@bryan-thompson/inspector-assessment-client 1.19.5 → 1.19.7

package/dist/assets/{OAuthCallback-DbXCayzE.js → OAuthCallback-CTi1WHpO.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BToUV-36.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CdUk9TCd.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/dist/assets/{OAuthDebugCallback-DO4zwsDb.js → OAuthDebugCallback-Ugn64tA_.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BToUV-36.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CdUk9TCd.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/dist/assets/{index-BToUV-36.js → index-CdUk9TCd.js}

@@ -16320,7 +16320,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.19.4";
+const version$1 = "1.19.7";
 const packageJson = {
   name,
   version: version$1
@@ -45352,7 +45352,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.19.4";
+const version = "1.19.7";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -48915,6 +48915,11 @@ class ErrorHandlingAssessor extends BaseAssessor {
   }
   selectToolsForTesting(tools) {
     if (this.config.selectedToolsForTesting !== void 0) {
+      if (this.config.maxToolsToTestForErrors !== void 0) {
+        this.log(
+          `Warning: Both selectedToolsForTesting and maxToolsToTestForErrors are set. Using selectedToolsForTesting (maxToolsToTestForErrors is deprecated).`
+        );
+      }
       const selectedNames = new Set(this.config.selectedToolsForTesting);
       const selectedTools = tools.filter(
         (tool) => selectedNames.has(tool.name)
@@ -59161,13 +59166,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-DbXCayzE.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-CTi1WHpO.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-DO4zwsDb.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-Ugn64tA_.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-BToUV-36.js"></script>
+    <script type="module" crossorigin src="/assets/index-CdUk9TCd.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-DiyPO_Zj.css">
   </head>
   <body>

