@bryan-thompson/inspector-assessment-client 1.18.1 → 1.19.0

package/lib/services/assessment/modules/SecurityAssessor.js

@@ -13,7 +13,9 @@ import { BaseAssessor } from "./BaseAssessor.js";
 import { getAllAttackPatterns, getPayloadsForAttack, } from "../../../lib/securityPatterns.js";
 import { ToolClassifier, ToolCategory } from "../ToolClassifier.js";
 import { createConcurrencyLimit } from "../lib/concurrencyLimit.js";
+import { LanguageAwarePayloadGenerator } from "../LanguageAwarePayloadGenerator.js";
 export class SecurityAssessor extends BaseAssessor {
+    languageGenerator = new LanguageAwarePayloadGenerator();
     async assess(context) {
         // Select tools for testing first
         const toolsToTest = this.selectToolsForTesting(context.tools);
@@ -1089,10 +1091,14 @@ export class SecurityAssessor extends BaseAssessor {
             /action\s+received:/i,
             /input\s+received:/i,
             /request\s+received:/i,
-            // Explicit safety indicators in JSON responses
-            /"safe":\s*true/i,
-            /"vulnerable":\s*false/i,
-            /"status":\s*"acknowledged"/i,
+            // Explicit safety indicators in JSON responses (context-aware to avoid matching unrelated fields)
+            // Require safety-related context: message, result, status, stored, reflected, etc.
+            /"safe"\s*:\s*true[^}]*("message"|"result"|"status"|"response")/i,
+            /("message"|"result"|"status"|"response")[^}]*"safe"\s*:\s*true/i,
+            /"vulnerable"\s*:\s*false[^}]*("safe"|"stored"|"reflected"|"status")/i,
+            /("safe"|"stored"|"reflected"|"status")[^}]*"vulnerable"\s*:\s*false/i,
+            /"status"\s*:\s*"acknowledged"[^}]*("message"|"result"|"safe")/i,
+            /("message"|"result"|"safe")[^}]*"status"\s*:\s*"acknowledged"/i,
         ];
         const reflectionPatterns = [
             ...statusPatterns,
@@ -1328,8 +1334,41 @@ export class SecurityAssessor extends BaseAssessor {
         const params = {};
         const targetParamTypes = payload.parameterTypes || [];
         let payloadInjected = false;
-        // Try to match payload to appropriate parameter by name
-        if (targetParamTypes.length > 0) {
+        // NEW: Check for language-specific code execution parameters first
+        // This enables detection of vulnerabilities in tools expecting Python/JS/SQL code
+        for (const [key, prop] of Object.entries(schema.properties)) {
+            const propSchema = prop;
+            if (propSchema.type !== "string")
+                continue;
+            const detectedLanguage = this.languageGenerator.detectLanguage(key, tool.name, tool.description);
+            // If we detect a specific language (not generic), use language-appropriate payloads
+            if (detectedLanguage !== "generic" && !payloadInjected) {
+                const languagePayloads = this.languageGenerator.getPayloadsForLanguage(detectedLanguage);
+                if (languagePayloads.length > 0) {
+                    // Select a payload that targets similar behavior as the current attack pattern
+                    // (e.g., if testing command injection, use a command-executing payload)
+                    const payloadLower = payload.payload.toLowerCase();
+                    const isCommandTest = payloadLower.includes("whoami") ||
+                        payloadLower.includes("passwd") ||
+                        payloadLower.includes("id");
+                    // Find matching language payload based on test intent
+                    let selectedPayload = languagePayloads[0]; // Default to first
+                    if (isCommandTest) {
+                        // Prefer command execution payloads
+                        const cmdPayload = languagePayloads.find((lp) => lp.payload.includes("whoami") ||
+                            lp.payload.includes("subprocess") ||
+                            lp.payload.includes("execSync"));
+                        if (cmdPayload)
+                            selectedPayload = cmdPayload;
+                    }
+                    params[key] = selectedPayload.payload;
+                    payloadInjected = true;
+                    break;
+                }
+            }
+        }
+        // Fall back to parameterTypes matching if no language-specific payload was used
+        if (!payloadInjected && targetParamTypes.length > 0) {
             // Payload is parameter-specific (e.g., URLs only for "url" params)
             for (const [key, prop] of Object.entries(schema.properties)) {
                 const propSchema = prop;
@@ -1343,8 +1382,8 @@ export class SecurityAssessor extends BaseAssessor {
                 }
             }
         }
-        else {
-            // Generic payload - inject into first string parameter (original behavior)
+        // Fall back to generic payload - inject into first string parameter (original behavior)
+        if (!payloadInjected) {
             for (const [key, prop] of Object.entries(schema.properties)) {
                 const propSchema = prop;
                 if (propSchema.type === "string" && !payloadInjected) {

package/lib/services/assessment/modules/TemporalAssessor.d.ts

@@ -28,6 +28,11 @@ export declare class TemporalAssessor extends BaseAssessor {
     constructor(config: AssessmentConfiguration);
     assess(context: AssessmentContext): Promise<TemporalAssessment>;
     private assessTool;
+    /**
+     * Detect mutations in tool definition across invocation snapshots.
