@bryan-thompson/inspector-assessment-client 1.26.1 → 1.26.3

package/lib/services/assessment/modules/AuthenticationAssessor.js

@@ -60,6 +60,124 @@ const SECURE_TRANSPORT_PATTERNS = [
     /helmet/i, // Security middleware
     /cors.*origin.*string|cors.*origin.*array/i, // Specific CORS origins
 ];
+// ============================================================================
+// Issue #62: Auth Configuration Patterns
+// Detects environment-dependent auth, fail-open patterns, and dev mode warnings
+// ============================================================================
+// Patterns for env vars that control authentication
+const AUTH_ENV_VAR_PATTERNS = [
+    /process\.env\.([A-Z_]*SECRET[A-Z_]*)/i,
+    /process\.env\.([A-Z_]*AUTH[A-Z_]*)/i,
+    /process\.env\.([A-Z_]*TOKEN[A-Z_]*)/i,
+    /process\.env\.([A-Z_]*API[_-]?KEY[A-Z_]*)/i,
+    /process\.env\.([A-Z_]*PASSWORD[A-Z_]*)/i,
+    /process\.env\.([A-Z_]*CREDENTIAL[A-Z_]*)/i,
+    /os\.environ\.get\(['"](.*(?:SECRET|AUTH|TOKEN|API[_-]?KEY|PASSWORD|CREDENTIAL).*)['"]/i, // Python
+    /os\.getenv\(['"](.*(?:SECRET|AUTH|TOKEN|API[_-]?KEY|PASSWORD|CREDENTIAL).*)['"]/i, // Python
+];
+// Patterns that indicate fail-open behavior (auth bypassed when env var missing)
+// These capture the context around env var usage with fallback operators
+const FAIL_OPEN_PATTERNS = [
+    // JavaScript/TypeScript: process.env.X || 'fallback' or process.env.X ?? 'fallback'
+    {
+        pattern: /process\.env\.[A-Z_]*(SECRET|AUTH|TOKEN|API[_-]?KEY)[A-Z_]*\s*\|\|/gi,
+        name: "OR_FALLBACK",
+    },
+    {
+        pattern: /process\.env\.[A-Z_]*(SECRET|AUTH|TOKEN|API[_-]?KEY)[A-Z_]*\s*\?\?/gi,
+        name: "NULLISH_FALLBACK",
+    },
+    // if (!process.env.X) pattern suggesting bypass
+    {
+        pattern: /if\s*\(\s*!?\s*process\.env\.[A-Z_]*(SECRET|AUTH|TOKEN|API[_-]?KEY)/gi,
+        name: "CONDITIONAL_CHECK",
+    },
+    // Python: os.environ.get('X', 'default') or os.getenv('X', 'default')
+    {
+        pattern: /os\.environ\.get\([^,]+(?:SECRET|AUTH|TOKEN|API[_-]?KEY)[^,]*,\s*['"]/gi,
+        name: "PYTHON_DEFAULT",
+    },
+    {
+        pattern: /os\.getenv\([^,]+(?:SECRET|AUTH|TOKEN|API[_-]?KEY)[^,]*,\s*['"]/gi,
+        name: "PYTHON_GETENV_DEFAULT",
+    },
+];
+// Patterns that indicate dev mode weakening security
+// Warning 2 fix: Added word boundaries and assignment context to reduce false positives
+const DEV_MODE_PATTERNS = [
+    // Development mode bypasses
+    {
+        pattern: /NODE_ENV.*development|development.*NODE_ENV/i,
+        severity: "LOW",
+    },
+    {
+        pattern: /if\s*\(\s*(?:process\.env\.)?NODE_ENV\s*[!=]==?\s*['"]development['"]\s*\)/i,
+        severity: "MEDIUM",
+    },
+    {
+        // Require word boundary and assignment context to avoid matching unrelated identifiers
+        pattern: /\b(isDev|isDevelopment|devMode|debugMode)\s*[=:]/i,
+        severity: "LOW",
+    },
+    // Debug authentication bypasses
+    {
+        pattern: /skip.*auth.*dev|dev.*skip.*auth/i,
+        severity: "HIGH",
+    },
+    {
+        pattern: /disable.*auth.*debug|debug.*disable.*auth/i,
+        severity: "HIGH",
+    },
+    {
+        pattern: /auth.*bypass|bypass.*auth/i,
+        severity: "HIGH",
+    },
+    // "authenticate all requests as dev user" pattern from issue
+    {
+        pattern: /authenticate.*all.*requests|all.*requests.*authenticate/i,
+        severity: "HIGH",
+    },
+    {
+        pattern: /as\s+dev\s+user|dev\s+user.*auth/i,
+        severity: "HIGH",
+    },
+];
+// Patterns that indicate hardcoded secrets (should be env vars)
+const HARDCODED_SECRET_PATTERNS = [
+    {
+        pattern: /['"]sk[-_](?:live|test)_[a-zA-Z0-9]{20,}['"]/i,
+        name: "STRIPE_KEY",
+    }, // Stripe keys
+    {
+        pattern: /['"]pk[-_](?:live|test)_[a-zA-Z0-9]{20,}['"]/i,
+        name: "STRIPE_PUBLISHABLE",
+    },
+    {
