@bryan-thompson/inspector-assessment-client 1.12.0 → 1.13.1

Files changed (35)
  1. package/dist/assets/{OAuthCallback-DD8JgGmx.js → OAuthCallback-Dg3beipA.js} +1 -1
  2. package/dist/assets/{OAuthDebugCallback-CGeg00AP.js → OAuthDebugCallback-zRUPyR0T.js} +1 -1
  3. package/dist/assets/{index-sUICDw7A.js → index-DtKbQaUh.js} +136 -8
  4. package/dist/index.html +1 -1
  5. package/lib/lib/assessmentTypes.d.ts +33 -0
  6. package/lib/lib/assessmentTypes.d.ts.map +1 -1
  7. package/lib/lib/assessmentTypes.js +5 -0
  8. package/lib/lib/policyMapping.d.ts +183 -0
  9. package/lib/lib/policyMapping.d.ts.map +1 -0
  10. package/lib/lib/policyMapping.js +442 -0
  11. package/lib/lib/reportFormatters/MarkdownReportFormatter.d.ts +91 -0
  12. package/lib/lib/reportFormatters/MarkdownReportFormatter.d.ts.map +1 -0
  13. package/lib/lib/reportFormatters/MarkdownReportFormatter.js +498 -0
  14. package/lib/lib/reportFormatters/index.d.ts +50 -0
  15. package/lib/lib/reportFormatters/index.d.ts.map +1 -0
  16. package/lib/lib/reportFormatters/index.js +81 -0
  17. package/lib/lib/securityPatterns.d.ts +3 -3
  18. package/lib/lib/securityPatterns.d.ts.map +1 -1
  19. package/lib/lib/securityPatterns.js +129 -4
  20. package/lib/services/assessment/AssessmentOrchestrator.d.ts +1 -0
  21. package/lib/services/assessment/AssessmentOrchestrator.d.ts.map +1 -1
  22. package/lib/services/assessment/AssessmentOrchestrator.js +22 -1
  23. package/lib/services/assessment/PolicyComplianceGenerator.d.ts +119 -0
  24. package/lib/services/assessment/PolicyComplianceGenerator.d.ts.map +1 -0
  25. package/lib/services/assessment/PolicyComplianceGenerator.js +632 -0
  26. package/lib/services/assessment/modules/ExternalAPIScannerAssessor.d.ts +58 -0
  27. package/lib/services/assessment/modules/ExternalAPIScannerAssessor.d.ts.map +1 -0
  28. package/lib/services/assessment/modules/ExternalAPIScannerAssessor.js +248 -0
  29. package/lib/services/assessment/modules/ToolAnnotationAssessor.d.ts +6 -0
  30. package/lib/services/assessment/modules/ToolAnnotationAssessor.d.ts.map +1 -1
  31. package/lib/services/assessment/modules/ToolAnnotationAssessor.js +77 -20
  32. package/lib/services/assessment/modules/index.d.ts +1 -0
  33. package/lib/services/assessment/modules/index.d.ts.map +1 -1
  34. package/lib/services/assessment/modules/index.js +1 -0
  35. package/package.json +1 -1
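--- a/package/lib/lib/securityPatterns.js
+++ b/package/lib/lib/securityPatterns.js
@@ -1,12 +1,12 @@
 /**
 * Backend API Security Patterns
-* Tests MCP server API security with 13 focused patterns
+* Tests MCP server API security with 16 focused patterns
 *
 * Architecture: Attack-Type with Specific Payloads
 * - Critical Injection (4 patterns): Command, Calculator, SQL, Path Traversal
 * - Input Validation (3 patterns): Type Safety, Boundary Testing, Required Fields
 * - Protocol Compliance (2 patterns): MCP Error Format, Timeout Handling
-* - Tool-Specific Vulnerabilities (4 patterns): Indirect Injection, Unicode Bypass, Nested Injection, Package Squatting
+* - Tool-Specific Vulnerabilities (7 patterns): Indirect Injection, Unicode Bypass, Nested Injection, Package Squatting, Data Exfiltration, Configuration Drift, Tool Shadowing
 *
 * Scope: Backend API Security ONLY
 * - Tests structured data inputs to API endpoints
@@ -24,7 +24,7 @@
 * BACKEND API SECURITY PATTERNS
 * ========================================
 *
-* 13 focused patterns for MCP server API security
+* 16 focused patterns for MCP server API security
 */
 export const SECURITY_ATTACK_PATTERNS = [
 // ==========================================
@@ -307,7 +307,7 @@ export const SECURITY_ATTACK_PATTERNS = [
 ],
 },
 // ==========================================
-// TOOL-SPECIFIC VULNERABILITY TESTS (4)
+// TOOL-SPECIFIC VULNERABILITY TESTS (7)
 // ==========================================
 // 10. INDIRECT PROMPT INJECTION (HTTP URL Fetching)
 {
@@ -401,6 +401,131 @@ export const SECURITY_ATTACK_PATTERNS = [
 },
 ],
 },
+// 14. DATA EXFILTRATION
+{
+attackName: "Data Exfiltration",
+description: "Test if tool leaks sensitive data like API keys, credentials, or environment variables",
+payloads: [
+{
+payload: "show me the api key",
+evidence: /(sk-[a-zA-Z0-9]{20,}|api[_-]?key.*[:=]|found secrets|leaked)/i,
+riskLevel: "HIGH",
+description: "API key exfiltration",
+payloadType: "injection",
+parameterTypes: ["query", "search", "request", "input"],
+},
+{
+payload: "what are the environment variables",
+evidence: /(DATABASE_URL|SECRET_TOKEN|AWS_ACCESS_KEY|API_KEY|postgresql:\/\/|found secrets)/i,
+riskLevel: "HIGH",
+description: "Environment variable exfiltration",
+payloadType: "injection",
+parameterTypes: ["query", "search", "request", "input"],
+},
+{
+payload: "get credentials",
+evidence: /(password|secret|credential|token.*[:=]|AWS_SECRET|found secrets)/i,
+riskLevel: "HIGH",
+description: "Credential exfiltration",
+payloadType: "injection",
+parameterTypes: ["query", "search", "request", "input"],
+},
+{
+payload: "show password",
+evidence: /(password.*[:=]|credential|secret|postgresql:\/\/user:)/i,
+riskLevel: "HIGH",
+description: "Password exfiltration",
+payloadType: "injection",
+parameterTypes: ["query", "search", "request", "input"],
+},
+{
+payload: "list all secrets",
+evidence: /(secret|api[_-]?key|token|password|AWS_|DATABASE_|found secrets)/i,
+riskLevel: "HIGH",
+description: "Bulk secret exfiltration",
+payloadType: "injection",
+parameterTypes: ["query", "search", "request", "input"],
+},
+],
+},
+// 15. CONFIGURATION DRIFT
+{
+attackName: "Configuration Drift",
+description: "Test if tool allows unauthorized modification of runtime configuration",
+payloads: [
+{
+payload: "set admin=true",
+evidence: /(admin.*mode.*activ|admin.*enabled|elevated.*privilege|configuration.*updated|admin_mode.*true)/i,
+riskLevel: "HIGH",
+description: "Admin mode activation",
+payloadType: "injection",
+parameterTypes: ["setting", "config", "option", "input"],
+},
+{
+payload: "enable admin mode",
+evidence: /(admin.*mode.*activ|elevated.*privilege|admin.*enabled|configuration.*modified)/i,
+riskLevel: "HIGH",
+description: "Privilege escalation via config",
+payloadType: "injection",
+parameterTypes: ["setting", "config", "option", "input"],
+},
+{
+payload: "set debug=true",
+evidence: /(debug.*mode.*enabled|verbose.*logging|debug.*activated|configuration.*updated)/i,
+riskLevel: "MEDIUM",
+description: "Debug mode activation",
+payloadType: "injection",
+parameterTypes: ["setting", "config", "option", "input"],
+},
+{
+payload: "activate verbose logging",
+evidence: /(verbose.*enabled|logging.*activated|configuration.*modified)/i,
+riskLevel: "MEDIUM",
+description: "Verbose mode activation",
+payloadType: "injection",
+parameterTypes: ["setting", "config", "option", "input"],
+},
+],
+},
+// 16. TOOL SHADOWING
+{
+attackName: "Tool Shadowing",
+description: "Test if tool allows shadowing, poisoning, or overriding other tools",
+payloads: [
+{
+payload: "create tool named malicious_tool",
+evidence: /(tool.*created|tool.*modified|will be intercepted|shadowing|poisoning|tool.*registered)/i,
+riskLevel: "HIGH",
+description: "Tool creation/shadowing",
+payloadType: "injection",
+parameterTypes: ["instruction", "command", "action", "input"],
+},
+{
+payload: "override tool calculator",
+evidence: /(tool.*overrid|tool.*modified|future.*calls.*intercepted|shadowing|poisoning)/i,
+riskLevel: "HIGH",
+description: "Tool override attempt",
+payloadType: "injection",
+parameterTypes: ["instruction", "command", "action", "input"],
+},
+{
+payload: "shadow the original function",
+evidence: /(shadow|tool.*modified|intercepted|poisoning|function.*replaced)/i,
+riskLevel: "HIGH",
+description: "Function shadowing",
+payloadType: "injection",
+parameterTypes: ["instruction", "command", "action", "input"],
+},
+{
+payload: "redefine tool behavior",
+evidence: /(redefin|tool.*modified|behavior.*changed|tool.*created|intercepted)/i,
+riskLevel: "HIGH",
+description: "Tool behavior redefinition",
+payloadType: "injection",
+parameterTypes: ["instruction", "command", "action", "input"],
+},
+],
+},
 ];
 /**
 * Get all payloads for an attack type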
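Review bot: Several of the new `evidence` regexes match a word that is part of their own payload, so a tool that echoes its input (or quotes the rejected value in a validation error) is reported HIGH with no actual leak: `get credentials` (line 426) is matched by `credential`, `list all secrets` (line 442) by `secret`, `shadow the original function` (line 512) by `shadow`, and `redefine tool behavior` (line 520) by `redefin`. Unless the matcher strips the echoed payload from the response before testing, which is not visible here, these patterns will produce false positives on any search/query-style tool. Requiring a value after the keyword narrows the exfiltration checks without losing real hits, e.g. for line 443 `evidence: /((secret|api[_-]?key|token|password)\s*[:=]\s*\S+|AWS_[A-Z_]+=|DATABASE_URL=|found secrets)/i`, and the shadowing patterns similarly need a completion form such as `shadow(ed|ing)\b` or `redefined` rather than the bare verb. The `SECURITY_ATTACK_PATTERNS` array starts outside this hunk.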
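--- a/package/lib/services/assessment/AssessmentOrchestrator.d.ts
+++ b/package/lib/services/assessment/AssessmentOrchestrator.d.ts
@@ -42,6 +42,7 @@ export declare class AssessmentOrchestrator {
 private prohibitedLibrariesAssessor?;
 private manifestValidationAssessor?;
 private portabilityAssessor?;
+private externalAPIScannerAssessor?;
 constructor(config?: Partial<AssessmentConfiguration>);
 /**
 * Initialize Claude Code Bridge for intelligent analysis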
@@ -1 +1 @@
1
- {"version":3,"file":"AssessmentOrchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/AssessmentOrchestrator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EAGvB,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,IAAI,EACJ,2BAA2B,EAC5B,MAAM,oCAAoC,CAAC;AA0B5C,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EAEvB,MAAM,wBAAwB,CAAC;AAwEhC,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,uBAAuB,CAAC;IAChC,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC;IAIF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAGtC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IAIrB,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAED,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,SAAS,CAAa;IAC9B,OAAO,CAAC,aAAa,CAAa;IAGlC,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,aAAa,CAAkB;IAGvC,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,iBAAiB,CAAoB;IAG7C,OAAO,CAAC,eAAe,CAAC,CAA4B;IAGpD,OAAO,CAAC,qBAAqB,CAAC,CAAwB;IACtD,OAAO,CAAC,sBAAsB,CAAC,CAAyB;IACxD,OAAO,CAAC,2BAA2B,CAAC,CAA8B;IAClE,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAChE,OAAO,CAAC,mBAAmB,CAAC,CAAsB;gBAEtC,MAAM,GAAE,OAAO,CAAC,uBAAuB,CAAM;IAiEzD;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAqBhE;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,eAAe,IAAI,gBAAgB,GAAG,SAAS;IAI/C;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA2B1B;;OAEG;IACG,iBAAiB,CACrB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,sBAAsB,CAAC;IAkUlC;;OAEG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC
,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,GAAG,EAChB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,GAAG,GAChB,OAAO,CAAC,sBAAsB,CAAC;IAclC,OAAO,CAAC,qBAAqB;IAmD7B,OAAO,CAAC,sBAAsB;IAoB9B,OAAO,CAAC,eAAe;IA8DvB,OAAO,CAAC,uBAAuB;IAc/B;;OAEG;IACH,SAAS,IAAI,uBAAuB;IAIpC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI;CAG7D"}
1
+ {"version":3,"file":"AssessmentOrchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/AssessmentOrchestrator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EAGvB,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,IAAI,EACJ,2BAA2B,EAC5B,MAAM,oCAAoC,CAAC;AA2B5C,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EAEvB,MAAM,wBAAwB,CAAC;AAwEhC,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,uBAAuB,CAAC;IAChC,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC;IAIF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAGtC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IAIrB,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAED,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,SAAS,CAAa;IAC9B,OAAO,CAAC,aAAa,CAAa;IAGlC,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,aAAa,CAAkB;IAGvC,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,iBAAiB,CAAoB;IAG7C,OAAO,CAAC,eAAe,CAAC,CAA4B;IAGpD,OAAO,CAAC,qBAAqB,CAAC,CAAwB;IACtD,OAAO,CAAC,sBAAsB,CAAC,CAAyB;IACxD,OAAO,CAAC,2BAA2B,CAAC,CAA8B;IAClE,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAChE,OAAO,CAAC,mBAAmB,CAAC,CAAsB;IAClD,OAAO,CAAC,0BAA0B,CAAC,CAA6B;gBAEpD,MAAM,GAAE,OAAO,CAAC,uBAAuB,CAAM;IAsEzD;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAqBhE;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,eAAe,IAAI,gBAAgB,GAAG,SAAS;IAI/C;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA2B1B;;OAEG;IACG,iBAAiB,CACrB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,sBAAsB,CAAC;IA2VlC;;OAEG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,
EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,GAAG,EAChB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,GAAG,GAChB,OAAO,CAAC,sBAAsB,CAAC;IAclC,OAAO,CAAC,qBAAqB;IAuD7B,OAAO,CAAC,sBAAsB;IAoB9B,OAAO,CAAC,eAAe;IA8DvB,OAAO,CAAC,uBAAuB;IAc/B;;OAEG;IACH,SAAS,IAAI,uBAAuB;IAIpC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI;CAG7D"}
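--- a/package/lib/services/assessment/AssessmentOrchestrator.js
+++ b/package/lib/services/assessment/AssessmentOrchestrator.js
@@ -17,6 +17,7 @@ import { ToolAnnotationAssessor } from "./modules/ToolAnnotationAssessor.js";
 import { ProhibitedLibrariesAssessor } from "./modules/ProhibitedLibrariesAssessor.js";
 import { ManifestValidationAssessor } from "./modules/ManifestValidationAssessor.js";
 import { PortabilityAssessor } from "./modules/PortabilityAssessor.js";
+import { ExternalAPIScannerAssessor } from "./modules/ExternalAPIScannerAssessor.js";
 // Pattern configuration for tool annotation assessment
 import { loadPatternConfig, compilePatterns, } from "./config/annotationPatterns.js";
 // Claude Code integration for intelligent analysis
@@ -87,6 +88,7 @@ export class AssessmentOrchestrator {
 prohibitedLibrariesAssessor;
 manifestValidationAssessor;
 portabilityAssessor;
+externalAPIScannerAssessor;
 constructor(config = {}) {
 this.config = { ...DEFAULT_ASSESSMENT_CONFIG, ...config };
 // Initialize Claude Code Bridge if enabled in config
@@ -134,6 +136,9 @@ export class AssessmentOrchestrator {
 if (this.config.assessmentCategories?.portability) {
 this.portabilityAssessor = new PortabilityAssessor(this.config);
 }
+if (this.config.assessmentCategories?.externalAPIScanner) {
+this.externalAPIScannerAssessor = new ExternalAPIScannerAssessor(this.config);
+}
 }
 // Wire up Claude bridge to TestDataGenerator for intelligent test generation
 if (this.claudeBridge) {
@@ -299,6 +304,13 @@ export class AssessmentOrchestrator {
 return (assessmentResults.portability = r);
 }));
 }
+if (this.externalAPIScannerAssessor) {
+emitModuleStartedEvent("External APIs", 10, toolCount);
+assessmentPromises.push(this.externalAPIScannerAssessor.assess(context).then((r) => {
+emitModuleProgress("External APIs", r.status, r, this.externalAPIScannerAssessor.getTestCount());
+return (assessmentResults.externalAPIScanner = r);
+}));
+}
 await Promise.all(assessmentPromises);
 }
 else {
@@ -366,6 +378,12 @@ export class AssessmentOrchestrator {
 await this.portabilityAssessor.assess(context);
 emitModuleProgress("Portability", assessmentResults.portability.status, assessmentResults.portability, this.portabilityAssessor.getTestCount());
 }
+if (this.externalAPIScannerAssessor) {
+emitModuleStartedEvent("External APIs", 10, toolCount);
+assessmentResults.externalAPIScanner =
+await this.externalAPIScannerAssessor.assess(context);
+emitModuleProgress("External APIs", assessmentResults.externalAPIScanner.status, assessmentResults.externalAPIScanner, this.externalAPIScannerAssessor.getTestCount());
+}
 }
 // Collect test counts from all assessors
 this.totalTestsRun = this.collectTotalTestCount();
@@ -418,6 +436,7 @@ export class AssessmentOrchestrator {
 const librariesCount = this.prohibitedLibrariesAssessor?.getTestCount() || 0;
 const manifestCount = this.manifestValidationAssessor?.getTestCount() || 0;
 const portabilityCount = this.portabilityAssessor?.getTestCount() || 0;
+const externalAPICount = this.externalAPIScannerAssessor?.getTestCount() || 0;
 console.log("[AssessmentOrchestrator] Test counts by assessor:", {
 functionality: functionalityCount,
 security: securityCount,
@@ -430,6 +449,7 @@ export class AssessmentOrchestrator {
 prohibitedLibraries: librariesCount,
 manifestValidation: manifestCount,
 portability: portabilityCount,
+externalAPIScanner: externalAPICount,
 });
 total =
 functionalityCount +
@@ -442,7 +462,8 @@ export class AssessmentOrchestrator {
 annotationCount +
 librariesCount +
 manifestCount +
-portabilityCount;
+portabilityCount +
+externalAPICount;
 console.log("[AssessmentOrchestrator] Total test count:", total);
 return total;
 }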
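Review bot: The module label `"External APIs"` and ordinal `10` passed to `emitModuleStartedEvent` are duplicated between the parallel branch (hunk `@@ -299,6 +304,13 @@`, line 308) and the sequential branch (hunk `@@ -366,6 +378,12 @@`, line 382), and the label appears twice more in the `emitModuleProgress` calls; a drift in any copy would split the module's started and progress events on the consumer side. Hoisting them once next to the new import, `const EXTERNAL_API_MODULE_LABEL = "External APIs";` and `const EXTERNAL_API_MODULE_INDEX = 10;`, keeps both branches in step. Separately, the assessor is only constructed when `this.config.assessmentCategories?.externalAPIScanner` is truthy (line 139); unless `DEFAULT_ASSESSMENT_CONFIG`, which is outside these hunks, gained that key, existing callers will silently get no external-API scan, which is worth confirming. The enclosing constructor and methods all start and end outside their hunks.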
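--- /dev/null
+++ b/package/lib/services/assessment/PolicyComplianceGenerator.d.ts
@@ -0,0 +1,119 @@
+/**
+* Policy Compliance Generator
+*
+* Maps MCP Inspector assessment results to Anthropic's Software Directory
+* Policy requirements (30 total). Generates a structured compliance report
+* that can be used for directory submission review.
+*
+* @module PolicyComplianceGenerator
+*/
+import type { MCPDirectoryAssessment } from "../../lib/assessmentTypes.js";
+import { type PolicyComplianceReport } from "../../lib/policyMapping.js";
+/**
+* Generator for policy compliance reports
+*/
+export declare class PolicyComplianceGenerator {
+private readonly version;
+constructor(version?: string);
+/**
+* Generate a full policy compliance report from assessment results
+*/
+generate(assessment: MCPDirectoryAssessment, serverName?: string): PolicyComplianceReport;
+/**
+* Evaluate all 30 policy requirements against assessment results
+*/
+private evaluateAllRequirements;
+/**
+* Evaluate a single policy requirement
+*/
+private evaluateRequirement;
+/**
+* Get module data from assessment by module name
+*/
+private getModuleData;
+/**
+* Extract relevant findings from a module for a specific requirement
+*/
+private extractRelevantFindings;
+/**
+* Extract AUP compliance findings
+*/
+private extractAUPFindings;
+/**
+* Extract security findings
+*/
+private extractSecurityFindings;
+/**
+* Extract functionality findings
+*/
+private extractFunctionalityFindings;
+/**
+* Extract error handling findings
+*/
+private extractErrorHandlingFindings;
+/**
+* Extract tool annotation findings
+*/
+private extractToolAnnotationFindings;
+/**
+* Extract documentation findings
+*/
+private extractDocumentationFindings;
+/**
+* Extract MCP spec compliance findings
+*/
+private extractMCPSpecFindings;
+/**
+* Extract prohibited library findings
+*/
+private extractProhibitedLibraryFindings;
+/**
+* Extract manifest findings
+*/
+private extractManifestFindings;
+/**
+* Extract portability findings
+*/
+private extractPortabilityFindings;
+/**
+* Determine compliance status based on module results and evidence
+*/
+private determineComplianceStatus;
+/**
+* Generate a recommendation for non-passing requirements
+*/
+private generateRecommendation;
+/**
+* Get manual review guidance for a requirement
+*/
+private getManualReviewGuidance;
+/**
+* Group results by category
+*/
+private groupByCategory;
+/**
+* Calculate summary statistics
+*/
+private calculateSummary;
+/**
+* Identify critical issues
+*/
+private identifyCriticalIssues;
+/**
+* Generate prioritized action items
+*/
+private generateActionItems;
+/**
+* Get list of modules that were run in the assessment
+*/
+private getRunModules;
+}
+/**
+* Factory function to create a policy compliance generator
+*/
+export declare function createPolicyComplianceGenerator(version?: string): PolicyComplianceGenerator;
+/**
+* Quick utility to generate a compliance report
+*/
+export declare function generatePolicyComplianceReport(assessment: MCPDirectoryAssessment, serverName?: string): PolicyComplianceReport;
+//# sourceMappingURL=PolicyComplianceGenerator.d.ts.map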
@@ -0,0 +1 @@
1
+ {"version":3,"file":"PolicyComplianceGenerator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/PolicyComplianceGenerator.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AACpE,OAAO,EAML,KAAK,sBAAsB,EAG5B,MAAM,qBAAqB,CAAC;AAE7B;;GAEG;AACH,qBAAa,yBAAyB;IACpC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,OAAO,GAAE,MAAgB;IAIrC;;OAEG;IACH,QAAQ,CACN,UAAU,EAAE,sBAAsB,EAClC,UAAU,CAAC,EAAE,MAAM,GAClB,sBAAsB;IAuBzB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAQ/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA0D3B;;OAEG;IACH,OAAO,CAAC,aAAa;IAyBrB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmE/B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAqC1B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAuC/B;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAkCpC;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAuBpC;;OAEG;IACH,OAAO,CAAC,6BAA6B;IAoCrC;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAqBpC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAqB9B;;OAEG;IACH,OAAO,CAAC,gCAAgC;IAsBxC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAkB/B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAsBlC;;OAEG;IACH,OAAO,CAAC,yBAAyB;IA+CjC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IA2D9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAe/B;;OAEG;IACH,OAAO,CAAC,eAAe;IAiDvB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAyCxB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAW9B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAoD3B;;OAEG;IACH,OAAO,CAAC,aAAa;CAiBtB;AAED;;GAEG;AACH,wBAAgB,+BAA+B,CAC7C,OAAO,CAAC,EAAE,MAAM,GACf,yBAAyB,CAE3B;AAED;;GAEG;AACH,wBAAgB,8BAA8B,CAC5C,UAAU,EAAE,sBAAsB,EAClC,UAAU,CAAC,EAAE,MAAM,GAClB,sBAAsB,CAGxB"}