@bryan-thompson/inspector-assessment-client 1.25.4 → 1.25.5

package/lib/services/assessment/config/performanceConfig.d.ts

@@ -0,0 +1,122 @@
+/**
+ * Performance Configuration for Assessment Engine
+ *
+ * Centralizes performance-related magic numbers that were previously
+ * scattered across multiple modules. Supports JSON configuration files
+ * for runtime tuning via CLI flags.
+ *
+ * @see https://github.com/triepod-ai/inspector-assessment/issues/37
+ */
+import type { Logger } from "../lib/logger.js";
+/**
+ * Performance configuration for assessment execution.
+ * Controls batching, timeouts, concurrency, and resource limits.
+ */
+export interface PerformanceConfig {
+    /**
+     * Interval in milliseconds between progress batch flushes.
+     * Controls how often batched test results are emitted.
+     * @default 500
+     */
+    batchFlushIntervalMs: number;
+    /**
+     * Batch size for functionality assessment progress events.
+     * Smaller than security batch size because functionality tests are fewer.
+     * @default 5
+     */
+    functionalityBatchSize: number;
+    /**
+     * Batch size for security assessment progress events.
+     * @default 10
+     */
+    securityBatchSize: number;
+    /**
+     * Timeout for individual test scenario execution in milliseconds.
+     * Applied via Promise.race in TestScenarioEngine.
+     * @default 5000
+     */
+    testTimeoutMs: number;
+    /**
+     * Timeout for individual security payload tests in milliseconds.
+     * Fallback when not specified in assessment configuration.
+     * @default 5000
+     */
+    securityTestTimeoutMs: number;
+    /**
+     * Warning threshold for queue depth monitoring.
+     * Triggers warning when task queue exceeds this size.
+     *
+     * Derivation: Advanced security assessments can legitimately queue:
+     *   29 tools x 140 payloads (across 23 attack patterns) = 4,060 tasks
+     *
+     * Threshold of 10,000 provides ~146% headroom to accommodate larger
+     * tool sets while catching true runaway scenarios.
+     * @default 10000
+     */
+    queueWarningThreshold: number;
+    /**
+     * Maximum EventEmitter listeners to prevent Node.js warnings.
+     * Assessment operations require more listeners than Node's default (10).
+     * @default 50
+     */
+    eventEmitterMaxListeners: number;
+}
+/**
+ * Default performance configuration.
+ * These values preserve existing behavior across all modules.
+ */
+export declare const DEFAULT_PERFORMANCE_CONFIG: Readonly<Required<PerformanceConfig>>;
+/**
+ * Performance presets for common use cases.
+ */
+export declare const PERFORMANCE_PRESETS: {
+    /** Default configuration - balanced performance */
+    readonly default: Readonly<Required<PerformanceConfig>>;
+    /** Optimized for speed with larger batches */
+    readonly fast: Readonly<{
+        functionalityBatchSize: 10;
+        securityBatchSize: 20;
+        batchFlushIntervalMs: number;
+        testTimeoutMs: number;
+        securityTestTimeoutMs: number;
+        queueWarningThreshold: number;
+        eventEmitterMaxListeners: number;
+    }>;
+    /** Conservative settings for resource-constrained environments */
+    readonly resourceConstrained: Readonly<{
+        functionalityBatchSize: 3;
+        securityBatchSize: 5;
+        queueWarningThreshold: 5000;
+        batchFlushIntervalMs: number;
+        testTimeoutMs: number;
+        securityTestTimeoutMs: number;
+        eventEmitterMaxListeners: number;
+    }>;
+};
+/**
+ * Validate a partial performance config.
+ * Ensures values are within reasonable bounds.
+ *
+ * @param config - Partial config to validate
+ * @returns Array of validation error messages (empty if valid)
+ */
+export declare function validatePerformanceConfig(config: Partial<PerformanceConfig>): string[];
+/**
+ * Merge a partial config with defaults.
+ * User-provided values override defaults.
+ *
+ * @param partial - Partial config to merge
+ * @returns Complete config with defaults applied
+ */
+export declare function mergeWithDefaults(partial: Partial<PerformanceConfig>): Required<PerformanceConfig>;
+/**
+ * Load performance configuration from a JSON file.
+ * Partial configs are validated and merged with defaults.
+ *
+ * @param configPath - Path to JSON configuration file
+ * @param logger - Optional logger for diagnostic output
+ * @returns Complete configuration with defaults applied
+ * @throws Error if config file has validation errors
+ */
+export declare function loadPerformanceConfig(configPath?: string, logger?: Logger): Required<PerformanceConfig>;
+//# sourceMappingURL=performanceConfig.d.ts.map

