framework-mcp 1.5.3 → 2.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. package/.claude/commands/speckit.analyze.md +184 -0
  2. package/.claude/commands/speckit.checklist.md +294 -0
  3. package/.claude/commands/speckit.clarify.md +181 -0
  4. package/.claude/commands/speckit.constitution.md +82 -0
  5. package/.claude/commands/speckit.implement.md +135 -0
  6. package/.claude/commands/speckit.plan.md +89 -0
  7. package/.claude/commands/speckit.specify.md +258 -0
  8. package/.claude/commands/speckit.tasks.md +137 -0
  9. package/.claude/commands/speckit.taskstoissues.md +30 -0
  10. package/.do/app.yaml +1 -1
  11. package/.github/dependabot.yml +15 -0
  12. package/.github/workflows/ci.yml +31 -2
  13. package/.specify/memory/constitution.md +50 -0
  14. package/.specify/scripts/bash/check-prerequisites.sh +166 -0
  15. package/.specify/scripts/bash/common.sh +156 -0
  16. package/.specify/scripts/bash/create-new-feature.sh +297 -0
  17. package/.specify/scripts/bash/setup-plan.sh +61 -0
  18. package/.specify/scripts/bash/update-agent-context.sh +799 -0
  19. package/.specify/templates/agent-file-template.md +28 -0
  20. package/.specify/templates/checklist-template.md +40 -0
  21. package/.specify/templates/plan-template.md +104 -0
  22. package/.specify/templates/spec-template.md +115 -0
  23. package/.specify/templates/tasks-template.md +251 -0
  24. package/README.md +84 -435
  25. package/dist/core/safeguard-manager.d.ts.map +1 -1
  26. package/dist/core/safeguard-manager.js +7105 -2543
  27. package/dist/core/safeguard-manager.js.map +1 -1
  28. package/dist/interfaces/http/http-server.d.ts +2 -0
  29. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  30. package/dist/interfaces/http/http-server.js +95 -3
  31. package/dist/interfaces/http/http-server.js.map +1 -1
  32. package/dist/interfaces/mcp/mcp-server.js +3 -3
  33. package/dist/shared/types.d.ts +85 -2
  34. package/dist/shared/types.d.ts.map +1 -1
  35. package/dist/shared/types.js +132 -1
  36. package/dist/shared/types.js.map +1 -1
  37. package/package.json +7 -4
  38. package/scripts/standardize-prompts.js +325 -0
  39. package/scripts/validate-capability-prompts.js +110 -0
  40. package/src/core/safeguard-manager.ts +12387 -2630
  41. package/src/interfaces/http/http-server.ts +109 -4
  42. package/src/interfaces/mcp/mcp-server.ts +3 -3
  43. package/src/shared/types.ts +268 -2
  44. package/swagger.json +56 -36
  45. package/CAPABILITY_TRANSFORMATION_SUMMARY.md +0 -158
  46. package/CIS_CONTROLS_IMPLEMENTATION_PLAN.md +0 -220
  47. package/COPILOT_INTEGRATION.md +0 -322
  48. package/DAYS_5_6_COMPLETION_SUMMARY.md +0 -178
  49. package/DEPLOYMENT_GUIDE.md +0 -334
  50. package/DEPLOYMENT_SUMMARY_v1.1.3.md +0 -211
  51. package/MCP_INTEGRATION_GUIDE.md +0 -285
  52. package/MIGRATION_GUIDE_v1.4.0.md +0 -190
  53. package/RELEASE_NOTES_v1.1.3.md +0 -321
  54. package/RELEASE_NOTES_v1.2.0.md +0 -396
  55. package/RELEASE_NOTES_v1.3.7.md +0 -275
  56. package/RELEASE_NOTES_v1.4.0.md +0 -178
  57. package/SAFEGUARDS_VERIFICATION_LOG.md +0 -157
  58. package/coordinator-bot-compact.txt +0 -33
  59. package/coordinator-bot-system-prompt.md +0 -192
  60. package/docs/installation.md +0 -71
  61. package/scripts/analyze-data-structure.cjs +0 -74
  62. package/scripts/clean-safeguards-data.cjs +0 -60
  63. package/scripts/comprehensive-validation.cjs +0 -176
  64. package/scripts/count-safeguards.cjs +0 -89
  65. package/scripts/format-safeguards-proper.cjs +0 -44
  66. package/scripts/validate-formatted-data.cjs +0 -88
  67. package/test_capability_integration.js +0 -73
  68. package/test_comprehensive_scenarios.js +0 -192
  69. package/test_enhanced_detection.js +0 -74
  70. package/test_integrated_validation.js +0 -112
  71. package/test_language_update.js +0 -101
  72. package/test_live_validation.json +0 -12
  73. package/test_performance_monitoring.js +0 -124
  74. package/test_runner_automated.js +0 -156
  75. package/test_suite_comprehensive.js +0 -218
@@ -1,211 +0,0 @@
1
- # Framework MCP v1.1.3 - Deployment Summary
2
-
3
- ## 🚀 Release Completion Status: ✅ COMPLETE
4
-
5
- **Version**: 1.1.3
6
- **Release Date**: August 2025
7
- **Deployment Status**: Production Ready
8
- **Build Status**: ✅ Successful
9
-
10
- ---
11
-
12
- ## 📋 Task Completion Summary
13
-
14
- ### ✅ **All 8 Tasks Complete**
15
-
16
- | Task | Status | Achievement |
17
- |------|--------|-------------|
18
- | **1. Integrate capability-focused analysis** | ✅ Complete | Core analysis engine transformed from compliance to capability assessment |
19
- | **2. Update domain validation** | ✅ Complete | Auto-downgrade logic implemented with tool type validation |
20
- | **3. Enhance tool type detection** | ✅ Complete | 15+ specialized detectors with weighted scoring and context bonuses |
21