package/lib/services/assessment/AssessmentOrchestrator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AssessmentOrchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/AssessmentOrchestrator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EAGvB,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,IAAI,EACJ,2BAA2B,EAC5B,MAAM,oCAAoC,CAAC;AAiC5C,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EAEvB,MAAM,wBAAwB,CAAC;AAwEhC;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC,CAAC;CACJ;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAClC,SAAS,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,OAAO,CAAC;QAAC,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3D,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,uBAAuB,CAAC;IAChC,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC;IAIF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAGtC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IAIrB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAG9B,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC1C,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;IACtB,kBAAkB,CAAC,EAAE,qBAAqB,CAAC;IAG3C,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD,SAAS,CAAC,EAAE,CACV,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACzB,OAAO,CAAC;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IAGrE,eAAe,CAAC,EAAE;QAChB,IAAI,EAAE,OAAO,GAAG,KAAK,GAAG,iBAAiB,CAAC;QAC1C,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,CAAC;IAIF,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;CACnC;AAED,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,SAAS,CAAa;IAC9B,OAAO,CAAC,aAAa,CAAa;IAGlC,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,aAAa,CAAkB;IAGvC,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,iBAAiB,CAAoB;IAG7C,OAAO,CAAC,eAAe,CAAC,CAA4B;IAGpD,OAAO,CAAC,qBAAqB,CAAC,CAAwB;IACtD,OAAO,CAAC,sBAAsB,CAAC,CAAyB;IACxD,OAAO,CAAC,2BAA2B,CAAC,CAA8B;IAClE,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAChE,OAAO,CAAC,mBAAmB,CAAC,CAAsB;IAClD,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAChE,OAAO,CAAC,gBAAgB,CAAC,CAAmB;IAG5C,OAAO,CAAC,gBAAgB,CAAC,CAAmB;IAC5C,OAAO,CAAC,cAAc,CAAC,CAAiB;IACxC,OAAO,CAAC,uBAAuB,CAAC,CAAkC;gBAEtD,MAAM,GAAE,OAAO,CAAC,uBAAuB,CAAM;IAsFzD;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAqBhE;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,eAAe,IAAI,gBAAgB,GAAG,SAAS;IAI/C;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAqC1B;;OAEG;IACG,iBAAiB,CACrB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,sBAAsB,CAAC;IA4flC;;OAEG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,GAAG,EAChB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,GAAG,GAChB,OAAO,CAAC,sBAAsB,CAAC;IAclC,OAAO,CAAC,qBAAqB;IAsE7B,OAAO,CAAC,sBAAsB;IAoB9B,OAAO,CAAC,eAAe;IA8DvB,OAAO,CAAC,uBAAuB;IAc/B;;OAEG;IACH,SAAS,IAAI,uBAAuB;IAIpC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI;CAG7D"}
+{"version":3,"file":"AssessmentOrchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/AssessmentOrchestrator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EAGvB,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,IAAI,EACJ,2BAA2B,EAC5B,MAAM,oCAAoC,CAAC;AAiC5C,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EAEvB,MAAM,wBAAwB,CAAC;AAgKhC;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC,CAAC;CACJ;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAClC,SAAS,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,OAAO,CAAC;QAAC,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3D,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,uBAAuB,CAAC;IAChC,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC;IAIF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAGtC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IAIrB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAG9B,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC1C,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;IACtB,kBAAkB,CAAC,EAAE,qBAAqB,CAAC;IAG3C,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD,SAAS,CAAC,EAAE,CACV,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACzB,OAAO,CAAC;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IAGrE,eAAe,CAAC,EAAE;QAChB,IAAI,EAAE,OAAO,GAAG,KAAK,GAAG,iBAAiB,CAAC;QAC1C,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,CAAC;IAIF,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;CACnC;AAED,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,SAAS,CAAa;IAC9B,OAAO,CAAC,aAAa,CAAa;IAGlC,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,aAAa,CAAkB;IAGvC,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,iBAAiB,CAAoB;IAG7C,OAAO,CAAC,eAAe,CAAC,CAA4B;IAGpD,OAAO,CAAC,qBAAqB,CAAC,CAAwB;IACtD,OAAO,CAAC,sBAAsB,CAAC,CAAyB;IACxD,OAAO,CAAC,2BAA2B,CAAC,CAA8B;IAClE,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAChE,OAAO,CAAC,mBAAmB,CAAC,CAAsB;IAClD,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAChE,OAAO,CAAC,gBAAgB,CAAC,CAAmB;IAG5C,OAAO,CAAC,gBAAgB,CAAC,CAAmB;IAC5C,OAAO,CAAC,cAAc,CAAC,CAAiB;IACxC,OAAO,CAAC,uBAAuB,CAAC,CAAkC;gBAEtD,MAAM,GAAE,OAAO,CAAC,uBAAuB,CAAM;IAsFzD;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAqBhE;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,eAAe,IAAI,gBAAgB,GAAG,SAAS;IAI/C;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAqC1B;;OAEG;IACG,iBAAiB,CACrB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,sBAAsB,CAAC;IA4flC;;OAEG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,GAAG,EAChB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,GAAG,GAChB,OAAO,CAAC,sBAAsB,CAAC;IAclC,OAAO,CAAC,qBAAqB;IAsE7B,OAAO,CAAC,sBAAsB;IAoB9B,OAAO,CAAC,eAAe;IA8DvB,OAAO,CAAC,uBAAuB;IAc/B;;OAEG;IACH,SAAS,IAAI,uBAAuB;IAIpC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI;CAG7D"}

