{"id":46082878,"url":"https://github.com/markac007/mcp-server-scf","last_synced_at":"2026-04-18T17:12:20.700Z","repository":{"id":339379220,"uuid":"1161648508","full_name":"MarkAC007/mcp-server-scf","owner":"MarkAC007","description":"MCP server for SCF Controls Platform — security compliance controls, frameworks, evidence, and risk management for AI agents","archived":false,"fork":false,"pushed_at":"2026-03-27T18:18:55.000Z","size":151,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-27T22:53:23.150Z","etag":null,"topics":["ai-agent","claude","compliance","fedramp","grc","iso-27001","mcp","model-context-protocol","nist","risk-management","scf","security","soc-2"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MarkAC007.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-19T10:59:36.000Z","updated_at":"2026-03-27T18:18:43.000Z","dependencies_parsed_at":"2026-02-19T16:01:15.074Z","dependency_job_id":null,"html_url":"https://github.com/MarkAC007/mcp-server-scf","commit_stats":null,"previous_names":["markac007/mcp-server-scf"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/MarkAC007/mcp-server-scf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkAC007%2Fmcp-server-scf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkAC007%2Fmcp-server-scf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkAC007%2Fmcp-server-scf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkAC007%2Fmcp-server-scf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MarkAC007","download_url":"https://codeload.github.com/MarkAC007/mcp-server-scf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkAC007%2Fmcp-server-scf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31567274,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-08T14:31:17.711Z","status":"ssl_error","status_checked_at":"2026-04-08T14:31:17.202Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agent","claude","compliance","fedramp","grc","iso-27001","mcp","model-context-protocol","nist","risk-management","scf","security","soc-2"],"created_at":"2026-03-01T16:09:01.110Z","updated_at":"2026-04-08T18:05:42.757Z","avatar_url":"https://github.com/MarkAC007.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# mcp-server-scf\n\n\u003c!-- Build \u0026 Security --\u003e\n[![CI](https://github.com/MarkAC007/mcp-server-scf/actions/workflows/ci.yml/badge.svg)](https://github.com/MarkAC007/mcp-server-scf/actions/workflows/ci.yml)\n[![Security](https://github.com/MarkAC007/mcp-server-scf/actions/workflows/security.yml/badge.svg)](https://github.com/MarkAC007/mcp-server-scf/actions/workflows/security.yml)\n\n\u003c!-- Package \u0026 License --\u003e\n[![npm version](https://img.shields.io/npm/v/mcp-server-scf.svg)](https://www.npmjs.com/package/mcp-server-scf)\n[![npm downloads](https://img.shields.io/npm/dm/mcp-server-scf)](https://www.npmjs.com/package/mcp-server-scf)\n[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)\n[![MCP](https://img.shields.io/badge/MCP-compatible-green.svg)](https://modelcontextprotocol.io)\n\n\u003c!-- Tech Stack --\u003e\n![TypeScript](https://img.shields.io/badge/TypeScript-5-blue?logo=typescript\u0026logoColor=white)\n![Node.js](https://img.shields.io/badge/node-%3E%3D18-brightgreen?logo=node.js\u0026logoColor=white)\n\n**Security compliance controls, frameworks, and risk management for AI agents.**\n\nGive your AI assistant access to 1,451 SCF security controls, 354+ framework mappings (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR), evidence tracking, risk registers, and vendor risk management — all through the [Model Context Protocol](https://modelcontextprotocol.io).\n\nBuilt and maintained by [ComplianceGenie.io](https://compliancegenie.io) | Platform: [SCF Controls Platform](https://scfcontrolsplatform.com/)\n\n---\n\n## Overview\n\n`mcp-server-scf` connects AI assistants to the [SCF Controls Platform](https://scfcontrolsplatform.com/) via MCP, enabling natural language interaction with your compliance program. Your AI can browse the full SCF control catalog, track implementation progress, manage evidence collection, assess risks, and monitor third-party vendors — all without leaving your editor or chat.