@bryan-thompson/inspector-assessment-client 1.22.14 → 1.22.16

package/dist/assets/{OAuthCallback-DDbR9we4.js → OAuthCallback-DNYBkA2C.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-B55OPPJA.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BRiFDs-g.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/dist/assets/{OAuthDebugCallback-Bel6ibpN.js → OAuthDebugCallback-EhdSHXee.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-B55OPPJA.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BRiFDs-g.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/dist/assets/{index-B55OPPJA.js → index-BRiFDs-g.js}

@@ -16320,7 +16320,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.22.13";
+const version$1 = "1.22.16";
 const packageJson = {
   name,
   version: version$1
@@ -45352,7 +45352,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.22.13";
+const version = "1.22.16";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -48033,8 +48033,6 @@ const DEFAULT_ASSESSMENT_CONFIG = {
   // Enable MCP Spec Compliance assessment by default
   parallelTesting: false,
   maxParallelTests: 5,
-  maxToolsToTestForErrors: -1,
-  // Default to test ALL tools for comprehensive compliance
   securityPatternsToTest: 8,
   // Test all security patterns by default
   enableDomainTesting: true,
@@ -48078,8 +48076,6 @@ const REVIEWER_MODE_CONFIG = {
   maxParallelTests: 5,
   scenariosPerTool: 1,
   // Single realistic test per tool
-  maxToolsToTestForErrors: 3,
-  // Test only first 3 tools for error handling
   securityPatternsToTest: 3,
   // Test only 3 critical security patterns
   enableDomainTesting: false,
@@ -48119,8 +48115,6 @@ const DEVELOPER_MODE_CONFIG = {
   parallelTesting: false,
   // Sequential for easier debugging
   maxParallelTests: 5,
-  maxToolsToTestForErrors: -1,
-  // Test ALL tools
   securityPatternsToTest: 8,
   // Test all security patterns
   enableDomainTesting: true,
@@ -48836,11 +48830,13 @@ class MCPSpecComplianceAssessor extends BaseAssessor {
     return recommendations;
   }
 }
+const QUEUE_WARNING_THRESHOLD = 1e4;
 function createConcurrencyLimit(concurrency) {
   if (concurrency < 1) {
     throw new Error("Concurrency must be at least 1");
   }
   let activeCount = 0;
+  let hasWarned = false;
   const queue = [];
   const next = () => {
     if (activeCount < concurrency && queue.length > 0) {
@@ -48864,6 +48860,12 @@ function createConcurrencyLimit(concurrency) {
         resolve: resolve2,
         reject
       });
+      if (queue.length > QUEUE_WARNING_THRESHOLD && !hasWarned) {
+        hasWarned = true;
+        console.warn(
+          `[concurrencyLimit] Queue depth: ${queue.length} (threshold: ${QUEUE_WARNING_THRESHOLD}). Active: ${activeCount}/${concurrency}. This may indicate a slow/stalled server.`
+        );
+      }
       next();
     });
   };
@@ -52458,7 +52460,7 @@ function getPayloadsForAttack(attackName, limit2) {
   );
   if (!pattern2) return [];
   const payloads = pattern2.payloads;
-  return payloads;
+  return limit2 ? payloads.slice(0, limit2) : payloads;
 }
 function getAllAttackPatterns() {
   return SECURITY_ATTACK_PATTERNS;
@@ -52801,7 +52803,11 @@ class SecurityAssessor extends BaseAssessor {
     const toolsToTest = this.selectToolsForTesting(context.tools);
     const concurrency = this.config.maxParallelTests ?? 5;
     const limit2 = createConcurrencyLimit(concurrency);
-    const totalEstimate = toolsToTest.length * attackPatterns.length * 3;
+    let totalPayloads = 0;
+    for (const pattern2 of attackPatterns) {
+      totalPayloads += getPayloadsForAttack(pattern2.attackName).length;
+    }
+    const totalEstimate = toolsToTest.length * totalPayloads;
     let completedTests = 0;
     let lastBatchTime = Date.now();
     const startTime = Date.now();
@@ -53062,9 +53068,10 @@ class SecurityAssessor extends BaseAssessor {
           evidence: "No compatible parameters for testing"
         };
       }
+      const securityTimeout = this.config.securityTestTimeout ?? 5e3;
       const response = await this.executeWithTimeout(
         callTool(tool.name, params),
-        5e3
+        securityTimeout
       );
       if (this.isConnectionError(response)) {
         return {
@@ -59266,13 +59273,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-DDbR9we4.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-DNYBkA2C.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-Bel6ibpN.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-EhdSHXee.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-B55OPPJA.js"></script>
+    <script type="module" crossorigin src="/assets/index-BRiFDs-g.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-DiyPO_Zj.css">
   </head>
   <body>