+     * DVMCP Challenge 4: Tool descriptions that mutate after N calls.
+     */
+    private detectDefinitionMutation;
     private analyzeResponses;
     /**
      * Generate a safe/neutral payload for a tool based on its input schema.

package/lib/services/assessment/modules/TemporalAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"TemporalAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/TemporalAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,EAEvB,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAY9C,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,kBAAkB,CAAS;IAGnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAGF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAU;IAEjD;;;;;;;;;;OAUG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CASrC;gBAEU,MAAM,EAAE,uBAAuB;IAKrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;YA8CvD,UAAU;IAkExB,OAAO,CAAC,gBAAgB;IAmFxB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAoDzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAKzB;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAYtB;;;;;;OAMG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAiCzB,OAAO,CAAC,uBAAuB;IAa/B,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,uBAAuB;CA8BhC"}
+{"version":3,"file":"TemporalAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/TemporalAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,EAEvB,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AA+B9C,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,kBAAkB,CAAS;IAGnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAGF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAU;IAEjD;;;;;;;;;;OAUG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CASrC;gBAEU,MAAM,EAAE,uBAAuB;IAKrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;YAqEvD,UAAU;IAuHxB;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAkChC,OAAO,CAAC,gBAAgB;IAmFxB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAoDzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAKzB;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAYtB;;;;;;OAMG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAiCzB,OAAO,CAAC,uBAAuB;IAa/B,OAAO,CAAC,mBAAmB;IA+C3B,OAAO,CAAC,uBAAuB;CA+DhC"}

package/lib/services/assessment/modules/TemporalAssessor.js

@@ -63,7 +63,15 @@ export class TemporalAssessor extends BaseAssessor {
     async assess(context) {
         const results = [];
         let rugPullsDetected = 0;
-        this.log(`Starting temporal assessment with ${this.invocationsPerTool} invocations per tool`);
+        let definitionMutationsDetected = 0;
+        // Check if definition tracking is available
+        const canTrackDefinitions = typeof context.listTools === "function";
+        if (canTrackDefinitions) {
+            this.log(`Starting temporal assessment with ${this.invocationsPerTool} invocations per tool (definition tracking enabled)`);
+        }
+        else {
+            this.log(`Starting temporal assessment with ${this.invocationsPerTool} invocations per tool (definition tracking unavailable)`);
+        }
         for (const tool of context.tools) {
             // Skip if tool selection is configured and this tool isn't selected
             if (this.config.selectedToolsForTesting !== undefined &&
@@ -76,33 +84,63 @@ export class TemporalAssessor extends BaseAssessor {
                 rugPullsDetected++;
                 this.log(`RUG PULL DETECTED: ${tool.name} changed behavior at invocation ${result.firstDeviationAt}`);
             }
+            if (result.definitionMutated) {
+                definitionMutationsDetected++;
+                this.log(`DEFINITION MUTATION DETECTED: ${tool.name} changed description at invocation ${result.definitionMutationAt}`);
+            }
             // Respect delay between tests
             if (this.config.delayBetweenTests) {
                 await this.sleep(this.config.delayBetweenTests);
             }
         }
-        const status = this.determineTemporalStatus(rugPullsDetected, results);
+        // Status fails if either response or definition mutations detected
+        const totalVulnerabilities = rugPullsDetected + definitionMutationsDetected;
+        const status = this.determineTemporalStatus(totalVulnerabilities, results);
