@bryan-thompson/inspector-assessment-client 1.25.4 → 1.25.5

package/lib/services/assessment/modules/ManifestValidationAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ManifestValidationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ManifestValidationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,4BAA4B,EAK7B,MAAM,uBAAuB,CAAC;AAM/B,qBAAa,0BAA2B,SAAQ,YAAY;IAC1D;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IA6JxC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAyB9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmB/B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAgC/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiC7B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiChC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IA+CzB;;OAEG;IACH,OAAO,CAAC,YAAY;IAqCpB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA+B1B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IA8B7B;;OAEG;YACW,yBAAyB;IA2EvC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAsB/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA0C3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CA+ChC"}
+{"version":3,"file":"ManifestValidationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ManifestValidationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,4BAA4B,EAK7B,MAAM,uBAAuB,CAAC;AAM/B,qBAAa,0BAA2B,SAAQ,YAAY;IAC1D;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IA6JxC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAyB9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmB/B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAgC/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiC7B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiChC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IA+CzB;;OAEG;IACH,OAAO,CAAC,YAAY;IAqCpB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA+B1B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IA8B7B;;OAEG;YACW,yBAAyB;IAoFvC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAsB/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA0C3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CA+ChC"}

package/lib/services/assessment/modules/ManifestValidationAssessor.js

@@ -412,7 +412,8 @@ export class ManifestValidationAssessor extends BaseAssessor {
             try {
                 new URL(url);
             }
-            catch {
+            catch (error) {
+                this.logError(`Invalid privacy policy URL format: ${url}`, error);
                 results.push({
                     url,
                     accessible: false,
@@ -437,8 +438,11 @@ export class ManifestValidationAssessor extends BaseAssessor {
                     contentType: response.headers.get("content-type") || undefined,
                 });
             }
-            catch {
+            catch (headError) {
                 // Try GET request as fallback (some servers reject HEAD)
+                this.logger.debug(`HEAD request failed for ${url}, trying GET`, {
+                    error: headError instanceof Error ? headError.message : String(headError),
+                });
                 try {
                     const controller = new AbortController();
                     const timeoutId = setTimeout(() => controller.abort(), 5000);
@@ -456,6 +460,7 @@ export class ManifestValidationAssessor extends BaseAssessor {
                     });
                 }
                 catch (fetchError) {
+                    this.logError(`Failed to fetch privacy policy URL: ${url}`, fetchError);
                     results.push({
                         url,
                         accessible: false,

package/lib/services/assessment/modules/PromptAssessor.d.ts

@@ -32,6 +32,7 @@ export declare class PromptAssessor extends BaseAssessor {
     private analyzePromptTemplate;
     /**
      * Analyze dynamic content characteristics for enrichment (Issue #9)
+     * Enhanced with SanitizationDetector for library-aware detection (Issue #56)
      */
     private analyzeDynamicContent;
 }

package/lib/services/assessment/modules/PromptAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"PromptAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/PromptAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,gBAAgB,EAGjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAa,MAAM,2BAA2B,CAAC;AA6DzE,qBAAa,cAAe,SAAQ,YAAY;IACxC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAqDnE,OAAO,CAAC,uBAAuB;YAajB,UAAU;IAsFxB,OAAO,CAAC,oBAAoB;IAK5B,OAAO,CAAC,kBAAkB;IAa1B,OAAO,CAAC,qBAAqB;YAuBf,mBAAmB;IAuCjC,OAAO,CAAC,6BAA6B;YAqBvB,mBAAmB;IA6CjC,OAAO,CAAC,qBAAqB;YAsCf,sBAAsB;IA+BpC,OAAO,CAAC,qBAAqB;IAe7B,OAAO,CAAC,mBAAmB;IAmC3B,OAAO,CAAC,uBAAuB;IAqC/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;OAEG;IACH,OAAO,CAAC,qBAAqB;CA+C9B"}
+{"version":3,"file":"PromptAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/PromptAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,gBAAgB,EAGjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAa,MAAM,2BAA2B,CAAC;AA8DzE,qBAAa,cAAe,SAAQ,YAAY;IACxC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAqDnE,OAAO,CAAC,uBAAuB;YAajB,UAAU;IAsFxB,OAAO,CAAC,oBAAoB;IAK5B,OAAO,CAAC,kBAAkB;IAa1B,OAAO,CAAC,qBAAqB;YAuBf,mBAAmB;IAwCjC,OAAO,CAAC,6BAA6B;YAqBvB,mBAAmB;IAmDjC,OAAO,CAAC,qBAAqB;YAsCf,sBAAsB;IAqCpC,OAAO,CAAC,qBAAqB;IAe7B,OAAO,CAAC,mBAAmB;IAmC3B,OAAO,CAAC,uBAAuB;IAqC/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;CAsD9B"}