package/lib/services/assessment/config/performanceConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"performanceConfig.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/config/performanceConfig.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAE5C;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,sBAAsB,EAAE,MAAM,CAAC;IAE/B;;;OAGG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAE1B;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;;;;;;;OAUG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;OAIG;IACH,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED;;;GAGG;AACH,eAAO,MAAM,0BAA0B,EAAE,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CASzE,CAAC;AAEL;;GAEG;AACH,eAAO,MAAM,mBAAmB;IAC9B,mDAAmD;;IAGnD,8CAA8C;;;;8BAxExB,MAAM;uBAoBb,MAAM;+BAOE,MAAM;+BAaN,MAAM;kCAOH,MAAM;;IAgChC,kEAAkE;;;;;8BA/E5C,MAAM;uBAoBb,MAAM;+BAOE,MAAM;kCAoBH,MAAM;;CAuCxB,CAAC;AAEX;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,OAAO,CAAC,iBAAiB,CAAC,GACjC,MAAM,EAAE,CAwDV;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAClC,QAAQ,CAAC,iBAAiB,CAAC,CAsB7B;AAED;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,CAAC,EAAE,MAAM,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,QAAQ,CAAC,iBAAiB,CAAC,CAyC7B"}

package/lib/services/assessment/config/performanceConfig.js

@@ -0,0 +1,154 @@
+/**
+ * Performance Configuration for Assessment Engine
+ *
+ * Centralizes performance-related magic numbers that were previously
+ * scattered across multiple modules. Supports JSON configuration files
+ * for runtime tuning via CLI flags.
+ *
+ * @see https://github.com/triepod-ai/inspector-assessment/issues/37
+ */
+import * as fs from "fs";
+/**
+ * Default performance configuration.
+ * These values preserve existing behavior across all modules.
+ */
+export const DEFAULT_PERFORMANCE_CONFIG = Object.freeze({
+    batchFlushIntervalMs: 500,
+    functionalityBatchSize: 5,
+    securityBatchSize: 10,
+    testTimeoutMs: 5000,
+    securityTestTimeoutMs: 5000,
+    queueWarningThreshold: 10000,
+    eventEmitterMaxListeners: 50,
+});
+/**
+ * Performance presets for common use cases.
+ */
+export const PERFORMANCE_PRESETS = {
+    /** Default configuration - balanced performance */
+    default: DEFAULT_PERFORMANCE_CONFIG,
+    /** Optimized for speed with larger batches */
+    fast: Object.freeze({
+        ...DEFAULT_PERFORMANCE_CONFIG,
+        functionalityBatchSize: 10,
+        securityBatchSize: 20,
+    }),
+    /** Conservative settings for resource-constrained environments */
+    resourceConstrained: Object.freeze({
+        ...DEFAULT_PERFORMANCE_CONFIG,
+        functionalityBatchSize: 3,
+        securityBatchSize: 5,
+        queueWarningThreshold: 5000,
+    }),
+};
+/**
+ * Validate a partial performance config.
+ * Ensures values are within reasonable bounds.
+ *
+ * @param config - Partial config to validate
+ * @returns Array of validation error messages (empty if valid)
+ */
+export function validatePerformanceConfig(config) {
+    const errors = [];
+    if (config.batchFlushIntervalMs !== undefined &&
+        (config.batchFlushIntervalMs < 50 || config.batchFlushIntervalMs > 10000)) {
+        errors.push("batchFlushIntervalMs must be between 50 and 10000");
+    }
+    if (config.functionalityBatchSize !== undefined &&
+        (config.functionalityBatchSize < 1 || config.functionalityBatchSize > 100)) {
+        errors.push("functionalityBatchSize must be between 1 and 100");
+    }
+    if (config.securityBatchSize !== undefined &&
+        (config.securityBatchSize < 1 || config.securityBatchSize > 100)) {
+        errors.push("securityBatchSize must be between 1 and 100");
+    }
+    if (config.testTimeoutMs !== undefined &&
+        (config.testTimeoutMs < 100 || config.testTimeoutMs > 300000)) {
