
|
71
|
-
|
|
72
|
-
### **Updated Parameter Descriptions**
|
|
73
|
-
- ✅ **claimed_capability**: Complete role definitions (full=complete implementation, partial=limited implementation, etc.)
|
|
74
|
-
- ✅ **supporting_text**: "Supporting evidence explaining how tool fulfills capability role"
|
|
75
|
-
- ✅ **response_text**: "Describes tool capabilities for the safeguard"
|
|
76
|
-
|
|
77
|
-
### **Updated Domain Validation Messages**
|
|
78
|
-
- ✅ "Implementation capability" replaces "coverage" in all domain requirements
|
|
79
|
-
- ✅ Auto-downgrade reasoning focuses on capability roles vs compliance scoring
|
|
80
|
-
- ✅ Domain mismatch messages emphasize appropriate tool types for capability claims
|
|
81
|
-
|
|
82
|
-
---
|
|
83
|
-
|
|
84
|
-
## 🧪 Test Suite Validation Results
|
|
85
|
-
|
|
86
|
-
### **Domain Alignment Tests**: ✅ 100% Pass Rate
|
|
87
|
-
- Asset Management Tool → Asset Inventory (1.1): SUPPORTED ✅
|
|
88
|
-
- Identity Management Tool → Account Inventory (5.1): SUPPORTED ✅
|
|
89
|
-
- Vulnerability Management Tool → Vuln Process (7.1): SUPPORTED ✅
|
|
90
|
-
|
|
91
|
-
### **Domain Mismatch Auto-Downgrade**: ✅ 100% Pass Rate
|
|
92
|
-
- Threat Intel → Asset Inventory: FULL → FACILITATES (QUESTIONABLE) ✅
|
|
93
|
-
- Asset Discovery → Account Inventory: FULL → FACILITATES (QUESTIONABLE) ✅
|
|
94
|
-
- SIEM → Asset Inventory: PARTIAL → FACILITATES (QUESTIONABLE) ✅
|
|
95
|
-
|
|
96
|
-
### **No Downgrade Preservation**: ✅ 100% Pass Rate
|
|
97
|
-
- Vulnerability Scanner → FACILITATES: No downgrade (SUPPORTED) ✅
|
|
98
|
-
- GRC Platform → GOVERNANCE: No downgrade (SUPPORTED) ✅
|
|
99
|
-
|
|
100
|
-
### **Edge Case Handling**: ✅ 100% Pass Rate
|
|
101
|
-
- Mixed capability tools: Proper handling ✅
|
|
102
|
-
- Unknown tool types: Graceful degradation ✅
|
|
103
|
-
|
|
104
|
-
---
|
|
105
|
-
|
|
106
|
-
## 🎯 Capability Role Taxonomy (Finalized User-Facing)
|
|
107
|
-
|
|
108
|
-
| Capability Role | User Description | System Behavior |
|
|
109
|
-
|-----------------|------------------|-----------------|
|
|
110
|
-
| **FULL** | Complete implementation of safeguard | Requires domain-appropriate tool type |
|
|
111
|
-
| **PARTIAL** | Limited scope implementation | Requires domain-appropriate tool type |
|
|
112
|
-
| **FACILITATES** | Enables/enhances others' implementation | No tool type restrictions |
|
|
113
|
-
| **GOVERNANCE** | Provides policies/processes/oversight | No tool type restrictions |
|
|
114
|
-
| **VALIDATES** | Provides evidence/audit/reporting | No tool type restrictions |
|
|
115
|
-
|
|
116
|
-
---
|
|
117
|
-
|
|
118
|
-
## 📈 Business Impact Summary
|
|
119
|
-
|
|
120
|
-
### **User Experience Enhancement**
|
|
