framework-mcp 2.4.6 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/README.md +35 -10
  2. package/dist/core/safeguard-manager.d.ts.map +1 -1
  3. package/dist/core/safeguard-manager.js +164 -7066
  4. package/dist/core/safeguard-manager.js.map +1 -1
  5. package/dist/index.d.ts +1 -0
  6. package/dist/index.d.ts.map +1 -1
  7. package/dist/index.js.map +1 -1
  8. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  9. package/dist/interfaces/http/http-server.js +6 -40
  10. package/dist/interfaces/http/http-server.js.map +1 -1
  11. package/dist/interfaces/mcp/mcp-server.js +3 -3
  12. package/dist/shared/types.d.ts +49 -60
  13. package/dist/shared/types.d.ts.map +1 -1
  14. package/dist/shared/types.js.map +1 -1
  15. package/package.json +9 -3
  16. package/swagger.json +10 -133
  17. package/.claude/agents/mcp-developer.md +0 -41
  18. package/.claude/agents/project-orchestrator.md +0 -43
  19. package/.claude/agents/version-consistency-reviewer.md +0 -50
  20. package/.claude/commands/speckit.analyze.md +0 -184
  21. package/.claude/commands/speckit.checklist.md +0 -294
  22. package/.claude/commands/speckit.clarify.md +0 -181
  23. package/.claude/commands/speckit.constitution.md +0 -82
  24. package/.claude/commands/speckit.implement.md +0 -135
  25. package/.claude/commands/speckit.plan.md +0 -89
  26. package/.claude/commands/speckit.specify.md +0 -258
  27. package/.claude/commands/speckit.tasks.md +0 -137
  28. package/.claude/commands/speckit.taskstoissues.md +0 -30
  29. package/.claude/config.json +0 -11
  30. package/.claude_config.json +0 -11
  31. package/.do/app.yaml +0 -78
  32. package/.github/dependabot.yml +0 -15
  33. package/.github/workflows/ci.yml +0 -90
  34. package/.github/workflows/release.yml +0 -30
  35. package/.mcp.json +0 -11
  36. package/.specify/memory/constitution.md +0 -50
  37. package/.specify/scripts/bash/check-prerequisites.sh +0 -166
  38. package/.specify/scripts/bash/common.sh +0 -156
  39. package/.specify/scripts/bash/create-new-feature.sh +0 -297
  40. package/.specify/scripts/bash/setup-plan.sh +0 -61
  41. package/.specify/scripts/bash/update-agent-context.sh +0 -799
  42. package/.specify/templates/agent-file-template.md +0 -28
  43. package/.specify/templates/checklist-template.md +0 -40
  44. package/.specify/templates/plan-template.md +0 -104
  45. package/.specify/templates/spec-template.md +0 -115
  46. package/.specify/templates/tasks-template.md +0 -251
  47. package/examples/example-usage.md +0 -293
  48. package/examples/llm-analysis-patterns.md +0 -553
  49. package/examples/vendors.csv +0 -9
  50. package/examples/vendors.json +0 -32
  51. package/scripts/standardize-prompts.js +0 -325
  52. package/scripts/validate-capability-prompts.js +0 -110
  53. package/scripts/validate-documentation.sh +0 -150
  54. package/src/core/safeguard-manager.ts +0 -16891
  55. package/src/index.ts +0 -17
  56. package/src/interfaces/http/http-server.ts +0 -301
  57. package/src/interfaces/mcp/mcp-server.ts +0 -165
  58. package/src/shared/types.ts +0 -337
  59. package/tsconfig.json +0 -23
@@ -1,293 +0,0 @@
1
- # Framework MCP Usage Examples
2
-
3
- ## 🔧 Available Tools (4 Total)
4
-
5
- | Tool | Purpose | Example Use Case |
6
- |------|---------|------------------|
7
- | `validate_vendor_mapping` | **PRIMARY** - Validate claimed capabilities | "Does CrowdStrike really provide FULL coverage for asset inventory?" |
8
- | `analyze_vendor_response` | Determine appropriate capability role | "What capability should we assign to this vendor response?" |
9
- | `get_safeguard_details` | Get safeguard breakdown | "Show me all requirements for safeguard 5.1" |
10
- | `list_available_safeguards` | List all CIS safeguards | "What safeguards are available for analysis?" |
11
-
12
- ---
13
-
14
- ## 1. validate_vendor_mapping (PRIMARY Tool)
15
-
16
- **Purpose**: Evidence-based validation of vendor capability claims through comprehensive content analysis
17
-
18
- ### Example 1: FULL Capability Validation (Strong Evidence)
19
- ```bash
20
- claude-code "Use validate_vendor_mapping to validate:
21
- Vendor: AssetMax Pro
22
- Safeguard: 1.1
23
- Claimed Capability: full
24
- Supporting Text: Our platform provides comprehensive automated discovery, detailed inventory management with hardware/software tracking, enterprise asset ownership records, departmental assignments, network address management, and documented bi-annual review processes for all enterprise devices."
