iso27001-mcp 0.8.3 → 0.8.5

package/README.md

@@ -2,7 +2,7 @@
 
 **Turn Claude into an ISO 27001 compliance assistant** — controls, risk register, policies, evidence tracking, SoA generation, and full audit workflows in one local encrypted MCP server.
 
-[![Socket Badge](https://badge.socket.dev/npm/package/iso27001-mcp/0.8.3)](https://socket.dev/npm/package/iso27001-mcp/overview/0.8.3)
+[![Socket Badge](https://badge.socket.dev/npm/package/iso27001-mcp/0.8.5)](https://socket.dev/npm/package/iso27001-mcp/overview/0.8.5)
 [![npm version](https://img.shields.io/npm/v/iso27001-mcp.svg)](https://npmjs.com/package/iso27001-mcp)
 [![npm downloads](https://img.shields.io/npm/dt/iso27001-mcp.svg)](https://npmjs.com/package/iso27001-mcp)
 [![CI](https://github.com/Sushegaad/MCP-Server-for-ISO27001/actions/workflows/ci.yml/badge.svg)](https://github.com/Sushegaad/MCP-Server-for-ISO27001/actions/workflows/ci.yml)

package/dist/index.js

@@ -24797,7 +24797,8 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "iso27001-mcp",
-      version: "0.8.3",
+      version: "0.8.5",
+      mcpName: "io.github.Sushegaad/iso27001-mcp",
       description: "ISO 27001 compliance workspace for Claude \u2014 controls, risks, policies, evidence, audits, and SoA in one local encrypted MCP server",
       license: "MIT",
       repository: {
@@ -26259,13 +26260,24 @@ var MIGRATION_0006 = `-- =======================================================
 -- without a default; prev_hash is nullable (NULL = first in chain).
 ALTER TABLE audit_log ADD COLUMN prev_hash TEXT;
 `;
+var MIGRATION_0007 = `-- ============================================================
+-- iso27001-mcp  Migration 0007 \u2014 Organisation Profile Branding
+-- Adds optional branding and document personalisation fields.
+-- !! Never edit this file after it has been applied !!
+-- ============================================================
+ALTER TABLE organization_profile ADD COLUMN logo_url TEXT;
+ALTER TABLE organization_profile ADD COLUMN primary_color TEXT;
+ALTER TABLE organization_profile ADD COLUMN document_footer TEXT;
+ALTER TABLE organization_profile ADD COLUMN certification_body TEXT;
+`;
 var MIGRATIONS = [
   { filename: "0001_initial.sql", sql: MIGRATION_0001 },
   { filename: "0002_fts_index.sql", sql: MIGRATION_0002 },
   { filename: "0003_org_profile_procedures.sql", sql: MIGRATION_0003 },
   { filename: "0004_management_review_improvement.sql", sql: MIGRATION_0004 },
   { filename: "0005_evidence_documents.sql", sql: MIGRATION_0005 },
-  { filename: "0006_audit_log_hmac.sql", sql: MIGRATION_0006 }
+  { filename: "0006_audit_log_hmac.sql", sql: MIGRATION_0006 },
+  { filename: "0007_org_profile_branding.sql", sql: MIGRATION_0007 }
 ];
 
