@bryan-thompson/inspector-assessment-client 1.25.4 → 1.25.6

package/lib/services/assessment/modules/UsabilityAssessor.d.ts

@@ -3,9 +3,14 @@
  * Evaluates tool naming, parameter clarity, and best practices
  */
 import { UsabilityAssessment } from "../../../lib/assessmentTypes.js";
+import { AssessmentConfiguration } from "../../../lib/assessment/configTypes.js";
 import { BaseAssessor } from "./BaseAssessor.js";
 import { AssessmentContext } from "../AssessmentOrchestrator.js";
+/**
+ * @deprecated Use DeveloperExperienceAssessor instead. Will be removed in v2.0.0.
+ */
 export declare class UsabilityAssessor extends BaseAssessor {
+    constructor(config: AssessmentConfiguration);
     assess(context: AssessmentContext): Promise<UsabilityAssessment>;
     private analyzeUsability;
     private analyzeNamingConvention;

package/lib/services/assessment/modules/UsabilityAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"UsabilityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/UsabilityAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,mBAAmB,EAGpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE9D,qBAAa,iBAAkB,SAAQ,YAAY;IAC3C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAgBtE,OAAO,CAAC,gBAAgB;IAcxB,OAAO,CAAC,uBAAuB;IAqC/B,OAAO,CAAC,uBAAuB;IAwC/B,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,kBAAkB;IA6C1B,OAAO,CAAC,iBAAiB;IAoCzB,OAAO,CAAC,aAAa;IAQrB,OAAO,CAAC,wBAAwB;IAkBhC,OAAO,CAAC,mBAAmB;IAqB3B,OAAO,CAAC,uBAAuB;CAyBhC"}
+{"version":3,"file":"UsabilityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/UsabilityAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,mBAAmB,EAIpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAQ9D;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,YAAY;gBACrC,MAAM,EAAE,uBAAuB;IAYrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAgBtE,OAAO,CAAC,gBAAgB;IAcxB,OAAO,CAAC,uBAAuB;IAuC/B,OAAO,CAAC,uBAAuB;IA0C/B,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,kBAAkB;IA6C1B,OAAO,CAAC,iBAAiB;IAoCzB,OAAO,CAAC,aAAa;IAQrB,OAAO,CAAC,wBAAwB;IAkBhC,OAAO,CAAC,mBAAmB;IAwB3B,OAAO,CAAC,uBAAuB;CAyBhC"}

package/lib/services/assessment/modules/UsabilityAssessor.js

@@ -3,7 +3,18 @@
  * Evaluates tool naming, parameter clarity, and best practices
  */
 import { BaseAssessor } from "./BaseAssessor.js";
+/**
+ * @deprecated Use DeveloperExperienceAssessor instead. Will be removed in v2.0.0.
+ */
 export class UsabilityAssessor extends BaseAssessor {
+    constructor(config) {
+        super(config);
+        this.logger.warn("UsabilityAssessor is deprecated. Use DeveloperExperienceAssessor instead. " +
+            "This module will be removed in v2.0.0.", {
+            module: "UsabilityAssessor",
+            replacement: "DeveloperExperienceAssessor",
+        });
+    }
     async assess(context) {
         this.log("Starting usability assessment");
         const metrics = this.analyzeUsability(context.tools);

