mcp-server-scf 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Compliance Genie
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,255 @@
+# mcp-server-scf
+
+[![npm version](https://img.shields.io/npm/v/mcp-server-scf.svg)](https://www.npmjs.com/package/mcp-server-scf)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![MCP](https://img.shields.io/badge/MCP-compatible-green.svg)](https://modelcontextprotocol.io)
+
+**Security compliance controls, frameworks, and risk management for AI agents.**
+
+Give your AI assistant access to 1,451 SCF security controls, 354+ framework mappings (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR), evidence tracking, risk registers, and vendor risk management — all through the [Model Context Protocol](https://modelcontextprotocol.io).
+
+## Quick Start
+
+### Claude Desktop
+
+Add to `~/Library/Application Support/Claude/claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "scf": {
+      "command": "npx",
+      "args": ["-y", "mcp-server-scf"],
+      "env": {
+        "SCF_API_KEY": "scf_your_api_key_here",
+        "SCF_API_URL": "https://eu.scfcontrolsplatform.app"
+      }
+    }
+  }
+}
+```
+
+### Claude Code
+
+```bash
+claude mcp add scf -- npx -y mcp-server-scf
+```
+
+Then set environment variables in your shell:
+
+```bash
+export SCF_API_KEY="scf_your_api_key_here"
+export SCF_API_URL="https://eu.scfcontrolsplatform.app"
+```
+
+### Cursor / Windsurf
+
+Add to your MCP config (`.cursor/mcp.json` or equivalent):
+
+```json
+{
+  "mcpServers": {
+    "scf": {
+      "command": "npx",
+      "args": ["-y", "mcp-server-scf"],
+      "env": {
+        "SCF_API_KEY": "scf_your_api_key_here",
+        "SCF_API_URL": "https://eu.scfcontrolsplatform.app"
+      }
+    }
+  }
+}
+```
+
+### Docker
+
+```json
+{
+  "mcpServers": {
+    "scf": {
+      "command": "docker",
+      "args": ["run", "-i", "--rm", "-e", "SCF_API_KEY", "markac007/mcp-server-scf"],
+      "env": {
+        "SCF_API_KEY": "scf_your_api_key_here"
+      }
+    }
+  }
+}
+```
+
+## Getting an API Key
+
+1. Sign up at [scfcontrolsplatform.app](https://eu.scfcontrolsplatform.app)
+2. Go to **Settings > API Keys**
+3. Click **Generate New Key**
+4. Copy the key (shown once) and add it to your MCP config
+
+## Tools
+
+### Catalog (Read-Only Reference Data)
+
+| Tool | Description |
+|------|-------------|
+| `list_controls` | List SCF security controls with search, domain, and framework filters |
+| `get_control` | Get control details with assessment objectives and evidence items |
+| `list_frameworks` | List all 354+ mapped compliance frameworks |
+| `list_domains` | List compliance domains (Asset Management, IAC, etc.) |
+| `list_evidence_catalog` | List 272 standard evidence types |
+| `list_assessment_objectives` | List 5,736 assessment test criteria |
+
+### Control Scoping (Implementation Tracking)
+
+| Tool | Description |
+|------|-------------|
+| `list_scoped_controls` | List controls scoped to your org with implementation status |
+| `get_scoped_control` | Get detailed implementation status, owner, and audit history |
+| `update_scoped_control` | Update status, owner, or notes (validated state transitions) |
+| `get_scoping_stats` | Implementation progress — counts by status, completion % |
+| `scope_framework` | Bulk-scope all controls from a framework |
+| `batch_update_controls` | Batch update up to 500 controls in one transaction |
+
+### Evidence Collection
+
+| Tool | Description |
+|------|-------------|
+| `list_evidence` | List evidence items tracked for controls |
+| `create_evidence` | Create evidence linked to a control |
+| `get_evidence_maturity` | Evidence maturity scores across controls |
+| `list_evidence_tasks` | Evidence collection work queue |
+
+### Risk Management
+
+| Tool | Description |
+|------|-------------|
+| `list_risks` | List risk register entries with scores and treatment status |
+| `get_risk` | Get detailed risk assessment (inherent + residual scores) |
+| `create_risk` | Create risk in the 5x5 matrix with likelihood and impact |
+| `get_risk_matrix` | 5x5 risk matrix visualization data |
