@bryan-thompson/inspector-assessment-client 1.13.0 → 1.14.0

package/lib/services/assessment/modules/AuthenticationAssessor.js

@@ -0,0 +1,270 @@
+/**
+ * Authentication Assessor
+ * Evaluates if OAuth is appropriate for the deployment model (local vs remote).
+ *
+ * Detection Logic:
+ * 1. Check if server uses OAuth (serverInfo/manifest)
+ * 2. Analyze if tools access local resources (files, apps, OS features)
+ * 3. If OAuth + no local deps = recommend cloud deployment
+ * 4. If OAuth + local deps = warn about mixed model
+ */
+import { BaseAssessor } from "./BaseAssessor.js";
+// Patterns that indicate OAuth usage
+const OAUTH_PATTERNS = [
+    /oauth/i,
+    /authorization\s*code/i,
+    /access_token/i,
+    /refresh_token/i,
+    /client_id/i,
+    /client_secret/i,
+    /pkce/i,
+    /code_verifier/i,
+    /code_challenge/i,
+    /authorize\s*url/i,
+    /token\s*endpoint/i,
+];
+// Patterns that indicate API key usage
+const API_KEY_PATTERNS = [
+    /api[_-]?key/i,
+    /x-api-key/i,
+    /bearer\s+token/i,
+    /authorization:\s*bearer/i,
+    /secret[_-]?key/i,
+];
+// Patterns that indicate local resource dependencies
+const LOCAL_RESOURCE_PATTERNS = [
+    /process\.cwd/i,
+    /fs\.(read|write|exists|mkdir|rmdir)/i,
+    /child_process/i,
+    /execSync|spawnSync/i,
+    /os\.(homedir|tmpdir|platform)/i,
+    /path\.(join|resolve|dirname)/i,
+    /__dirname|__filename/i,
+    /\.local|\.config|\.cache/i,
+    /localhost|127\.0\.0\.1/i,
+    /file:\/\//i,
+];
+export class AuthenticationAssessor extends BaseAssessor {
+    /**
+     * Run authentication assessment
+     */
+    async assess(context) {
+        this.log("Starting authentication assessment");
+        this.testCount = 0;
+        const oauthIndicators = [];
+        const localResourceIndicators = [];
+        const apiKeyIndicators = [];
+        // Analyze source code for patterns
+        if (context.sourceCodeFiles) {
+            for (const [filePath, content] of context.sourceCodeFiles) {
+                this.testCount++;
+                // Check for OAuth patterns
+                for (const pattern of OAUTH_PATTERNS) {
+                    if (pattern.test(content)) {
+                        const indicator = `${filePath}: ${pattern.source}`;
+                        if (!oauthIndicators.includes(indicator)) {
+                            oauthIndicators.push(indicator);
+                        }
+                    }
+                }
+                // Check for API key patterns
+                for (const pattern of API_KEY_PATTERNS) {
+                    if (pattern.test(content)) {
+                        const indicator = `${filePath}: ${pattern.source}`;
+                        if (!apiKeyIndicators.includes(indicator)) {
+                            apiKeyIndicators.push(indicator);
+                        }
+                    }
+                }
+                // Check for local resource patterns
+                for (const pattern of LOCAL_RESOURCE_PATTERNS) {
+                    if (pattern.test(content)) {
+                        const indicator = `${filePath}: ${pattern.source}`;
+                        if (!localResourceIndicators.includes(indicator)) {
+                            localResourceIndicators.push(indicator);
+                        }
+                    }
+                }
+            }
+        }
+        // Determine auth method
+        const authMethod = this.detectAuthMethod(oauthIndicators, apiKeyIndicators, context);
+        // Determine if there are local dependencies
+        const hasLocalDependencies = localResourceIndicators.length > 0;
+        // Get transport type
+        const transportType = this.detectTransportType(context);
+        // Evaluate appropriateness
+        const appropriateness = this.evaluateAppropriateness({
+            authMethod,
+            hasLocalDependencies,
+            transportType,
+            oauthIndicators,
+        });
+        const recommendation = this.generateRecommendation(authMethod, hasLocalDependencies, transportType, appropriateness);
+        const status = this.evaluateStatus(appropriateness);
+        const explanation = this.generateExplanation(authMethod, hasLocalDependencies, transportType, appropriateness);
+        const recommendations = this.generateRecommendations(authMethod, hasLocalDependencies, appropriateness);
+        this.log(`Assessment complete: auth=${authMethod}, localDeps=${hasLocalDependencies}`);
+        return {
+            authMethod,
+            hasLocalDependencies,
+            transportType,
+            appropriateness,
+            recommendation,
+            detectedPatterns: {
+                oauthIndicators,
+                localResourceIndicators,
+                apiKeyIndicators,
+            },
+            status,
+            explanation,
+            recommendations,
+        };
+    }
+    /**
+     * Detect authentication method
+     */
+    detectAuthMethod(oauthIndicators, apiKeyIndicators, context) {
+        // Check manifest for OAuth configuration
+        if (context.manifestJson) {
+            const manifestStr = JSON.stringify(context.manifestJson);
+            if (/oauth/i.test(manifestStr)) {
+                return "oauth";
+            }
+        }
+        // Check for OAuth patterns in code
+        if (oauthIndicators.length >= 3) {
+            return "oauth";
+        }
+        // Check for API key patterns
+        if (apiKeyIndicators.length >= 2) {
+            return "api_key";
+        }
+        // If we found some indicators but not enough to be confident
