npm - iso27001-mcp - Versions diffs - 0.8.0 → 0.8.2 - Mend

iso27001-mcp 0.8.0 → 0.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,7 +1,8 @@
 # iso27001-mcp
-[![Socket Badge](https://badge.socket.dev/npm/package/iso27001-mcp/0.7.9)](https://socket.dev/npm/package/iso27001-mcp/overview/0.7.9)
+[![Socket Badge](https://badge.socket.dev/npm/package/iso27001-mcp/0.8.2)](https://socket.dev/npm/package/iso27001-mcp/overview/0.8.2)
 [![npm version](https://img.shields.io/npm/v/iso27001-mcp.svg)](https://npmjs.com/package/iso27001-mcp)
+[![npm downloads](https://img.shields.io/npm/dt/iso27001-mcp.svg)](https://npmjs.com/package/iso27001-mcp)
 [![Live Demo](https://img.shields.io/badge/demo-live-blue)](https://sushegaad.github.io/MCP-Server-for-ISO27001/)
 **[▶ Live Interactive Demo](https://sushegaad.github.io/MCP-Server-for-ISO27001/)**
@@ -31,12 +32,28 @@ Claude ──MCP──► iso27001-mcp ──► encrypted SQLite (isms.db)
 - [Configuration](#configuration)
 - [Connecting to Claude](#connecting-to-claude)
 - [Tools Reference](#tools-reference)
+  - [Group 1 — Control Registry](#group-1--control-registry-minimum-role-viewer)
+  - [Group 2 — Gap Analysis](#group-2--gap-analysis-reads-viewer-writes-analyst)
+  - [Group 3 — Risk Management](#group-3--risk-management-reads-viewer-writes-analyst)
+  - [Group 4 — Policy Management](#group-4--policy-management-reads-viewer-create-analyst-update-admin)
+  - [Group 5 — Statement of Applicability](#group-5--statement-of-applicability-minimum-role-analyst)
+  - [Group 6 — Audit Management](#group-6--audit-management-reads-viewer-writes-admin)
+  - [Group 7 — Evidence Tracking](#group-7--evidence-tracking-reads-viewer-writes-analyst)
+  - [Group 8 — Server Info](#group-8--server-info-minimum-role-viewer)
+  - [Group 9 — Admin & Key Management](#group-9--admin--key-management-minimum-role-admin)
+  - [Group 10 — Organisation Profile](#group-10--organisation-profile-minimum-role-admin-for-writes-viewer-for-reads)
+  - [Group 11 — Procedure Management](#group-11--procedure-management-reads-viewer-createexport-analyst-update-admin)
+  - [Group 12 — Management Review](#group-12--management-review-reads-viewer-writes-admin--clause-93)
+  - [Group 13 — Improvement Plan](#group-13--improvement-plan-reads-viewer-writes-analyst--clause-101)
+  - [Group 14 — Evidence Templates](#group-14--evidence-templates-reads-viewer-generate-analyst)
 - [MCP Resources](#mcp-resources)
 - [Architecture](#architecture)
 - [Modes](#modes)
 - [Integrations](#integrations)
+- [Sample Outputs](#sample-outputs)
 - [Development](#development)
 - [Security](#security)
+  - [Trust Center](https://github.com/Sushegaad/MCP-Server-for-ISO27001/tree/main/docs/security/) — threat model · hardening guide · data flow · supply chain · audit log integrity
 ---
@@ -90,7 +107,7 @@ iso27001-mcp keygen --label "Me" --role admin
 The raw key (`iso27001_...`) is printed **once** and never stored in plaintext. Copy it immediately.
-> Three roles are available: `viewer` (25 read-only tools), `analyst` (40 tools), `admin` (all 50 tools). Use `admin` for your personal key.
+> Three roles are available: `viewer` (31 read-only tools), `analyst` (49 tools), `admin` (all 63 tools). Use `admin` for your personal key.
 ### Step 4 — Add to Claude Desktop
@@ -121,7 +138,7 @@ Add the following block, substituting your values from Steps 2 and 3:
 ### Step 5 — Restart Claude Desktop and verify
-Fully quit and reopen Claude Desktop. You should see 50 tools in the MCP tools panel (hammer icon). Then ask Claude:
+Fully quit and reopen Claude Desktop. You should see 63 tools in the MCP tools panel (hammer icon). Then ask Claude:
 > *"Use get_server_info to check the server is running."*
@@ -287,11 +304,12 @@ Full variable reference:
 | `HMAC_SECRET` | ✅ | — | 32-byte hex secret for HMAC-signing API keys |
 | `DB_ENCRYPTION_KEY` | ✅ | — | 32-byte hex key for AES-256 SQLite encryption |
 | `DB_PATH` | | `./isms.db` | Path to the encrypted database file |
-| `AUDIT_LOG_PATH` | | `./audit.log` | Path for the append-only JSON-L audit log |
+| `AUDIT_LOG_PATH` | | `./audit.jsonl` | Path for the append-only JSON-L audit log (`.jsonl` or `.log` only) |
 | `RATE_LIMIT_RPM` | | `500` | Tool calls per minute per API key |
 | `SESSION_TTL_HOURS` | | `4` | SSE session TTL (hosted/team modes) |
 | `SSE_PORT` | | `3000` | Port for the SSE server (hosted/team modes) |
 | `BEHIND_TLS_PROXY` | | `false` | Set `true` when behind nginx/Caddy in production |
+| `CORS_ORIGIN` | | `http://localhost` (dev) / `https://claude.ai` (prod) | Allowed CORS origin for the SSE server — never set to `*` |
 | `JIRA_BASE_URL` | | — | e.g. `https://your-org.atlassian.net` |
 | `JIRA_API_TOKEN` | | — | Jira API token for the integration |
 | `JIRA_PROJECT_KEY` | | — | e.g. `SEC` |
@@ -307,10 +325,10 @@ The server requires an API key on every tool call. Generate one for yourself:
 # Viewer — read-only access to 25 tools
 iso27001-mcp keygen --label "Alice" --role viewer
-# Analyst — read + write for gap/risk/policy/procedure/evidence tools (40 tools)
+# Analyst — read + write for gap/risk/policy/procedure/evidence tools (49 tools)
 iso27001-mcp keygen --label "Bob" --role analyst --expires 90d
-# Admin — all 50 tools including audit log and key management
+# Admin — all 63 tools including audit log and key management
 iso27001-mcp keygen --label "CISO" --role admin --expires 1y
 ```
@@ -375,7 +393,7 @@ export DB_PATH=$HOME/.iso27001/isms.db
 ## Tools Reference
-The server exposes **50 tools** across 11 groups. All tools require a valid API key. The minimum role required is noted per group; `✅` marks required parameters, `—` marks optional ones.
