Hugging Face's logo

Spaces:
MCP-1st-Birthday
/
global-compliance-mcp-server
Sleeping

App Files Community
global-compliance-mcp-server / MCP-IMPLEMENTATION.md
Deenadhayalan J
feat: Implement compliance and risk assessment DTOs and services
66cdc1e
preview code
|
raw
history blame contribute delete
9.81 kB

MCP-Compliant Implementation Summary

Global Compliance Audit MCP Server - Enhanced Documentation

Overview

This implementation provides MCP (Model Context Protocol) compliant enterprise compliance operations with comprehensive machine-readable documentation. All DTOs and service methods are fully documented to serve as schema definitions for external AI agents.

🎯 MCP Tools Implemented

1. checkRegulatoryJurisdiction

Purpose: Validates regulatory compliance for business actions across jurisdictions.

When AI Agents Call This:

  • Before recommending data processing activities
  • To validate cross-border data transfers
  • When architecting systems handling regulated data
  • To identify required legal agreements (DPAs, BCRs)

Input Schema: RegulatoryLookupInputDto

  • jurisdiction: ISO-based region code (e.g., "EU", "US-CA", "CN")
  • regulation_type: Framework identifier (e.g., "GDPR", "HIPAA", "SOX")
  • action_description: Natural language description of the proposed action

Output Schema: RegulatoryLookupOutputDto

  • is_compliant: Boolean compliance determination
  • required_mitigations: Ordered array of compliance actions needed

2. queryAuditTrail

Purpose: Retrieves historical audit logs for forensic analysis and compliance reporting.

When AI Agents Call This:

  • To investigate security incidents
  • To generate compliance reports (SOC2, ISO 27001)
  • To analyze user behavior patterns
  • To answer "who accessed what when" questions
  • To verify logging and retention compliance

Input Schema: AuditQueryInputDto

  • transaction_id (optional): UUID/identifier for specific transaction filtering
  • start_date: ISO 8601 datetime (YYYY-MM-DDTHH:mm:ss.sssZ)
  • end_date: ISO 8601 datetime (YYYY-MM-DDTHH:mm:ss.sssZ)

Output Schema: AuditQueryOutputDto

  • log_entries: Array of AuditLogEntry objects
    • timestamp: ISO 8601 activity timestamp
    • user_id: Actor identifier
    • activity_type: Standardized activity classification (DATA_ACCESS, EXPORT, DELETE, etc.)
  • total_records: Integer count of returned entries

3. calculateRiskScore

Purpose: Performs quantitative risk assessment with actionable mitigation recommendations.

When AI Agents Call This:

  • To assess risk before recommending system changes
  • To prioritize security investments
  • To determine required governance controls
  • To evaluate third-party integrations
  • To generate risk assessments for compliance frameworks

Input Schema: RiskScoreInputDto

  • process_name: Human-readable process identifier
  • data_sensitivity_level: Integer 1-5 scale
    • 1 = Public
    • 2 = Internal
    • 3 = Confidential
    • 4 = Restricted
    • 5 = Critical (PII, PHI, financial)
  • external_api_dependencies: Integer count of external integrations

Output Schema: RiskScoreOutputDto

  • risk_score: Integer 0-100 (quantitative risk)
  • risk_rating: Enum ("Low" | "Medium" | "High")
    • Low: 0-30
    • Medium: 31-60
    • High: 61-100
  • mitigation_recommendations: Ordered array of specific actions

Risk Algorithm:

risk_score = (data_sensitivity_level Γ— 15) + (external_api_dependencies Γ— 5)
capped at 100

πŸ“‚ Project Structure 

src/
β”œβ”€β”€ main.ts                          # Enhanced with logger and env config
β”œβ”€β”€ app.module.ts                    # ConfigModule integration
β”œβ”€β”€ compliance/
β”‚   β”œβ”€β”€ compliance.module.ts         # ComplianceModule definition
β”‚   β”œβ”€β”€ compliance.service.ts        # MCP-compliant service methods
β”‚   β”œβ”€β”€ compliance.controller.ts     # REST API endpoints
β”‚   └── dto/
β”‚       β”œβ”€β”€ regulatory-lookup-input.dto.ts
β”‚       β”œβ”€β”€ regulatory-lookup-output.dto.ts
β”‚       β”œβ”€β”€ audit-query-input.dto.ts
β”‚       β”œβ”€β”€ audit-query-output.dto.ts
β”‚       β”œβ”€β”€ risk-score-input.dto.ts
β”‚       └── risk-score-output.dto.ts
.env                                 # Environment configuration
.env.example                         # Example configuration template

πŸ”§ Environment Configuration

File: .env

# Application Configuration
PORT=3000
NODE_ENV=development

# Application Metadata
APP_NAME=Global Compliance Audit MCP Server
APP_VERSION=1.0.0

# API Configuration
API_PREFIX=api/v1

# Logging
LOG_LEVEL=verbose

πŸš€ REST API Endpoints

Base URL: http://localhost:3000/api/v1/mcp/compliance

Endpoint 1: Regulatory Lookup 

POST /api/v1/mcp/compliance/lookup
Content-Type: application/json

{
  "jurisdiction": "EU",
  "regulation_type": "GDPR",
  "action_description": "Transfer customer PII to US cloud provider"
}