+        if (oauthIndicators.length > 0 || apiKeyIndicators.length > 0) {
+            return "unknown";
+        }
+        return "none";
+    }
+    /**
+     * Detect transport type from context
+     */
+    detectTransportType(context) {
+        // Check config for transport
+        if (context.config) {
+            const config = context.config;
+            if (config.transport) {
+                return String(config.transport);
+            }
+        }
+        // Default to stdio for local servers
+        return "stdio";
+    }
+    /**
+     * Evaluate if authentication setup is appropriate
+     */
+    evaluateAppropriateness(params) {
+        const { authMethod, hasLocalDependencies, transportType } = params;
+        const concerns = [];
+        let isAppropriate = true;
+        // OAuth on local stdio server with local dependencies is concerning
+        if (authMethod === "oauth" &&
+            hasLocalDependencies &&
+            transportType === "stdio") {
+            concerns.push("OAuth authentication detected on local stdio server with file system dependencies");
+            concerns.push("Consider: Is OAuth necessary for a local-only server that accesses local resources?");
+            isAppropriate = false;
+        }
+        // OAuth on stdio without local deps might suggest it should be remote
+        if (authMethod === "oauth" &&
+            !hasLocalDependencies &&
+            transportType === "stdio") {
+            concerns.push("OAuth detected on stdio transport but no local resource dependencies found");
+            concerns.push("This server might be better suited for remote deployment");
+        }
+        // API key on remote server without proper security
+        if (authMethod === "api_key" && transportType !== "stdio") {
+            concerns.push("API key authentication on remote transport - ensure HTTPS is enforced");
+        }
+        // No auth on remote server is a concern
+        if (authMethod === "none" && transportType !== "stdio") {
+            concerns.push("No authentication detected on remote transport");
+            concerns.push("Consider adding authentication for production use");
+            isAppropriate = false;
+        }
+        const explanation = concerns.length > 0
+            ? `Found ${concerns.length} concern(s) with authentication setup`
+            : "Authentication configuration appears appropriate for deployment model";
+        return { isAppropriate, concerns, explanation };
+    }
+    /**
+     * Generate recommendation based on analysis
+     */
+    generateRecommendation(authMethod, hasLocalDependencies, transportType, appropriateness) {
+        if (appropriateness.isAppropriate) {
+            return "Authentication configuration is appropriate for the deployment model";
+        }
+        if (authMethod === "oauth" && !hasLocalDependencies) {
+            return "Consider deploying as a remote server if OAuth is required - no local dependencies detected";
+        }
+        if (authMethod === "oauth" && hasLocalDependencies) {
+            return "Review if OAuth is necessary - server has local dependencies suggesting local-only usage";
+        }
+        if (authMethod === "none" && transportType !== "stdio") {
+            return "Add authentication for remote deployment to prevent unauthorized access";
+        }
+        return "Review authentication configuration for production deployment";
+    }
+    /**
+     * Evaluate overall status based on appropriateness
+     */
+    evaluateStatus(appropriateness) {
+        if (!appropriateness.isAppropriate) {
+            return "NEED_MORE_INFO";
+        }
+        if (appropriateness.concerns.length > 0) {
+            return "NEED_MORE_INFO";
+        }
+        return "PASS";
+    }
+    /**
+     * Generate explanation
+     */
+    generateExplanation(authMethod, hasLocalDependencies, transportType, appropriateness) {
+        const parts = [];
+        parts.push(`Detected authentication: ${authMethod}`);
+        parts.push(`Transport: ${transportType}`);
+        parts.push(`Local dependencies: ${hasLocalDependencies ? "Yes" : "No"}`);
+        if (appropriateness.concerns.length > 0) {
+            parts.push(`Concerns: ${appropriateness.concerns.length}`);
+        }
+        return parts.join(". ");
+    }
+    /**
+     * Generate recommendations
+     */
+    generateRecommendations(authMethod, hasLocalDependencies, appropriateness) {
+        const recommendations = [];
+        if (!appropriateness.isAppropriate) {
+            recommendations.push("REVIEW - Authentication configuration:");
+            for (const concern of appropriateness.concerns.slice(0, 3)) {
+                recommendations.push(`  - ${concern}`);
+            }
+        }
+        if (authMethod === "oauth") {
+            recommendations.push("Ensure OAuth configuration follows RFC 8707");
+            recommendations.push("Verify PKCE is implemented for public clients");
+        }
+        if (authMethod === "api_key") {
+            recommendations.push("Ensure API keys are not hardcoded");
+            recommendations.push("Use environment variables for secrets");
+        }
+        if (authMethod === "none" && !hasLocalDependencies) {
+            recommendations.push("Consider adding authentication if server will be remotely accessible");
+        }
+        if (recommendations.length === 0) {
+            recommendations.push("Authentication configuration appears appropriate");
+        }
+        return recommendations;
+    }
+}

