security-controls-mcp 0.3.2__tar.gz → 0.3.3__tar.gz

{security_controls_mcp-0.3.2 → security_controls_mcp-0.3.3}/.gitleaks.toml

@@ -31,8 +31,6 @@ regexes = [
 
 # Stop words that indicate a false positive
 stopwords = [
-  # Add stop words, e.g.:
-  # '''fake''',
-  # '''example''',
-  # '''test''',
+  '''example''',
+  '''test''',
 ]

{security_controls_mcp-0.3.2 → security_controls_mcp-0.3.3}/CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.3.3] - 2026-01-31
+
+### Changed
+- Repository cleanup: Removed LLM-generated documentation bloat
+- Simplified documentation from 18 to 6 essential files
+- Cleaned up README (524→256 lines), removed excessive emojis and verbosity
+- Simplified PAID_STANDARDS_GUIDE (342→251 lines)
+- Updated .gitignore to exclude Claude artifacts (.claude/, .serena/, test_venv/)
+
+### Removed
+- 11 redundant documentation files (CLAUDE_CODE_SETUP.md, DEPLOYMENT_CHECKLIST.md, CI-CD-PIPELINE.md, QUICK_START.md, INSTALL.md, TESTING.md, SECURITY-TOOLS.md, LEGAL_COMPLIANCE.md, RELEASE_NOTES_v0.3.1.md)
+- 7 development files from root (duplicate data files, test scripts)
+
+### Technical
+- No functional changes to MCP server or controls data
+- All 103 tests passing
+- Production readiness: 7/7 checks passed
+
 ## [0.3.2] - 2026-01-31
 
 ### Changed

{security_controls_mcp-0.3.2 → security_controls_mcp-0.3.3}/PAID_STANDARDS_GUIDE.md

@@ -1,21 +1,17 @@
-# Paid Standards Guide
+# Paid Standards Import Guide
 
-This guide explains how to add your purchased security standards (ISO 27001, NIST SP 800-53, etc.) to the Security Controls MCP Server for enhanced compliance research.
-
----
+Import your purchased security standards (ISO 27001, NIST SP 800-53, etc.) to get official text alongside SCF descriptions.
 
 ## Overview
 
-The Security Controls MCP Server includes **1,451 free SCF controls** that map across 28 frameworks. When you add your **purchased standards**, you get:
+The Security Controls MCP Server includes 1,451 free SCF controls that map across 28 frameworks. When you add purchased standards:
 
-- ✅ **Official text** from your licensed copies
-- ✅ **Full clauses** with page numbers
-- ✅ **Enhanced SCF queries** showing both SCF descriptions AND official requirements
-- ✅ **Framework mapping** with real standard text on both sides
+- Get official text from your licensed copies
+- See full clauses with page numbers
+- Enhanced queries showing both SCF descriptions and official requirements
+- Framework mapping with real standard text on both sides
 
-**Your paid content stays private** - it's stored locally in `~/.security-controls-mcp/` and never committed to git.
-
----
+Your paid content stays private in `~/.security-controls-mcp/` (never committed to git).
 
 ## Quick Start
 
@@ -25,17 +21,17 @@ The Security Controls MCP Server includes **1,451 free SCF controls** that map a
 pip install -e '.[import-tools]'
 ```
 
-This installs PDF extraction dependencies (pdfplumber, Pillow, Click).
+Installs PDF extraction dependencies (pdfplumber, Pillow, Click).
 
 ### 2. Purchase a Standard
 
-Buy the standard from the official source:
+Buy from official source:
 
 - **ISO 27001**: [iso.org](https://www.iso.org/standard/27001)
 - **NIST SP 800-53**: [csrc.nist.gov](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
 - **PCI DSS**: [pcisecuritystandards.org](https://www.pcisecuritystandards.org/)
 
-Download the PDF to your computer.
+Download the PDF.
 
 ### 3. Import the Standard
 
@@ -48,7 +44,7 @@ scf-mcp import-standard \
   --purchase-date "2026-01-29"
 ```
 
-**What happens:**
+What happens:
 - Extracts text from PDF
 - Detects sections and clauses (e.g., "5.1.2 Cryptographic controls")
 - Saves to `~/.security-controls-mcp/standards/iso_27001_2022/`
@@ -56,46 +52,31 @@ scf-mcp import-standard \
 
 ### 4. Restart MCP Server
 
-The server loads paid standards on startup. Restart it to see your new content.
+Restart to load the new content.
 