+        pattern: /api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/i,
+        name: "API_KEY",
+    },
+    {
+        pattern: /secret[_-]?key\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]/i,
+        name: "SECRET_KEY",
+    },
+    {
+        // Warning 3 fix: Exclude env var interpolation and common placeholder values
+        pattern: /password\s*[:=]\s*['"](?!\$\{|password|changeme|example|test)[a-zA-Z0-9!@#$%^&*]{8,}['"]/i,
+        name: "HARDCODED_PASSWORD",
+    },
+    {
+        pattern: /auth[_-]?token\s*[:=]\s*['"][a-zA-Z0-9._-]{20,}['"]/i,
+        name: "AUTH_TOKEN",
+    },
+];
+// ============================================================================
+// Issue #65: Rate Limiting Constants
+// Prevents performance issues when analyzing large codebases
+// ============================================================================
+/** Maximum number of source files to analyze (prevents performance degradation) */
+const MAX_FILES = 500;
+/** Maximum number of findings per type (prevents overwhelming output) */
+const MAX_FINDINGS = 100;
 export class AuthenticationAssessor extends BaseAssessor {
     /**
      * Run authentication assessment
@@ -126,7 +244,23 @@ export class AuthenticationAssessor extends BaseAssessor {
         if (transportSecurity.hasInsecurePatterns) {
             appropriateness.concerns.push(...transportSecurity.insecurePatterns.map((p) => `Insecure transport pattern: ${p}`));
         }
-        this.log(`Assessment complete: auth=${authMethod}, localDeps=${hasLocalDependencies}, tlsEnforced=${transportSecurity.tlsEnforced}`);
+        // Issue #62: Analyze auth configuration for env-dependent auth and fail-open patterns
+        const authConfigAnalysis = this.analyzeAuthConfiguration(context);
+        // Add auth config findings to concerns
+        if (authConfigAnalysis.hasHighSeverity) {
+            appropriateness.concerns.push(...authConfigAnalysis.findings
+                .filter((f) => f.severity === "HIGH")
+                .map((f) => `Auth config issue: ${f.message}`));
+        }
+        // Update status based on auth config findings
+        let finalStatus = status;
+        if (authConfigAnalysis.hasHighSeverity) {
+            finalStatus = "NEED_MORE_INFO";
+        }
+        // Generate additional recommendations from auth config findings
+        const authConfigRecommendations = authConfigAnalysis.findings.map((f) => f.recommendation ||
+            `Review ${f.type}: ${f.message} (${f.file || "unknown file"})`);
+        this.log(`Assessment complete: auth=${authMethod}, localDeps=${hasLocalDependencies}, tlsEnforced=${transportSecurity.tlsEnforced}, authConfigFindings=${authConfigAnalysis.totalFindings}`);
         return {
             authMethod,
             hasLocalDependencies,
@@ -139,11 +273,13 @@ export class AuthenticationAssessor extends BaseAssessor {
                 apiKeyIndicators,
             },
             transportSecurity,
-            status,
+            authConfigAnalysis,
+            status: finalStatus,
             explanation,
             recommendations: [
                 ...recommendations,
                 ...transportSecurity.recommendations,
+                ...authConfigRecommendations,
             ],
         };
     }
@@ -363,4 +499,225 @@ export class AuthenticationAssessor extends BaseAssessor {
         }
         return recommendations;
     }
+    // ============================================================================
+    // Issue #62: Authentication Configuration Analysis
+    // Detects env-dependent auth, fail-open patterns, and dev mode warnings
+    // ============================================================================
+    /**
+     * Analyze source code for authentication configuration issues (Issue #62)
+     *
+     * Detects:
+     * - Environment-dependent auth (process.env.SECRET, process.env.AUTH_KEY, etc.)
