Automotive Cybersecurity MCP Server
Complete R155/R156 Content - Production-ready with full regulation text from official UNECE sources.
Stop wasting hours searching through PDF regulations. Ask Claude about automotive cybersecurity requirements in natural language and get instant, accurate answers with source references.
A Model Context Protocol (MCP) server that gives Claude direct access to UNECE R155/R156 regulations and ISO 21434 guidance, enabling AI-powered compliance workflows.
Why This Matters
The Problem:
- 📄 Automotive cybersecurity regulations span hundreds of pages across multiple PDFs
- 🔍 Finding specific requirements requires manual searching through dense technical text
- 🔗 Cross-referencing between R155, R156, and ISO 21434 is time-consuming
- 💰 Hiring consultants for compliance questions is expensive ($200-400/hour)
The Solution:
- 💬 Ask Claude questions in natural language: "What does R155 require for vulnerability management?"
- ⚡ Get instant answers with exact article references and full text
- 🔗 See how requirements map across frameworks (R155 ↔ ISO 21434)
- 📊 Generate compliance matrices, gap analyses, and documentation on-demand
Who This Is For:
- 🚗 Automotive OEMs - Preparing for UNECE type approval
- 🔧 Tier 1/2 Suppliers - Understanding customer cybersecurity requirements
- 🛡️ Cybersecurity Engineers - Implementing ISO 21434 compliant systems
- 📋 Compliance Officers - Generating audit documentation
- 🎓 Consultants - Quickly accessing regulatory content for client projects
Quick Start
⚡ 30-Second Setup:
Add to ~/.claude/claude_desktop_config.json:
{
"mcpServers": {
"automotive": {
"command": "npx",
"args": ["-y", "@ansvar/automotive-cybersecurity-mcp"]
}
}
}
Restart Claude Desktop, then ask: "What does R155 Article 7 require?"
📚 Documentation:
- QUICK_START.md - 5-minute guide with examples
- docs/USAGE_GUIDE.md - Complete usage scenarios & ROI
- docs/CI_CD.md - CI/CD workflows and npm publishing
- R155_R156_INTEGRATION_SUMMARY.md - Technical details
Usage Examples
Preparing for Type Approval:
"What documentation does R155 require for CSMS approval?"
"Show me the R155 Annex 4 certificate template"
"List all R155 requirements for vulnerability management"
Compliance Analysis:
"Search R155 for requirements about incident response"
"What does R156 Article 7 require for software update assessment?"
"Compare R155 and R156 approval processes"
Documentation Generation:
"Generate a compliance checklist from R155 Article 7"
"Create a gap analysis template for R155"
"What evidence does R155 require for type approval?"
Training & Education:
"Explain R155 Article 7.2.2.2 in simple terms"
"What are the key differences between R155 Revision 1 and 2?"
"Create quiz questions from R155 CSMS requirements"
Why This Works
Direct Source Access: Content comes directly from official UNECE regulation documents, not LLM training data or paraphrased summaries.
Instant Retrieval: Sub-millisecond full-text search across 294KB of regulation content eliminates PDF scrolling.
Accurate Citations: Every answer includes exact article references (e.g., "R155 Article 7.2.2.2") for audit trails.
Always Current: Database includes complete R155/R156 Revision 2 (effective 2024-07-07) from official sources.
Traditional Approach vs. MCP
| Task | Traditional Approach | With Automotive MCP |
|---|---|---|
| Find specific requirement | Download PDF → Ctrl+F → Read context → Verify article | Ask Claude → Get answer with citation |
| Time | 15-30 minutes | 10 seconds |
| Prepare for audit | Read 200 pages → Highlight → Create checklist → Cross-reference | Ask for requirements → Generate checklist → Done |
| Time | 2-3 days | 30 minutes |
| Answer RFQ question | Search PDF → Read articles → Draft response → Verify | Ask Claude → Get exact requirement → Copy citation |
| Time | 1-2 hours | 2 minutes |
| Train engineers | Create slides → Extract requirements → Format → Present | Ask for explanations → Generate quiz → Export |
| Time | 1 week | 2 hours |
| Cost | $200-400/hour consultant | $0 (open source) |
ROI: First question answered = immediate payback. 10 questions/month = $36,000/year saved.