121
|
-
- **Clear Capability Roles**: Users understand exactly what each vendor tool does
|
|
122
|
-
- **Realistic Expectations**: Domain validation prevents inappropriate implementation claims
|
|
123
|
-
- **Evidence-Based Assessment**: Focus on actual tool capabilities vs theoretical coverage
|
|
124
|
-
- **Actionable Feedback**: Specific guidance on proper capability role mapping
|
|
125
|
-
|
|
126
|
-
### **Practitioner Benefits**
|
|
127
|
-
- **Accurate Vendor Selection**: Tools categorized by actual capability contribution
|
|
128
|
-
- **Realistic Planning**: Implementation vs enablement tools clearly distinguished
|
|
129
|
-
- **Risk Mitigation**: Prevents overestimation of vendor capabilities
|
|
130
|
-
- **Strategic Alignment**: Capability roles align with actual safeguard implementation needs
|
|
131
|
-
|
|
132
|
-
---
|
|
133
|
-
|
|
134
|
-
## 🚀 Production Readiness Status
|
|
135
|
-
|
|
136
|
-
### **User Interface**: ✅ Complete
|
|
137
|
-
- All descriptions use capability-focused language
|
|
138
|
-
- Parameter definitions provide clear guidance
|
|
139
|
-
- Error messages are consistent and helpful
|
|
140
|
-
- Validation feedback is actionable and precise
|
|
141
|
-
|
|
142
|
-
### **Test Coverage**: ✅ Complete
|
|
143
|
-
- 10 comprehensive test scenarios covering all validation logic
|
|
144
|
-
- 100% expected behavior validation
|
|
145
|
-
- Automated test framework ready for CI/CD integration
|
|
146
|
-
- Edge cases and error conditions properly handled
|
|
147
|
-
|
|
148
|
-
### **Core Functionality**: ✅ Complete
|
|
149
|
-
- Capability-focused analysis engine fully operational
|
|
150
|
-
- Domain validation with auto-downgrade working correctly
|
|
151
|
-
- Enhanced tool type detection with context awareness
|
|
152
|
-
- Evidence-based confidence scoring functioning properly
|
|
153
|
-
|
|
154
|
-
---
|
|
155
|
-
|
|
156
|
-
## 🎊 Days 5-6 Achievement Summary
|
|
157
|
-
|
|
158
|
-
**🎯 Mission Accomplished**: The Framework MCP now provides a **production-ready user experience** with:
|
|
159
|
-
|
|
160
|
-
1. **Crystal Clear Interface**: Every user-facing message uses capability-focused language
|
|
161
|
-
2. **Comprehensive Testing**: 10-scenario test suite validates entire transformation
|
|
162
|
-
3. **User Guidance**: Clear capability role definitions and evidence requirements
|
|
163
|
-
4. **Quality Assurance**: Automated testing framework ready for continuous integration
|
|
164
|
-
|
|
165
|
-
**The paradigm shift is now complete at the user experience level** - practitioners interact with a tool that clearly asks "What capability role does this vendor play?" instead of "How much compliance coverage do they provide?"