package/lib/services/assessment/modules/PromptAssessor.js

@@ -9,6 +9,7 @@
  * - Required vs optional argument handling
  */
 import { BaseAssessor } from "./BaseAssessor.js";
+import { SanitizationDetector } from "./securityTests/SanitizationDetector.js";
 // AUP violation patterns in prompt descriptions/content
 const AUP_VIOLATION_PATTERNS = [
     // Harmful content generation
@@ -215,6 +216,7 @@ export class PromptAssessor extends BaseAssessor {
             return { success: true, unsafeContent, executionTime };
         }
         catch (error) {
+            this.logError(`Prompt execution failed: ${prompt.name}`, error);
             return {
                 success: false,
                 unsafeContent: false,
@@ -265,8 +267,11 @@ export class PromptAssessor extends BaseAssessor {
             }
             return { vulnerable: false };
         }
-        catch {
+        catch (error) {
             // Error handling payload is good - not vulnerable
+            this.logger.debug(`Injection payload rejected for ${prompt.name} (good)`, {
+                error: error instanceof Error ? error.message : String(error),
+            });
             return { vulnerable: false };
         }
     }
@@ -311,8 +316,11 @@ export class PromptAssessor extends BaseAssessor {
                 // If we got here without error, validation failed
                 return false;
             }
-            catch {
+            catch (error) {
                 // Expected - missing required arg should throw
+                this.logger.debug(`Missing arg ${arg.name} correctly rejected for ${prompt.name}`, {
+                    error: error instanceof Error ? error.message : String(error),
+                });
                 continue;
             }
         }
@@ -399,6 +407,7 @@ export class PromptAssessor extends BaseAssessor {
     }
     /**
      * Analyze dynamic content characteristics for enrichment (Issue #9)
+     * Enhanced with SanitizationDetector for library-aware detection (Issue #56)
      */
     analyzeDynamicContent(prompt) {
         const description = prompt.description || "";
@@ -409,25 +418,26 @@ export class PromptAssessor extends BaseAssessor {
             /\$\{.*\}/i.test(fullText) ||
             /\{[a-zA-Z_][a-zA-Z0-9_]*\}/i.test(fullText) ||
             (prompt.arguments?.length || 0) > 0;
-        // Detect escaping mechanisms mentioned
-        const escapingApplied = [];
-        if (/sanitiz/i.test(fullText))
-            escapingApplied.push("sanitization");
-        if (/escap/i.test(fullText))
-            escapingApplied.push("escaping");
-        if (/encod/i.test(fullText))
-            escapingApplied.push("encoding");
-        if (/validat/i.test(fullText))
-            escapingApplied.push("validation");
-        if (/filter/i.test(fullText))
-            escapingApplied.push("filtering");
+        // Issue #56: Use SanitizationDetector for library-aware detection
+        const sanitizationDetector = new SanitizationDetector();
+        const sanitizationResult = sanitizationDetector.detectFromText(fullText);
+        // Combine library detection with generic patterns for escapingApplied
+        const escapingApplied = [
+            ...sanitizationResult.libraries,
+            ...sanitizationResult.genericPatterns,
+        ];
         // Infer injection safety from multiple signals
         const hasTypeChecks = prompt.arguments?.some((a) => a.description?.toLowerCase().includes("type") ||
             a.description?.toLowerCase().includes("must be"));
         const hasLengthLimits = prompt.arguments?.some((a) => a.description?.toLowerCase().includes("max") ||
             a.description?.toLowerCase().includes("limit"));
-        // Consider injection safe if escaping is mentioned or validation exists
-        const injectionSafe = escapingApplied.length > 0 || hasTypeChecks || hasLengthLimits || false;
+        // Issue #56: Enhanced injection safety determination
+        // Now considers specific libraries (stronger signal) in addition to generic patterns
+        const injectionSafe = sanitizationResult.libraries.length > 0 || // Specific library = strong signal
+            sanitizationResult.genericPatterns.length >= 2 || // Multiple generic patterns
+            hasTypeChecks ||
+            hasLengthLimits ||
+            false;
         return {
             hasInterpolation,
             injectionSafe,