 // src/security/secrets.ts
@@ -33674,8 +33686,6 @@ var paginationLimit = import_zod.z.number().int().min(1).max(100).optional().def
 var paginationOffset = import_zod.z.number().int().min(0).optional().default(0);
 var versionEnum = import_zod.z.enum(["2022", "2013"]);
 var formatMarkdownCsvJson = import_zod.z.enum(["markdown", "csv", "json"]);
-var formatMarkdownCsv = import_zod.z.enum(["markdown", "csv"]);
-var formatMarkdownJson = import_zod.z.enum(["markdown", "json"]);
 var riskLevelEnum = import_zod.z.enum(["Low", "Medium", "High", "Critical"]);
 var likelihood1to5 = import_zod.z.number().int().min(1).max(5);
 var roleEnum = import_zod.z.enum(["viewer", "analyst", "admin"]);
@@ -33934,7 +33944,7 @@ var UpdateSoaEntrySchema = import_zod.z.object({
 });
 var ExportSoaSchema = import_zod.z.object({
   soa_id: uuid,
-  format: formatMarkdownCsv
+  format: import_zod.z.enum(["markdown", "csv", "html"])
 });
 var CreateAuditSchema = import_zod.z.object({
   name: shortText(200),
@@ -33971,7 +33981,7 @@ var UpdateCorrectiveActionSchema = import_zod.z.object({
 });
 var GenerateAuditReportSchema = import_zod.z.object({
   audit_id: uuid,
-  format: formatMarkdownJson
+  format: import_zod.z.enum(["markdown", "json", "html"])
 });
 var RegisterEvidenceSchema = import_zod.z.object({
   control_id: import_zod.z.string().min(1).max(20),
@@ -34036,7 +34046,11 @@ var SetOrganizationProfileSchema = import_zod.z.object({
     isms_manager: shortText(200).optional(),
     internal_auditor: shortText(200).optional()
   }).optional(),
-  review_cadence_months: import_zod.z.number().int().min(1).max(36).optional().default(12)
+  review_cadence_months: import_zod.z.number().int().min(1).max(36).optional().default(12),
+  logo_url: import_zod.z.string().url().max(2e3).optional(),
+  primary_color: import_zod.z.string().regex(/^#[0-9a-fA-F]{6}$/, "must be 6-digit hex e.g. #1e3a5f").optional(),
+  document_footer: import_zod.z.string().max(500).optional(),
+  certification_body: import_zod.z.string().max(200).optional()
 });
 var GetOrganizationProfileSchema = import_zod.z.object({});
 var procedureTypeEnum = import_zod.z.enum([
@@ -34090,7 +34104,7 @@ var ListProceduresSchema = import_zod.z.object({
 });
 var ExportProcedureSchema = import_zod.z.object({
   procedure_id: uuid,
-  format: formatMarkdownJson
+  format: import_zod.z.enum(["markdown", "json", "html"])
 });
 var reviewStatusEnum = import_zod.z.enum(["planned", "in_progress", "completed"]);
 var reviewInputCategoryEnum = import_zod.z.enum([
@@ -35415,6 +35429,171 @@ function stripFrontmatter(raw) {
   }
   return { template, clauseMappings, controlMappings };
 }
+function markdownToHtml(md) {
+  const lines = md.split("\n");
+  const out = [];
+  let inTable = false;
+  let inList = false;
+  let tableHeaderDone = false;
+  const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  const inline = (s) => s.replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>").replace(/\*([^*]+)\*/g, "<em>$1</em>").replace(/`([^`]+)`/g, "<code>$1</code>");
+  for (const line of lines) {
+    const h1 = line.match(/^# (.+)/);
+    const h2 = line.match(/^## (.+)/);
+    const h3 = line.match(/^### (.+)/);
+    if (h1 || h2 || h3) {
+      if (inList) {
+        out.push("</ul>");
+        inList = false;
+      }
+      if (inTable) {
+        out.push("</tbody></table>");
+        inTable = false;
+        tableHeaderDone = false;
+      }
+      if (h1) {
+        out.push(`<h1>${inline(esc(h1[1]))}</h1>`);
+        continue;
+      }
+      if (h2) {
+        out.push(`<h2>${inline(esc(h2[1]))}</h2>`);
+        continue;
+      }
+      if (h3) {
+        out.push(`<h3>${inline(esc(h3[1]))}</h3>`);
+        continue;
+      }
+    }
+    if (/^---+$/.test(line.trim())) {
+      if (inList) {
+        out.push("</ul>");
+        inList = false;
+      }
+      if (inTable) {
+        out.push("</tbody></table>");
+        inTable = false;
+        tableHeaderDone = false;
+      }
+      out.push("<hr>");
+      continue;
+    }
+    if (line.trim().startsWith("|")) {
+      if (inList) {
+        out.push("</ul>");
+        inList = false;
+      }
+      if (/^\|[-| :]+\|$/.test(line.trim())) {
+        if (!tableHeaderDone) {
+          out.push("<tbody>");
+          tableHeaderDone = true;
+        }
+        continue;