Overview
This MCP server enables AI assistants to access and reason about automotive cybersecurity requirements, helping with:
- Type approval preparation - Access UNECE R155/R156 requirements for cybersecurity type approval
- Compliance verification - Map requirements across different frameworks (UNECE regulations, ISO standards)
- Security analysis - Search for relevant requirements by topic or keyword
- Documentation - Generate compliance evidence and traceability matrices
The server uses a read-only SQLite database with full-text search (FTS5) to provide fast, accurate access to regulatory content.
Features
Current Release (v1.0.0) ✅
Production Infrastructure:
- ✅ 5 core tools -
list_sources,get_requirement,search_requirements,list_work_products,export_compliance_matrix - ✅ SQLite database - FTS5 full-text search with BM25 ranking (~360KB)
- ✅ MCP protocol - Full stdio transport support
- ✅ Type-safe API - TypeScript with strict mode
- ✅ Comprehensive tests - 105 tests, 100% pass rate
- ✅ Performance - Sub-millisecond queries (<1ms avg)
Complete Content:
- UNECE R155: 17 items (12 articles + 5 annexes) - Full regulation text including:
- Article 7: Complete CSMS specifications (22KB)
- Annex 5: Comprehensive threat catalog (148KB)
- All official annexes (communication forms, approval marks, certificates)
- UNECE R156: 16 items (12 articles + 4 annexes) - Full regulation text including:
- Article 7: SUMS requirements
- All official annexes
- ISO 21434: 25 clauses with expert guidance, R155 mappings, and work products
- VDA TISAX: 14 control areas for supplier qualification
- SAE J3061: 7 lifecycle clauses (legacy reference)
- AUTOSAR: 8 security modules for ECU implementation
- Total: 99 items (33 regulation + 68 standard clauses) with ~360KB of content
Future Enhancements 🚀
- 📋 TARA methodology tools and threat scenario library
- 📋 Type approval checklist generation
- 📋 ReqIF export format for PLM integration
Installation
Prerequisites
- Node.js 18 or higher
- Claude Desktop or compatible MCP client
Option 1: Use with npx (Recommended)
No installation needed! Use directly in Claude Desktop:
macOS: Edit ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: Edit %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"automotive-cybersecurity": {
"command": "npx",
"args": ["-y", "@ansvar/automotive-cybersecurity-mcp"]
}
}
}
Restart Claude Desktop after editing the config.
Option 2: Install globally from npm
npm install -g @ansvar/automotive-cybersecurity-mcp
Then in Claude Desktop config:
{
"mcpServers": {
"automotive-cybersecurity": {
"command": "automotive-cybersecurity-mcp"
}
}
}
Option 3: Install from source (for development)
# Clone the repository
git clone https://github.com/ansvar-ai/automotive-mcp.git
cd automotive-mcp
# Install dependencies and build
npm install
npm run build:db # Build SQLite database
npm run build # Compile TypeScript
Then in Claude Desktop config:
{
"mcpServers": {
"automotive-cybersecurity": {
"command": "node",
"args": ["/absolute/path/to/automotive-mcp/dist/index.js"]
}
}
}
Replace /absolute/path/to/automotive-mcp with your installation path.
Verify Installation
After restarting Claude Desktop, ask:
What automotive cybersecurity sources are available?
Claude should use the list_sources tool and show R155, R156, and ISO 21434.
