@bryan-thompson/inspector-assessment-client 1.15.1 → 1.16.0

package/lib/services/assessment/config/annotationPatterns.js

@@ -224,7 +224,7 @@ export function loadPatternConfig(configPath) {
             ambiguous: userConfig.ambiguous ?? DEFAULT_ANNOTATION_PATTERNS.ambiguous,
         };
     }
-    catch (error) {
+    catch {
         console.warn(`Warning: Could not load pattern config from ${configPath}, using defaults`);
         return DEFAULT_ANNOTATION_PATTERNS;
     }

package/lib/services/assessment/lib/RequestHistoryAnalyzer.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Request History Analyzer
+ * Utility library for analyzing MCP request/response patterns
+ *
+ * Provides analysis for:
+ * - Protocol compliance validation (JSON-RPC 2.0)
+ * - Error pattern analysis across requests
+ * - Timing analysis and response time percentiles
+ * - Content consistency validation
+ */
+export interface RequestHistoryEntry {
+    id: string | number;
+    method: string;
+    params?: Record<string, unknown>;
+    timestamp: number;
+    response?: {
+        result?: unknown;
+        error?: {
+            code: number;
+            message: string;
+            data?: unknown;
+        };
+    };
+    responseTime?: number;
+    status: "pending" | "success" | "error";
+}
+export interface RequestHistoryAnalysis {
+    totalRequests: number;
+    successCount: number;
+    errorCount: number;
+    pendingCount: number;
+    successRate: number;
+    timing: {
+        averageResponseTime: number;
+        minResponseTime: number;
+        maxResponseTime: number;
+        p50ResponseTime: number;
+        p95ResponseTime: number;
+        p99ResponseTime: number;
+    };
+    errors: {
+        byCode: Record<number, number>;
+        byMessage: Record<string, number>;
+        patterns: string[];
+    };
+    protocolCompliance: {
+        allHaveJsonRpcVersion: boolean;
+        allHaveValidIds: boolean;
+        allHaveProperStructure: boolean;
+        violations: string[];
+    };
+    methodDistribution: Record<string, number>;
+    slowRequests: Array<{
+        method: string;
+        responseTime: number;
+        timestamp: number;
+    }>;
+}
+/**
+ * Analyze a collection of MCP request/response entries
+ */
+export declare function analyzeRequestHistory(entries: RequestHistoryEntry[]): RequestHistoryAnalysis;
+/**
+ * Generate a summary string from the analysis
+ */
+export declare function generateAnalysisSummary(analysis: RequestHistoryAnalysis): string;
+//# sourceMappingURL=RequestHistoryAnalyzer.d.ts.map

package/lib/services/assessment/lib/RequestHistoryAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RequestHistoryAnalyzer.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/lib/RequestHistoryAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE;QACT,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE;YACN,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,MAAM,CAAC;YAChB,IAAI,CAAC,EAAE,OAAO,CAAC;SAChB,CAAC;KACH,CAAC;IACF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,OAAO,CAAC;CACzC;AAED,MAAM,WAAW,sBAAsB;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IAGpB,MAAM,EAAE;QACN,mBAAmB,EAAE,MAAM,CAAC;QAC5B,eAAe,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IAGF,MAAM,EAAE;QACN,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAClC,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;IAGF,kBAAkB,EAAE;QAClB,qBAAqB,EAAE,OAAO,CAAC;QAC/B,eAAe,EAAE,OAAO,CAAC;QACzB,sBAAsB,EAAE,OAAO,CAAC;QAChC,UAAU,EAAE,MAAM,EAAE,CAAC;KACtB,CAAC;IAGF,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAG3C,YAAY,EAAE,KAAK,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;CACJ;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,mBAAmB,EAAE,GAC7B,sBAAsB,CA0CxB;AAqKD;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,sBAAsB,GAC/B,MAAM,CA0BR"}