\n\n**38 tools** across 7 domains:\n\n| Domain | Tools | Description |\n|--------|-------|-------------|\n| [Catalog](#catalog-reference-data) | 6 | Browse 1,451 controls, 354+ frameworks, 5,736 assessment objectives |\n| [Control Scoping](#control-scoping) | 6 | Track implementation status across an 8-state workflow |\n| [Evidence](#evidence-collection) | 4 | Manage evidence collection and maturity scoring |\n| [Risk Management](#risk-management) | 5 | 5x5 risk matrix, risk register, severity summaries |\n| [Vendor Risk (TPRM)](#vendor-risk-tprm) | 7 | Vendor registry, AI-powered security research, DPSIA |\n| [Organization](#organization--platform) | 7 | Users, orgs, audit trail, work queue, notifications |\n| [Capabilities](#capabilities--systems) | 4 | KSI capability themes, systems inventory |\n\n---\n\n## Quick Start\n\n### Getting an API Key\n\n1. Sign up at [scfcontrolsplatform.com](https://scfcontrolsplatform.com/)\n2. Go to **Settings \u003e API Keys**\n3. Click **Generate New Key**\n4. Copy the key (shown once) — it starts with `scf_`\n\n### Claude Desktop\n\nAdd to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\\Claude\\claude_desktop_config.json` (Windows):\n\n```json\n{\n  \"mcpServers\": {\n    \"scf\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"mcp-server-scf\"],\n      \"env\": {\n        \"SCF_API_KEY\": \"scf_your_api_key_here\",\n        \"SCF_API_URL\": \"https://eu.scfcontrolsplatform.app\"\n      }\n    }\n  }\n}\n```\n\n### Claude Code\n\n```bash\nclaude mcp add scf -- npx -y mcp-server-scf\n```\n\nThen set environment variables in your shell:\n\n```bash\nexport SCF_API_KEY=\"scf_your_api_key_here\"\nexport SCF_API_URL=\"https://eu.scfcontrolsplatform.app\"\n```\n\n### Cursor / Windsurf\n\nAdd to your MCP config (`.cursor/mcp.json` or equivalent):\n\n```json\n{\n  \"mcpServers\": {\n    \"scf\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"mcp-server-scf\"],\n      \"env\": {\n        \"SCF_API_KEY\": \"scf_your_api_key_here\",\n        \"SCF_API_URL\": \"https://eu.scfcontrolsplatform.app\"\n      }\n    }\n  }\n}\n```\n\n### Docker\n\n```json\n{\n  \"mcpServers\": {\n    \"scf\": {\n      \"command\": \"docker\",\n      \"args\": [\"run\", \"-i\", \"--rm\", \"-e\", \"SCF_API_KEY\", \"markac007/mcp-server-scf\"],\n      \"env\": {\n        \"SCF_API_KEY\": \"scf_your_api_key_here\"\n      }\n    }\n  }\n}\n```\n\n---\n\n## Configuration\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `SCF_API_KEY` | Yes | — | Your SCF platform API key (starts with `scf_`) |\n| `SCF_API_URL` | No | `https://eu.scfcontrolsplatform.app` | Platform API endpoint |\n\n---\n\n## Tools\n\n### Catalog (Reference Data)\n\nRead-only access to the full SCF control catalog — 1,451 controls, 354+ frameworks, 272 evidence types, and 5,736 assessment objectives.\n\n#### `list_controls`\n\nList SCF security controls with search, domain, and framework filters.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `search` | string | No | Search by control title or description |\n| `domain` | string | No | Filter by domain identifier (e.g., `GOV`, `AST`, `IAC`) |\n| `framework` | string | No | Filter by framework (e.g., `nist-800-53`, `iso-27001`) |\n| `limit` | number | No | Results to return (default: 25, max: 100) |\n| `offset` | number | No | Results to skip for pagination (default: 0) |\n\n#### `get_control`\n\nGet detailed information about a specific SCF control including description, mapped frameworks, assessment objectives, and linked evidence items.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `scf_id` | string | Yes | SCF control identifier (e.g., `AST-01`, `IAC-15`, `GOV-02`) |\n\n#### `list_frameworks`\n\nList all 354+ compliance frameworks mapped in the SCF catalog (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR, and more).\n\n*No parameters.*\n\n#### `list_domains`\n\nList all compliance domains in the SCF taxonomy. Domains group related security controls (e.g., GOV = Governance, AST = Asset Management, IAC = Identity \u0026 Access Control).\n\n*No parameters.*\n\n#### `list_evidence_catalog`\n\nList the 272 standard evidence types from the SCF reference catalog that can be collected to demonstrate control implementation.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `search` | string | No | Search by evidence title or description |\n| `limit` | number | No | Results to return (default: 25, max: 100) |\n| `offset` | number | No | Results to skip for pagination (default: 0) |\n\n#### `list_assessment_objectives`\n\nList the 5,736 assessment test criteria used to evaluate control implementation. Can filter by specific control ID.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `control_id` | string | No | Filter by SCF control ID (e.g., `GOV-01`, `AST-02`) |\n| `search` | string | No | Search term to filter objectives |\n| `limit` | number | No | Results to return (default: 25, max: 100) |\n| `offset` | number | No | Results to skip for pagination (default: 0) |\n\n---\n\n### Control Scoping\n\nTrack implementation status of controls scoped to your organization. Supports an 8-state workflow: `not_started`, `in_progress`, `implemented`, `ready_for_review`, `monitored`, `not_applicable`, `at_risk`, `deferred`.\n\n#### `list_scoped_controls`\n\nList controls scoped to your organization with implementation status. Supports filtering by status, domain, framework, and search.