 ### 5. Query Your Standards
 
-Use the MCP tools in Claude:
-
 ```
 list_available_standards()
-→ Shows SCF + your ISO 27001
-
 get_control("GOV-01")
-→ Shows SCF description + ISO 27001 A.5.1 official text
-
 query_standard("iso_27001_2022", "encryption key management")
-→ Searches within your ISO 27001
-
 get_clause("iso_27001_2022", "5.1.2")
-→ Shows full text of clause 5.1.2 with page number
 ```
 
----
-
 ## Supported Standards
 
-The import tool works best with:
-
-### ✅ Well-Structured PDFs
+**Works best with:**
 - **ISO 27001/27002** - Numbered clauses, Annex A controls
 - **NIST SP 800-53** - Control families (AC-1, SC-7, etc.)
 - **PCI DSS** - Numbered requirements
 - **CIS Controls** - Numbered controls and safeguards
 
-### ⚠️ May Need Adjustments
+**May need adjustments:**
 - Scanned PDFs (poor text extraction)
 - Image-heavy documents
 - Non-standard numbering schemes
 
-**Tip:** The generic extractor uses heuristics (numbered sections like "1.2.3 Title"). It handles most standards reasonably well, but extraction quality varies by PDF.
-
----
+The generic extractor uses heuristics for numbered sections. Extraction quality varies by PDF.
 
 ## Standard IDs
 
@@ -110,14 +91,10 @@ Use these IDs for the `--type` parameter:
 | NIST CSF 2.0 | `nist_csf_2.0` | PR.DS-2 |
 | SOC 2 (TSC) | `soc_2_tsc` | CC6.1 |
 
-**Note:** IDs should match the SCF framework keys for automatic integration.
-
----
+IDs should match SCF framework keys for automatic integration.
 
 ## Directory Structure
 
-After importing, your files live here:
-
 ```
 ~/.security-controls-mcp/
 ├── config.json                     # Which standards are enabled
@@ -130,136 +107,97 @@ After importing, your files live here:
         └── full_text.json
 ```
 
-**Important:** This directory is gitignored by default. Never commit it!
-
----
+**Important:** This directory is gitignored by default. Never commit it.
 
 ## Advanced Usage
 
-### List Imported Standards
-
+**List imported standards:**
 ```bash
 scf-mcp list-standards
 ```
 
-Shows all available standards (SCF + your imports).
-
-### Re-Import (Overwrite)
-
+**Re-import (overwrite):**
 ```bash
 scf-mcp import-standard --file new-version.pdf --type iso_27001_2022 --force
 ```
 
-Overwrites existing import with new PDF.
-
-### Disable a Standard
-
+**Disable a standard:**
 Edit `~/.security-controls-mcp/config.json`:
-
 ```json
 {
   "standards": {
     "iso_27001_2022": {
-      "enabled": false,  // Change to false
+      "enabled": false,
       "path": "iso_27001_2022"
     }
   }
 }
 ```
 
-Restart server to apply.
-
-### Remove a Standard
-
+**Remove a standard:**
 ```bash
 rm -rf ~/.security-controls-mcp/standards/iso_27001_2022
 ```
-
 Then edit `config.json` to remove the entry.
 
----
-
 ## License Compliance
 
-### ⚠️ Important Restrictions
-
 **Your purchased standards are licensed for PERSONAL USE ONLY.**
 
-✅ **You MAY:**
+**You MAY:**
 - Import standards you've purchased
 - Query them via MCP for your own compliance research
 - Reference them in your work (with attribution)
 - Use get_control() to see official text alongside SCF
 
-✗ **You MAY NOT:**
+**You MAY NOT:**
 - Share extracted JSON files with others
 - Redistribute PDFs or extracted content
 - Use AI to generate policies/procedures from SCF (SCF license restriction)
 - Create derivative frameworks for distribution
 
-### Automatic Safeguards
+**Automatic safeguards:**
+- Git safety checks warn if standards directory isn't gitignored
+- Attribution on every response shows source and license info
+- Startup warnings list loaded paid standards and restrictions
+- Local-only storage - content never leaves your machine
 