What's Included
Complete UNECE Regulations:
- ✅ UNECE R155 - All 17 items (12 articles + 5 annexes) including full Annex 5 threat catalog
- ✅ UNECE R156 - All 16 items (12 articles + 4 annexes) for software update management
- ✅ Full-text search - Sub-millisecond queries across 294KB of authoritative regulation text
ISO 21434 Guidance:
- ✅ 25 clauses - Comprehensive expert guidance for all major clauses (5-15) plus key annexes
- ✅ R155 mappings - Each clause linked to corresponding R155 requirements
- ✅ Work products - 40+ work product references with descriptions
Additional Frameworks:
- ✅ VDA TISAX - 14 control areas with assessment level guidance (AL1-AL3)
- ✅ SAE J3061 - 7 lifecycle phases plus TARA methods annex
- ✅ AUTOSAR Security - 8 modules (SecOC, CSM, KeyM, IdsM, Secure Boot, etc.)
- ✅ Chinese GB/T - 12 clauses covering GB/T 40857, 40856, 40855, GB 44495, CCC certification
Content Inventory
| Source | Items | Content | Size |
|---|---|---|---|
| UNECE R155 | 17 | Articles 1-12, Annexes 1-5 | 223KB |
| UNECE R156 | 16 | Articles 1-12, Annexes 1-4 | 64KB |
| ISO 21434 | 25 | Clauses 5-15, TARA sub-clauses, Annexes A/D-H | ~25KB |
| VDA TISAX | 14 | Control areas 1-13 + Prototype protection | ~15KB |
| SAE J3061 | 7 | Lifecycle clauses 5-10 + Annex A | ~8KB |
| AUTOSAR | 8 | SecOC, CSM, KeyM, IdsM, Secure Boot, etc. | ~10KB |
| Chinese GB/T | 12 | GB/T 40857, 40856, 40855, GB 44495, CCC, V2X | ~15KB |
| Total | 99 | 5 standards + 2 regulations | ~360KB |
Key R155 Content:
- Article 7: Complete CSMS specifications (largest article, ~22KB)
- Annex 5: Full threat catalog with 70+ threat scenarios (~148KB)
- Annexes 1-4: Communication forms, approval marks, certificates
Key R156 Content:
- Article 7: Complete SUMS requirements
- Annexes 1-4: All approval documentation templates
Available Tools
The server provides 5 MCP tools for accessing automotive cybersecurity requirements:
1. list_sources
List available automotive cybersecurity regulations and standards.
Input:
source_type(optional): Filter by type - "regulation", "standard", or "all" (default: "all")
Example:
{
"source_type": "regulation"
}
Returns:
{
"sources": [
{
"id": "r155",
"name": "UN Regulation No. 155",
"version": "Revision 2",
"type": "regulation",
"description": "Cyber Security and Cyber Security Management System",
"item_count": 1,
"full_text_available": true
},
{
"id": "r156",
"name": "UN Regulation No. 156",
"version": "Revision 2",
"type": "regulation",
"description": "Software Update and Software Updates Management System",
"item_count": 0,
"full_text_available": true
},
{
"id": "iso_21434",
"name": "ISO/SAE 21434:2021",
"version": "2021",
"type": "standard",
"description": "Road vehicles — Cybersecurity engineering",
"item_count": 1,
"full_text_available": false
}
]
}
2. get_requirement
Retrieve a specific regulation article or standard clause with optional cross-framework mappings.
Input:
source(required): Source ID (e.g., "r155", "r156", "iso_21434")reference(required): Article/clause reference (e.g., "7.2.2.2", "9.3")include_mappings(optional): Include related requirements (default: false)
Example:
{
"source": "r155",
"reference": "7.2.2.2",
"include_mappings": true
}
Returns:
{
"requirement": {
"source": "r155",
"reference": "7.2.2.2",
"title": "Cybersecurity processes",
"text": "The manufacturer shall demonstrate that the vehicle type...",
"section": "7.2.2.2"
},
"mappings": [
{
"target_source": "iso_21434",
"target_reference": "9.3",
"relationship": "implements"
}
]
}
3. search_requirements
Full-text search across all regulations and standards using FTS5 with BM25 ranking.