+The server exposes **63 tools** across 14 groups. All tools require a valid API key. The minimum role required is noted per group; `✅` marks required parameters, `—` marks optional ones.
 ---
@@ -913,6 +931,147 @@ Export a procedure as Markdown or JSON.
 ---
+### Group 12 — Management Review *(reads: viewer+, writes: admin)* — Clause 9.3
+#### `create_management_review`
+Schedule a management review meeting.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `title` | ✅ | string | Review title |
+| `review_date` | ✅ | string | `YYYY-MM-DD` |
+| `chair` | ✅ | string | Review chair / CISO name |
+| `attendees` | — | array | List of attendee names |
+| `agenda` | — | string | Meeting agenda |
+#### `record_review_input`
+Record an input item to a management review (e.g. audit results, risk summary, performance metrics).
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `review_id` | ✅ | string (UUID) | |
+| `input_type` | ✅ | enum | `audit_results` \| `risk_summary` \| `objective_performance` \| `nonconformities` \| `previous_actions` \| `changes` \| `resources` \| `stakeholder_feedback` \| `other` |
+| `summary` | ✅ | string | |
+| `detail` | — | string | Supporting detail |
+#### `record_review_output`
+Record a decision or action item from a management review.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `review_id` | ✅ | string (UUID) | |
+| `output_type` | ✅ | enum | `improvement_opportunity` \| `resource_decision` \| `policy_change` \| `objective_change` \| `other` |
+| `description` | ✅ | string | |
+| `owner` | — | string | |
+| `due_date` | — | string | `YYYY-MM-DD` |
+#### `complete_management_review`
+Mark a management review as complete and record the outcome.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `review_id` | ✅ | string (UUID) | |
+| `outcome_summary` | ✅ | string | |
+#### `get_management_review`
+Fetch a management review with all inputs, outputs, and status.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `review_id` | ✅ | string (UUID) | |
+#### `list_management_reviews`
+List management reviews with optional status filter.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `status` | — | enum | `scheduled` \| `in_progress` \| `completed` |
+| `limit` | — | integer | Default: `20`, max `100` |
+| `offset` | — | integer | Default: `0` |
+---
+### Group 13 — Improvement Plan *(reads: viewer+, writes: analyst+)* — Clause 10.1
+#### `create_improvement_opportunity`
+Register an improvement opportunity, typically identified during a management review or audit.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `title` | ✅ | string | |
+| `description` | ✅ | string | |
+| `source` | ✅ | enum | `audit` \| `management_review` \| `incident` \| `risk_assessment` \| `self_assessment` \| `other` |
+| `priority` | — | enum | `low` \| `medium` \| `high` \| `critical` — default: `medium` |
+| `owner` | — | string | |
+| `due_date` | — | string | `YYYY-MM-DD` |
+| `related_controls` | — | array | Control IDs |
+| `review_id` | — | string (UUID) | Link to a management review output |
+#### `update_improvement_opportunity`
+Update the status, owner, or due date of an improvement opportunity.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `opportunity_id` | ✅ | string (UUID) | |
+| `status` | — | enum | `open` \| `in_progress` \| `completed` \| `cancelled` |
+| `owner` | — | string | |
+| `due_date` | — | string | `YYYY-MM-DD` |
+| `resolution_notes` | — | string | Required when closing |
+#### `get_improvement_opportunity`
+Fetch a single improvement opportunity by ID.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `opportunity_id` | ✅ | string (UUID) | |
+#### `list_improvement_opportunities`
+List improvement opportunities with optional filters.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `status` | — | enum | `open` \| `in_progress` \| `completed` \| `cancelled` |
+| `priority` | — | enum | `low` \| `medium` \| `high` \| `critical` |
+| `source` | — | enum | Any source enum value above |
+| `limit` | — | integer | Default: `50`, max `100` |
+| `offset` | — | integer | Default: `0` |
+---
+### Group 14 — Evidence Templates *(reads: viewer+, generate: analyst+)*
+#### `generate_evidence_document`
+Render a Mustache evidence template and store it. The document is dual-written to both the `evidence` table and the `generated_evidence` table for tracking and version history.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `template_type` | ✅ | enum | `access_review_attestation` \| `bcp_test_report` \| `incident_post_mortem` \| `risk_treatment_sign_off` \| `supplier_security_questionnaire` \| `training_acknowledgement` |
+| `title` | ✅ | string | Document title |
+| `generated_by` | ✅ | string | Author or system that generated the document |
+| `organisation_name` | — | string | Auto-injected from org profile if set |
+| `control_id` | — | string | Link to a specific control (default: `general`) |
+| `vars` | — | object | Additional Mustache template variables |
+#### `get_evidence_document`
+Fetch a generated evidence document by ID, including rendered content and clause/control mappings.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `document_id` | ✅ | string (UUID) | |
+#### `list_evidence_documents`
+List generated evidence documents with optional filters.
+| Parameter | Req | Type | Values / Notes |
+|-----------|-----|------|----------------|
+| `template_type` | — | enum | Filter to a specific template type |
+| `generated_by` | — | string | Filter by author |
+| `control_id` | — | string | Filter by linked control |
+| `limit` | — | integer | Default: `20`, max `100` |
+| `offset` | — | integer | Default: `0` |
+---
 ## MCP Resources
 In addition to tools, the server exposes ISMS artefacts as browseable **MCP Resources** under the `iso27001://` URI scheme. Claude can reference these directly without a tool call — ideal for inline document review, cross-referencing controls, and long-context analysis.