+        errors.push("testTimeoutMs must be between 100 and 300000");
+    }
+    if (config.securityTestTimeoutMs !== undefined &&
+        (config.securityTestTimeoutMs < 100 ||
+            config.securityTestTimeoutMs > 300000)) {
+        errors.push("securityTestTimeoutMs must be between 100 and 300000");
+    }
+    if (config.queueWarningThreshold !== undefined &&
+        (config.queueWarningThreshold < 100 ||
+            config.queueWarningThreshold > 1000000)) {
+        errors.push("queueWarningThreshold must be between 100 and 1000000");
+    }
+    if (config.eventEmitterMaxListeners !== undefined &&
+        (config.eventEmitterMaxListeners < 10 ||
+            config.eventEmitterMaxListeners > 1000)) {
+        errors.push("eventEmitterMaxListeners must be between 10 and 1000");
+    }
+    return errors;
+}
+/**
+ * Merge a partial config with defaults.
+ * User-provided values override defaults.
+ *
+ * @param partial - Partial config to merge
+ * @returns Complete config with defaults applied
+ */
+export function mergeWithDefaults(partial) {
+    return {
+        batchFlushIntervalMs: partial.batchFlushIntervalMs ??
+            DEFAULT_PERFORMANCE_CONFIG.batchFlushIntervalMs,
+        functionalityBatchSize: partial.functionalityBatchSize ??
+            DEFAULT_PERFORMANCE_CONFIG.functionalityBatchSize,
+        securityBatchSize: partial.securityBatchSize ?? DEFAULT_PERFORMANCE_CONFIG.securityBatchSize,
+        testTimeoutMs: partial.testTimeoutMs ?? DEFAULT_PERFORMANCE_CONFIG.testTimeoutMs,
+        securityTestTimeoutMs: partial.securityTestTimeoutMs ??
+            DEFAULT_PERFORMANCE_CONFIG.securityTestTimeoutMs,
+        queueWarningThreshold: partial.queueWarningThreshold ??
+            DEFAULT_PERFORMANCE_CONFIG.queueWarningThreshold,
+        eventEmitterMaxListeners: partial.eventEmitterMaxListeners ??
+            DEFAULT_PERFORMANCE_CONFIG.eventEmitterMaxListeners,
+    };
+}
+/**
+ * Load performance configuration from a JSON file.
+ * Partial configs are validated and merged with defaults.
+ *
+ * @param configPath - Path to JSON configuration file
+ * @param logger - Optional logger for diagnostic output
+ * @returns Complete configuration with defaults applied
+ * @throws Error if config file has validation errors
+ */
+export function loadPerformanceConfig(configPath, logger) {
+    if (!configPath) {
+        return { ...DEFAULT_PERFORMANCE_CONFIG };
+    }
+    try {
+        const configContent = fs.readFileSync(configPath, "utf-8");
+        const userConfig = JSON.parse(configContent);
+        // Validate the config
+        const errors = validatePerformanceConfig(userConfig);
+        if (errors.length > 0) {
+            const errorMsg = `Invalid performance config: ${errors.join(", ")}`;
+            logger?.error(errorMsg, { configPath, errors });
+            throw new Error(errorMsg);
+        }
+        logger?.debug("Loaded performance config", { configPath, userConfig });
+        return mergeWithDefaults(userConfig);
+    }
+    catch (error) {
+        if (error instanceof SyntaxError) {
+            logger?.error("Invalid JSON in performance config file", {
+                configPath,
+                error: error.message,
+            });
+            throw new Error(`Invalid JSON in performance config: ${configPath}`);
+        }
+        // Re-throw validation errors
+        if (error instanceof Error && error.message.includes("Invalid")) {
+            throw error;
+        }
+        // File read errors - use defaults with warning
+        logger?.warn("Could not load performance config, using defaults", {
+            configPath,
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return { ...DEFAULT_PERFORMANCE_CONFIG };
+    }
+}