package/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Annotation Deception Detector
+ * High-confidence deception detection for obvious annotation misalignments
+ *
+ * Extracted from ToolAnnotationAssessor.ts for maintainability.
+ * Handles keyword-based misalignment detection.
+ */
+/**
+ * Keywords that contradict readOnlyHint=true (these tools modify state)
+ */
+export declare const READONLY_CONTRADICTION_KEYWORDS: string[];
+/**
+ * Suffixes that exempt "run" from readOnlyHint contradiction detection.
+ * Tools matching "run" + these suffixes are legitimately read-only (fetch analysis data).
+ * Issue #18: browser-tools-mcp uses runAccessibilityAudit, runSEOAudit, etc.
+ */
+export declare const RUN_READONLY_EXEMPT_SUFFIXES: string[];
+/**
+ * Keywords that contradict destructiveHint=false (these tools delete/destroy data)
+ */
+export declare const DESTRUCTIVE_CONTRADICTION_KEYWORDS: string[];
+/**
+ * Deception detection result
+ */
+export interface DeceptionResult {
+    field: "readOnlyHint" | "destructiveHint";
+    matchedKeyword: string;
+    reason: string;
+}
+/**
+ * Check if a tool name contains any of the given keywords (case-insensitive)
+ * Uses word segment matching to avoid false positives (e.g., "put" in "output")
+ * Issue #25: Substring matching caused false positives for words like "output", "input", "compute"
+ *
+ * Handles: camelCase (putFile), snake_case (put_file), kebab-case (put-file), PascalCase (PutFile)
+ */
+export declare function containsKeyword(toolName: string, keywords: string[]): string | null;
+/**
+ * Check if a tool name with "run" keyword is exempt from readOnlyHint contradiction.
+ * Tools like "runAccessibilityAudit" are genuinely read-only (fetch analysis data).
+ * Issue #18: Prevents false positives for analysis/audit tools.
+ */
+export declare function isRunKeywordExempt(toolName: string): boolean;
+/**
+ * Type guard for confidence levels that warrant event emission or status changes.
+ * Uses positive check for acceptable levels (safer than !== "low" if new levels added).
+ */
+export declare function isActionableConfidence(confidence: string): boolean;
+/**
+ * Detect high-confidence annotation deception
+ * Returns misalignment info if obvious deception detected, null otherwise
+ */
+export declare function detectAnnotationDeception(toolName: string, annotations: {
+    readOnlyHint?: boolean;
+    destructiveHint?: boolean;
+}): DeceptionResult | null;
+//# sourceMappingURL=AnnotationDeceptionDetector.d.ts.map

package/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AnnotationDeceptionDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AnnotationDeceptionDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,eAAO,MAAM,+BAA+B,UA0C3C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,UAexC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,UAgB9C,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,cAAc,GAAG,iBAAiB,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAAE,GACjB,MAAM,GAAG,IAAI,CAkBf;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAU5D;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAElE;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,eAAe,CAAC,EAAE,OAAO,CAAA;CAAE,GACjE,eAAe,GAAG,IAAI,CAoCxB"}