package/lib/lib/assessment/configTypes.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Assessment Configuration Types
+ *
+ * Configuration interfaces and preset configurations for assessments.
+ *
+ * @module assessment/configTypes
+ */
+/**
+ * Claude Code Bridge Configuration
+ * Enables integration with Claude Code CLI for intelligent analysis
+ */
+export interface ClaudeCodeConfig {
+    enabled: boolean;
+    features: {
+        intelligentTestGeneration: boolean;
+        aupSemanticAnalysis: boolean;
+        annotationInference: boolean;
+        documentationQuality: boolean;
+    };
+    timeout: number;
+    workingDir?: string;
+    maxRetries?: number;
+}
+export interface AssessmentConfiguration {
+    testTimeout: number;
+    /** Security-specific test timeout in ms (default: 5000). Lower than testTimeout for fast payload testing. */
+    securityTestTimeout?: number;
+    delayBetweenTests?: number;
+    skipBrokenTools: boolean;
+    reviewerMode?: boolean;
+    enableExtendedAssessment?: boolean;
+    documentationVerbosity?: "minimal" | "standard" | "verbose";
+    parallelTesting?: boolean;
+    maxParallelTests?: number;
+    scenariosPerTool?: number;
+    maxToolsToTestForErrors?: number;
+    selectedToolsForTesting?: string[];
+    securityPatternsToTest?: number;
+    enableDomainTesting?: boolean;
+    mcpProtocolVersion?: string;
+    enableSourceCodeAnalysis?: boolean;
+    patternConfigPath?: string;
+    claudeCode?: ClaudeCodeConfig;
+    temporalInvocations?: number;
+    assessmentCategories?: {
+        functionality: boolean;
+        security: boolean;
+        documentation: boolean;
+        errorHandling: boolean;
+        usability: boolean;
+        mcpSpecCompliance?: boolean;
+        aupCompliance?: boolean;
+        toolAnnotations?: boolean;
+        prohibitedLibraries?: boolean;
+        manifestValidation?: boolean;
+        portability?: boolean;
+        externalAPIScanner?: boolean;
+        authentication?: boolean;
+        temporal?: boolean;
+        resources?: boolean;
+        prompts?: boolean;
+        crossCapability?: boolean;
+    };
+}
+export declare const DEFAULT_ASSESSMENT_CONFIG: AssessmentConfiguration;
+export declare const REVIEWER_MODE_CONFIG: AssessmentConfiguration;
+export declare const DEVELOPER_MODE_CONFIG: AssessmentConfiguration;
+export declare const AUDIT_MODE_CONFIG: AssessmentConfiguration;
+export declare const CLAUDE_ENHANCED_AUDIT_CONFIG: AssessmentConfiguration;
+//# sourceMappingURL=configTypes.d.ts.map