@@ -967,34 +1126,37 @@ Resources are read-only. Write operations always go through tools (which enforce
 │                     Claude (LLM)                        │
 └──────────┬───────────────────────────────┬──────────────┘
            │  MCP Tools (read/write)        │  MCP Resources (read-only)
-           │  50 tools, RBAC enforced       │  12 iso27001:// URIs
+           │  63 tools, RBAC enforced       │  12 iso27001:// URIs
 ┌──────────▼───────────────────────────────▼──────────────┐
 │                   iso27001-mcp server                   │
 │                                                         │
 │  ┌─────────────────────────────────────────────────┐    │
-│  │             9-Step Security Pipeline            │    │
+│  │             7-Step Security Pipeline            │    │
 │  │                                                 │    │
-│  │  1. Extract API key (meta or MCP_API_KEY env)   │    │
-│  │  2. validateKey()    HMAC-SHA256, timing-safe   │    │
+│  │  1. Extract credential (_meta.apiKey / env)     │    │
+│  │  2. Auth — session token OR validateKey()       │    │
+│  │     SSE sessions use opaque token (no raw key)  │    │
 │  │  3. checkRateLimit() sliding 60s window (RPM)   │    │
-│  │  4. loadRole()       viewer | analyst | admin   │    │
-│  │  5. assertPermission() RBAC check               │    │
-│  │  6. sanitiseParams() strip injection patterns   │    │
-│  │  7. Domain handler   business logic             │    │
-│  │  8. writeAuditEvent() tamper-evident row_hash   │    │
-│  │  9. Return result or structured McpError        │    │
+│  │  4. assertPermission() RBAC check               │    │
+│  │  5. sanitiseParams() strip injection patterns   │    │
+│  │  6. Domain handler   business logic             │    │
+│  │  7. writeAuditEvent() HMAC chain + row_hash     │    │
 │  └─────────────────────────────────────────────────┘    │
 │                                                         │
 │  ┌─────────────┐  ┌──────────┐  ┌────────────────────┐  │
 │  │  Controls   │  │  Risks   │  │  Policies &        │  │
 │  │  Gap Assess │  │ Register │  │  Procedures        │  │
-│  │  SoA        │  │ Treatmts │  │  (Mustache tmpl)   │  │
+│  │  SoA        │  │ Treatmts │  │  (Mustache+partls) │  │
 │  └─────────────┘  └──────────┘  └────────────────────┘  │
 │  ┌─────────────┐  ┌──────────┐  ┌────────────────────┐  │
-│  │   Audits    │  │ Evidence │  │  Org Profile &     │  │
-│  │  Findings   │  │  Jira/GH │  │  Audit Log         │  │
-│  │  CARs       │  │  Gaps    │  │  (tamper-evident)  │  │
+│  │   Audits    │  │ Evidence │  │  Mgmt Review &     │  │
+│  │  Findings   │  │  Jira/GH │  │  Improvement Plan  │  │
+│  │  CARs       │  │  Tmplts  │  │  (Clauses 9.3/10.1)│  │
 │  └─────────────┘  └──────────┘  └────────────────────┘  │
+│  ┌─────────────────────────────────────────────────┐    │
+│  │  Org Profile · Audit Log (HMAC-SHA256 chain)    │    │
+│  │  Session Token Store · API Key RBAC (63 tools)  │    │
+│  └─────────────────────────────────────────────────┘    │
 │                                                         │
 │  ┌─────────────────────────────────────────────────┐    │
 │  │    AES-256 encrypted SQLite  (isms.db)          │    │
@@ -1006,11 +1168,14 @@ Resources are read-only. Write operations always go through tools (which enforce
 ### Database
-All data is stored in a single encrypted SQLite file (`isms.db`) using AES-256 via `better-sqlite3-multiple-ciphers`. The schema is managed by three SQL migrations applied automatically on first startup:
+All data is stored in a single encrypted SQLite file (`isms.db`) using AES-256 via `better-sqlite3-multiple-ciphers`. The schema is managed by six SQL migrations applied automatically on first startup:
 - `0001_initial.sql` — 17 tables covering every ISMS domain (controls, gap assessments, risks, policies, audits, evidence, API keys, audit log, and more)
 - `0002_fts_index.sql` — FTS5 full-text search index on controls, plus 12 performance indexes
 - `0003_org_profile_procedures.sql` — `organization_profile` singleton table, `procedures` table, and `procedure_versions` history table
+- `0004_management_review_improvement.sql` — `management_reviews`, `review_inputs`, `review_outputs`, and `improvement_opportunities` tables (Clauses 9.3 and 10.1)
+- `0005_evidence_documents.sql` — `generated_evidence` table for Mustache-rendered evidence documents with dual-write to `evidence`
+- `0006_audit_log_hmac.sql` — adds `prev_hash` column to `audit_log` for HMAC chain integrity
 ### Seed Data
@@ -1023,7 +1188,7 @@ On first startup, `seedAll()` inserts all ISO 27001 reference data and verifies
 ### Security Pipeline
-Every tool call passes through the same 9-step pipeline before any business logic runs. Audit events are always written — including on authentication failure and RBAC denial — so the log is a complete record of all attempts, not just successful ones.
+Every tool call passes through the same 7-step pipeline before any business logic runs. SSE sessions use an opaque session token so the raw API key is never retained in server memory after the initial `/sse` handshake. Audit events are always written — including on authentication failure and RBAC denial — so the log is a complete record of all attempts, not just successful ones.
 ### Business Rules Enforced
@@ -1044,9 +1209,9 @@ Three roles with strict hierarchy. A key can only call tools at or below its ass
 | Role | Tools available | Typical user |
 |------|----------------|--------------|
-| `viewer` | 25 (all read-only tools) | Auditor, stakeholder |
-| `analyst` | 40 (reads + gap/risk/policy/procedure/evidence writes) | ISMS practitioner, consultant |
-| `admin` | 50 (all tools, including org profile, audit log and key management) | CISO, ISMS owner |
+| `viewer` | 31 (all read-only tools) | Auditor, stakeholder |
+| `analyst` | 49 (reads + gap/risk/policy/procedure/evidence/improvement writes) | ISMS practitioner, consultant |
+| `admin` | 63 (all tools, including org profile, audit management, audit log and key management) | CISO, ISMS owner |
 ---
@@ -1087,6 +1252,24 @@ Sessions expire after `SESSION_TTL_HOURS` hours of inactivity. In `NODE_ENV=prod
 ---
+## Sample Outputs
+The [`samples/`](samples/) directory contains auditor-ready example outputs generated from a demo ISMS for a fictitious organisation ("Acme Financial Services Ltd" — a UK payments processor preparing for ISO 27001:2022 certification). Each file states which tool(s) produced it.