         return {
             toolsTested: results.length,
             invocationsPerTool: this.invocationsPerTool,
             rugPullsDetected,
+            definitionMutationsDetected,
             details: results,
             status,
-            explanation: this.generateExplanation(rugPullsDetected, results),
+            explanation: this.generateExplanation(rugPullsDetected, definitionMutationsDetected, results),
             recommendations: this.generateRecommendations(results),
         };
     }
     async assessTool(context, tool) {
         const responses = [];
+        const definitionSnapshots = [];
         const payload = this.generateSafePayload(tool);
         // Reduce invocations for potentially destructive tools
         const isDestructive = this.isDestructiveTool(tool);
         const invocations = isDestructive
             ? Math.min(5, this.invocationsPerTool)
             : this.invocationsPerTool;
+        // Check if definition tracking is available
+        const canTrackDefinitions = typeof context.listTools === "function";
         this.log(`Testing ${tool.name} with ${invocations} invocations${isDestructive ? " (reduced - destructive)" : ""}`);
         for (let i = 1; i <= invocations; i++) {
             this.testCount++;
+            // Track tool definition BEFORE each invocation (if available)
+            // This detects rug pulls where description mutates after N calls
+            if (canTrackDefinitions) {
+                try {
+                    const currentTools = await this.executeWithTimeout(context.listTools(), this.PER_INVOCATION_TIMEOUT);
+                    const currentTool = currentTools.find((t) => t.name === tool.name);
+                    if (currentTool) {
+                        definitionSnapshots.push({
+                            invocation: i,
+                            description: currentTool.description,
+                            inputSchema: currentTool.inputSchema,
+                            timestamp: Date.now(),
+                        });
+                    }
+                }
+                catch {
+                    // Definition tracking failed - continue with response tracking
+                    this.log(`Warning: Failed to fetch tool definition for ${tool.name} at invocation ${i}`);
+                }
+            }
             try {
                 // P2-2: Use shorter per-invocation timeout (10s vs default 30s)
                 const response = await this.executeWithTimeout(context.callTool(tool.name, payload), this.PER_INVOCATION_TIMEOUT);
@@ -137,12 +175,59 @@ export class TemporalAssessor extends BaseAssessor {
                 await this.sleep(50);
             }
         }
+        // Analyze responses for temporal behavior changes
         const result = this.analyzeResponses(tool, responses);
+        // Analyze definitions for mutation (rug pull via description change)
+        const definitionMutation = this.detectDefinitionMutation(definitionSnapshots);
         return {
             ...result,
             reducedInvocations: isDestructive,
+            // Add definition mutation results
+            definitionMutated: definitionMutation !== null,
+            definitionMutationAt: definitionMutation?.detectedAt ?? null,
+            definitionEvidence: definitionMutation
+                ? {
+                    baselineDescription: definitionMutation.baselineDescription,
+                    mutatedDescription: definitionMutation.mutatedDescription,
+                    baselineSchema: definitionMutation.baselineSchema,
+                    mutatedSchema: definitionMutation.mutatedSchema,
+                }
+                : undefined,
+            // If definition mutated, mark as vulnerable with DEFINITION pattern
+            vulnerable: result.vulnerable || definitionMutation !== null,
+            pattern: definitionMutation !== null ? "RUG_PULL_DEFINITION" : result.pattern,
+            severity: definitionMutation !== null || result.vulnerable ? "HIGH" : "NONE",
         };
     }
+    /**
+     * Detect mutations in tool definition across invocation snapshots.
+     * DVMCP Challenge 4: Tool descriptions that mutate after N calls.