package/lib/services/assessment/AssessmentOrchestrator.js

@@ -51,6 +51,7 @@ function emitModuleStartedEvent(moduleName, estimatedTests, toolCount) {
 /**
  * Emit module_complete event with score and duration.
  * Uses shared score calculator for consistent scoring logic.
+ * For AUP module, includes enriched violation data for Claude analysis.
  */
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 function emitModuleProgress(moduleName, status, result, testsRun = 0) {
@@ -61,8 +62,8 @@ function emitModuleProgress(moduleName, status, result, testsRun = 0) {
     const startTime = moduleStartTimes.get(moduleKey);
     const duration = startTime ? Date.now() - startTime : 0;
     moduleStartTimes.delete(moduleKey);
-    // Emit JSONL to stderr with version field
-    console.error(JSON.stringify({
+    // Build base event
+    const event = {
         event: "module_complete",
         module: moduleKey,
         status,
@@ -70,7 +71,78 @@ function emitModuleProgress(moduleName, status, result, testsRun = 0) {
         testsRun,
         duration,
         version: INSPECTOR_VERSION,
-    }));
+    };
+    // Add AUP enrichment when module is AUP
+    if (moduleKey === "aup" && result) {
+        const aupEnrichment = buildAUPEnrichment(result);
+        Object.assign(event, aupEnrichment);
+    }
+    // Emit JSONL to stderr with version field
+    console.error(JSON.stringify(event));
+}
+/**
+ * Build AUP enrichment data from an AUP compliance assessment result.
+ * Samples violations prioritizing by severity (CRITICAL > HIGH > MEDIUM).
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function buildAUPEnrichment(aupResult, maxSamples = 10) {
+    const violations = aupResult.violations || [];
+    // Calculate metrics
+    const metrics = {
+        total: violations.length,
+        critical: violations.filter((v) => v.severity === "CRITICAL").length,
+        high: violations.filter((v) => v.severity === "HIGH")
+            .length,
+        medium: violations.filter((v) => v.severity === "MEDIUM").length,
+        byCategory: {},
+    };
+    // Count by category
+    for (const v of violations) {
+        metrics.byCategory[v.category] = (metrics.byCategory[v.category] || 0) + 1;
+    }
+    // Sample violations prioritizing by severity
+    const sampled = [];
+    const severityOrder = ["CRITICAL", "HIGH", "MEDIUM"];
+    for (const severity of severityOrder) {
+        if (sampled.length >= maxSamples)
+            break;
+        const bySeverity = violations.filter((v) => v.severity === severity);
+        for (const v of bySeverity) {
+            if (sampled.length >= maxSamples)
+                break;
+            sampled.push({
+                category: v.category,
+                categoryName: v.categoryName,
+                severity: v.severity,
+                matchedText: v.matchedText,
+                location: v.location,
+                confidence: v.confidence,
+            });
+        }
+    }
+    // Build sampling note
+    let samplingNote = "";
+    if (violations.length === 0) {
+        samplingNote = "No violations detected.";
+    }
+    else if (violations.length <= maxSamples) {
+        samplingNote = `All ${violations.length} violation(s) included.`;
+    }
+    else {
+        samplingNote = `Sampled ${sampled.length} of ${violations.length} violations, prioritized by severity (CRITICAL > HIGH > MEDIUM).`;
+    }
+    return {
+        violationsSample: sampled,
+        samplingNote,
+        violationMetrics: metrics,
+        scannedLocations: aupResult.scannedLocations || {
+            toolNames: false,
+            toolDescriptions: false,
+            readme: false,
+            sourceCode: false,
+        },
+        highRiskDomains: (aupResult.highRiskDomains || []).slice(0, 10),
+    };
 }
 export class AssessmentOrchestrator {
     config;

package/lib/services/assessment/modules/DocumentationAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DocumentationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/DocumentationAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE9D,qBAAa,qBAAsB,SAAQ,YAAY;IAC/C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAuB1E,OAAO,CAAC,oBAAoB;IA6H5B;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAuEjC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiBhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAmC9B;;OAEG;IACH,OAAO,CAAC,aAAa;IAKrB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAqB3B;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IA4C3B,OAAO,CAAC,wBAAwB;IAchC,OAAO,CAAC,eAAe;IAavB,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,cAAc;IAUtB;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAY9B;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IA4B3B,OAAO,CAAC,4BAA4B;IAmBpC,OAAO,CAAC,mBAAmB;IAyB3B,OAAO,CAAC,uBAAuB;CA+BhC"}
+{"version":3,"file":"DocumentationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/DocumentationAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE9D,qBAAa,qBAAsB,SAAQ,YAAY;IAC/C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAwC1E,OAAO,CAAC,oBAAoB;IA6H5B;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAuEjC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiBhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAmC9B;;OAEG;IACH,OAAO,CAAC,aAAa;IAKrB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAqB3B;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IA4C3B,OAAO,CAAC,wBAAwB;IAchC,OAAO,CAAC,eAAe;IAavB,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,cAAc;IAUtB;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAY9B;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IA4B3B,OAAO,CAAC,4BAA4B;IAmBpC,OAAO,CAAC,mBAAmB;IAyB3B,OAAO,CAAC,uBAAuB;CA+BhC"}

package/lib/services/assessment/modules/DocumentationAssessor.js

@@ -7,7 +7,18 @@ export class DocumentationAssessor extends BaseAssessor {
     async assess(context) {
         this.log("Starting documentation assessment");
         const readmeContent = context.readmeContent || "";
-        const verbosity = this.config.documentationVerbosity || "standard";
+        const validVerbosityLevels = ["minimal", "standard", "verbose"];
+        const configVerbosity = this.config.documentationVerbosity;
+        let verbosity = "standard";
+        if (configVerbosity) {
+            if (validVerbosityLevels.includes(configVerbosity)) {
+                verbosity = configVerbosity;
+            }
+            else {
+                this.log(`Warning: Invalid documentationVerbosity "${configVerbosity}". ` +
+                    `Valid options: ${validVerbosityLevels.join(", ")}. Using "standard".`);
+            }
+        }
         const metrics = this.analyzeDocumentation(readmeContent, context.tools, verbosity);
         const status = this.determineDocumentationStatus(metrics);
         const explanation = this.generateExplanation(metrics);