package/lib/services/assessment/modules/ProtocolComplianceAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ProtocolComplianceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ProtocolComplianceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,2BAA2B,EAM3B,uBAAuB,EAGxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAOpE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAmB9D;;;GAGG;AACH,MAAM,WAAW,4BAA6B,SAAQ,2BAA2B;IAC/E,2EAA2E;IAC3E,iBAAiB,CAAC,EAAE;QAClB,mBAAmB,EAAE,aAAa,CAAC;QACnC,kBAAkB,EAAE,aAAa,CAAC;QAClC,uBAAuB,EAAE,aAAa,CAAC;KACxC,CAAC;CACH;AAED,qBAAa,0BAA2B,SAAQ,YAAY,CAAC,4BAA4B,CAAC;IACxF,OAAO,CAAC,GAAG,CAAc;gBAEb,MAAM,EAAE,uBAAuB;IAK3C;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;;OAGG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IAmIxC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAqB9B;;OAEG;YACW,sBAAsB;IAuBpC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAsB/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAuC7B;;OAEG;YACW,mBAAmB;IAiCjC;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAYpC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAkEnC;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAS7B;;OAEG;YACW,wBAAwB;IA4GtC;;OAEG;YACW,uBAAuB;IA2FrC;;OAEG;YACW,4BAA4B;IAoD1C,OAAO,CAAC,yBAAyB;IAkEjC,OAAO,CAAC,uBAAuB;IAqB/B,OAAO,CAAC,sBAAsB;IA0B9B,OAAO,CAAC,qBAAqB;IAgC7B,OAAO,CAAC,oBAAoB;IA8E5B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAoC3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CAqEhC"}
+{"version":3,"file":"ProtocolComplianceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ProtocolComplianceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,2BAA2B,EAM3B,uBAAuB,EAGxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAOpE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAmB9D;;;GAGG;AACH,MAAM,WAAW,4BAA6B,SAAQ,2BAA2B;IAC/E,2EAA2E;IAC3E,iBAAiB,CAAC,EAAE;QAClB,mBAAmB,EAAE,aAAa,CAAC;QACnC,kBAAkB,EAAE,aAAa,CAAC;QAClC,uBAAuB,EAAE,aAAa,CAAC;KACxC,CAAC;CACH;AAED,qBAAa,0BAA2B,SAAQ,YAAY,CAAC,4BAA4B,CAAC;IACxF,OAAO,CAAC,GAAG,CAAc;gBAEb,MAAM,EAAE,uBAAuB;IAK3C;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;;OAGG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IAmIxC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAqB9B;;OAEG;YACW,sBAAsB;IAuBpC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAsB/B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAwC7B;;OAEG;YACW,mBAAmB;IAiCjC;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAYpC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAkEnC;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAS7B;;OAEG;YACW,wBAAwB;IA4GtC;;OAEG;YACW,uBAAuB;IA2FrC;;OAEG;YACW,4BAA4B;IAoD1C,OAAO,CAAC,yBAAyB;IAkEjC,OAAO,CAAC,uBAAuB;IAqB/B,OAAO,CAAC,sBAAsB;IA0B9B,OAAO,CAAC,qBAAqB;IAgC7B,OAAO,CAAC,oBAAoB;IA8E5B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAoC3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CAqEhC"}