+     */
+    detectDefinitionMutation(snapshots) {
+        if (snapshots.length < 2)
+            return null;
+        const baseline = snapshots[0];
+        for (let i = 1; i < snapshots.length; i++) {
+            const current = snapshots[i];
+            // Check if description changed
+            const descriptionChanged = baseline.description !== current.description;
+            // Check if schema changed (deep comparison)
+            const schemaChanged = JSON.stringify(baseline.inputSchema) !==
+                JSON.stringify(current.inputSchema);
+            if (descriptionChanged || schemaChanged) {
+                return {
+                    detectedAt: current.invocation,
+                    baselineDescription: baseline.description,
+                    mutatedDescription: descriptionChanged
+                        ? current.description
+                        : undefined,
+                    baselineSchema: schemaChanged ? baseline.inputSchema : undefined,
+                    mutatedSchema: schemaChanged ? current.inputSchema : undefined,
+                };
+            }
+        }
+        return null;
+    }
     analyzeResponses(tool, responses) {
         if (responses.length === 0) {
             return {
@@ -380,31 +465,64 @@ export class TemporalAssessor extends BaseAssessor {
         }
         return "PASS";
     }
-    generateExplanation(rugPullsDetected, results) {
+    generateExplanation(rugPullsDetected, definitionMutationsDetected, results) {
         if (results.length === 0) {
             return "No tools were tested for temporal vulnerabilities.";
         }
-        if (rugPullsDetected === 0) {
-            return `All ${results.length} tools showed consistent behavior across repeated invocations.`;
+        const parts = [];
+        // Report response-based rug pulls
+        if (rugPullsDetected > 0) {
+            const responseVulnerableTools = results
+                .filter((r) => r.vulnerable && r.pattern === "RUG_PULL_TEMPORAL")
+                .map((r) => `${r.tool} (changed at invocation ${r.firstDeviationAt})`)
+                .join(", ");
+            if (responseVulnerableTools) {
+                parts.push(`CRITICAL: ${rugPullsDetected} tool(s) showed temporal response changes: ${responseVulnerableTools}`);
+            }
+        }
+        // Report definition mutations
+        if (definitionMutationsDetected > 0) {
+            const definitionVulnerableTools = results
+                .filter((r) => r.definitionMutated)
+                .map((r) => `${r.tool} (description changed at invocation ${r.definitionMutationAt})`)
+                .join(", ");
+            parts.push(`CRITICAL: ${definitionMutationsDetected} tool(s) mutated their definition/description: ${definitionVulnerableTools}`);
+        }
+        if (parts.length === 0) {
+            return `All ${results.length} tools showed consistent behavior and definitions across repeated invocations.`;
         }
-        const vulnerableTools = results
-            .filter((r) => r.vulnerable)
-            .map((r) => `${r.tool} (changed at invocation ${r.firstDeviationAt})`)
-            .join(", ");
-        return `CRITICAL: ${rugPullsDetected} tool(s) showed temporal behavior changes indicating potential rug pull vulnerability: ${vulnerableTools}`;
+        return parts.join(" ");
     }
     generateRecommendations(results) {
         const recommendations = [];
-        const vulnerableTools = results.filter((r) => r.vulnerable);
-        if (vulnerableTools.length > 0) {
+        // Response-based rug pulls
+        const responseVulnerableTools = results.filter((r) => r.vulnerable && r.pattern === "RUG_PULL_TEMPORAL");
+        if (responseVulnerableTools.length > 0) {
             recommendations.push("Immediately investigate tools with temporal behavior changes - this pattern is characteristic of rug pull attacks.");
-            for (const tool of vulnerableTools) {
+            for (const tool of responseVulnerableTools) {
                 recommendations.push(`Review ${tool.tool}: behavior changed after ${tool.firstDeviationAt} invocations. Compare safe vs malicious responses in evidence.`);
             }
             recommendations.push("Check for invocation counters, time-based triggers, or state accumulation in the tool implementation.");
         }
+        // Definition mutation rug pulls
+        const definitionMutatedTools = results.filter((r) => r.definitionMutated);