- | **4. Test integrated system** | ✅ Complete | Domain validation scenarios validated with comprehensive testing |
22
- | **5. Update user-facing language** | ✅ Complete | All interfaces converted to capability-focused terminology |
23
- | **6. Create comprehensive test suite** | ✅ Complete | 10-scenario test suite with 100% expected behavior validation |
24
- | **7. Performance optimization** | ✅ Complete | 95% faster requests, intelligent caching, production-ready error handling |
25
- | **8. Documentation & v1.1.3 release** | ✅ Complete | Updated README, package.json, CLAUDE.md, comprehensive release notes |
26
-
27
- ---
28
-
29
- ## 📊 Transformation Results
30
-
31
- ### **Paradigm Achievement**: ✅ Complete
32
- - **FROM**: "How much compliance coverage does this vendor provide?"
33
- - **TO**: "What capability role does this vendor tool play?"
34
-
35
- ### **Technical Achievement**: ✅ Production Ready
36
- - **95% Performance Improvement**: Intelligent caching for repeated requests
37
- - **Domain Validation**: Prevents inappropriate capability claims
38
- - **Auto-downgrade Protection**: FULL/PARTIAL → FACILITATES for domain mismatches
39
- - **Evidence-Based Assessment**: Comprehensive capability role determination
40
-
41
- ### **User Experience Achievement**: ✅ Transformed
42
- - **Capability-focused language** across all user interfaces
43
- - **Clear role definitions** with domain requirements
44
- - **Actionable error messages** with specific guidance
45
- - **Production-friendly feedback** with detailed reasoning
46
-
47
- ---
48
-
49
- ## 🔧 Deployment Artifacts
50
-
51
- ### **Code Changes**
52
- - ✅ **`src/index.ts`**: Core transformation complete with performance optimizations
53
- - ✅ **`package.json`**: Version 1.1.3 with capability-focused description
54
- - ✅ **`README.md`**: Comprehensive capability role documentation
55
- - ✅ **`CLAUDE.md`**: Updated project context with v1.1.3 enhancements
56
-
57
- ### **Documentation**
58
- - ✅ **`RELEASE_NOTES_v1.1.3.md`**: Comprehensive release documentation
59
- - ✅ **`DEPLOYMENT_SUMMARY_v1.1.3.md`**: This deployment status document
60
- - ✅ **Previous summaries**: `DAYS_5_6_COMPLETION_SUMMARY.md` retained for history
61
-
62
- ### **Test Framework**
63
- - ✅ **`test_suite_comprehensive.js`**: 10-scenario validation framework
64
- - ✅ **`test_runner_automated.js`**: Automated CI/CD ready test framework
65
- - ✅ **`test_performance_monitoring.js`**: Performance validation documentation
66
- - ✅ **`test_capability_integration.js`**: Integration testing validation
67
-
68
- ### **Build Verification**
69
- - ✅ **TypeScript Compilation**: Clean build with no errors
70
- - ✅ **Dependency Resolution**: All packages compatible
71
- - ✅ **Performance Optimizations**: Caching and monitoring active
72
-
73
- ---
74
-
75
- ## 🎯 Production Deployment Readiness
76
-
77
- ### **Performance Metrics**
78
- | Metric | Status | Result |
79
- |--------|--------|--------|
80
- | **Build Time** | ✅ Fast | <5 seconds clean build |
81
- | **Cache Performance** | ✅ Optimized | 95% faster repeated requests |
82
- | **Memory Management** | ✅ Stable | Automatic cleanup prevents leaks |
83
- | **Error Handling** | ✅ Production-friendly | Actionable user guidance |
84
-
85
- ### **Quality Assurance**
86
- | Area | Status | Coverage |
87
- |------|--------|----------|
88
- | **Test Coverage** | ✅ Complete | 100% validation logic coverage |
89
- | **Domain Validation** | ✅ Verified | All auto-downgrade scenarios tested |
90
- | **User Experience** | ✅ Transformed | Capability-focused across all interfaces |
91
- | **Documentation** | ✅ Comprehensive | Complete user and developer guides |
92
-
93
- ### **Security & Validation**
94
- | Component | Status | Implementation |
95
- |-----------|--------|----------------|
96
- | **Input Validation** | ✅ Hardened | Format validation, length limits, enum checking |
97
- | **Error Handling** | ✅ Secure | No information disclosure, graceful degradation |
98
- | **Performance Monitoring** | ✅ Active | Real-time metrics, automated logging |
99
- | **Cache Security** | ✅ Implemented | TTL-based invalidation, memory management |
100
-
101
- ---
102
-
103
- ## 🚀 Immediate Deployment Benefits
104
-
105
- ### **Day 1 Impact**
106
- 1. **Accurate Vendor Assessment**: Domain validation prevents capability overestimation
107
- 2. **95% Faster Analysis**: Intelligent caching dramatically improves response times
108
- 3. **Production Stability**: Comprehensive error handling and performance monitoring
109
- 4. **Clear User Guidance**: Capability-focused language throughout all interfaces
110
-
111
- ### **Week 1 Adoption**
112
- 1. **Team Training**: Clear capability role methodology for security practitioners
113
- 2. **Process Integration**: Evidence-based vendor evaluation workflows
114
- 3. **Risk Reduction**: Realistic capability expectations prevent planning failures