+      }
+      const cells = line.split("|").slice(1, -1).map((c) => c.trim());
+      if (!inTable) {
+        out.push("<table><thead><tr>");
+        cells.forEach((c) => out.push(`<th>${inline(esc(c))}</th>`));
+        out.push("</tr></thead>");
+        inTable = true;
+        tableHeaderDone = false;
+        continue;
+      }
+      out.push("<tr>");
+      cells.forEach((c) => out.push(`<td>${inline(esc(c))}</td>`));
+      out.push("</tr>");
+      continue;
+    }
+    if (inTable) {
+      out.push("</tbody></table>");
+      inTable = false;
+      tableHeaderDone = false;
+    }
+    if (/^[-*] /.test(line)) {
+      if (!inList) {
+        out.push("<ul>");
+        inList = true;
+      }
+      out.push(`<li>${inline(esc(line.replace(/^[-*] /, "")))}</li>`);
+      continue;
+    }
+    if (inList && line.trim() === "") {
+      out.push("</ul>");
+      inList = false;
+    }
+    if (line.trim() === "") {
+      out.push("");
+      continue;
+    }
+    if (!inList) out.push(`<p>${inline(esc(line))}</p>`);
+  }
+  if (inList) out.push("</ul>");
+  if (inTable) out.push("</tbody></table>");
+  return out.join("\n");
+}
+function renderHtmlDocument(bodyHtml, meta) {
+  const color = meta.primary_color ?? "#1e3a5f";
+  const footer = meta.document_footer ?? meta.organisation_name;
+  const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1.0">
+  <title>${meta.title} \u2014 ${meta.organisation_name}</title>
+  <style>
+    *,*::before,*::after{box-sizing:border-box}
+    body{font-family:'Segoe UI',Arial,sans-serif;font-size:11pt;line-height:1.6;color:#1a1a1a;margin:0;padding:0;background:#fff}
+    .doc-header{background:${color};color:#fff;padding:24px 40px 18px;display:flex;align-items:center;gap:20px}
+    .doc-header-logo{max-height:48px;max-width:160px;object-fit:contain}
+    .doc-header-text{flex:1}
+    .doc-header h1{margin:0 0 4px;font-size:18pt;font-weight:700;color:#fff}
+    .doc-header-sub{font-size:10pt;opacity:0.85}
+    .doc-meta-bar{background:#f5f7fa;border-bottom:2px solid ${color};padding:10px 40px;display:flex;gap:32px;font-size:9pt;color:#444}
+    .doc-meta-item strong{color:#111}
+    .doc-body{padding:28px 40px;max-width:900px}
+    h1{font-size:16pt;color:${color};margin-top:24px;border-bottom:2px solid ${color};padding-bottom:4px}
+    h2{font-size:13pt;color:${color};margin-top:20px}
+    h3{font-size:11pt;color:#333;margin-top:16px}
+    table{width:100%;border-collapse:collapse;margin:14px 0;font-size:10pt}
+    th{background:${color};color:#fff;padding:7px 10px;text-align:left;font-weight:600}
+    td{padding:6px 10px;border-bottom:1px solid #e0e4ea;vertical-align:top}
+    tr:nth-child(even) td{background:#f8f9fb}
+    ul{padding-left:20px;margin:8px 0}
+    li{margin:3px 0}
+    hr{border:none;border-top:1px solid #dce1ea;margin:20px 0}
+    p{margin:8px 0}
+    code{background:#f0f2f5;padding:1px 5px;border-radius:3px;font-family:monospace;font-size:10pt}
+    .doc-footer{margin-top:40px;padding:14px 40px;background:#f5f7fa;border-top:2px solid ${color};font-size:9pt;color:#666;display:flex;justify-content:space-between}
+    @media print{
+      body{font-size:10pt}
+      .doc-header,.doc-meta-bar,th,.doc-footer{-webkit-print-color-adjust:exact;print-color-adjust:exact}
+      h1,h2{page-break-after:avoid}
+      table{page-break-inside:avoid}
+    }
+  </style>
+</head>
+<body>
+  <div class="doc-header">
+    ${meta.logo_url ? `<img class="doc-header-logo" src="${meta.logo_url}" alt="${meta.organisation_name} logo">` : ""}
+    <div class="doc-header-text">
+      <h1>${meta.title}</h1>
+      <div class="doc-header-sub">${meta.organisation_name}${meta.doc_type ? ` \xB7 ${meta.doc_type}` : ""}</div>
+    </div>
+  </div>
+  <div class="doc-meta-bar">
+    ${meta.version ? `<span><strong>Version:</strong> ${meta.version}</span>` : ""}
+    ${meta.effective_date ? `<span><strong>Effective:</strong> ${meta.effective_date}</span>` : ""}
+    ${meta.owner ? `<span><strong>Owner:</strong> ${meta.owner}</span>` : ""}
+    <span><strong>Generated:</strong> ${today}</span>
+  </div>
+  <div class="doc-body">${bodyHtml}</div>
+  <div class="doc-footer">
+    <span>${footer}</span>
+    <span>INTERNAL \u2014 ISMS Controlled Document \xB7 Generated ${today}</span>
+  </div>
+</body>
+</html>`;
+}
 