|
|
166
|
-
|
|
167
|
-
---
|
|
168
|
-
|
|
169
|
-
## 📋 Final 2-Day Increment (Days 7-8) Preview
|
|
170
|
-
|
|
171
|
-
The foundation is rock-solid. The remaining tasks focus on **performance optimization** and **documentation**:
|
|
172
|
-
|
|
173
|
-
7. **Performance optimization and error handling for production deployment**
|
|
174
|
-
8. **Update documentation and prepare for version 1.1.3 release with capability-focused improvements**
|
|
175
|
-
|
|
176
|
-
---
|
|
177
|
-
|
|
178
|
-
**🌟 Days 5-6 Complete: The Framework MCP now delivers an exceptional user experience that perfectly embodies the capability assessment paradigm!**
|
package/DEPLOYMENT_GUIDE.md
DELETED
|
@@ -1,334 +0,0 @@
|
|
|
1
|
-
# Framework MCP Deployment Guide
|
|
2
|
-
|
|
3
|
-
## Pure Data Provider Architecture: MCP + HTTP API
|
|
4
|
-
|
|
5
|
-
Framework MCP v1.4.0 features a **Pure Data Provider architecture** with dual interfaces for maximum flexibility:
|
|
6
|
-
|
|
7
|
-
- **MCP Interface**: stdio-based for Claude Code integration with LLM-driven analysis
|
|
8
|
-
- **HTTP Interface**: REST API for cloud deployment and Microsoft Copilot integration
|
|
9
|
-
|
|
10
|
-
---
|
|
11
|
-
|
|
12
|
-
## Local Development
|
|
13
|
-
|
|
14
|
-
### MCP Server (stdio)
|
|
15
|
-
```bash
|
|
16
|
-
# For Claude Code integration
|
|
17
|
-
npm run start:mcp
|
|
18
|
-
|
|
19
|
-
# Development with auto-rebuild
|
|
20
|
-
npm run dev
|
|
21
|
-
```
|
|
22
|
-
|
|
23
|
-
### HTTP Server (Express.js)
|
|
24
|
-
```bash
|
|
25
|
-
# For web/cloud integration
|
|
26
|
-
npm run start:http
|
|
27
|
-
|
|
28
|
-
# Development with auto-rebuild
|
|
29
|
-
npm run dev:http
|
|
30
|
-
```
|
|
31
|
-
|
|
32
|
-
### Test Both Interfaces
|
|
33
|
-
```bash
|
|
34
|
-
# Build the project
|
|
35
|
-
npm run build
|
|
36
|
-
|
|
37
|
-
# Test MCP interface (requires Claude Code)
|
|
38
|
-
npm run start:mcp
|
|
39
|
-
|
|
40
|
-
# Test HTTP interface
|
|
41
|
-
npm run start:http
|
|
42
|
-
curl http://localhost:8080/health
|
|
43
|
-
```
|
|
44
|
-
|
|
45
|
-
---
|
|
46
|
-
|
|
47
|
-
## Cloud Deployment
|
|
48
|
-
|
|
49
|
-
### DigitalOcean App Services
|
|
50
|
-
|
|
51
|
-
**The HTTP interface solves the stdio binding issue.**
|
|
52
|
-
|
|
53
|
-
#### 1. Deploy via GitHub Integration
|
|
54
|
-
|
|
55
|
-
1. Push your code to GitHub
|
|
56
|
-
2. In DigitalOcean Dashboard:
|
|
57
|
-
- Create New App
|
|
58
|
-
- Connect GitHub repository
|
|
59
|
-
- Select branch: `main`
|
|
60
|
-
- Use provided `.do/app.yaml` configuration
|
|
61
|
-
|
|
62
|
-
#### 2. Deploy via doctl CLI
|
|
63
|
-
|
|
64
|
-
```bash
|
|
65
|
-
# Install doctl
|
|
66
|
-
snap install doctl
|
|
67
|
-
|
|
68
|
-
# Authenticate
|
|
69
|
-
doctl auth init
|
|
