@bryan-thompson/inspector-assessment-cli 1.32.2 → 1.32.3

package/build/__tests__/security/security-pattern-count.test.js

@@ -0,0 +1,245 @@
+/**
+ * Security Pattern Count Consistency Tests
+ *
+ * Verifies that all references to security pattern count are consistent across:
+ * - CLI help messages
+ * - Console output
+ * - Configuration defaults
+ * - Documentation comments
+ *
+ * Addresses QA requirement: verify all references to security pattern count are consistent (30 patterns).
+ *
+ * NOTE: The DEFAULT_ASSESSMENT_CONFIG uses 8 patterns (for Anthropic's basic security testing).
+ * CLI tools override this to 30 patterns for comprehensive security assessment.
+ * This test verifies consistency within each context.
+ */
+import { describe, it, expect } from "@jest/globals";
+import * as fs from "fs";
+import * as path from "path";
+import { fileURLToPath } from "url";
+// Get the root directory of the project (one level up from cli/)
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const projectRoot = path.resolve(__dirname, "../../../.."); // From cli/src/__tests__/security to root
+describe("Security Pattern Count Consistency", () => {
+    describe("CLI assess-security references", () => {
+        it("should use consistent pattern count in assess-security.ts", () => {
+            const filePath = path.join(projectRoot, "cli/src/assess-security.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // Find all references to pattern count
+            const references = [
+                { match: /securityPatternsToTest:\s*(\d+)/, name: "config value" },
+                {
+                    match: /Running security assessment with (\d+) attack patterns/,
+                    name: "console log",
+                },
+                {
+                    match: /Run security assessment.*with (\d+) attack patterns/,
+                    name: "help text header",
+                },
+                {
+                    match: /Attack Patterns Tested \((\d+) total\)/,
+                    name: "help text section",
+                },
+            ];
+            const expectedCount = 30;
+            const findings = [];
+            for (const ref of references) {
+                const match = content.match(ref.match);
+                if (match && match[1]) {
+                    const count = parseInt(match[1], 10);
+                    findings.push({ name: ref.name, value: count });
+                    expect(count).toBe(expectedCount);
+                }
+            }
+            // Ensure we found at least 3 references (config + 2 messages)
+            expect(findings.length).toBeGreaterThanOrEqual(3);
+            // Verify all found references match
+            const allMatch = findings.every((f) => f.value === expectedCount);
+            expect(allMatch).toBe(true);
+        });
+        it("should document 30 patterns in help text", () => {
+            const filePath = path.join(projectRoot, "cli/src/assess-security.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // Verify help text explicitly mentions 30 patterns
+            expect(content).toContain("30 attack patterns");
+            expect(content).toContain("Attack Patterns Tested (30 total)");
+        });
+    });
+    describe("Configuration consistency", () => {
+        it("should use 8 patterns for DEFAULT_ASSESSMENT_CONFIG (Anthropic basic)", () => {
+            const filePath = path.join(projectRoot, "client/src/lib/assessment/configTypes.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // DEFAULT_ASSESSMENT_CONFIG should use 8 patterns (Anthropic's basic requirement)
+            const defaultConfigMatch = content.match(/DEFAULT_ASSESSMENT_CONFIG[\s\S]*?securityPatternsToTest:\s*(\d+)/);
+            expect(defaultConfigMatch).toBeTruthy();
+            if (defaultConfigMatch) {
+                const count = parseInt(defaultConfigMatch[1], 10);
+                expect(count).toBe(8);
+            }
+        });
+        it("should use 3 patterns for REVIEWER_MODE_CONFIG (fast review)", () => {
+            const filePath = path.join(projectRoot, "client/src/lib/assessment/configTypes.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // REVIEWER_MODE_CONFIG should use 3 patterns (optimized for speed)
+            const reviewerConfigMatch = content.match(/REVIEWER_MODE_CONFIG[\s\S]*?securityPatternsToTest:\s*(\d+)/);