package/lib/services/assessment/modules/ExternalAPIScannerAssessor.d.ts

@@ -0,0 +1,58 @@
+/**
+ * External API Scanner Assessor
+ *
+ * Scans source code for external API dependencies and checks for affiliation.
+ * Helps identify:
+ * - External services used (GitHub, Slack, AWS, etc.)
+ * - Hardcoded URLs that may need privacy policy disclosure
+ * - Server names that suggest affiliation without verification
+ *
+ * Part of Priority 2 gap-closing features.
+ */
+import { BaseAssessor } from "./BaseAssessor.js";
+import type { AssessmentContext } from "../AssessmentOrchestrator.js";
+import type { ExternalAPIScannerAssessment } from "../../../lib/assessmentTypes.js";
+export declare class ExternalAPIScannerAssessor extends BaseAssessor {
+    assess(context: AssessmentContext): Promise<ExternalAPIScannerAssessment>;
+    /**
+     * Check if file should be skipped
+     */
+    private shouldSkipFile;
+    /**
+     * Scan a file for external API URLs
+     */
+    private scanFileForAPIs;
+    /**
+     * Check if URL should be skipped
+     */
+    private shouldSkipUrl;
+    /**
+     * Clean URL by removing trailing punctuation
+     */
+    private cleanUrl;
+    /**
+     * Identify which service a URL belongs to
+     */
+    private identifyService;
+    /**
+     * Check if server name suggests affiliation that needs verification
+     */
+    private checkAffiliation;
+    /**
+     * Compute assessment status based on scan results
+     */
+    private computeStatus;
+    /**
+     * Generate explanation text
+     */
+    private generateExplanation;
+    /**
+     * Generate recommendations
+     */
+    private generateRecommendations;
+    /**
+     * Create result when source code analysis is not available
+     */
+    private createNoSourceResult;
+}
+//# sourceMappingURL=ExternalAPIScannerAssessor.d.ts.map

package/lib/services/assessment/modules/ExternalAPIScannerAssessor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ExternalAPIScannerAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ExternalAPIScannerAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,KAAK,EAEV,4BAA4B,EAE7B,MAAM,uBAAuB,CAAC;AAmE/B,qBAAa,0BAA2B,SAAQ,YAAY;IACpD,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IA6DxC;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,eAAe;IA0BvB;;OAEG;IACH,OAAO,CAAC,aAAa;IAIrB;;OAEG;IACH,OAAO,CAAC,QAAQ;IAIhB;;OAEG;IACH,OAAO,CAAC,eAAe;IASvB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAsBxB;;OAEG;IACH,OAAO,CAAC,aAAa;IAcrB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAyB3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA2B/B;;OAEG;IACH,OAAO,CAAC,oBAAoB;CAa7B"}