+| `get_risk_summary` | Aggregated risk summary by severity |
+
+### Vendor Risk (TPRM)
+
+| Tool | Description |
+|------|-------------|
+| `list_vendors` | List vendors with status and criticality filters |
+| `get_vendor` | Get vendor details, certs, assessments, and risk scores |
+| `create_vendor` | Add vendor to TPRM registry |
+| `trigger_vendor_research` | AI-powered security research (HIBP, NVD, breach history) |
+| `get_vendor_research` | Get latest vendor research results |
+| `trigger_dpsia` | Data Protection Security Impact Assessment |
+
+### Organization & Platform
+
+| Tool | Description |
+|------|-------------|
+| `get_current_user` | Current user profile and organizations |
+| `list_organizations` | Organizations you have access to |
+| `get_organization` | Org details, tier, usage, and settings |
+| `list_members` | Organization members and roles |
+| `get_work_queue` | Your prioritized task queue |
+| `get_audit_log` | Field-level change audit trail (SOC 2) |
+| `get_notifications` | User notifications and alerts |
+
+### Capabilities & Systems
+
+| Tool | Description |
+|------|-------------|
+| `list_capability_themes` | 11 KSI-aligned capability themes |
+| `list_capabilities` | Security capabilities mapped to systems |
+| `list_systems` | Infrastructure systems inventory |
+| `create_system` | Add system to inventory |
+
+## Configuration
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `SCF_API_KEY` | Yes | — | Your SCF platform API key (`scf_` prefix) |
+| `SCF_API_URL` | No | `https://eu.scfcontrolsplatform.app` | Platform API URL |
+
+## Example Prompts
+
+Once connected, try asking your AI assistant:
+
+- "What NIST 800-53 controls apply to access control?"
+- "Show me my organization's control implementation progress"
+- "List all critical vendors and their risk scores"
+- "Create a risk assessment for our cloud migration"
+- "What evidence do I need to collect for SOC 2 audit?"
+- "Show the 5x5 risk matrix for my organization"
+- "What's in my compliance work queue today?"
+
+## Architecture
+
+```
+mcp-server-scf
+├── src/
+│   ├── index.ts              # Server entry point (stdio transport)
+│   ├── tools/
+│   │   ├── catalog.ts        # SCF reference data (read-only)
+│   │   ├── scoped-controls.ts # Control implementation tracking
+│   │   ├── evidence.ts       # Evidence collection
+│   │   ├── risk.ts           # Risk register
+│   │   ├── vendors.ts        # Third-party risk management
+│   │   ├── organization.ts   # Org, users, audit, notifications
+│   │   └── capabilities.ts   # KSI themes, systems
+│   └── lib/
+│       ├── api-client.ts     # HTTP client with auth
+│       └── errors.ts         # Structured error handling
+├── build/                    # Compiled output
+├── package.json
+└── tsconfig.json
+```
+
+## Development
+
+```bash
+# Clone
+git clone https://github.com/MarkAC007/mcp-server-scf.git
+cd mcp-server-scf
+
+# Install
+npm install
+
+# Build
+npm run build
+
+# Development (watch mode)
+npm run dev
+
+# Test with MCP Inspector
+npm run inspector
+```
+
+## Testing with MCP Inspector
+
+```bash
+SCF_API_KEY=scf_your_key npx @modelcontextprotocol/inspector node build/index.js
+```
+
+## Security
+
+- API keys are never logged or included in error messages
+- All communication uses HTTPS
+- Keys are SHA-256 hashed server-side
+- Rate limiting: 100 req/min (read), 20 req/min (write)
+- Multi-tenant: All operations scoped to your organization
+
+## Contributing
+
+Contributions welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) before submitting PRs.
+
+1. Fork the repository
+2. Create your feature branch (`git checkout -b feature/amazing-feature`)
+3. Commit your changes (`git commit -m 'Add amazing feature'`)
+4. Push to the branch (`git push origin feature/amazing-feature`)
+5. Open a Pull Request
+
+## License
+
+MIT - see [LICENSE](LICENSE)
+
+## Links
+
+- [SCF Controls Platform](https://eu.scfcontrolsplatform.app) - The compliance platform
+- [Model Context Protocol](https://modelcontextprotocol.io) - MCP specification
+- [SCF Framework](https://securecontrolsframework.com) - Secure Controls Framework