Input:
query(required): Search query textsources(optional): Filter to specific sources (e.g., ["r155", "iso_21434"])limit(optional): Maximum results (default: 10)
Example:
{
"query": "vulnerability management",
"sources": ["r155"],
"limit": 5
}
Returns:
{
"results": [
{
"source": "r155",
"reference": "7.2.2.2",
"title": "Cybersecurity processes",
"snippet": "...processes for vulnerability management and...",
"rank": 1.245
}
],
"total": 5
}
4. list_work_products
List ISO 21434 work products (deliverables) required for cybersecurity engineering.
Input:
clause_id(optional): Filter to specific clause (e.g., "15" for TARA, "6" for cybersecurity case)phase(optional): Filter by lifecycle phase - organizational, project, continual, concept, development, validation, production, operations, decommissioning, tara
Example:
{
"phase": "tara"
}
Returns:
{
"work_products": [
{
"id": "WP-15-01",
"name": "TARA report",
"clause_id": "15",
"clause_title": "Threat analysis and risk assessment (TARA)",
"cal_relevant": true,
"r155_refs": ["5.1.1(b)", "7.2.2.2(b)", "7.3.3"]
}
],
"summary": {
"total_work_products": 44,
"clauses_covered": 19,
"cal_relevant_count": 31
}
}
5. export_compliance_matrix
Generate a compliance traceability matrix for audit documentation.
Input:
regulation(optional): "r155" or "r156" (default: "r155")format(optional): "markdown" or "csv" (default: "markdown")include_guidance(optional): Include ISO 21434 guidance summaries
Example:
{
"regulation": "r155",
"format": "csv"
}
Returns:
{
"format": "csv",
"content": "Requirement,Title,ISO 21434 Clauses,Work Products,Status\n\"R155 7\",\"Specifications\",\"15, 8, 6...\",\"WP-15-01...\",Mapped",
"statistics": {
"total_requirements": 12,
"mapped_requirements": 2,
"coverage_percent": 17,
"unique_work_products": 36
}
}
Quality & Testing
This MCP server is built to production standards:
- ✅ 105 automated tests - 100% pass rate across all test suites
- ✅ Type-safe - Strict TypeScript with comprehensive type definitions
- ✅ Fast queries - <2ms average per query
- ✅ Secure - Read-only database, SQL injection protection
- ✅ MCP compliant - Verified with MCP protocol testing
- ✅ Well-tested - Unit, integration, and manual testing complete
See QUALITY_ASSESSMENT_REPORT.md for detailed test results.
Real-World Use Cases
1. 🎯 Type Approval Prep - "What do I need to pass audit?"
Scenario: Your OEM is 6 weeks from UNECE R155 type approval audit. You need to know every requirement.
Before (Manual Process):
- Download R155 PDF (80+ pages)
- Search for keywords, read dense legal text
- Miss requirements due to synonym variations
- Time: 4-6 hours
With This MCP:
You: "List all R155 requirements related to vulnerability management"
Claude: "R155 has several vulnerability management requirements:
📍 Article 7.2.2.2(g) - Vulnerability Management
The CSMS shall include processes for managing vulnerabilities...
[Full text with exact reference]
📍 Article 7.2.2.2(h) - Security Updates
Procedures for providing security updates...
[Full text with exact reference]
I found these by searching R155 for 'vulnerability' and related terms."
Time: 30 seconds
2. 🔗 Cross-Framework Mapping - "Does our ISO 21434 work satisfy R155?"
Scenario: You've implemented ISO 21434 clause 9.3. Customer asks: "Does this satisfy R155 requirements?"