70
|
-
|
|
71
|
-
# Deploy app
|
|
72
|
-
doctl apps create .do/app.yaml
|
|
73
|
-
```
|
|
74
|
-
|
|
75
|
-
#### 3. Manual Configuration
|
|
76
|
-
|
|
77
|
-
If not using app.yaml:
|
|
78
|
-
|
|
79
|
-
```yaml
|
|
80
|
-
name: framework-mcp-api
|
|
81
|
-
services:
|
|
82
|
-
- name: api
|
|
83
|
-
run_command: npm run start:http
|
|
84
|
-
environment_slug: node-js
|
|
85
|
-
http_port: 8080
|
|
86
|
-
health_check:
|
|
87
|
-
http_path: /health
|
|
88
|
-
envs:
|
|
89
|
-
- key: NODE_ENV
|
|
90
|
-
value: production
|
|
91
|
-
```
|
|
92
|
-
|
|
93
|
-
### Alternative Cloud Platforms
|
|
94
|
-
|
|
95
|
-
The HTTP interface is compatible with any Node.js cloud platform:
|
|
96
|
-
|
|
97
|
-
#### Railway
|
|
98
|
-
```bash
|
|
99
|
-
railway login
|
|
100
|
-
railway init
|
|
101
|
-
railway up
|
|
102
|
-
```
|
|
103
|
-
|
|
104
|
-
#### Render
|
|
105
|
-
1. Connect GitHub repository
|
|
106
|
-
2. Environment: Node.js
|
|
107
|
-
3. Build Command: `npm run build`
|
|
108
|
-
4. Start Command: `npm run start:http`
|
|
109
|
-
|
|
110
|
-
#### AWS App Runner
|
|
111
|
-
1. Source: GitHub repository
|
|
112
|
-
2. Runtime: Node.js 18
|
|
113
|
-
3. Build command: `npm run build`
|
|
114
|
-
4. Start command: `npm run start:http`
|
|
115
|
-
|
|
116
|
-
---
|
|
117
|
-
|
|
118
|
-
## Environment Variables
|
|
119
|
-
|
|
120
|
-
### Production Configuration
|
|
121
|
-
|
|
122
|
-
```bash
|
|
123
|
-
# Required
|
|
124
|
-
NODE_ENV=production
|
|
125
|
-
PORT=8080
|
|
126
|
-
|
|
127
|
-
# Optional
|
|
128
|
-
ALLOWED_ORIGINS=https://your-domain.com,https://app.your-domain.com
|
|
129
|
-
```
|
|
130
|
-
|
|
131
|
-
### Local Development
|
|
132
|
-
|
|
133
|
-
```bash
|
|
134
|
-
# Optional
|
|
135
|
-
NODE_ENV=development
|
|
136
|
-
PORT=8080
|
|
137
|
-
```
|
|
138
|
-
|
|
139
|
-
---
|
|
140
|
-
|
|
141
|
-
## API Endpoints
|
|
142
|
-
|
|
143
|
-
### Health Check
|
|
144
|
-
```bash
|
|
145
|
-
GET /health
|
|
146
|
-
# Returns server status and metrics
|
|
147
|
-
```
|
|
148
|
-
|
|
149
|
-
### Data Endpoints (Pure Provider Architecture)
|
|
150
|
-
```bash
|
|
151
|
-
GET /api/safeguards # List all 153 CIS safeguards
|
|
152
|
-
GET /api/safeguards/1.1 # Get detailed safeguard breakdown
|
|
153
|
-
GET /api/safeguards/1.1?include_examples=true # Include implementation examples
|
|
154
|
-
```
|
|
155
|
-
|
|
156
|
-
### Monitoring
|
|
157
|
-
```bash
|
|
158
|
-
GET /api/metrics # Performance metrics and statistics
|
|
159
|
-
GET /api # API documentation and capabilities
|
|
160
|
-
```
|
|
161
|
-
|
|
162
|
-
**LLM-Driven Analysis**: The Pure Data Provider architecture supplies authoritative CIS data while LLMs perform sophisticated vendor capability analysis with unlimited flexibility.