package/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.js

@@ -0,0 +1,176 @@
+/**
+ * Annotation Deception Detector
+ * High-confidence deception detection for obvious annotation misalignments
+ *
+ * Extracted from ToolAnnotationAssessor.ts for maintainability.
+ * Handles keyword-based misalignment detection.
+ */
+/**
+ * Keywords that contradict readOnlyHint=true (these tools modify state)
+ */
+export const READONLY_CONTRADICTION_KEYWORDS = [
+    // Execution keywords - tools that execute code/commands are never read-only
+    "exec",
+    "execute",
+    "run",
+    "shell",
+    "command",
+    "cmd",
+    "spawn",
+    "invoke",
+    // Write/modify keywords
+    "write",
+    "create",
+    "delete",
+    "remove",
+    "modify",
+    "update",
+    "edit",
+    "change",
+    "set",
+    "put",
+    "patch",
+    // Deployment/installation keywords
+    "install",
+    "deploy",
+    "upload",
+    "push",
+    // Communication keywords (sending data)
+    "send",
+    "post",
+    "submit",
+    "publish",
+    // Destructive keywords
+    "destroy",
+    "drop",
+    "purge",
+    "wipe",
+    "clear",
+    "truncate",
+    "reset",
+    "kill",
+    "terminate",
+];
+/**
+ * Suffixes that exempt "run" from readOnlyHint contradiction detection.
+ * Tools matching "run" + these suffixes are legitimately read-only (fetch analysis data).
+ * Issue #18: browser-tools-mcp uses runAccessibilityAudit, runSEOAudit, etc.
+ */
+export const RUN_READONLY_EXEMPT_SUFFIXES = [
+    "audit", // runAccessibilityAudit, runPerformanceAudit, runSEOAudit
+    "check", // runHealthCheck, runSecurityCheck
+    "mode", // runAuditMode, runDebuggerMode
+    "test", // runTest, runUnitTest (analysis, not execution)
+    "scan", // runSecurityScan, runVulnerabilityScan
+    "analyze", // runAnalyze, runCodeAnalyze
+    "report", // runReport, runStatusReport
+    "status", // runStatus, runHealthStatus
+    "validate", // runValidate, runSchemaValidate
+    "verify", // runVerify, runIntegrityVerify
+    "inspect", // runInspect, runCodeInspect
+    "lint", // runLint, runEslint
+    "benchmark", // runBenchmark, runPerfBenchmark
+    "diagnostic", // runDiagnostic
+];
+/**
+ * Keywords that contradict destructiveHint=false (these tools delete/destroy data)
+ */
+export const DESTRUCTIVE_CONTRADICTION_KEYWORDS = [
+    "delete",
+    "remove",
+    "drop",
+    "destroy",
+    "purge",
+    "wipe",
+    "erase",
+    "truncate",
+    "clear",
+    "reset",
+    "kill",
+    "terminate",
+    "revoke",
+    "cancel",
+    "force",
+];
+/**
+ * Check if a tool name contains any of the given keywords (case-insensitive)
+ * Uses word segment matching to avoid false positives (e.g., "put" in "output")
+ * Issue #25: Substring matching caused false positives for words like "output", "input", "compute"
+ *
+ * Handles: camelCase (putFile), snake_case (put_file), kebab-case (put-file), PascalCase (PutFile)
+ */
+export function containsKeyword(toolName, keywords) {
+    // Normalize camelCase/PascalCase by inserting separator before uppercase letters
+    // "putFile" → "put_File", "updateUser" → "update_User", "GetOutput" → "Get_Output"
+    const normalized = toolName.replace(/([a-z])([A-Z])/g, "$1_$2").toLowerCase();
+    // Split by common separators (underscore, hyphen)
+    const segments = normalized.split(/[_-]/);
+    for (const keyword of keywords) {
+        for (const segment of segments) {
+            // Match if segment equals keyword or starts with keyword
+            // This handles: "exec" matches "exec" segment, "exec_command" segment starts with "exec"
+            if (segment === keyword || segment.startsWith(keyword)) {
+                return keyword;
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Check if a tool name with "run" keyword is exempt from readOnlyHint contradiction.
+ * Tools like "runAccessibilityAudit" are genuinely read-only (fetch analysis data).
+ * Issue #18: Prevents false positives for analysis/audit tools.
+ */
+export function isRunKeywordExempt(toolName) {
+    const lowerName = toolName.toLowerCase();
+    // Only applies when "run" is detected
+    if (!lowerName.includes("run")) {
+        return false;
+    }
+    // Check if any exempt suffix is present
+    return RUN_READONLY_EXEMPT_SUFFIXES.some((suffix) => lowerName.includes(suffix));
+}
+/**
+ * Type guard for confidence levels that warrant event emission or status changes.
+ * Uses positive check for acceptable levels (safer than !== "low" if new levels added).
+ */
+export function isActionableConfidence(confidence) {
+    return confidence === "high" || confidence === "medium";
+}
+/**
+ * Detect high-confidence annotation deception
+ * Returns misalignment info if obvious deception detected, null otherwise
+ */
+export function detectAnnotationDeception(toolName, annotations) {
+    // Check readOnlyHint=true contradiction
+    if (annotations.readOnlyHint === true) {
+        const keyword = containsKeyword(toolName, READONLY_CONTRADICTION_KEYWORDS);
+        if (keyword) {
+            // Issue #18: Skip deception flagging for "run" + analysis suffix combinations
+            // Tools like "runAccessibilityAudit" are genuinely read-only
+            if (keyword === "run" && isRunKeywordExempt(toolName)) {
+                // Tool matches "run" but has an analysis suffix - not deceptive
+                // Fall through to normal pattern-based inference
+            }
+            else {
+                return {
+                    field: "readOnlyHint",
+                    matchedKeyword: keyword,
+                    reason: `Tool name contains '${keyword}' but claims readOnlyHint=true - this is likely deceptive`,
+                };
+            }
+        }
+    }
+    // Check destructiveHint=false contradiction
+    if (annotations.destructiveHint === false) {
+        const keyword = containsKeyword(toolName, DESTRUCTIVE_CONTRADICTION_KEYWORDS);
+        if (keyword) {
+            return {
+                field: "destructiveHint",
+                matchedKeyword: keyword,
+                reason: `Tool name contains '${keyword}' but claims destructiveHint=false - this is likely deceptive`,
+            };
+        }
+    }
+    return null;
+}