Before:
- Read ISO 21434 clause 9.3
- Read entire R155 regulation
- Manually compare requirements
- Hope you didn't miss anything
- Time: 2-3 hours
With This MCP:
You: "Show me ISO 21434 clause 9.3 and which R155 requirements it satisfies"
Claude: "ISO 21434 Clause 9.3 - Vulnerability Analysis
[Guidance text]
This clause directly satisfies these R155 requirements:
✅ R155 Article 7.2.2.2(g) - Vulnerability management processes
✅ R155 Article 7.2.2.2(h) - Security update procedures
The mapping shows your ISO 21434 implementation addresses the R155 type approval requirements."
Time: 15 seconds
3. 📄 Instant Documentation - "Generate our compliance matrix"
Scenario: Auditor asks: "Show me your CSMS compliance matrix for R155 Article 7."
Before:
- Manually copy requirements from PDF
- Create Excel/Word table
- Add internal process references
- Format for presentation
- Time: 3-4 hours
With This MCP:
You: "Create a compliance traceability matrix for R155 Article 7 requirements"
Claude: [Generates formatted markdown table]
| R155 Requirement | Description | Our Implementation | Status |
|-----------------|-------------|-------------------|--------|
| 7.2.2.2(a) | Risk assessment | TARA Process Doc v2.1 | ✅ |
| 7.2.2.2(b) | Risk treatment | Security Architecture v3.0 | ✅ |
| 7.2.2.2(g) | Vulnerability mgmt | VMP-001 Procedure | ✅ |
...
You can now add your implementation details to the template.
Time: 2 minutes + your data entry
4. 🔍 Quick Answers - "What's this regulation requirement about?"
Scenario: Email from customer: "Please confirm compliance with R155 Article 7.2.2.2 paragraph (e)."
Before:
- Find R155 PDF in downloads folder
- Search for "7.2.2.2"
- Scroll through subsections to find (e)
- Read surrounding context
- Time: 5-10 minutes
With This MCP:
You: "What is R155 Article 7.2.2.2 paragraph (e)?"
Claude: "R155 Article 7.2.2.2(e) requires:
'Management of security events including tools, procedures and forensic data'
This means your CSMS must have:
- Security event monitoring tools (SIEM, IDS, etc.)
- Incident response procedures
- Forensic data collection and retention
- Event analysis and reporting processes
This is part of the CSMS operational requirements."
Time: 10 seconds
5. 🎓 Learning & Training - "Explain this standard to our team"
Scenario: New engineer asks: "What's the difference between R155 and ISO 21434?"
Before:
- Schedule meeting with compliance expert
- Wait for their availability
- Get 30-minute overview
- Time: Days + meeting time
With This MCP:
You: "Explain the difference between R155 and ISO 21434"
Claude: "Based on the sources:
📋 UNECE R155 (Regulation):
- Legal requirement for vehicle type approval in EU/Asia
- Focus: What you MUST have (CSMS, processes, documentation)
- Enforced by: Government regulators during type approval
- Consequence: Can't sell vehicles without it
📘 ISO 21434 (Standard):
- Industry best practice (not legally required)
- Focus: How to implement automotive cybersecurity engineering
- Provides: Detailed processes, methods, work products
- Used to: Demonstrate compliance with R155
Relationship: R155 says 'you must have a CSMS', ISO 21434 tells you how to build one."
Time: Immediate
Why Not Just Use Google/PDFs?
| Task | Manual Search | This MCP |
|---|---|---|
| Find specific requirement | Download PDF, Ctrl+F, read context | Ask Claude, get answer + context |
| Cross-reference frameworks | Open multiple PDFs, compare manually | Ask for mappings, instant results |
| Generate compliance matrix | Copy/paste from PDFs into Excel | Ask Claude to generate table |
| Answer "does X satisfy Y?" | Read both docs, hope you understand | Ask, get yes/no + explanation |
| Learn a regulation | Read 80+ page PDF | Ask questions, get summaries |
| Time for typical task | 30 min - 4 hours | 10 seconds - 2 minutes |
| Cost of consultant | $100-400/hour | Free (after setup) |
Key Advantage: Natural language + AI reasoning. Claude doesn't just search keywords - it understands context, relationships, and can synthesize information across multiple requirements.