+            expect(reviewerConfigMatch).toBeTruthy();
+            if (reviewerConfigMatch) {
+                const count = parseInt(reviewerConfigMatch[1], 10);
+                expect(count).toBe(3);
+            }
+        });
+        it("should use 8 patterns for DEVELOPER_MODE_CONFIG (comprehensive)", () => {
+            const filePath = path.join(projectRoot, "client/src/lib/assessment/configTypes.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // DEVELOPER_MODE_CONFIG should use 8 patterns (comprehensive testing)
+            const developerConfigMatch = content.match(/DEVELOPER_MODE_CONFIG[\s\S]*?securityPatternsToTest:\s*(\d+)/);
+            expect(developerConfigMatch).toBeTruthy();
+            if (developerConfigMatch) {
+                const count = parseInt(developerConfigMatch[1], 10);
+                expect(count).toBe(8);
+            }
+        });
+        it("should use 8 patterns for AUDIT_MODE_CONFIG (compliance)", () => {
+            const filePath = path.join(projectRoot, "client/src/lib/assessment/configTypes.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // AUDIT_MODE_CONFIG should use 8 patterns (compliance validation)
+            const auditConfigMatch = content.match(/AUDIT_MODE_CONFIG[\s\S]*?securityPatternsToTest:\s*(\d+)/);
+            expect(auditConfigMatch).toBeTruthy();
+            if (auditConfigMatch) {
+                const count = parseInt(auditConfigMatch[1], 10);
+                expect(count).toBe(8);
+            }
+        });
+        it("should use 8 patterns for CLAUDE_ENHANCED_AUDIT_CONFIG", () => {
+            const filePath = path.join(projectRoot, "client/src/lib/assessment/configTypes.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // CLAUDE_ENHANCED_AUDIT_CONFIG should use 8 patterns (enhanced validation)
+            const claudeConfigMatch = content.match(/CLAUDE_ENHANCED_AUDIT_CONFIG[\s\S]*?securityPatternsToTest:\s*(\d+)/);
+            expect(claudeConfigMatch).toBeTruthy();
+            if (claudeConfigMatch) {
+                const count = parseInt(claudeConfigMatch[1], 10);
+                expect(count).toBe(8);
+            }
+        });
+    });
+    describe("Documentation consistency", () => {
+        it("should reference correct pattern counts in config comments", () => {
+            const filePath = path.join(projectRoot, "client/src/lib/assessment/configTypes.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // Check inline comments for pattern counts
+            // Default: "default all 8" or "default 8"
+            expect(content).toMatch(/securityPatternsToTest\?\s*:\s*number;.*default.*8/i);
+            // Reviewer mode: "Test only 3 critical"
+            expect(content).toMatch(/securityPatternsToTest:\s*3;.*3 critical/i);
+            // Developer/audit modes: "all security patterns" or "all 8"
+            expect(content).toMatch(/securityPatternsToTest:\s*8;.*all.*8|8.*patterns/i);
+        });
+        it("should document pattern count in help text comments", () => {
+            const filePath = path.join(projectRoot, "cli/src/assess-security.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // CLI uses 30 patterns (expanded from base 8)
+            expect(content).toContain("30 attack patterns");
+            expect(content).toContain("(30 total)");
+        });
+    });
+    describe("Cross-file consistency", () => {
+        it("should have matching pattern counts between related files", () => {
+            // assess-security.ts: 30 patterns (CLI override)
+            const assessSecurityPath = path.join(projectRoot, "cli/src/assess-security.ts");
+            const assessSecurityContent = fs.readFileSync(assessSecurityPath, "utf-8");
+            const assessSecurityMatch = assessSecurityContent.match(/securityPatternsToTest:\s*(\d+)/);
+            expect(assessSecurityMatch).toBeTruthy();
+            if (assessSecurityMatch) {
+                const cliCount = parseInt(assessSecurityMatch[1], 10);
+                expect(cliCount).toBe(30); // CLI uses 30 patterns
+            }
+            // configTypes.ts: 8 patterns default (Anthropic basic)
+            const configTypesPath = path.join(projectRoot, "client/src/lib/assessment/configTypes.ts");
+            const configTypesContent = fs.readFileSync(configTypesPath, "utf-8");