package/lib/services/assessment/lib/RequestHistoryAnalyzer.js

@@ -0,0 +1,191 @@
+/**
+ * Request History Analyzer
+ * Utility library for analyzing MCP request/response patterns
+ *
+ * Provides analysis for:
+ * - Protocol compliance validation (JSON-RPC 2.0)
+ * - Error pattern analysis across requests
+ * - Timing analysis and response time percentiles
+ * - Content consistency validation
+ */
+/**
+ * Analyze a collection of MCP request/response entries
+ */
+export function analyzeRequestHistory(entries) {
+    const totalRequests = entries.length;
+    const successCount = entries.filter((e) => e.status === "success").length;
+    const errorCount = entries.filter((e) => e.status === "error").length;
+    const pendingCount = entries.filter((e) => e.status === "pending").length;
+    const successRate = totalRequests > 0 ? (successCount / totalRequests) * 100 : 0;
+    // Calculate timing metrics
+    const timing = calculateTimingMetrics(entries);
+    // Analyze errors
+    const errors = analyzeErrors(entries);
+    // Check protocol compliance
+    const protocolCompliance = checkProtocolCompliance(entries);
+    // Calculate method distribution
+    const methodDistribution = calculateMethodDistribution(entries);
+    // Find slow requests
+    const slowRequests = entries
+        .filter((e) => e.responseTime && e.responseTime > 1000)
+        .map((e) => ({
+        method: e.method,
+        responseTime: e.responseTime,
+        timestamp: e.timestamp,
+    }))
+        .sort((a, b) => b.responseTime - a.responseTime);
+    return {
+        totalRequests,
+        successCount,
+        errorCount,
+        pendingCount,
+        successRate,
+        timing,
+        errors,
+        protocolCompliance,
+        methodDistribution,
+        slowRequests,
+    };
+}
+function calculateTimingMetrics(entries) {
+    const responseTimes = entries
+        .filter((e) => e.responseTime !== undefined)
+        .map((e) => e.responseTime)
+        .sort((a, b) => a - b);
+    if (responseTimes.length === 0) {
+        return {
+            averageResponseTime: 0,
+            minResponseTime: 0,
+            maxResponseTime: 0,
+            p50ResponseTime: 0,
+            p95ResponseTime: 0,
+            p99ResponseTime: 0,
+        };
+    }
+    const sum = responseTimes.reduce((acc, t) => acc + t, 0);
+    const avg = sum / responseTimes.length;
+    const min = responseTimes[0];
+    const max = responseTimes[responseTimes.length - 1];
+    // Calculate percentiles
+    const p50Index = Math.floor(responseTimes.length * 0.5);
+    const p95Index = Math.floor(responseTimes.length * 0.95);
+    const p99Index = Math.floor(responseTimes.length * 0.99);
+    return {
+        averageResponseTime: Math.round(avg),
+        minResponseTime: min,
+        maxResponseTime: max,
+        p50ResponseTime: responseTimes[p50Index] || max,
+        p95ResponseTime: responseTimes[p95Index] || max,
+        p99ResponseTime: responseTimes[p99Index] || max,
+    };
+}
+function analyzeErrors(entries) {
+    const byCode = {};
+    const byMessage = {};
+    const patterns = [];
+    const errorEntries = entries.filter((e) => e.status === "error" && e.response?.error);
+    for (const entry of errorEntries) {
+        const error = entry.response.error;
+        // Count by error code
+        byCode[error.code] = (byCode[error.code] || 0) + 1;
+        // Count by message (truncated)
+        const truncatedMsg = error.message.substring(0, 50);
+        byMessage[truncatedMsg] = (byMessage[truncatedMsg] || 0) + 1;
+    }
+    // Identify error patterns
+    if (byCode[-32600])
+        patterns.push("Invalid Request errors detected");
+    if (byCode[-32601])