+        if (definitionMutatedTools.length > 0) {
+            recommendations.push("CRITICAL: Tool definition/description mutations detected - this is a sophisticated rug pull attack that injects malicious instructions after N calls.");
+            for (const tool of definitionMutatedTools) {
+                const baseline = tool.definitionEvidence?.baselineDescription
+                    ? `"${tool.definitionEvidence.baselineDescription.substring(0, 100)}..."`
+                    : "unknown";
+                const mutated = tool.definitionEvidence?.mutatedDescription
+                    ? `"${tool.definitionEvidence.mutatedDescription.substring(0, 100)}..."`
+                    : "unknown";
+                recommendations.push(`${tool.tool}: Description changed at invocation ${tool.definitionMutationAt}. Baseline: ${baseline} → Mutated: ${mutated}`);
+            }
+            recommendations.push("Review tool source code for global state that mutates __doc__, description, or tool metadata based on call count.");
+        }
         const errorTools = results.filter((r) => r.errorCount > 0);
-        if (errorTools.length > 0 && vulnerableTools.length === 0) {
+        if (errorTools.length > 0 &&
+            responseVulnerableTools.length === 0 &&
+            definitionMutatedTools.length === 0) {
             recommendations.push(`${errorTools.length} tool(s) had errors during repeated invocations. Review error handling and rate limiting.`);
         }
         return recommendations;

package/lib/services/assessment/modules/ToolAnnotationAssessor.d.ts

@@ -79,6 +79,11 @@ export declare class ToolAnnotationAssessor extends BaseAssessor {
      * Now includes alignment status with confidence-aware logic
      */
     private assessTool;
+    /**
+     * Scan tool description for poisoning patterns (Issue #8)
+     * Detects hidden instructions, override commands, concealment, and exfiltration attempts
+     */
+    private scanDescriptionForPoisoning;
     /**
      * Extract annotations from a tool
      * MCP SDK may have annotations in different locations

package/lib/services/assessment/modules/ToolAnnotationAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ToolAnnotationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ToolAnnotationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,wBAAwB,EACxB,oBAAoB,EAKpB,uBAAuB,EAExB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EACL,KAAK,gBAAgB,EAGtB,MAAM,8BAA8B,CAAC;AAEtC;;GAEG;AACH,MAAM,WAAW,4BAA6B,SAAQ,oBAAoB;IACxE,eAAe,CAAC,EAAE;QAChB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;QAClB,oBAAoB,EAAE;YACpB,YAAY,CAAC,EAAE,OAAO,CAAC;YACvB,eAAe,CAAC,EAAE,OAAO,CAAC;YAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;SAC1B,CAAC;QACF,oBAAoB,EAAE,OAAO,CAAC;QAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,MAAM,EAAE,iBAAiB,GAAG,eAAe,CAAC;KAC7C,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,gCAAiC,SAAQ,wBAAwB;IAChF,WAAW,EAAE,4BAA4B,EAAE,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,2BAA2B,EAAE,4BAA4B,EAAE,CAAC;CAC7D;AAKD,qBAAa,sBAAuB,SAAQ,YAAY;IACtD,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,gBAAgB,CAAmB;gBAE/B,MAAM,EAAE,uBAAuB;IAM3C;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAK7C;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAK/C;;OAEG;IACH,eAAe,IAAI,OAAO;IAO1B;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,wBAAwB,GAAG,gCAAgC,CAAC;IA8QvE;;OAEG;YACW,0BAA0B;IA+IxC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAiCnC;;OAEG;IACH,OAAO,CAAC,+BAA+B;IAoFvC;;;OAGG;IACH,OAAO,CAAC,UAAU;IA+GlB;;;;;;;;;OASG;IACH,OAAO,CAAC,kBAAkB;IAyE1B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAuBzB;;;OAGG;IACH,OAAO,CAAC,aAAa;IAgGrB;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAkDjC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAiDxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmC3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CA2ChC"}