 // src/tools/org-profile.ts
 var ORG_PROFILE_ID = "00000000-0000-4000-8000-000000000001";
@@ -35422,11 +35601,15 @@ function ok4(data) {
   return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }], isError: false };
 }
 function loadOrgProfileDefaults(db) {
-  const row = db.prepare("SELECT legal_entity_name, isms_scope_statement FROM organization_profile WHERE id = ?").get(ORG_PROFILE_ID);
+  const row = db.prepare("SELECT legal_entity_name, isms_scope_statement, logo_url, primary_color, document_footer, certification_body FROM organization_profile WHERE id = ?").get(ORG_PROFILE_ID);
   if (!row) return null;
   return {
     organisation_name: row.legal_entity_name,
-    scope: row.isms_scope_statement
+    scope: row.isms_scope_statement,
+    logo_url: row.logo_url,
+    primary_color: row.primary_color,
+    document_footer: row.document_footer,
+    certification_body: row.certification_body
   };
 }
 function handleSetOrganizationProfile(args2) {
@@ -35438,17 +35621,22 @@ function handleSetOrganizationProfile(args2) {
     isms_scope_statement,
     declared_exclusions,
     raci_roles,
-    review_cadence_months = 12
+    review_cadence_months = 12,
+    logo_url,
+    primary_color,
+    document_footer,
+    certification_body
   } = args2;
   const ts = now();
   getDb().prepare(`
     INSERT OR REPLACE INTO organization_profile
       (id, legal_entity_name, registered_jurisdiction, regulatory_licences,
        in_scope_activities, isms_scope_statement, declared_exclusions,
-       raci_roles, review_cadence_months, created_at, updated_at)
+       raci_roles, review_cadence_months, created_at, updated_at,
+       logo_url, primary_color, document_footer, certification_body)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, COALESCE(
       (SELECT created_at FROM organization_profile WHERE id = ?), ?
-    ), ?)
+    ), ?, ?, ?, ?, ?)
   `).run(
     ORG_PROFILE_ID,
     legal_entity_name,
@@ -35461,7 +35649,11 @@ function handleSetOrganizationProfile(args2) {
     review_cadence_months,
     ORG_PROFILE_ID,
     ts,
-    ts
+    ts,
+    logo_url ?? null,
+    primary_color ?? null,
+    document_footer ?? null,
+    certification_body ?? null
   );
   return ok4({
     id: ORG_PROFILE_ID,
@@ -35829,6 +36021,44 @@ function handleExportSoa(args2) {
   `).all(soa.isms_version, soa_id);
   const includedCount = entries.filter((e) => e.included === 1).length;
   const excludedCount = entries.filter((e) => e.included === 0).length;
+  const ORG_PROFILE_ID_SOA = "00000000-0000-4000-8000-000000000001";
+  if (format === "html") {
+    const profileRow = db.prepare(
+      "SELECT legal_entity_name, logo_url, primary_color, document_footer FROM organization_profile WHERE id = ?"
+    ).get(ORG_PROFILE_ID_SOA);
+    const tableRows = entries.map((e) => {
+      const inc = e.included === 1;
+      return `<tr>
+        <td><strong>${e.control_id}</strong></td>
+        <td>${e.control_name ?? "\u2014"}</td>
+        <td>${e.theme ?? "\u2014"}</td>
+        <td style="color:${inc ? "#065f46" : "#991b1b"};font-weight:600">${inc ? "\u2713 Yes" : "\u2717 No"}</td>
+        <td>${e.justification}</td>
+        <td>${e.status ?? "\u2014"}</td>
+        <td>${e.responsible_party ?? "\u2014"}</td>
+      </tr>`;
+    }).join("\n");
+    const bodyHtml = `
+      <p><strong>ISMS Version:</strong> ISO 27001:${soa.isms_version} &nbsp;\xB7&nbsp;
+         <strong>Total:</strong> ${entries.length} &nbsp;\xB7&nbsp;
+         <strong>Included:</strong> ${includedCount} &nbsp;\xB7&nbsp;
+         <strong>Excluded:</strong> ${excludedCount}</p>
+      <table>
+        <thead>
+          <tr><th>Control ID</th><th>Name</th><th>Theme</th><th>Included</th><th>Justification</th><th>Status</th><th>Responsible Party</th></tr>
+        </thead>
+        <tbody>${tableRows}</tbody>
+      </table>`;
+    const html = renderHtmlDocument(bodyHtml, {
+      title: "Statement of Applicability",
+      organisation_name: profileRow?.legal_entity_name ?? "Organisation",
+      logo_url: profileRow?.logo_url,
+      primary_color: profileRow?.primary_color,
+      document_footer: profileRow?.document_footer,
+      doc_type: `ISO 27001:${soa.isms_version}`