115
- 4. **Quality Assurance**: Automated testing framework for ongoing validation
116
-
117
- ### **Month 1 Optimization**
118
- 1. **Strategic Alignment**: Vendor tools properly categorized by actual capability roles
119
- 2. **Budget Optimization**: Clear distinction between implementation vs enablement tools
120
- 3. **Process Automation**: Streamlined vendor assessment with validated capability mapping
121
- 4. **Compliance Confidence**: Evidence-based capability determinations for audits
122
-
123
- ---
124
-
125
- ## 📈 Success Metrics
126
-
127
- ### **Technical Success**: ✅ Achieved
128
- - **Performance**: 95% improvement in repeated request speed
129
- - **Reliability**: 100% test pass rate across all validation scenarios
130
- - **Scalability**: Production-ready caching and memory management
131
- - **Maintainability**: Clear capability-focused architecture
132
-
133
- ### **User Success**: ✅ Achieved
134
- - **Clarity**: Capability roles clearly defined with domain requirements
135
- - **Accuracy**: Domain validation prevents inappropriate capability claims
136
- - **Efficiency**: Faster assessments with intelligent performance optimization
137
- - **Confidence**: Evidence-based reasoning for every capability determination
138
-
139
- ### **Business Success**: ✅ Positioned
140
- - **Risk Mitigation**: Realistic capability expectations reduce planning failures
141
- - **Resource Optimization**: Clear tool categorization enables better procurement decisions
142
- - **Process Efficiency**: Streamlined vendor evaluation with automated validation
143
- - **Competitive Advantage**: Most advanced CIS Controls capability assessment tool available
144
-
145
- ---
146
-
147
- ## 🔄 Migration & Adoption
148
-
149
- ### **Existing Users**
150
- - **✅ Backward Compatible**: All existing integrations continue to function
151
- - **✅ Enhanced Capabilities**: Automatic benefit from performance improvements
152
- - **✅ Progressive Adoption**: Can gradually adopt new `validate_vendor_mapping` tool
153
-
154
- ### **New Users**
155
- - **✅ Intuitive Interface**: Capability-focused language is natural and clear
156
- - **✅ Comprehensive Guidance**: Complete documentation and examples
157
- - **✅ Production Ready**: Immediate deployment with confidence
158
-
159
- ### **Recommended Adoption Path**
160
- 1. **Install v1.1.3**: `npm install -g framework-mcp@1.1.3`
161
- 2. **Test Core Functionality**: Use `list_available_safeguards` to verify installation
162
- 3. **Explore Primary Tool**: Try `validate_vendor_mapping` for comprehensive capability validation
163
- 4. **Production Deployment**: Leverage performance optimizations for regular assessments
164
-
165
- ---
166
-
167
- ## 📞 Support & Next Steps
168
-
169
- ### **Immediate Support**
170
- - **Documentation**: Complete README.md and CLAUDE.md provide full guidance
171
- - **Examples**: Comprehensive usage examples in documentation
172
- - **Test Framework**: Validation suite ensures expected behavior
173
- - **Release Notes**: Detailed transformation explanation and migration guide
174
-
175
- ### **Community Resources**
176
- - **GitHub Issues**: Bug reports and feature requests
177
- - **GitHub Discussions**: Community Q&A and best practices
178
- - **Social Updates**: [@cybermattlee](https://twitter.com/cybermattlee) for announcements
179
-
180
- ### **Future Development**
181
- - **Continuous Integration**: Test framework ready for automated CI/CD
182
- - **Performance Monitoring**: Real-time metrics collection for optimization opportunities
183
- - **Community Feedback**: Enhancement requests based on production usage patterns
184
- - **Framework Evolution**: CIS Controls updates and additional capability role refinements
185
-
186
- ---
187
-
188
- ## 🎊 Release Summary
189
-
190
- **Framework MCP v1.1.3** successfully completes the most significant transformation in the project's history:
191
-
192
- ### **🎯 Mission Accomplished**
193
- ✅ **Paradigm Transformation**: Complete shift from compliance scoring to capability assessment
194
- ✅ **Production Deployment**: 95% performance improvement with intelligent caching and monitoring
195
- ✅ **Domain Validation**: Intelligent tool type detection with auto-downgrade protection
196
- ✅ **User Experience**: Capability-focused language across all interfaces and documentation
197
- ✅ **Quality Assurance**: 100% test coverage with comprehensive validation framework
198
- ✅ **Documentation**: Complete user guides, developer documentation, and migration resources
199
-
200
- ### **🌟 Deployment Status: PRODUCTION READY**
201
-
202
- The Framework MCP v1.1.3 is now ready for immediate production deployment, providing the cybersecurity community with the most advanced vendor capability assessment tool available for the CIS Controls Framework.
