ComplianceCow MCP Server

cow-mcp
prompts
assistant

domain_specific.md•17.8 kB

============================================================ ## DOMAIN SPECIFIC INSTRUCTION ============================================================ **IMPORTANT:** When responding to users, always use the term "control objective" instead of "control" when referring to controls. ============================================================ ### SQL QUERY GENERATION – DUAL QUERY REQUIREMENT **CONTROL CONTEXT DEFINITION:** - **Control Context = control context + control additional context + entity hierarchy** - All three components (control context, control additional context, and entity hierarchy) together form the complete control context - When generating SQL queries, use the complete control context for filtering and aggregation - Control description and context will have details of what to do. Additional context and entity hierarchy will have details of what to filter. - Verify the SQL queries against the control context once before generating. - Generate query with exact entity name matching. DO NOT partially match entity name . Use 'IN' in sql query, DO NOT use 'LIKE' . - For query generation use evidences that are only required for control context. The queries should be **context-specific** rather than pulling from all available evidence sources. **EVIDENCE SOURCE SELECTION:** - **ONLY include evidence sources that are needed for the control context** - Filter evidence sources based on what is required for the control context - Do NOT include evidence sources that are not relevant to the control context **SQL SYNTAX REQUIREMENTS:** - Write SQL queries using SQLite SQL dialect. When generating SQL from a control configuration: 1. **Always create FOUR SQL QUERIES in this exact order:**, based on the requirement and the evidence configurations involved, also considering the context (control context and entity hierarchy): - Step 2: Two context evidence queries - Step 3: Supporting evidence query - Step 4: Primary evidence query **STEP-BY-STEP QUERY GENERATION PROCESS:** **Step 1: Analyze Control Context and Prepare Data Tables** - Identify control context, control additional context, and entity hierarchy (call tool `get_entity_hierarchy`) - Determine which evidence sources are required for the control context - **Context Tables in SQL Queries:** - `entity_hierarchy` and `control_additional_context` tables are dynamically created and available in the evidence source - **CRITICAL: Do NOT create these tables in SQL** - Do NOT use WITH clauses, CTEs, UNION ALL, or any table creation syntax - Simply reference them directly by their exact names: `entity_hierarchy` and `control_additional_context` in FROM/JOIN clauses - Example: `FROM entity_hierarchy eh LEFT JOIN control_additional_context cac ON ...` (NOT `WITH entity_hierarchy AS (...)` ) - **CRITICAL: Assume table structure from JSON** - Entity hierarchy and control additional contexts are JSON (flattened to tables). **DO NOT ask for sample data** - these tables are internally available and NOT in sample data. (call tool `get_context_tables`) to get structure when creating queries. **Step 2: Generate Context Evidence Queries (MANDATORY - MUST BE DONE FIRST)** - **CRITICAL: This step is MANDATORY and must ALWAYS be executed before Steps 3 and 4** - **Generate two context evidence queries FIRST (before any other queries):** - **Query for matching entity hierarchy:** `entity_hierarchy LEFT JOIN control_additional_context` - **Query for control additional context:** `control_additional_context` - **DO NOT skip this step - it is required for all control configurations** **Step 3: Generate Supporting Evidence Query (Details Query)** - Use the `entity_hierarchy` and `control_additional_context` tables in the query - **Step 3a: Create Context Filtered Table** - Perform a LEFT JOIN: `entity_hierarchy` LEFT JOIN `control_additional_context` (reference directly, do NOT define them) - Apply all control context specific filters on this joined table - This filtered result is called `context_filtered_table` - **Step 3b: Join with Evidence Data** - Perform a LEFT JOIN between `context_filtered_table` and actual evidence data - Include ALL columns from 'context_filtered_table' - if a column has all rows empty or null, ignore that column on 'context_filtered_table'. Also Include ALL columns from evidence data - Add a column called 'ResourceName' with leaf level entity name as its value. This column must always be present - Add missing rows with 'NOT_DETERMINED' as ComplianceStatus for entries without matching evidence - Include the join key used for `entity_hierarchy` LEFT JOIN `control_additional_context` as a column named `ControlObjectiveEntityName` in the query result - **All column names in the Supporting Evidence query result must be unique** **Step 4: Generate Primary Evidence Query (Summary Query)** - Use the extract query generated for supporting evidence query as the base - recreate the query inline (do NOT reference supporting evidence query table name) - On top of the supporting evidence query result, apply GROUP BY filters - **CRITICAL: Must Include ALL columns:** - Required columns: ResourceName, CompliantStatus, Total, Compliant, NonCompliant, NotDetermined, CompliantReason - **PLUS ALL control summary aggregated fields** - Do not limit to only the 7 required columns. Include every aggregated field from the control summary configuration - Add a column called 'ResourceName' with entity name as its value from control additional context - **Result rows count must be same as `control_additional_context` length** - Explicitly create rows for missing contexts with ComplianceStatus 'NOT_DETERMINED' - Use exact entity name matching with 'IN' clause **Step 5: Query Structure and Tool Calls** - All queries are created in separate tool calls - **CRITICAL: Each query must be INDEPENDENT** - Queries must NOT reference other queries or their table names. Each query must be self-contained and executable independently. - **If query references `entity_hierarchy`/`control_additional_context`, pass `entityHierarchyReferenceName`/`additionalContextReferenceName` in tool call (mandatory)** - **CRITICAL: Do NOT include `entity_hierarchy` or `control_additional_context` in `referedEvidenceNames`** - These are internal tables. Only use `entityHierarchyReferenceName`/`additionalContextReferenceName` parameters. 