package/build/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/build/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/build/index.js

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { registerCatalogTools } from "./tools/catalog.js";
+import { registerScopedControlTools } from "./tools/scoped-controls.js";
+import { registerEvidenceTools } from "./tools/evidence.js";
+import { registerRiskTools } from "./tools/risk.js";
+import { registerVendorTools } from "./tools/vendors.js";
+import { registerOrganizationTools } from "./tools/organization.js";
+import { registerCapabilityTools } from "./tools/capabilities.js";
+const server = new McpServer({
+    name: "mcp-server-scf",
+    version: "0.1.0",
+});
+// Register all tool groups
+registerCatalogTools(server);
+registerScopedControlTools(server);
+registerEvidenceTools(server);
+registerRiskTools(server);
+registerVendorTools(server);
+registerOrganizationTools(server);
+registerCapabilityTools(server);
+// Start server
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error("SCF MCP Server running on stdio");
+}
+main().catch((error) => {
+    console.error("Fatal error:", error);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/build/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,gBAAgB;IACtB,OAAO,EAAE,OAAO;CACjB,CAAC,CAAC;AAEH,2BAA2B;AAC3B,oBAAoB,CAAC,MAAM,CAAC,CAAC;AAC7B,0BAA0B,CAAC,MAAM,CAAC,CAAC;AACnC,qBAAqB,CAAC,MAAM,CAAC,CAAC;AAC9B,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAC1B,mBAAmB,CAAC,MAAM,CAAC,CAAC;AAC5B,yBAAyB,CAAC,MAAM,CAAC,CAAC;AAClC,uBAAuB,CAAC,MAAM,CAAC,CAAC;AAEhC,eAAe;AACf,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;AACnD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/build/lib/api-client.d.ts

@@ -0,0 +1,24 @@
+export interface ApiClientConfig {
+    baseUrl: string;
+    apiKey: string;
+}
+export interface PaginatedResponse<T> {
+    items: T[];
+    total: number;
+    page: number;
+    per_page: number;
+    pages: number;
+}
+export declare class ScfApiClient {
+    private baseUrl;
+    private apiKey;
+    constructor(config: ApiClientConfig);
+    private request;
+    get<T>(path: string, params?: Record<string, string | number | boolean | undefined>): Promise<T>;
+    post<T>(path: string, body?: unknown): Promise<T>;
+    patch<T>(path: string, body?: unknown): Promise<T>;
+    delete<T>(path: string): Promise<T>;
+    put<T>(path: string, body?: unknown): Promise<T>;
+}
+export declare function getClient(): ScfApiClient;
+//# sourceMappingURL=api-client.d.ts.map

package/build/lib/api-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-client.d.ts","sourceRoot":"","sources":["../../src/lib/api-client.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB,CAAC,CAAC;IAClC,KAAK,EAAE,CAAC,EAAE,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,EAAE,eAAe;YAKrB,OAAO;IA+Cf,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhG,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIjD,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIlD,MAAM,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAInC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;CAGvD;AAID,wBAAgB,SAAS,IAAI,YAAY,CAexC"}