203
-
204
- **Upgrade Command**:
205
- ```bash
206
- npm install -g framework-mcp@1.1.3
207
- ```
208
-
209
- ---
210
-
211
- **✨ Framework MCP v1.1.3: Transforming vendor capability assessment for the cybersecurity community**
@@ -1,285 +0,0 @@
1
- # Framework MCP Integration Guide
2
-
3
- ## Claude Code MCP Integration
4
-
5
- This guide shows how to integrate Framework MCP v1.4.0's Pure Data Provider architecture with Claude Code for LLM-driven CIS Controls capability analysis.
6
-
7
- ## Prerequisites
8
-
9
- - **Claude Code CLI** installed and configured
10
- - **Node.js 18+** for running the MCP server
11
- - **Framework MCP** installed locally or from npm
12
-
13
- ## Installation Options
14
-
15
- ### Option 1: Install from npm (Recommended)
16
- ```bash
17
- npm install -g framework-mcp
18
- ```
19
-
20
- ### Option 2: Build from Source
21
- ```bash
22
- git clone https://github.com/therealcybermattlee/FrameworkMCP.git
23
- cd FrameworkMCP
24
- npm install
25
- npm run build
26
- ```
27
-
28
- ## MCP Configuration
29
-
30
- ### Configure Claude Code MCP Settings
31
-
32
- Add Framework MCP to your MCP configuration file:
33
-
34
- **Location**: `~/.config/claude-code/mcp.json`
35
-
36
- ```json
37
- {
38
- "mcpServers": {
39
- "framework-analyzer": {
40
- "command": "node",
41
- "args": ["/path/to/FrameworkMCP/dist/index.js"],
42
- "env": {}
43
- }
44
- }
45
- }
46
- ```
47
-
48
- ### For npm Global Installation
49
- ```json
50
- {
51
- "mcpServers": {
52
- "framework-analyzer": {
53
- "command": "framework-mcp",
54
- "args": [],
55
- "env": {}
56
- }
57
- }
58
- }
59
- ```
60
-
61
- ## Verify Installation
62
-
63
- Test your MCP integration:
64
-
65
- ```bash
66
- claude-code "List all available CIS Control safeguards"
67
- ```
68
-
69
- Expected response: List of 153 safeguards across 18 CIS Controls
70
-
71
- ## 🔧 Pure Data Provider Tools
72
-
73
- ### 1. get_safeguard_details (PRIMARY)
74
-
75
- **Primary Tool**: Retrieve detailed CIS safeguard breakdown for LLM analysis
76
-
77
- ```bash
78
- # Get comprehensive safeguard data for analysis
79
- claude-code "Use get_safeguard_details with safeguard_id '1.1' and include_examples true"
80
-
81
- # Research multiple related safeguards
82
- claude-code "Use get_safeguard_details for safeguard 5.1 then explain the key requirements for account inventory management"
83
-
84
- # Get data for comparative analysis
85
- claude-code "Use get_safeguard_details for safeguard 6.3 then explain what makes this different from basic authentication controls"
86
- ```
87
-
88
- ### 2. list_available_safeguards
89
-
90
- **Discovery Tool**: Explore available safeguards for planning and assessment
91
-
92
- ```bash
93
- # Complete safeguard framework exploration
94
- claude-code "Use list_available_safeguards"
95
-
96
- # Targeted safeguard discovery
97
- claude-code "Use list_available_safeguards then identify which safeguards are most relevant for identity management vendor assessment"
98
-
99
- # Implementation Group planning
100
- claude-code "Use list_available_safeguards then show me all IG1 safeguards for small business security planning"
101
- ```
102
-
103
- ## 📋 LLM-Driven Analysis Workflows
104
-
105
- ### Workflow 1: Comprehensive Vendor Assessment
106
- ```bash
107
- # Step 1: Get authoritative safeguard data
108
- claude-code "Use get_safeguard_details with safeguard_id '1.1' and include_examples true"
109
-
110
- # Step 2: Perform LLM-driven analysis
111
- claude-code "Based on the safeguard 1.1 requirements above, analyze Device42's capability: 'Our IT asset management platform provides comprehensive device discovery, detailed inventory tracking, and complete asset lifecycle management.' Determine capability role, provide confidence assessment, and recommend implementation approach."