package/lib/services/assessment/modules/annotations/ArchitectureDetector.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Architecture Detector
+ *
+ * Detects server architecture characteristics including:
+ * - Database backends (Neo4j, MongoDB, PostgreSQL, etc.)
+ * - Transport modes (stdio, HTTP, SSE)
+ * - Server type classification (local, hybrid, remote)
+ * - Network access requirements
+ *
+ * Part of Issue #57: Architecture detection and behavior inference modules
+ */
+import type { ArchitectureAnalysis, DatabaseBackend } from "../../../../lib/assessment/extendedTypes.js";
+/**
+ * Tool definition for analysis
+ */
+export interface Tool {
+    name: string;
+    description?: string;
+    inputSchema?: unknown;
+}
+/**
+ * Context provided for architecture detection
+ */
+export interface ArchitectureContext {
+    /** Tools provided by the server */
+    tools: Tool[];
+    /** Transport type if known (from connection) */
+    transportType?: string;
+    /** Source code files (filename -> content) */
+    sourceCodeFiles?: Map<string, string>;
+    /** Manifest JSON content */
+    manifestJson?: {
+        name?: string;
+        description?: string;
+        dependencies?: Record<string, string>;
+        devDependencies?: Record<string, string>;
+    };
+    /** Package.json content if available */
+    packageJson?: {
+        dependencies?: Record<string, string>;
+        devDependencies?: Record<string, string>;
+    };
+    /** Requirements.txt content if available */
+    requirementsTxt?: string;
+}
+/**
+ * Detect architecture characteristics from the provided context.
+ *
+ * @param context - Architecture context with tools, source code, etc.
+ * @returns ArchitectureAnalysis with detected characteristics
+ */
+export declare function detectArchitecture(context: ArchitectureContext): ArchitectureAnalysis;
+/**
+ * Quick check if tools suggest database operations.
+ *
+ * @param tools - Tools to analyze
+ * @returns True if tools suggest database operations
+ */
+export declare function hasDatabaseToolPatterns(tools: Tool[]): boolean;
+/**
+ * Extract database types from package.json dependencies.
+ *
+ * @param dependencies - Package.json dependencies object
+ * @returns Array of detected database types
+ */
+export declare function extractDatabasesFromDependencies(dependencies: Record<string, string>): DatabaseBackend[];
+//# sourceMappingURL=ArchitectureDetector.d.ts.map

package/lib/services/assessment/modules/annotations/ArchitectureDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ArchitectureDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/ArchitectureDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,eAAe,EAGhB,MAAM,gCAAgC,CAAC;AAQxC;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,mCAAmC;IACnC,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,gDAAgD;IAChD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,8CAA8C;IAC9C,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,4BAA4B;IAC5B,YAAY,CAAC,EAAE;QACb,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC1C,CAAC;IACF,wCAAwC;IACxC,WAAW,CAAC,EAAE;QACZ,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC1C,CAAC;IACF,4CAA4C;IAC5C,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,mBAAmB,GAC3B,oBAAoB,CAiEtB;AAwKD;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,OAAO,CAa9D;AAED;;;;;GAKG;AACH,wBAAgB,gCAAgC,CAC9C,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GACnC,eAAe,EAAE,CAYnB"}