package/build/lib/api-client.js

@@ -0,0 +1,72 @@
+import { ScfApiError } from "./errors.js";
+export class ScfApiClient {
+    baseUrl;
+    apiKey;
+    constructor(config) {
+        this.baseUrl = config.baseUrl.replace(/\/+$/, "");
+        this.apiKey = config.apiKey;
+    }
+    async request(method, path, options) {
+        const url = new URL(`${this.baseUrl}/api${path}`);
+        if (options?.params) {
+            for (const [key, value] of Object.entries(options.params)) {
+                if (value !== undefined && value !== null) {
+                    url.searchParams.set(key, String(value));
+                }
+            }
+        }
+        const headers = {
+            Authorization: `Bearer ${this.apiKey}`,
+            Accept: "application/json",
+        };
+        if (options?.body) {
+            headers["Content-Type"] = "application/json";
+        }
+        const response = await fetch(url.toString(), {
+            method,
+            headers,
+            body: options?.body ? JSON.stringify(options.body) : undefined,
+        });
+        if (!response.ok) {
+            let detail = response.statusText;
+            try {
+                const errorBody = (await response.json());
+                detail = errorBody.detail || errorBody.error || detail;
+            }
+            catch {
+                // Use status text as fallback
+            }
+            throw new ScfApiError(detail, response.status);
+        }
+        return response.json();
+    }
+    async get(path, params) {
+        return this.request("GET", path, { params });
+    }
+    async post(path, body) {
+        return this.request("POST", path, { body });
+    }
+    async patch(path, body) {
+        return this.request("PATCH", path, { body });
+    }
+    async delete(path) {
+        return this.request("DELETE", path);
+    }
+    async put(path, body) {
+        return this.request("PUT", path, { body });
+    }
+}
+let _client = null;
+export function getClient() {
+    if (!_client) {
+        const apiKey = process.env.SCF_API_KEY;
+        const baseUrl = process.env.SCF_API_URL || "https://eu.scfcontrolsplatform.app";
+        if (!apiKey) {
+            throw new Error("SCF_API_KEY environment variable is required. " +
+                "Generate one at https://eu.scfcontrolsplatform.app/settings/api-keys");
+        }
+        _client = new ScfApiClient({ baseUrl, apiKey });
+    }
+    return _client;
+}
+//# sourceMappingURL=api-client.js.map

package/build/lib/api-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../../src/lib/api-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAe1C,MAAM,OAAO,YAAY;IACf,OAAO,CAAS;IAChB,MAAM,CAAS;IAEvB,YAAY,MAAuB;QACjC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC9B,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,MAAc,EACd,IAAY,EACZ,OAGC;QAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,EAAE,CAAC,CAAC;QAElD,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;YACpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1D,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;oBAC1C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;YACtC,MAAM,EAAE,kBAAkB;SAC3B,CAAC;QAEF,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC/C,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;YAC3C,MAAM;YACN,OAAO;YACP,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC/D,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,MAAM,GAAG,QAAQ,CAAC,UAAU,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;gBACrE,MAAM,GAAI,SAAS,CAAC,MAAiB,IAAK,SAAS,CAAC,KAAgB,IAAI,MAAM,CAAC;YACjF,CAAC;YAAC,MAAM,CAAC;gBACP,8BAA8B;YAChC,CAAC;YACD,MAAM,IAAI,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,EAAgB,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,IAAY,EAAE,MAA8D;QACvF,OAAO,IAAI,CAAC,OAAO,CAAI,KAAK,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAc;QACxC,OAAO,IAAI,CAAC,OAAO,CAAI,MAAM,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,KAAK,CAAI,IAAY,EAAE,IAAc;QACzC,OAAO,IAAI,CAAC,OAAO,CAAI,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,MAAM,CAAI,IAAY;QAC1B,OAAO,IAAI,CAAC,OAAO,CAAI,QAAQ,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,IAAY,EAAE,IAAc;QACvC,OAAO,IAAI,CAAC,OAAO,CAAI,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;CACF;AAED,IAAI,OAAO,GAAwB,IAAI,CAAC;AAExC,MAAM,UAAU,SAAS;IACvB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;QACvC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,oCAAoC,CAAC;QAEhF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,gDAAgD;gBAC9C,sEAAsE,CACzE,CAAC;QACJ,CAAC;QAED,OAAO,GAAG,IAAI,YAAY,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/build/lib/errors.d.ts