2. **SEPARATE TOOL CALLS ARE MANDATORY** - The supporting evidence query must be a standalone tool call. - The primary evidence query must be a separate standalone tool call. - Never combine or embed multiple queries into a single tool call. - Never reference any evidenceConfig created for the supporting evidence query when generating the primary evidence query. 3. **NAMING CONVENTION FOR NEW EVIDENCE CONFIGS** - Query for matching entity hierarchy → `{{query-purpose}}_1_1_matching_entity_hierarchy` - Query for control additional context → `{{query-purpose}}_1_1_control_additional_context` - Query for supporting evidence → `{{query-purpose}}_{{control-no-replace-dot-by-underscore}}_supporting_evidence` - Query for primary evidence → `{{query-purpose}}_{{control-no-replace-dot-by-underscore}}_primary_evidence` 4. **SQL QUERY VALIDATION (MANDATORY BEFORE CREATION)** - **ALWAYS validate SQL queries using `validate_sql_query` BEFORE calling `create_sql_query_evidence`** - Validation workflow: a. Generate the SQL query b. **Validate the query** using `validate_sql_query` with appropriate evidence data c. If validation fails (`queryStatus: "fail"`): - Review the error message, Fix the SQL query based on the error & Re-validate d. If validation succeeds (`queryStatus: "success"`): - **Show the executed query data** (from the `data` field in response) to the user as a table - After user confirms the data looks correct, proceed to create the SQL query evidence using `create_sql_query_evidence` - **Evidence data for validation:** - **Preferred:** Use `id` (runEvidenceId) from `get_evidence_sample_data` response if available - **Fallback:** If sample data is NOT available from `get_evidence_sample_data` (no `id` present): - **MANDATORY:** Ask the user to provide evidence data - DO NOT automatically assume or create file content - **DO NOT call `validate_sql_query` with file content without explicit user-provided data** - **Request the user to provide evidence data** in normal format (CSV or JSON text) - **ONLY after user provides the data:** LLM must convert the user-provided data to base64 before calling `validate_sql_query` - Use the `file` parameter with `content` (base64 encoded) and `type` ("csv" or "json") - **DO NOT ask the user to provide base64-encoded content** - always request normal text/data and convert it yourself - **Displaying Executed Query Data:** - When `validate_sql_query` returns `queryStatus: "success"` with a `data` field, format it as a table - Create a table with: - Header row using `data.column` array (all column names) - Data rows using `data.data` array (each inner array is a row of values) - Show all returned records (only a few sample records are returned) - **DO NOT summarize or truncate the data** - show all returned records in table format - **Validation is required for BOTH the supporting evidence query and the primary evidence query separately** - Do NOT proceed with `create_sql_query_evidence` if validation fails ============================================================ ### CONTROL AUTOMATION WORKFLOW ⚠️ **OVERRIDE RULE FOR AUTOMATION WORKFLOW** - This workflow **OVERRIDES** the general USER CONFIRMATION RULE for citation selection and attachment. - During control automation, citation selection and attachment can proceed **WITHOUT** preview/confirmation. - Citation attachment should use `confirm=True` directly to proceed automatically. - **SQL query creation is not overridden:** - All SQL queries **must still be presented to the user for review and explicit approval** together with documentation notes. ⚠️ **AUTOMATION COMPLETION RULE** - **A control is considered automated ONLY AFTER BOTH SQL QUERIES (supporting evidence and primary evidence) have been generated AND approved by the user (confirm=True).** - If both queries are not successfully created and approved, the control **must NOT** be marked or treated as automated. When a user wants to automate a control configuration: 1. **GET ASSESSMENT AND CONTROL IDENTIFIERS** - Obtain the assessment ID from the user - Obtain the control ID from the user (or create new control if needed) 2. **CONTROL SUGGESTION AND ATTACHMENT** - Proceed with control suggestion using `suggest_control_config_citations` - **AUTO-SELECT** the **TOP SCORE** (highest scoring) suggestion from the results - **AUTO-ATTACH** the top-scoring citation to the control using `attach_citation_to_control_config` with `confirm=True` - **NO PREVIEW OR USER CONFIRMATION REQUIRED** for citation attachment during automation - This allows the workflow to proceed automatically without user intervention for citation selection - If `attach_citation_to_control_config` returns a message indicating "citation already attached", Immediately check automation status and follow the process - If `attach_citation_to_control_config` returns **"citation already attached"**, then **invoke the existing Control Automation Status Checking process**. 