+| Sample | Description |
+|--------|-------------|
+| [gap-assessment-summary.md](samples/gap-assessment-summary.md) | Complete gap assessment across all 93 controls |
+| [remediation-roadmap.md](samples/remediation-roadmap.md) | 26-week prioritised remediation plan with owners and effort estimates |
+| [risk-register.csv](samples/risk-register.csv) | Risk register with 10 risks, scores, and treatment plans |
+| [statement-of-applicability.csv](samples/statement-of-applicability.csv) | Full SoA — all 93 ISO 27001:2022 controls with applicability justifications |
+| [access-control-policy.md](samples/access-control-policy.md) | Generated access control policy (Annex A 5.15–5.18, 8.2–8.5) |
+| [incident-handling-procedure.md](samples/incident-handling-procedure.md) | Incident handling procedure with severity tiers and GDPR notification |
+| [internal-audit-report.md](samples/internal-audit-report.md) | Internal audit report — 3 major NCs, 4 minor NCs, 2 positive observations |
+| [corrective-action-record.md](samples/corrective-action-record.md) | Two corrective action records: one in progress, one closed and verified |
+| [evidence-package.md](samples/evidence-package.md) | 47-item evidence inventory with 28-control gap analysis |
+---
 ## Integrations
 ### Jira
@@ -1123,7 +1306,7 @@ npm run typecheck
 # Build dist/
 npm run build
-# Run all tests (404 unit + integration tests)
+# Run all tests (470 unit + integration tests)
 npm test
 # Watch mode
@@ -1147,12 +1330,13 @@ src/
 ├── server.ts                 McpServer factory — registers tools + resources
 ├── auth/
 │   ├── api-key.ts            Key generation, HMAC validation, expiry, revocation
-│   └── rbac.ts               Permission matrix (50 tools × 3 roles)
+│   ├── rbac.ts               Permission matrix (63 tools × 3 roles)
+│   └── session-store.ts      SSE session token store (opaque token → keyHash + role)
 ├── security/
 │   ├── sanitise.ts           Prompt-injection stripping for free-text fields
 │   ├── rate-limiter.ts       Sliding-window RPM counter per key hash
 │   ├── secrets.ts            Env var validation (fail-fast on startup)
-│   └── validate.ts           Zod schemas for all 50 tool inputs
+│   └── validate.ts           Zod schemas for all 63 tool inputs
 ├── audit/
 │   └── logger.ts             Tamper-evident audit event writer
 ├── db/
@@ -1166,7 +1350,9 @@ src/
 │   ├── version-mapping.json  125 cross-version mappings
 │   ├── clause-requirements.json  41 clause requirements (clauses 4–10)
 │   ├── policy-templates/     12 Mustache .md policy templates
-│   └── procedure-templates/  12 Mustache .md procedure templates
+│   ├── procedure-templates/  12 Mustache .md procedure templates
+│   ├── evidence-templates/   6 Mustache .md evidence document templates
+│   └── partials/             Shared Mustache partials (org_header, revision_block, approver_signature)
 ├── tools/
 │   ├── index.ts              Tool registry and security pipeline
 │   ├── controls.ts           Group 1: Control Registry (7 tools)
@@ -1179,7 +1365,10 @@ src/
 │   ├── server-info.ts        Group 8: Server Info (1 tool)
 │   ├── org-profile.ts        Group 10: Organisation Profile (2 tools) + loadOrgProfileDefaults helper
 │   ├── procedures.ts         Group 11: Procedure Management (5 tools)
-│   └── template-utils.ts     Shared loadTemplate / stripFrontmatter helpers
+│   ├── management-review.ts  Group 12: Management Review — Clause 9.3 (6 tools)
+│   ├── improvement-plan.ts   Group 13: Improvement Plan — Clause 10.1 (4 tools)
+│   ├── evidence-templates.ts Group 14: Evidence Templates (3 tools)
+│   └── template-utils.ts     Shared loadTemplate / stripFrontmatter / loadPartials helpers
 ├── resources/
 │   ├── index.ts              Registers all 12 MCP Resources
 │   ├── resource-auth.ts      Slim auth helper for resource callbacks
@@ -1212,6 +1401,8 @@ tests/
 ## Security
+For a full security profile — threat model, hardening guide, data flow documentation, supply chain attestation, and audit log integrity verification — see the **[Trust Center](https://github.com/Sushegaad/MCP-Server-for-ISO27001/tree/main/docs/security/)**.
 ### API Key Storage
 API keys are never stored in plaintext. Only an HMAC-SHA256 hash is persisted in the database. The raw `iso27001_...` key is printed once to stdout at generation time — there is no way to retrieve it afterwards.
@@ -1225,10 +1416,11 @@ The SQLite database (`isms.db`) is encrypted at rest using AES-256 via `better-s
 Every tool call writes a row to `audit_log` with a `row_hash` computed as:
 ```
-SHA-256(timestamp | tool | key_hash | outcome)
+HMAC-SHA256(HMAC_SECRET, id | timestamp | tool | key_hash | role |
+            params_json | outcome | error_message | duration_ms | prev_hash)
 ```
-Any modification to an audit row after insertion will cause `verifyRowHash()` to fail. The same events are also appended in JSON-L format to `AUDIT_LOG_PATH` for off-database retention and SIEM ingestion.
+The `prev_hash` field chains each row to its predecessor — insertion, deletion, or reordering of rows is detectable via `verifyRowHash()` and `verifyChain()`. The same events are appended in JSON-L format to `AUDIT_LOG_PATH` for off-database retention and SIEM ingestion. The log path is validated on write to reject paths inside system directories (`/etc`, `/proc`, `/sys`, `/dev`).