Integration with Other MCPs
This server works well with other MCP servers:
With GitHub MCP
"Export R155 requirements as GitHub issues for our compliance tracking"
- Use
search_requirementsto find relevant requirements - GitHub MCP creates issues with requirement text and references
With Filesystem MCP
"Save all ISO 21434 work products to a structured directory"
- Use
list_sourcesandget_requirementto retrieve content - Filesystem MCP writes to organized folder structure
With Brave Search MCP
"Find industry best practices for implementing R155 vulnerability management"
- Use
get_requirementto understand R155 requirements - Brave Search finds implementation guidance and tools
Development
Project Structure
automotive-mcp/
├── src/
│ ├── index.ts # MCP server entry point
│ ├── types/ # TypeScript type definitions
│ │ └── index.ts
│ └── tools/ # Tool implementations
│ ├── registry.ts # Shared tool registry
│ ├── list.ts # list_sources tool
│ ├── get.ts # get_requirement tool
│ └── search.ts # search_requirements tool
├── data/
│ ├── seed/ # JSON seed data
│ │ ├── regulations.json
│ │ └── standards.json
│ └── automotive.db # Generated SQLite database (not in git)
├── scripts/
│ └── build-db.ts # Database build script
├── tests/ # Vitest tests
└── dist/ # Compiled TypeScript (not in git)
Building
# Compile TypeScript
npm run build
# Build database from seed data
npm run build:db
# Both
npm run build && npm run build:db
Testing
# Run all tests once
npm test
# Run tests in watch mode
npm run test:watch
Development Mode
# Run with auto-reload on file changes
npm run dev
Testing with MCP Inspector
The MCP Inspector provides a visual interface for testing tools:
npm run build
npx @modelcontextprotocol/inspector node dist/index.js
This opens a web interface where you can:
- View all available tools
- Test tool calls with different inputs
- Inspect responses
Database Schema
The database uses SQLite with FTS5 for full-text search:
Tables:
sources- Regulation/standard metadatarequirements- Individual articles/clausesrequirements_fts- FTS5 virtual table for searchmappings- Cross-framework relationships (future)
Key Features:
- BM25 ranking for search relevance
- Foreign key constraints for data integrity
- Indexes for fast lookups by source and reference
Adding Content
To add new regulations or standards:
- Add JSON file to
data/seed/:
{
"id": "new_regulation",
"name": "New Regulation",
"full_name": "Full title...",
"version": "2024",
"type": "regulation",
"issuing_body": "Authority",
"items": [
{
"reference": "1.1",
"title": "Scope",
"text": "Full text...",
"section": "1"
}
]
}
- Rebuild database:
npm run build:db
- Run tests to verify:
npm test
Environment Variables
AUTOMOTIVE_CYBERSEC_DB_PATH- Override database location (default:data/automotive.db)
Data Sources and Licensing
UNECE Regulations (R155/R156)
- License: Public domain (UN documents)
- Source: UNECE WP.29
- Status: Complete R155/R156 Revision 2 (all articles and annexes)
ISO 21434
- License: Paid standard (copyright ISO)
- What we include: Guidance, work products, clause structure (no full text)
- What we don't include: Full standard text (requires license)
- How to get full text: Purchase from ISO
More Open Source from Ansvar
We maintain a family of MCP servers for compliance and security professionals:
| Server | Description | Install |
|---|---|---|
| EU Regulations | 47 EU regulations (GDPR, AI Act, DORA, NIS2, MiFID II, eIDAS, MDR...) | npx @ansvar/eu-regulations-mcp |
| US Regulations | HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA 21 CFR Part 11, state privacy laws | npx @ansvar/us-regulations-mcp |
| Security Controls | 1,451 controls across 28 frameworks (ISO 27001, NIST CSF, PCI DSS, CMMC...) | pipx install security-controls-mcp |
| OT Security | IEC 62443, NIST 800-82, MITRE ATT&CK for ICS | npx @ansvar/ot-security-mcp |
| Sanctions | Offline sanctions screening with OpenSanctions (30+ lists) | pip install ansvar-sanctions-mcp |
Browse all projects: ansvar.eu/open-source
License
This MCP server is licensed under the Apache License 2.0. See LICENSE file for details.