Endpoint 2: Audit Query 

POST /api/v1/mcp/compliance/audit/query
Content-Type: application/json

{
  "start_date": "2025-01-01T00:00:00.000Z",
  "end_date": "2025-01-31T23:59:59.999Z",
  "transaction_id": "txn-12345"
}

Endpoint 3: Risk Calculation 

POST /api/v1/mcp/compliance/risk/calculate
Content-Type: application/json

{
  "process_name": "Payment Processing System",
  "data_sensitivity_level": 5,
  "external_api_dependencies": 3
}

πŸ“‹ Documentation Standards

MCP Compliance Requirements βœ…

All DTOs and service methods include:

  1. Method/Class Description

    • Clear statement of what the tool does
    • Why an AI agent would invoke it
    • Real-world use cases

  2. Parameter Descriptions

    • @param with full type information
    • Purpose and semantic meaning
    • Accepted formats (ISO 8601, patterns, enums)
    • Constraints (min/max, required/optional)
    • Examples for each field

  3. Return Descriptions

    • @returns with structured output definition
    • Field-by-field breakdown
    • Data type specifications
    • Semantic interpretation guidelines

  4. Examples

    • Multiple realistic examples
    • Success and error scenarios
    • Edge cases covered

πŸ§ͺ Testing the Server

Start the Server 

npm run start:dev

Expected Output:

[Nest] LOG [Bootstrap] πŸš€ Global Compliance Audit MCP Server is running
[Nest] LOG [Bootstrap] 🌍 Environment: development
[Nest] LOG [Bootstrap] πŸ“‘ Server listening on: http://localhost:3000
[Nest] LOG [Bootstrap] πŸ“‹ Compliance API Base: http://localhost:3000/api/v1/mcp/compliance
[Nest] LOG [Bootstrap] βœ… Health check: http://localhost:3000

Test with PowerShell 

# Test 1: Regulatory Lookup
Invoke-RestMethod -Uri "http://localhost:3000/api/v1/mcp/compliance/lookup" `
  -Method Post `
  -Body '{"jurisdiction":"EU","regulation_type":"GDPR","action_description":"Transfer customer data"}' `
  -ContentType "application/json"

# Test 2: Audit Query
Invoke-RestMethod -Uri "http://localhost:3000/api/v1/mcp/compliance/audit/query" `
  -Method Post `
  -Body '{"start_date":"2025-01-01T00:00:00Z","end_date":"2025-12-31T23:59:59Z"}' `
  -ContentType "application/json"

# Test 3: Risk Score
Invoke-RestMethod -Uri "http://localhost:3000/api/v1/mcp/compliance/risk/calculate" `
  -Method Post `
  -Body '{"process_name":"Payment System","data_sensitivity_level":5,"external_api_dependencies":3}' `
  -ContentType "application/json"

Automated Test Script 

.\test-endpoints.ps1

🎯 Next Steps for MCP Integration

Phase 2: MCP Server Implementation

  1. Install MCP SDK

    npm install @modelcontextprotocol/sdk

  2. Create MCP Tool Handlers

    • Map each service method to an MCP tool definition
    • Use JSDoc documentation as tool schema
    • Implement stdio/SSE transport layer

  3. Tool Registration

    server.setRequestHandler(ListToolsRequestSchema, async () => ({
  tools: [
    {
      name: 'checkRegulatoryJurisdiction',
      description: '...', // From JSDoc
      inputSchema: {
        /* From DTOs */
      },
    },
    // ... other tools
  ],
}));

  4. Testing with MCP Inspector

    npx @modelcontextprotocol/inspector node dist/mcp-server.js

βœ… Implementation Checklist

  • Create all DTO files with strict TypeScript types
  • Add comprehensive JSDoc comments to all DTOs
  • Implement ComplianceService with three methods
  • Add MCP-compliant documentation to service methods
  • Create ComplianceController with REST endpoints
  • Document controller endpoints with examples
  • Configure environment variables with .env
  • Add enhanced logging with port display
  • Format all code with Prettier
  • Test REST API endpoints
  • Implement MCP tool handlers (Phase 2)
  • Add input validation decorators (class-validator)
  • Integrate with real compliance databases
  • Add authentication/authorization
  • Deploy as MCP server

πŸ“– Key Features

βœ… Machine-Readable Schema - All JSDoc comments serve as MCP tool definitions
βœ… Strict TypeScript Types - Full type safety throughout
βœ… REST API for Testing - Easy validation during development
βœ… Environment Configuration - Flexible deployment options
βœ… Enhanced Logging - Clear visibility into server state
βœ… Mock Data Implementation - Validates function signatures
βœ… Production-Ready Structure - Easy to integrate real data sources

πŸ“š Documentation References

  • DTOs: All located in src/compliance/dto/ with comprehensive field documentation
  • Service: src/compliance/compliance.service.ts with detailed method documentation
  • Controller: src/compliance/compliance.controller.ts with HTTP endpoint documentation
  • Testing Guide: TESTING.md with complete testing instructions

Status: βœ… Ready for MCP Integration (Phase 2)