compliance-mcp
A Python Model Context Protocol server that exposes SOC2 (Trust Services Criteria) and HIPAA (Security Rule) compliance remediation logic as structured tools that AI agents can call.
The server is purpose-built for an LLM-driven workflow:
discover → assess → remediate → report
Each tool returns strongly-typed structured content (Pydantic models) so the calling agent can chain steps without parsing prose.
Features
- Curated control catalogs for SOC2 (Common Criteria + Availability + Confidentiality samples) and HIPAA (Administrative, Physical, and Technical safeguards under 45 CFR 164.308 / .310 / .312).
- Assessment engine that scores controls against provided evidence and observations, surfacing matched evidence, missing evidence, findings, and prioritized remediation steps.
- Prescriptive remediation plans with ordered steps, recommended owner role, and effort estimates.
- Cross-framework mappings between SOC2 controls and HIPAA safeguards.
- Report generation that rolls multiple per-control assessments into a prioritized remediation plan with an overall status and human-readable summary.
- Exposed as MCP tools, resources, and a prompt via the official `mcp` Python SDK.
Install
Requires Python 3.10+.
pip install -e ".[dev]"
Run
compliance-mcp
This starts the MCP server on stdio. Wire it up in any MCP-aware client (Claude Desktop, Claude Code, custom agents, etc.):
{
  "mcpServers": {
    "compliance": {
      "command": "compliance-mcp"
    }
  }
}
Tools
| Tool | Purpose |
|---|---|
| `list_soc2_controls` | List SOC2 controls, optionally filtered by category |
| `get_soc2_control` | Full detail for a SOC2 control (e.g. CC6.1) |
| `list_hipaa_safeguards` | List HIPAA safeguards |
| `get_hipaa_safeguard` | Full detail for a HIPAA safeguard (e.g. 164.312(a)(1)) |
| `search_controls` | Free-text search across both catalogs |
| `assess_soc2_control` | Score evidence + observations against a SOC2 control |
| `assess_hipaa_safeguard` | Score evidence + observations against a HIPAA safeguard |
| `get_soc2_remediation` | Prescriptive plan for a SOC2 control |
| `get_hipaa_remediation` | Prescriptive plan for a HIPAA safeguard |
| `map_soc2_to_hipaa` | HIPAA safeguards mapped to a SOC2 control |
| `map_hipaa_to_soc2` | SOC2 controls mapped to a HIPAA safeguard |
| `list_cross_framework_mappings` | Full cross-framework mapping list |
| `generate_soc2_report` | Multi-control SOC2 assessment report |
| `generate_hipaa_report` | Multi-control HIPAA assessment report |
| `check_exception_registry` | Look up a documented exception for a control (downgrade or escalate severity) |
| `log_human_approval` | Append an immutable human-approval record and return a ticket-ready audit entry |
| `attach_manual_evidence` | Attach manual evidence (screenshot/document/log_export) and return a Vanta-ready audit note |
| `run_remediation_workflow` | One-call orchestrator: assess → check exception → fetch remediation → log approval → return WorkflowResult with severity, exception status, steps, audit_trail_entry, and next_actions |
| `list_hipaa_controls` | List every HIPAA control (legacy safeguards plus the `HIPAA-`-prefixed top-level standards) |
| `get_hipaa_control` | Full detail for a HIPAA control (e.g. HIPAA-164.312(a)(1)) |
| `assess_hipaa_control` | Assess a HIPAA control against a single observation; mirrors `assess_soc2_control` |
Exception, approval, and manual-evidence records are persisted as JSON under `src/compliance_mcp/data/`. The approval and evidence stores are append-only; tests redirect storage to a temp directory via `compliance_mcp.storage.set_data_dir`.
`assess_soc2_control` automatically consults the exception registry whenever the preliminary severity for a finding is HIGH or CRITICAL. An active exception downgrades severity by one level and injects an `[EXCEPTION:ACTIVE]` note into the findings; an expired exception escalates the finding to CRITICAL.
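The severity rule described above, sketched as an added example (this is not the project's engine code). The four-level scale, the `ExceptionRecord` shape, the `apply_exception` helper, the inclusive expiry date and the sample registry are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Severity(IntEnum):
    # Assumed four-level scale; the README only names HIGH and CRITICAL.
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class ExceptionRecord:
    # Hypothetical registry entry shape, not the project's schema.
    control_id: str
    expires: date
    reason: str


def apply_exception(control_id, preliminary, registry, today):
    """Return (final_severity, notes) for one finding."""
    notes = []
    # The registry is only consulted for HIGH or CRITICAL findings.
    if preliminary < Severity.HIGH:
        return preliminary, notes
    record = registry.get(control_id)
    if record is None:
        return preliminary, notes
    if record.expires >= today:  # assumption: expiry date is inclusive
        # Active exception: downgrade exactly one level and leave a marker.
        notes.append(f"[EXCEPTION:ACTIVE] {record.reason} (expires {record.expires})")
        return Severity(preliminary - 1), notes
    # Expired exception: a lapsed risk acceptance escalates the finding.
    notes.append(f"exception expired {record.expires}: {record.reason}")
    return Severity.CRITICAL, notes


# Constructed sample registry: one active and one expired exception.
REGISTRY = {
    "CC6.1": ExceptionRecord("CC6.1", date(2030, 1, 1), "legacy VPN, MFA rollout pending"),
    "CC7.2": ExceptionRecord("CC7.2", date(2020, 1, 1), "log pipeline migration"),
}
```
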
Resources
- `compliance://soc2/catalog` – JSON dump of every SOC2 control
- `compliance://hipaa/catalog` – JSON dump of every HIPAA safeguard
- `compliance://mappings` – JSON dump of SOC2 → HIPAA mappings
Prompt
`remediation_review` – guides an agent through using the tools to remediate a specific control.
Example agent flow
1. `list_soc2_controls(category="Logical and Physical Access")`
2. `assess_soc2_control(control_id="CC6.1", evidence=[...], observations=[...])`
3. `get_soc2_remediation(control_id="CC6.1", severity="high")`
4. `map_soc2_to_hipaa(soc2_control_id="CC6.1")` then assess the linked HIPAA safeguards.
5. `generate_soc2_report(generated_for="prod-platform", assessments=[...])`
Testing
pytest
The test suite covers the assessment engine end-to-end and verifies that every tool is registered and callable through the MCP runtime.
Project layout
src/compliance_mcp/
  __init__.py
  models.py        # Pydantic data model
  engine.py        # Pure-Python assessment + remediation logic
  server.py        # FastMCP server: tools, resources, prompts
  data/
    soc2.py        # SOC2 control catalog
    hipaa.py       # HIPAA safeguard catalog
    mappings.py    # SOC2 ↔ HIPAA cross mappings
tests/
  test_engine.py
  test_server.py
Caveats
The control catalogs are intentionally a curated subset suitable for driving remediation reasoning. They are not a substitute for the AICPA TSC or the HHS HIPAA Security Rule text itself, and should not be the only artifact relied upon for an audit.
License
MIT