+     * - Fail-open patterns (auth bypassed when env var missing with || or ?? fallback)
+     * - Development mode warnings (dev mode bypasses that weaken security)
+     * - Hardcoded secrets (credentials that should be in env vars)
+     */
+    analyzeAuthConfiguration(context) {
+        const findings = [];
+        const envVarsDetected = [];
+        if (!context.sourceCodeFiles) {
+            return {
+                totalFindings: 0,
+                envDependentAuthCount: 0,
+                failOpenPatternCount: 0,
+                devModeWarningCount: 0,
+                hardcodedSecretCount: 0,
+                findings: [],
+                hasHighSeverity: false,
+                envVarsDetected: [],
+            };
+        }
+        // Issue #65: Apply file limit to prevent performance issues on large codebases
+        let sourceFiles = Array.from(context.sourceCodeFiles);
+        if (sourceFiles.length > MAX_FILES) {
+            this.log(`Rate limiting: Analyzing ${MAX_FILES} of ${sourceFiles.length} files`);
+            sourceFiles = sourceFiles.slice(0, MAX_FILES);
+        }
+        for (const [filePath, content] of sourceFiles) {
+            // Warning 4 fix: Add error handling for malformed files
+            try {
+                this.testCount++;
+                const lines = content.split("\n");
+                // 1. Detect env vars used for auth
+                for (const pattern of AUTH_ENV_VAR_PATTERNS) {
+                    const matches = content.match(pattern);
+                    if (matches) {
+                        // Extract the env var name from capture group or full match
+                        for (const match of matches) {
+                            const envVarMatch = match.match(/(?:process\.env\.|os\.environ\.get\(['"]|os\.getenv\(['"])([A-Z_]+)/i);
+                            if (envVarMatch && !envVarsDetected.includes(envVarMatch[1])) {
+                                envVarsDetected.push(envVarMatch[1]);
+                            }
+                        }
+                    }
+                }
+                // Helper to check if we've hit the findings cap for a type (Issue #65)
+                const countByType = (type) => findings.filter((f) => f.type === type).length;
+                // Helper to get context lines (Issue #66)
+                const getContext = (lineIndex) => {
+                    const before = lineIndex > 0 ? lines[lineIndex - 1]?.trim() : undefined;
+                    const after = lineIndex < lines.length - 1
+                        ? lines[lineIndex + 1]?.trim()
+                        : undefined;
+                    return before || after ? { before, after } : undefined;
+                };
+                // 2. Detect fail-open patterns (auth with fallback values)
+                for (const { pattern, name } of FAIL_OPEN_PATTERNS) {
+                    // Issue #65: Skip if we've hit the cap for this type
+                    if (countByType("FAIL_OPEN_PATTERN") >= MAX_FINDINGS)
+                        break;
+                    // Reset lastIndex for global patterns
+                    pattern.lastIndex = 0;
+                    let match;
+                    while ((match = pattern.exec(content)) !== null) {
+                        // Issue #65: Check cap before adding
+                        if (countByType("FAIL_OPEN_PATTERN") >= MAX_FINDINGS)
+                            break;
+                        // Find line number
+                        const beforeMatch = content.substring(0, match.index);
+                        const lineNumber = beforeMatch.split("\n").length;
+                        const lineContent = lines[lineNumber - 1]?.trim() || match[0];
+                        findings.push({
+                            type: "FAIL_OPEN_PATTERN",
+                            severity: "MEDIUM",
+                            message: `Authentication may be bypassed when environment variable is not set (${name} pattern)`,
+                            evidence: lineContent,
+                            file: filePath,
+                            lineNumber,
+                            recommendation: `Ensure authentication fails securely when credentials are missing. Do not use fallback values for auth secrets.`,