package/lib/services/assessment/modules/annotations/ArchitectureDetector.js

@@ -0,0 +1,239 @@
+/**
+ * Architecture Detector
+ *
+ * Detects server architecture characteristics including:
+ * - Database backends (Neo4j, MongoDB, PostgreSQL, etc.)
+ * - Transport modes (stdio, HTTP, SSE)
+ * - Server type classification (local, hybrid, remote)
+ * - Network access requirements
+ *
+ * Part of Issue #57: Architecture detection and behavior inference modules
+ */
+import { detectDatabasesFromContent, detectTransportsFromContent, checkNetworkAccess, detectExternalServices, } from "../../config/architecturePatterns.js";
+/**
+ * Detect architecture characteristics from the provided context.
+ *
+ * @param context - Architecture context with tools, source code, etc.
+ * @returns ArchitectureAnalysis with detected characteristics
+ */
+export function detectArchitecture(context) {
+    const evidence = {
+        databaseIndicators: [],
+        transportIndicators: [],
+        networkIndicators: [],
+    };
+    // Collect all text content for analysis
+    const allContent = collectAnalyzableContent(context);
+    // Detect databases
+    const databaseResults = detectDatabasesFromContent(allContent);
+    const databaseBackends = databaseResults.map((r) => r.backend);
+    const primaryDatabase = databaseBackends[0];
+    evidence.databaseIndicators = databaseResults.map((r) => r.evidence);
+    // Detect transports
+    const detectedTransports = detectTransportsFromContent(allContent);
+    // Include transport from connection if known
+    if (context.transportType) {
+        const normalized = normalizeTransport(context.transportType);
+        if (normalized && !detectedTransports.includes(normalized)) {
+            detectedTransports.push(normalized);
+        }
+        evidence.transportIndicators.push(`Connection transport: ${normalized}`);
+    }
+    // Detect network access requirements
+    const networkCheck = checkNetworkAccess(allContent);
+    if (networkCheck.requiresNetwork) {
+        evidence.networkIndicators = networkCheck.indicators;
+    }
+    // Detect external services
+    const externalServices = detectExternalServices(allContent);
+    // Classify server type
+    const serverType = classifyServerType(detectedTransports, networkCheck.requiresNetwork, networkCheck.localOnly, externalServices);
+    // Calculate confidence
+    const confidence = calculateConfidence(databaseResults, detectedTransports, evidence, context);
+    return {
+        serverType,
+        databaseBackend: primaryDatabase,
+        databaseBackends: databaseBackends.length > 0 ? databaseBackends : [],
+        transportModes: detectedTransports.length > 0 ? detectedTransports : ["stdio"],
+        externalDependencies: externalServices,
+        requiresNetworkAccess: networkCheck.requiresNetwork || externalServices.length > 0,
+        confidence,
+        evidence,
+    };
+}
+/**
+ * Collect all analyzable text content from context.
+ */
+function collectAnalyzableContent(context) {
+    const parts = [];
+    // Tool names and descriptions
+    for (const tool of context.tools) {
+        parts.push(tool.name);
+        if (tool.description) {
+            parts.push(tool.description);
+        }
+        // Include schema as stringified JSON for pattern matching
+        if (tool.inputSchema) {
+            try {
+                parts.push(JSON.stringify(tool.inputSchema));
+            }
+            catch {
+                // Ignore stringify errors
+            }
+        }
+    }
+    // Manifest content
+    if (context.manifestJson) {
+        if (context.manifestJson.name)
+            parts.push(context.manifestJson.name);
+        if (context.manifestJson.description)
+            parts.push(context.manifestJson.description);
+        if (context.manifestJson.dependencies) {
+            parts.push(Object.keys(context.manifestJson.dependencies).join(" "));
+        }
+        if (context.manifestJson.devDependencies) {
+            parts.push(Object.keys(context.manifestJson.devDependencies).join(" "));
+        }
+    }
+    // Package.json dependencies
+    if (context.packageJson) {
+        if (context.packageJson.dependencies) {
+            parts.push(Object.keys(context.packageJson.dependencies).join(" "));
+        }
+        if (context.packageJson.devDependencies) {
+            parts.push(Object.keys(context.packageJson.devDependencies).join(" "));
+        }
+    }
+    // Requirements.txt
+    if (context.requirementsTxt) {
+        parts.push(context.requirementsTxt);
+    }