 ### Production Checklist

package/dist/index.js CHANGED Viewed

@@ -4947,10 +4947,10 @@ var require_raw_body = __commonJS({
       if (done) {
         return readStream(stream, encoding, length, limit, wrap(done));
       }
-      return new Promise(function executor(resolve, reject) {
+      return new Promise(function executor(resolve2, reject) {
         readStream(stream, encoding, length, limit, function onRead(err, buf) {
           if (err) return reject(err);
-          resolve(buf);
+          resolve2(buf);
         });
       });
     }
@@ -14034,7 +14034,7 @@ var require_mime_types = __commonJS({
   "node_modules/mime-types/index.js"(exports2) {
     "use strict";
     var db = require_mime_db();
-    var extname = require("path").extname;
+    var extname2 = require("path").extname;
     var EXTRACT_TYPE_REGEXP = /^\s*([^;\s]*)(?:;|\s|$)/;
     var TEXT_TYPE_REGEXP = /^text\//i;
     exports2.charset = charset;
@@ -14088,7 +14088,7 @@ var require_mime_types = __commonJS({
       if (!path || typeof path !== "string") {
         return false;
       }
-      var extension2 = extname("x." + path).toLowerCase().substr(1);
+      var extension2 = extname2("x." + path).toLowerCase().substr(1);
       if (!extension2) {
         return false;
       }
@@ -20181,14 +20181,14 @@ var require_view = __commonJS({
     var fs = require("fs");
     var dirname = path.dirname;
     var basename = path.basename;
-    var extname = path.extname;
+    var extname2 = path.extname;
     var join2 = path.join;
-    var resolve = path.resolve;
+    var resolve2 = path.resolve;
     module2.exports = View;
     function View(name, options) {
       var opts = options || {};
       this.defaultEngine = opts.defaultEngine;
-      this.ext = extname(name);
+      this.ext = extname2(name);
       this.name = name;
       this.root = opts.root;
       if (!this.ext && !this.defaultEngine) {
@@ -20217,7 +20217,7 @@ var require_view = __commonJS({
       debug('lookup "%s"', name);
       for (var i = 0; i < roots.length && !path2; i++) {
         var root = roots[i];
-        var loc = resolve(root, name);
+        var loc = resolve2(root, name);
         var dir = dirname(loc);
         var file = basename(loc);
         path2 = this.resolve(dir, file);
@@ -20228,7 +20228,7 @@ var require_view = __commonJS({
       debug('render "%s"', this.path);
       this.engine(this.path, options, callback);
     };
-    View.prototype.resolve = function resolve2(dir, file) {
+    View.prototype.resolve = function resolve3(dir, file) {
       var ext = this.ext;
       var path2 = join2(dir, file);
       var stat = tryStat(path2);
@@ -21299,10 +21299,10 @@ var require_send = __commonJS({
     var statuses = require_statuses();
     var Stream = require("stream");
     var util = require("util");
-    var extname = path.extname;
+    var extname2 = path.extname;
     var join2 = path.join;
     var normalize = path.normalize;
-    var resolve = path.resolve;
+    var resolve2 = path.resolve;
     var sep = path.sep;
     var BYTES_RANGE_REGEXP = /^ *bytes=/;
     var MAX_MAXAGE = 60 * 60 * 24 * 365 * 1e3;
@@ -21339,7 +21339,7 @@ var require_send = __commonJS({
       this._maxage = opts.maxAge || opts.maxage;
       this._maxage = typeof this._maxage === "string" ? ms(this._maxage) : Number(this._maxage);
       this._maxage = !isNaN(this._maxage) ? Math.min(Math.max(0, this._maxage), MAX_MAXAGE) : 0;
-      this._root = opts.root ? resolve(opts.root) : null;
+      this._root = opts.root ? resolve2(opts.root) : null;
       if (!this._root && opts.from) {
         this.from(opts.from);
       }
@@ -21363,7 +21363,7 @@ var require_send = __commonJS({
       return this;
     }, "send.index: pass index as option");
     SendStream.prototype.root = function root(path2) {
-      this._root = resolve(String(path2));
+      this._root = resolve2(String(path2));
       debug("root %s", this._root);
       return this;
     };
@@ -21527,7 +21527,7 @@ var require_send = __commonJS({
           return res;
         }
         parts = normalize(path2).split(sep);
-        path2 = resolve(path2);
+        path2 = resolve2(path2);
       }
       if (containsDotFile(parts)) {
         var access = this._dotfiles;
@@ -21624,7 +21624,7 @@ var require_send = __commonJS({
       var self = this;
       debug('stat "%s"', path2);
       fs.stat(path2, function onstat(err, stat) {
-        if (err && err.code === "ENOENT" && !extname(path2) && path2[path2.length - 1] !== sep) {
+        if (err && err.code === "ENOENT" && !extname2(path2) && path2[path2.length - 1] !== sep) {
           return next(err);
         }
         if (err) return self.onStatError(err);
@@ -22807,7 +22807,7 @@ var require_application = __commonJS({
     var deprecate = require_depd()("express");
     var flatten = require_array_flatten();
     var merge = require_utils_merge();
-    var resolve = require("path").resolve;
+    var resolve2 = require("path").resolve;
     var setPrototypeOf = require_setprototypeof();
     var hasOwnProperty = Object.prototype.hasOwnProperty;
     var slice = Array.prototype.slice;
@@ -22846,7 +22846,7 @@ var require_application = __commonJS({
       this.mountpath = "/";
       this.locals.settings = this.settings;
       this.set("view", View);
-      this.set("views", resolve("views"));
+      this.set("views", resolve2("views"));
       this.set("jsonp callback name", "callback");
       if (env === "production") {
         this.enable("view cache");
@@ -24090,9 +24090,9 @@ var require_response = __commonJS({
     var setCharset = require_utils3().setCharset;
     var cookie = require_cookie();
     var send = require_send();
-    var extname = path.extname;
+    var extname2 = path.extname;
     var mime = send.mime;
-    var resolve = path.resolve;
+    var resolve2 = path.resolve;
     var vary = require_vary();
     var res = Object.create(http.ServerResponse.prototype);