package/lib/lib/assessment/configTypes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configTypes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,mBAAmB,EAAE,OAAO,CAAC;QAC7B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,oBAAoB,EAAE,OAAO,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,6GAA6G;IAC7G,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IAEzB,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,sBAAsB,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IAI5D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oBAAoB,CAAC,EAAE;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,OAAO,CAAC;QACnB,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,QAAQ,CAAC,EAAE,OAAO,CAAC;QAEnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,eAAe,CAAC,EAAE,OAAO,CAAC;KAC3B,CAAC;CACH;AAMD,eAAO,MAAM,yBAAyB,EAAE,uBAgCvC,CAAC;AAIF,eAAO,MAAM,oBAAoB,EAAE,uBAiClC,CAAC;AAGF,eAAO,MAAM,qBAAqB,EAAE,uBAgCnC,CAAC;AAIF,eAAO,MAAM,iBAAiB,EAAE,uBAgC/B,CAAC;AAIF,eAAO,MAAM,4BAA4B,EAAE,uBA2C1C,CAAC"}

package/lib/lib/assessment/configTypes.js

@@ -0,0 +1,194 @@
+/**
+ * Assessment Configuration Types
+ *
+ * Configuration interfaces and preset configurations for assessments.
+ *
+ * @module assessment/configTypes
+ */
+// ============================================================================
+// Configuration Presets
+// ============================================================================
+export const DEFAULT_ASSESSMENT_CONFIG = {
+    testTimeout: 30000, // 30 seconds per tool
+    delayBetweenTests: 0, // No delay by default
+    skipBrokenTools: false,
+    reviewerMode: false,
+    enableExtendedAssessment: true, // Enable MCP Spec Compliance assessment by default
+    parallelTesting: false,
+    maxParallelTests: 5,
+    securityPatternsToTest: 8, // Test all security patterns by default
+    enableDomainTesting: true, // Enable advanced security testing by default (all 8 backend patterns)
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: false, // Source code analysis disabled by default (requires sourceCodePath)
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: false,
+        // New assessors - disabled by default, enable for MCP Directory compliance audits
+        aupCompliance: false,
+        toolAnnotations: false,
+        prohibitedLibraries: false,
+        manifestValidation: false,
+        portability: false,
+        externalAPIScanner: false,
+        authentication: false,
+        // New capability assessors - disabled by default
+        resources: false,
+        prompts: false,
+        crossCapability: false,
+    },
+};
+// Reviewer mode configuration: optimized for fast, human-assisted reviews
+// Focuses on Anthropic's 5 core requirements only
+export const REVIEWER_MODE_CONFIG = {
+    testTimeout: 10000, // 10 seconds per tool (faster)
+    delayBetweenTests: 100, // Small delay for rate limiting
+    skipBrokenTools: true, // Skip broken tools to save time
+    reviewerMode: true,
+    enableExtendedAssessment: false, // Disable extended assessments (not required for directory approval)
+    parallelTesting: true, // Faster execution
+    maxParallelTests: 5,
+    scenariosPerTool: 1, // Single realistic test per tool
+    securityPatternsToTest: 3, // Test only 3 critical security patterns
+    enableDomainTesting: false, // Use basic security testing for speed (3 patterns)
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: false,
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: false, // Not part of Anthropic's 5 core requirements
+        // New assessors - disabled in reviewer mode for speed
+        aupCompliance: false,
+        toolAnnotations: false,
+        prohibitedLibraries: false,
+        manifestValidation: false,
+        portability: false,
+        externalAPIScanner: false,
+        authentication: false,
+        // New capability assessors - disabled in reviewer mode for speed
+        resources: false,
+        prompts: false,
+        crossCapability: false,
+    },
+};
+// Developer mode configuration: comprehensive testing for debugging