+                            context: getContext(lineNumber - 1), // Issue #66: Add context
+                        });
+                    }
+                }
+                // 3. Detect dev mode patterns that weaken security
+                for (const { pattern, severity } of DEV_MODE_PATTERNS) {
+                    // Issue #65: Skip if we've hit the cap for this type
+                    if (countByType("DEV_MODE_WARNING") >= MAX_FINDINGS)
+                        break;
+                    if (pattern.test(content)) {
+                        // Find first occurrence for line number
+                        const matchResult = content.match(pattern);
+                        if (matchResult) {
+                            const matchIndex = content.indexOf(matchResult[0]);
+                            const beforeMatch = content.substring(0, matchIndex);
+                            const lineNumber = beforeMatch.split("\n").length;
+                            const lineContent = lines[lineNumber - 1]?.trim() || matchResult[0];
+                            findings.push({
+                                type: "DEV_MODE_WARNING",
+                                severity,
+                                message: `Development mode pattern detected that may weaken authentication`,
+                                evidence: lineContent,
+                                file: filePath,
+                                lineNumber,
+                                recommendation: severity === "HIGH"
+                                    ? `Remove auth bypass logic. Authentication should never be disabled based on environment.`
+                                    : `Ensure development mode does not weaken security controls in production.`,
+                                context: getContext(lineNumber - 1), // Issue #66: Add context
+                            });
+                        }
+                    }
+                }
+                // 4. Detect hardcoded secrets
+                for (const { pattern, name } of HARDCODED_SECRET_PATTERNS) {
+                    // Issue #65: Skip if we've hit the cap for this type
+                    if (countByType("HARDCODED_SECRET") >= MAX_FINDINGS)
+                        break;
+                    if (pattern.test(content)) {
+                        const matchResult = content.match(pattern);
+                        if (matchResult) {
+                            const matchIndex = content.indexOf(matchResult[0]);
+                            const beforeMatch = content.substring(0, matchIndex);
+                            const lineNumber = beforeMatch.split("\n").length;
+                            // Redact the actual secret in evidence
+                            const lineContent = lines[lineNumber - 1]
+                                ?.trim()
+                                .replace(/['"][^'"]{8,}['"]/, '"[REDACTED]"') ||
+                                "[secret value]";
+                            findings.push({
+                                type: "HARDCODED_SECRET",
+                                severity: "HIGH",
+                                message: `Hardcoded ${name} detected - should use environment variable`,
+                                evidence: lineContent,
+                                file: filePath,
+                                lineNumber,
+                                recommendation: `Move ${name} to environment variable. Never commit secrets to source control.`,
+                                context: getContext(lineNumber - 1), // Issue #66: Add context
+                            });
+                        }
+                    }
+                }
+                // 5. Detect env-dependent auth patterns (env var usage with auth context)
+                // Only flag if there's auth context around env var usage
+                for (const [index, line] of lines.entries()) {
+                    // Issue #65: Skip if we've hit the cap for this type
+                    if (countByType("ENV_DEPENDENT_AUTH") >= MAX_FINDINGS)
+                        break;
+                    // Check for env var with auth context in surrounding lines
+                    const surroundingContext = lines
+                        .slice(Math.max(0, index - 2), index + 3)