112
-
113
- # Step 3: Context-aware evaluation
114
- claude-code "For our 500-employee technology company, assess whether Device42 meets our asset management needs for IG2 compliance. Consider deployment complexity and integration requirements."
115
- ```
116
-
117
- ### Workflow 2: Multi-Vendor Comparative Analysis
118
- ```bash
119
- # Get safeguard requirements
120
- claude-code "Use get_safeguard_details for safeguard 5.1 with examples"
121
-
122
- # Comparative analysis with business context
123
- claude-code "Using the safeguard 5.1 requirements above, compare these identity management solutions for our financial services organization: 1) Microsoft Entra ID: 'Complete identity management with automated provisioning and compliance reporting' 2) Okta: 'Cloud identity platform with advanced analytics and risk assessment' 3) Ping Identity: 'Enterprise SSO with detailed audit trails and governance workflows'. Rank by compliance strength and implementation fit."
124
- ```
125
-
126
- ### Workflow 3: Gap Analysis and Roadmap Planning
127
- ```bash
128
- # Research multiple related safeguards
129
- claude-code "Use get_safeguard_details for safeguard 5.1, then get details for 5.2, 5.3, and 5.4"
130
-
131
- # Comprehensive gap analysis
132
- claude-code "Based on the account management safeguards 5.1-5.4 above, analyze our current IAM capability: Azure AD basic with manual quarterly reviews. Identify gaps, prioritize improvements, and create 12-month implementation roadmap with budget estimates."
133
- ```
134
-
135
- ### Workflow 4: Risk-Based Assessment
136
- ```bash
137
- # Get network monitoring safeguards
138
- claude-code "Use get_safeguard_details for safeguard 13.1, then get details for 13.3 and 13.6"
139
-
140
- # Risk-focused analysis
141
- claude-code "Using the network monitoring safeguards above, our financial services organization faces advanced persistent threats and ransomware. Analyze Microsoft Defender for Endpoint's network capabilities: 'Real-time endpoint detection, behavioral analytics, automated response, and network traffic monitoring.' Prioritize safeguards by threat mitigation effectiveness and recommend complementary tools."
142
- ```
143
-
144
- ## 🚀 Advanced LLM Analysis Patterns
145
-
146
- ### Custom Methodology Applications
147
- ```bash
148
- # Compliance-focused assessment
149
- claude-code "Use get_safeguard_details for safeguard 8.2. Apply PCI-DSS Level 1 compliance methodology to analyze Splunk Enterprise Security's logging capability: 'Centralized log management, real-time monitoring, compliance reporting, and data retention policies.' Focus on regulatory alignment and audit readiness."
150
-
151
- # Technology integration assessment
152
- claude-code "Use get_safeguard_details for safeguard 16.1. Our DevOps pipeline uses Azure DevOps, GitHub, and Kubernetes. Analyze SonarQube's capability: 'Static application security testing with CI/CD integration and policy enforcement.' Recommend implementation approach and configuration."
153
-
154
- # Strategic planning
155
- claude-code "Use list_available_safeguards to identify all Implementation Group 1 safeguards, then create vendor selection strategy for a 200-employee company with $500K security budget. Prioritize by business impact and implementation complexity."