+    // Source code files (limited to avoid overwhelming)
+    if (context.sourceCodeFiles) {
+        let charCount = 0;
+        const maxChars = 100000; // Limit to ~100KB of source
+        for (const [filename, content] of context.sourceCodeFiles) {
+            parts.push(filename);
+            if (charCount + content.length <= maxChars) {
+                parts.push(content);
+                charCount += content.length;
+            }
+        }
+    }
+    return parts.join("\n");
+}
+/**
+ * Normalize transport type string to TransportMode.
+ */
+function normalizeTransport(transport) {
+    const lower = transport.toLowerCase();
+    if (lower.includes("stdio"))
+        return "stdio";
+    if (lower.includes("sse"))
+        return "sse";
+    if (lower.includes("http"))
+        return "http";
+    return null;
+}
+/**
+ * Classify server architecture type based on detected characteristics.
+ */
+function classifyServerType(transports, requiresNetwork, _localOnly, // Reserved for future local-only detection enhancement
+externalServices) {
+    // Remote: HTTP/SSE transport without stdio, or many external services
+    if ((transports.includes("http") || transports.includes("sse")) &&
+        !transports.includes("stdio")) {
+        return "remote";
+    }
+    // Remote: Many external service dependencies
+    if (externalServices.length >= 3) {
+        return "remote";
+    }
+    // Hybrid: Both local (stdio) and remote capabilities
+    if (transports.includes("stdio") &&
+        (transports.includes("http") || transports.includes("sse"))) {
+        return "hybrid";
+    }
+    // Hybrid: Local transport but requires network
+    if (transports.includes("stdio") && requiresNetwork) {
+        return "hybrid";
+    }
+    // Hybrid: Has some external services
+    if (externalServices.length > 0) {
+        return "hybrid";
+    }
+    // Local: stdio-only with no network requirements
+    return "local";
+}
+/**
+ * Calculate confidence level based on evidence strength.
+ */
+function calculateConfidence(databaseResults, transports, _evidence, // Reserved for future evidence-based scoring
+context) {
+    let score = 0;
+    // Database detection confidence
+    const highConfidenceDbs = databaseResults.filter((r) => r.confidence === "high");
+    if (highConfidenceDbs.length > 0)
+        score += 30;
+    else if (databaseResults.length > 0)
+        score += 15;
+    // Transport detection
+    if (context.transportType)
+        score += 30; // Known from connection
+    else if (transports.length > 0)
+        score += 20; // Detected from patterns
+    // Source code analysis
+    if (context.sourceCodeFiles && context.sourceCodeFiles.size > 0)
+        score += 20;
+    // Package.json/requirements.txt
+    if (context.packageJson || context.requirementsTxt)
+        score += 15;
+    // Tool descriptions
+    const toolsWithDescriptions = context.tools.filter((t) => t.description && t.description.length > 20);
+    if (toolsWithDescriptions.length >= 3)
+        score += 15;
+    else if (toolsWithDescriptions.length > 0)
+        score += 10;
+    // Convert score to confidence level
+    if (score >= 60)
+        return "high";
+    if (score >= 30)
+        return "medium";
+    return "low";
+}
+/**
+ * Quick check if tools suggest database operations.
+ *
+ * @param tools - Tools to analyze
+ * @returns True if tools suggest database operations
+ */
+export function hasDatabaseToolPatterns(tools) {
+    // Pattern matches database operation keywords at word boundaries or with underscores
+    // Uses (?:^|[\s_-]) for start boundary and (?:$|[\s_-]) for end boundary
+    // to handle snake_case naming like "select_records"
+    const dbPatterns = /(?:^|[\s_-])(query|select|insert|update|delete|find|aggregate|create_table|drop_table|migrate|seed|backup)(?:$|[\s_-])/i;
+    for (const tool of tools) {
+        if (dbPatterns.test(tool.name))
+            return true;
+        if (tool.description && dbPatterns.test(tool.description))
+            return true;
+    }
+    return false;
+}
+/**
+ * Extract database types from package.json dependencies.
+ *
+ * @param dependencies - Package.json dependencies object
+ * @returns Array of detected database types
+ */
+export function extractDatabasesFromDependencies(dependencies) {
+    const results = [];
+    const depNames = Object.keys(dependencies).join(" ");
+    const detected = detectDatabasesFromContent(depNames);
+    for (const d of detected) {
+        if (!results.includes(d.backend)) {
+            results.push(d.backend);
+        }
+    }
+    return results;
+}