+                        .join("\n");
+                    for (const pattern of AUTH_ENV_VAR_PATTERNS) {
+                        if (pattern.test(line) &&
+                            /\b(auth|secret|key|token|password|credential)\b/i.test(surroundingContext)) {
+                            const matchResult = line.match(pattern);
+                            if (matchResult) {
+                                // Check if we already have a finding for this line (avoid duplicates)
+                                const existingFinding = findings.find((f) => f.file === filePath &&
+                                    f.lineNumber === index + 1 &&
+                                    f.type === "ENV_DEPENDENT_AUTH");
+                                if (!existingFinding) {
+                                    findings.push({
+                                        type: "ENV_DEPENDENT_AUTH",
+                                        severity: "LOW",
+                                        message: `Authentication depends on environment variable that may not be set`,
+                                        evidence: line.trim(),
+                                        file: filePath,
+                                        lineNumber: index + 1,
+                                        recommendation: `Document required environment variables and validate they are set at startup.`,
+                                        context: getContext(index), // Issue #66: Add context
+                                    });
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            catch (error) {
+                // Warning 4 fix: Handle malformed files gracefully
+                this.log(`Error analyzing ${filePath}: ${error}`);
+                continue;
+            }
+        }
+        // Deduplicate findings by file+line+type
+        const uniqueFindings = this.deduplicateFindings(findings);
+        // Count by type
+        const envDependentAuthCount = uniqueFindings.filter((f) => f.type === "ENV_DEPENDENT_AUTH").length;
+        const failOpenPatternCount = uniqueFindings.filter((f) => f.type === "FAIL_OPEN_PATTERN").length;
+        const devModeWarningCount = uniqueFindings.filter((f) => f.type === "DEV_MODE_WARNING").length;
+        const hardcodedSecretCount = uniqueFindings.filter((f) => f.type === "HARDCODED_SECRET").length;
+        const hasHighSeverity = uniqueFindings.some((f) => f.severity === "HIGH");
+        return {
+            totalFindings: uniqueFindings.length,
+            envDependentAuthCount,
+            failOpenPatternCount,
+            devModeWarningCount,
+            hardcodedSecretCount,
+            findings: uniqueFindings,
+            hasHighSeverity,
+            envVarsDetected,
+        };
+    }
+    /**
+     * Deduplicate findings by file, line, and type
+     */
+    deduplicateFindings(findings) {
+        const seen = new Set();
+        return findings.filter((f) => {
+            const key = `${f.file || ""}:${f.lineNumber || 0}:${f.type}`;
+            if (seen.has(key))
+                return false;
+            seen.add(key);
+            return true;
+        });
+    }
 }

package/lib/services/assessment/modules/ProhibitedLibrariesAssessor.d.ts

@@ -27,6 +27,11 @@ export declare class ProhibitedLibrariesAssessor extends BaseAssessor {
     private deduplicateMatches;
     /**
      * Calculate overall status from matches
+     *
+     * Issue #63: Status now considers dependency usage:
+     * - ACTIVE dependencies are actively imported (high risk)
+     * - UNUSED dependencies are listed but not imported (lower risk, recommend removal)
+     * - UNKNOWN usage falls back to previous behavior
      */
     private calculateStatusFromMatches;
     /**
@@ -35,6 +40,8 @@ export declare class ProhibitedLibrariesAssessor extends BaseAssessor {
     private generateExplanation;
     /**
      * Generate recommendations
+     *
+     * Issue #63: Recommendations now distinguish between ACTIVE and UNUSED dependencies
      */
     private generateRecommendations;
 }