package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ErrorHandlingAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ErrorHandlingAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAG9D,qBAAa,qBAAsB,SAAQ,YAAY;IAC/C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IA+D1E,OAAO,CAAC,qBAAqB;YA8Cf,qBAAqB;YAuBrB,qBAAqB;YAmGrB,cAAc;YAmFd,iBAAiB;YA8DjB,kBAAkB;IA6DhC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,0BAA0B;IAgClC,OAAO,CAAC,uBAAuB;IA4B/B,OAAO,CAAC,gBAAgB;IAoGxB,OAAO,CAAC,4BAA4B;IAapC,OAAO,CAAC,mBAAmB;IAuE3B,OAAO,CAAC,uBAAuB;CA4ChC"}
+{"version":3,"file":"ErrorHandlingAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ErrorHandlingAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAG9D,qBAAa,qBAAsB,SAAQ,YAAY;IAC/C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IA+D1E,OAAO,CAAC,qBAAqB;YAqDf,qBAAqB;YAuBrB,qBAAqB;YAmGrB,cAAc;YAmFd,iBAAiB;YA8DjB,kBAAkB;IA6DhC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,0BAA0B;IAgClC,OAAO,CAAC,uBAAuB;IA4B/B,OAAO,CAAC,gBAAgB;IAoGxB,OAAO,CAAC,4BAA4B;IAapC,OAAO,CAAC,mBAAmB;IAuE3B,OAAO,CAAC,uBAAuB;CA4ChC"}

package/lib/services/assessment/modules/ErrorHandlingAssessor.js

@@ -46,6 +46,11 @@ export class ErrorHandlingAssessor extends BaseAssessor {
         // Prefer new selectedToolsForTesting configuration
         // Note: undefined/null means "test all" (default), empty array [] means "test none" (explicit)
         if (this.config.selectedToolsForTesting !== undefined) {
+            // Warn if deprecated maxToolsToTestForErrors is also set
+            if (this.config.maxToolsToTestForErrors !== undefined) {
+                this.log(`Warning: Both selectedToolsForTesting and maxToolsToTestForErrors are set. ` +
+                    `Using selectedToolsForTesting (maxToolsToTestForErrors is deprecated).`);
+            }
             const selectedNames = new Set(this.config.selectedToolsForTesting);
             const selectedTools = tools.filter((tool) => selectedNames.has(tool.name));
             // Empty array means user explicitly selected 0 tools

package/lib/services/assessment/modules/SecurityAssessor.d.ts

@@ -1,13 +1,19 @@
 /**
  * Security Assessor Module
  * Tests for backend API security vulnerabilities using 20 focused patterns
- * - Critical Injection (6): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
- * - Input Validation (3): Type Safety, Boundary Testing, Required Fields
- * - Protocol Compliance (2): MCP Error Format, Timeout Handling
- * - Tool-Specific (7): SSRF, Unicode Bypass, Nested Injection, Package Squatting,
- *                      Data Exfiltration, Configuration Drift, Tool Shadowing
- * - Resource Exhaustion (1): DoS/Resource Exhaustion
- * - Deserialization (1): Insecure Deserialization
+ *
+ * BASIC MODE (5 patterns - enableDomainTesting=false):
+ *   Command Injection, Calculator Injection, SQL Injection, Path Traversal, Unicode Bypass
+ *
+ * ADVANCED MODE (all 20 patterns - enableDomainTesting=true):
+ *   - Critical Injection (6): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
+ *   - Input Validation (3): Type Safety, Boundary Testing, Required Fields
+ *   - Protocol Compliance (2): MCP Error Format, Timeout Handling
+ *   - Tool-Specific (6): SSRF, Nested Injection, Package Squatting,
+ *                        Data Exfiltration, Configuration Drift, Tool Shadowing
+ *   - Encoding Bypass (1): Unicode Bypass
+ *   - Resource Exhaustion (1): DoS/Resource Exhaustion
+ *   - Deserialization (1): Insecure Deserialization
  */
 import { SecurityAssessment } from "../../../lib/assessmentTypes.js";
 import { BaseAssessor } from "./BaseAssessor.js";