-The tool includes:
-- **Git safety checks** - Warns if standards directory isn't gitignored
-- **Attribution on every response** - Shows source and license info
-- **Startup warnings** - Lists loaded paid standards and restrictions
-- **Local-only storage** - Content never leaves your machine
+**Your responsibility:**
+- Purchase standards from authorized sources
+- Comply with your purchase agreement
+- Don't redistribute content
+- Consult legal counsel for compliance questions
 
-### Your Responsibility
-
-**You are responsible for:**
-- Purchasing standards from authorized sources
-- Complying with your purchase agreement
-- Not redistributing content
-- Consulting legal counsel for compliance questions
-
-**This tool facilitates querying - it doesn't grant licenses.**
-
----
+This tool facilitates querying - it doesn't grant licenses.
 
 ## Troubleshooting
 
-### "No text extracted from PDF"
-
-**Cause:** PDF is scanned or image-based.
-
-**Solution:** The PDF needs searchable text. Try:
-1. Check if PDF has selectable text (not just images)
-2. Use OCR software to create searchable version
-3. Purchase a different format (Word, HTML) if available
-
-### "Warning: standards directory not gitignored"
-
-**Cause:** You're in a git repo and the standards directory could be committed.
+**"No text extracted from PDF"**
+- PDF is scanned or image-based
+- Check if PDF has selectable text
+- Use OCR software to create searchable version
+- Purchase different format (Word, HTML) if available
 
-**Solution:**
+**"Warning: standards directory not gitignored"**
 ```bash
 echo ".security-controls-mcp/" >> .gitignore
 git add .gitignore
 git commit -m "Gitignore paid standards directory"
 ```
 
-### "Section detection found 0 sections"
-
-**Cause:** PDF doesn't match expected numbering patterns.
-
-**Solution:**
+**"Section detection found 0 sections"**
+- PDF doesn't match expected numbering patterns
 - Check if PDF uses standard numbering (1, 1.2, 1.2.3)
-- The extractor looks for patterns like "5.1.2 Title"
-- Contact us if you need help with a specific standard format
-
-### "Standard 'xyz' not found" after import
-
-**Cause:** MCP server hasn't reloaded.
+- Extractor looks for patterns like "5.1.2 Title"
+- Contact us for help with specific standard formats
 
-**Solution:** Restart your MCP server to load new standards.
-
----
+**"Standard 'xyz' not found" after import**
+- MCP server hasn't reloaded
+- Restart your MCP server to load new standards
 
 ## Examples
 
-### Complete Workflow: ISO 27001
-
+**Complete workflow:**
 ```bash
 # 1. Buy ISO 27001 from ISO.org (download PDF)
 
@@ -272,8 +210,7 @@ scf-mcp import-standard \
   --type iso_27001_2022 \
   --title "ISO/IEC 27001:2022" \
   --purchased-from "ISO.org" \
-  --purchase-date "2026-01-29" \
-  --version "2022"
+  --purchase-date "2026-01-29"
 
 # 4. Restart MCP server
 
@@ -283,38 +220,13 @@ scf-mcp import-standard \
 #    "Map ISO 27001 to DORA with official text"
 ```
 
-### Query Examples
-
-**Get SCF control with official text:**
-```
-User: Get control GOV-01
-Claude: [Shows SCF description]
-        [Shows ISO 27001 A.5.1 official text with page number]
-```
-
-**Search within your standard:**
-```
-User: Search for "encryption key management" in ISO 27001
-Claude: [Shows matching clauses with page numbers]
-```
-
-**Framework mapping with official text:**
-```
-User: Map ISO 27001 to DORA
-Claude: [Shows SCF mapping]
-        [Shows ISO 27001 A.5.15 official text]
-        [Shows DORA Article 9 official text if you have it]
-```
-
----
-
 ## FAQ
 
 **Q: How many standards can I import?**
 A: Unlimited. Each standard you purchase can be imported.
 
 **Q: Do I need to keep the original PDF?**
-A: No, after import you can delete it. The extracted JSON has everything.
+A: No, after import you can delete it.
 