25
- ```
26
-
27
- **Expected Result**: SUPPORTED (high confidence with strong evidence coverage)
28
-
29
- ### Example 2: PARTIAL Capability Validation (Limited Scope)
30
- ```bash
31
- claude-code "Use validate_vendor_mapping to validate:
32
- Vendor: NetworkScanner Pro
33
- Safeguard: 1.1
34
- Claimed Capability: partial
35
- Supporting Text: Our network scanner provides comprehensive discovery and detailed inventory of network-connected devices including hardware specifications and operating systems, but is limited to devices accessible via network protocols and does not track software installations or offline systems."
36
- ```
37
-
38
- **Expected Result**: SUPPORTED (partial coverage with clearly defined scope limitations)
39
-
40
- ### Example 3: FACILITATES Capability Validation
41
- ```bash
42
- claude-code "Use validate_vendor_mapping to validate:
43
- Vendor: SecureAudit Plus
44
- Safeguard: 5.1
45
- Claimed Capability: facilitates
46
- Supporting Text: Our audit platform enhances existing identity management by providing detailed account usage analytics, compliance reporting, and risk-based account prioritization that strengthens account inventory processes."
47
- ```
48
-
49
- **Expected Result**: SUPPORTED (clear facilitation language and enhancement capabilities)
50
-
51
- ---
52
-
53
- ## 2. analyze_vendor_response
54
-
55
- **Purpose**: Determine appropriate capability role when unknown
56
-
57
- ### Example 1: Identity Management Analysis
58
- ```bash
59
- claude-code "Use analyze_vendor_response to analyze:
60
- Vendor: Microsoft Entra ID
61
- Safeguard: 5.1
62
- Response Text: We provide centralized identity management with automated user provisioning, comprehensive account lifecycle management, role-based access controls, detailed user directories with departmental tracking, and automated quarterly access reviews with compliance reporting."
63
- ```
64
-
65
- **Expected Result**: FULL capability (comprehensive identity management with strong evidence)
66
-
67
- ### Example 2: Secondary Capability Analysis
68
- ```bash
69
- claude-code "Use analyze_vendor_response to analyze:
70
- Vendor: Nessus Vulnerability Scanner
71
- Safeguard: 1.1
72
- Response Text: During vulnerability assessments, we perform comprehensive network discovery and maintain detailed device databases with operating system detection, service enumeration, and hardware fingerprinting."