package/lib/services/assessment/modules/ProhibitedLibrariesAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ProhibitedLibrariesAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ProhibitedLibrariesAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,6BAA6B,EAG9B,MAAM,uBAAuB,CAAC;AAO/B,qBAAa,2BAA4B,SAAQ,YAAY;IAC3D;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,6BAA6B,CAAC;IA4IzC;;OAEG;IACH,OAAO,CAAC,YAAY;IA0BpB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAqB1B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAuBlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAoD3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CAqDhC"}
+{"version":3,"file":"ProhibitedLibrariesAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ProhibitedLibrariesAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,6BAA6B,EAG9B,MAAM,uBAAuB,CAAC;AAS/B,qBAAa,2BAA4B,SAAQ,YAAY;IAC3D;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,6BAA6B,CAAC;IAiKzC;;OAEG;IACH,OAAO,CAAC,YAAY;IA0BpB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAqB1B;;;;;;;OAOG;IACH,OAAO,CAAC,0BAA0B;IAiClC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAoD3B;;;;OAIG;IACH,OAAO,CAAC,uBAAuB;CA2EhC"}

package/lib/services/assessment/modules/ProhibitedLibrariesAssessor.js

@@ -10,7 +10,7 @@
  * Reference: Anthropic MCP Directory Policy #28-30
  */
 import { BaseAssessor } from "./BaseAssessor.js";
-import { checkPackageJsonDependencies, checkRequirementsTxt, checkSourceImports, } from "../../../lib/prohibitedLibraries.js";
+import { checkPackageJsonDependencies, checkRequirementsTxt, checkSourceImports, checkDependencyUsage, } from "../../../lib/prohibitedLibraries.js";
 export class ProhibitedLibrariesAssessor extends BaseAssessor {
     /**
      * Run prohibited libraries assessment
@@ -30,6 +30,17 @@ export class ProhibitedLibrariesAssessor extends BaseAssessor {
             const packageJson = context.packageJson;
             const depMatches = checkPackageJsonDependencies(packageJson);
             for (const match of depMatches) {
+                // Issue #63: Check if dependency is actually used in source code
+                let usageStatus = "UNKNOWN";
+                let importCount = 0;
+                let importFiles = [];
+                if (context.sourceCodeFiles &&
+                    context.config.enableSourceCodeAnalysis) {
+                    const usage = checkDependencyUsage(match.library.name, context.sourceCodeFiles);
+                    usageStatus = usage.status;
+                    importCount = usage.importCount;
+                    importFiles = usage.files;
+                }
                 matches.push({
                     name: match.library.name,
                     category: match.library.category,
@@ -37,6 +48,9 @@ export class ProhibitedLibrariesAssessor extends BaseAssessor {
                     severity: match.library.severity,
                     reason: match.library.reason,
                     policyReference: match.library.policyReference,
+                    usageStatus,
+                    importCount,
+                    importFiles,
                 });
                 if (match.library.category === "financial" ||
                     match.library.category === "payments" ||
@@ -169,19 +183,30 @@ export class ProhibitedLibrariesAssessor extends BaseAssessor {
     }
     /**
      * Calculate overall status from matches
+     *
+     * Issue #63: Status now considers dependency usage:
+     * - ACTIVE dependencies are actively imported (high risk)
+     * - UNUSED dependencies are listed but not imported (lower risk, recommend removal)
+     * - UNKNOWN usage falls back to previous behavior
      */
     calculateStatusFromMatches(matches) {
-        // Any BLOCKING library = FAIL
-        const blockingMatches = matches.filter((m) => m.severity === "BLOCKING");
-        if (blockingMatches.length > 0) {
+        // Separate matches by usage status
+        const activeMatches = matches.filter((m) => m.usageStatus !== "UNUSED");
+        const unusedMatches = matches.filter((m) => m.usageStatus === "UNUSED");
+        // Only ACTIVE BLOCKING libraries = FAIL (actually imported and dangerous)
+        const blockingActive = activeMatches.filter((m) => m.severity === "BLOCKING");
+        if (blockingActive.length > 0) {
             return "FAIL";
         }
-        // HIGH severity = NEED_MORE_INFO (requires justification)
-        const highMatches = matches.filter((m) => m.severity === "HIGH");
-        if (highMatches.length > 0) {