+    });
+    return ok6({ format: "html", content: html });
+  }
   if (format === "csv") {
     const header = "control_id,name,theme,included,justification,status,responsible_party";
     const rows = entries.map(
@@ -36062,6 +36292,46 @@ function handleGenerateAuditReport(args2) {
     carsByFinding.set(car.finding_id, existing);
   }
   const countByType = (type) => findings.filter((f) => f.type === type).length;
+  if (args2.format === "html") {
+    const mdLines = [
+      `# ${audit.name}`,
+      ``,
+      `**Auditor:** ${audit.auditor}  `,
+      `**Planned Date:** ${audit.planned_date}  `,
+      `**Status:** ${audit.status}  `,
+      `**Scope:** ${audit.scope}`,
+      ``,
+      `## Findings (${findings.length})`,
+      ``,
+      `| ID | Type | Severity | Clause/Control | Description |`,
+      `|---|---|---|---|---|`,
+      ...findings.map(
+        (f) => `| ${f.id.slice(-8)} | ${f.type.toUpperCase()} | ${f.severity ?? "\u2014"} | ${f.clause_or_control} | ${f.description.slice(0, 80)} |`
+      ),
+      ``,
+      `## Corrective Actions (${cars.length})`,
+      ``,
+      `| CAR ID | Finding | Owner | Due Date | Status | Verified |`,
+      `|---|---|---|---|---|---|`,
+      ...cars.map(
+        (c) => `| ${c.id.slice(-8)} | ${c.finding_id.slice(-8)} | ${c.owner} | ${c.due_date} | ${c.status} | ${c.effectiveness_verified ? "\u2713 Yes" : "No"} |`
+      )
+    ];
+    const db2 = getDb();
+    const ORG_PROFILE_ID_AUDIT = "00000000-0000-4000-8000-000000000001";
+    const profileRow = db2.prepare(
+      "SELECT legal_entity_name, logo_url, primary_color, document_footer FROM organization_profile WHERE id = ?"
+    ).get(ORG_PROFILE_ID_AUDIT);
+    const html = renderHtmlDocument(markdownToHtml(mdLines.join("\n")), {
+      title: audit.name,
+      organisation_name: profileRow?.legal_entity_name ?? "Organisation",
+      logo_url: profileRow?.logo_url,
+      primary_color: profileRow?.primary_color,
+      document_footer: profileRow?.document_footer,
+      doc_type: "Internal Audit Report"
+    });
+    return ok7({ format: "html", content: html });
+  }
   if (format === "json") {
     return ok7({
       audit: shapeAudit(audit),
@@ -36657,6 +36927,23 @@ function handleExportProcedure(args2) {
   const db = getDb();
   const row = db.prepare("SELECT * FROM procedures WHERE id = ?").get(procedure_id);
   if (!row) throw notFound("procedure", procedure_id);
+  if (format === "html") {
+    const db2 = getDb();
+    const defaults = loadOrgProfileDefaults(db2);
+    const bodyHtml = markdownToHtml(row.content);
+    const html = renderHtmlDocument(bodyHtml, {
+      title: row.procedure_type.replace(/_/g, " ").replace(/\b\w/g, (l) => l.toUpperCase()) + " Procedure",
+      organisation_name: row.organisation_name,
+      logo_url: defaults?.logo_url,
+      primary_color: defaults?.primary_color,
+      document_footer: defaults?.document_footer,
+      version: String(row.version),
+      effective_date: row.effective_date,
+      owner: row.owner,
+      doc_type: "Procedure"
+    });
+    return ok9({ format: "html", content: html });
+  }
   if (format === "markdown") {
     const relatedControls = fromJsonArray(row.related_controls);
     const controlsSection = relatedControls.length > 0 ? `
@@ -38626,12 +38913,12 @@ ${divider}
   } else {
     try {
       const rows = openDb(dbPath2).prepare("SELECT filename FROM _migrations ORDER BY id").all();
-      const passed2 = rows.length >= 6;
+      const passed2 = rows.length >= 7;
       check(
         "Migrations",
         passed2,
         false,
-        `${rows.length}/6 applied${passed2 ? "" : " \u2014 DB may need re-initialisation"}`
+        `${rows.length}/7 applied${passed2 ? "" : " \u2014 DB may need re-initialisation"}`
       );
       record(passed2);
     } catch {

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "iso27001-mcp",
-  "version": "0.8.3",
+  "version": "0.8.5",
+  "mcpName": "io.github.Sushegaad/iso27001-mcp",
   "description": "ISO 27001 compliance workspace for Claude — controls, risks, policies, evidence, audits, and SoA in one local encrypted MCP server",
   "license": "MIT",
   "repository": {