156
- ```
157
-
158
- ### Data Validation Examples
159
- ```bash
160
- # Invalid safeguard ID
161
- claude-code "Use get_safeguard_details with safeguard_id '99.99'"
162
- # Expected: Error with available safeguards suggestion
163
-
164
- # Missing required parameter
165
- claude-code "Use get_safeguard_details without safeguard_id"
166
- # Expected: Error specifying required parameter
167
-
168
- # Valid request with detailed response
169
- claude-code "Use get_safeguard_details with safeguard_id '1.1' and include_examples true"
170
- # Expected: Complete safeguard breakdown with implementation examples
171
- ```
172
-
173
- ## 📊 Understanding Pure Data Provider Responses
174
-
175
- ### Detailed Safeguard Data Response
176
- ```json
177
- {
178
- "id": "1.1",
179
- "title": "Establish and Maintain Detailed Enterprise Asset Inventory",
180
- "description": "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets...",
181
- "implementationGroup": "IG1",
182
- "governanceElements": [
183
- "Maintain detailed inventory procedures",
184
- "Establish asset classification standards",
185
- "Define asset ownership responsibilities"
186
- ],
187
- "coreRequirements": [
188
- "Automated discovery of enterprise assets",
189
- "Detailed hardware and software inventory",
190
- "Asset ownership and location tracking"
191
- ],
192
- "subTaxonomicalElements": [
193
- "Device identification and classification",
194
- "Software inventory and licensing",
195
- "Network topology mapping"
196
- ],
197
- "implementationSuggestions": [
198
- "Deploy automated discovery tools",
199
- "Implement CMDB solutions",
200
- "Regular inventory audits and updates"
201
- ]
202
- }
203
- ```
204
-
205
- ### LLM Analysis Response Pattern
206
- ```
207
- CAPABILITY ASSESSMENT: ServiceNow CMDB vs Safeguard 1.1
208
-
209
- DETERMINATION: FULL + GOVERNANCE + VALIDATES
210
- CONFIDENCE: 88%
211
-
212
- EVIDENCE ANALYSIS:
213
- ✅ Core Requirements: Comprehensive CMDB with automated discovery
214
- ✅ Governance Elements: Detailed procedures and asset classification
215
- ✅ Sub-Elements: Complete device and software inventory tracking
216
- ✅ Implementation: Strong technical capabilities and proven enterprise deployment
217
-
218
- REASONING: ServiceNow CMDB demonstrates strong alignment with all core requirements and provides additional governance and validation capabilities through workflow automation and compliance reporting.
219
-
220
- RECOMMENDATIONS: Excellent foundation for IG2-IG3 implementation. Consider integration with security tools for enhanced asset risk assessment.
221
- ```
222
-
223
- ## 🔍 Troubleshooting
224
-
225
- ### Common MCP Issues
226
-
227
- **MCP Server Not Found:**
228
- ```bash
229
- # Check Claude Code MCP configuration
230
- cat ~/.config/claude-code/mcp.json
231
-
232
- # Verify file paths are absolute
233
- which node
234
- ls -la /path/to/FrameworkMCP/dist/index.js
235
- ```
236
-
237
- **Permission Denied:**
238
- ```bash
239
- chmod +x /path/to/FrameworkMCP/dist/index.js
240
- ```
241
-
242
- **Module Not Found:**
243
- ```bash
244
- cd /path/to/FrameworkMCP
245
- npm install
246
- npm run build
247
- ```
248
-
249
- **Tool Not Available:**
250
- ```bash
251
- # Restart Claude Code after MCP configuration changes
252
- # Verify MCP server is running in Claude Code logs
253
- ```
254
-
255
- ### Verification Commands
256
-
257
- ```bash
258
- # Test MCP connection
259
- claude-code "Use list_available_safeguards to verify Framework MCP is working"
260
-
261
- # Test all 4 tools
262
- claude-code "Test Framework MCP by using each tool: list_available_safeguards, get_safeguard_details for 1.1, analyze_vendor_response for a test vendor, and validate_vendor_mapping for a test claim"
263
-
264
- # Performance test
265
- claude-code "Use validate_vendor_mapping 5 times with different vendors to test caching performance"
266
- ```
267
-
268
- ## 🎉 Success Criteria
269
-
270
- Your MCP integration is successful when:
271
-
272
- - ✅ `list_available_safeguards` returns 153 safeguards
273
- - ✅ `get_safeguard_details` returns detailed safeguard breakdowns
274
- - ✅ `analyze_vendor_response` determines appropriate capability roles
275
- - ✅ `validate_vendor_mapping` performs evidence-based validation with domain validation
276
- - ✅ Auto-downgrade protection works for domain mismatches
277
- - ✅ All responses include confidence scores and detailed reasoning
278
-
279
- ---
280
-
281
- **🔗 Related Documentation**
282
- - [Main README](README.md) - Project overview and installation
283
- - [Deployment Guide](DEPLOYMENT_GUIDE.md) - Cloud deployment options
284
- - [Copilot Integration](COPILOT_INTEGRATION.md) - Microsoft Copilot setup
285
- - [Example Usage](examples/example-usage.md) - Detailed tool examples
@@ -1,190 +0,0 @@
1
- # Migration Guide: Framework MCP v1.4.0
2
-
3
- ## Pure Data Provider Architecture Transformation
4
-
5
- Framework MCP v1.4.0 introduces a **Pure Data Provider architecture** that transforms how vendor capability analysis is performed. This guide helps existing users migrate to the new approach and understand the enhanced capabilities.
