npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@auditpilot/compliance-kb-mcp

v0.2.0

Published

NIST SP 800-53 Rev 5 knowledge-base MCP server (324 controls) with SOC 2 TSC mappings and BM25 search.

Readme

compliance-kb-mcp

License: Apache 2.0 PyPI npm

compliance-kb-mcp is a typed MCP server that exposes the canonical NIST Special Publication 800-53 Revision 5 control catalog (324 base controls across 20 families) over stdio transport. Each control is annotated with the SOC 2 Trust Services Criteria identifiers it helps satisfy, derived from publicly available crosswalks.

This package is part of the AuditPilot SOC 2 readiness reference architecture and is designed to be easy to fork for other control catalogs.

Why NIST 800-53?

  • Public domain. NIST 800-53 is a U.S. federal government work and is in the public domain (17 U.S.C. 105). The full canonical control text can be redistributed without licensing concerns.
  • Machine-readable canonical source. NIST publishes the catalog in OSCAL JSON, XML, and YAML at usnistgov/oscal-content.
  • Well-mapped to SOC 2. The AICPA publishes a TSC to 800-53 mapping (registration required); supplementary public crosswalks like the Open Security Architecture project make the relationship transparent.

Positioning

AuditPilot maps your environment to NIST 800-53 controls and shows which SOC 2 Trust Services Criteria are satisfied by your 800-53 coverage. The included compliance-kb-mcp ships with NIST 800-53 Rev 5 (public domain) and curated SOC 2 TSC mappings. For canonical SOC 2 TSC text, refer to AICPA-CIMA's published 2017 Trust Services Criteria -- that text is copyright-protected and is not redistributed in this package.

Features

  • Strict Pydantic v2 schemas with extra="forbid".
  • 324 NIST 800-53 Rev 5 base controls with parameter-substituted statements.
  • Curated SOC 2 TSC to 800-53 mapping covering Common Criteria, Availability, Confidentiality, Processing Integrity, and Privacy clauses.
  • Four MCP tools: lookup_control, lookup_by_soc2_tsc, search_controls, list_controls.
  • Naive BM25 ranking for lexical search across statement, guidance, title, and family text.
  • Zero external runtime dependencies beyond mcp>=1.0 and pydantic>=2.0.

Installation

Python (for running the stdio MCP server)

pip install compliance-kb-mcp

Or with uv:

uv add compliance-kb-mcp

npm / Node.js (thin shim that delegates to the Python server)

npm install -g @auditpilot/compliance-kb-mcp

Or run without installation via npx:

npx @auditpilot/compliance-kb-mcp

MCP Client Configuration

Add the server to your MCP client config (e.g. Claude Desktop's claude_desktop_config.json, or your project's .mcp.json).

Using the installed Python package (recommended):

{
  "mcpServers": {
    "compliance-kb": {
      "command": "compliance-kb-mcp"
    }
  }
}

Using uvx (no global install required):

{
  "mcpServers": {
    "compliance-kb": {
      "command": "uvx",
      "args": ["compliance-kb-mcp"]
    }
  }
}

Using npx (Node shim delegates to Python):

{
  "mcpServers": {
    "compliance-kb": {
      "command": "npx",
      "args": ["-y", "@auditpilot/compliance-kb-mcp"]
    }
  }
}

Note: The npx shim requires Python to be available on PATH. It spawns python -m compliance_kb_mcp.server using the PYTHON env var if set, otherwise falls back to python.

Tool Reference

lookup_control

  • Input: control_id: str -- NIST 800-53 base identifier, e.g. "AC-1"
  • Output: Control | None
  • Behavior: Returns the canonical 800-53 control payload (title, statement, guidance, assessment objectives, SOC 2 TSC mappings, citation). Returns null if the identifier is not found.

lookup_by_soc2_tsc

  • Input: tsc_id: str -- SOC 2 TSC identifier, e.g. "CC6.1", "A1.2"
  • Output: list[Control]
  • Behavior: Returns all 800-53 controls mapped to the given SOC 2 TSC.

search_controls

  • Input: query: str, k: int (1-20, default 5)
  • Output: list[Control]
  • Behavior: Returns top k BM25-ranked controls matching the query terms.

list_controls

  • Input: family_id: str | None -- e.g. "ac", "sc", "ia"
  • Output: list[ControlSummary]
  • Behavior: Lists all 324 controls (or scoped to a single family) as lightweight summaries including id, title, and SOC 2 TSC mappings.

Local Development

# Install the package in editable mode with dev dependencies
uv sync --directory packages/compliance-kb-mcp

# Run tests
uv run --directory packages/compliance-kb-mcp pytest tests/

# Run the server locally (stdio transport)
uv run --directory packages/compliance-kb-mcp python -m compliance_kb_mcp

Data Sources

How to Refresh the Dataset When NIST Republishes the Catalog

  1. Pull the latest catalog from usnistgov/oscal-content:
    curl -sL https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json \
        -o /tmp/nist_catalog.json
  2. Regenerate the dataset:
    python scripts/build_dataset.py --oscal-source /tmp/nist_catalog.json
  3. Re-run the test suite:
    uv run --directory packages/compliance-kb-mcp pytest tests/
  4. Update CHANGELOG.md and the source citation oscal_last_modified line in the resulting JSON.

How To Fork For Another Catalog

  1. Copy packages/compliance-kb-mcp to a new package folder (for example packages/iso-27001-kb-mcp or packages/cmmc-kb-mcp).
  2. Rename the Python package and npm metadata.
  3. Replace src/compliance_kb_mcp/data/nist_800_53_rev5_controls.json with the new catalog (matching the Control Pydantic schema).
  4. Update Control.framework literals and validation patterns in schemas.py.
  5. Keep the tool signatures unchanged so existing LangGraph integrations continue to work.
  6. Run tests and dry-run packaging:
    • pytest tests/
    • npm pack --dry-run
    • uv build

License

Apache-2.0. See LICENSE.