package/lib/services/assessment/modules/ExternalAPIScannerAssessor.js

@@ -0,0 +1,248 @@
+/**
+ * External API Scanner Assessor
+ *
+ * Scans source code for external API dependencies and checks for affiliation.
+ * Helps identify:
+ * - External services used (GitHub, Slack, AWS, etc.)
+ * - Hardcoded URLs that may need privacy policy disclosure
+ * - Server names that suggest affiliation without verification
+ *
+ * Part of Priority 2 gap-closing features.
+ */
+import { BaseAssessor } from "./BaseAssessor.js";
+/**
+ * Known external services and their URL patterns
+ */
+const KNOWN_SERVICES = {
+    github: [/api\.github\.com/i, /github\.com\/[^/]+\/[^/]+/i],
+    gitlab: [/gitlab\.com/i, /api\.gitlab\.com/i],
+    slack: [/slack\.com\/api/i, /api\.slack\.com/i, /hooks\.slack\.com/i],
+    discord: [/discord\.com\/api/i, /discordapp\.com/i],
+    aws: [/\.amazonaws\.com/i, /\.aws\.amazon\.com/i],
+    azure: [/\.azure\.com/i, /\.microsoft\.com/i],
+    gcp: [/\.googleapis\.com/i, /\.google\.com\/.*api/i],
+    openai: [/api\.openai\.com/i],
+    anthropic: [/api\.anthropic\.com/i],
+    huggingface: [/huggingface\.co/i, /api\.huggingface\.co/i],
+    stripe: [/api\.stripe\.com/i],
+    twilio: [/api\.twilio\.com/i],
+    sendgrid: [/api\.sendgrid\.com/i],
+    firebase: [/firebaseio\.com/i, /firebase\.google\.com/i],
+    supabase: [/supabase\.co/i],
+    notion: [/api\.notion\.com/i],
+    airtable: [/api\.airtable\.com/i],
+    dropbox: [/api\.dropbox\.com/i, /dropboxapi\.com/i],
+    jira: [/atlassian\.net/i, /jira\.com/i],
+    linear: [/api\.linear\.app/i],
+    asana: [/api\.asana\.com/i],
+};
+/**
+ * URL patterns to skip (not external APIs)
+ */
+const SKIP_URL_PATTERNS = [
+    /localhost/i,
+    /127\.0\.0\.1/i,
+    /0\.0\.0\.0/i,
+    /example\.com/i,
+    /test\.com/i,
+    /\.local\//i,
+    /schema\.org/i,
+    /w3\.org/i,
+    /json-schema\.org/i,
+    /npmjs\.com/i,
+    /unpkg\.com/i,
+    /cdn\./i,
+    /fonts\.googleapis\.com/i,
+];
+/**
+ * File patterns to skip during scanning
+ */
+const SKIP_FILE_PATTERNS = [
+    /node_modules/i,
+    /\.test\.(ts|js|tsx|jsx)$/i,
+    /\.spec\.(ts|js|tsx|jsx)$/i,
+    /\.d\.ts$/i,
+    /package-lock\.json$/i,
+    /yarn\.lock$/i,
+    /\.map$/i,
+    /README\.md$/i,
+    /CHANGELOG\.md$/i,
+    /LICENSE/i,
+    /\.git\//i,
+    /dist\//i,
+    /build\//i,
+];
+export class ExternalAPIScannerAssessor extends BaseAssessor {
+    async assess(context) {
+        this.log("Starting external API scanner assessment");
+        this.resetTestCount();
+        const detectedAPIs = [];
+        let scannedFiles = 0;
+        // Check if source code analysis is enabled
+        if (!context.sourceCodeFiles || !context.config.enableSourceCodeAnalysis) {
+            this.log("Source code analysis not enabled, skipping external API scan");
+            return this.createNoSourceResult();
+        }
+        // Scan each source file
+        for (const [filePath, content] of context.sourceCodeFiles) {
+            if (this.shouldSkipFile(filePath))
+                continue;
+            this.testCount++;
+            scannedFiles++;
+            const fileAPIs = this.scanFileForAPIs(filePath, content);
+            detectedAPIs.push(...fileAPIs);
+        }
+        // Extract unique services
+        const uniqueServices = [...new Set(detectedAPIs.map((api) => api.service))];
+        // Check for affiliation concerns
+        const affiliationWarning = this.checkAffiliation(context.serverName, uniqueServices);
+        // Determine status
+        const status = this.computeStatus(detectedAPIs, affiliationWarning);
+        const explanation = this.generateExplanation(detectedAPIs, uniqueServices, affiliationWarning, scannedFiles);
+        const recommendations = this.generateRecommendations(uniqueServices, affiliationWarning);
+        this.log(`External API scan complete: ${detectedAPIs.length} APIs found in ${scannedFiles} files`);
+        return {
+            detectedAPIs,
+            uniqueServices,
+            affiliationWarning,
+            scannedFiles,
+            status,
+            explanation,
+            recommendations,
+        };
+    }
+    /**
+     * Check if file should be skipped
+     */
+    shouldSkipFile(filePath) {
+        return SKIP_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
+    }
+    /**
+     * Scan a file for external API URLs
+     */
+    scanFileForAPIs(filePath, content) {
+        const apis = [];
+        const urlPattern = /https?:\/\/[^\s'"`)}\]><]+/g;
+        const matches = content.match(urlPattern) || [];