+            const configMatch = configTypesContent.match(/DEFAULT_ASSESSMENT_CONFIG[\s\S]*?securityPatternsToTest:\s*(\d+)/);
+            expect(configMatch).toBeTruthy();
+            if (configMatch) {
+                const defaultCount = parseInt(configMatch[1], 10);
+                expect(defaultCount).toBe(8); // Default uses 8 patterns
+            }
+        });
+        it("should match pattern count in estimators comment", () => {
+            const estimatorsPath = path.join(projectRoot, "client/src/services/assessment/registry/estimators.ts");
+            if (fs.existsSync(estimatorsPath)) {
+                const content = fs.readFileSync(estimatorsPath, "utf-8");
+                // Verify comment mentions "default 8" for security patterns
+                expect(content).toMatch(/Security assessor:.*securityPatternsToTest.*default 8/i);
+                // Verify fallback value is 8
+                const fallbackMatch = content.match(/securityPatternsToTest.*\?\?.*(\d+)/);
+                if (fallbackMatch) {
+                    const fallback = parseInt(fallbackMatch[1], 10);
+                    expect(fallback).toBe(8);
+                }
+            }
+        });
+    });
+    describe("Pattern count validation rules", () => {
+        it("should enforce consistent pattern counts across contexts", () => {
+            // Rule: CLI tools use 30 patterns (comprehensive security testing)
+            // Rule: Default config uses 8 patterns (Anthropic basic requirement)
+            // Rule: Reviewer mode uses 3 patterns (fast reviews)
+            // Rule: Developer/Audit modes use 8 patterns (comprehensive validation)
+            const rules = {
+                cli: 30,
+                default: 8,
+                reviewer: 3,
+                developer: 8,
+                audit: 8,
+            };
+            // This test documents the expected pattern counts for each context
+            expect(rules.cli).toBe(30);
+            expect(rules.default).toBe(8);
+            expect(rules.reviewer).toBe(3);
+            expect(rules.developer).toBe(8);
+            expect(rules.audit).toBe(8);
+        });
+        it("should validate CLI pattern count matches help text", () => {
+            const filePath = path.join(projectRoot, "cli/src/assess-security.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // Extract config value
+            const configMatch = content.match(/securityPatternsToTest:\s*(\d+)/);
+            expect(configMatch).toBeTruthy();
+            // Extract help text values
+            const helpMatches = [
+                ...content.matchAll(/(\d+) attack patterns/gi),
+                ...content.matchAll(/\((\d+) total\)/gi),
+            ];
+            // All should reference 30
+            const expectedCount = 30;
+            if (configMatch) {
+                expect(parseInt(configMatch[1], 10)).toBe(expectedCount);
+            }
+            for (const match of helpMatches) {
+                if (match[1]) {
+                    expect(parseInt(match[1], 10)).toBe(expectedCount);
+                }
+            }
+        });
+    });
+    describe("Edge cases and error scenarios", () => {
+        it("should handle missing pattern count gracefully", () => {
+            // This test verifies that even if config is missing securityPatternsToTest,
+            // the system has documented defaults
+            const configTypesPath = path.join(projectRoot, "client/src/lib/assessment/configTypes.ts");
+            const content = fs.readFileSync(configTypesPath, "utf-8");
+            // Verify comment documents the default value
+            expect(content).toMatch(/securityPatternsToTest.*default.*8/i);
+        });
+        it("should document pattern count semantics clearly", () => {
+            const filePath = path.join(projectRoot, "cli/src/assess-security.ts");
+            const content = fs.readFileSync(filePath, "utf-8");
+            // Help text should clearly state what "30 patterns" means
+            expect(content).toContain("Attack Patterns Tested");
+            expect(content).toContain("30 total");
+            // Should list pattern categories for clarity
+            expect(content).toContain("Command Injection");
+            expect(content).toContain("SQL Injection");
+        });
+    });
+});