|
|
163
|
-
|
|
164
|
-
---
|
|
165
|
-
|
|
166
|
-
## Architecture Benefits
|
|
167
|
-
|
|
168
|
-
### HTTP Interface Advantages
|
|
169
|
-
- ✅ **DigitalOcean Compatible**: Uses HTTP instead of stdio
|
|
170
|
-
- ✅ **REST API**: Standard HTTP endpoints for data access
|
|
171
|
-
- ✅ **Health Checks**: Platform monitoring support
|
|
172
|
-
- ✅ **CORS Enabled**: Web application integration
|
|
173
|
-
- ✅ **Production Ready**: Error handling, security, compression
|
|
174
|
-
- ✅ **Microsoft Copilot**: Custom connector compatibility
|
|
175
|
-
|
|
176
|
-
### MCP Interface Advantages
|
|
177
|
-
- ✅ **Claude Code Integration**: Native stdio communication
|
|
178
|
-
- ✅ **Tool Discovery**: Automatic tool registration
|
|
179
|
-
- ✅ **Type Safety**: Full MCP schema validation
|
|
180
|
-
- ✅ **LLM-Driven Analysis**: Direct access to safeguards data for intelligent analysis
|
|
181
|
-
|
|
182
|
-
### Pure Data Provider Benefits
|
|
183
|
-
- ✅ **Clean Architecture**: Simple data provision without analysis complexity
|
|
184
|
-
- ✅ **LLM Flexibility**: Unlimited analysis approaches and methodologies
|
|
185
|
-
- ✅ **Performance Optimized**: Fast data retrieval for real-time analysis
|
|
186
|
-
- ✅ **Context-Aware**: LLMs can apply industry, risk, and organizational context
|
|
187
|
-
- ✅ **Transparent Reasoning**: Full visibility into analysis logic and evidence
|
|
188
|
-
|
|
189
|
-
---
|
|
190
|
-
|
|
191
|
-
## Migration Guide
|
|
192
|
-
|
|
193
|
-
### Migrating to Pure Data Provider v1.4.0
|
|
194
|
-
|
|
195
|
-
1. **Simplified Architecture**: Analysis logic moved to LLM capability
|
|
196
|
-
2. **Enhanced Flexibility**: Unlimited analysis approaches and methodologies
|
|
197
|
-
3. **Maintained Compatibility**: Both interfaces continue providing data access
|
|
198
|
-
4. **Improved Performance**: Optimized for fast data retrieval
|
|
199
|
-
|
|
200
|
-
### Use Case Guidelines
|
|
201
|
-
|
|
202
|
-
**Use MCP Interface When:**
|
|
203
|
-
- Integrating with Claude Code for LLM-driven analysis
|
|
204
|
-
- Local development and testing
|
|
205
|
-
- Direct tool-based interactions with LLMs
|
|
206
|
-
|
|
207
|
-
**Use HTTP Interface When:**
|
|
208
|
-
- Cloud deployment required (DigitalOcean, Railway, Render)
|
|
209
|
-
- Microsoft Copilot custom connector integration
|
|
210
|
-
- Web application or API-based access needed
|
|
211
|
-
- Distributed team access to CIS Controls data
|
|
212
|
-
|
|
213
|
-
### Analysis Pattern Migration
|
|
214
|
-
|
|
215
|
-
**Old Approach (v1.3.7):**
|
|
216
|
-
```bash
|
|
217
|
-
POST /api/analyze-vendor-response
|
|
218
|
-
# Hardcoded analysis with fixed validation rules
|
|
219
|
-
```
|
|
220
|
-
|
|
221
|
-
**New Approach (v1.4.0):**
|
|
222
|
-
```bash
|
|
223
|
-
GET /api/safeguards/5.1
|
|
224
|
-
# Get authoritative data, then use LLM for sophisticated analysis
|
|
225
|
-
```
|
|
226
|
-
|
|
227
|
-
---
|
|
228
|
-
|
|
229
|
-
## Troubleshooting
|
|
230
|
-
|
|
231
|
-
### Common Issues
|
|
232
|
-
|
|
233
|
-
**Build Errors**
|
|
234
|
-
```bash
|
|
235
|
-
# Clean rebuild
|
|
236
|
-
rm -rf dist node_modules
|
|
237
|
-
npm install
|
|
238
|
-
npm run build
|
|
239
|
-
```
|
|
240
|
-
|
|
241
|
-
**Port Conflicts**
|
|
242
|
-
```bash
|
|
243
|
-