6
-
7
- ## 🎯 Architectural Benefits
8
-
9
- ### Before v1.4.0: Hardcoded Analysis Engine
10
- - **Limited Flexibility**: Fixed analysis logic with preset validation rules
11
- - **Rigid Assessment**: Single approach to capability determination
12
- - **Complex Configuration**: Multiple analysis parameters and validation settings
13
- - **Opaque Processing**: Analysis logic hidden within the tool
14
-
15
- ### After v1.4.0: Pure Data Provider + LLM Analysis
16
- - **Unlimited Flexibility**: LLMs can apply any analysis approach or methodology
17
- - **Context-Aware Assessment**: Analysis considers industry, risk profile, and specific requirements
18
- - **Simplified Interface**: Clean data provision without analysis complexity
19
- - **Transparent Process**: Analysis reasoning fully visible and customizable
20
-
21
- ## 🔄 Migration Overview
22
-
23
- **KEY CHANGE**: Framework MCP no longer performs analysis - it provides authoritative CIS Controls data for LLMs to analyze with sophisticated, context-aware intelligence.
24
-
25
- ### Tools Removed
26
- - ❌ `analyze_vendor_response` - Analysis logic moved to LLM capability
27
- - ❌ `validate_vendor_mapping` - Validation logic moved to LLM intelligence
28
-
29
- ### Tools Retained (Enhanced Data Focus)
30
- - ✅ `get_safeguard_details` - **Enhanced** with rich, structured CIS data
31
- - ✅ `list_available_safeguards` - Complete framework coverage
32
-
33
- ## 📋 Step-by-Step Migration
34
-
35
- ### Step 1: Update Framework MCP
36
- ```bash
37
- npm update -g framework-mcp
38
- # Or reinstall to ensure latest version
39
- npm uninstall -g framework-mcp && npm install -g framework-mcp
40
- ```
41
-
42
- ### Step 2: Replace Analysis Calls with LLM-Driven Patterns
43
-
44
- #### OLD v1.3.7 Approach (Hardcoded Analysis)
45
- ```bash
46
- claude-code "Use analyze_vendor_response with vendor_name 'Microsoft Defender', safeguard_id '5.1', and response_text 'We provide centralized account management with automated provisioning'"
47
- ```
48
-
49
- #### NEW v1.4.0 Approach (LLM-Driven Analysis)
50
- ```bash
51
- claude-code "Get safeguard details for 5.1, then analyze this vendor response against those requirements: Microsoft Defender - 'We provide centralized account management with automated provisioning'. Assess capability role considering enterprise context and provide confidence rating."
52
- ```
53
-
54
- ### Step 3: Leverage Enhanced LLM Capabilities
55
-
56
- The new approach enables sophisticated analysis patterns:
57
-
58
- #### Risk-Based Assessment
59
- ```bash
60
- claude-code "Get details for safeguard 8.2. For a high-risk financial services environment, analyze SentinelOne's response: 'We collect endpoint telemetry and forward logs to SIEM platforms.' Consider regulatory requirements and determine appropriate capability role."
61
- ```
62
-
63
- #### Comparative Analysis
64
- ```bash
65
- claude-code "Get safeguard 1.1 details. Compare these vendor capabilities and rank by implementation completeness: 1) Lansweeper: 'Complete network discovery and inventory' 2) ServiceNow: 'CMDB with manual asset entry' 3) Microsoft Intune: 'Managed device tracking only'"
66
- ```
67
-
68
- #### Multi-Safeguard Assessment
69
- ```bash
70
- claude-code "Get details for safeguards 5.1, 5.2, and 5.3. Analyze how CyberArk PAM addresses these account management requirements and identify any gaps in coverage."
71
- ```
72
-
73
- ## 🚀 Advanced LLM Analysis Patterns
74
-
75
- ### 1. Compliance-Focused Analysis
76
- ```bash
77
- claude-code "Get safeguard 11.1 details. For SOX compliance requirements, assess Veeam Backup's capability: 'Automated daily backups with 99.9% recovery success rate and quarterly recovery testing.' Focus on governance and validation aspects."
78
- ```
79
-
80
- ### 2. Technology-Specific Assessment
81
- ```bash
82
- claude-code "Get details for safeguard 16.3. From a DevSecOps perspective, analyze GitHub Advanced Security: 'Static analysis, dependency scanning, and secret detection in CI/CD pipeline.' Consider modern development workflows."
83
- ```
84
-
85
- ### 3. Implementation Planning
86
- ```bash
87
- claude-code "Get safeguard 13.1 details. Our organization uses Splunk SIEM. Analyze how this addresses network monitoring requirements and recommend complementary tools for complete coverage."