package/lib/services/assessment/modules/ProtocolComplianceAssessor.js

@@ -229,7 +229,9 @@ export class ProtocolComplianceAssessor extends BaseAssessor {
                         hasErrors = true;
                         const errorMsg = `${tool.name}: ${JSON.stringify(this.ajv.errors)}`;
                         errors.push(errorMsg);
-                        console.warn(`Invalid schema for tool ${tool.name}:`, this.ajv.errors);
+                        this.logger.warn(`Invalid schema for tool ${tool.name}`, {
+                            errors: this.ajv.errors,
+                        });
                     }
                 }
             }
@@ -240,7 +242,9 @@ export class ProtocolComplianceAssessor extends BaseAssessor {
             };
         }
         catch (error) {
-            console.error("Schema compliance check failed:", error);
+            this.logger.error("Schema compliance check failed", {
+                error: String(error),
+            });
             return {
                 passed: false,
                 confidence: "low",

package/lib/services/assessment/modules/ProtocolConformanceAssessor.d.ts

@@ -11,10 +11,15 @@
  *
  * @module assessment/modules/ProtocolConformanceAssessor
  */
+import { AssessmentConfiguration } from "../../../lib/assessment/configTypes.js";
 import type { ProtocolConformanceAssessment } from "../../../lib/assessment/extendedTypes.js";
 import { BaseAssessor } from "./BaseAssessor.js";
 import { AssessmentContext } from "../AssessmentOrchestrator.js";
+/**
+ * @deprecated Use ProtocolComplianceAssessor instead. Will be removed in v2.0.0.
+ */
 export declare class ProtocolConformanceAssessor extends BaseAssessor<ProtocolConformanceAssessment> {
+    constructor(config: AssessmentConfiguration);
     /**
      * Select representative tools for testing (first, middle, last for diversity)
      */

package/lib/services/assessment/modules/ProtocolConformanceAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ProtocolConformanceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ProtocolConformanceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EACV,6BAA6B,EAE9B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAmB9D,qBAAa,2BAA4B,SAAQ,YAAY,CAAC,6BAA6B,CAAC;IAC1F;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAS7B;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAI3B;;OAEG;IACH,OAAO,CAAC,eAAe;IAIjB,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,6BAA6B,CAAC;IAqCzC;;;;;;;;;OASG;YACW,wBAAwB;IAoHtC;;;;;OAKG;YACW,uBAAuB;IAkGrC;;;;;;;;OAQG;YACW,4BAA4B;IAkD1C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IA6BjC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmC3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CA6ChC"}
+{"version":3,"file":"ProtocolConformanceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ProtocolConformanceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,KAAK,EACV,6BAA6B,EAE9B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAmB9D;;GAEG;AACH,qBAAa,2BAA4B,SAAQ,YAAY,CAAC,6BAA6B,CAAC;gBAC9E,MAAM,EAAE,uBAAuB;IAY3C;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAS7B;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAI3B;;OAEG;IACH,OAAO,CAAC,eAAe;IAIjB,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,6BAA6B,CAAC;IAqCzC;;;;;;;;;OASG;YACW,wBAAwB;IA0HtC;;;;;OAKG;YACW,uBAAuB;IAmGrC;;;;;;;;OAQG;YACW,4BAA4B;IAkD1C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IA6BjC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmC3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CA6ChC"}

