@bryan-thompson/inspector-assessment-client 1.19.6 → 1.19.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/assets/{OAuthCallback-2egbdNUk.js → OAuthCallback-CTi1WHpO.js} +1 -1
  2. package/dist/assets/{OAuthDebugCallback-BfKpx34j.js → OAuthDebugCallback-Ugn64tA_.js} +1 -1
  3. package/dist/assets/{index-coKZl3U4.js → index-CdUk9TCd.js} +4 -4
  4. package/dist/index.html +1 -1
  5. package/lib/services/assessment/modules/TemporalAssessor.d.ts +15 -7
  6. package/lib/services/assessment/modules/TemporalAssessor.d.ts.map +1 -1
  7. package/lib/services/assessment/modules/TemporalAssessor.js +50 -8
  8. package/package.json +1 -1
package/dist/assets/{OAuthCallback-2egbdNUk.js → OAuthCallback-CTi1WHpO.js} RENAMED
@@ -1,4 +1,4 @@
1
- import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-coKZl3U4.js";
1
+ import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CdUk9TCd.js";
2
2
  const OAuthCallback = ({ onConnect }) => {
3
3
  const { toast } = useToast();
4
4
  const hasProcessedRef = reactExports.useRef(false);
package/dist/assets/{OAuthDebugCallback-BfKpx34j.js → OAuthDebugCallback-Ugn64tA_.js} RENAMED
@@ -1,4 +1,4 @@
1
- import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-coKZl3U4.js";
1
+ import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CdUk9TCd.js";
2
2
  const OAuthDebugCallback = ({ onConnect }) => {
3
3
  reactExports.useEffect(() => {
4
4
  let isProcessed = false;
package/dist/assets/{index-coKZl3U4.js → index-CdUk9TCd.js} RENAMED
@@ -16320,7 +16320,7 @@ object({
16320
16320
  token_type_hint: string().optional()
16321
16321
  }).strip();
16322
16322
  const name = "@bryan-thompson/inspector-assessment-client";
16323
- const version$1 = "1.19.6";
16323
+ const version$1 = "1.19.7";
16324
16324
  const packageJson = {
16325
16325
  name,
16326
16326
  version: version$1
@@ -45352,7 +45352,7 @@ const useTheme = () => {
45352
45352
  [theme, setThemeWithSideEffect]
45353
45353
  );
45354
45354
  };
45355
- const version = "1.19.6";
45355
+ const version = "1.19.7";
45356
45356
  var [createTooltipContext] = createContextScope("Tooltip", [
45357
45357
  createPopperScope
45358
45358
  ]);
@@ -59166,13 +59166,13 @@ const App = () => {
59166
59166
  ) });
59167
59167
  if (window.location.pathname === "/oauth/callback") {
59168
59168
  const OAuthCallback = React.lazy(
59169
- () => __vitePreload(() => import("./OAuthCallback-2egbdNUk.js"), true ? [] : void 0)
59169
+ () => __vitePreload(() => import("./OAuthCallback-CTi1WHpO.js"), true ? [] : void 0)
59170
59170
  );
59171
59171
  return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
59172
59172
  }
59173
59173
  if (window.location.pathname === "/oauth/callback/debug") {
59174
59174
  const OAuthDebugCallback = React.lazy(
59175
- () => __vitePreload(() => import("./OAuthDebugCallback-BfKpx34j.js"), true ? [] : void 0)
59175
+ () => __vitePreload(() => import("./OAuthDebugCallback-Ugn64tA_.js"), true ? [] : void 0)
59176
59176
  );
59177
59177
  return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
59178
59178
  }
package/dist/index.html CHANGED
@@ -5,7 +5,7 @@
5
5
  <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
6
6
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
7
7
  <title>MCP Inspector</title>
8
- <script type="module" crossorigin src="/assets/index-coKZl3U4.js"></script>
8
+ <script type="module" crossorigin src="/assets/index-CdUk9TCd.js"></script>
9
9
  <link rel="stylesheet" crossorigin href="/assets/index-DiyPO_Zj.css">
10
10
  </head>
11
11
  <body>
package/lib/services/assessment/modules/TemporalAssessor.d.ts CHANGED
@@ -16,13 +16,17 @@ export declare class TemporalAssessor extends BaseAssessor {
16
16
  /**
17
17
  * Tool name patterns that are expected to have state-dependent responses.
18
18
  * These tools legitimately return different results based on data state,
19
- * which is NOT a rug pull vulnerability (e.g., search returning more results
20
- * after other tools have stored data).
19
+ * which is NOT a rug pull vulnerability.