package/build/assess-security.js

@@ -11,8 +11,13 @@
  */
 import * as fs from "fs";
 import * as path from "path";
-import * as os from "os";
 import { execSync } from "child_process";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+// Import shared server config loading (Issue #84 - Zod validation)
+import { loadServerConfig } from "./lib/assessment-runner/server-config.js";
 /**
  * Validate that a command is safe to execute
  * - Must be an absolute path or resolvable via PATH
@@ -69,81 +74,10 @@ function validateEnvVars(env) {
     }
     return validatedEnv;
 }
-/**
- * Safely parse JSON with error handling
- */
-function safeJsonParse(content, filePath) {
-    try {
-        return JSON.parse(content);
-    }
-    catch (error) {
-        throw new Error(`Failed to parse JSON from ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
-    }
-}
-import { Client } from "@modelcontextprotocol/sdk/client/index.js";
-import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
-import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
-import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 // Import from local client lib (will use package exports when published)
 import { SecurityAssessor } from "../../client/lib/services/assessment/modules/SecurityAssessor.js";
 import { DEFAULT_ASSESSMENT_CONFIG, } from "../../client/lib/lib/assessmentTypes.js";
 import { loadPerformanceConfig } from "../../client/lib/services/assessment/config/performanceConfig.js";
-/**
- * Load server configuration from Claude Code's MCP settings
- */
-function loadServerConfig(serverName, configPath) {
-    const possiblePaths = [
-        configPath,
-        path.join(os.homedir(), ".config", "mcp", "servers", `${serverName}.json`),
-        path.join(os.homedir(), ".config", "claude", "claude_desktop_config.json"),
-    ].filter(Boolean);
-    for (const tryPath of possiblePaths) {
-        if (!fs.existsSync(tryPath))
-            continue;
-        const rawConfig = safeJsonParse(fs.readFileSync(tryPath, "utf-8"), tryPath);
-        // Type guard: check if it's a Claude Desktop config with mcpServers
-        if (rawConfig &&
-            typeof rawConfig === "object" &&
-            "mcpServers" in rawConfig) {
-            const desktopConfig = rawConfig;
-            const serverConfig = desktopConfig.mcpServers?.[serverName];
-            if (serverConfig) {
-                return {
-                    transport: "stdio",
-                    command: serverConfig.command,
-                    args: serverConfig.args || [],
-                    env: serverConfig.env || {},
-                };
-            }
-        }
-        // Type guard: check if it's a direct config file
-        if (rawConfig && typeof rawConfig === "object") {
-            const directConfig = rawConfig;
-            // Check for HTTP/SSE transport
-            if (directConfig.url ||
-                directConfig.transport === "http" ||
-                directConfig.transport === "sse") {
-                if (!directConfig.url) {
-                    throw new Error(`Invalid server config: transport is '${directConfig.transport}' but 'url' is missing`);
-                }
-                return {
-                    transport: directConfig.transport || "http",
-                    url: directConfig.url,
-                };
-            }
-            // Check for stdio transport
-            if (directConfig.command) {
-                return {
-                    transport: "stdio",
-                    command: directConfig.command,
-                    args: directConfig.args || [],
-                    env: directConfig.env || {},
-                };
-            }
-        }
-    }
-    throw new Error(`Server config not found for: ${serverName}\nTried: ${possiblePaths.join(", ")}`);
-}
 /**
  * Connect to MCP server via configured transport
  */
@@ -263,7 +197,7 @@ async function runSecurityAssessment(options) {
     }
     const config = {
         ...DEFAULT_ASSESSMENT_CONFIG,
-        securityPatternsToTest: 17,
+        securityPatternsToTest: 30,
         reviewerMode: false,
         testTimeout: 30000,
     };
@@ -273,7 +207,7 @@ async function runSecurityAssessment(options) {
         callTool: createCallToolWrapper(client),
         config,
     };
-    console.log(`🛡️  Running security assessment with 23 attack patterns...`);
+    console.log(`🛡️  Running security assessment with 30 attack patterns...`);
     const assessor = new SecurityAssessor(config);
     const results = await assessor.assess(context);
     await client.close();
@@ -392,7 +326,7 @@ function printHelp() {
     console.log(`
 Usage: mcp-assess-security [options] [server-name]
 
-Run security assessment against an MCP server with 23 attack patterns.
+Run security assessment against an MCP server with 30 attack patterns.
 
 Options:
   --server, -s <name>    Server name (required, or pass as first positional arg)
@@ -403,12 +337,12 @@ Options:
   --verbose, -v          Enable verbose logging
   --help, -h             Show this help message
 
-Attack Patterns Tested (23 total):
+Attack Patterns Tested (30 total):
   • Command Injection, SQL Injection, Path Traversal
   • Calculator Injection, Code Execution, XXE
   • Data Exfiltration, Token Theft, NoSQL Injection
   • Unicode Bypass, Nested Injection, Package Squatting
-  • And more...
+  • Session Management, Auth Bypass, and more...
 