+export const DEVELOPER_MODE_CONFIG = {
+    testTimeout: 30000, // 30 seconds per tool
+    delayBetweenTests: 500, // Moderate delay for thorough testing
+    skipBrokenTools: false,
+    reviewerMode: false,
+    enableExtendedAssessment: true,
+    parallelTesting: false, // Sequential for easier debugging
+    maxParallelTests: 5,
+    securityPatternsToTest: 8, // Test all security patterns
+    enableDomainTesting: true, // Enable advanced security testing (all 8 backend patterns)
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: true, // Enable source code analysis if path provided
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: true, // Include extended assessments
+        // New assessors - enabled in developer mode for comprehensive testing
+        aupCompliance: true,
+        toolAnnotations: true,
+        prohibitedLibraries: true,
+        manifestValidation: false, // MCPB bundle-specific, disabled by default
+        portability: false, // MCPB bundle-specific, disabled by default
+        externalAPIScanner: true,
+        authentication: true,
+        // New capability assessors - enabled in developer mode
+        resources: true,
+        prompts: true,
+        crossCapability: true,
+    },
+};
+// MCP Directory Audit mode: focuses on compliance gap assessors
+// Use for pre-submission validation to Anthropic MCP Directory
+export const AUDIT_MODE_CONFIG = {
+    testTimeout: 30000,
+    delayBetweenTests: 100,
+    skipBrokenTools: false,
+    reviewerMode: false,
+    enableExtendedAssessment: true,
+    parallelTesting: true, // Parallel for faster audits
+    maxParallelTests: 5,
+    securityPatternsToTest: 8,
+    enableDomainTesting: true,
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: true, // Deep analysis for audits
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: true,
+        // All new assessors enabled for audit mode
+        aupCompliance: true,
+        toolAnnotations: true,
+        prohibitedLibraries: true,
+        manifestValidation: false, // MCPB bundle-specific, disabled by default
+        portability: false, // MCPB bundle-specific, disabled by default
+        externalAPIScanner: true,
+        authentication: true,
+        // New capability assessors - enabled in audit mode
+        resources: true,
+        prompts: true,
+        crossCapability: true,
+    },
+};
+// Claude-enhanced audit mode: uses Claude Code for intelligent analysis
+// Reduces false positives in AUP scanning and improves test quality
+export const CLAUDE_ENHANCED_AUDIT_CONFIG = {
+    testTimeout: 30000,
+    delayBetweenTests: 100,
+    skipBrokenTools: false,
+    reviewerMode: false,
+    enableExtendedAssessment: true,
+    parallelTesting: false, // Sequential when using Claude to avoid rate limiting
+    maxParallelTests: 1,
+    securityPatternsToTest: 8,
+    enableDomainTesting: true,
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: true,
+    // Claude Code integration enabled
+    claudeCode: {
+        enabled: true,
+        features: {
+            intelligentTestGeneration: true, // Generate semantically meaningful test params
+            aupSemanticAnalysis: true, // Reduce false positives in AUP scanning
+            annotationInference: true, // Detect annotation misalignments
+            documentationQuality: true, // Assess documentation quality semantically
+        },
+        timeout: 90000, // 90 seconds for Claude calls
+        maxRetries: 2,
+    },
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: true,
+        aupCompliance: true,
+        toolAnnotations: true,
+        prohibitedLibraries: true,
+        manifestValidation: false, // MCPB bundle-specific, disabled by default
+        portability: false, // MCPB bundle-specific, disabled by default
+        externalAPIScanner: true,
+        authentication: true,
+        // New capability assessors - enabled in Claude mode
+        resources: true,
+        prompts: true,
+        crossCapability: true,
+    },
+};