package/lib/services/assessment/modules/SecurityAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAc9D,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,iBAAiB,CAAuC;IAC1D,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAuFrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;;;OAIG;YACW,yBAAyB;IAuKvC;;;;OAIG;YACW,qBAAqB;IA4JnC;;OAEG;YACW,WAAW;IA2HzB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;IAgDzB;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAiDtC;;OAEG;IACH,OAAO,CAAC,aAAa;IA+BrB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAgClC;;;OAGG;IACH,OAAO,CAAC,eAAe;IA6HvB;;;;;;;OAOG;IACH,OAAO,CAAC,qBAAqB;IAiE7B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAsB3B;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IAkC5B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAkEnC;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAuI3B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAsB5B;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,oBAAoB;IAuM5B;;;;;;;;;OASG;IACH,OAAO,CAAC,wBAAwB;IAwDhC;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAuBtC;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IA8BhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAW9B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAO1B,OAAO,CAAC,oBAAoB;IAoH5B;;OAEG;IACH,OAAO,CAAC,YAAY;IASpB;;;OAGG;IACH,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,OAAO,CAAC,kBAAkB;CAmB3B"}
+{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAc9D,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,iBAAiB,CAAuC;IAC1D,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAuFrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;;;OAIG;YACW,yBAAyB;IAuKvC;;;;OAIG;YACW,qBAAqB;IA4JnC;;OAEG;YACW,WAAW;IA2HzB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;IAgDzB;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAiDtC;;OAEG;IACH,OAAO,CAAC,aAAa;IA+BrB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAgClC;;;OAGG;IACH,OAAO,CAAC,eAAe;IA6HvB;;;;;;;OAOG;IACH,OAAO,CAAC,qBAAqB;IAiE7B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAsB3B;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IAkC5B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAkEnC;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAuI3B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAsB5B;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,oBAAoB;IAuM5B;;;;;;;;;OASG;IACH,OAAO,CAAC,wBAAwB;IAwDhC;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAuBtC;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IA8BhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAW9B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAO1B,OAAO,CAAC,oBAAoB;IAoH5B;;OAEG;IACH,OAAO,CAAC,YAAY;IASpB;;;OAGG;IACH,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,OAAO,CAAC,kBAAkB;CAmB3B"}

package/lib/services/assessment/modules/SecurityAssessor.js

@@ -1,13 +1,19 @@
 /**
  * Security Assessor Module
  * Tests for backend API security vulnerabilities using 20 focused patterns
- * - Critical Injection (6): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
- * - Input Validation (3): Type Safety, Boundary Testing, Required Fields
- * - Protocol Compliance (2): MCP Error Format, Timeout Handling
- * - Tool-Specific (7): SSRF, Unicode Bypass, Nested Injection, Package Squatting,
- *                      Data Exfiltration, Configuration Drift, Tool Shadowing
- * - Resource Exhaustion (1): DoS/Resource Exhaustion
- * - Deserialization (1): Insecure Deserialization
+ *
+ * BASIC MODE (5 patterns - enableDomainTesting=false):
+ *   Command Injection, Calculator Injection, SQL Injection, Path Traversal, Unicode Bypass
+ *
+ * ADVANCED MODE (all 20 patterns - enableDomainTesting=true):
+ *   - Critical Injection (6): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
+ *   - Input Validation (3): Type Safety, Boundary Testing, Required Fields
+ *   - Protocol Compliance (2): MCP Error Format, Timeout Handling
+ *   - Tool-Specific (6): SSRF, Nested Injection, Package Squatting,
+ *                        Data Exfiltration, Configuration Drift, Tool Shadowing
+ *   - Encoding Bypass (1): Unicode Bypass
+ *   - Resource Exhaustion (1): DoS/Resource Exhaustion
+ *   - Deserialization (1): Insecure Deserialization
  */
 import { BaseAssessor } from "./BaseAssessor.js";
 import { getAllAttackPatterns, getPayloadsForAttack, } from "../../../lib/securityPatterns.js";