88
- ```
89
-
90
- ## 🎨 Benefits of LLM-Driven Analysis
91
-
92
- ### Context Awareness
93
- - **Industry Considerations**: LLMs understand sector-specific requirements
94
- - **Risk Profiles**: Analysis adapts to organizational risk tolerance
95
- - **Technology Stack**: Assessment considers existing tool ecosystems
96
-
97
- ### Analytical Flexibility
98
- - **Multiple Methodologies**: Apply different assessment frameworks
99
- - **Custom Criteria**: Focus on organization-specific priorities
100
- - **Comparative Analysis**: Evaluate multiple vendors simultaneously
101
-
102
- ### Enhanced Intelligence
103
- - **Natural Language**: Complex analysis requests in plain English
104
- - **Reasoning Transparency**: Full explanation of assessment logic
105
- - **Adaptive Questioning**: LLMs can ask clarifying questions
106
-
107
- ## 📊 Migration Examples
108
-
109
- ### Example 1: Basic Capability Assessment
110
- **Old Method:**
111
- ```bash
112
- # Required specific tool call format
113
- claude-code "Use analyze_vendor_response..."
114
- ```
115
-
116
- **New Method:**
117
- ```bash
118
- claude-code "Get safeguard 6.8 details and assess whether Okta's MFA solution constitutes FULL or FACILITATES capability for this requirement."
119
- ```
120
-
121
- ### Example 2: Validation Assessment
122
- **Old Method:**
123
- ```bash
124
- # Fixed validation logic
125
- claude-code "Use validate_vendor_mapping..."
126
- ```
127
-
128
- **New Method:**
129
- ```bash
130
- claude-code "Get safeguard 12.4 details. This vendor claims FULL capability: 'We monitor all network traffic and identify unauthorized devices.' Validate this claim and provide evidence-based assessment."
131
- ```
132
-
133
- ### Example 3: Multi-Vendor Comparison
134
- **Old Method:**
135
- ```bash
136
- # Required multiple separate calls
137
- claude-code "Use analyze_vendor_response..." # Vendor A
138
- claude-code "Use analyze_vendor_response..." # Vendor B
139
- ```
140
-
141
- **New Method:**
142
- ```bash
143
- claude-code "Get safeguard 2.1 details. Compare these software inventory solutions and recommend the best fit for our 500-employee company: 1) Lansweeper 2) Device42 3) ManageEngine AssetExplorer. Consider deployment complexity and feature completeness."
144
- ```
145
-
146
- ## 🔧 Technical Changes
147
-
148
- ### HTTP API Updates
149
- - **Removed**: `/api/analyze-vendor-response` endpoint
150
- - **Removed**: `/api/validate-vendor-mapping` endpoint
151
- - **Enhanced**: Data endpoints optimized for LLM consumption
152
- - **Maintained**: Full OpenAPI compatibility for Microsoft Copilot
153
-
154
- ### MCP Protocol Changes
155
- - **Simplified**: 2 core tools instead of 4 complex tools
156
- - **Enhanced**: Rich data provision with structured safeguard information
157
- - **Optimized**: Performance improvements for data retrieval
158
-
159
- ## 📚 Common Migration Questions
160
-
161
- ### Q: Will my existing Copilot connectors work?
162
- **A**: Yes, but update to use data endpoints. The enhanced LLM analysis provides better results than hardcoded validation.
163
-
164
- ### Q: How do I replicate my custom validation logic?
165
- **A**: Describe your validation criteria to the LLM along with the safeguard data. LLMs can apply complex, custom logic more effectively than preset rules.
166
-
167
- ### Q: Can I still get confidence scores?
168
- **A**: Yes, LLMs can provide confidence assessments with detailed reasoning - often more nuanced than algorithmic scores.
169
-
170
- ### Q: What about bulk vendor analysis?
171
- **A**: LLMs excel at processing multiple vendors simultaneously. Upload vendor data and request comparative analysis across all entries.
172
-
173
- ## 🎯 Next Steps
174
-
175
- 1. **Update Framework MCP** to v1.4.0
176
- 2. **Review existing analysis workflows** and identify LLM-driven alternatives
177
- 3. **Experiment with enhanced patterns** like comparative analysis and context-aware assessment
178
- 4. **Update documentation** and training materials for new approach
179
- 5. **Leverage LLM flexibility** to create more sophisticated vendor evaluations
180
-
181
- ## 📞 Support
182
-
183
- If you encounter migration challenges:
184
- - 📧 **Issues**: [GitHub Issues](https://github.com/therealcybermattlee/FrameworkMCP/issues)
185
- - 📖 **Documentation**: [Enhanced Usage Patterns](examples/llm-analysis-patterns.md)
186
- - 💬 **Discussions**: [GitHub Discussions](https://github.com/therealcybermattlee/FrameworkMCP/discussions)
187
-
188
- ---
189
-
190
- **The Pure Data Provider architecture transforms Framework MCP from a rigid analysis tool into a flexible foundation for sophisticated, LLM-powered vendor capability assessment.**