package/lib/services/assessment/modules/annotations/BehaviorInference.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Behavior Inference
+ * Infers expected tool behavior from name patterns and descriptions
+ *
+ * Extracted from ToolAnnotationAssessor.ts for maintainability.
+ * Handles persistence model detection and behavior classification.
+ *
+ * Enhanced in Issue #57 with multi-signal inference from descriptions and schemas.
+ */
+import type { InferenceConfidence } from "../../../../lib/assessmentTypes.js";
+import type { EnhancedBehaviorInferenceResult } from "../../../../lib/assessment/extendedTypes.js";
+import { type JSONSchema } from "./SchemaAnalyzer.js";
+import { type CompiledPatterns, type ServerPersistenceContext } from "../../config/annotationPatterns.js";
+/**
+ * Result of behavior inference
+ */
+export interface BehaviorInferenceResult {
+    expectedReadOnly: boolean;
+    expectedDestructive: boolean;
+    reason: string;
+    confidence: InferenceConfidence;
+    isAmbiguous: boolean;
+}
+/**
+ * Infer expected behavior from tool name and description
+ * Returns confidence level and ambiguity flag for better handling
+ */
+export declare function inferBehavior(toolName: string, description?: string, compiledPatterns?: CompiledPatterns, persistenceContext?: ServerPersistenceContext): BehaviorInferenceResult;
+/**
+ * Enhanced behavior inference using multiple signals.
+ *
+ * Analyzes tool name patterns, descriptions, and schemas to provide
+ * a more accurate behavior inference with aggregated confidence.
+ *
+ * Part of Issue #57: Architecture detection and behavior inference modules
+ *
+ * @param toolName - Name of the tool
+ * @param description - Tool description (optional)
+ * @param inputSchema - Input parameter schema (optional)
+ * @param outputSchema - Output/return schema (optional)
+ * @param compiledPatterns - Compiled regex patterns for name matching
+ * @param persistenceContext - Server-level persistence context
+ * @returns EnhancedBehaviorInferenceResult with multi-signal analysis
+ */
+export declare function inferBehaviorEnhanced(toolName: string, description?: string, inputSchema?: JSONSchema, outputSchema?: JSONSchema, compiledPatterns?: CompiledPatterns, persistenceContext?: ServerPersistenceContext): EnhancedBehaviorInferenceResult;
+//# sourceMappingURL=BehaviorInference.d.ts.map

package/lib/services/assessment/modules/annotations/BehaviorInference.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"BehaviorInference.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/BehaviorInference.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,KAAK,EAEV,+BAA+B,EAChC,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAGL,KAAK,UAAU,EAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,wBAAwB,EAI9B,MAAM,iCAAiC,CAAC;AAGzC;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,mBAAmB,CAAC;IAChC,WAAW,EAAE,OAAO,CAAC;CACtB;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EACpB,gBAAgB,CAAC,EAAE,gBAAgB,EACnC,kBAAkB,CAAC,EAAE,wBAAwB,GAC5C,uBAAuB,CA8KzB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EACpB,WAAW,CAAC,EAAE,UAAU,EACxB,YAAY,CAAC,EAAE,UAAU,EACzB,gBAAgB,CAAC,EAAE,gBAAgB,EACnC,kBAAkB,CAAC,EAAE,wBAAwB,GAC5C,+BAA+B,CA4DjC"}