@@ -0,0 +1,14 @@
+export declare class ScfApiError extends Error {
+    statusCode: number;
+    errorCode?: string | undefined;
+    constructor(message: string, statusCode: number, errorCode?: string | undefined);
+}
+export declare function formatError(error: unknown): string;
+export declare function errorResult(error: unknown): {
+    content: {
+        type: "text";
+        text: string;
+    }[];
+    isError: boolean;
+};
+//# sourceMappingURL=errors.d.ts.map

package/build/lib/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/lib/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,WAAY,SAAQ,KAAK;IAG3B,UAAU,EAAE,MAAM;IAClB,SAAS,CAAC,EAAE,MAAM;gBAFzB,OAAO,EAAE,MAAM,EACR,UAAU,EAAE,MAAM,EAClB,SAAS,CAAC,EAAE,MAAM,YAAA;CAK5B;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAWlD;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO;;;;;;EAKzC"}

package/build/lib/errors.js

@@ -0,0 +1,35 @@
+export class ScfApiError extends Error {
+    statusCode;
+    errorCode;
+    constructor(message, statusCode, errorCode) {
+        super(message);
+        this.statusCode = statusCode;
+        this.errorCode = errorCode;
+        this.name = "ScfApiError";
+    }
+}
+export function formatError(error) {
+    if (error instanceof ScfApiError) {
+        if (error.statusCode === 401)
+            return "Authentication failed. Check your SCF_API_KEY.";
+        if (error.statusCode === 403)
+            return "Access denied. Your API key may lack permissions for this operation.";
+        if (error.statusCode === 404)
+            return `Not found: ${error.message}`;
+        if (error.statusCode === 429)
+            return "Rate limited. Please wait before retrying.";
+        if (error.statusCode === 402)
+            return "Subscription limit reached. Upgrade your plan to continue.";
+        return `API error (${error.statusCode}): ${error.message}`;
+    }
+    if (error instanceof Error)
+        return error.message;
+    return String(error);
+}
+export function errorResult(error) {
+    return {
+        content: [{ type: "text", text: formatError(error) }],
+        isError: true,
+    };
+}
+//# sourceMappingURL=errors.js.map

package/build/lib/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/lib/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,WAAY,SAAQ,KAAK;IAG3B;IACA;IAHT,YACE,OAAe,EACR,UAAkB,EAClB,SAAkB;QAEzB,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,eAAU,GAAV,UAAU,CAAQ;QAClB,cAAS,GAAT,SAAS,CAAS;QAGzB,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AAED,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG;YAAE,OAAO,gDAAgD,CAAC;QACtF,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG;YAAE,OAAO,sEAAsE,CAAC;QAC5G,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG;YAAE,OAAO,cAAc,KAAK,CAAC,OAAO,EAAE,CAAC;QACnE,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG;YAAE,OAAO,4CAA4C,CAAC;QAClF,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG;YAAE,OAAO,4DAA4D,CAAC;QAClG,OAAO,cAAc,KAAK,CAAC,UAAU,MAAM,KAAK,CAAC,OAAO,EAAE,CAAC;IAC7D,CAAC;IACD,IAAI,KAAK,YAAY,KAAK;QAAE,OAAO,KAAK,CAAC,OAAO,CAAC;IACjD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9D,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC"}

package/build/tools/capabilities.d.ts

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function registerCapabilityTools(server: McpServer): void;
+//# sourceMappingURL=capabilities.d.ts.map

package/build/tools/capabilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"","sources":["../../src/tools/capabilities.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAKpE,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,SAAS,QAmFxD"}