 **Q: Can I share my imported standards with my team?**
 A: No. Each person must purchase and import their own licensed copy.
@@ -323,18 +235,15 @@ A: No. Each person must purchase and import their own licensed copy.
 A: Maybe. If it's in PDF with numbered sections, the generic extractor might work. Contact us for custom extractors.
 
 **Q: What if extraction quality is poor?**
-A: You can manually edit `~/.security-controls-mcp/standards/xyz/full_text.json` to fix issues.
+A: You can manually edit `~/.security-controls-mcp/standards/xyz/full_text.json`.
 
 **Q: Does this replace the official standard document?**
-A: No. This tool is for research and queries. Always refer to the official published standard for authoritative guidance.
-
----
+A: No. This tool is for research. Always refer to the official published standard for authoritative guidance.
 
 ## Getting Help
 
 - **Issues:** [GitHub Issues](https://github.com/Ansvar-Systems/security-controls-mcp/issues)
 - **Email:** hello@ansvar.eu
-- **Documentation:** [README.md](README.md)
 
 ---
 

security_controls_mcp-0.3.3/PKG-INFO

@@ -0,0 +1,288 @@
+Metadata-Version: 2.4
+Name: security-controls-mcp
+Version: 0.3.3
+Summary: MCP server for querying security framework controls (SCF) - map between ISO 27001, NIST CSF, DORA, PCI DSS, and more
+Author-email: Ansvar Systems <hello@ansvar.eu>
+License-Expression: Apache-2.0
+Project-URL: Homepage, https://github.com/Ansvar-Systems/security-controls-mcp
+Project-URL: Repository, https://github.com/Ansvar-Systems/security-controls-mcp
+Project-URL: Issues, https://github.com/Ansvar-Systems/security-controls-mcp/issues
+Keywords: mcp,security,compliance,iso27001,nist,dora,pci-dss
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+License-File: LICENSE-DATA.md
+Requires-Dist: mcp>=0.9.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=0.21.0; extra == "dev"
+Requires-Dist: black>=23.0.0; extra == "dev"
+Requires-Dist: ruff>=0.1.0; extra == "dev"
+Requires-Dist: pre-commit>=3.0.0; extra == "dev"
+Provides-Extra: import-tools
+Requires-Dist: pdfplumber>=0.11.0; extra == "import-tools"
+Requires-Dist: Pillow>=10.0.0; extra == "import-tools"
+Requires-Dist: click>=8.0.0; extra == "import-tools"
+Dynamic: license-file
+
+# Security Controls MCP Server
+
+[![MCP](https://img.shields.io/badge/MCP-0.9.0+-blue.svg)](https://modelcontextprotocol.io)
+[![Python](https://img.shields.io/badge/Python-3.10+-blue.svg)](https://www.python.org)
+[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](LICENSE)
+[![SCF](https://img.shields.io/badge/SCF-2025.4-orange.svg)](https://securecontrolsframework.com/)
+
+## Overview
+
+Universal translator for security frameworks. Makes 1,451 security controls across 28 frameworks searchable and AI-accessible through Claude, Cursor, or any MCP-compatible client.
+
+Built on the [Secure Controls Framework (SCF)](https://securecontrolsframework.com/) by ComplianceForge.
+
+**Key capabilities:**
+- 1,451 security controls across governance, risk, compliance, and technical domains
+- 28 major frameworks including ISO 27001, NIST CSF, DORA, PCI DSS, CMMC, and more
+- Bidirectional mapping between frameworks via SCF rosetta stone
+- Optional integration with purchased standards (ISO, NIST 800-53) for official text
+- Full-text search across all control descriptions
+- Natural language queries instead of framework-specific IDs
+
+## Why This Exists
+
+Different frameworks describe the same security measures in different ways. ISO 27001 has one control ID, NIST CSF has another, PCI DSS has yet another — but they're all talking about the same thing.
+
+This MCP server provides instant bidirectional mapping between any two frameworks via the SCF rosetta stone. Ask Claude "What DORA controls does ISO 27001 A.5.15 map to?" and get an immediate answer backed by ComplianceForge's framework database.
+
+## Installation
+
+```bash
+# Using pipx (recommended)
+pipx install security-controls-mcp
+
+# Using pip