package/lib/services/assessment/config/sanitizationPatterns.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Sanitization Library Pattern Configuration
+ *
+ * Detects security libraries and sanitization practices in tool metadata/descriptions.
+ * Used by SanitizationDetector to reduce false positives when tools have proper
+ * input sanitization in place.
+ *
+ * @see Issue #56: Improve security analysis granularity
+ */
+/**
+ * Categories of sanitization approaches
+ */
+export type SanitizationCategory = "xss" | "html" | "sql" | "input" | "encoding" | "framework";
+/**
+ * Pattern definition for detecting a specific sanitization library
+ */
+export interface SanitizationLibraryPattern {
+    /** Library name for reporting */
+    name: string;
+    /** Regex patterns to detect this library */
+    patterns: RegExp[];
+    /** Type of sanitization this library provides */
+    category: SanitizationCategory;
+    /** Confidence boost when detected (15-25 points) */
+    confidenceBoost: number;
+    /** Languages this library is typically used with */
+    languageHint?: string[];
+}
+/**
+ * Known sanitization libraries with detection patterns
+ *
+ * Detection is conservative - patterns match explicit mentions of libraries
+ * rather than generic terms that could have other meanings.
+ */
+export declare const SANITIZATION_LIBRARY_PATTERNS: SanitizationLibraryPattern[];
+/**
+ * Generic sanitization keyword patterns
+ *
+ * These are less specific than library patterns and provide lower confidence boost.
+ * Used when no specific library is detected but sanitization is mentioned.
+ */
+export declare const GENERIC_SANITIZATION_KEYWORDS: RegExp[];
+/**
+ * Response-time sanitization indicators
+ *
+ * Patterns that indicate sanitization was applied to the response.
+ * These provide evidence that input was processed safely.
+ */
+export declare const RESPONSE_SANITIZATION_INDICATORS: RegExp[];
+/**
+ * Confidence boost values for different detection types
+ */
+export declare const CONFIDENCE_BOOSTS: {
+    /** Specific library detected (e.g., DOMPurify) */
+    readonly SPECIFIC_LIBRARY: 25;
+    /** Generic sanitization keyword detected */
+    readonly GENERIC_KEYWORD: 8;
+    /** Response-time sanitization evidence */
+    readonly RESPONSE_EVIDENCE: 10;
+    /** Maximum total adjustment (cap) */
+    readonly MAX_ADJUSTMENT: 50;
+};
+//# sourceMappingURL=sanitizationPatterns.d.ts.map

package/lib/services/assessment/config/sanitizationPatterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitizationPatterns.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/config/sanitizationPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAC5B,KAAK,GACL,MAAM,GACN,KAAK,GACL,OAAO,GACP,UAAU,GACV,WAAW,CAAC;AAEhB;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,iCAAiC;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,iDAAiD;IACjD,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,oDAAoD;IACpD,eAAe,EAAE,MAAM,CAAC;IACxB,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;;;;GAKG;AACH,eAAO,MAAM,6BAA6B,EAAE,0BAA0B,EAkKrE,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,6BAA6B,EAAE,MAAM,EAWjD,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,EAAE,MAAM,EAWpD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB;IAC5B,kDAAkD;;IAElD,4CAA4C;;IAE5C,0CAA0C;;IAE1C,qCAAqC;;CAE7B,CAAC"}

