@ansvar/automotive-cybersecurity-mcp

v1.0.1

Published

MCP server for automotive cybersecurity regulations, standards, and TARA methodology

Readme

Automotive Cybersecurity MCP Server

Complete R155/R156 Content - Production-ready with full regulation text from official UNECE sources.

Stop wasting hours searching through PDF regulations. Ask Claude about automotive cybersecurity requirements in natural language and get instant, accurate answers with source references.

A Model Context Protocol (MCP) server that gives Claude direct access to UNECE R155/R156 regulations and ISO 21434 guidance, enabling AI-powered compliance workflows.

Why This Matters

The Problem:

  • 📄 Automotive cybersecurity regulations span hundreds of pages across multiple PDFs
  • 🔍 Finding specific requirements requires manual searching through dense technical text
  • 🔗 Cross-referencing between R155, R156, and ISO 21434 is time-consuming
  • 💰 Hiring consultants for compliance questions is expensive ($200-400/hour)

The Solution:

  • 💬 Ask Claude questions in natural language: "What does R155 require for vulnerability management?"
  • ⚡ Get instant answers with exact article references and full text
  • 🔗 See how requirements map across frameworks (R155 ↔ ISO 21434)
  • 📊 Generate compliance matrices, gap analyses, and documentation on-demand

Who This Is For:

  • 🚗 Automotive OEMs - Preparing for UNECE type approval
  • 🔧 Tier 1/2 Suppliers - Understanding customer cybersecurity requirements
  • 🛡️ Cybersecurity Engineers - Implementing ISO 21434 compliant systems
  • 📋 Compliance Officers - Generating audit documentation
  • 🎓 Consultants - Quickly accessing regulatory content for client projects

Quick Start

⚡ 30-Second Setup:

Add to ~/.claude/claude_desktop_config.json:

{
  "mcpServers": {
    "automotive": {
      "command": "npx",
      "args": ["-y", "@ansvar/automotive-cybersecurity-mcp"]
    }
  }
}

Restart Claude Desktop, then ask: "What does R155 Article 7 require?"

Usage Examples

Preparing for Type Approval:

"What documentation does R155 require for CSMS approval?"
"Show me the R155 Annex 4 certificate template"
"List all R155 requirements for vulnerability management"

Compliance Analysis:

"Search R155 for requirements about incident response"
"What does R156 Article 7 require for software update assessment?"
"Compare R155 and R156 approval processes"

Documentation Generation:

"Generate a compliance checklist from R155 Article 7"
"Create a gap analysis template for R155"
"What evidence does R155 require for type approval?"

Training & Education:

"Explain R155 Article 7.2.2.2 in simple terms"
"What are the key differences between R155 Revision 1 and 2?"
"Create quiz questions from R155 CSMS requirements"

Why This Works

Direct Source Access: Content comes directly from official UNECE regulation documents, not LLM training data or paraphrased summaries.

Instant Retrieval: Sub-millisecond full-text search across 294KB of regulation content eliminates PDF scrolling.

Accurate Citations: Every answer includes exact article references (e.g., "R155 Article 7.2.2.2") for audit trails.

Always Current: Database includes complete R155/R156 Revision 2 (effective 2024-07-07) from official sources.

Traditional Approach vs. MCP

| Task | Traditional Approach | With Automotive MCP |
|------|---------------------|---------------------|
| Find specific requirement | Download PDF → Ctrl+F → Read context → Verify article | Ask Claude → Get answer with citation |
| Time | 15-30 minutes | 10 seconds |
| Prepare for audit | Read 200 pages → Highlight → Create checklist → Cross-reference | Ask for requirements → Generate checklist → Done |
| Time | 2-3 days | 30 minutes |
| Answer RFQ question | Search PDF → Read articles → Draft response → Verify | Ask Claude → Get exact requirement → Copy citation |
| Time | 1-2 hours | 2 minutes |
| Train engineers | Create slides → Extract requirements → Format → Present | Ask for explanations → Generate quiz → Export |
| Time | 1 week | 2 hours |
| Cost | $200-400/hour consultant | $0 (open source) |

ROI: First question answered = immediate payback. 10 questions/month = $36,000/year saved.

Overview

This MCP server enables AI assistants to access and reason about automotive cybersecurity requirements, helping with:

  • Type approval preparation - Access UNECE R155/R156 requirements for cybersecurity type approval
  • Compliance verification - Map requirements across different frameworks (UNECE regulations, ISO standards)
  • Security analysis - Search for relevant requirements by topic or keyword
  • Documentation - Generate compliance evidence and traceability matrices

The server uses a read-only SQLite database with full-text search (FTS5) to provide fast, accurate access to regulatory content.

Features

Current Release (v1.0.0) ✅

Production Infrastructure:

  • 5 core tools - list_sources, get_requirement, search_requirements, list_work_products, export_compliance_matrix
  • SQLite database - FTS5 full-text search with BM25 ranking (~360KB)
  • MCP protocol - Full stdio transport support
  • Type-safe API - TypeScript with strict mode
  • Comprehensive tests - 105 tests, 100% pass rate
  • Performance - Sub-millisecond queries (<1ms avg)

Complete Content:

  • UNECE R155: 17 items (12 articles + 5 annexes) - Full regulation text including:
    • Article 7: Complete CSMS specifications (22KB)
    • Annex 5: Comprehensive threat catalog (148KB)
    • All official annexes (communication forms, approval marks, certificates)
  • UNECE R156: 16 items (12 articles + 4 annexes) - Full regulation text including:
    • Article 7: SUMS requirements
    • All official annexes
  • ISO 21434: 25 clauses with expert guidance, R155 mappings, and work products
  • VDA TISAX: 14 control areas for supplier qualification
  • SAE J3061: 7 lifecycle clauses (legacy reference)
  • AUTOSAR: 8 security modules for ECU implementation
  • Total: 99 items (33 regulation + 68 standard clauses) with ~360KB of content

Future Enhancements 🚀

  • 📋 TARA methodology tools and threat scenario library
  • 📋 Type approval checklist generation
  • 📋 ReqIF export format for PLM integration

Installation

Prerequisites

  • Node.js 18 or higher
  • Claude Desktop or compatible MCP client

Option 1: Use with npx (Recommended)

No installation needed! Use directly in Claude Desktop:

macOS: Edit ~/Library/Application Support/Claude/claude_desktop_config.json

Windows: Edit %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "automotive-cybersecurity": {
      "command": "npx",
      "args": ["-y", "@ansvar/automotive-cybersecurity-mcp"]
    }
  }
}

Restart Claude Desktop after editing the config.

Option 2: Install globally from npm

npm install -g @ansvar/automotive-cybersecurity-mcp

Then in Claude Desktop config:

{
  "mcpServers": {
    "automotive-cybersecurity": {
      "command": "automotive-cybersecurity-mcp"
    }
  }
}

Option 3: Install from source (for development)

# Clone the repository
git clone https://github.com/ansvar-ai/automotive-mcp.git
cd automotive-mcp

# Install dependencies and build
npm install
npm run build:db  # Build SQLite database
npm run build     # Compile TypeScript

Then in Claude Desktop config:

{
  "mcpServers": {
    "automotive-cybersecurity": {
      "command": "node",
      "args": ["/absolute/path/to/automotive-mcp/dist/index.js"]
    }
  }
}

Replace /absolute/path/to/automotive-mcp with your installation path.
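
Options 1 and the Quick Start launch the server with `npx -y` and no version, so the release that runs is whatever npx resolves at launch, and `-y` suppresses the install prompt. The audit below is an added example, not part of this project's code: it flags such entries in a `claude_desktop_config.json`. The function names and the sample config are constructed for illustration, and the pinned `@1.0.1` is the package version shown on this page.

```typescript
// Added example (not project code): flag MCP server entries that launch a
// package through npx without an exact version.
// Simplification: the first non-option argument is treated as the package
// spec; the -p/--package form of npx is not handled.

interface Finding {
  server: string;
  spec: string;
  issue: "no-version" | "floating-version";
  autoConfirm: boolean; // -y/--yes present: the install prompt is suppressed
}

// Exact semver such as 1.0.1 or 1.0.1-rc.1; dist-tags and ranges do not match.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Split "name@version" while keeping the leading "@" of a scoped name.
function splitSpec(spec: string): { name: string; version: string | null } {
  const at = spec.lastIndexOf("@");
  if (at <= 0) {
    return { name: spec, version: null };
  }
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

function auditMcpConfig(jsonText: string): Finding[] {
  const config = JSON.parse(jsonText);
  const servers = (config && config.mcpServers) || {};
  const findings: Finding[] = [];

  for (const server of Object.keys(servers)) {
    const entry = servers[server] || {};
    const command = String(entry.command || "");
    const base = command.split(/[\\/]/).pop() || "";
    if (!/^npx(\.cmd|\.exe)?$/i.test(base)) {
      continue; // not an npx launch (node, a globally installed binary, ...)
    }
    const args: string[] = Array.isArray(entry.args) ? entry.args.map(String) : [];
    const spec = args.filter((a) => a.charAt(0) !== "-")[0];
    if (spec === undefined) {
      continue;
    }
    const version = splitSpec(spec).version;
    if (version !== null && EXACT_VERSION.test(version)) {
      continue; // pinned to one release
    }
    findings.push({
      server: server,
      spec: spec,
      issue: version === null ? "no-version" : "floating-version",
      autoConfirm: args.indexOf("-y") !== -1 || args.indexOf("--yes") !== -1,
    });
  }
  return findings;
}

// Constructed sample config: the first and last entries mirror the README,
// the two in between are variations added for the example.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    "automotive-cybersecurity": {
      command: "npx",
      args: ["-y", "@ansvar/automotive-cybersecurity-mcp"],
    },
    "automotive-tagged": {
      command: "npx",
      args: ["-y", "@ansvar/automotive-cybersecurity-mcp@latest"],
    },
    "automotive-pinned": {
      command: "npx",
      args: ["-y", "@ansvar/automotive-cybersecurity-mcp@1.0.1"],
    },
    "automotive-local": {
      command: "node",
      args: ["/absolute/path/to/automotive-mcp/dist/index.js"],
    },
  },
});

// Two findings: the unversioned entry and the @latest entry.
const SAMPLE_FINDINGS = auditMcpConfig(SAMPLE_CONFIG);
```

A pinned entry only changes version when the config is edited, which gives a point at which to review the new release before it runs.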

Verify Installation

After restarting Claude Desktop, ask:

What automotive cybersecurity sources are available?

Claude should use the list_sources tool and show R155, R156, and ISO 21434.

What's Included

Complete UNECE Regulations:

  • UNECE R155 - All 17 items (12 articles + 5 annexes) including full Annex 5 threat catalog
  • UNECE R156 - All 16 items (12 articles + 4 annexes) for software update management
  • Full-text search - Sub-millisecond queries across 294KB of authoritative regulation text

ISO 21434 Guidance:

  • 25 clauses - Comprehensive expert guidance for all major clauses (5-15) plus key annexes
  • R155 mappings - Each clause linked to corresponding R155 requirements
  • Work products - 40+ work product references with descriptions

Additional Frameworks:

  • VDA TISAX - 14 control areas with assessment level guidance (AL1-AL3)
  • SAE J3061 - 7 lifecycle phases plus TARA methods annex
  • AUTOSAR Security - 8 modules (SecOC, CSM, KeyM, IdsM, Secure Boot, etc.)
  • Chinese GB/T - 12 clauses covering GB/T 40857, 40856, 40855, GB 44495, CCC certification

Content Inventory

| Source | Items | Content | Size |
|--------|-------|---------|------|
| UNECE R155 | 17 | Articles 1-12, Annexes 1-5 | 223KB |
| UNECE R156 | 16 | Articles 1-12, Annexes 1-4 | 64KB |
| ISO 21434 | 25 | Clauses 5-15, TARA sub-clauses, Annexes A/D-H | ~25KB |
| VDA TISAX | 14 | Control areas 1-13 + Prototype protection | ~15KB |
| SAE J3061 | 7 | Lifecycle clauses 5-10 + Annex A | ~8KB |
| AUTOSAR | 8 | SecOC, CSM, KeyM, IdsM, Secure Boot, etc. | ~10KB |
| Chinese GB/T | 12 | GB/T 40857, 40856, 40855, GB 44495, CCC, V2X | ~15KB |
| Total | 99 | 5 standards + 2 regulations | ~360KB |

Key R155 Content:

  • Article 7: Complete CSMS specifications (largest article, ~22KB)
  • Annex 5: Full threat catalog with 70+ threat scenarios (~148KB)
  • Annexes 1-4: Communication forms, approval marks, certificates

Key R156 Content:

  • Article 7: Complete SUMS requirements
  • Annexes 1-4: All approval documentation templates

Available Tools

The server provides 5 MCP tools for accessing automotive cybersecurity requirements:

1. list_sources

List available automotive cybersecurity regulations and standards.

Input:

  • source_type (optional): Filter by type - "regulation", "standard", or "all" (default: "all")

Example:

{
  "source_type": "regulation"
}

Returns:

{
  "sources": [
    {
      "id": "r155",
      "name": "UN Regulation No. 155",
      "version": "Revision 2",
      "type": "regulation",
      "description": "Cyber Security and Cyber Security Management System",
      "item_count": 1,
      "full_text_available": true
    },
    {
      "id": "r156",
      "name": "UN Regulation No. 156",
      "version": "Revision 2",
      "type": "regulation",
      "description": "Software Update and Software Updates Management System",
      "item_count": 0,
      "full_text_available": true
    },
    {
      "id": "iso_21434",
      "name": "ISO/SAE 21434:2021",
      "version": "2021",
      "type": "standard",
      "description": "Road vehicles — Cybersecurity engineering",
      "item_count": 1,
      "full_text_available": false
    }
  ]
}

2. get_requirement

Retrieve a specific regulation article or standard clause with optional cross-framework mappings.

Input:

  • source (required): Source ID (e.g., "r155", "r156", "iso_21434")
  • reference (required): Article/clause reference (e.g., "7.2.2.2", "9.3")
  • include_mappings (optional): Include related requirements (default: false)

Example:

{
  "source": "r155",
  "reference": "7.2.2.2",
  "include_mappings": true
}

Returns:

{
  "requirement": {
    "source": "r155",
    "reference": "7.2.2.2",
    "title": "Cybersecurity processes",
    "text": "The manufacturer shall demonstrate that the vehicle type...",
    "section": "7.2.2.2"
  },
  "mappings": [
    {
      "target_source": "iso_21434",
      "target_reference": "9.3",
      "relationship": "implements"
    }
  ]
}

3. search_requirements

Full-text search across all regulations and standards using FTS5 with BM25 ranking.

Input:

  • query (required): Search query text
  • sources (optional): Filter to specific sources (e.g., ["r155", "iso_21434"])
  • limit (optional): Maximum results (default: 10)

Example:

{
  "query": "vulnerability management",
  "sources": ["r155"],
  "limit": 5
}

Returns:

{
  "results": [
    {
      "source": "r155",
      "reference": "7.2.2.2",
      "title": "Cybersecurity processes",
      "snippet": "...processes for vulnerability management and...",
      "rank": 1.245
    }
  ],
  "total": 5
}
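
`search_requirements` passes caller-supplied text to an FTS5 search, where both SQL and the FTS5 query syntax (column filters, `*`, `AND`/`OR`/`NOT`, unbalanced quotes) are injection surfaces. One way to handle the three documented inputs, as an added example rather than the project's own code: quote every term so FTS5 treats it as a literal, and bind all values as parameters. The column names, the source allowlist and the length and limit ceilings are assumptions; only the `requirements_fts` table name and the default limit of 10 come from this page.

```typescript
// Added example (not project code): validate search_requirements input and
// build a parameterized FTS5 query. Column names, the allowlist and the
// ceilings below are assumptions made for the example.

interface PreparedSearch {
  sql: string;
  params: Array<string | number>;
}

const KNOWN_SOURCES = ["r155", "r156", "iso_21434"]; // IDs shown in the README
const MAX_QUERY_LENGTH = 200; // assumed ceiling
const MAX_LIMIT = 50; // assumed ceiling
const DEFAULT_LIMIT = 10; // default documented for the tool

// True when a token has at least one character that is not ASCII punctuation.
const HAS_WORD_CHAR = /[^!-\/:-@\[-`{-~]/;

// Turn free text into an FTS5 expression made only of quoted strings.
// Inside an FTS5 string the sole special character is the double quote,
// which is escaped by doubling it, so operators typed by the caller
// (title:, *, OR, NEAR, parentheses) lose their meaning.
function toFtsMatch(query: string): string {
  return query
    .replace(/[\u0000-\u001f]/g, " ")
    .split(/\s+/)
    .filter((t) => HAS_WORD_CHAR.test(t))
    .map((t) => '"' + t.replace(/"/g, '""') + '"')
    .join(" ");
}

function prepareSearch(input: {
  query?: unknown;
  sources?: unknown;
  limit?: unknown;
}): PreparedSearch {
  if (typeof input.query !== "string" || input.query.length > MAX_QUERY_LENGTH) {
    throw new Error("query must be a string of at most " + MAX_QUERY_LENGTH + " characters");
  }
  const match = toFtsMatch(input.query);
  if (match === "") {
    throw new Error("query contains no searchable terms");
  }

  const sources: string[] = [];
  if (input.sources !== undefined) {
    if (!Array.isArray(input.sources)) {
      throw new Error("sources must be an array");
    }
    for (const s of input.sources) {
      // Allowlist check: only known source IDs are accepted.
      if (typeof s !== "string" || KNOWN_SOURCES.indexOf(s) === -1) {
        throw new Error("unknown source");
      }
      sources.push(s);
    }
  }

  let limit = DEFAULT_LIMIT;
  if (input.limit !== undefined) {
    const n = input.limit;
    if (typeof n !== "number" || Math.floor(n) !== n || n < 1 || n > MAX_LIMIT) {
      throw new Error("limit must be an integer between 1 and " + MAX_LIMIT);
    }
    limit = n;
  }

  // The SQL text is assembled from constants and "?" placeholders only;
  // every caller-supplied value travels in params.
  let sql =
    "SELECT source, reference, title, bm25(requirements_fts) AS score " +
    "FROM requirements_fts WHERE requirements_fts MATCH ?";
  const params: Array<string | number> = [match];
  if (sources.length > 0) {
    sql += " AND source IN (" + sources.map(() => "?").join(", ") + ")";
    for (const s of sources) {
      params.push(s);
    }
  }
  sql += " ORDER BY score LIMIT ?"; // bm25() is lower for better matches
  params.push(limit);
  return { sql: sql, params: params };
}
```

With better-sqlite3, the result would be run as `db.prepare(p.sql).all(...p.params)` on a connection opened with `readonly: true`.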

4. list_work_products

List ISO 21434 work products (deliverables) required for cybersecurity engineering.

Input:

  • clause_id (optional): Filter to specific clause (e.g., "15" for TARA, "6" for cybersecurity case)
  • phase (optional): Filter by lifecycle phase - organizational, project, continual, concept, development, validation, production, operations, decommissioning, tara

Example:

{
  "phase": "tara"
}

Returns:

{
  "work_products": [
    {
      "id": "WP-15-01",
      "name": "TARA report",
      "clause_id": "15",
      "clause_title": "Threat analysis and risk assessment (TARA)",
      "cal_relevant": true,
      "r155_refs": ["5.1.1(b)", "7.2.2.2(b)", "7.3.3"]
    }
  ],
  "summary": {
    "total_work_products": 44,
    "clauses_covered": 19,
    "cal_relevant_count": 31
  }
}

5. export_compliance_matrix

Generate a compliance traceability matrix for audit documentation.

Input:

  • regulation (optional): "r155" or "r156" (default: "r155")
  • format (optional): "markdown" or "csv" (default: "markdown")
  • include_guidance (optional): Include ISO 21434 guidance summaries

Example:

{
  "regulation": "r155",
  "format": "csv"
}

Returns:

{
  "format": "csv",
  "content": "Requirement,Title,ISO 21434 Clauses,Work Products,Status\n\"R155 7\",\"Specifications\",\"15, 8, 6...\",\"WP-15-01...\",Mapped",
  "statistics": {
    "total_requirements": 12,
    "mapped_requirements": 2,
    "coverage_percent": 17,
    "unique_work_products": 36
  }
}

Quality & Testing

This MCP server is built to production standards:

  • 105 automated tests - 100% pass rate across all test suites
  • Type-safe - Strict TypeScript with comprehensive type definitions
  • Fast queries - <2ms average per query
  • Secure - Read-only database, SQL injection protection
  • MCP compliant - Verified with MCP protocol testing
  • Well-tested - Unit, integration, and manual testing complete

See QUALITY_ASSESSMENT_REPORT.md for detailed test results.

Real-World Use Cases

1. 🎯 Type Approval Prep - "What do I need to pass audit?"

Scenario: Your OEM is 6 weeks from UNECE R155 type approval audit. You need to know every requirement.

Before (Manual Process):

  • Download R155 PDF (80+ pages)
  • Search for keywords, read dense legal text
  • Miss requirements due to synonym variations
  • Time: 4-6 hours

With This MCP:

You: "List all R155 requirements related to vulnerability management"

Claude: "R155 has several vulnerability management requirements:

📍 Article 7.2.2.2(g) - Vulnerability Management
The CSMS shall include processes for managing vulnerabilities...
[Full text with exact reference]

📍 Article 7.2.2.2(h) - Security Updates
Procedures for providing security updates...
[Full text with exact reference]

I found these by searching R155 for 'vulnerability' and related terms."

Time: 30 seconds

2. 🔗 Cross-Framework Mapping - "Does our ISO 21434 work satisfy R155?"

Scenario: You've implemented ISO 21434 clause 9.3. Customer asks: "Does this satisfy R155 requirements?"

Before:

  • Read ISO 21434 clause 9.3
  • Read entire R155 regulation
  • Manually compare requirements
  • Hope you didn't miss anything
  • Time: 2-3 hours

With This MCP:

You: "Show me ISO 21434 clause 9.3 and which R155 requirements it satisfies"

Claude: "ISO 21434 Clause 9.3 - Vulnerability Analysis
[Guidance text]

This clause directly satisfies these R155 requirements:
✅ R155 Article 7.2.2.2(g) - Vulnerability management processes
✅ R155 Article 7.2.2.2(h) - Security update procedures

The mapping shows your ISO 21434 implementation addresses the R155 type approval requirements."

Time: 15 seconds

3. 📄 Instant Documentation - "Generate our compliance matrix"

Scenario: Auditor asks: "Show me your CSMS compliance matrix for R155 Article 7."

Before:

  • Manually copy requirements from PDF
  • Create Excel/Word table
  • Add internal process references
  • Format for presentation
  • Time: 3-4 hours

With This MCP:

You: "Create a compliance traceability matrix for R155 Article 7 requirements"

Claude: [Generates formatted markdown table]

| R155 Requirement | Description | Our Implementation | Status |
|-----------------|-------------|-------------------|--------|
| 7.2.2.2(a) | Risk assessment | TARA Process Doc v2.1 | ✅ |
| 7.2.2.2(b) | Risk treatment | Security Architecture v3.0 | ✅ |
| 7.2.2.2(g) | Vulnerability mgmt | VMP-001 Procedure | ✅ |
...

You can now add your implementation details to the template.

Time: 2 minutes + your data entry

4. 🔍 Quick Answers - "What's this regulation requirement about?"

Scenario: Email from customer: "Please confirm compliance with R155 Article 7.2.2.2 paragraph (e)."

Before:

  • Find R155 PDF in downloads folder
  • Search for "7.2.2.2"
  • Scroll through subsections to find (e)
  • Read surrounding context
  • Time: 5-10 minutes

With This MCP:

You: "What is R155 Article 7.2.2.2 paragraph (e)?"

Claude: "R155 Article 7.2.2.2(e) requires:

'Management of security events including tools, procedures and forensic data'

This means your CSMS must have:
- Security event monitoring tools (SIEM, IDS, etc.)
- Incident response procedures
- Forensic data collection and retention
- Event analysis and reporting processes

This is part of the CSMS operational requirements."

Time: 10 seconds

5. 🎓 Learning & Training - "Explain this standard to our team"

Scenario: New engineer asks: "What's the difference between R155 and ISO 21434?"

Before:

  • Schedule meeting with compliance expert
  • Wait for their availability
  • Get 30-minute overview
  • Time: Days + meeting time

With This MCP:

You: "Explain the difference between R155 and ISO 21434"

Claude: "Based on the sources:

📋 UNECE R155 (Regulation):
- Legal requirement for vehicle type approval in EU/Asia
- Focus: What you MUST have (CSMS, processes, documentation)
- Enforced by: Government regulators during type approval
- Consequence: Can't sell vehicles without it

📘 ISO 21434 (Standard):
- Industry best practice (not legally required)
- Focus: How to implement automotive cybersecurity engineering
- Provides: Detailed processes, methods, work products
- Used to: Demonstrate compliance with R155

Relationship: R155 says 'you must have a CSMS', ISO 21434 tells you how to build one."

Time: Immediate

Why Not Just Use Google/PDFs?

| Task | Manual Search | This MCP |
|------|--------------|----------|
| Find specific requirement | Download PDF, Ctrl+F, read context | Ask Claude, get answer + context |
| Cross-reference frameworks | Open multiple PDFs, compare manually | Ask for mappings, instant results |
| Generate compliance matrix | Copy/paste from PDFs into Excel | Ask Claude to generate table |
| Answer "does X satisfy Y?" | Read both docs, hope you understand | Ask, get yes/no + explanation |
| Learn a regulation | Read 80+ page PDF | Ask questions, get summaries |
| Time for typical task | 30 min - 4 hours | 10 seconds - 2 minutes |
| Cost of consultant | $100-400/hour | Free (after setup) |

Key Advantage: Natural language + AI reasoning. Claude doesn't just search keywords - it understands context, relationships, and can synthesize information across multiple requirements.

Integration with Other MCPs

This server works well with other MCP servers:

With GitHub MCP

"Export R155 requirements as GitHub issues for our compliance tracking"
  • Use search_requirements to find relevant requirements
  • GitHub MCP creates issues with requirement text and references

With Filesystem MCP

"Save all ISO 21434 work products to a structured directory"
  • Use list_sources and get_requirement to retrieve content
  • Filesystem MCP writes to organized folder structure

With Brave Search MCP

"Find industry best practices for implementing R155 vulnerability management"
  • Use get_requirement to understand R155 requirements
  • Brave Search finds implementation guidance and tools

Development

Project Structure

automotive-mcp/
├── src/
│   ├── index.ts              # MCP server entry point
│   ├── types/                # TypeScript type definitions
│   │   └── index.ts
│   └── tools/                # Tool implementations
│       ├── registry.ts       # Shared tool registry
│       ├── list.ts          # list_sources tool
│       ├── get.ts           # get_requirement tool
│       └── search.ts        # search_requirements tool
├── data/
│   ├── seed/                # JSON seed data
│   │   ├── regulations.json
│   │   └── standards.json
│   └── automotive.db        # Generated SQLite database (not in git)
├── scripts/
│   └── build-db.ts          # Database build script
├── tests/                   # Vitest tests
└── dist/                    # Compiled TypeScript (not in git)

Building

# Compile TypeScript
npm run build

# Build database from seed data
npm run build:db

# Both
npm run build && npm run build:db

Testing

# Run all tests once
npm test

# Run tests in watch mode
npm run test:watch

Development Mode

# Run with auto-reload on file changes
npm run dev

Testing with MCP Inspector

The MCP Inspector provides a visual interface for testing tools:

npm run build
npx @modelcontextprotocol/inspector node dist/index.js

This opens a web interface where you can:

  • View all available tools
  • Test tool calls with different inputs
  • Inspect responses

Database Schema

The database uses SQLite with FTS5 for full-text search:

Tables:

  • sources - Regulation/standard metadata
  • requirements - Individual articles/clauses
  • requirements_fts - FTS5 virtual table for search
  • mappings - Cross-framework relationships (future)

Key Features:

  • BM25 ranking for search relevance
  • Foreign key constraints for data integrity
  • Indexes for fast lookups by source and reference

Adding Content

To add new regulations or standards:

  1. Add JSON file to data/seed/:
{
  "id": "new_regulation",
  "name": "New Regulation",
  "full_name": "Full title...",
  "version": "2024",
  "type": "regulation",
  "issuing_body": "Authority",
  "items": [
    {
      "reference": "1.1",
      "title": "Scope",
      "text": "Full text...",
      "section": "1"
    }
  ]
}
  2. Rebuild database:
npm run build:db
  3. Run tests to verify:
npm test

Environment Variables

  • AUTOMOTIVE_CYBERSEC_DB_PATH - Override database location (default: data/automotive.db)

Data Sources and Licensing

UNECE Regulations (R155/R156)

  • License: Public domain (UN documents)
  • Source: UNECE WP.29
  • Status: Complete R155/R156 Revision 2 (all articles and annexes)

ISO 21434

  • License: Paid standard (copyright ISO)
  • What we include: Guidance, work products, clause structure (no full text)
  • What we don't include: Full standard text (requires license)
  • How to get full text: Purchase from ISO

More Open Source from Ansvar

We maintain a family of MCP servers for compliance and security professionals:

| Server | Description | Install |
|--------|-------------|---------|
| EU Regulations | 47 EU regulations (GDPR, AI Act, DORA, NIS2, MiFID II, eIDAS, MDR...) | npx @ansvar/eu-regulations-mcp |
| US Regulations | HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA 21 CFR Part 11, state privacy laws | npx @ansvar/us-regulations-mcp |
| Security Controls | 1,451 controls across 28 frameworks (ISO 27001, NIST CSF, PCI DSS, CMMC...) | pipx install security-controls-mcp |
| OT Security | IEC 62443, NIST 800-82, MITRE ATT&CK for ICS | npx @ansvar/ot-security-mcp |
| Sanctions | Offline sanctions screening with OpenSanctions (30+ lists) | pip install ansvar-sanctions-mcp |

Browse all projects: ansvar.eu/open-source

License

This MCP server is licensed under the Apache License 2.0. See LICENSE file for details.

Important: This license covers the software only. Regulatory content and standards have their own licensing terms as described above.

Contributing

Contributions welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Add tests for new functionality
  4. Ensure npm test passes
  5. Submit a pull request

FAQ

Is this legally valid for compliance?

Yes, for reference. The regulations (R155/R156) are public domain. However, always verify critical compliance decisions with the official source documents. This tool helps you work faster, not replace your judgment.

How much ISO 21434 content is included?

25 clauses with expert guidance. ISO 21434 is copyrighted—we include clause titles, expert guidance summaries, work products, and R155 mappings (not full text). This covers all major clauses (5-15) plus key annexes. R155/R156 regulations are public domain and fully included.

Can I use this for paid client work?

Yes. Apache 2.0 license allows commercial use. Many consultants use this to speed up their R155/ISO 21434 advisory work.

What about ISO 21434 full text?

Not included (copyright). We provide clause IDs, titles, and expert guidance for ISO 21434. The full standard text requires a license from ISO. This approach respects copyright while still being useful.

Will this work with Claude Pro / Claude API?

Claude Desktop only for now. MCP is currently supported in Claude Desktop. Once Anthropic adds MCP support to web/API, this will work there too (no changes needed).

How do I get updates?

Automatic. If you install via npm/npx, running npm update -g @ansvar/automotive-cybersecurity-mcp (or just restarting Claude Desktop with npx) will get the latest version. v1.0.0 includes all Phase 1 & 2 features.

Can I add my own company's interpretations?

Yes. Fork the repo and modify data/seed/*.json files to add internal notes, then rebuild the database with npm run build:db.

Is my data sent anywhere?

No. Everything runs locally on your machine. The database is read-only SQLite. No network calls, no telemetry, no data collection.

Performance & Statistics

Current Implementation:

  • Code: ~2,000 lines TypeScript (10 source files)
  • Tests: 105 test cases (100% passing)
  • Database: ~360KB SQLite with FTS5 indexes
  • Content: 99 items (33 regulation + 68 standard clauses)
  • Mappings: 87 bidirectional R155 ↔ ISO 21434 mappings
  • Query Speed: <2ms average
  • Build Time: <500ms for full database rebuild
  • Dependencies: MCP SDK + better-sqlite3 only

Important Disclaimers

⚖️ Legal & Compliance

Not Legal Advice: This tool provides access to regulatory text for informational purposes only. It does not constitute legal advice, compliance certification, or professional consultation. For official compliance decisions, consult qualified legal counsel or type approval authorities.

Official Sources: Always verify critical requirements against official UNECE publications and your jurisdiction's implementation of regulations.

Type Approval: Type approval decisions are made by recognized technical services and approval authorities, not by AI tools.

📊 Token Usage

Claude Desktop: This MCP can return large regulation articles (e.g., R155 Article 7 is 22KB). Be mindful of token usage if on limited plans.

Best Practice: Use specific queries rather than requesting entire regulations at once.

📜 ISO Standards

ISO 21434 Content: Full ISO 21434 text is copyright-protected and not included. We provide expert guidance summaries only. Purchase the official standard from ISO for complete requirements.

Official Standard: https://www.iso.org/standard/70918.html

Roadmap

✅ Phase 1 & 2 (Complete - v1.0.0)

  • ✅ TypeScript MCP server with stdio transport
  • ✅ SQLite database with FTS5 full-text search
  • ✅ 5 core tools: list_sources, get_requirement, search_requirements, list_work_products, export_compliance_matrix
  • Complete R155/R156 regulations - All 33 items (articles + annexes)
  • ISO 21434 guidance - 25 clauses with expert guidance
  • Cross-framework mappings - 87 bidirectional R155 ↔ ISO 21434 mappings
  • Work products tool - ISO 21434 work product requirements by clause/phase
  • Global standards - VDA TISAX, SAE J3061, AUTOSAR, Chinese GB/T
  • ✅ Enterprise CI/CD with security scanning
  • ✅ Comprehensive testing (105 tests, 100% pass rate)

📋 Phase 3 (Next - Q2 2026) - TARA Methodology

  • [ ] TARA guidance tool - Threat analysis and risk assessment methodology
  • [ ] Threat scenario library - 20+ automotive threat scenarios
  • [ ] Attack feasibility ratings - ISO 21434 Annex G methodology
  • [ ] Cybersecurity goals - CAL rating guidance

🎯 Phase 4 (Q3 2026) - Type Approval

  • [ ] Type approval checklist - R155/R156 audit preparation
  • [ ] Evidence generation - Compliance documentation
  • [ ] Gap analysis - Compare implementation vs requirements
  • [ ] ReqIF export - PLM system integration

Acknowledgments

  • Built on the Model Context Protocol by Anthropic
  • Follows patterns from the EU Compliance MCP reference implementation
  • Regulatory content from UNECE and ISO (with appropriate licensing)

Version History

1.0.0 (2026-01-31) - Production-Ready with Global Market Coverage

🎉 Major Release - Complete Automotive Compliance Platform

Features:

  • ✅ 5 MCP tools fully implemented and tested
  • ✅ SQLite database with FTS5 full-text search (~360KB)
  • ✅ 87 bidirectional cross-framework mappings (ISO 21434 ↔ R155)
  • ✅ Work products tool with lifecycle phase filtering
  • ✅ Compliance matrix export (CSV/Markdown)
  • ✅ 105 tests, 100% pass rate

Content (99 items across 5 standards + 2 regulations):

  • UNECE R155: 17 items - Complete with Annex 5 threat catalog
  • UNECE R156: 16 items - Complete SUMS requirements
  • ISO 21434: 25 clauses - Expert guidance, work products, R155 mappings
  • VDA TISAX: 12 clauses - AL1-AL3 assessment levels
  • SAE J3061: 7 clauses - Legacy guidebook compatibility
  • AUTOSAR: 12 modules - SecOC, CSM, KeyM, IdsM, etc.
  • Chinese GB/T: 12 clauses - GB/T 40857, 40856, 40855, GB 44495, CCC

Global Market Support:

  • 🇪🇺 EU: R155/R156, ISO 21434, TISAX
  • 🇺🇸 US: SAE J3061, ISO 21434
  • 🇨🇳 China: GB/T standards, SM2/SM3/SM4 crypto, CCC certification

0.1.0 (2026-01-29) - Initial Release

Features:

  • ✅ 3 core MCP tools (list_sources, get_requirement, search_requirements)
  • ✅ Complete UNECE R155 and R156 regulation text
  • ✅ ISO 21434 basic clause structure
  • ✅ Enterprise CI/CD with security scanning

Acknowledgments

This project includes UNECE R155 and R156 regulation content sourced from the EU Compliance MCP project by Ansvar Systems. The EU Compliance MCP provides comprehensive access to 37 EU regulations including automotive cybersecurity standards.

Data Attribution:

  • R155/R156 regulation text: Sourced from official UNECE documents via EU Compliance MCP
  • License: Apache 2.0 (compatible with this project)
  • Original source: https://github.com/Ansvar-Systems/EU_compliance_MCP

We thank the EU Compliance MCP team for their excellent work in making EU and UNECE regulations accessible via MCP protocol.