+        for (const url of matches) {
+            // Skip non-API URLs
+            if (this.shouldSkipUrl(url))
+                continue;
+            // Identify the service
+            const service = this.identifyService(url);
+            // Avoid duplicates in the same file
+            if (!apis.some((api) => api.url === url && api.filePath === filePath)) {
+                apis.push({
+                    url: this.cleanUrl(url),
+                    service,
+                    filePath,
+                });
+            }
+        }
+        return apis;
+    }
+    /**
+     * Check if URL should be skipped
+     */
+    shouldSkipUrl(url) {
+        return SKIP_URL_PATTERNS.some((pattern) => pattern.test(url));
+    }
+    /**
+     * Clean URL by removing trailing punctuation
+     */
+    cleanUrl(url) {
+        return url.replace(/[.,;:!?'")\]}>]+$/, "");
+    }
+    /**
+     * Identify which service a URL belongs to
+     */
+    identifyService(url) {
+        for (const [service, patterns] of Object.entries(KNOWN_SERVICES)) {
+            if (patterns.some((pattern) => pattern.test(url))) {
+                return service;
+            }
+        }
+        return "unknown";
+    }
+    /**
+     * Check if server name suggests affiliation that needs verification
+     */
+    checkAffiliation(serverName, detectedServices) {
+        const nameLower = serverName.toLowerCase();
+        const nameParts = nameLower.split(/[-_\s]/);
+        // Check if server name contains a known service name
+        for (const service of Object.keys(KNOWN_SERVICES)) {
+            if (nameParts.includes(service) || nameLower.includes(service)) {
+                // Server claims this service - check if actually uses it
+                if (detectedServices.includes(service)) {
+                    return `Server name "${serverName}" suggests affiliation with ${service}. Verify the author is officially affiliated before approving.`;
+                }
+                else {
+                    return `Server name "${serverName}" suggests affiliation with ${service}, but no ${service} API calls detected. This may be misleading.`;
+                }
+            }
+        }
+        return undefined;
+    }
+    /**
+     * Compute assessment status based on scan results
+     */
+    computeStatus(apis, affiliationWarning) {
+        if (affiliationWarning) {
+            return "NEED_MORE_INFO";
+        }
+        if (apis.length === 0) {
+            return "PASS";
+        }
+        // Having external APIs isn't a failure, just informational
+        return "PASS";
+    }
+    /**
+     * Generate explanation text
+     */
+    generateExplanation(apis, services, affiliationWarning, scannedFiles) {
+        const parts = [];
+        parts.push(`Scanned ${scannedFiles} source files.`);
+        if (apis.length === 0) {
+            parts.push("No external API dependencies detected.");
+        }
+        else {
+            parts.push(`Found ${apis.length} external API URL(s) across ${services.length} service(s): ${services.join(", ")}.`);
+        }
+        if (affiliationWarning) {
+            parts.push(`ATTENTION: ${affiliationWarning}`);
+        }
+        return parts.join(" ");
+    }
+    /**
+     * Generate recommendations
+     */
+    generateRecommendations(services, affiliationWarning) {
+        const recommendations = [];
+        if (affiliationWarning) {
+            recommendations.push("Verify author affiliation with claimed service before directory approval");
+        }
+        if (services.length > 0 && !services.every((s) => s === "unknown")) {
+            recommendations.push(`Ensure privacy policies are declared for external services: ${services.filter((s) => s !== "unknown").join(", ")}`);
+        }
+        if (services.includes("unknown")) {
+            recommendations.push("Review unrecognized external URLs for security and privacy implications");
+        }
+        return recommendations;
+    }
+    /**
+     * Create result when source code analysis is not available
+     */
+    createNoSourceResult() {
+        return {
+            detectedAPIs: [],
+            uniqueServices: [],
+            scannedFiles: 0,
+            status: "NEED_MORE_INFO",
+            explanation: "External API scanning requires source code analysis. Enable with --source flag.",
+            recommendations: [
+                "Re-run assessment with --source <path> to enable external API scanning",
+            ],
+        };
+    }
+}