+        patterns.push("Method Not Found errors detected");
+    if (byCode[-32602])
+        patterns.push("Invalid Params errors detected");
+    if (byCode[-32603])
+        patterns.push("Internal errors detected");
+    if (byCode[-32700])
+        patterns.push("Parse errors detected");
+    // Check for high error rates on specific methods
+    const methodErrors = {};
+    const methodTotal = {};
+    for (const entry of entries) {
+        methodTotal[entry.method] = (methodTotal[entry.method] || 0) + 1;
+        if (entry.status === "error") {
+            methodErrors[entry.method] = (methodErrors[entry.method] || 0) + 1;
+        }
+    }
+    for (const [method, total] of Object.entries(methodTotal)) {
+        const errors = methodErrors[method] || 0;
+        if (errors / total > 0.5 && errors >= 3) {
+            patterns.push(`High error rate (${Math.round((errors / total) * 100)}%) on ${method}`);
+        }
+    }
+    return { byCode, byMessage, patterns };
+}
+function checkProtocolCompliance(entries) {
+    const violations = [];
+    // Check IDs
+    const allHaveValidIds = entries.every((e) => e.id !== undefined && e.id !== null);
+    if (!allHaveValidIds) {
+        violations.push("Some requests missing valid id field");
+    }
+    // Check for duplicate IDs
+    const ids = entries.map((e) => e.id);
+    const uniqueIds = new Set(ids);
+    if (ids.length !== uniqueIds.size) {
+        violations.push("Duplicate request IDs detected");
+    }
+    // Check method names
+    const allHaveProperStructure = entries.every((e) => {
+        if (!e.method || typeof e.method !== "string")
+            return false;
+        if (e.params !== undefined && typeof e.params !== "object")
+            return false;
+        return true;
+    });
+    if (!allHaveProperStructure) {
+        violations.push("Some requests have improper structure");
+    }
+    // Check error responses
+    const errorResponses = entries.filter((e) => e.response?.error);
+    const allErrorsProper = errorResponses.every((e) => {
+        const error = e.response.error;
+        return typeof error.code === "number" && typeof error.message === "string";
+    });
+    if (!allErrorsProper && errorResponses.length > 0) {
+        violations.push("Some error responses do not follow JSON-RPC 2.0 format");
+    }
+    return {
+        allHaveJsonRpcVersion: true, // Assumed if MCP connection works
+        allHaveValidIds,
+        allHaveProperStructure,
+        violations,
+    };
+}
+function calculateMethodDistribution(entries) {
+    const distribution = {};
+    for (const entry of entries) {
+        distribution[entry.method] = (distribution[entry.method] || 0) + 1;
+    }
+    return distribution;
+}
+/**
+ * Generate a summary string from the analysis
+ */
+export function generateAnalysisSummary(analysis) {
+    const parts = [];
+    parts.push(`Analyzed ${analysis.totalRequests} requests.`);
+    parts.push(`Success rate: ${analysis.successRate.toFixed(1)}%`);
+    if (analysis.timing.averageResponseTime > 0) {
+        parts.push(`Avg response time: ${analysis.timing.averageResponseTime}ms`);
+        parts.push(`P95 response time: ${analysis.timing.p95ResponseTime}ms`);
+    }
+    if (analysis.errors.patterns.length > 0) {
+        parts.push(`Error patterns: ${analysis.errors.patterns.join(", ")}`);
+    }
+    if (analysis.protocolCompliance.violations.length > 0) {
+        parts.push(`Protocol issues: ${analysis.protocolCompliance.violations.join(", ")}`);
+    }
+    if (analysis.slowRequests.length > 0) {
+        parts.push(`${analysis.slowRequests.length} slow request(s) detected`);
+    }
+    return parts.join(" ");
+}