+        // UNUSED BLOCKING = NEED_MORE_INFO (recommend removal, but not actively dangerous)
+        if (unusedMatches.some((m) => m.severity === "BLOCKING")) {
+            return "NEED_MORE_INFO";
+        }
+        // ACTIVE HIGH severity = NEED_MORE_INFO (requires justification)
+        if (activeMatches.some((m) => m.severity === "HIGH")) {
             return "NEED_MORE_INFO";
         }
-        // MEDIUM severity = PASS with notes
+        // Any remaining matches = NEED_MORE_INFO (review recommended)
         if (matches.length > 0) {
             return "NEED_MORE_INFO";
         }
@@ -220,31 +245,46 @@ export class ProhibitedLibrariesAssessor extends BaseAssessor {
     }
     /**
      * Generate recommendations
+     *
+     * Issue #63: Recommendations now distinguish between ACTIVE and UNUSED dependencies
      */
     generateRecommendations(matches) {
         const recommendations = [];
-        // Group by severity
-        const blocking = matches.filter((m) => m.severity === "BLOCKING");
-        const high = matches.filter((m) => m.severity === "HIGH");
-        const medium = matches.filter((m) => m.severity === "MEDIUM");
-        if (blocking.length > 0) {
-            recommendations.push("BLOCKING - The following libraries must be removed for MCP Directory approval:");
-            for (const match of blocking) {
-                recommendations.push(`- ${match.name} (${match.policyReference}): ${match.reason}`);
+        // Issue #63: Separate active vs unused dependencies
+        const activeMatches = matches.filter((m) => m.usageStatus !== "UNUSED");
+        const unusedMatches = matches.filter((m) => m.usageStatus === "UNUSED");
+        // Group active matches by severity
+        const blockingActive = activeMatches.filter((m) => m.severity === "BLOCKING");
+        const highActive = activeMatches.filter((m) => m.severity === "HIGH");
+        const mediumActive = activeMatches.filter((m) => m.severity === "MEDIUM");
+        if (blockingActive.length > 0) {
+            recommendations.push("BLOCKING (ACTIVE) - The following libraries are imported and must be removed:");
+            for (const match of blockingActive) {
+                const files = match.importFiles && match.importFiles.length > 0
+                    ? ` (imported in: ${match.importFiles.slice(0, 2).join(", ")})`
+                    : "";
+                recommendations.push(`- ${match.name} (${match.policyReference}): ${match.reason}${files}`);
             }
         }
-        if (high.length > 0) {
-            recommendations.push("HIGH - The following libraries require strong justification:");
-            for (const match of high) {
+        if (highActive.length > 0) {
+            recommendations.push("HIGH (ACTIVE) - The following libraries are imported and require strong justification:");
+            for (const match of highActive) {
                 recommendations.push(`- ${match.name} (${match.policyReference}): ${match.reason}`);
             }
         }
-        if (medium.length > 0) {
-            recommendations.push("MEDIUM - Review the following libraries for necessity:");
-            for (const match of medium.slice(0, 3)) {
+        if (mediumActive.length > 0) {
+            recommendations.push("MEDIUM (ACTIVE) - Review the following imported libraries:");
+            for (const match of mediumActive.slice(0, 3)) {
                 recommendations.push(`- ${match.name} (${match.policyReference}): ${match.reason}`);
             }
         }
+        // Issue #63: Add recommendations for unused dependencies
+        if (unusedMatches.length > 0) {
+            recommendations.push("UNUSED - The following libraries are listed but not imported (consider removing):");
+            for (const match of unusedMatches) {
+                recommendations.push(`- npm uninstall ${match.name} (${match.policyReference}): Listed in package.json but not imported`);
+            }
+        }
         if (matches.length === 0) {
             recommendations.push("No prohibited libraries detected. Server is compliant with library restrictions.");
         }

package/lib/services/assessment/modules/SecurityAssessor.d.ts

@@ -59,5 +59,10 @@ export declare class SecurityAssessor extends BaseAssessor {
      * Generate security explanation
      */
     private generateSecurityExplanation;