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) — use `list_organizations` to find |\n| `scope_status` | string | No | Filter by status: `not_started`, `in_progress`, `implemented`, `ready_for_review`, `monitored`, `not_applicable`, `at_risk`, `deferred` |\n| `domain` | string | No | Filter by SCF domain (e.g., `GOV`, `AST`, `IAC`) |\n| `framework` | string | No | Filter by framework |\n| `search` | string | No | Search by control ID or title |\n| `limit` | number | No | Results to return (default: 25, max: 100) |\n| `offset` | number | No | Results to skip for pagination (default: 0) |\n\n#### `get_scoped_control`\n\nGet detailed implementation status of a specific scoped control, including owner, notes, evidence links, and audit history.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `scf_id` | string | Yes | SCF control identifier (e.g., `AST-01`, `GOV-02`) |\n\n#### `update_scoped_control`\n\nUpdate a scoped control's implementation tracking fields. Only provided fields are updated.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `scf_id` | string | Yes | SCF control identifier (e.g., `AST-01`, `GOV-02`) |\n| `implementation_status` | string | No | New status (lowercase): `not_started`, `in_progress`, `implemented`, `ready_for_review`, `monitored`, `not_applicable`, `at_risk`, `deferred` |\n| `priority` | string | No | Priority: `high`, `medium`, `low` |\n| `maturity_level` | string | No | Control maturity level |\n| `owner` | string | No | Control owner (person accountable) |\n| `assigned_to` | string | No | Assignee (person responsible for implementation) |\n| `implementation_notes` | string | No | Implementation notes and context |\n| `target_date` | string | No | Target completion date (`YYYY-MM-DD`) |\n| `completion_date` | string | No | Actual completion date (`YYYY-MM-DD`) |\n| `selection_reason` | string | No | Justification for status (required for `not_applicable`, `deferred`) |\n\n#### `get_scoping_stats`\n\nGet implementation statistics — counts by status, completion percentage, and framework coverage breakdown.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n#### `scope_framework`\n\nBulk-scope all controls from a framework to your organization. Creates scoped control entries for every control in the selected framework.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `framework_id` | string | Yes | Framework ID to scope (e.g., `nist-800-53-r5`) |\n\n#### `batch_update_controls`\n\nBatch update up to 500 scoped controls in a single transaction.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `operations` | array | Yes | Array of update operations (max 500). Each operation: |\n\nEach operation in the `operations` array accepts:\n\n| Field | Type | Required | Description |\n|-------|------|----------|-------------|\n| `scf_id` | string | Yes | SCF control identifier (e.g., `AST-01`) |\n| `selected` | boolean | No | Whether the control is in scope |\n| `implementation_status` | string | No | Implementation status (lowercase) |\n| `selection_reason` | string | No | Justification for selection or status |\n| `priority` | string | No | Implementation priority |\n| `owner` | string | No | Control owner |\n| `assigned_to` | string | No | Assignee |\n| `maturity_level` | string | No | Control maturity level |\n| `target_date` | string | No | Target date (`YYYY-MM-DD`) |\n| `completion_date` | string | No | Completion date (`YYYY-MM-DD`) |\n| `implementation_notes` | string | No | Implementation notes |\n\n---\n\n### Evidence Collection\n\nTrack evidence artifacts that demonstrate control implementation for audit readiness.\n\n#### `list_evidence`\n\nList evidence items tracked for an organization's controls.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `system_id` | string | No | Filter by system ID |\n\n#### `create_evidence`\n\nCreate a new evidence item linked to a control.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `title` | string | Yes | Evidence title |\n| `control_id` | string | No | Scoped control ID to link evidence to |\n| `description` | string | No | Evidence description |\n| `evidence_type` | string | No | Type: `document`, `screenshot`, `log`, etc. |\n\n#### `get_evidence_maturity`\n\nGet evidence maturity summary — average maturity score, automation percentage, distribution by maturity level, and improvement opportunities.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n#### `list_evidence_tasks`\n\nList evidence collection tasks — the work queue for gathering evidence. Shows what needs to be collected, by whom, and by when.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | No | Organization ID (UUID) |\n| `assignee` | string | No | Filter by assigned user |\n| `status` | string | No | Filter by task status |\n\n---\n\n### Risk Management\n\n5x5 risk matrix with inherent and residual scoring, treatment tracking, and severity summaries.\n\n#### `list_risks`\n\nList risk assessments in the organization's risk register.