package/lib/services/assessment/lib/claudeCodeBridge.d.ts

@@ -115,6 +115,7 @@ export declare class ClaudeCodeBridge {
     private checkClaudeAvailability;
     /**
      * Execute Claude CLI with a prompt
+     * Uses execFileSync to avoid shell injection vulnerabilities
      */
     private executeClaudeCommand;
     /**

package/lib/services/assessment/lib/claudeCodeBridge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"claudeCodeBridge.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/lib/claudeCodeBridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAC;QACpC,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;QAClC,oBAAoB,CAAC,EAAE,OAAO,CAAC;KAChC,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,WAAW,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,OAAO,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,WAAW,CAAC;IACtB,eAAe,EAAE,OAAO,GAAG,iBAAiB,GAAG,OAAO,CAAC;IACvD,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB,EAAE;QACpB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,CAAC;IACF,oBAAoB,EAAE,OAAO,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,KAAK,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,gBAAgB,EAAE,MAAM,CAAC;QACzB,QAAQ,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;KAClE,CAAC,CAAC;IACH,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE,sBAYxC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,sBAYrC,CAAC;AAEF;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAyB;IACvC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,sBAAsB;IAW1C;;;OAGG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,sBAAsB,CAAC,UAAU,CAAC,GAAG,OAAO;IAgB5E;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAS/B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA+B5B;;OAEG;YACW,gBAAgB;IAwB9B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAqBzB;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAC;IA2C5C;;OAEG;IACG,iBAAiB,CACrB,IAAI,EAAE,IAAI,EACV,kBAAkB,CAAC,EAAE;QACnB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,GACA,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAgD1C;;OAEG;IACG,qBAAqB,CACzB,IAAI,EAAE,IAAI,EACV,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAuCvC;;;OAGG;IACG,sBAAsB,CAC1B,IAAI,EAAE,IAAI,GACT,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;IAqC5C;;OAEG;IACG,mBAAmB,CACvB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QACT,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,GAAG,IAAI,CAAC;CA0CV"}
+{"version":3,"file":"claudeCodeBridge.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/lib/claudeCodeBridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAC;QACpC,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;QAClC,oBAAoB,CAAC,EAAE,OAAO,CAAC;KAChC,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,WAAW,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,OAAO,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,WAAW,CAAC;IACtB,eAAe,EAAE,OAAO,GAAG,iBAAiB,GAAG,OAAO,CAAC;IACvD,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB,EAAE;QACpB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,CAAC;IACF,oBAAoB,EAAE,OAAO,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,KAAK,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,gBAAgB,EAAE,MAAM,CAAC;QACzB,QAAQ,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;KAClE,CAAC,CAAC;IACH,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE,sBAYxC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,sBAYrC,CAAC;AAEF;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAyB;IACvC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,sBAAsB;IAW1C;;;OAGG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,sBAAsB,CAAC,UAAU,CAAC,GAAG,OAAO;IAgB5E;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAS/B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IA8B5B;;OAEG;YACW,gBAAgB;IAwB9B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAqBzB;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAC;IA2C5C;;OAEG;IACG,iBAAiB,CACrB,IAAI,EAAE,IAAI,EACV,kBAAkB,CAAC,EAAE;QACnB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,GACA,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAgD1C;;OAEG;IACG,qBAAqB,CACzB,IAAI,EAAE,IAAI,EACV,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAuCvC;;;OAGG;IACG,sBAAsB,CAC1B,IAAI,EAAE,IAAI,GACT,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;IAqC5C;;OAEG;IACG,mBAAmB,CACvB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QACT,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,GAAG,IAAI,CAAC;CA0CV"}

package/lib/services/assessment/lib/claudeCodeBridge.js

@@ -10,7 +10,7 @@
  * - Tool behavior inference for annotation validation
  * - Documentation quality assessment
  */
-import { execSync } from "child_process";
+import { execFileSync, execSync } from "child_process";
 /**
  * Default configuration with minimal features
  */
@@ -86,14 +86,15 @@ export class ClaudeCodeBridge {
     }
     /**
      * Execute Claude CLI with a prompt
+     * Uses execFileSync to avoid shell injection vulnerabilities
      */
     executeClaudeCommand(prompt) {
         const startTime = Date.now();
         try {
             const timeout = this.config.timeout || 30000;
-            // Escape the prompt for shell execution
-            const escapedPrompt = prompt.replace(/'/g, "'\\''");
-            const output = execSync(`claude --print '${escapedPrompt}'`, {
+            // Use execFileSync with argument array to prevent shell injection
+            // This avoids spawning a shell and passes arguments directly
+            const output = execFileSync("claude", ["--print", prompt], {
                 encoding: "utf-8",
                 timeout,
                 stdio: ["pipe", "pipe", "pipe"],

package/lib/services/assessment/modules/AuthenticationAssessor.d.ts

@@ -16,6 +16,10 @@ export declare class AuthenticationAssessor extends BaseAssessor {
      * Run authentication assessment
      */
     assess(context: AssessmentContext): Promise<AuthenticationAssessment>;
+    /**
+     * Analyze transport security configuration
+     */
+    private analyzeTransportSecurity;
     /**
      * Detect authentication method
      */

package/lib/services/assessment/modules/AuthenticationAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthenticationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/AuthenticationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAIV,wBAAwB,EACzB,MAAM,uBAAuB,CAAC;AAwC/B,qBAAa,sBAAuB,SAAQ,YAAY;IACtD;;OAEG;IACG,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,wBAAwB,CAAC;IA2G3E;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+BxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAa3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA2D/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAyB9B;;OAEG;IACH,OAAO,CAAC,cAAc;IActB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmB3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CAoChC"}
+{"version":3,"file":"AuthenticationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/AuthenticationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAIV,wBAAwB,EAEzB,MAAM,uBAAuB,CAAC;AA0D/B,qBAAa,sBAAuB,SAAQ,YAAY;IACtD;;OAEG;IACG,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,wBAAwB,CAAC;IA2H3E;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA6FhC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+BxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAa3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA2D/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAyB9B;;OAEG;IACH,OAAO,CAAC,cAAc;IActB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmB3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CAoChC"}