+    /**
+     * Aggregate auth bypass detection results from security tests (Issue #75)
+     * Summarizes fail-open/fail-closed patterns across all tested tools
+     */
+    private aggregateAuthBypassResults;
 }
 //# sourceMappingURL=SecurityAssessor.d.ts.map

package/lib/services/assessment/modules/SecurityAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAS9D,OAAO,EACL,gBAAgB,EAGjB,MAAM,yBAAyB,CAAC;AAEjC,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,aAAa,CAAwB;IAC7C,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,YAAY,CAAiC;IAErD;;;OAGG;IACH,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI,GAAG,IAAI;IAStD;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAOjC;;;OAGG;YACW,0BAA0B;gBAwBtC,MAAM,EAAE,OAAO,8BAA8B,EAAE,uBAAuB;IA8BlE,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA0JrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;CAiEpC"}
+{"version":3,"file":"SecurityAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/SecurityAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,kBAAkB,EAInB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAS9D,OAAO,EACL,gBAAgB,EAGjB,MAAM,yBAAyB,CAAC;AAEjC,qBAAa,gBAAiB,SAAQ,YAAY;IAChD,OAAO,CAAC,aAAa,CAAwB;IAC7C,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,YAAY,CAAiC;IAErD;;;OAGG;IACH,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI,GAAG,IAAI;IAStD;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAOjC;;;OAGG;YACW,0BAA0B;gBAwBtC,MAAM,EAAE,OAAO,8BAA8B,EAAE,uBAAuB;IA8BlE,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA8JrE;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;OAEG;YACW,+BAA+B;IAiC7C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAkEnC;;;OAGG;IACH,OAAO,CAAC,0BAA0B;CAgDnC"}

package/lib/services/assessment/modules/SecurityAssessor.js

@@ -175,12 +175,15 @@ export class SecurityAssessor extends BaseAssessor {
         const status = this.determineSecurityStatus(validTests, vulnerabilities.length, validTests.length, connectionErrors.length);
         // Generate explanation (pass both validTests and connectionErrors)
         const explanation = this.generateSecurityExplanation(validTests, connectionErrors, vulnerabilities, overallRiskLevel);
+        // Issue #75: Aggregate auth bypass detection results
+        const authBypassSummary = this.aggregateAuthBypassResults(allTests);
         return {
             promptInjectionTests: allTests,
             vulnerabilities,
             overallRiskLevel,
             status,
             explanation,
+            authBypassSummary,
         };
     }
     /**
@@ -308,4 +311,43 @@ export class SecurityAssessor extends BaseAssessor {
                 `Flagged ${lowConfidenceCount} uncertain detection${lowConfidenceCount !== 1 ? "s" : ""} across ${testCount} security tests. Manual verification needed to confirm if these are actual vulnerabilities or false positives.`);
         }
     }
+    /**
+     * Aggregate auth bypass detection results from security tests (Issue #75)
+     * Summarizes fail-open/fail-closed patterns across all tested tools
+     */
+    aggregateAuthBypassResults(tests) {
+        const toolsWithAuthBypass = [];
+        let failOpenCount = 0;
+        let failClosedCount = 0;
+        let unknownCount = 0;
+        // Filter to Auth Bypass tests only
+        const authBypassTests = tests.filter((t) => t.testName === "Auth Bypass" && t.authFailureMode);
+        // Track unique tools with auth bypass detected
+        const seenTools = new Set();
+        for (const test of authBypassTests) {
+            const toolName = test.toolName || "unknown";
+            if (test.authBypassDetected && !seenTools.has(toolName)) {
+                toolsWithAuthBypass.push(toolName);
+                seenTools.add(toolName);
+            }
+            // Count failure modes
+            switch (test.authFailureMode) {
+                case "FAIL_OPEN":
+                    failOpenCount++;
+                    break;
+                case "FAIL_CLOSED":
+                    failClosedCount++;
+                    break;
+                case "UNKNOWN":
+                    unknownCount++;
+                    break;
+            }
+        }
+        return {
+            toolsWithAuthBypass,
+            failOpenCount,
+            failClosedCount,
+            unknownCount,
+        };
+    }
 }