 Examples:
   mcp-assess-security my-server

package/build/lib/assessment-runner/__tests__/server-config.test.js

@@ -0,0 +1,116 @@
+/**
+ * Tests for server-config.ts Zod validation integration (Issue #84)
+ *
+ * Verifies that loadServerConfig() correctly validates config files
+ * using Zod schemas and provides helpful error messages.
+ */
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { loadServerConfig } from "../server-config.js";
+describe("loadServerConfig with Zod validation", () => {
+    const tmpDir = os.tmpdir();
+    let testConfigPath;
+    beforeEach(() => {
+        testConfigPath = path.join(tmpDir, `test-config-${Date.now()}.json`);
+    });
+    afterEach(() => {
+        // Clean up test config files
+        if (fs.existsSync(testConfigPath)) {
+            fs.unlinkSync(testConfigPath);
+        }
+    });
+    describe("valid configurations", () => {
+        it("should load valid HTTP config", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                transport: "http",
+                url: "http://localhost:8080/mcp",
+            }));
+            const config = loadServerConfig("test-server", testConfigPath);
+            expect(config.transport).toBe("http");
+            expect(config.url).toBe("http://localhost:8080/mcp");
+        });
+        it("should load valid SSE config", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                transport: "sse",
+                url: "http://localhost:8080/sse",
+            }));
+            const config = loadServerConfig("test-server", testConfigPath);
+            expect(config.transport).toBe("sse");
+            expect(config.url).toBe("http://localhost:8080/sse");
+        });
+        it("should load valid stdio config", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                command: "/usr/bin/node",
+                args: ["server.js"],
+                env: { NODE_ENV: "production" },
+            }));
+            const config = loadServerConfig("test-server", testConfigPath);
+            expect(config.transport).toBe("stdio");
+            expect(config.command).toBe("/usr/bin/node");
+            expect(config.args).toEqual(["server.js"]);
+            expect(config.env).toEqual({ NODE_ENV: "production" });
+        });
+        it("should load config from Claude Desktop format", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                mcpServers: {
+                    "my-server": {
+                        command: "/usr/bin/python",
+                        args: ["-m", "mcp_server"],
+                    },
+                },
+            }));
+            const config = loadServerConfig("my-server", testConfigPath);
+            expect(config.transport).toBe("stdio");
+            expect(config.command).toBe("/usr/bin/python");
+            expect(config.args).toEqual(["-m", "mcp_server"]);
+        });
+        it("should default HTTP transport when url present without transport field", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                url: "http://localhost:8080/mcp",
+            }));
+            const config = loadServerConfig("test-server", testConfigPath);
+            expect(config.transport).toBe("http");
+            expect(config.url).toBe("http://localhost:8080/mcp");
+        });
+    });
+    describe("invalid configurations with Zod validation errors", () => {
+        it("should throw Zod error for invalid URL", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                transport: "http",
+                url: "not-a-valid-url",
+            }));
+            expect(() => loadServerConfig("test-server", testConfigPath)).toThrow(/url must be a valid URL/);
+        });
+        it("should throw Zod error for empty command in stdio config", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                command: "",
+            }));
+            expect(() => loadServerConfig("test-server", testConfigPath)).toThrow(/command is required/);
+        });
+        it("should include config source in error message", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                transport: "http",
+                url: "invalid",
+            }));
+            expect(() => loadServerConfig("test-server", testConfigPath)).toThrow(new RegExp(testConfigPath));
+        });
+    });
+    describe("error handling", () => {
+        it("should throw for invalid JSON", () => {
+            fs.writeFileSync(testConfigPath, "not valid json {");
+            expect(() => loadServerConfig("test-server", testConfigPath)).toThrow(/Invalid JSON/);
+        });
+        it("should throw for missing config file", () => {
+            expect(() => loadServerConfig("nonexistent-server", "/nonexistent/path.json")).toThrow(/Server config not found/);
+        });
+        it("should throw for server not in Claude Desktop config", () => {
+            fs.writeFileSync(testConfigPath, JSON.stringify({
+                mcpServers: {
+                    "other-server": { command: "node" },
+                },
+            }));
+            expect(() => loadServerConfig("missing-server", testConfigPath)).toThrow(/Server config not found/);
+        });
+    });
+});