package/lib/services/assessment/modules/AuthenticationAssessor.js

@@ -44,6 +44,22 @@ const LOCAL_RESOURCE_PATTERNS = [
     /localhost|127\.0\.0\.1/i,
     /file:\/\//i,
 ];
+// Patterns indicating insecure transport practices
+const INSECURE_TRANSPORT_PATTERNS = [
+    /http:\/\/(?!localhost|127\.0\.0\.1)/i, // Non-local HTTP
+    /allowInsecure|rejectUnauthorized:\s*false/i, // TLS validation disabled
+    /NODE_TLS_REJECT_UNAUTHORIZED.*0/i, // TLS verification disabled via env
+    /cors.*\*|origin:\s*true|origin:\s*\*/i, // Overly permissive CORS
+];
+// Patterns indicating secure transport practices
+const SECURE_TRANSPORT_PATTERNS = [
+    /https:\/\//i,
+    /secure:\s*true/i,
+    /httpOnly:\s*true/i,
+    /sameSite.*strict|sameSite.*lax/i,
+    /helmet/i, // Security middleware
+    /cors.*origin.*string|cors.*origin.*array/i, // Specific CORS origins
+];
 export class AuthenticationAssessor extends BaseAssessor {
     /**
      * Run authentication assessment
@@ -104,7 +120,13 @@ export class AuthenticationAssessor extends BaseAssessor {
         const status = this.evaluateStatus(appropriateness);
         const explanation = this.generateExplanation(authMethod, hasLocalDependencies, transportType, appropriateness);
         const recommendations = this.generateRecommendations(authMethod, hasLocalDependencies, appropriateness);
-        this.log(`Assessment complete: auth=${authMethod}, localDeps=${hasLocalDependencies}`);
+        // Analyze transport security
+        const transportSecurity = this.analyzeTransportSecurity(context);
+        // Add transport security issues to concerns
+        if (transportSecurity.hasInsecurePatterns) {
+            appropriateness.concerns.push(...transportSecurity.insecurePatterns.map((p) => `Insecure transport pattern: ${p}`));
+        }
+        this.log(`Assessment complete: auth=${authMethod}, localDeps=${hasLocalDependencies}, tlsEnforced=${transportSecurity.tlsEnforced}`);
         return {
             authMethod,
             hasLocalDependencies,
@@ -116,8 +138,82 @@ export class AuthenticationAssessor extends BaseAssessor {
                 localResourceIndicators,
                 apiKeyIndicators,
             },
+            transportSecurity,
             status,
             explanation,
+            recommendations: [
+                ...recommendations,
+                ...transportSecurity.recommendations,
+            ],
+        };
+    }
+    /**
+     * Analyze transport security configuration
+     */
+    analyzeTransportSecurity(context) {
+        const insecurePatterns = [];
+        const securePatterns = [];
+        // Check transport config from context
+        const transportConfig = context.transportConfig;
+        const usesTLS = transportConfig?.usesTLS ?? false;
+        const tlsEnforced = transportConfig?.type === "streamable-http" && usesTLS;
+        // Analyze source code for patterns
+        if (context.sourceCodeFiles) {
+            for (const [filePath, content] of context.sourceCodeFiles) {
+                this.testCount++;
+                // Check for insecure patterns
+                for (const pattern of INSECURE_TRANSPORT_PATTERNS) {
+                    if (pattern.test(content)) {
+                        const indicator = `${filePath}: ${pattern.source}`;
+                        if (!insecurePatterns.includes(indicator)) {
+                            insecurePatterns.push(indicator);
+                        }
+                    }
+                }
+                // Check for secure patterns
+                for (const pattern of SECURE_TRANSPORT_PATTERNS) {
+                    if (pattern.test(content)) {
+                        const indicator = `${filePath}: ${pattern.source}`;
+                        if (!securePatterns.includes(indicator)) {
+                            securePatterns.push(indicator);
+                        }
+                    }
+                }
+            }
+        }
+        // Determine CORS configuration
+        const corsConfigured = securePatterns.some((p) => /cors/i.test(p));
+        const corsPermissive = insecurePatterns.some((p) => /cors.*\*|origin.*true/i.test(p));
+        // Check session security
+        const sessionSecure = securePatterns.some((p) => /secure.*true|httpOnly/i.test(p)) &&
+            !insecurePatterns.some((p) => /secure.*false/i.test(p));
+        // Generate recommendations
+        const recommendations = [];
+        if (insecurePatterns.length > 0) {
+            recommendations.push("TRANSPORT SECURITY: Found insecure patterns that should be reviewed:");
+            for (const pattern of insecurePatterns.slice(0, 3)) {
+                recommendations.push(`  - ${pattern}`);
+            }
+        }
+        if (!usesTLS && transportConfig?.type !== "stdio") {
+            recommendations.push("Ensure HTTPS/TLS is enforced for remote transport to protect data in transit");
+        }
+        if (corsPermissive) {
+            recommendations.push("CORS policy is overly permissive (allows all origins). Restrict to specific trusted origins.");
+        }
+        if (!sessionSecure && securePatterns.length > 0) {
+            recommendations.push("Review session cookie security: ensure Secure, HttpOnly, and SameSite flags are set appropriately");
+        }
+        return {
+            usesTLS,
+            tlsEnforced,
+            hasInsecurePatterns: insecurePatterns.length > 0,
+            insecurePatterns,
+            hasSecurePatterns: securePatterns.length > 0,
+            securePatterns,
+            corsConfigured,
+            corsPermissive,
+            sessionSecure,
             recommendations,
         };
     }