package/lib/lib/assessment/constants.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Assessment Constants
+ *
+ * Constant values used in security testing.
+ *
+ * @module assessment/constants
+ */
+import type { SecurityTestResult } from "./resultTypes.js";
+export declare const PROMPT_INJECTION_TESTS: Omit<SecurityTestResult, "vulnerable" | "evidence">[];
+//# sourceMappingURL=constants.d.ts.map

package/lib/lib/assessment/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/constants.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAGxD,eAAO,MAAM,sBAAsB,EAAE,IAAI,CACvC,kBAAkB,EAClB,YAAY,GAAG,UAAU,CAC1B,EAqDA,CAAC"}

package/lib/lib/assessment/constants.js

@@ -0,0 +1,61 @@
+/**
+ * Assessment Constants
+ *
+ * Constant values used in security testing.
+ *
+ * @module assessment/constants
+ */
+// Backend API security patterns (8 total) - tests API security, not LLM behaviors
+export const PROMPT_INJECTION_TESTS = [
+    // Critical Injection (3)
+    {
+        testName: "Command Injection",
+        description: "Test if tool executes system commands",
+        payload: "; rm -rf /; echo 'test'",
+        riskLevel: "HIGH",
+    },
+    {
+        testName: "SQL Injection",
+        description: "Test if tool properly escapes SQL commands",
+        payload: "'; DROP TABLE users;--",
+        riskLevel: "HIGH",
+    },
+    {
+        testName: "Path Traversal",
+        description: "Test if tool allows access to files outside intended directory",
+        payload: "../../../etc/passwd",
+        riskLevel: "HIGH",
+    },
+    // Input Validation (3)
+    {
+        testName: "Type Safety",
+        description: "Test if tool validates parameter types correctly",
+        payload: "not_a_number",
+        riskLevel: "MEDIUM",
+    },
+    {
+        testName: "Boundary Testing",
+        description: "Test edge cases and boundary conditions",
+        payload: "",
+        riskLevel: "LOW",
+    },
+    {
+        testName: "Required Fields",
+        description: "Test if tool validates required parameters",
+        payload: "MISSING_REQUIRED",
+        riskLevel: "MEDIUM",
+    },
+    // Protocol Compliance (2)
+    {
+        testName: "MCP Error Format",
+        description: "Verify errors follow MCP protocol specification",
+        payload: "INVALID_TRIGGER_ERROR",
+        riskLevel: "LOW",
+    },
+    {
+        testName: "Timeout Handling",
+        description: "Test if tool handles long operations gracefully",
+        payload: "SIMULATE_LONG_OPERATION",
+        riskLevel: "LOW",
+    },
+];