     module2.exports = res;
@@ -24351,7 +24351,7 @@ var require_response = __commonJS({
       }
       opts = Object.create(opts);
       opts.headers = headers;
-      var fullPath = !opts.root ? resolve(path2) : path2;
+      var fullPath = !opts.root ? resolve2(path2) : path2;
       return this.sendFile(fullPath, opts, done);
     };
     res.contentType = res.type = function contentType(type) {
@@ -24382,7 +24382,7 @@ var require_response = __commonJS({
     };
     res.attachment = function attachment(filename) {
       if (filename) {
-        this.type(extname(filename));
+        this.type(extname2(filename));
       }
       this.set("Content-Disposition", contentDisposition(filename));
       return this;
@@ -24617,7 +24617,7 @@ var require_serve_static = __commonJS({
     var encodeUrl = require_encodeurl();
     var escapeHtml = require_escape_html();
     var parseUrl = require_parseurl();
-    var resolve = require("path").resolve;
+    var resolve2 = require("path").resolve;
     var send = require_send();
     var url = require("url");
     module2.exports = serveStatic;
@@ -24637,7 +24637,7 @@ var require_serve_static = __commonJS({
         throw new TypeError("option setHeaders must be function");
       }
       opts.maxage = opts.maxage || opts.maxAge || 0;
-      opts.root = resolve(root);
+      opts.root = resolve2(root);
       var onDirectory = redirect ? createRedirectDirectoryListener() : createNotFoundDirectoryListener();
       return function serveStatic2(req, res, next) {
         if (req.method !== "GET" && req.method !== "HEAD") {
@@ -24797,7 +24797,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "iso27001-mcp",
-      version: "0.8.0",
+      version: "0.8.2",
       description: "Stateful ISO 27001:2022 ISMS management for Claude \u2014 gap analysis, risk register, policies, audits, and evidence tracking via the Model Context Protocol",
       license: "MIT",
       repository: {
@@ -24840,7 +24840,6 @@ var require_package = __commonJS({
         postbuild: "rm -rf dist/seed && mkdir -p dist/seed && cp -r src/seed/policy-templates dist/seed/policy-templates && cp -r src/seed/procedure-templates dist/seed/procedure-templates && cp -r src/seed/evidence-templates dist/seed/evidence-templates && cp -r src/seed/partials dist/seed/partials",
         prepack: "npm run build",
         prepublishOnly: "npm run typecheck && npm test && npm run build",
-        postinstall: `node -e "require('better-sqlite3-multiple-ciphers')" 2>/dev/null || echo "\\n\u26A0\uFE0F  iso27001-mcp: Native SQLite module failed to load. You may need build tools installed.\\n   macOS: xcode-select --install\\n   Ubuntu/Debian: sudo apt-get install build-essential python3\\n   Windows: https://visualstudio.microsoft.com/downloads/ \u2192 Build Tools for Visual Studio \u2192 Desktop development with C++\\n   See: https://github.com/Sushegaad/MCP-Server-for-ISO27001#prerequisites\\n"`,
         typecheck: "tsc --noEmit",
         lint: "eslint src --ext .ts",
         test: "vitest run --coverage",
@@ -25063,15 +25062,15 @@ var validations = {
   /**
    * Ensures a single store instance is not used with multiple express-rate-limit instances
    */
-  unsharedStore(store) {
-    if (usedStores.has(store)) {
-      const maybeUniquePrefix = store?.localKeys ? "" : " (with a unique prefix)";
+  unsharedStore(store2) {
+    if (usedStores.has(store2)) {
+      const maybeUniquePrefix = store2?.localKeys ? "" : " (with a unique prefix)";
       throw new ValidationError(
         "ERR_ERL_STORE_REUSE",
-        `A Store instance must not be shared across multiple rate limiters. Create a new instance of ${store.constructor.name}${maybeUniquePrefix} for each limiter instead.`
+        `A Store instance must not be shared across multiple rate limiters. Create a new instance of ${store2.constructor.name}${maybeUniquePrefix} for each limiter instead.`
       );
     }
-    usedStores.add(store);
+    usedStores.add(store2);
   },
   /**
    * Ensures a given key is incremented only once per request.
@@ -25082,19 +25081,19 @@ var validations = {
    *
    * @returns {void}
    */
-  singleCount(request, store, key) {
+  singleCount(request, store2, key) {
     let storeKeys = singleCountKeys.get(request);
     if (!storeKeys) {
       storeKeys = /* @__PURE__ */ new Map();
       singleCountKeys.set(request, storeKeys);
     }
-    const storeKey = store.localKeys ? store : store.constructor.name;
+    const storeKey = store2.localKeys ? store2 : store2.constructor.name;
     let keys = storeKeys.get(storeKey);
     if (!keys) {
       keys = [];
       storeKeys.set(storeKey, keys);
     }
-    const prefixedKey = `${store.prefix ?? ""}${key}`;
+    const prefixedKey = `${store2.prefix ?? ""}${key}`;
     if (keys.includes(prefixedKey)) {
       throw new ValidationError(
         "ERR_ERL_DOUBLE_COUNT",
@@ -25212,12 +25211,12 @@ var validations = {
    * which would prevent it from working correctly, with the default memory
    * store (or any other store with localKeys.)
    */
-  creationStack(store) {
+  creationStack(store2) {
     const { stack } = new Error(
       "express-rate-limit validation check (set options.validate.creationStack=false to disable)"
     );
     if (stack?.includes("Layer.handle [as handle_request]")) {
-      if (!store.localKeys) {
+      if (!store2.localKeys) {
         throw new ValidationError(
           "ERR_ERL_CREATED_IN_REQUEST_HANDLER",
           "express-rate-limit instance should *usually* be created at app initialization, not when responding to a request."
@@ -25403,10 +25402,10 @@ var MemoryStore = class {
     this.current = /* @__PURE__ */ new Map();
   }
 };
-var isLegacyStore = (store) => (
+var isLegacyStore = (store2) => (
   // Check that `incr` exists but `increment` does not - store authors might want
   // to keep both around for backwards compatibility.