Important: This license covers the software only. Regulatory content and standards have their own licensing terms as described above.
Contributing
Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Ensure
npm testpasses - Submit a pull request
FAQ
Is this legally valid for compliance?
Yes, for reference. The regulations (R155/R156) are public domain. However, always verify critical compliance decisions with the official source documents. This tool helps you work faster, not replace your judgment.
How much ISO 21434 content is included?
25 clauses with expert guidance. ISO 21434 is copyrighted—we include clause titles, expert guidance summaries, work products, and R155 mappings (not full text). This covers all major clauses (5-15) plus key annexes. R155/R156 regulations are public domain and fully included.
Can I use this for paid client work?
Yes. Apache 2.0 license allows commercial use. Many consultants use this to speed up their R155/ISO 21434 advisory work.
What about ISO 21434 full text?
Not included (copyright). We provide clause IDs, titles, and expert guidance for ISO 21434. The full standard text requires a license from ISO. This approach respects copyright while still being useful.
Will this work with Claude Pro / Claude API?
Claude Desktop only for now. MCP is currently supported in Claude Desktop. Once Anthropic adds MCP support to web/API, this will work there too (no changes needed).
How do I get updates?
Automatic. If you install via npm/npx, running npm update -g @ansvar/automotive-cybersecurity-mcp (or just restarting Claude Desktop with npx) will get the latest version. v1.0.0 includes all Phase 1 & 2 features.
Can I add my own company's interpretations?
Yes. Fork the repo and modify data/seed/*.json files to add internal notes, then rebuild the database with npm run build:db.
Is my data sent anywhere?
No. Everything runs locally on your machine. The database is read-only SQLite. No network calls, no telemetry, no data collection.
Support
For issues, questions, or contributions:
- GitHub Issues: https://github.com/ansvar-ai/automotive-mcp/issues
- Email: jeffrey@ansvar.ai
- Discussions: Share your use cases and workflow ideas
Performance & Statistics
Current Implementation:
- Code: ~2,000 lines TypeScript (10 source files)
- Tests: 105 test cases (100% passing)
- Database: ~360KB SQLite with FTS5 indexes
- Content: 99 items (33 regulation + 68 standard clauses)
- Mappings: 87 bidirectional R155 ↔ ISO 21434 mappings
- Query Speed: <2ms average
- Build Time: <500ms for full database rebuild
- Dependencies: MCP SDK + better-sqlite3 only
Important Disclaimers
⚖️ Legal & Compliance
Not Legal Advice: This tool provides access to regulatory text for informational purposes only. It does not constitute legal advice, compliance certification, or professional consultation. For official compliance decisions, consult qualified legal counsel or type approval authorities.
Official Sources: Always verify critical requirements against official UNECE publications and your jurisdiction's implementation of regulations.
Type Approval: Type approval decisions are made by recognized technical services and approval authorities, not by AI tools.
📊 Token Usage
Claude Desktop: This MCP can return large regulation articles (e.g., R155 Article 7 is 22KB). Be mindful of token usage if on limited plans.
Best Practice: Use specific queries rather than requesting entire regulations at once.
📜 ISO Standards
ISO 21434 Content: Full ISO 21434 text is copyright-protected and not included. We provide expert guidance summaries only. Purchase the official standard from ISO for complete requirements.