package/lib/lib/assessment/coreTypes.d.ts

@@ -0,0 +1,159 @@
+/**
+ * Core Assessment Types
+ *
+ * Foundational types used across all assessment modules.
+ * These are the building blocks that other type files depend on.
+ *
+ * @module assessment/coreTypes
+ */
+export type AssessmentStatus = "PASS" | "FAIL" | "NEED_MORE_INFO";
+export type SecurityRiskLevel = "LOW" | "MEDIUM" | "HIGH";
+/**
+ * Alignment status for tool annotations.
+ * Extends beyond PASS/FAIL to handle ambiguous cases.
+ */
+export type AlignmentStatus = "ALIGNED" | "MISALIGNED" | "REVIEW_RECOMMENDED" | "UNKNOWN";
+/**
+ * Confidence level for behavior inference
+ */
+export type InferenceConfidence = "high" | "medium" | "low";
+/**
+ * Assessment category tier for distinguishing core vs optional assessments.
+ * - "core": Always applicable to any MCP server audit
+ * - "optional": Contextual assessments (e.g., MCPB bundle-specific)
+ */
+export type AssessmentCategoryTier = "core" | "optional";
+/**
+ * Metadata for assessment categories including tier and applicability info.
+ */
+export interface AssessmentCategoryMetadata {
+    tier: AssessmentCategoryTier;
+    description: string;
+    applicableTo?: string;
+}
+/**
+ * Category metadata mapping for all assessment modules.
+ * Used for CLI output and downstream consumers to understand category context.
+ *
+ * Note: Uses `satisfies` to preserve literal key types while ensuring type safety.
+ * This allows deriving AssessmentModuleName from the object keys.
+ */
+declare const ASSESSMENT_CATEGORY_METADATA_INTERNAL: {
+    functionality: {
+        tier: "core";
+        description: string;
+    };
+    security: {
+        tier: "core";
+        description: string;
+    };
+    documentation: {
+        tier: "core";
+        description: string;
+    };
+    errorHandling: {
+        tier: "core";
+        description: string;
+    };
+    usability: {
+        tier: "core";
+        description: string;
+    };
+    mcpSpecCompliance: {
+        tier: "core";
+        description: string;
+    };
+    aupCompliance: {
+        tier: "core";
+        description: string;
+    };
+    toolAnnotations: {
+        tier: "core";
+        description: string;
+    };
+    prohibitedLibraries: {
+        tier: "core";
+        description: string;
+    };
+    manifestValidation: {
+        tier: "optional";
+        description: string;
+        applicableTo: string;
+    };
+    portability: {
+        tier: "optional";
+        description: string;
+        applicableTo: string;
+    };
+    externalAPIScanner: {
+        tier: "core";
+        description: string;
+    };
+    authentication: {
+        tier: "core";
+        description: string;
+    };
+    temporal: {
+        tier: "core";
+        description: string;
+    };
+    resources: {
+        tier: "core";
+        description: string;
+    };
+    prompts: {
+        tier: "core";
+        description: string;
+    };
+    crossCapability: {
+        tier: "core";
+        description: string;
+    };
+};
+/**
+ * Type-safe module name derived from ASSESSMENT_CATEGORY_METADATA keys.
+ * Use this type for compile-time validation of module names.
+ */
+export type AssessmentModuleName = keyof typeof ASSESSMENT_CATEGORY_METADATA_INTERNAL;
+/**
+ * Re-export with original name for backward compatibility.
+ * Type is preserved as Record<AssessmentModuleName, AssessmentCategoryMetadata>.
+ */
+export declare const ASSESSMENT_CATEGORY_METADATA: Record<AssessmentModuleName, AssessmentCategoryMetadata>;
+/**
+ * Generate module configuration derived from ASSESSMENT_CATEGORY_METADATA.
+ * Single source of truth for all assessment module names.
+ *
+ * @param options.sourceCodePath - If true, enables externalAPIScanner
+ * @param options.skipTemporal - If true, disables temporal assessment
+ * @returns Record of module names to enabled state (type-safe)
+ */
+export declare function getAllModulesConfig(options: {
+    sourceCodePath?: boolean;
+    skipTemporal?: boolean;
+}): Record<AssessmentModuleName, boolean>;
+/**
+ * Persistence model for MCP servers (Three-Tier Classification).
+ *
+ * These types are re-exported from the services layer for backward compatibility
+ * with existing imports from `@/lib/assessmentTypes`. This cross-layer import
+ * is intentional and documented:
+ *
+ * **Why cross-layer?**
+ * - PersistenceModel and ServerPersistenceContext are defined in
+ *   `services/assessment/config/annotationPatterns.ts` alongside the pattern
+ *   matching logic that uses them.
+ * - Moving the types here would create a circular dependency since the
+ *   annotationPatterns module needs to import its own types.
+ * - Type-only imports (`export type`) don't create runtime dependencies,
+ *   so this cross-layer reference is safe.
+ *
+ * **Type definitions:**
+ * - "immediate": Write operations persist directly to storage (database, file, API)
+ * - "deferred": Write operations are in-memory until explicit save operation
+ * - "unknown": Cannot determine persistence model
+ *
+ * @see services/assessment/config/annotationPatterns.ts for implementation
+ */
+export type { PersistenceModel, ServerPersistenceContext, } from "../../services/assessment/config/annotationPatterns.js";
+//# sourceMappingURL=coreTypes.d.ts.map

package/lib/lib/assessment/coreTypes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"coreTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/coreTypes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,gBAAgB,CAAC;AAClE,MAAM,MAAM,iBAAiB,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAE1D;;;GAGG;AACH,MAAM,MAAM,eAAe,GACvB,SAAS,GACT,YAAY,GACZ,oBAAoB,GACpB,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE5D;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,GAAG,MAAM,GAAG,UAAU,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,sBAAsB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,QAAA,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8DW,CAAC;AAEvD;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAC9B,MAAM,OAAO,qCAAqC,CAAC;AAErD;;;GAGG;AACH,eAAO,MAAM,4BAA4B,EAAE,MAAM,CAC/C,oBAAoB,EACpB,0BAA0B,CACa,CAAC;AAE1C;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE;IAC3C,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB,GAAG,MAAM,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAaxC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,YAAY,EACV,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,qDAAqD,CAAC"}