package/lib/services/assessment/modules/TemporalAssessor.d.ts

@@ -16,13 +16,17 @@ export declare class TemporalAssessor extends BaseAssessor {
     /**
      * Tool name patterns that are expected to have state-dependent responses.
      * These tools legitimately return different results based on data state,
-     * which is NOT a rug pull vulnerability (e.g., search returning more results
-     * after other tools have stored data).
+     * which is NOT a rug pull vulnerability.
      *
-     * NOTE: Uses substring matching, so "get" matches "get_user", "forget",
-     * "target", etc. This favors recall over precision - we prefer lenient
-     * schema comparison for edge cases over false positives on legitimate tools.
-     * Consider word-boundary regex if false positives become problematic.
+     * Includes both:
+     * - READ operations: search, list, query return more results after data stored
+     * - ACCUMULATION operations: add, append, store return accumulated state (counts, IDs)
+     *
+     * NOTE: Does NOT include patterns already in DESTRUCTIVE_PATTERNS (create, write,
+     * insert, etc.) - those need strict comparison to detect real rug pulls.
+     *
+     * Uses word-boundary matching to prevent false matches.
+     * "add_observations" matches "add" but "address_validator" does not.
      */
     private readonly STATEFUL_TOOL_PATTERNS;
     constructor(config: AssessmentConfiguration);
@@ -51,8 +55,12 @@ export declare class TemporalAssessor extends BaseAssessor {
     private isDestructiveTool;
     /**
      * Check if a tool is expected to have state-dependent behavior.
-     * Stateful tools (search, list, etc.) legitimately return different
+     * Stateful tools (search, list, add, store, etc.) legitimately return different
      * results as underlying data changes - this is NOT a rug pull.
+     *
+     * Uses word-boundary matching to prevent false positives:
+     * - "add_observations" matches "add" ✓
+     * - "address_validator" does NOT match "add" ✓
      */
     private isStatefulTool;
     /**

package/lib/services/assessment/modules/TemporalAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"TemporalAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/TemporalAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,EAEvB,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AA+B9C,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,kBAAkB,CAAS;IAGnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAGF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAU;IAEjD;;;;;;;;;;OAUG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CASrC;gBAEU,MAAM,EAAE,uBAAuB;IAKrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;YAqEvD,UAAU;IAuHxB;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAkChC,OAAO,CAAC,gBAAgB;IAmFxB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAoDzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAKzB;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAYtB;;;;;;OAMG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAiCzB,OAAO,CAAC,uBAAuB;IAa/B,OAAO,CAAC,mBAAmB;IA+C3B,OAAO,CAAC,uBAAuB;CA+DhC"}
+{"version":3,"file":"TemporalAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/TemporalAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,EAEvB,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AA+B9C,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,kBAAkB,CAAS;IAGnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAGF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAU;IAEjD;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAqBrC;gBAEU,MAAM,EAAE,uBAAuB;IAKrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;YAqEvD,UAAU;IAuHxB;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAkChC,OAAO,CAAC,gBAAgB;IAmFxB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAiFzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAKzB;;;;;;;;OAQG;IACH,OAAO,CAAC,cAAc;IAetB;;;;;;OAMG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAiCzB,OAAO,CAAC,uBAAuB;IAa/B,OAAO,CAAC,mBAAmB;IA+C3B,OAAO,CAAC,uBAAuB;CA+DhC"}