-  typeof store.incr === "function" && typeof store.increment !== "function"
+  typeof store2.incr === "function" && typeof store2.increment !== "function"
 );
 var promisifyStore = (passedStore) => {
   if (!isLegacyStore(passedStore)) {
@@ -25415,12 +25414,12 @@ var promisifyStore = (passedStore) => {
   const legacyStore = passedStore;
   class PromisifiedStore {
     async increment(key) {
-      return new Promise((resolve, reject) => {
+      return new Promise((resolve2, reject) => {
         legacyStore.incr(
           key,
           (error, totalHits, resetTime) => {
             if (error) reject(error);
-            resolve({ totalHits, resetTime });
+            resolve2({ totalHits, resetTime });
           }
         );
       });
@@ -26605,6 +26604,25 @@ function parseExpiresFlag(value) {
   );
 }
+// src/auth/session-store.ts
+var import_node_crypto5 = require("crypto");
+var SESSION_TOKEN_PREFIX = "iso27001_sess_";
+var store = /* @__PURE__ */ new Map();
+function createSessionToken(keyHash, role) {
+  const token = `${SESSION_TOKEN_PREFIX}${(0, import_node_crypto5.randomUUID)()}`;
+  store.set(token, { keyHash, role });
+  return token;
+}
+function lookupSessionToken(token) {
+  return store.get(token);
+}
+function removeSessionToken(token) {
+  store.delete(token);
+}
+function isSessionToken(value) {
+  return value.startsWith(SESSION_TOKEN_PREFIX);
+}
 // src/transport/sse.ts
 var sessions = /* @__PURE__ */ new Map();
 var ttlMs = parseInt(process.env["SESSION_TTL_HOURS"] ?? "4") * 60 * 60 * 1e3;
@@ -26616,6 +26634,7 @@ setInterval(() => {
         entry.transport.res?.end();
       } catch {
       }
+      removeSessionToken(entry.sessionToken);
       sessions.delete(sessionId);
       console.error(`[iso27001-mcp] Session ${sessionId} expired and removed.`);
     }
@@ -26631,7 +26650,7 @@ function startSseServer(server) {
   }
   const app = (0, import_express.default)();
   app.use((req, res, next) => {
-    const allowedOrigin = isProduction ? "https://claude.ai" : "*";
+    const allowedOrigin = process.env["CORS_ORIGIN"] ?? (isProduction ? "https://claude.ai" : "http://localhost");
     res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
     res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
     res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
@@ -26656,32 +26675,34 @@ function startSseServer(server) {
   });
   app.get("/sse", async (req, res) => {
     const authHeader = req.headers["authorization"];
-    const rawKey = (authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null) ?? process.env["MCP_API_KEY"] ?? "";
+    const rawKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : "";
     let keyHash;
+    let role;
     try {
       keyHash = validateKey(rawKey);
-      loadRole(keyHash);
+      role = loadRole(keyHash);
     } catch (err) {
       const msg = err instanceof McpError ? err.message : "Invalid or missing API key";
       res.status(401).json({
         error: "Unauthorized",
         message: msg,
-        hint: "Pass Authorization: Bearer <iso27001_...> header at connect time."
+        hint: "Pass 'Authorization: Bearer <iso27001_...>' header at /sse connect time. MCP_API_KEY env fallback is not accepted over SSE."
       });
       return;
     }
+    const sessionToken = createSessionToken(keyHash, role);
     const sessionId = (0, import_crypto.randomUUID)();
     const transport = new import_sse.SSEServerTransport("/messages", res);
     sessions.set(sessionId, {
       transport,
       createdAt: Date.now(),
       lastActivity: Date.now(),
-      keyHash,
-      rawKey
+      sessionToken
     });
     res.on("close", () => {
+      removeSessionToken(sessionToken);
       sessions.delete(sessionId);
-      console.error(`[iso27001-mcp] SSE connection closed for session ${sessionId}.`);
+      console.error(`[iso27001-mcp] SSE session ${sessionId} closed.`);
     });
     await server.connect(transport);
     res.write("data: " + JSON.stringify({ type: "session", sessionId }) + "\n\n");
@@ -26698,11 +26719,11 @@ function startSseServer(server) {
       return;
     }
     entry.lastActivity = Date.now();
-    if (entry.rawKey && req.body && typeof req.body === "object") {
+    if (req.body && typeof req.body === "object") {
       const body = req.body;
       if (body.params && typeof body.params === "object") {
         const meta = body.params["_meta"] ?? {};
-        meta["apiKey"] = entry.rawKey;
+        meta["apiKey"] = entry.sessionToken;
         body.params["_meta"] = meta;
       }
     }
@@ -26714,7 +26735,7 @@ function startSseServer(server) {
 }
 // src/seed/seeder.ts
-var import_node_crypto5 = require("crypto");
+var import_node_crypto6 = require("crypto");
 // src/seed/controls-2022.json
 var controls_2022_default = [
@@ -33154,7 +33175,7 @@ var checksums_default = {
 // src/seed/seeder.ts
 function sha256(data) {
-  return (0, import_node_crypto5.createHash)("sha256").update(JSON.stringify(data, null, 2)).digest("hex");
+  return (0, import_node_crypto6.createHash)("sha256").update(JSON.stringify(data, null, 2)).digest("hex");
 }
 function verifyChecksums() {
   const checks = [
@@ -33183,7 +33204,7 @@ Seed data may have been modified. Run "npm run generate-checksums" to update che
   console.error("[seeder] Checksum verification passed.");
 }
 function stableId(key) {
-  const h = (0, import_node_crypto5.createHash)("sha256").update(key).digest("hex");
+  const h = (0, import_node_crypto6.createHash)("sha256").update(key).digest("hex");
   return `${h.slice(0, 8)}-${h.slice(8, 12)}-4${h.slice(13, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;
 }
 function seedAll(db) {
@@ -33542,11 +33563,30 @@ function sanitiseParams(params) {
 }
 // src/audit/logger.ts
-var import_node_crypto6 = require("crypto");
+var import_node_crypto7 = require("crypto");
 var import_node_fs = require("fs");
+var import_node_path = require("path");
+function resolveAuditLogPath(raw) {
+  const abs = (0, import_node_path.resolve)(raw);
+  const FORBIDDEN_PREFIXES = ["/etc/", "/proc/", "/sys/", "/dev/"];
+  for (const prefix of FORBIDDEN_PREFIXES) {
+    if (abs.startsWith(prefix)) {
+      throw new Error(
+        `[audit] AUDIT_LOG_PATH "${abs}" points to a system directory. Use a writable application directory instead.`
