iso27001-mcp 0.8.1 → 0.8.2
- package/README.md +25 -1
- package/dist/index.js +4 -4
- package/package.json +1 -1
package/README.md
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
# iso27001-mcp
|
|
2
2
|
|
|
3
|
-
[](https://socket.dev/npm/package/iso27001-mcp/overview/0.8.2)
|
|
4
4
|
[](https://npmjs.com/package/iso27001-mcp)
|
|
5
|
+
[](https://npmjs.com/package/iso27001-mcp)
|
|
5
6
|
[](https://sushegaad.github.io/MCP-Server-for-ISO27001/)
|
|
6
7
|
|
|
7
8
|
**[▶ Live Interactive Demo](https://sushegaad.github.io/MCP-Server-for-ISO27001/)**
|
|
@@ -49,8 +50,10 @@ Claude ──MCP──► iso27001-mcp ──► encrypted SQLite (isms.db)
|
|
|
49
50
|
- [Architecture](#architecture)
|
|
50
51
|
- [Modes](#modes)
|
|
51
52
|
- [Integrations](#integrations)
|
|
53
|
+
- [Sample Outputs](#sample-outputs)
|
|
52
54
|
- [Development](#development)
|
|
53
55
|
- [Security](#security)
|
|
56
|
+
- [Trust Center](https://github.com/Sushegaad/MCP-Server-for-ISO27001/tree/main/docs/security/) — threat model · hardening guide · data flow · supply chain · audit log integrity
|
|
54
57
|
|
|
55
58
|
---
|
|
56
59
|
|
|
@@ -306,6 +309,7 @@ Full variable reference:
|
|
|
306
309
|
| `SESSION_TTL_HOURS` | | `4` | SSE session TTL (hosted/team modes) |
|
|
307
310
|
| `SSE_PORT` | | `3000` | Port for the SSE server (hosted/team modes) |
|
|
308
311
|
| `BEHIND_TLS_PROXY` | | `false` | Set `true` when behind nginx/Caddy in production |
|
|
312
|
+
| `CORS_ORIGIN` | | `http://localhost` (dev) / `https://claude.ai` (prod) | Allowed CORS origin for the SSE server — never set to `*` |
|
|
309
313
|
| `JIRA_BASE_URL` | | — | e.g. `https://your-org.atlassian.net` |
|
|
310
314
|
| `JIRA_API_TOKEN` | | — | Jira API token for the integration |
|
|
311
315
|
| `JIRA_PROJECT_KEY` | | — | e.g. `SEC` |
|
|
@@ -1248,6 +1252,24 @@ Sessions expire after `SESSION_TTL_HOURS` hours of inactivity. In `NODE_ENV=prod
|
|
|
1248
1252
|
|
|
1249
1253
|
---
|
|
1250
1254
|
|
|
1255
|
+
## Sample Outputs
|
|
1256
|
+
|
|
1257
|
+
The [`samples/`](samples/) directory contains auditor-ready example outputs generated from a demo ISMS for a fictitious organisation ("Acme Financial Services Ltd" — a UK payments processor preparing for ISO 27001:2022 certification). Each file states which tool(s) produced it.
|
|
1258
|
+
|
|
1259
|
+
| Sample | Description |
|
|
1260
|
+
|--------|-------------|
|
|
1261
|
+
| [gap-assessment-summary.md](samples/gap-assessment-summary.md) | Complete gap assessment across all 93 controls |
|
|
1262
|
+
| [remediation-roadmap.md](samples/remediation-roadmap.md) | 26-week prioritised remediation plan with owners and effort estimates |
|
|
1263
|
+
| [risk-register.csv](samples/risk-register.csv) | Risk register with 10 risks, scores, and treatment plans |
|
|
1264
|
+
| [statement-of-applicability.csv](samples/statement-of-applicability.csv) | Full SoA — all 93 ISO 27001:2022 controls with applicability justifications |
|
|
1265
|
+
| [access-control-policy.md](samples/access-control-policy.md) | Generated access control policy (Annex A 5.15–5.18, 8.2–8.5) |
|
|
1266
|
+
| [incident-handling-procedure.md](samples/incident-handling-procedure.md) | Incident handling procedure with severity tiers and GDPR notification |
|
|
1267
|
+
| [internal-audit-report.md](samples/internal-audit-report.md) | Internal audit report — 3 major NCs, 4 minor NCs, 2 positive observations |
|
|
1268
|
+
| [corrective-action-record.md](samples/corrective-action-record.md) | Two corrective action records: one in progress, one closed and verified |
|
|
1269
|
+
| [evidence-package.md](samples/evidence-package.md) | 47-item evidence inventory with 28-control gap analysis |
|
|
1270
|
+
|
|
1271
|
+
---
|
|
1272
|
+
|
|
1251
1273
|
## Integrations
|
|
1252
1274
|
|
|
1253
1275
|
### Jira
|
|
@@ -1379,6 +1401,8 @@ tests/
|
|
|
1379
1401
|
|
|
1380
1402
|
## Security
|
|
1381
1403
|
|
|
1404
|
+
For a full security profile — threat model, hardening guide, data flow documentation, supply chain attestation, and audit log integrity verification — see the **[Trust Center](https://github.com/Sushegaad/MCP-Server-for-ISO27001/tree/main/docs/security/)**.
|
|
1405
|
+
|
|
1382
1406
|
### API Key Storage
|
|
1383
1407
|
|
|
1384
1408
|
API keys are never stored in plaintext. Only an HMAC-SHA256 hash is persisted in the database. The raw `iso27001_...` key is printed once to stdout at generation time — there is no way to retrieve it afterwards.
|
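--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -24797,7 +24797,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "iso27001-mcp",
-version: "0.8.
+version: "0.8.2",
 description: "Stateful ISO 27001:2022 ISMS management for Claude \u2014 gap analysis, risk register, policies, audits, and evidence tracking via the Model Context Protocol",
 license: "MIT",
 repository: {
@@ -26650,7 +26650,7 @@ function startSseServer(server) {
 }
 const app = (0, import_express.default)();
 app.use((req, res, next) => {
-const allowedOrigin = isProduction ? "https://claude.ai" : "
+const allowedOrigin = process.env["CORS_ORIGIN"] ?? (isProduction ? "https://claude.ai" : "http://localhost");
 res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
 res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
 res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
@@ -26675,7 +26675,7 @@ function startSseServer(server) {
 });
 app.get("/sse", async (req, res) => {
 const authHeader = req.headers["authorization"];
-const rawKey =
+const rawKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : "";
 let keyHash;
 let role;
 try {
@@ -26686,7 +26686,7 @@ function startSseServer(server) {
 res.status(401).json({
 error: "Unauthorized",
 message: msg,
-hint: "Pass Authorization: Bearer <iso27001_...> header at connect time."
+hint: "Pass 'Authorization: Bearer <iso27001_...>' header at /sse connect time. MCP_API_KEY env fallback is not accepted over SSE."
 });
 return;
 }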
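Review bot: The new `allowedOrigin` line in the 26650 hunk accepts whatever `CORS_ORIGIN` holds verbatim, including `*`, while the README shipped in this same release tells operators the variable must never be set to `*`; the code should enforce what the documentation promises rather than rely on it. A fail-closed check such as `const configuredOrigin = process.env["CORS_ORIGIN"];` followed by `if (configuredOrigin === "*") throw new Error("CORS_ORIGIN must not be '*'");` would reject the misconfiguration instead of emitting a wildcard alongside `Access-Control-Allow-Headers: Content-Type, Authorization`. Because the middleware sends a single fixed origin rather than matching `req.headers.origin`, an operator with more than one legitimate client origin has no safe way to express that either, so a comment stating that exactly one origin is supported would help. This file is a bundled build artifact, so the fix presumably belongs in the source module `startSseServer` is compiled from; `startSseServer` itself begins and ends outside the hunk.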
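--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "iso27001-mcp",
-"version": "0.8.
+"version": "0.8.2",
 "description": "Stateful ISO 27001:2022 ISMS management for Claude — gap analysis, risk register, policies, audits, and evidence tracking via the Model Context Protocol",
 "license": "MIT",
 "repository": {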