+{"version":3,"file":"ToolAnnotationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ToolAnnotationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,wBAAwB,EACxB,oBAAoB,EAKpB,uBAAuB,EAExB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EACL,KAAK,gBAAgB,EAGtB,MAAM,8BAA8B,CAAC;AAgNtC;;GAEG;AACH,MAAM,WAAW,4BAA6B,SAAQ,oBAAoB;IACxE,eAAe,CAAC,EAAE;QAChB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;QAClB,oBAAoB,EAAE;YACpB,YAAY,CAAC,EAAE,OAAO,CAAC;YACvB,eAAe,CAAC,EAAE,OAAO,CAAC;YAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;SAC1B,CAAC;QACF,oBAAoB,EAAE,OAAO,CAAC;QAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,MAAM,EAAE,iBAAiB,GAAG,eAAe,CAAC;KAC7C,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,gCAAiC,SAAQ,wBAAwB;IAChF,WAAW,EAAE,4BAA4B,EAAE,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,2BAA2B,EAAE,4BAA4B,EAAE,CAAC;CAC7D;AAKD,qBAAa,sBAAuB,SAAQ,YAAY;IACtD,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,gBAAgB,CAAmB;gBAE/B,MAAM,EAAE,uBAAuB;IAM3C;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAK7C;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAK/C;;OAEG;IACH,eAAe,IAAI,OAAO;IAO1B;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,wBAAwB,GAAG,gCAAgC,CAAC;IAkSvE;;OAEG;YACW,0BAA0B;IA+IxC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAiCnC;;OAEG;IACH,OAAO,CAAC,+BAA+B;IAoFvC;;;OAGG;IACH,OAAO,CAAC,UAAU;IA2HlB;;;OAGG;IACH,OAAO,CAAC,2BAA2B;IA2DnC;;;;;;;;;OASG;IACH,OAAO,CAAC,kBAAkB;IAyE1B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAuBzB;;;OAGG;IACH,OAAO,CAAC,aAAa;IAgGrB;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IA0DjC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAiDxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmC3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CA2ChC"}

package/lib/services/assessment/modules/ToolAnnotationAssessor.js

@@ -12,6 +12,190 @@
  */
 import { BaseAssessor } from "./BaseAssessor.js";
 import { getDefaultCompiledPatterns, matchToolPattern, } from "../config/annotationPatterns.js";
+const DESCRIPTION_POISONING_PATTERNS = [
+    // Hidden instruction tags
+    {
+        name: "hidden_tag",
+        pattern: /<HIDDEN>[\s\S]*?<\/HIDDEN>/gi,
+        severity: "HIGH",
+        category: "hidden_instructions",
+    },
+    {
+        name: "important_tag",
+        pattern: /<IMPORTANT>[\s\S]*?<\/IMPORTANT>/gi,
+        severity: "HIGH",
+        category: "hidden_instructions",
+    },
+    {
+        name: "system_tag",
+        pattern: /<SYSTEM>[\s\S]*?<\/SYSTEM>/gi,
+        severity: "HIGH",
+        category: "hidden_instructions",
+    },
+    {
+        name: "instruction_tag",
+        pattern: /<INSTRUCTION>[\s\S]*?<\/INSTRUCTION>/gi,
+        severity: "HIGH",
+        category: "hidden_instructions",
+    },
+    // Override commands
+    {
+        name: "ignore_instructions",
+        pattern: /ignore\s+(all\s+)?(previous|prior|above)\s+instructions/i,
+        severity: "HIGH",
+        category: "override",
+    },
+    {
+        name: "disregard_instructions",
+        pattern: /disregard\s+(all\s+)?(previous|prior)\s+instructions/i,
+        severity: "HIGH",
+        category: "override",
+    },
+    {
+        name: "you_are_now",
+        pattern: /you\s+are\s+now\s+(a|an|the)/i,
+        severity: "MEDIUM",
+        category: "override",
+    },
+    {
+        name: "system_override",
+        pattern: /system:\s*override/i,
+        severity: "HIGH",
+        category: "override",
+    },
+    // Secrecy/concealment
+    {
+        name: "do_not_mention",
+        pattern: /do\s+not\s+(mention|tell|inform|reveal)/i,
+        severity: "HIGH",
+        category: "concealment",
+    },
+    {
+        name: "secretly",
+        pattern: /\bsecretly\b/i,
+        severity: "MEDIUM",
+        category: "concealment",
+    },
+    {
+        name: "hide_from_user",
+        pattern: /hide\s+(this\s+)?from\s+(the\s+)?user/i,
+        severity: "HIGH",
+        category: "concealment",
+    },
+    // Data exfiltration
+    {
+        name: "return_keys",
+        pattern: /return\s+(all\s+)?(api\s*)?keys/i,
+        severity: "HIGH",
+        category: "exfiltration",
+    },
+    {
+        name: "include_credentials",
+        pattern: /include.*(api.?key|credential|password|secret)/i,
+        severity: "HIGH",
+        category: "exfiltration",
+    },
+    {
+        name: "reveal_secrets",
+        pattern: /reveal\s+(all\s+)?(secrets|credentials|api\s*keys)/i,
+        severity: "HIGH",
+        category: "exfiltration",
+    },
+    {
+        name: "access_internal_secrets",
+        pattern: /access\s+(the\s+)?internal\s+(api\s*)?(key|secret|credential|password|token)/i,
+        severity: "HIGH",
+        category: "exfiltration",
+    },
+    // Delimiter injection
+    {
+        name: "system_codeblock",
+        pattern: /```system[\s\S]*?```/gi,
+        severity: "HIGH",
+        category: "delimiter",
+    },
+    {
+        name: "inst_tags",
+        pattern: /\[INST\][\s\S]*?\[\/INST\]/gi,