package/lib/services/assessment/config/sanitizationPatterns.js

@@ -0,0 +1,223 @@
+/**
+ * Sanitization Library Pattern Configuration
+ *
+ * Detects security libraries and sanitization practices in tool metadata/descriptions.
+ * Used by SanitizationDetector to reduce false positives when tools have proper
+ * input sanitization in place.
+ *
+ * @see Issue #56: Improve security analysis granularity
+ */
+/**
+ * Known sanitization libraries with detection patterns
+ *
+ * Detection is conservative - patterns match explicit mentions of libraries
+ * rather than generic terms that could have other meanings.
+ */
+export const SANITIZATION_LIBRARY_PATTERNS = [
+    // XSS Prevention Libraries
+    {
+        name: "DOMPurify",
+        patterns: [/\bDOMPurify\b/i, /\bdom[\-_]?purify\b/i],
+        category: "xss",
+        confidenceBoost: 25,
+        languageHint: ["javascript", "typescript"],
+    },
+    {
+        name: "xss",
+        patterns: [
+            /\bxss\s*\(/i,
+            /require\s*\(\s*['"]xss['"]\s*\)/i,
+            /import.*from\s+['"]xss['"]/i,
+            /xss\s+library/i,
+        ],
+        category: "xss",
+        confidenceBoost: 25,
+        languageHint: ["javascript", "typescript"],
+    },
+    {
+        name: "bleach",
+        patterns: [/\bbleach\b/i, /bleach\.clean/i, /import\s+bleach/i],
+        category: "xss",
+        confidenceBoost: 25,
+        languageHint: ["python"],
+    },
+    // HTML Sanitization
+    {
+        name: "sanitize-html",
+        patterns: [
+            /\bsanitize[\-_]?html\b/i,
+            /sanitizeHtml\s*\(/i,
+            /require\s*\(\s*['"]sanitize-html['"]\s*\)/i,
+        ],
+        category: "html",
+        confidenceBoost: 20,
+        languageHint: ["javascript", "typescript"],
+    },
+    {
+        name: "escape-html",
+        patterns: [
+            /\bescape[\-_]?html\b/i,
+            /escapeHtml\s*\(/i,
+            /require\s*\(\s*['"]escape-html['"]\s*\)/i,
+        ],
+        category: "encoding",
+        confidenceBoost: 15,
+        languageHint: ["javascript", "typescript"],
+    },
+    {
+        name: "he",
+        patterns: [
+            /\bhe\.encode/i,
+            /\bhe\.escape/i,
+            /require\s*\(\s*['"]he['"]\s*\)/i,
+        ],
+        category: "encoding",
+        confidenceBoost: 15,
+        languageHint: ["javascript", "typescript"],
+    },
+    // Input Validation Libraries
+    {
+        name: "validator",
+        patterns: [
+            /validator\.js/i,
+            /\bvalidatorjs\b/i,
+            /validator\.(isEmail|escape|sanitize|isURL|isAlphanumeric)/i,
+            /require\s*\(\s*['"]validator['"]\s*\)/i,
+        ],
+        category: "input",
+        confidenceBoost: 20,
+        languageHint: ["javascript", "typescript"],
+    },
+    {
+        name: "Zod",
+        patterns: [
+            /\bz\.string\s*\(\)/i,
+            /\bz\.object\s*\(/i,
+            /\bzod\b/i,
+            /\.safeParse\s*\(/i,
+            /import.*from\s+['"]zod['"]/i,
+        ],
+        category: "input",
+        confidenceBoost: 15,
+        languageHint: ["typescript"],
+    },
+    {
+        name: "Joi",
+        patterns: [
+            /\bJoi\b/i,
+            /Joi\.string\s*\(\)/i,
+            /Joi\.object\s*\(/i,