73
- ```
74
-
75
- **Expected Result**: FACILITATES capability (indirect support through discovery capabilities)
76
-
77
- ---
78
-
79
- ## 3. get_safeguard_details
80
-
81
- **Purpose**: Understand safeguard requirements and structure
82
-
83
- ### Example 1: Basic Safeguard Details
84
- ```bash
85
- claude-code "Use get_safeguard_details for safeguard 1.1"
86
- ```
87
-
88
- ### Example 2: Detailed Safeguard with Examples
89
- ```bash
90
- claude-code "Use get_safeguard_details for safeguard 5.1 with include_examples set to true"
91
- ```
92
-
93
- ### Example 3: Multiple Safeguards Research
94
- ```bash
95
- claude-code "Use get_safeguard_details to show me the requirements for safeguards 1.1, 5.1, and 6.3, then explain the differences in their governance elements"
96
- ```
97
-
98
- ---
99
-
100
- ## 4. list_available_safeguards
101
-
102
- **Purpose**: Discover available CIS safeguards for analysis
103
-
104
- ### Example 1: Complete Safeguard List
105
- ```bash
106
- claude-code "Use list_available_safeguards to show all available CIS safeguards"
107
- ```
108
-
109
- ### Example 2: Safeguard Discovery for Planning
110
- ```bash
111
- claude-code "Use list_available_safeguards then identify which safeguards are most relevant for endpoint security vendor assessment"
112
- ```
113
-
114
- ---
115
-
116
- ## 🎯 Advanced Workflow Examples
117
-
118
- ### Comprehensive Vendor Assessment
119
- ```bash
120
- # Step 1: Research the safeguard
121
- claude-code "Use get_safeguard_details for safeguard 1.1 to understand requirements"
122
-
123
- # Step 2: Analyze vendor response
124
- claude-code "Use analyze_vendor_response for vendor 'Lansweeper' and safeguard '1.1' with response: 'Our IT asset management platform provides automated network discovery, comprehensive hardware and software inventory, detailed asset tracking with ownership and location data, and customizable reporting for compliance requirements.'"
125
-
126
- # Step 3: Validate specific capability claim
127
- claude-code "Use validate_vendor_mapping to validate Lansweeper's claim of 'full' capability for safeguard 1.1 with the same response text"
128
- ```
129
-
130
- ### Bulk Vendor Analysis
131
- ```bash
132
- # Create vendors.json file first
133
- claude-code "Use analyze_vendor_response for each vendor in this list:
134
- 1. Vendor: CrowdStrike, Safeguard: 1.1, Response: 'Falcon provides real-time asset visibility...'
135
- 2. Vendor: Qualys VMDR, Safeguard: 1.1, Response: 'Our scanner discovers and inventories...'
136
- 3. Vendor: ServiceNow CMDB, Safeguard: 1.1, Response: 'Complete asset lifecycle management...'"
137
- ```
138
-
139
- ### Insufficient Evidence Testing
140
- ```bash
141
- # Test validation with insufficient evidence
142
- claude-code "Use validate_vendor_mapping to test evidence analysis:
143
- Vendor: BasicTracker
144
- Safeguard: 1.1 (Asset Inventory)
145
- Claimed: full
146
- Supporting Text: We help track computers and provide some visibility into your IT environment."
147
- ```
148
-
149
- **Expected**: UNSUPPORTED (insufficient evidence for FULL capability claim)
150
-
151
- ---
152
-
153
- ## 📊 Sample Responses
154
-
155
- ### Successful FULL Validation
156
- ```json
157
- {
158
- "vendor_name": "ServiceNow CMDB",
159
- "safeguard_id": "1.1",
160
- "validation_status": "SUPPORTED",
161
- "confidence_score": 92,
162
- "validated_capability": "full",
163
- "content_validation": {
164
- "implementation_depth": "comprehensive",
165
- "scope_clarity": "well_defined",
166
- "evidence_strength": "strong",
167
- "capability_aligned": true
168
- },
169
- "evidence_analysis": {
170
- "core_requirements_score": 95,
171
- "sub_elements_score": 85,
172
- "governance_elements_score": 90,
173
- "language_consistency_score": 98
174
- }
175
- }
176
- ```
177
-
178
- ### Insufficient Evidence Example
179
- ```json
180
- {
181
- "vendor_name": "BasicTracker",
182
- "safeguard_id": "1.1",
183
- "validation_status": "UNSUPPORTED",
184
- "confidence_score": 35,
185
- "claimed_capability": "full",
186
- "validated_capability": "facilitates",
187
- "content_validation": {
188
- "implementation_depth": "limited",
189
- "scope_clarity": "vague",
190
- "evidence_strength": "weak",
191
- "capability_aligned": false
192
- },
193
- "gaps_identified": [
194
- "Insufficient detail on asset tracking capabilities",
195
- "Missing governance and review processes"
196
- ]
197
- }
198
- ```
199
-
200
- ---
201
-
202
- ## 🔍 Real-World Scenarios
203
-
204
- ### GRC Team Assessment
205
- ```bash
206
- # Scenario: Evaluating vendors for CIS Control 5 (Account Management)
207
- claude-code "Use get_safeguard_details for safeguard 5.1 then analyze these vendor responses for capability roles:
208
-
209
- 1. Okta: 'Comprehensive identity lifecycle management with automated provisioning, detailed user directories, and quarterly access reviews'
210
- 2. Active Directory: 'Centralized user account management with group policies and basic reporting'
211
- 3. SailPoint: 'Identity governance with automated access reviews, certification campaigns, and detailed account analytics'"
212
- ```
213
-
214
- ### Security Tool Validation
215
- ```bash
216
- # Scenario: Vendor claims validation for compliance audit
217
- claude-code "Use validate_vendor_mapping to validate these capability claims:
218
-
219
- Vendor: CyberArk PAM
220
- Safeguard: 5.1
221
- Claimed: full
222
- Supporting Text: Our privileged access management solution maintains comprehensive inventories of all privileged accounts, implements automated lifecycle management, provides detailed access tracking with ownership records, and includes quarterly certification processes with full audit trails."