package/lib/services/assessment/modules/TemporalAssessor.js

@@ -38,15 +38,20 @@ export class TemporalAssessor extends BaseAssessor {
     /**
      * Tool name patterns that are expected to have state-dependent responses.
      * These tools legitimately return different results based on data state,
-     * which is NOT a rug pull vulnerability (e.g., search returning more results
-     * after other tools have stored data).
+     * which is NOT a rug pull vulnerability.
      *
-     * NOTE: Uses substring matching, so "get" matches "get_user", "forget",
-     * "target", etc. This favors recall over precision - we prefer lenient
-     * schema comparison for edge cases over false positives on legitimate tools.
-     * Consider word-boundary regex if false positives become problematic.
+     * Includes both:
+     * - READ operations: search, list, query return more results after data stored
+     * - ACCUMULATION operations: add, append, store return accumulated state (counts, IDs)
+     *
+     * NOTE: Does NOT include patterns already in DESTRUCTIVE_PATTERNS (create, write,
+     * insert, etc.) - those need strict comparison to detect real rug pulls.
+     *
+     * Uses word-boundary matching to prevent false matches.
+     * "add_observations" matches "add" but "address_validator" does not.
      */
     STATEFUL_TOOL_PATTERNS = [
+        // READ operations - results depend on current data state
         "search",
         "list",
         "query",
@@ -55,6 +60,17 @@ export class TemporalAssessor extends BaseAssessor {
         "fetch",
         "read",
         "browse",
+        // ACCUMULATION operations (non-destructive) that return accumulated state
+        // These legitimately return different counts/IDs as data accumulates
+        // NOTE: "add" is NOT in DESTRUCTIVE_PATTERNS, unlike "insert", "create", "write"
+        "add",
+        "append",
+        "store",
+        "save",
+        "log",
+        "record",
+        "push",
+        "enqueue",
     ];
     constructor(config) {
         super(config);
@@ -370,6 +386,23 @@ export class TemporalAssessor extends BaseAssessor {
             .replace(/\\"sequence\\":\s*\d+/g, '\\"sequence\\": <NUMBER>')
             .replace(/"index":\s*\d+/g, '"index": <NUMBER>')
             .replace(/\\"index\\":\s*\d+/g, '\\"index\\": <NUMBER>')
+            // Additional accumulation-related counter fields (defense-in-depth)
+            .replace(/"total_observations":\s*\d+/g, '"total_observations": <NUMBER>')
+            .replace(/\\"total_observations\\":\s*\d+/g, '\\"total_observations\\": <NUMBER>')
+            .replace(/"observations_count":\s*\d+/g, '"observations_count": <NUMBER>')
+            .replace(/\\"observations_count\\":\s*\d+/g, '\\"observations_count\\": <NUMBER>')
+            .replace(/"total_records":\s*\d+/g, '"total_records": <NUMBER>')
+            .replace(/\\"total_records\\":\s*\d+/g, '\\"total_records\\": <NUMBER>')
+            .replace(/"records_added":\s*\d+/g, '"records_added": <NUMBER>')
+            .replace(/\\"records_added\\":\s*\d+/g, '\\"records_added\\": <NUMBER>')
+            .replace(/"items_added":\s*\d+/g, '"items_added": <NUMBER>')
+            .replace(/\\"items_added\\":\s*\d+/g, '\\"items_added\\": <NUMBER>')
+            .replace(/"size":\s*\d+/g, '"size": <NUMBER>')
+            .replace(/\\"size\\":\s*\d+/g, '\\"size\\": <NUMBER>')
+            .replace(/"length":\s*\d+/g, '"length": <NUMBER>')
+            .replace(/\\"length\\":\s*\d+/g, '\\"length\\": <NUMBER>')
+            .replace(/"total":\s*\d+/g, '"total": <NUMBER>')
+            .replace(/\\"total\\":\s*\d+/g, '\\"total\\": <NUMBER>')
             // String IDs
             .replace(/"id":\s*"[^"]+"/g, '"id": "<ID>"')
             // P2-1: Additional timestamp fields that vary between calls
@@ -386,8 +419,12 @@ export class TemporalAssessor extends BaseAssessor {
     }
     /**
      * Check if a tool is expected to have state-dependent behavior.
-     * Stateful tools (search, list, etc.) legitimately return different
+     * Stateful tools (search, list, add, store, etc.) legitimately return different
      * results as underlying data changes - this is NOT a rug pull.
+     *
+     * Uses word-boundary matching to prevent false positives:
+     * - "add_observations" matches "add" ✓
+     * - "address_validator" does NOT match "add" ✓
      */
     isStatefulTool(tool) {
         const toolName = tool.name.toLowerCase();
@@ -396,7 +433,12 @@ export class TemporalAssessor extends BaseAssessor {
         if (this.isDestructiveTool(tool)) {
             return false;
         }
-        return this.STATEFUL_TOOL_PATTERNS.some((pattern) => toolName.includes(pattern));
+        // Use word-boundary matching: pattern must be at start/end or bounded by _ or -
+        // This prevents "address_validator" from matching "add"
+        return this.STATEFUL_TOOL_PATTERNS.some((pattern) => {
+            const wordBoundaryRegex = new RegExp(`(^|_|-)${pattern}($|_|-)`);
+            return wordBoundaryRegex.test(toolName);
+        });
     }
     /**
      * Compare response schemas (field names) rather than full content.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.19.5",
+  "version": "1.19.7",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",