+      );
+    }
+  }
+  const ext = (0, import_node_path.extname)(abs).toLowerCase();
+  if (ext !== "" && ext !== ".jsonl" && ext !== ".log") {
+    throw new Error(
+      `[audit] AUDIT_LOG_PATH "${abs}" has an unexpected extension "${ext}". Only .jsonl or .log files are permitted.`
+    );
+  }
+  return abs;
+}
 function writeAuditEvent(event) {
   const db = getDb();
-  const id = (0, import_node_crypto6.randomUUID)();
+  const id = (0, import_node_crypto7.randomUUID)();
   const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace("T", " ").split(".")[0] + "Z";
   const prevRow = db.prepare(
     "SELECT row_hash FROM audit_log ORDER BY rowid DESC LIMIT 1"
@@ -33565,7 +33605,7 @@ function writeAuditEvent(event) {
     String(event.duration_ms),
     prev_hash ?? "GENESIS"
   ].join("|");
-  const row_hash = (0, import_node_crypto6.createHmac)("sha256", hmacSecret).update(hashInput).digest("hex");
+  const row_hash = (0, import_node_crypto7.createHmac)("sha256", hmacSecret).update(hashInput).digest("hex");
   db.prepare(`
     INSERT INTO audit_log
       (id, timestamp, tool, key_hash, role, params_json,
@@ -33586,7 +33626,7 @@ function writeAuditEvent(event) {
   );
   const full = { id, timestamp, prev_hash, row_hash, ...event };
   try {
-    const logPath = getEnv("AUDIT_LOG_PATH", "./audit.jsonl");
+    const logPath = resolveAuditLogPath(getEnv("AUDIT_LOG_PATH", "./audit.jsonl"));
     (0, import_node_fs.appendFileSync)(logPath, JSON.stringify(full) + "\n", "utf8");
   } catch (err) {
     console.error("[audit] Warning: failed to write to AUDIT_LOG_PATH:", err);
@@ -34310,9 +34350,9 @@ function handleGetServerInfo() {
 }
 // src/db/dal.ts
-var import_node_crypto7 = require("crypto");
+var import_node_crypto8 = require("crypto");
 function newId() {
-  return (0, import_node_crypto7.randomUUID)();
+  return (0, import_node_crypto8.randomUUID)();
 }
 function toJson(value) {
   if (value === void 0 || value === null) return null;
@@ -35303,15 +35343,15 @@ var import_mustache = __toESM(require("mustache"));
 // src/tools/template-utils.ts
 var import_node_fs2 = require("fs");
-var import_node_path = require("path");
+var import_node_path2 = require("path");
 function loadTemplate(type, dir) {
   const candidates = [
     // dist/tools → dist/seed/<dir>  (compiled CJS bundle)
-    (0, import_node_path.join)(__dirname, `../seed/${dir}`, `${type}.md`),
+    (0, import_node_path2.join)(__dirname, `../seed/${dir}`, `${type}.md`),
     // Running tests directly from source
-    (0, import_node_path.join)(process.cwd(), `src/seed/${dir}`, `${type}.md`),
+    (0, import_node_path2.join)(process.cwd(), `src/seed/${dir}`, `${type}.md`),
     // Running after npm run build
-    (0, import_node_path.join)(process.cwd(), `dist/seed/${dir}`, `${type}.md`)
+    (0, import_node_path2.join)(process.cwd(), `dist/seed/${dir}`, `${type}.md`)
   ];
   for (const candidate of candidates) {
     try {
@@ -35329,9 +35369,9 @@ function loadPartials() {
   const partials = {};
   for (const name of PARTIAL_NAMES) {
     const candidates = [
-      (0, import_node_path.join)(__dirname, `../seed/partials`, `${name}.md`),
-      (0, import_node_path.join)(process.cwd(), `src/seed/partials`, `${name}.md`),
-      (0, import_node_path.join)(process.cwd(), `dist/seed/partials`, `${name}.md`)
+      (0, import_node_path2.join)(__dirname, `../seed/partials`, `${name}.md`),
+      (0, import_node_path2.join)(process.cwd(), `src/seed/partials`, `${name}.md`),
+      (0, import_node_path2.join)(process.cwd(), `dist/seed/partials`, `${name}.md`)
     ];
     for (const candidate of candidates) {
       try {
@@ -37415,16 +37455,25 @@ function registerAllTools(server) {
     const shape = extractShape(schema);
     server.tool(toolName, description, shape, async (args2, extra) => {
       const startMs = Date.now();
-      const rawKey = extra._meta?.apiKey ?? process.env["MCP_API_KEY"] ?? "";
+      const credential = extra._meta?.apiKey ?? process.env["MCP_API_KEY"] ?? "";
       let keyHash = "";
       let role = "unknown";
       let outcome = "error";
       let errorMessage = null;
       let result;
       try {
-        keyHash = validateKey(rawKey);
+        if (isSessionToken(credential)) {
+          const session = lookupSessionToken(credential);
+          if (!session) {
+            throw new McpError({ error_code: "AUTH_INVALID", message: "Session token is invalid or expired" });
+          }
+          keyHash = session.keyHash;
+          role = session.role;
+        } else {
+          keyHash = validateKey(credential);
+          role = loadRole(keyHash);
+        }
         checkRateLimit(keyHash);
-        role = loadRole(keyHash);
         assertPermission(role, toolName);
         const { sanitisedFields } = sanitiseParams(args2);
         result = await handler(args2);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "iso27001-mcp",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "description": "Stateful ISO 27001:2022 ISMS management for Claude — gap analysis, risk register, policies, audits, and evidence tracking via the Model Context Protocol",
   "license": "MIT",
   "repository": {
@@ -43,7 +43,6 @@
     "postbuild": "rm -rf dist/seed && mkdir -p dist/seed && cp -r src/seed/policy-templates dist/seed/policy-templates && cp -r src/seed/procedure-templates dist/seed/procedure-templates && cp -r src/seed/evidence-templates dist/seed/evidence-templates && cp -r src/seed/partials dist/seed/partials",
     "prepack": "npm run build",
     "prepublishOnly": "npm run typecheck && npm test && npm run build",
-    "postinstall": "node -e \"require('better-sqlite3-multiple-ciphers')\" 2>/dev/null || echo \"\\n⚠️  iso27001-mcp: Native SQLite module failed to load. You may need build tools installed.\\n   macOS: xcode-select --install\\n   Ubuntu/Debian: sudo apt-get install build-essential python3\\n   Windows: https://visualstudio.microsoft.com/downloads/ → Build Tools for Visual Studio → Desktop development with C++\\n   See: https://github.com/Sushegaad/MCP-Server-for-ISO27001#prerequisites\\n\"",
     "typecheck": "tsc --noEmit",
     "lint": "eslint src --ext .ts",
     "test": "vitest run --coverage",