Official Standard: https://www.iso.org/standard/70918.html
Roadmap
✅ Phase 1 & 2 (Complete - v1.0.0)
- ✅ TypeScript MCP server with stdio transport
- ✅ SQLite database with FTS5 full-text search
- ✅ 5 core tools: list_sources, get_requirement, search_requirements, list_work_products, export_compliance_matrix
- ✅ Complete R155/R156 regulations - All 33 items (articles + annexes)
- ✅ ISO 21434 guidance - 25 clauses with expert guidance
- ✅ Cross-framework mappings - 87 bidirectional R155 ↔ ISO 21434 mappings
- ✅ Work products tool - ISO 21434 work product requirements by clause/phase
- ✅ Global standards - VDA TISAX, SAE J3061, AUTOSAR, Chinese GB/T
- ✅ Enterprise CI/CD with security scanning
- ✅ Comprehensive testing (105 tests, 100% pass rate)
📋 Phase 3 (Next - Q2 2026) - TARA Methodology
- TARA guidance tool - Threat analysis and risk assessment methodology
- Threat scenario library - 20+ automotive threat scenarios
- Attack feasibility ratings - ISO 21434 Annex G methodology
- Cybersecurity goals - CAL rating guidance
🎯 Phase 4 (Q3 2026) - Type Approval
- Type approval checklist - R155/R156 audit preparation
- Evidence generation - Compliance documentation
- Gap analysis - Compare implementation vs requirements
- ReqIF export - PLM system integration
Acknowledgments
- Built on the Model Context Protocol by Anthropic
- Follows patterns from the EU Compliance MCP reference implementation
- Regulatory content from UNECE and ISO (with appropriate licensing)
Version History
1.0.0 (2026-01-31) - Production-Ready with Global Market Coverage
🎉 Major Release - Complete Automotive Compliance Platform
Features:
- ✅ 5 MCP tools fully implemented and tested
- ✅ SQLite database with FTS5 full-text search (~360KB)
- ✅ 87 bidirectional cross-framework mappings (ISO 21434 ↔ R155)
- ✅ Work products tool with lifecycle phase filtering
- ✅ Compliance matrix export (CSV/Markdown)
- ✅ 105 tests, 100% pass rate
Content (99 items across 5 standards + 2 regulations):
- UNECE R155: 17 items - Complete with Annex 5 threat catalog
- UNECE R156: 16 items - Complete SUMS requirements
- ISO 21434: 25 clauses - Expert guidance, work products, R155 mappings
- VDA TISAX: 12 clauses - AL1-AL3 assessment levels
- SAE J3061: 7 clauses - Legacy guidebook compatibility
- AUTOSAR: 12 modules - SecOC, CSM, KeyM, IdsM, etc.
- Chinese GB/T: 12 clauses - GB/T 40857, 40856, 40855, GB 44495, CCC
Global Market Support:
- 🇪🇺 EU: R155/R156, ISO 21434, TISAX
- 🇺🇸 US: SAE J3061, ISO 21434
- 🇨🇳 China: GB/T standards, SM2/SM3/SM4 crypto, CCC certification
0.1.0 (2026-01-29) - Initial Release
Features:
- ✅ 3 core MCP tools (list_sources, get_requirement, search_requirements)
- ✅ Complete UNECE R155 and R156 regulation text
- ✅ ISO 21434 basic clause structure
- ✅ Enterprise CI/CD with security scanning
Acknowledgments
This project includes UNECE R155 and R156 regulation content sourced from the EU Compliance MCP project by Ansvar Systems. The EU Compliance MCP provides comprehensive access to 37 EU regulations including automotive cybersecurity standards.
Data Attribution:
- R155/R156 regulation text: Sourced from official UNECE documents via EU Compliance MCP
- License: Apache 2.0 (compatible with this project)
- Original source: https://github.com/Ansvar-Systems/EU_compliance_MCP
We thank the EU Compliance MCP team for their excellent work in making EU and UNECE regulations accessible via MCP protocol.