@bryan-thompson/inspector-assessment-cli 1.43.3 → 1.43.5

package/build/assess-full.js

@@ -20,6 +20,8 @@ import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/
 import { AssessmentOrchestrator, } from "../../client/lib/services/assessment/AssessmentOrchestrator.js";
 import { DEFAULT_ASSESSMENT_CONFIG, } from "../../client/lib/lib/assessmentTypes.js";
 import { FULL_CLAUDE_CODE_CONFIG } from "../../client/lib/services/assessment/lib/claudeCodeBridge.js";
+// Use modular CLI parser with full flag support (30+ flags)
+import { parseArgs, } from "./lib/cli-parser.js";
 /**
  * Load server configuration from Claude Code's MCP settings
  */
@@ -257,7 +259,17 @@ async function runFullAssessment(options) {
     if (!options.jsonOnly) {
         console.log(`\n🔍 Starting full assessment for: ${options.serverName}`);
     }
-    const serverConfig = loadServerConfig(options.serverName, options.serverConfigPath);
+    // Build server config from --http/--sse flags or config file
+    let serverConfig;
+    if (options.httpUrl) {
+        serverConfig = { transport: "http", url: options.httpUrl };
+    }
+    else if (options.sseUrl) {
+        serverConfig = { transport: "sse", url: options.sseUrl };
+    }
+    else {
+        serverConfig = loadServerConfig(options.serverName, options.serverConfigPath);
+    }
     if (!options.jsonOnly) {
         console.log("✅ Server config loaded");
     }
@@ -423,126 +435,13 @@ function displaySummary(results) {
     }
     console.log("\n" + "=".repeat(70));
 }
-/**
- * Parse command-line arguments
- */
-function parseArgs() {
-    const args = process.argv.slice(2);
-    const options = {};
-    for (let i = 0; i < args.length; i++) {
-        const arg = args[i];
-        if (!arg)
-            continue;
-        switch (arg) {
-            case "--server":
-            case "-s":
-                options.serverName = args[++i];
-                break;
-            case "--config":
-            case "-c":
-                options.serverConfigPath = args[++i];
-                break;
-            case "--output":
-            case "-o":
-                options.outputPath = args[++i];
-                break;
-            case "--source":
-                options.sourceCodePath = args[++i];
-                break;
-            case "--claude-enabled":
-                options.claudeEnabled = true;
-                break;
-            case "--full":
-                options.fullAssessment = true;
-                break;
-            case "--audit-mode":
-                options.auditMode = true;
-                break;
-            case "--verbose":
-            case "-v":
-                options.verbose = true;
-                break;
-            case "--json":
-                options.jsonOnly = true;
-                break;
-            case "--help":
-            case "-h":
-                printHelp();
-                options.helpRequested = true;
-                return options;
-            default:
-                if (!arg.startsWith("-")) {
-                    if (!options.serverName) {
-                        options.serverName = arg;
-                    }
-                }
-                else {
-                    console.error(`Unknown argument: ${arg}`);
-                    printHelp();
-                    setTimeout(() => process.exit(1), 10);
-                    options.helpRequested = true;
-                    return options;
-                }
-        }
-    }
-    if (!options.serverName) {
-        console.error("Error: --server is required");
-        printHelp();
-        setTimeout(() => process.exit(1), 10);
-        options.helpRequested = true;
-        return options;
-    }
-    return options;
-}
-/**
- * Print help message
- */
-function printHelp() {
-    console.log(`
-Usage: mcp-assess-full [options] [server-name]
-
-Run comprehensive MCP server assessment with all 11 assessor modules.
-
-Options:
-  --server, -s <name>    Server name (required, or pass as first positional arg)
-  --config, -c <path>    Path to server config JSON
-  --output, -o <path>    Output JSON path (default: /tmp/inspector-full-assessment-<server>.json)
-  --source <path>        Source code path for deep analysis (AUP, portability, etc.)
-  --claude-enabled       Enable Claude Code integration for intelligent analysis
-  --full                 Enable all assessment modules (default)
-  --audit-mode           Run only high-value modules for automated MCP auditing
-                         (Functionality, Security, ErrorHandling, MCPSpecCompliance, ToolAnnotations)
-                         Reduces false positives and includes audit summary in output
-  --json                 Output only JSON (no console summary)
-  --verbose, -v          Enable verbose logging
-  --help, -h             Show this help message
-
-Assessment Modules (11 total):
-  • Functionality      - Tests all tools work correctly
-  • Security           - Prompt injection & vulnerability testing
-  • Documentation      - README completeness checks
-  • Error Handling     - Validates error responses
-  • Usability          - Input validation & UX
-  • MCP Spec           - Protocol compliance
-  • AUP Compliance     - Acceptable Use Policy checks
-  • Tool Annotations   - readOnlyHint/destructiveHint validation
-  • Prohibited Libs    - Dependency security checks
-  • Manifest           - MCPB manifest.json validation
-  • Portability        - Cross-platform compatibility
-
-Examples:
-  mcp-assess-full my-server
-  mcp-assess-full --server broken-mcp --claude-enabled
-  mcp-assess-full --server my-server --source ./my-server --output ./results.json
-  `);
-}
 /**
  * Main execution
  */
 async function main() {
     try {
         const options = parseArgs();
-        if (options.helpRequested) {
+        if (options.helpRequested || options.versionRequested || options.listModules) {
             return;
         }
         const results = await runFullAssessment(options);
@@ -550,8 +449,13 @@ async function main() {
             displaySummary(results);
         }
         // Determine transport type for audit summary
-        const serverConfig = loadServerConfig(options.serverName, options.serverConfigPath);
-        const outputPath = saveResults(options.serverName, results, options.outputPath, serverConfig.transport || "stdio");
+        const transportType = options.httpUrl
+            ? "http"
+            : options.sseUrl
+                ? "sse"
+                : loadServerConfig(options.serverName, options.serverConfigPath)
+                    .transport || "stdio";
+        const outputPath = saveResults(options.serverName, results, options.outputPath, transportType);
         if (options.jsonOnly) {
             console.log(outputPath);
         }