+pip install security-controls-mcp
+
+# From source
+git clone https://github.com/Ansvar-Systems/security-controls-mcp.git
+cd security-controls-mcp
+pip install -e .
+```
+
+**Requirements:** Python 3.10+
+
+### Claude Desktop Configuration
+
+Add to `claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "security-controls": {
+      "command": "scf-mcp"
+    }
+  }
+}
+```
+
+**Config location:**
+- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
+- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
+
+### Cursor / VS Code
+
+Same configuration under `"mcp.servers"` in your settings.
+
+## Example Queries
+
+- "What does GOV-01 require?"
+- "Search for controls about encryption key management"
+- "What ISO 27001 controls map to DORA?"
+- "List all controls needed for PCI DSS compliance"
+- "Which DORA requirements does ISO 27001 A.5.15 satisfy?"
+- "Show me all NIST CSF 2.0 controls related to incident response"
+
+## Available Frameworks (28)
+
+- **US Government:** NIST 800-53 (777), NIST CSF 2.0 (253), FedRAMP (343), CMMC 2.0 (198/52)
+- **International Standards:** ISO 27001 (51), ISO 27002 (316), CIS CSC v8.1 (234)
+- **US Industry:** PCI DSS v4.0.1 (364), SOC 2 (412), HIPAA (136)
+- **APAC:** Australia Essential Eight (37), Australia ISM (336), Singapore MAS TRM (214)
+- **EU Regulations:** GDPR (42), DORA (103), NIS2 (68)
+- **UK Standards:** NCSC CAF 4.0 (67), Cyber Essentials (26)
+- **European National:** Netherlands (27), Norway (23), Sweden (25), Germany (18/91/239)
+- **Financial:** SWIFT CSCF 2023 (127)
+- **Cloud:** CSA CCM v4 (334)
+
+## Tools
+
+### Core Tools
+
+**`list_frameworks()`** - List all 28 frameworks with control counts
+
+**`get_control(control_id)`** - Get full details for a specific SCF control
+- Returns description, domain, weight, PPTDF category, and mappings to all 28 frameworks
+
+**`search_controls(query, frameworks=[], limit=10)`** - Search controls by keyword
+- Optional framework filtering
+- Full-text search across names and descriptions
+
+**`get_framework_controls(framework)`** - Get all controls for a specific framework
+- Returns controls organized by domain
+
+**`map_frameworks(source_framework, target_framework, source_control=None)`** - Map between frameworks
+- Bidirectional mapping via SCF
+- Optional filtering to specific source control
+
+### Purchased Standards Tools
+
+**`list_available_standards()`** - List all available standards (SCF + imported)
+
+**`query_standard(standard, query, limit=10)`** - Search within purchased standard
+- Requires import first
+- Returns clauses with page numbers
+
+**`get_clause(standard, clause_id)`** - Get full text of specific clause
+- Requires import first
+
+See [PAID_STANDARDS_GUIDE.md](PAID_STANDARDS_GUIDE.md) for import instructions.
+
+## Add Purchased Standards (Optional)
+
+Import your purchased ISO 27001, NIST SP 800-53, or other standards to get official text alongside SCF descriptions:
+
+```bash
+# Install import tools
+pip install -e '.[import-tools]'
+
+# Import purchased PDF
+scf-mcp import-standard \
+  --file ~/Downloads/ISO-27001-2022.pdf \
+  --type iso_27001_2022 \
+  --title "ISO/IEC 27001:2022"
+
+# Restart MCP, then query
+```
+
+Your paid content stays private in `~/.security-controls-mcp/` (never committed to git).
+
+Full guide: [PAID_STANDARDS_GUIDE.md](PAID_STANDARDS_GUIDE.md)
+
+## Technical Architecture
+
+**Data Pipeline:**
+SCF JSON → In-memory index → MCP tools → AI response
+
+**Key principles:**
+- All control text returns verbatim from SCF source with zero LLM paraphrasing
+- Framework mappings use ComplianceForge's authoritative crosswalks
+- Optional purchased standards stored locally (never committed)
+- Search results optimized for AI context windows
+
+**Data integrity:**
+- SCF version locked to 2025.4 for consistency
+- All mappings sourced from official SCF framework crosswalks
+- User-imported standards require valid licenses
+
+## Data Source
+