+            /\.validate\s*\(/i,
+            /require\s*\(\s*['"]joi['"]\s*\)/i,
+        ],
+        category: "input",
+        confidenceBoost: 15,
+        languageHint: ["javascript", "typescript"],
+    },
+    {
+        name: "yup",
+        patterns: [
+            /\byup\b/i,
+            /yup\.string\s*\(\)/i,
+            /yup\.object\s*\(/i,
+            /import.*from\s+['"]yup['"]/i,
+        ],
+        category: "input",
+        confidenceBoost: 15,
+        languageHint: ["javascript", "typescript"],
+    },
+    {
+        name: "pydantic",
+        patterns: [
+            /\bpydantic\b/i,
+            /from\s+pydantic\s+import/i,
+            /BaseModel/i,
+            /Field\s*\(/i,
+        ],
+        category: "input",
+        confidenceBoost: 15,
+        languageHint: ["python"],
+    },
+    // SQL Injection Prevention
+    {
+        name: "parameterized-queries",
+        patterns: [
+            /prepared[\s_]?statement/i,
+            /parameterized[\s_]?quer/i,
+            /\$\d+\s/i, // PostgreSQL style $1, $2
+            /:\w+\s/i, // Named parameters :name
+            /\?\s/i, // Positional parameters ?
+        ],
+        category: "sql",
+        confidenceBoost: 20,
+        languageHint: ["sql"],
+    },
+    // Framework-level Protection
+    {
+        name: "helmet",
+        patterns: [
+            /\bhelmet\b/i,
+            /helmet\s*\(\)/i,
+            /require\s*\(\s*['"]helmet['"]\s*\)/i,
+        ],
+        category: "framework",
+        confidenceBoost: 10,
+        languageHint: ["javascript", "typescript"],
+    },
+    {
+        name: "django-csrf",
+        patterns: [/csrf_token/i, /CsrfViewMiddleware/i, /@csrf_protect/i],
+        category: "framework",
+        confidenceBoost: 10,
+        languageHint: ["python"],
+    },
+];
+/**
+ * Generic sanitization keyword patterns
+ *
+ * These are less specific than library patterns and provide lower confidence boost.
+ * Used when no specific library is detected but sanitization is mentioned.
+ */
+export const GENERIC_SANITIZATION_KEYWORDS = [
+    /\bsanitiz(e|ed|es|ing|ation)\b/i,
+    /\bescap(e|ed|es|ing)\b/i,
+    /\bencod(e|ed|es|ing)\b/i,
+    /\bvalidat(e|ed|es|ing|ion)\b/i,
+    /\bfilter(ed|s|ing)?\b/i,
+    /\bclean(ed|s|ing)?\b/i,
+    /\bpurif(y|ied|ies|ying)\b/i,
+    /\bnormaliz(e|ed|es|ing)\b/i,
+    /\bstrip(ped|s|ping)?\b/i,
+    /\btrim(med|s|ming)?\b/i,
+];
+/**
+ * Response-time sanitization indicators
+ *
+ * Patterns that indicate sanitization was applied to the response.
+ * These provide evidence that input was processed safely.
+ */
+export const RESPONSE_SANITIZATION_INDICATORS = [
+    /\[sanitized\]/i,
+    /\[filtered\]/i,
+    /\[redacted\]/i,
+    /\[removed\]/i,
+    /\[cleaned\]/i,
+    /\[escaped\]/i,
+    /input.*sanitized/i,
+    /content.*filtered/i,
+    /value.*cleaned/i,
+    /data.*validated/i,
+];
+/**
+ * Confidence boost values for different detection types
+ */
+export const CONFIDENCE_BOOSTS = {
+    /** Specific library detected (e.g., DOMPurify) */
+    SPECIFIC_LIBRARY: 25,
+    /** Generic sanitization keyword detected */
+    GENERIC_KEYWORD: 8,
+    /** Response-time sanitization evidence */
+    RESPONSE_EVIDENCE: 10,
+    /** Maximum total adjustment (cap) */
+    MAX_ADJUSTMENT: 50,
+};