package/build/lib/cli-parser.js

@@ -316,6 +316,11 @@ export function parseArgs(argv) {
                 // Issue #137: Stage B enrichment for Claude semantic analysis
                 options.stageBVerbose = true;
                 break;
+            case "--audit-mode":
+                // Reduced false positives for automated MCP auditing
+                options.auditMode = true;
+                options.profile = "audit";
+                break;
             case "--static-only":
                 // Issue #213: Static-only assessment without server connection
                 options.staticOnly = true;
@@ -417,6 +422,13 @@ export function parseArgs(argv) {
         options.helpRequested = true;
         return options;
     }
+    // Validate mutual exclusivity of --audit-mode with --profile (audit-mode sets profile internally)
+    if (options.auditMode && options.profile && options.profile !== "audit") {
+        console.error("Error: --audit-mode cannot be used with --profile (audit mode sets its own profile)");
+        setTimeout(() => process.exit(1), 10);
+        options.helpRequested = true;
+        return options;
+    }
     // Validate mutual exclusivity of --module with orchestrator options (Issue #184)
     if (options.singleModule &&
         (options.skipModules?.length ||
@@ -547,7 +559,8 @@ Options:
   --claude-http          Enable Claude Code via HTTP transport (connects to mcp-auditor proxy)
   --mcp-auditor-url <url>  mcp-auditor URL for HTTP transport (default: http://localhost:8085)
   --full                 Enable all assessment modules (default)
-  --profile <name>       Use predefined module profile (quick, security, compliance, full, dev)
+  --audit-mode           Reduced false positives for automated MCP auditing (sets --profile audit)
+  --profile <name>       Use predefined module profile (quick, security, compliance, full, dev, audit)
   --temporal-invocations <n>  Number of invocations per tool for rug pull detection (default: 3)
   --skip-temporal        Skip temporal/rug pull testing (faster assessment)
   --conformance          Enable official MCP conformance tests (experimental, requires HTTP/SSE transport)

package/build/lib/cli-parserSchemas.js

@@ -24,6 +24,7 @@ export const AssessmentProfileNameSchema = z.enum([
     "full",
     "dev",
     "all",
+    "audit",
 ]);
 /**
  * Valid assessment module names.

package/build/lib/result-output.js

@@ -303,6 +303,27 @@ export function displaySummary(results) {
             console.log(`   • ${rec}`);
         }
     }
+    // Audit mode summary
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const auditAnalysis = security?.auditAnalysis;
+    if (auditAnalysis) {
+        console.log("\n🔍 AUDIT ANALYSIS (reduced false positives):");
+        if (auditAnalysis.highConfidenceVulnerabilities?.length > 0) {
+            console.log(`   🚨 High-confidence vulnerabilities: ${auditAnalysis.highConfidenceVulnerabilities.length}`);
+            for (const vuln of auditAnalysis.highConfidenceVulnerabilities.slice(0, 5)) {
+                console.log(`      • ${vuln}`);
+            }
+        }
+        else {
+            console.log("   ✅ No high-confidence vulnerabilities detected");
+        }
+        if (auditAnalysis.needsReview?.length > 0) {
+            console.log(`   ⚠️  Needs manual review: ${auditAnalysis.needsReview.length}`);
+            for (const item of auditAnalysis.needsReview.slice(0, 3)) {
+                console.log(`      • ${item}`);
+            }
+        }
+    }
     console.log("\n" + "=".repeat(70));
 }
 // ============================================================================

package/build/profiles.js

@@ -160,6 +160,20 @@ export const ASSESSMENT_PROFILES = {
      * Includes: Tier 1-4 + opt-in (prohibitedLibraries, manifestValidation, etc.)
      */
     all: [...ALL_MODULES],
+    /**
+     * Audit profile: Optimized for automated MCP auditing with reduced false positives
+     * Use when: --audit-mode flag, CI/CD pipeline audits
+     * Time: ~8-12 minutes
+     * Includes: Core security + compliance + capability + tool annotations
+     */
+    audit: [
+        "functionality",
+        "security",
+        "errorHandling",
+        "protocolCompliance",
+        "aupCompliance",
+        "toolAnnotations",
+    ],
 };
 export const PROFILE_METADATA = {
     quick: {
@@ -214,6 +228,12 @@ export const PROFILE_METADATA = {
             "Opt-In",
         ],
     },
+    audit: {
+        description: "Automated MCP auditing with reduced false positives (--audit-mode)",
+        estimatedTime: "~8-12 minutes",
+        moduleCount: ASSESSMENT_PROFILES.audit.length,
+        tiers: ["Tier 1 (Core Security)", "Tier 2 (Compliance, partial)"],
+    },
 };
 /**
  * Resolve module names, applying aliases for deprecated names.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-cli",
-  "version": "1.43.3",
+  "version": "1.43.5",
   "description": "CLI for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",