UNPKG

framework-mcp

Version:

Dual-architecture server (MCP + HTTP API) for determining vendor tool capability roles against CIS Controls Framework. Supports Microsoft Copilot custom connectors and DigitalOcean App Services deployment.

github.com/therealcybermattlee/FrameworkMCP

therealcybermattlee/FrameworkMCP

101 lines (90 loc) ā€¢ 4.93 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/usr/bin/env node /** * Test the updated capability-focused language in user-facing messages */ console.log("šŸ“ CAPABILITY-FOCUSED LANGUAGE UPDATE VALIDATION\n"); const languageUpdates = [ { category: "šŸ”§ Tool Descriptions", updates: [ "analyze_vendor_response: 'Analyze a vendor response to determine their tool capability role'", "validate_coverage_claim: 'Validate a vendor's implementation capability claim (FULL/PARTIAL)'", "validate_vendor_mapping: 'Validate whether a vendor's claimed capability role is supported by evidence'" ] }, { category: "šŸ“Š Parameter Descriptions", updates: [ "response_text: 'Vendor response text describing their tool capabilities for the safeguard'", "claimed_capability: 'Vendor's claimed capability role: full (complete implementation), partial (limited implementation), facilitates (enables/enhances), governance (policies/processes), validates (evidence/reporting)'", "supporting_text: 'Vendor's supporting evidence explaining how their tool fulfills the claimed capability role'" ] }, { category: "šŸ·ļø Domain Validation Messages", updates: [ "Required tool types for FULL/PARTIAL implementation capability (not coverage)", "Domain mismatch reasoning uses 'implementation capability' instead of 'coverage'", "Auto-downgrade messages focus on capability roles rather than compliance percentages" ] }, { category: "šŸ“‹ Validation Feedback", updates: [ "FULL/PARTIAL implementation capability claims (not coverage claims)", "Capability role validation instead of compliance scoring", "Evidence alignment with claimed capability role", "Strengths/gaps identified in capability evidence quality" ] }, { category: "šŸŽÆ Core Terminology Changes", changes: [ "āŒ 'Coverage claim' ā†’ āœ… 'Implementation capability claim'", "āŒ 'Compliance validation' ā†’ āœ… 'Validation reporting'", "āŒ 'Element coverage scoring' ā†’ āœ… 'Capability role assessment'", "āŒ 'Vendor coverage' ā†’ āœ… 'Vendor capabilities'", "āŒ 'Capability mapping' ā†’ āœ… 'Capability role'" ] } ]; console.log("šŸ“ˆ LANGUAGE TRANSFORMATION SUMMARY"); console.log("=" .repeat(70)); languageUpdates.forEach((update, i) => { console.log(`\n${i + 1}. ${update.category}`); console.log("-".repeat(50)); if (update.updates) { update.updates.forEach(item => { console.log(` ā€¢ ${item}`); }); } if (update.changes) { update.changes.forEach(change => { console.log(` ${change}`); }); } }); console.log("\nšŸŽÆ CAPABILITY ROLE TAXONOMY (User-Facing):"); console.log("ā”Œā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”¬ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”"); console.log("ā”‚ Capability Role ā”‚ Description ā”‚"); console.log("ā”œā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”¼ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”¤"); console.log("ā”‚ FULL ā”‚ Complete implementation of safeguard ā”‚"); console.log("ā”‚ PARTIAL ā”‚ Limited scope implementation of safeguard ā”‚"); console.log("ā”‚ FACILITATES ā”‚ Enables/enhances others' implementation ā”‚"); console.log("ā”‚ GOVERNANCE ā”‚ Provides policies/processes/oversight ā”‚"); console.log("ā”‚ VALIDATES ā”‚ Provides evidence/audit/reporting ā”‚"); console.log("ā””ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”“ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”˜"); console.log("\nāœ… PARADIGM SHIFT COMPLETION:"); console.log("šŸ”„ FROM: 'How much compliance coverage does this vendor provide?'"); console.log("šŸŽÆ TO: 'What capability role does this vendor tool play?'"); console.log("\nšŸ“Š MESSAGING IMPACT:"); console.log("ā€¢ Tool descriptions clearly explain capability role determination"); console.log("ā€¢ Parameter descriptions emphasize evidence-based validation"); console.log("ā€¢ Domain validation messages focus on appropriate tool types"); console.log("ā€¢ Validation feedback emphasizes capability role alignment"); console.log("ā€¢ All user-facing text uses capability-focused terminology"); console.log("\nšŸš€ CAPABILITY-FOCUSED LANGUAGE IMPLEMENTATION COMPLETE!"); console.log("šŸ“ All user-facing messages now reflect the tool's true purpose:") console.log(" šŸ”§ Categorizing vendor tools by their actual capability roles") console.log(" šŸ›”ļø Preventing inappropriate implementation claims") console.log(" šŸ“ˆ Enabling realistic capability planning and vendor selection");