package/lib/services/assessment/modules/FunctionalityAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"FunctionalityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/FunctionalityAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAGxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAM9D,qBAAa,qBAAsB,SAAQ,YAAY;IACrD,OAAO,CAAC,cAAc,CAAwB;IAE9C;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAoCvB,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;YA0H5D,QAAQ;IAiFtB,OAAO,CAAC,qBAAqB;IA0D7B,OAAO,CAAC,kBAAkB;IAwF1B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,uBAAuB,CAe7C;IAEF;;;OAGG;IACH,OAAO,CAAC,mCAAmC;IAsF3C;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAWlB,iBAAiB,CAAC,MAAM,EAAE,GAAG,GAAG,OAAO;IAI9C,OAAO,CAAC,mBAAmB;CA+B5B"}
+{"version":3,"file":"FunctionalityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/FunctionalityAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAGxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAM9D,qBAAa,qBAAsB,SAAQ,YAAY;IACrD,OAAO,CAAC,cAAc,CAAwB;IAE9C;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAoCvB,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;YAkI5D,QAAQ;IAiFtB,OAAO,CAAC,qBAAqB;IA0D7B,OAAO,CAAC,kBAAkB;IAwF1B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,uBAAuB,CAe7C;IAEF;;;OAGG;IACH,OAAO,CAAC,mCAAmC;IAsF3C;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAWlB,iBAAiB,CAAC,MAAM,EAAE,GAAG,GAAG,OAAO;IAI9C,OAAO,CAAC,mBAAmB;CA+B5B"}

package/lib/services/assessment/modules/FunctionalityAssessor.js

@@ -108,6 +108,12 @@ export class FunctionalityAssessor extends BaseAssessor {
         const coveragePercentage = testedTools > 0 ? (workingTools / testedTools) * 100 : 0;
         const status = this.determineStatus(workingTools, testedTools);
         const explanation = this.generateExplanation(totalTools, testedTools, workingTools, brokenTools);
+        // Map tools to include only schema-relevant fields for downstream consumers
+        const tools = context.tools.map((t) => ({
+            name: t.name,
+            description: t.description,
+            inputSchema: t.inputSchema,
+        }));
         return {
             totalTools,
             testedTools,
@@ -117,6 +123,7 @@ export class FunctionalityAssessor extends BaseAssessor {
             status,
             explanation,
             toolResults,
+            tools,
         };
     }
     async testTool(tool, callTool) {

package/lib/services/assessment/modules/ManifestValidationAssessor.d.ts

@@ -54,6 +54,10 @@ export declare class ManifestValidationAssessor extends BaseAssessor {
      * Validate version format (semver)
      */
     private validateVersionFormat;
+    /**
+     * Validate privacy policy URLs are accessible
+     */
+    private validatePrivacyPolicyUrls;
     /**
      * Determine overall status
      */

package/lib/services/assessment/modules/ManifestValidationAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ManifestValidationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ManifestValidationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,4BAA4B,EAI7B,MAAM,uBAAuB,CAAC;AAM/B,qBAAa,0BAA2B,SAAQ,YAAY;IAC1D;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IA0GxC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAyB9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmB/B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAgC/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiC7B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiChC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IA+CzB;;OAEG;IACH,OAAO,CAAC,YAAY;IAqCpB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA+B1B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IA8B7B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAsB/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CA+BhC"}
+{"version":3,"file":"ManifestValidationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ManifestValidationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,4BAA4B,EAK7B,MAAM,uBAAuB,CAAC;AAM/B,qBAAa,0BAA2B,SAAQ,YAAY;IAC1D;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IA6JxC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAyB9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmB/B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAgC/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiC7B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiChC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IA+CzB;;OAEG;IACH,OAAO,CAAC,YAAY;IAqCpB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA+B1B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IA8B7B;;OAEG;YACW,yBAAyB;IA2EvC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAsB/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA0C3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CA+ChC"}