+        severity: "HIGH",
+        category: "delimiter",
+    },
+    {
+        name: "chatml_system",
+        pattern: /<\|im_start\|>system/gi,
+        severity: "HIGH",
+        category: "delimiter",
+    },
+    {
+        name: "llama_sys",
+        pattern: /<<SYS>>/gi,
+        severity: "HIGH",
+        category: "delimiter",
+    },
+    {
+        name: "user_assistant_block",
+        pattern: /\[USER\][\s\S]*?\[ASSISTANT\]/gi,
+        severity: "HIGH",
+        category: "delimiter",
+    },
+    // Role/persona injection (Warning #4)
+    {
+        name: "act_as",
+        pattern: /act\s+(like|as)\s+(a|an|the)/i,
+        severity: "MEDIUM",
+        category: "override",
+    },
+    {
+        name: "pretend_to_be",
+        pattern: /pretend\s+(to\s+be|you\s*'?re)/i,
+        severity: "MEDIUM",
+        category: "override",
+    },
+    {
+        name: "roleplay_as",
+        pattern: /role\s*play\s+(as|like)/i,
+        severity: "MEDIUM",
+        category: "override",
+    },
+    {
+        name: "new_task",
+        pattern: /new\s+(task|instruction|objective):\s*/i,
+        severity: "HIGH",
+        category: "override",
+    },
+    // Encoding bypass detection (Warning #1)
+    {
+        name: "base64_encoded_block",
+        pattern: /[A-Za-z0-9+/]{50,}={0,2}/g, // Large Base64 strings (50+ chars)
+        severity: "MEDIUM",
+        category: "encoding_bypass",
+    },
+    {
+        name: "unicode_escape_sequence",
+        pattern: /(?:\\u[0-9a-fA-F]{4}){3,}/gi, // 3+ consecutive Unicode escapes
+        severity: "MEDIUM",
+        category: "encoding_bypass",
+    },
+    {
+        name: "html_entity_block",
+        pattern: /(?:&#x?[0-9a-fA-F]+;){3,}/gi, // 3+ consecutive HTML entities
+        severity: "MEDIUM",
+        category: "encoding_bypass",
+    },
+    // Typoglycemia/evasion patterns (Warning #2)
+    {
+        name: "ignore_instructions_typo",
+        pattern: /ign[o0]r[e3]?\s+(all\s+)?(pr[e3]v[i1][o0]us|pr[i1][o0]r|ab[o0]v[e3])\s+[i1]nstruct[i1][o0]ns?/i,
+        severity: "HIGH",
+        category: "override",
+    },
+    {
+        name: "disregard_typo",
+        pattern: /d[i1]sr[e3]g[a4]rd\s+(all\s+)?(pr[e3]v[i1][o0]us|pr[i1][o0]r)\s+[i1]nstruct[i1][o0]ns?/i,
+        severity: "HIGH",
+        category: "override",
+    },
+];
 // NOTE: Pattern arrays moved to config/annotationPatterns.ts for configurability
 // The patterns are now loaded from getDefaultCompiledPatterns() or custom config
 export class ToolAnnotationAssessor extends BaseAssessor {
@@ -53,6 +237,7 @@ export class ToolAnnotationAssessor extends BaseAssessor {
         let annotatedCount = 0;
         let missingAnnotationsCount = 0;
         let misalignedAnnotationsCount = 0;
+        let poisonedDescriptionsCount = 0;
         // Track annotation sources
         const annotationSourceCounts = {
             mcp: 0,
@@ -128,6 +313,20 @@ export class ToolAnnotationAssessor extends BaseAssessor {
             else {
                 annotationSourceCounts.none++;
             }
+            // Track and emit poisoned description detection (Issue #8)
+            if (latestResult.descriptionPoisoning?.detected) {
+                poisonedDescriptionsCount++;
+                this.log(`POISONED DESCRIPTION DETECTED: ${tool.name} contains suspicious patterns`);
+                if (context.onProgress) {
+                    context.onProgress({
+                        type: "annotation_poisoned",
+                        tool: tool.name,
+                        description: tool.description,
+                        patterns: latestResult.descriptionPoisoning.patterns,
+                        riskLevel: latestResult.descriptionPoisoning.riskLevel,
+                    });
+                }
+            }
             // Emit annotation_missing event with tool details
             if (!latestResult.hasAnnotations) {
                 if (context.onProgress && latestResult.inferredBehavior) {
@@ -231,7 +430,7 @@ export class ToolAnnotationAssessor extends BaseAssessor {
         const recommendations = this.generateRecommendations(toolResults);
         // Calculate new metrics and alignment breakdown
         const { metrics, alignmentBreakdown } = this.calculateMetrics(toolResults, context.tools.length);
-        this.log(`Assessment complete: ${annotatedCount}/${context.tools.length} tools annotated, ${misalignedAnnotationsCount} misaligned, ${alignmentBreakdown.reviewRecommended} need review`);