package/lib/services/assessment/modules/ProtocolConformanceAssessor.js

@@ -20,7 +20,18 @@ const VALID_CONTENT_TYPES = [
     "resource",
     "resource_link",
 ];
+/**
+ * @deprecated Use ProtocolComplianceAssessor instead. Will be removed in v2.0.0.
+ */
 export class ProtocolConformanceAssessor extends BaseAssessor {
+    constructor(config) {
+        super(config);
+        this.logger.warn("ProtocolConformanceAssessor is deprecated. Use ProtocolComplianceAssessor instead. " +
+            "This module will be removed in v2.0.0.", {
+            module: "ProtocolConformanceAssessor",
+            replacement: "ProtocolComplianceAssessor",
+        });
+    }
     /**
      * Select representative tools for testing (first, middle, last for diversity)
      */
@@ -147,6 +158,9 @@ export class ProtocolConformanceAssessor extends BaseAssessor {
             }
             catch (error) {
                 // Tool threw exception instead of returning error response
+                this.logger.debug(`Tool ${testTool.name} threw exception instead of error response`, {
+                    error: error instanceof Error ? error.message : String(error),
+                });
                 results.push({
                     toolName: testTool.name,
                     passed: false,
@@ -254,6 +268,7 @@ export class ProtocolConformanceAssessor extends BaseAssessor {
             };
         }
         catch (error) {
+            this.logError("Content type validation failed", error);
             return {
                 passed: false,
                 confidence: "medium",

package/lib/services/assessment/modules/ResourceAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ResourceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ResourceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,kBAAkB,EAGnB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAoN9D,qBAAa,gBAAiB,SAAQ,YAAY;IAC1C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAgFrE,OAAO,CAAC,yBAAyB;YAiBnB,YAAY;IAoG1B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAY/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;YAsBjB,oBAAoB;IA4FlC,OAAO,CAAC,UAAU;IAmBlB,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,wBAAwB;IAIhC;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAc7B,OAAO,CAAC,yBAAyB;IAYjC,OAAO,CAAC,uBAAuB;IAqB/B,OAAO,CAAC,mBAAmB;IAoC3B,OAAO,CAAC,uBAAuB;CA+DhC"}
+{"version":3,"file":"ResourceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ResourceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,kBAAkB,EAGnB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAoN9D,qBAAa,gBAAiB,SAAQ,YAAY;IAC1C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAgFrE,OAAO,CAAC,yBAAyB;YAiBnB,YAAY;IAoG1B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAY/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;YAsBjB,oBAAoB;IAkGlC,OAAO,CAAC,UAAU;IAsBlB,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,wBAAwB;IAIhC;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAc7B,OAAO,CAAC,yBAAyB;IAYjC,OAAO,CAAC,uBAAuB;IAqB/B,OAAO,CAAC,mBAAmB;IAoC3B,OAAO,CAAC,uBAAuB;CA+DhC"}

package/lib/services/assessment/modules/ResourceAssessor.js

@@ -447,8 +447,11 @@ export class ResourceAssessor extends BaseAssessor {
                         traversalResult.securityIssues.push(`Path traversal vulnerability: successfully accessed ${testUri}`);
                     }
                 }
-                catch {
+                catch (error) {
                     // Expected - path traversal should be rejected
+                    this.logger.debug(`Path traversal correctly rejected for ${testUri}`, {
+                        error: error instanceof Error ? error.message : String(error),
+                    });
                     traversalResult.accessible = false;
                 }
                 results.push(traversalResult);
@@ -469,7 +472,10 @@ export class ResourceAssessor extends BaseAssessor {
             // Allow relative paths
             return !uri.includes("..") || uri.startsWith("/");
         }
-        catch {
+        catch (error) {
+            this.logger.debug(`URI validation failed for: ${uri}`, {
+                error: error instanceof Error ? error.message : String(error),
+            });
             return false;
         }
     }