package/lib/services/assessment/lib/claudeCodeBridge.d.ts

@@ -12,6 +12,7 @@
  */
 import type { Tool } from "@modelcontextprotocol/sdk/types.js";
 import type { AUPCategory } from "../../../lib/assessmentTypes.js";
+import { Logger } from "./logger.js";
 /**
  * Response from Claude Code execution
  */
@@ -103,7 +104,8 @@ export declare const FULL_CLAUDE_CODE_CONFIG: ClaudeCodeBridgeConfig;
 export declare class ClaudeCodeBridge {
     private config;
     private isAvailable;
-    constructor(config: ClaudeCodeBridgeConfig);
+    private logger?;
+    constructor(config: ClaudeCodeBridgeConfig, logger?: Logger);
     /**
      * Check if a specific feature is enabled
      * Note: annotationInference is an alias for behaviorInference

package/lib/services/assessment/lib/claudeCodeBridge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"claudeCodeBridge.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/lib/claudeCodeBridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAC;QACpC,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;QAClC,oBAAoB,CAAC,EAAE,OAAO,CAAC;KAChC,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,WAAW,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,OAAO,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,WAAW,CAAC;IACtB,eAAe,EAAE,OAAO,GAAG,iBAAiB,GAAG,OAAO,CAAC;IACvD,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB,EAAE;QACpB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,CAAC;IACF,oBAAoB,EAAE,OAAO,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,KAAK,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,gBAAgB,EAAE,MAAM,CAAC;QACzB,QAAQ,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;KAClE,CAAC,CAAC;IACH,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE,sBAYxC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,sBAYrC,CAAC;AAEF;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAyB;IACvC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,sBAAsB;IAW1C;;;OAGG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,sBAAsB,CAAC,UAAU,CAAC,GAAG,OAAO;IAgB5E;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAS/B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IA8B5B;;OAEG;YACW,gBAAgB;IAwB9B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAqBzB;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAC;IA2C5C;;OAEG;IACG,iBAAiB,CACrB,IAAI,EAAE,IAAI,EACV,kBAAkB,CAAC,EAAE;QACnB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,GACA,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAgD1C;;OAEG;IACG,qBAAqB,CACzB,IAAI,EAAE,IAAI,EACV,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAuCvC;;;OAGG;IACG,sBAAsB,CAC1B,IAAI,EAAE,IAAI,GACT,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;IAqC5C;;OAEG;IACG,mBAAmB,CACvB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QACT,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,GAAG,IAAI,CAAC;CA0CV"}
+{"version":3,"file":"claudeCodeBridge.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/lib/claudeCodeBridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAElC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAC;QACpC,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;QAClC,oBAAoB,CAAC,EAAE,OAAO,CAAC;KAChC,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,WAAW,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,OAAO,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,WAAW,CAAC;IACtB,eAAe,EAAE,OAAO,GAAG,iBAAiB,GAAG,OAAO,CAAC;IACvD,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB,EAAE;QACpB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,CAAC;IACF,oBAAoB,EAAE,OAAO,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,KAAK,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,gBAAgB,EAAE,MAAM,CAAC;QACzB,QAAQ,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;KAClE,CAAC,CAAC;IACH,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE,sBAYxC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,sBAYrC,CAAC;AAEF;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAyB;IACvC,OAAO,CAAC,WAAW,CAAkB;IACrC,OAAO,CAAC,MAAM,CAAC,CAAS;gBAEZ,MAAM,EAAE,sBAAsB,EAAE,MAAM,CAAC,EAAE,MAAM;IAU3D;;;OAGG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,sBAAsB,CAAC,UAAU,CAAC,GAAG,OAAO;IAgB5E;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAS/B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IA8B5B;;OAEG;YACW,gBAAgB;IAwB9B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAqBzB;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,yBAAyB,GAAG,IAAI,CAAC;IA2C5C;;OAEG;IACG,iBAAiB,CACrB,IAAI,EAAE,IAAI,EACV,kBAAkB,CAAC,EAAE;QACnB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,GACA,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAgD1C;;OAEG;IACG,qBAAqB,CACzB,IAAI,EAAE,IAAI,EACV,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAuCvC;;;OAGG;IACG,sBAAsB,CAC1B,IAAI,EAAE,IAAI,GACT,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;IAqC5C;;OAEG;IACG,mBAAmB,CACvB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QACT,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,GAAG,IAAI,CAAC;CA0CV"}