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `status` | string | No | Filter by treatment status |\n| `page` | number | No | Page number (default: 1) |\n| `per_page` | number | No | Results per page (default: 25, max: 100) |\n\n#### `get_risk`\n\nGet detailed risk assessment including inherent and residual scores, treatment plan, owner, and review date.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `risk_id` | string | Yes | Risk assessment ID |\n\n#### `create_risk`\n\nCreate a new risk assessment in the 5x5 risk matrix.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `title` | string | Yes | Risk title |\n| `description` | string | Yes | Risk description |\n| `likelihood` | number | Yes | Inherent likelihood (1-5) |\n| `impact` | number | Yes | Inherent impact (1-5) |\n| `owner` | string | No | Risk owner |\n| `treatment_status` | string | No | Treatment: `mitigate`, `accept`, `transfer`, `avoid` |\n| `control_id` | string | No | Linked control ID |\n\n#### `get_risk_matrix`\n\nGet the 5x5 risk matrix visualization data showing risk distribution across likelihood and impact.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n#### `get_risk_summary`\n\nGet aggregated risk summary — total risks by severity, treatment status breakdown, and trend data.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n---\n\n### Vendor Risk (TPRM)\n\nThird-party risk management with AI-powered security research, breach detection, and data protection impact assessments.\n\n#### `list_vendors`\n\nList vendors in the TPRM registry with status and criticality filters.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `status` | string | No | Filter: `active`, `inactive`, `under_review` |\n| `criticality` | string | No | Filter: `critical`, `high`, `medium`, `low` |\n| `page` | number | No | Page number (default: 1) |\n| `per_page` | number | No | Results per page (default: 25, max: 100) |\n\n#### `get_vendor`\n\nGet detailed vendor information including certifications, assessments, risk score, and research results.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `vendor_id` | string | Yes | Vendor ID |\n\n#### `create_vendor`\n\nAdd a new vendor to the TPRM registry.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `name` | string | Yes | Vendor name |\n| `description` | string | No | Vendor description |\n| `category` | string | No | Category: `SaaS`, `Infrastructure`, `Consulting`, etc. |\n| `criticality` | string | No | Criticality: `critical`, `high`, `medium` (default), `low` |\n| `website` | string | No | Vendor website URL |\n| `contact_email` | string | No | Primary contact email |\n\n#### `trigger_vendor_research`\n\nTrigger AI-powered security research for a vendor — checks HIBP (breach databases), NVD (vulnerability databases), and public security posture.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `vendor_id` | string | Yes | Vendor ID |\n\n#### `get_vendor_research`\n\nGet the latest AI-powered research results for a vendor, including breach history, known vulnerabilities, and security posture analysis.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `vendor_id` | string | Yes | Vendor ID |\n\n#### `trigger_dpsia`\n\nTrigger a Data Protection Security Impact Assessment (DPSIA) for a vendor. Evaluates security posture against CIA triad and certification requirements.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `vendor_id` | string | Yes | Vendor ID |\n\n---\n\n### Organization \u0026 Platform\n\nUser management, audit trail, work queue, and notifications.\n\n#### `get_current_user`\n\nGet the current authenticated user's profile, including name, email, organizations, and role.\n\n*No parameters.*\n\n#### `list_organizations`\n\nList organizations the current user has access to. Returns org ID, name, tier, and member count.\n\n*No parameters.*\n\n#### `get_organization`\n\nGet detailed organization information including subscription tier, member count, usage limits, and settings.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n#### `list_members`\n\nList members of an organization with their roles (`admin`, `editor`, `viewer`).\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n#### `get_work_queue`\n\nGet the authenticated user's prioritized work queue — pending tasks, assignments, and action items across all organizations.\n\n*No parameters.*\n\n#### `get_audit_log`\n\nGet the field-level audit trail for an organization. Shows changes to controls, evidence, and other entities with actor, timestamp, and before/after values.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `limit` | number | No | Results to return (default: 50, max: 100) |\n| `offset` | number | No | Results to skip for pagination (default: 0) |\n\n#### `get_notifications`\n\nGet notifications for the current user — new assignments, comments, status changes, and system alerts.