package/lib/services/assessment/modules/SecurityAssessor.d.ts

@@ -19,109 +19,14 @@ import { SecurityAssessment } from "../../../lib/assessmentTypes.js";
 import { BaseAssessor } from "./BaseAssessor.js";
 import { AssessmentContext } from "../AssessmentOrchestrator.js";
 export declare class SecurityAssessor extends BaseAssessor {
-    private languageGenerator;
+    private payloadTester;
+    private payloadGenerator;
+    constructor(config: import("../../../lib/assessment/configTypes.js").AssessmentConfiguration);
     assess(context: AssessmentContext): Promise<SecurityAssessment>;
     /**
      * Select tools for testing based on configuration
      */
     private selectToolsForTesting;
-    /**
-     * Run comprehensive security tests (advanced mode)
-     * Tests selected tools with ALL 23 security patterns using diverse payloads
-     * Includes injection tests, validation tests, and protocol compliance checks
-     */
-    private runUniversalSecurityTests;
-    /**
-     * Run basic security tests (fast mode)
-     * Tests only 3 critical injection patterns with 1 generic payload each
-     * Used when enableDomainTesting = false
-     */
-    private runBasicSecurityTests;
-    /**
-     * Test tool with a specific payload
-     */
-    private testPayload;
-    /**
-     * Check if response indicates connection/server failure
-     * Returns true if test couldn't complete due to infrastructure issues
-     *
-     * CRITICAL: Only match transport/infrastructure errors, NOT tool business logic
-     */
-    private isConnectionError;
-    /**
-     * Check if caught exception indicates connection/server failure
-     * CRITICAL: Only match transport/infrastructure errors, NOT tool business logic
-     */
-    private isConnectionErrorFromException;
-    /**
-     * Classify error type for reporting
-     */
-    private classifyError;
-    /**
-     * Classify error type from caught exception
-     */
-    private classifyErrorFromException;
-    /**
-     * Analyze response with evidence-based detection
-     * CRITICAL: Distinguish between safe reflection and actual execution
-     */
-    private analyzeResponse;
-    /**
-     * Check if tool explicitly rejected input with validation error (SAFE)
-     * Returns true if tool properly rejected invalid input (SECURE)
-     *
-     * Distinguishes between:
-     * - SAFE: {"valid": false, "errors": ["Input too long"]} (rejection)
-     * - VULNERABLE: {"result": "deleted 5 rows"} (execution)
-     */
-    private isValidationRejection;
-    /**
-     * Check if response is an MCP validation error (safe rejection)
-     * Returns true if tool rejected input before processing (SECURE)
-     *
-     * Validation errors indicate proper input sanitization and are NOT vulnerabilities.
-     * Examples:
-     * - MCP error -32602 (JSON-RPC Invalid params standard)
-     * - "parameter validation failed: invalid url"
-     * - "schema validation error: must be a string"
-     */
-    private isMCPValidationError;
-    /**
-     * Check if response is an HTTP error (Issue #26)
-     * HTTP 4xx/5xx error responses indicate tool rejection, not vulnerability.
-     *
-     * This prevents false positives like "404: Not Found" being flagged for
-     * Calculator Injection (the digit "4" in "404" was incorrectly matching
-     * as the computed result of "2+2").
-     */
-    private isHttpErrorResponse;
-    /**
-     * Check if evidence pattern is ambiguous (can match both validation and execution)
-     * These patterns appear in BOTH:
-     * - Secure validation errors: "parameter validation failed: invalid type"
-     * - Vulnerable execution errors: "SQL executed: type error in result"
-     */
-    private isValidationPattern;
-    /**
-     * Check if response contains evidence of actual execution
-     * Returns true only if malicious input was actually PROCESSED/EXECUTED
-     *
-     * Distinguishes between:
-     * - SECURE: "Parameter validation failed: invalid type" (rejected BEFORE execution)
-     * - VULNERABLE: "SQL executed: syntax error" (error DURING execution)
-     */
-    private hasExecutionEvidence;
-    /**
-     * Check if a math expression payload was computed (execution evidence)
-     * Returns true if the response contains the computed result but NOT the original expression.
-     *
-     * This is key evidence of execution:
-     * - VULNERABLE: payload "15*37+100" → response contains "655" (computed result)
-     * - SAFE: payload "15*37+100" → response contains "15*37+100" (echoed, not computed)
-     *
-     * Added for Issue #14: False positives on safe input reflection
-     */
-    private isComputedMathResult;
     /**
      * Perform additional security checks
      */
@@ -138,78 +43,5 @@ export declare class SecurityAssessor extends BaseAssessor {
      * Generate security explanation
      */
     private generateSecurityExplanation;
-    /**
-     * Calculate confidence level and manual review requirements
-     * Detects ambiguous patterns that need human verification
-     */
-    private calculateConfidence;
-    /**
-     * Check if tool is a structured data tool (search, lookup, retrieval)
-     * These tools naturally echo input patterns in their results
-     */
-    private isStructuredDataTool;
-    /**
-     * Check if response is just reflection (safe)
-     * Expanded to catch more reflection patterns including echo, repeat, display
-     * IMPROVED: Bidirectional patterns, safety indicators, and two-layer defense
-     *
-     * CRITICAL: This check distinguishes between:
-     * - SAFE: Tool stores/echoes malicious input as data (reflection)
-     * - VULNERABLE: Tool executes malicious input and returns results (execution)
-     *
-     * Two-layer defense:
-     * Layer 1: Match reflection/status patterns
-     * Layer 2: Verify NO execution evidence (defense-in-depth)
-     */
-    private isReflectionResponse;
-    /**
-     * Detect execution artifacts in response
-     * Returns true if response contains evidence of actual code execution
-     *
-     * HIGH confidence: System files, commands, directory listings
-     * MEDIUM confidence: Contextual patterns (root alone, paths)
-     *
-     * IMPORTANT: Excludes patterns that appear within echoed injection payloads
-     * (e.g., /etc/passwd within an XXE entity definition is NOT execution evidence)
-     */
-    private detectExecutionArtifacts;
-    /**
-     * Check if response contains echoed injection payload patterns
-     * These indicate the tool is safely echoing/storing input rather than executing it
-     */
-    private containsEchoedInjectionPayload;
-    /**
-     * Analyze injection response (existing logic)
-     * Note: payload parameter unused after refactoring to two-layer defense
-     */
-    private analyzeInjectionResponse;
-    /**
-     * Extract response content
-     */
-    private extractResponseContent;
-    /**
-     * Check if tool has input parameters
-     */
-    private hasInputParameters;
-    private createTestParameters;
-    /**
-     * Check if tool is an API wrapper (safe data-passing tool)
-     */
-    private isApiWrapper;
-    /**
-     * Check if attack is an execution-based test
-     * These tests assume the tool executes input as code, which doesn't apply to API wrappers
-     */
-    private isExecutionTest;
-    /**
-     * Check if response is returning search results
-     * Search tools return query results as data, not execute them
-     */
-    private isSearchResultResponse;
-    /**
-     * Check if response is from a creation/modification operation
-     * CRUD tools create/modify resources, not execute code
-     */
-    private isCreationResponse;
 }
 //# sourceMappingURL=SecurityAssessor.d.ts.map