package/lib/services/assessment/lib/claudeCodeBridge.js

@@ -50,11 +50,13 @@ export const FULL_CLAUDE_CODE_CONFIG = {
 export class ClaudeCodeBridge {
     config;
     isAvailable = false;
-    constructor(config) {
+    logger;
+    constructor(config, logger) {
         this.config = config;
+        this.logger = logger;
         this.isAvailable = this.checkClaudeAvailability();
         if (!this.isAvailable) {
-            console.warn("[ClaudeCodeBridge] Claude CLI not available - features will be disabled");
+            this.logger?.warn("Claude CLI not available - features will be disabled");
         }
     }
     /**
@@ -151,7 +153,7 @@ export class ClaudeCodeBridge {
             return JSON.parse(jsonStr);
         }
         catch {
-            console.warn("[ClaudeCodeBridge] Failed to parse JSON response");
+            this.logger?.warn("Failed to parse JSON response");
             return null;
         }
     }

package/lib/services/assessment/lib/concurrencyLimit.d.ts

@@ -2,6 +2,7 @@
  * Simple concurrency limiter for parallel async operations
  * Provides the same interface as p-limit but is CJS-compatible
  */
+import { Logger } from "./logger.js";
 /**
  * Warning threshold for queue depth monitoring.
  * If queue exceeds this size, a warning is emitted to help diagnose
@@ -12,14 +13,17 @@
  *
  * Threshold of 10,000 provides ~146% headroom to accommodate larger
  * tool sets while catching true runaway scenarios.
+ *
+ * @see PerformanceConfig.queueWarningThreshold (Issue #37)
  */
-export declare const QUEUE_WARNING_THRESHOLD = 10000;
+export declare const QUEUE_WARNING_THRESHOLD: number;
 export type LimitFunction = <T>(fn: () => Promise<T>) => Promise<T>;
 /**
  * Creates a concurrency limiter that allows only a specified number
  * of async operations to run simultaneously
  *
  * @param concurrency - Maximum number of concurrent operations
+ * @param logger - Optional logger instance for queue depth warnings
  * @returns A function that wraps async operations with the concurrency limit
  *
  * @example
@@ -28,5 +32,5 @@ export type LimitFunction = <T>(fn: () => Promise<T>) => Promise<T>;
  *   items.map(item => limit(() => processItem(item)))
  * );
  */
-export declare function createConcurrencyLimit(concurrency: number): LimitFunction;
+export declare function createConcurrencyLimit(concurrency: number, logger?: Logger): LimitFunction;
 //# sourceMappingURL=concurrencyLimit.d.ts.map

package/lib/services/assessment/lib/concurrencyLimit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"concurrencyLimit.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/lib/concurrencyLimit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,QAAQ,CAAC;AAE7C,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC;AAEpE;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,aAAa,CAuDzE"}
+{"version":3,"file":"concurrencyLimit.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/lib/concurrencyLimit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAGlC;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB,QACc,CAAC;AAEnD,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC;AAEpE;;;;;;;;;;;;;GAaG;AACH,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,MAAM,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,aAAa,CAwDf"}