+Based on **SCF 2025.4** (released December 29, 2025)
+
+- 1,451 controls across all domains
+- 580+ framework mappings (28 frameworks)
+- Licensed under Creative Commons (data)
+- Source: [ComplianceForge SCF](https://securecontrolsframework.com/)
+
+**Included data files:**
+- `scf-controls.json` - All 1,451 controls with framework mappings
+- `framework-to-scf.json` - Reverse index for framework-to-SCF lookups
+
+## Related Projects
+
+Part of **Ansvar's Compliance Suite** - MCP servers that work together for end-to-end compliance:
+
+**EU Regulations MCP** - Query 47 EU regulations (GDPR, AI Act, DORA, NIS2, etc.)
+- `npx @ansvar/eu-regulations-mcp`
+- [github.com/Ansvar-Systems/EU_compliance_MCP](https://github.com/Ansvar-Systems/EU_compliance_MCP)
+
+**US Regulations MCP** - Query US federal and state compliance laws (HIPAA, CCPA, SOX, etc.)
+- `npm install @ansvar/us-regulations-mcp`
+- [github.com/Ansvar-Systems/US_Compliance_MCP](https://github.com/Ansvar-Systems/US_Compliance_MCP)
+
+**OT Security MCP** - Query IEC 62443, NIST 800-82/53, MITRE ATT&CK for ICS
+- `npm install @ansvar/ot-security-mcp`
+- [github.com/Ansvar-Systems/ot-security-mcp](https://github.com/Ansvar-Systems/ot-security-mcp)
+
+### Workflow Example
+
+```
+1. "What DORA requirements apply to ICT risk management?"
+   → EU Regulations MCP returns Article 6 full text
+
+2. "What security controls satisfy DORA Article 6?"
+   → Security Controls MCP maps to ISO 27001, NIST CSF controls
+
+3. "Show me ISO 27001 A.8.1 implementation details"
+   → Security Controls MCP returns control requirements
+```
+
+## Development
+
+```bash
+# Clone and install
+git clone https://github.com/Ansvar-Systems/security-controls-mcp.git
+cd security-controls-mcp
+pip install -e '.[dev]'
+
+# Install pre-commit hooks
+pre-commit install
+
+# Run tests
+pytest tests/ -v
+```
+
+Pre-commit hooks run automatically before each commit:
+- Code formatting (black, ruff)
+- Linting (ruff check, YAML/JSON validation)
+- Tests (pytest, smoke tests, server startup)
+
+Bypass hooks (emergencies only): `git commit --no-verify`
+
+## Important Disclaimers
+
+**Not Legal or Compliance Advice:** Control text is sourced directly from official SCF data, but this tool should not be used as the sole basis for compliance decisions. Always verify against official framework sources and consult qualified compliance professionals.
+
+**AI Content Restrictions:** The SCF license explicitly prohibits using AI systems to generate derivative content such as policies, standards, procedures, metrics, risks, or threats based on SCF data. You may query and analyze controls, but not generate derivative compliance artifacts.
+
+**Purchased Standards:** Optional standards imports require valid licenses. You must own legitimate copies and comply with copyright restrictions. This tool does not include or distribute any copyrighted standards text.
+
+**Framework Coverage:** While SCF provides comprehensive mappings, not all controls map 1:1 across frameworks. Always review official framework documentation for authoritative requirements.
+
+## License
+
+**Code:** Apache License 2.0 (see [LICENSE](LICENSE))
+
+**Data:** Creative Commons Attribution-NoDerivatives 4.0 International (CC BY-ND 4.0) by ComplianceForge
+- Source: [Secure Controls Framework (SCF)](https://securecontrolsframework.com/)
+- Version: SCF 2025.4 (December 29, 2025)
+
+**What you MAY do:**
+- Query and analyze SCF controls
+- Map between frameworks
+- Reference controls in your own work (with attribution)
+- Use this MCP server to understand control requirements
+
+**What you MAY NOT do:**
+- Use AI to generate policies or procedures based on SCF controls
+- Create derivative frameworks or modified versions for distribution
+- Remove or modify control definitions
+
+For complete terms: [SCF Terms & Conditions](https://securecontrolsframework.com/terms-conditions/)
+
+---
+
+**Built by:** [Ansvar Systems](https://ansvar.eu) (Stockholm, Sweden)