package/lib/services/assessment/modules/SecurityAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAc9D,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,iBAAiB,CAAuC;IAC1D,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAuFrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;;;OAIG;YACW,yBAAyB;IA2KvC;;;;OAIG;YACW,qBAAqB;IA4JnC;;OAEG;YACW,WAAW;IA4HzB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;IAgDzB;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAiDtC;;OAEG;IACH,OAAO,CAAC,aAAa;IA+BrB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAgClC;;;OAGG;IACH,OAAO,CAAC,eAAe;IAkJvB;;;;;;;OAOG;IACH,OAAO,CAAC,qBAAqB;IAiE7B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;;;;;;OAOG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAsB3B;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IAkC5B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IA8F5B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAkEnC;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAuI3B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAsB5B;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,oBAAoB;IAwN5B;;;;;;;;;OASG;IACH,OAAO,CAAC,wBAAwB;IAwDhC;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAuBtC;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IA8BhC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAW9B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAO1B,OAAO,CAAC,oBAAoB;IAoH5B;;OAEG;IACH,OAAO,CAAC,YAAY;IASpB;;;OAGG;IACH,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAiB9B;;;OAGG;IACH,OAAO,CAAC,kBAAkB;CAmB3B"}
+{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAU9D,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,aAAa,CAAwB;IAC7C,OAAO,CAAC,gBAAgB,CAA2B;gBAGjD,MAAM,EAAE,OAAO,8BAA8B,EAAE,uBAAuB;IA8BlE,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA2FrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;CAiEpC"}