package/lib/services/assessment/modules/CrossCapabilitySecurityAssessor.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Cross-Capability Security Assessor Module
+ * Tests interactions between tools, resources, and prompts for security vulnerabilities
+ *
+ * Tests include:
+ * - Tool->Resource access patterns (can a tool expose unauthorized resources?)
+ * - Prompt->Tool interaction (can a prompt trigger dangerous tool calls?)
+ * - Resource->Tool data flow (is sensitive resource data passed to tools?)
+ * - Privilege escalation across capabilities
+ */
+import { CrossCapabilitySecurityAssessment } from "../../../lib/assessmentTypes.js";
+import { BaseAssessor } from "./BaseAssessor.js";
+import { AssessmentContext } from "../AssessmentOrchestrator.js";
+export declare class CrossCapabilitySecurityAssessor extends BaseAssessor {
+    assess(context: AssessmentContext): Promise<CrossCapabilitySecurityAssessment>;
+    /**
+     * Test if tools can access resources in unauthorized ways
+     */
+    private testToolResourceAccess;
+    /**
+     * Test if prompts could trigger dangerous tool calls
+     */
+    private testPromptToolInteraction;
+    /**
+     * Test if resource data could be passed to tools in unsafe ways
+     */
+    private testResourceToolDataFlow;
+    /**
+     * Test for privilege escalation paths
+     */
+    private testPrivilegeEscalation;
+    private toolHasPathParameter;
+    private toolHasContentParameter;
+    private promptCouldTriggerTool;
+    private determineCrossCapabilityStatus;
+    private generateExplanation;
+    private generateRecommendations;
+}
+//# sourceMappingURL=CrossCapabilitySecurityAssessor.d.ts.map

package/lib/services/assessment/modules/CrossCapabilitySecurityAssessor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CrossCapabilitySecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/CrossCapabilitySecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,iCAAiC,EAGlC,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EACL,iBAAiB,EAGlB,MAAM,2BAA2B,CAAC;AAwDnC,qBAAa,+BAAgC,SAAQ,YAAY;IACzD,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,iCAAiC,CAAC;IAsE7C;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAgD9B;;OAEG;IACH,OAAO,CAAC,yBAAyB;IA2DjC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAoDhC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAkF/B,OAAO,CAAC,oBAAoB;IAa5B,OAAO,CAAC,uBAAuB;IAW/B,OAAO,CAAC,sBAAsB;IAqB9B,OAAO,CAAC,8BAA8B;IAUtC,OAAO,CAAC,mBAAmB;IA+B3B,OAAO,CAAC,uBAAuB;CA+ChC"}