+        this.log(`Assessment complete: ${annotatedCount}/${context.tools.length} tools annotated, ${misalignedAnnotationsCount} misaligned, ${alignmentBreakdown.reviewRecommended} need review, ${poisonedDescriptionsCount} poisoned`);
         // Return enhanced assessment if Claude was used
         if (useClaudeInference) {
             const highConfidenceMisalignments = toolResults.filter((r) => r.claudeInference &&
@@ -249,6 +448,7 @@ export class ToolAnnotationAssessor extends BaseAssessor {
                 metrics,
                 alignmentBreakdown,
                 annotationSources: annotationSourceCounts,
+                poisonedDescriptionsDetected: poisonedDescriptionsCount,
                 claudeEnhanced: true,
                 highConfidenceMisalignments,
             };
@@ -264,6 +464,7 @@ export class ToolAnnotationAssessor extends BaseAssessor {
             metrics,
             alignmentBreakdown,
             annotationSources: annotationSourceCounts,
+            poisonedDescriptionsDetected: poisonedDescriptionsCount,
         };
     }
     /**
@@ -516,6 +717,12 @@ export class ToolAnnotationAssessor extends BaseAssessor {
                 alignmentStatus = "MISALIGNED";
             }
         }
+        // Scan for description poisoning (Issue #8)
+        const descriptionPoisoning = this.scanDescriptionForPoisoning(tool);
+        if (descriptionPoisoning.detected) {
+            issues.push(`Tool description contains suspicious patterns: ${descriptionPoisoning.patterns.map((p) => p.name).join(", ")}`);
+            recommendations.push(`Review ${tool.name} description for potential prompt injection or hidden instructions`);
+        }
         return {
             toolName: tool.name,
             hasAnnotations,
@@ -525,6 +732,49 @@ export class ToolAnnotationAssessor extends BaseAssessor {
             alignmentStatus,
             issues,
             recommendations,
+            descriptionPoisoning,
+        };
+    }
+    /**
+     * Scan tool description for poisoning patterns (Issue #8)
+     * Detects hidden instructions, override commands, concealment, and exfiltration attempts
+     */
+    scanDescriptionForPoisoning(tool) {
+        const description = tool.description || "";
+        const matches = [];
+        for (const patternDef of DESCRIPTION_POISONING_PATTERNS) {
+            // Create a fresh regex to reset lastIndex
+            const regex = new RegExp(patternDef.pattern.source, patternDef.pattern.flags);
+            // Loop to find all matches (not just first)
+            let match;
+            while ((match = regex.exec(description)) !== null) {
+                matches.push({
+                    name: patternDef.name,
+                    pattern: patternDef.pattern.toString(),
+                    severity: patternDef.severity,
+                    category: patternDef.category,
+                    evidence: match[0].substring(0, 100) + (match[0].length > 100 ? "..." : ""),
+                });
+                // Prevent infinite loop for patterns without 'g' flag
+                if (!regex.global)
+                    break;
+            }
+        }
+        // Determine overall risk level based on highest severity match
+        let riskLevel = "NONE";
+        if (matches.some((m) => m.severity === "HIGH")) {
+            riskLevel = "HIGH";
+        }
+        else if (matches.some((m) => m.severity === "MEDIUM")) {
+            riskLevel = "MEDIUM";
+        }
+        else if (matches.length > 0) {
+            riskLevel = "LOW";
+        }
+        return {
+            detected: matches.length > 0,
+            patterns: matches,
+            riskLevel,
         };
     }
     /**
@@ -700,6 +950,11 @@ export class ToolAnnotationAssessor extends BaseAssessor {
         if (totalTools === 0)
             return "PASS";
         const annotatedCount = results.filter((r) => r.hasAnnotations).length;
+        // Check for poisoned descriptions (Issue #8) - critical security issue
+        const poisonedCount = results.filter((r) => r.descriptionPoisoning?.detected === true).length;
+        if (poisonedCount > 0) {
+            return "FAIL";
+        }
         // Only count actual MISALIGNED, not REVIEW_RECOMMENDED
         const misalignedCount = results.filter((r) => r.alignmentStatus === "MISALIGNED").length;
         // Count high-confidence destructive tools without proper hints