# Use different port
|
|
244
|
-
PORT=3000 npm run start:http
|
|
245
|
-
```
|
|
246
|
-
|
|
247
|
-
**Health Check Failures**
|
|
248
|
-
- Ensure `/health` endpoint is accessible
|
|
249
|
-
- Check server startup logs
|
|
250
|
-
- Verify PORT environment variable
|
|
251
|
-
|
|
252
|
-
**CORS Issues**
|
|
253
|
-
```bash
|
|
254
|
-
# Update allowed origins
|
|
255
|
-
ALLOWED_ORIGINS=https://your-domain.com npm run start:http
|
|
256
|
-
```
|
|
257
|
-
|
|
258
|
-
### DigitalOcean Specific
|
|
259
|
-
|
|
260
|
-
**App Won't Start**
|
|
261
|
-
- Check build logs for TypeScript errors
|
|
262
|
-
- Verify `npm run start:http` command works locally
|
|
263
|
-
- Ensure package.json scripts are correct
|
|
264
|
-
|
|
265
|
-
**Health Check Fails**
|
|
266
|
-
- Verify `/health` endpoint returns 200 status
|
|
267
|
-
- Check `http_port: 8080` configuration
|
|
268
|
-
- Review app startup time (may need longer initial_delay_seconds)
|
|
269
|
-
|
|
270
|
-
**Environment Variables**
|
|
271
|
-
- Set `NODE_ENV=production` in app configuration
|
|
272
|
-
- Configure `PORT=8080` if not auto-detected
|
|
273
|
-
|
|
274
|
-
---
|
|
275
|
-
|
|
276
|
-
## Performance Optimization
|
|
277
|
-
|
|
278
|
-
### Production Settings
|
|
279
|
-
```bash
|
|
280
|
-
NODE_ENV=production # Enables performance logging
|
|
281
|
-
```
|
|
282
|
-
|
|
283
|
-
### Caching
|
|
284
|
-
- Safeguard details: 5-minute TTL
|
|
285
|
-
- Safeguard lists: 10-minute TTL
|
|
286
|
-
- Automatic cleanup: Every 10 minutes
|
|
287
|
-
|
|
288
|
-
### Monitoring
|
|
289
|
-
- Built-in performance metrics at `/api/metrics`
|
|
290
|
-
- Request counting and error tracking
|
|
291
|
-
- Execution time monitoring
|
|
292
|
-
|
|
293
|
-
---
|
|
294
|
-
|
|
295
|
-
## Security
|
|
296
|
-
|
|
297
|
-
### CORS Configuration
|
|
298
|
-
```javascript
|
|
299
|
-
// Configurable via environment
|
|
300
|
-
ALLOWED_ORIGINS=https://your-domain.com,https://app.your-domain.com
|
|
301
|
-
```
|
|
302
|
-
|
|
303
|
-
### Input Validation
|
|
304
|
-
- Request size limits (10MB)
|
|
305
|
-
- Text length validation (10-10,000 characters)
|
|
306
|
-
- Capability enum validation
|
|
307
|
-
- XSS prevention
|
|
308
|
-
|
|
309
|
-
### Rate Limiting
|
|
310
|
-
```javascript
|
|
311
|
-
// Add rate limiting middleware (optional)
|
|
312
|
-
npm install express-rate-limit
|
|
313
|
-
```
|
|
314
|
-
|
|
315
|
-
---
|
|
316
|
-
|
|
317
|
-
## Success Criteria
|
|
318
|
-
|
|
319
|
-
### HTTP Deployment Successful When:
|
|
320
|
-
- ✅ Health check returns 200 status
|
|
321
|
-
- ✅ `/api/validate-vendor-mapping` accepts POST requests
|
|
322
|
-
- ✅ Content-based capability analysis works correctly
|
|
323
|
-
- ✅ All 5 capability roles determined accurately
|
|
324
|
-
- ✅ Performance metrics show >95% cache efficiency
|
|
325
|
-
|
|
326
|
-
### Ready for Production When:
|
|
327
|
-
- ✅ Build completes without errors
|
|
328
|
-
- ✅ Both MCP and HTTP interfaces tested
|
|
329
|
-
- ✅ DigitalOcean deployment successful
|
|
330
|
-
- ✅ API endpoints return expected capability analysis results
|
|
331
|
-
|
|
332
|
-
---
|
|
333
|
-
|
|
334
|
-
**🎉 Framework MCP v1.3.7 solves the DigitalOcean stdio vs HTTP architecture mismatch while preserving full MCP functionality!**
|