@bryan-thompson/inspector-assessment-client 1.15.0 → 1.15.1

package/dist/assets/{OAuthCallback-BleN4Jjs.js → OAuthCallback-tZBHqkSF.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CPXmfP9b.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BAbFakRL.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/dist/assets/{OAuthDebugCallback-C__lzEyx.js → OAuthDebugCallback-D73S8G8X.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CPXmfP9b.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BAbFakRL.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/dist/assets/{index-CPXmfP9b.js → index-BAbFakRL.js}

@@ -16320,7 +16320,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.15.0";
+const version$1 = "1.15.1";
 const packageJson = {
   name,
   version: version$1
@@ -48863,7 +48863,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.15.0";
+const version = "1.15.1";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -61877,13 +61877,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-BleN4Jjs.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-tZBHqkSF.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-C__lzEyx.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-D73S8G8X.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-CPXmfP9b.js"></script>
+    <script type="module" crossorigin src="/assets/index-BAbFakRL.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-BdXNC65t.css">
   </head>
   <body>

package/lib/services/assessment/modules/TemporalAssessor.d.ts

@@ -12,6 +12,7 @@ import { BaseAssessor } from "./BaseAssessor.js";
 export declare class TemporalAssessor extends BaseAssessor {
     private invocationsPerTool;
     private readonly DESTRUCTIVE_PATTERNS;
+    private readonly PER_INVOCATION_TIMEOUT;
     constructor(config: AssessmentConfiguration);
     assess(context: AssessmentContext): Promise<TemporalAssessment>;
     private assessTool;

package/lib/services/assessment/modules/TemporalAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"TemporalAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/TemporalAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,EAEvB,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAS9C,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,kBAAkB,CAAS;IAGnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAanC;gBAEU,MAAM,EAAE,uBAAuB;IAKrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;YA8CvD,UAAU;IA8CxB,OAAO,CAAC,gBAAgB;IA0DxB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IA0CzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAKzB,OAAO,CAAC,uBAAuB;IAa/B,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,uBAAuB;CA8BhC"}
+{"version":3,"file":"TemporalAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/TemporalAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,EAEvB,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAY9C,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,kBAAkB,CAAS;IAGnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAGF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAU;gBAErC,MAAM,EAAE,uBAAuB;IAKrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;YA8CvD,UAAU;IAkExB,OAAO,CAAC,gBAAgB;IA0DxB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAoDzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAKzB,OAAO,CAAC,uBAAuB;IAa/B,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,uBAAuB;CA8BhC"}

package/lib/services/assessment/modules/TemporalAssessor.js

@@ -7,6 +7,8 @@
  * payloads but never call the same tool repeatedly with identical payloads.
  */
 import { BaseAssessor } from "./BaseAssessor.js";
+// Security: Maximum response size to prevent memory exhaustion attacks
+const MAX_RESPONSE_SIZE = 1_000_000; // 1MB
 export class TemporalAssessor extends BaseAssessor {
     invocationsPerTool;
     // Patterns that suggest a tool may have side effects
@@ -23,7 +25,16 @@ export class TemporalAssessor extends BaseAssessor {
         "submit",
         "execute",
         "run",
+        // P2-3: Additional destructive patterns
+        "drop",
+        "truncate",
+        "clear",
+        "purge",
+        "destroy",
+        "reset",
     ];
+    // P2-2: Per-invocation timeout to prevent long-running tools from blocking
+    PER_INVOCATION_TIMEOUT = 10_000; // 10 seconds
     constructor(config) {
         super(config);
         this.invocationsPerTool = config.temporalInvocations ?? 25;
@@ -72,7 +83,19 @@ export class TemporalAssessor extends BaseAssessor {
         for (let i = 1; i <= invocations; i++) {
             this.testCount++;
             try {
-                const response = await this.executeWithTimeout(context.callTool(tool.name, payload));
+                // P2-2: Use shorter per-invocation timeout (10s vs default 30s)
+                const response = await this.executeWithTimeout(context.callTool(tool.name, payload), this.PER_INVOCATION_TIMEOUT);
+                // Security: Prevent memory exhaustion from large responses
+                const responseSize = JSON.stringify(response).length;
+                if (responseSize > MAX_RESPONSE_SIZE) {
+                    responses.push({
+                        invocation: i,
+                        response: null,
+                        error: `Response exceeded size limit (${responseSize} > ${MAX_RESPONSE_SIZE} bytes)`,
+                        timestamp: Date.now(),
+                    });
+                    continue;
+                }
                 responses.push({
                     invocation: i,
                     response,
@@ -88,6 +111,10 @@ export class TemporalAssessor extends BaseAssessor {
                     timestamp: Date.now(),
                 });
             }
+            // P2-4: Small delay between invocations to prevent rate limiting false positives
+            if (i < invocations) {
+                await this.sleep(50);
+            }
         }
         const result = this.analyzeResponses(tool, responses);
         return {
@@ -191,8 +218,8 @@ export class TemporalAssessor extends BaseAssessor {
     normalizeResponse(response) {
         const str = JSON.stringify(response);
         return (str
-            // ISO timestamps
-            .replace(/"\d{4}-\d{2}-\d{2}T[\d:.]+Z?"/g, '"<TIMESTAMP>"')
+            // ISO timestamps (bounded quantifier to prevent ReDoS)
+            .replace(/"\d{4}-\d{2}-\d{2}T[\d:.]{1,30}Z?"/g, '"<TIMESTAMP>"')
             // Unix timestamps (13 digits)
             .replace(/"\d{13}"/g, '"<TIMESTAMP>"')
             // UUIDs
@@ -218,7 +245,11 @@ export class TemporalAssessor extends BaseAssessor {
             .replace(/"index":\s*\d+/g, '"index": <NUMBER>')
             .replace(/\\"index\\":\s*\d+/g, '\\"index\\": <NUMBER>')
             // String IDs
-            .replace(/"id":\s*"[^"]+"/g, '"id": "<ID>"'));
+            .replace(/"id":\s*"[^"]+"/g, '"id": "<ID>"')
+            // P2-1: Additional timestamp fields that vary between calls
+            .replace(/"(updated_at|created_at|modified_at)":\s*"[^"]+"/g, '"$1": "<TIMESTAMP>"')
+            // P2-1: Dynamic tokens/hashes that change per request
+            .replace(/"(nonce|token|hash|etag|session_id|correlation_id)":\s*"[^"]+"/g, '"$1": "<DYNAMIC>"'));
     }
     /**
      * Detect if a tool may have side effects based on naming patterns.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.15.0",
+  "version": "1.15.1",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",