package/build/lib/assessment-runner/assessment-executor.js

@@ -9,7 +9,7 @@ import * as fs from "fs";
 import * as path from "path";
 import { AssessmentOrchestrator, } from "../../../../client/lib/services/assessment/AssessmentOrchestrator.js";
 import { AssessmentStateManager } from "../../assessmentState.js";
-import { emitServerConnected, emitToolDiscovered, emitToolsDiscoveryComplete, emitAssessmentComplete, emitTestBatch, emitVulnerabilityFound, emitAnnotationMissing, emitAnnotationMisaligned, emitAnnotationReviewRecommended, emitAnnotationAligned, emitModulesConfigured, } from "../jsonl-events.js";
+import { emitServerConnected, emitToolDiscovered, emitToolsDiscoveryComplete, emitAssessmentComplete, emitTestBatch, emitVulnerabilityFound, emitAnnotationMissing, emitAnnotationMisaligned, emitAnnotationReviewRecommended, emitAnnotationAligned, emitModulesConfigured, emitPhaseStarted, emitPhaseComplete, emitToolTestComplete, emitValidationSummary, } from "../jsonl-events.js";
 import { loadServerConfig } from "./server-config.js";
 import { loadSourceFiles } from "./source-loader.js";
 import { connectToServer } from "./server-connection.js";
@@ -29,6 +29,9 @@ export async function runFullAssessment(options) {
     if (!options.jsonOnly) {
         console.log("✅ Server config loaded");
     }
+    // Phase 1: Discovery
+    const discoveryStart = Date.now();
+    emitPhaseStarted("discovery");
     const client = await connectToServer(serverConfig);
     emitServerConnected(options.serverName, serverConfig.transport || "stdio");
     if (!options.jsonOnly) {
@@ -117,6 +120,8 @@ export async function runFullAssessment(options) {
             console.log("💬 Prompts not supported by server");
         }
     }
+    // End of discovery phase
+    emitPhaseComplete("discovery", Date.now() - discoveryStart);
     // State management for resumable assessments
     const stateManager = new AssessmentStateManager(options.serverName);
     if (stateManager.exists() && !options.noResume) {
@@ -239,7 +244,14 @@ export async function runFullAssessment(options) {
         else if (event.type === "annotation_aligned") {
             emitAnnotationAligned(event.tool, event.confidence, event.annotations);
         }
+        else if (event.type === "tool_test_complete") {
+            emitToolTestComplete(event.tool, event.module, event.scenariosPassed, event.scenariosExecuted, event.confidence, event.status, event.executionTime);
+        }
+        else if (event.type === "validation_summary") {
+            emitValidationSummary(event.tool, event.wrongType, event.missingRequired, event.extraParams, event.nullValues, event.invalidValues);
+        }
         // module_started and module_complete are handled by orchestrator directly
+        // phase_started and phase_complete are emitted directly (not via callback)
     };
     const context = {
         serverName: options.serverName,
@@ -267,7 +279,12 @@ export async function runFullAssessment(options) {
         console.log(`\n🏃 Running assessment with ${Object.keys(config.assessmentCategories || {}).length} modules...`);
         console.log("");
     }
+    // Phase 2: Assessment
+    const assessmentStart = Date.now();
+    emitPhaseStarted("assessment");
     const results = await orchestrator.runFullAssessment(context);
+    // End of assessment phase
+    emitPhaseComplete("assessment", Date.now() - assessmentStart);
     // Emit assessment complete event
     const defaultOutputPath = `/tmp/inspector-full-assessment-${options.serverName}.json`;
     emitAssessmentComplete(results.overallStatus, results.totalTestsRun, results.executionTime, options.outputPath || defaultOutputPath);

package/build/lib/assessment-runner/config-builder.js

@@ -8,6 +8,7 @@
 import { DEFAULT_ASSESSMENT_CONFIG, getAllModulesConfig, } from "../../../../client/lib/lib/assessmentTypes.js";
 import { FULL_CLAUDE_CODE_CONFIG } from "../../../../client/lib/services/assessment/lib/claudeCodeBridge.js";
 import { loadPerformanceConfig } from "../../../../client/lib/services/assessment/config/performanceConfig.js";
+import { safeParseAssessmentConfig } from "../../../../client/lib/lib/assessment/configSchemas.js";
 import { getProfileModules, resolveModuleNames, modulesToLegacyConfig, } from "../../profiles.js";
 /**
  * Build assessment configuration from CLI options
@@ -139,5 +140,14 @@ export function buildConfig(options) {
             "This will be required in v2.0.0. " +
             "See docs/DEPRECATION_GUIDE.md for migration info.");
     }
+    // Validate built config with Zod schema (Issue #84)
+    // Warning only - maintains backward compatibility with existing configs
+    const validation = safeParseAssessmentConfig(config);
+    if (!validation.success) {
+        const issues = validation.error.issues
+            .map((i) => `${i.path.join(".")}: ${i.message}`)
+            .join(", ");
+        console.warn(`⚠️  Config validation warning: ${issues}`);
+    }
     return config;
 }