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `unread_only` | boolean | No | Only return unread notifications (default: false) |\n| `limit` | number | No | Notifications to return (default: 25, max: 100) |\n\n---\n\n### Capabilities \u0026 Systems\n\nKSI-aligned capability themes and infrastructure systems inventory.\n\n#### `list_capability_themes`\n\nList the 11 KSI-aligned capability themes for an organization. Capability themes group NIST 800-53 controls into security capability areas.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n#### `list_capabilities`\n\nList security capabilities mapped to systems and evidence, showing what security functions your infrastructure supports.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n#### `list_systems`\n\nList infrastructure systems in the organization's inventory.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n\n#### `create_system`\n\nAdd a system to the organization's infrastructure inventory. Systems can be linked to capabilities and evidence.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `org_id` | string | Yes | Organization ID (UUID) |\n| `name` | string | Yes | System name |\n| `system_type` | string | Yes | Type: `cloud_provider`, `identity_provider`, `ticketing`, `logging`, `security_tool`, `code_repository`, `document_management`, `custom` |\n| `description` | string | No | System description |\n| `status` | string | No | Status: `active` (default), `inactive`, `deprecated` |\n\n---\n\n## Example Prompts\n\nOnce connected, try asking your AI assistant:\n\n- \"What NIST 800-53 controls apply to access control?\"\n- \"Show me my organization's control implementation progress\"\n- \"List all critical vendors and their risk scores\"\n- \"Create a risk assessment for our cloud migration\"\n- \"What evidence do I need to collect for SOC 2 audit?\"\n- \"Show the 5x5 risk matrix for my organization\"\n- \"Scope the ISO 27001 framework for my org\"\n- \"Batch update all access control controls to in_progress\"\n- \"What's in my compliance work queue today?\"\n- \"Run a DPSIA on our cloud provider vendor\"\n\n---\n\n## Security\n\n- API keys are never logged or included in error messages\n- All communication uses HTTPS\n- Keys are SHA-256 hashed server-side\n- Rate limiting: 100 req/min (read), 20 req/min (write)\n- Multi-tenant: all operations scoped to your organization\n- npm package published with [provenance attestation](https://docs.npmjs.com/generating-provenance-statements) via OIDC trusted publishing\n- CI includes Gitleaks secret detection, CodeQL analysis, and Semgrep SAST\n\n---\n\n## Architecture\n\n```\nsrc/\n├── index.ts              # Server entry point (stdio transport)\n├── tools/\n│   ├── catalog.ts        # SCF reference data (read-only, 6 tools)\n│   ├── scoped-controls.ts # Control implementation tracking (6 tools)\n│   ├── evidence.ts       # Evidence collection (4 tools)\n│   ├── risk.ts           # Risk register (5 tools)\n│   ├── vendors.ts        # Third-party risk management (7 tools)\n│   ├── organization.ts   # Org, users, audit, notifications (7 tools)\n│   └── capabilities.ts   # KSI themes, systems (4 tools)\n└── lib/\n    ├── api-client.ts     # HTTP client with auth\n    └── errors.ts         # Structured error handling\n```\n\n---\n\n## Development\n\n```bash\ngit clone https://github.com/MarkAC007/mcp-server-scf.git\ncd mcp-server-scf\nnpm install\nnpm run build\nnpm run dev        # Watch mode\nnpm run lint       # ESLint\n```\n\n### Testing with MCP Inspector\n\n```bash\nSCF_API_KEY=scf_your_key npx @modelcontextprotocol/inspector node build/index.js\n```\n\n---\n\n## Contributing\n\nContributions welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) before submitting PRs.\n\n1. Fork the repository\n2. Create your feature branch (`git checkout -b feature/amazing-feature`)\n3. Commit your changes (`git commit -m 'Add amazing feature'`)\n4. Push to the branch (`git push origin feature/amazing-feature`)\n5. Open a Pull Request\n\n---\n\n## License\n\nMIT - see [LICENSE](LICENSE)\n\n---\n\n## Links\n\n- [SCF Controls Platform](https://scfcontrolsplatform.com/) — The compliance platform\n- [ComplianceGenie.io](https://compliancegenie.io) — Maintained by Compliance Genie\n- [Model Context Protocol](https://modelcontextprotocol.io) — MCP specification\n- [SCF Framework](https://securecontrolsframework.com) — Secure Controls Framework\n- [npm Package](https://www.npmjs.com/package/mcp-server-scf) — npm registry\n- [Changelog](CHANGELOG.md) — Release history\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarkac007%2Fmcp-server-scf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarkac007%2Fmcp-server-scf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarkac007%2Fmcp-server-scf/lists"}