package/build/tools/capabilities.js

@@ -0,0 +1,69 @@
+import { z } from "zod";
+import { getClient } from "../lib/api-client.js";
+import { errorResult } from "../lib/errors.js";
+export function registerCapabilityTools(server) {
+    server.tool("list_capability_themes", "List the 11 KSI-aligned capability themes that group NIST 800-53 controls into security capability areas. Provides a high-level view of your security posture by capability.", {}, async () => {
+        try {
+            const client = getClient();
+            const data = await client.get("/capability-themes");
+            return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+        }
+        catch (error) {
+            return errorResult(error);
+        }
+    });
+    server.tool("list_capabilities", "List capabilities for an organization. Capabilities map to systems and evidence, showing what security functions your infrastructure supports.", {
+        org_id: z.string().describe("Organization ID"),
+        page: z.number().min(1).default(1).describe("Page number"),
+        per_page: z.number().min(1).max(100).default(25).describe("Results per page"),
+    }, async ({ org_id, page, per_page }) => {
+        try {
+            const client = getClient();
+            const data = await client.get(`/organizations/${org_id}/capabilities`, { page, per_page });
+            return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+        }
+        catch (error) {
+            return errorResult(error);
+        }
+    });
+    server.tool("list_systems", "List infrastructure systems in the organization's inventory. Systems are the tools and platforms that implement security capabilities.", {
+        org_id: z.string().describe("Organization ID"),
+    }, async ({ org_id }) => {
+        try {
+            const client = getClient();
+            const data = await client.get(`/organizations/${org_id}/systems`);
+            return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+        }
+        catch (error) {
+            return errorResult(error);
+        }
+    });
+    server.tool("create_system", "Add a system to the organization's infrastructure inventory. Systems can be linked to capabilities and evidence.", {
+        org_id: z.string().describe("Organization ID"),
+        name: z.string().describe("System name"),
+        description: z.string().optional().describe("System description"),
+        system_type: z
+            .enum([
+            "cloud_provider",
+            "identity_provider",
+            "ticketing",
+            "logging",
+            "security_tool",
+            "code_repository",
+            "document_management",
+            "custom",
+        ])
+            .describe("System type"),
+        status: z.enum(["active", "inactive", "deprecated"]).default("active").describe("System status"),
+    }, async ({ org_id, ...body }) => {
+        try {
+            const client = getClient();
+            const data = await client.post(`/organizations/${org_id}/systems`, body);
+            return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+        }
+        catch (error) {
+            return errorResult(error);
+        }
+    });
+}
+//# sourceMappingURL=capabilities.js.map

package/build/tools/capabilities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../../src/tools/capabilities.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAE/C,MAAM,UAAU,uBAAuB,CAAC,MAAiB;IACvD,MAAM,CAAC,IAAI,CACT,wBAAwB,EACxB,8KAA8K,EAC9K,EAAE,EACF,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YACpD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,gJAAgJ,EAChJ;QACE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QAC9C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC1D,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,kBAAkB,CAAC;KAC9E,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE;QACnC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,kBAAkB,MAAM,eAAe,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC3F,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,wIAAwI,EACxI;QACE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC;KAC/C,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;QACnB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,kBAAkB,MAAM,UAAU,CAAC,CAAC;YAClE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,eAAe,EACf,kHAAkH,EAClH;QACE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QAC9C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,aAAa,CAAC;QACxC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;QACjE,WAAW,EAAE,CAAC;aACX,IAAI,CAAC;YACJ,gBAAgB;YAChB,mBAAmB;YACnB,WAAW;YACX,SAAS;YACT,eAAe;YACf,iBAAiB;YACjB,qBAAqB;YACrB,QAAQ;SACT,CAAC;aACD,QAAQ,CAAC,aAAa,CAAC;QAC1B,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC;KACjG,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE;QAC5B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,kBAAkB,MAAM,UAAU,EAAE,IAAI,CAAC,CAAC;YACzE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/build/tools/catalog.d.ts

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function registerCatalogTools(server: McpServer): void;
+//# sourceMappingURL=catalog.d.ts.map

package/build/tools/catalog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog.d.ts","sourceRoot":"","sources":["../../src/tools/catalog.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAKpE,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,SAAS,QAsHrD"}