223
- ```
224
-
225
- ### Multi-Safeguard Assessment
226
- ```bash
227
- # Scenario: Comprehensive vendor evaluation across multiple controls
228
- claude-code "Analyze this vendor across multiple safeguards:
229
-
230
- Vendor: Microsoft Defender for Endpoint
231
- Safeguards to assess: 1.1, 1.2, 7.1
232
- Vendor Response: 'Our endpoint protection platform provides comprehensive asset discovery and inventory, unauthorized device detection and blocking, continuous vulnerability assessment with automated patch management, and detailed security reporting across all enterprise endpoints.'"
233
- ```
234
-
235
- ---
236
-
237
- ## 💡 Pro Tips
238
-
239
- ### 1. Understanding Content Analysis
240
- - **Implementation Details**: Look for specific technical capabilities and processes
241
- - **Scope Definition**: Identify clear boundaries and limitations in vendor claims
242
- - **Evidence Quality**: Assess depth and specificity of supporting information
243
- - **Language Consistency**: Ensure alignment between claims and supporting evidence
244
-
245
- ### 2. Optimizing Confidence Scores
246
- - **High scores (80-100%)**: Comprehensive coverage with specific implementation details
247
- - **Medium scores (50-79%)**: Good coverage but missing some elements
248
- - **Low scores (0-49%)**: Limited coverage or vague responses
249
-
250
- ### 3. Common Validation Patterns
251
- - **SUPPORTED**: Evidence strongly aligns with claimed capability
252
- - **QUESTIONABLE**: Partial support with notable gaps or inconsistencies
253
- - **UNSUPPORTED**: Evidence does not support the claimed capability
254
-
255
- ### 4. Best Practices
256
- - Always research safeguard requirements first using `get_safeguard_details`
257
- - Use `analyze_vendor_response` when capability role is unknown
258
- - Use `validate_vendor_mapping` when testing specific capability claims
259
- - Include detailed vendor response text for better analysis accuracy
260
-
261
- ---
262
-
263
- ## 🚀 Integration Examples
264
-
265
- ### Claude Code Commands
266
- ```bash
267
- # Quick capability check
268
- claude-code "What capability role should Rapid7 InsightVM have for safeguard 7.1?"
269
-
270
- # Detailed validation
271
- claude-code "Validate whether Lansweeper can provide FULL coverage for asset inventory (safeguard 1.1)"
272
-
273
- # Comparative analysis
274
- claude-code "Compare the capability roles of ServiceNow CMDB vs Lansweeper vs Device42 for safeguard 1.1"
275
- ```
276
-
277
- ### HTTP API Examples
278
- ```bash
279
- # Health check
280
- curl https://your-api.com/health
281
-
282
- # List safeguards
283
- curl https://your-api.com/api/safeguards
284
-
285
- # Validate capability
286
- curl -X POST https://your-api.com/api/validate-vendor-mapping \
287
- -H "Content-Type: application/json" \
288
- -d '{"vendor_name":"Test Vendor","safeguard_id":"1.1","claimed_capability":"facilitates","supporting_text":"Our tool enhances existing asset management systems with additional discovery capabilities and detailed reporting features."}'
289
- ```
290
-
291
- ---
292
-
293
- **📝 Note**: All examples use real CIS Controls v8.1 safeguards and demonstrate actual vendor assessment scenarios.