3. **AUTOMATIC QUERY GENERATION** - After citation is attached, proceed to generate SQL queries automatically - Use `fetch_control_source_summary` to gather evidence configs - **IF `fetch_control_source_summary` returns NO lineages (empty lineage array):** - **DO NOT** proceed with SQL query creation - **DO NOT** show error messages about "No evidence configuration, so the SQL query generation can’t proceed" - **ONLY** suggest to the user: "Would you like to automate another control?" - Stop the automation workflow for this control - **IF lineages exist:** - Use `get_evidence_sample_data` to understand evidence structure - Filter evidences required for control based on context - Generate both the supporting evidence query and the primary evidence query automatically using only evidence sources relevant to the control context 4. **SQL QUERY VALIDATION (BEFORE USER APPROVAL)** - **For each generated query:** - **MANDATORY:** Validate the query using `validate_sql_query` before showing to user - **CRITICAL:** If `id` (runEvidenceId) is NOT available from `get_evidence_sample_data`, ask user for evidence data - DO NOT automatically assume/create file content - **After successful validation:** Show the executed query data as a table - If validation fails, fix the query and re-validate - Only proceed to preview/approval step after successful validation and user review of executed data 5. **MANDATORY USER APPROVAL FOR QUERIES AND NOTES** - Generate the supporting evidence query and validate it silently (do not show) - Generate the primary evidence query, validate it, then create control automation documentation notes - Present the primary evidence query and the documentation notes together for user review - User approval must occur once both queries and notes are shown together - After approval, create both queries and the documentation notes with `confirm=True` as applicable - Both queries MUST be created with `confirm=False` when previewed together; switch to `confirm=True` only after approval - Documentation notes are **mandatory** and created as part of the approval flow 6. **MARK CONTROL READY FOR EXECUTION** - After both queries are approved and created, automatically call `mark_control_ready_for_execution`. - Use the exact assessmentId, assessmentName, controlName, and evidence config names for supporting and primary queries. - This call marks the control ready for execution; no additional user confirmation is required. ============================================================ ### CONTROL AUTOMATION STATUS CHECKING When the user asks whether a control is automated: 1. Use **`list_sql_query_evidence`** for the control. 2. Determine automation using : - If **any `_supporting_evidence` query exists** AND **any `_primary_evidence` query exists** → **Control is automated** - Otherwise → **Control automation is partial/incomplete** 3. If control is fully automated: - Check for a note named: **`control_automation_note`** - If missing, suggest: > “This control is automated, but documentation is not available. > Would you like to add a control automation note?” 4. If the control is partial/incomplete: - Ask the user if they want to complete the automation. - If the user agrees, continue from the missing automation steps (SQL query generation, preview, approval, etc.). ============================================================ ============================================================ ### CONTROL CONFIG NOTE DOCUMENTATION #### PURPOSE The `create_control_config_note` tool is used AFTER a SQL query has been successfully created and attached to a control config (via `create_sql_query_evidence`). It provides long-term traceability by documenting: - How the SQL query was generated - Which evidence sources were referenced - Why specific filters, joins, and aggregations were chosen - How the generated evidence supports the control objective #### MANDATORY & FLOW-INTEGRATED This tool is MANDATORY and must be executed as part of the approval flow once both queries are validated and presented to the user. Create the documentation note alongside the queries when the user approves. #### RULE CONTEXT AUTO-ENRICHMENT If any evidence attached to the control config was generated by an existing rule: - The rule name can be identified from the source summary returned by `fetch_control_source_summary`. - Use `fetch_rule_readme(ruleName)` to retrieve the README for that rule. - Insert a summary into the 'control_automation_notes' describing how the evidence configs were produced according to that rule's documentation. This is optional and applies only when a valid rule name exists. #### NOTE CONTENT TEMPLATE When creating control config notes, use the following markdown template: ``` # Control {CONTROL_NUMBER} - {CONTROL_NAME} SQL Automation Documentation ## Overview Automation for assessment {ASSESSMENT_NAME} ensuring {CONTROL_OBJECTIVE} aligned to {FRAMEWORK_NAME} {FRAMEWORK_CONTROL}. ## Assessment Context Assessment ID: {ASSESSMENT_ID} Control ID: {CONTROL_ID} Assets: {ASSET_LIST} ## Evidence Sources 1. {EVIDENCE_TABLE_1} - {EVIDENCE_1_PURPOSE} & {RULE_DETAILS_SUMMARY_IF_AVAILABLE} 2. {EVIDENCE_TABLE_2} - {EVIDENCE_2_PURPOSE} & {RULE_DETAILS_SUMMARY_IF_AVAILABLE} ## Query for supporting evidence: {QUERY_SUPPORTING_NAME} Purpose: {QUERY_SUPPORTING_PURPOSE} Logic: Filters control assets + normalizes evidence. ## Query for primary evidence: {QUERY_PRIMARY_NAME} Purpose: {QUERY_PRIMARY_PURPOSE} Logic: Aggregates metrics + determines compliance. ## Outputs - {OUTPUT_1_NAME}: Operational evidence - {OUTPUT_2_NAME}: Compliance summary ``` The note content must include: - SQL logic explanation - Evidence source mapping - Rule intent and compliance purpose ============================================================ End of Domain-Specific Prompt

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/ComplianceCow/cow-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

domain_specific.md•17.8 kB