21
20
  *
22
- * NOTE: Uses substring matching, so "get" matches "get_user", "forget",
23
- * "target", etc. This favors recall over precision - we prefer lenient
24
- * schema comparison for edge cases over false positives on legitimate tools.
25
- * Consider word-boundary regex if false positives become problematic.
21
+ * Includes both:
22
+ * - READ operations: search, list, query return more results after data stored
23
+ * - ACCUMULATION operations: add, append, store return accumulated state (counts, IDs)
24
+ *
25
+ * NOTE: Does NOT include patterns already in DESTRUCTIVE_PATTERNS (create, write,
26
+ * insert, etc.) - those need strict comparison to detect real rug pulls.
27
+ *
28
+ * Uses word-boundary matching to prevent false matches.
29
+ * "add_observations" matches "add" but "address_validator" does not.
26
30
  */
27
31
  private readonly STATEFUL_TOOL_PATTERNS;
28
32
  constructor(config: AssessmentConfiguration);
@@ -51,8 +55,12 @@ export declare class TemporalAssessor extends BaseAssessor {
51
55
  private isDestructiveTool;
52
56
  /**
53
57
  * Check if a tool is expected to have state-dependent behavior.
54
- * Stateful tools (search, list, etc.) legitimately return different
58
+ * Stateful tools (search, list, add, store, etc.) legitimately return different
55
59
  * results as underlying data changes - this is NOT a rug pull.
60
+ *
61
+ * Uses word-boundary matching to prevent false positives:
62
+ * - "add_observations" matches "add" ✓
63
+ * - "address_validator" does NOT match "add" ✓
56
64
  */
57
65
  private isStatefulTool;
58
66
  /**
package/lib/services/assessment/modules/TemporalAssessor.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"TemporalAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/TemporalAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,EAEvB,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AA+B9C,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,kBAAkB,CAAS;IAGnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAGF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAU;IAEjD;;;;;;;;;;OAUG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CASrC;gBAEU,MAAM,EAAE,uBAAuB;IAKrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;YAqEvD,UAAU;IAuHxB;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAkChC,OAAO,CAAC,gBAAgB;IAmFxB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAoDzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAKzB;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAYtB;;;;;;OAMG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAiCzB,OAAO,CAAC,uBAAuB;IAa/B,OAAO,CAAC,mBAAmB;IA+C3B,OAAO,CAAC,uBAAuB;CA+DhC"}
1
+ {"version":3,"file":"TemporalAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/TemporalAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,EAEvB,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AA+B9C,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,kBAAkB,CAAS;IAGnC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAGF,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAU;IAEjD;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAqBrC;gBAEU,MAAM,EAAE,uBAAuB;IAKrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;YAqEvD,UAAU;IAuHxB;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAkChC,OAAO,CAAC,gBAAgB;IAmFxB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAsC3B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAiFzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAKzB;;;;;;;;OAQG;IACH,OAAO,CAAC,cAAc;IAetB;;;;;;OAMG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAiCzB,OAAO,CAAC,uBAAuB;IAa/B,OAAO,CAAC,mBAAmB;IA+C3B,OAAO,CAAC,uBAAuB;CA+DhC"}
package/lib/services/assessment/modules/TemporalAssessor.js CHANGED
@@ -38,15 +38,20 @@ export class TemporalAssessor extends BaseAssessor {
38
38
  /**
39
39
  * Tool name patterns that are expected to have state-dependent responses.
40
40
  * These tools legitimately return different results based on data state,
41
- * which is NOT a rug pull vulnerability (e.g., search returning more results
42
- * after other tools have stored data).
41
+ * which is NOT a rug pull vulnerability.
43
42
  *
44
- * NOTE: Uses substring matching, so "get" matches "get_user", "forget",
45
- * "target", etc. This favors recall over precision - we prefer lenient
46
- * schema comparison for edge cases over false positives on legitimate tools.
47
- * Consider word-boundary regex if false positives become problematic.
43
+ * Includes both:
44
+ * - READ operations: search, list, query return more results after data stored
45
+ * - ACCUMULATION operations: add, append, store return accumulated state (counts, IDs)
46
+ *
47
+ * NOTE: Does NOT include patterns already in DESTRUCTIVE_PATTERNS (create, write,
48
+ * insert, etc.) - those need strict comparison to detect real rug pulls.
49
+ *
50
+ * Uses word-boundary matching to prevent false matches.
51
+ * "add_observations" matches "add" but "address_validator" does not.
