control_narrative
Generate AO-review-quality control implementation narratives for NIST 800-53 Rev 5 controls from your system description. Input system details to produce eMASS-ready prose.
Instructions
Generate eMASS-ready control implementation narratives for any NIST 800-53 Rev 5 control given your system description. Output is AO-review quality prose.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| controlId | Yes | e.g. "AC-2", "SC-28" | |
| systemName | Yes | Name of the system | |
| systemDescription | Yes | What the system does | |
| azureServices | Yes | Azure services in scope | |
| cspLevel | Yes | Cloud service provider level | |
| impactLevel | Yes | System impact level | |
| organizationName | No | Organization name (optional) | |
Implementation Reference
- Main handler function for the control_narrative tool. Uses runTool wrapper with Zod schema validation, fetches ESLZ grounding context (Azure Enterprise Scale policies/architecture), builds a prompt via controlNarrativeTemplate, calls Anthropic Claude API, and returns the AI-generated eMASS-ready control implementation narrative.
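/**
 * Shorthand `cspLevel` values accepted by `Schema`, mapped to their canonical form.
 * A lookup table is used instead of `String.replace` because
 * `'azure-gcc-high'.replace('gcc-high', 'azure-gcc-high')` yields
 * `'azure-azure-gcc-high'` and `'azure-government'.replace('azure-gov', 'azure-government')`
 * yields `'azure-governmenternment'` — the canonical inputs were being mangled.
 */
const CSP_LEVEL_ALIASES = new Map<string, string>([
  ['gcc-high', 'azure-gcc-high'],
  ['azure-gov', 'azure-government'],
]);

/**
 * Main handler for the `control_narrative` tool.
 *
 * Runs under `runTool`, which validates `args` against `Schema` before the
 * callback executes. Fetches ESLZ grounding content (policy definitions and the
 * landing-zone README) in parallel, builds the prompt with
 * `controlNarrativeTemplate`, and requests the narrative from the model.
 *
 * @param args - Raw tool arguments; validated by `runTool` against `Schema`.
 * @returns The generated narrative text. When any ESLZ content was available,
 *   `ESLZ_ATTRIBUTION` is appended.
 */
export async function handleControlNarrative(args: unknown): Promise<string> {
  return runTool('control_narrative', args, Schema, async ({
    controlId,
    systemName,
    systemDescription,
    azureServices,
    cspLevel: rawCspLevel,
    impactLevel,
    organizationName,
  }) => {
    // Canonicalise aliases; canonical values pass through unchanged.
    const cspLevel = CSP_LEVEL_ALIASES.get(rawCspLevel) ?? rawCspLevel;

    // Family prefix (e.g. "AC" from "AC-2(1)") selects the relevant ESLZ content.
    const controlFamily = controlId.split('-')[0];

    // Fetch ESLZ grounding content in parallel. If neither fetch yields content,
    // the narrative is still produced, just without grounding.
    const [policyDefs, archDoc] = await Promise.all([
      fetchEslzContent('eslzArm/managementGroupTemplates/policyDefinitions/policies.json'),
      fetchEslzContent('README.md'),
    ]);
    const eslzAvailable = Boolean(policyDefs || archDoc);

    let groundingContext = '';
    if (eslzAvailable) {
      // NOTE(review): this content is fetched from a remote repository and spliced
      // verbatim into the model prompt, so it is untrusted model input — confirm
      // fetchEslzContent pins a trusted source/revision.
      const relevantPolicies = extractRelevantPolicies(policyDefs, controlFamily, azureServices);
      const archGuidance = extractRelevantArchGuidance(archDoc, controlFamily);
      const sections: string[] = [];
      if (relevantPolicies) {
        sections.push(`## Azure Enterprise Scale Policy Definitions (Official Microsoft Source) The following are real Azure Policy definitions from the official Azure/Enterprise-Scale repository relevant to ${controlId}: ${relevantPolicies}`);
      }
      if (archGuidance) {
        sections.push(`## Azure Landing Zone Design Guidance (Official Microsoft Source) ${archGuidance}`);
      }
      groundingContext = sections.join('\n\n');
    }

    // Caller-supplied fields (system name/description, services) are embedded in
    // the prompt; their length is bounded by `Schema`.
    const basePrompt = controlNarrativeTemplate(
      controlId,
      systemName,
      systemDescription,
      azureServices,
      cspLevel,
      impactLevel,
      organizationName
    );
    const fullPrompt = groundingContext
      ? `${basePrompt}\n\n## Grounding Context — Official Microsoft Azure/Enterprise-Scale Repository\nUse the following official Microsoft content to ensure your narrative references real Azure Policy definition names and accurate ALZ architecture patterns:\n\n${groundingContext}`
      : basePrompt;

    const response = await anthropic.messages.create({
      model: MODEL,
      max_tokens: getTokenBudget('control_narrative'),
      system: NARRATIVE_SYSTEM,
      messages: [{ role: 'user', content: fullPrompt }],
    });

    // Take the first text block rather than assuming content[0] is text
    // (an empty or non-text-first response yields '').
    const textBlock = response.content.find((block) => block.type === 'text');
    const text = textBlock && textBlock.type === 'text' ? textBlock.text : '';
    return eslzAvailable ? text + ESLZ_ATTRIBUTION : text;
  });
}
// - Zod schema (Schema) validating: controlId (NIST format regex), systemName, systemDescription, azureServices, cspLevel (enum), impactLevel (enum), and optional organizationName.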
// Shared bound for free-text fields. These strings end up in the model prompt,
// so the cap limits how much caller-controlled text reaches it.
const shortText = z.string().max(500);

// NIST 800-53 identifier: two-letter family, control number, optional enhancement.
const controlIdPattern = /^[A-Z]{2}-\d{1,2}(\(\d{1,2}\))?$/;

/**
 * Input contract for the control_narrative tool; enforced by runTool before
 * the handler callback runs.
 */
const Schema = z.object({
  controlId: z
    .string()
    .regex(controlIdPattern, 'Control ID must be NIST format: e.g. AC-2, SC-28, AC-2(1)'),
  systemName: shortText,
  systemDescription: z.string().max(2000),
  azureServices: z.array(shortText).max(50),
  // 'gcc-high' and 'azure-gov' are accepted as shorthand; the handler maps them
  // to the canonical values.
  cspLevel: z.enum(['azure-commercial', 'azure-government', 'azure-gcc-high', 'gcc-high', 'azure-gov']),
  impactLevel: z.enum(['low', 'moderate', 'high', 'il4', 'il5']),
  organizationName: shortText.optional(),
});
// - src/tools/index.ts:60-87 (registration) Dispatch in handleToolCall: case 'control_narrative' routes to handleControlNarrative(args).
/** Signature every registered tool handler conforms to. */
type ToolHandler = (args: unknown) => string | Promise<string>;

/**
 * Tool name → handler. A Map rather than a plain object so that a name such as
 * "constructor" or "__proto__" cannot resolve to an inherited property.
 */
const toolHandlers = new Map<string, ToolHandler>([
  ['bicep_analyze', handleBicepAnalyze],
  ['bicep_remediate', handleBicepRemediate],
  ['control_lookup', handleControlLookup],
  ['control_narrative', handleControlNarrative],
  ['poam_generate', handlePoamGenerate],
  ['ato_readiness', handleAtoReadiness],
  ['oscal_fragment', handleOscalFragment],
  ['landing_zone_design', handleLandingZone],
  ['landing_zone_reference', handleLandingZoneReference],
  ['azure_service_selector', handleServiceSelect],
  ['gcc_high_guidance', handleGccHigh],
  ['private_endpoint_map', handlePrivateEndpoint],
  ['bigbang_validate', handleBigbangValidate],
  ['bigbang_harden', handleBigbangHarden],
  ['ironbank_lookup', handleIronbankLookup],
  ['addon_configurator', handleAddonConfigurator],
  ['pipeline_audit', handlePipelineAudit],
  ['signing_config', handleSigningConfig],
  ['devsecops_scorecard', handleDevsecopsScorecard],
  ['ssp_section', handleSspSection],
  ['contingency_plan', handleContingencyPlan],
  ['govcloud_quickstart', handleGovcloudQuickstart],
]);

/**
 * Dispatch a tool call to its handler by name.
 *
 * @param name - Registered tool name (see `allTools`).
 * @param args - Raw tool arguments, passed through to the handler as-is.
 * @returns The handler's text result.
 * @throws Error when `name` is not a registered tool.
 */
export async function handleToolCall(name: string, args: unknown): Promise<string> {
  const handler = toolHandlers.get(name);
  if (handler === undefined) {
    throw new Error(`Unknown tool: ${name}`);
  }
  return handler(args);
}
// - src/tools/index.ts:29-58 (registration) Tool object registered in allTools array at line 34, imported from './compliance/control-narrative.js'.
// Compliance
const complianceTools = [
  bicepAnalyzeTool,
  bicepRemediateTool,
  controlLookupTool,
  controlNarrativeTool,
  poamGenerateTool,
  atoReadinessTool,
  oscalFragmentTool,
];

// Architecture
const architectureTools = [
  landingZoneTool,
  landingZoneReferenceTool,
  serviceSelectTool,
  gccHighTool,
  privateEndpointTool,
];

// Platform One
const platformOneTools = [
  bigbangValidateTool,
  bigbangHardenTool,
  ironbankLookupTool,
  addonConfiguratorTool,
];

// Pipeline
const pipelineTools = [pipelineAuditTool, signingConfigTool, devsecopsScoreCardTool];

// Documents
const documentTools = [sspSectionTool, contingencyPlanTool];

// Meta
const metaTools = [govcloudQuickstartTool];

/** Every registered tool definition, grouped by area and kept in registration order. */
export const allTools = [
  ...complianceTools,
  ...architectureTools,
  ...platformOneTools,
  ...pipelineTools,
  ...documentTools,
  ...metaTools,
];
// - Tool definition object with name 'control_narrative', description, and input JSON Schema (properties for controlId, systemName, systemDescription, azureServices, cspLevel, impactLevel, organizationName).
// Accepted values for the enum properties below. These must stay in sync with the
// zod Schema the handler validates against.
const cspLevelValues = ['azure-commercial', 'azure-government', 'azure-gcc-high', 'gcc-high', 'azure-gov'];
const impactLevelValues = ['low', 'moderate', 'high', 'il4', 'il5'];

const toolDescription =
  'Generate eMASS-ready control implementation narratives for any NIST 800-53 Rev 5 control given your system description. Output is AO-review quality prose.';

/**
 * Tool definition for `control_narrative`: the name the dispatcher routes on,
 * the user-facing description, and the JSON Schema advertised for its input.
 * Runtime validation is done separately by the handler's zod Schema.
 */
export const controlNarrativeTool = {
  name: 'control_narrative',
  description: toolDescription,
  inputSchema: {
    type: 'object' as const,
    properties: {
      controlId: { type: 'string', description: 'e.g. "AC-2", "SC-28"' },
      systemName: { type: 'string', description: 'Name of the system' },
      systemDescription: { type: 'string', description: 'What the system does' },
      azureServices: {
        type: 'array',
        items: { type: 'string' },
        description: 'Azure services in scope',
      },
      cspLevel: {
        type: 'string',
        enum: cspLevelValues,
        description: 'Cloud service provider level',
      },
      impactLevel: {
        type: 'string',
        enum: impactLevelValues,
        description: 'System impact level',
      },
      organizationName: { type: 'string', description: 'Organization name (optional)' },
    },
    required: ['controlId', 'systemName', 'systemDescription', 'azureServices', 'cspLevel', 'impactLevel'],
  },
};