48
52
  */
49
53
  STATEFUL_TOOL_PATTERNS = [
54
+ // READ operations - results depend on current data state
50
55
  "search",
51
56
  "list",
52
57
  "query",
@@ -55,6 +60,17 @@ export class TemporalAssessor extends BaseAssessor {
55
60
  "fetch",
56
61
  "read",
57
62
  "browse",
63
+ // ACCUMULATION operations (non-destructive) that return accumulated state
64
+ // These legitimately return different counts/IDs as data accumulates
65
+ // NOTE: "add" is NOT in DESTRUCTIVE_PATTERNS, unlike "insert", "create", "write"
66
+ "add",
67
+ "append",
68
+ "store",
69
+ "save",
70
+ "log",
71
+ "record",
72
+ "push",
73
+ "enqueue",
58
74
  ];
59
75
  constructor(config) {
60
76
  super(config);
@@ -370,6 +386,23 @@ export class TemporalAssessor extends BaseAssessor {
370
386
  .replace(/\\"sequence\\":\s*\d+/g, '\\"sequence\\": <NUMBER>')
371
387
  .replace(/"index":\s*\d+/g, '"index": <NUMBER>')
372
388
  .replace(/\\"index\\":\s*\d+/g, '\\"index\\": <NUMBER>')
389
+ // Additional accumulation-related counter fields (defense-in-depth)
390
+ .replace(/"total_observations":\s*\d+/g, '"total_observations": <NUMBER>')
391
+ .replace(/\\"total_observations\\":\s*\d+/g, '\\"total_observations\\": <NUMBER>')
392
+ .replace(/"observations_count":\s*\d+/g, '"observations_count": <NUMBER>')
393
+ .replace(/\\"observations_count\\":\s*\d+/g, '\\"observations_count\\": <NUMBER>')
394
+ .replace(/"total_records":\s*\d+/g, '"total_records": <NUMBER>')
395
+ .replace(/\\"total_records\\":\s*\d+/g, '\\"total_records\\": <NUMBER>')
396
+ .replace(/"records_added":\s*\d+/g, '"records_added": <NUMBER>')
397
+ .replace(/\\"records_added\\":\s*\d+/g, '\\"records_added\\": <NUMBER>')
398
+ .replace(/"items_added":\s*\d+/g, '"items_added": <NUMBER>')
399
+ .replace(/\\"items_added\\":\s*\d+/g, '\\"items_added\\": <NUMBER>')
400
+ .replace(/"size":\s*\d+/g, '"size": <NUMBER>')
401
+ .replace(/\\"size\\":\s*\d+/g, '\\"size\\": <NUMBER>')
402
+ .replace(/"length":\s*\d+/g, '"length": <NUMBER>')
403
+ .replace(/\\"length\\":\s*\d+/g, '\\"length\\": <NUMBER>')
404
+ .replace(/"total":\s*\d+/g, '"total": <NUMBER>')
405
+ .replace(/\\"total\\":\s*\d+/g, '\\"total\\": <NUMBER>')
373
406
  // String IDs
374
407
  .replace(/"id":\s*"[^"]+"/g, '"id": "<ID>"')
375
408
  // P2-1: Additional timestamp fields that vary between calls
@@ -386,8 +419,12 @@ export class TemporalAssessor extends BaseAssessor {
386
419
  }
387
420
  /**
388
421
  * Check if a tool is expected to have state-dependent behavior.
389
- * Stateful tools (search, list, etc.) legitimately return different
422
+ * Stateful tools (search, list, add, store, etc.) legitimately return different
390
423
  * results as underlying data changes - this is NOT a rug pull.
424
+ *
425
+ * Uses word-boundary matching to prevent false positives:
426
+ * - "add_observations" matches "add" ✓
427
+ * - "address_validator" does NOT match "add" ✓
391
428
  */
392
429
  isStatefulTool(tool) {
393
430
  const toolName = tool.name.toLowerCase();
@@ -396,7 +433,12 @@ export class TemporalAssessor extends BaseAssessor {
396
433
  if (this.isDestructiveTool(tool)) {
397
434
  return false;
398
435
  }
399
- return this.STATEFUL_TOOL_PATTERNS.some((pattern) => toolName.includes(pattern));
436
+ // Use word-boundary matching: pattern must be at start/end or bounded by _ or -
437
+ // This prevents "address_validator" from matching "add"
438
+ return this.STATEFUL_TOOL_PATTERNS.some((pattern) => {
439
+ const wordBoundaryRegex = new RegExp(`(^|_|-)${pattern}($|_|-)`);
440
+ return wordBoundaryRegex.test(toolName);
441
+ });
400
442
  }
401
443
  /**
402
444
  * Compare response schemas (field names) rather than full content.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@bryan-thompson/inspector-assessment-client",
3
- "version": "1.19.6",
3
+ "version": "1.19.7",
4
4
  "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
5
5
  "license": "MIT",
6
6
  "author": "Bryan Thompson <bryan@triepod.ai>",