@bryan-thompson/inspector-assessment-client 1.26.4 → 1.26.6

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts

@@ -1,22 +1,24 @@
 /**
- * Security Response Analyzer
+ * Security Response Analyzer (Facade)
  * Analyzes tool responses for evidence-based vulnerability detection
  *
- * Extracted from SecurityAssessor.ts for maintainability.
- * Handles response analysis, reflection detection, and confidence calculation.
+ * REFACTORED in Issue #53 (v2.0.0): Converted to facade pattern
+ * Delegates to focused classes for maintainability (CC 218 → ~50)
+ *
+ * Extracted classes:
+ * - ErrorClassifier: Error classification and connection error detection
+ * - ExecutionArtifactDetector: Execution evidence detection
+ * - MathAnalyzer: Math computation detection (Calculator Injection)
+ * - SafeResponseDetector: Safe response pattern detection
+ * - ConfidenceScorer: Confidence level calculation
  */
 import { CompatibilityCallToolResult, Tool } from "@modelcontextprotocol/sdk/types.js";
 import { SecurityPayload } from "../../../../lib/securityPatterns.js";
 import type { SanitizationDetectionResult } from "./SanitizationDetector.js";
-/**
- * Result of confidence calculation
- */
-export interface ConfidenceResult {
-    confidence: "high" | "medium" | "low";
-    requiresManualReview: boolean;
-    manualReviewReason?: string;
-    reviewGuidance?: string;
-}
+import { MathResultAnalysis } from "./MathAnalyzer.js";
+import { ConfidenceResult } from "./ConfidenceScorer.js";
+export type { ConfidenceResult } from "./ConfidenceScorer.js";
+export type { MathResultAnalysis } from "./MathAnalyzer.js";
 /**
  * Result of response analysis
  */
@@ -24,14 +26,6 @@ export interface AnalysisResult {
     isVulnerable: boolean;
     evidence?: string;
 }
-/**
- * Result of computed math analysis with confidence level (Issue #58)
- */
-export interface MathResultAnalysis {
-    isComputed: boolean;
-    confidence: "high" | "medium" | "low";
-    reason?: string;
-}
 /**
  * Result of auth bypass response analysis (Issue #75)
  * Detects fail-open authentication vulnerabilities (CVE-2025-52882)
@@ -48,8 +42,17 @@ export type ErrorClassification = "connection" | "server" | "protocol";
 /**
  * Analyzes tool responses for security vulnerabilities
  * Distinguishes between safe reflection and actual execution
+ *
+ * This class serves as a facade, delegating to focused analyzers
+ * while maintaining the same public API for backward compatibility.
  */
 export declare class SecurityResponseAnalyzer {
+    private errorClassifier;
+    private executionDetector;
+    private mathAnalyzer;
+    private safeDetector;
+    private confidenceScorer;
+    constructor();
     /**
      * Analyze response with evidence-based detection
      * CRITICAL: Distinguish between safe reflection and actual execution
@@ -59,24 +62,34 @@ export declare class SecurityResponseAnalyzer {
      */
     analyzeResponse(response: CompatibilityCallToolResult, payload: SecurityPayload, tool: Tool): AnalysisResult;
     /**
-     * Check for safe error responses that indicate proper input rejection
-     * Handles: MCP validation errors (-32602), HTTP 4xx/5xx errors
+     * Calculate confidence level and manual review requirements
      */
-    private checkSafeErrorResponses;
+    calculateConfidence(tool: Tool, isVulnerable: boolean, evidence: string, responseText: string, payload: SecurityPayload, sanitizationResult?: SanitizationDetectionResult): ConfidenceResult;
     /**
-     * Check for safe tool behavior patterns
-     * Handles: Tool categories, reflection, computed math, validation rejection
+     * Analyze response for auth bypass patterns (Issue #75)
+     * Detects fail-open authentication vulnerabilities (CVE-2025-52882)
      */
-    private checkSafeToolBehavior;
+    analyzeAuthBypassResponse(response: CompatibilityCallToolResult): AuthBypassResult;
     /**
-     * Check for vulnerability evidence in response
-     * Handles: Evidence pattern matching, fallback injection analysis
+     * Check if response indicates connection/server failure
      */
-    private checkVulnerabilityEvidence;
+    isConnectionError(response: CompatibilityCallToolResult): boolean;
     /**
-     * Check if tool explicitly rejected input with validation error (SAFE)
+     * Check if caught exception indicates connection/server failure
      */
-    isValidationRejection(response: CompatibilityCallToolResult): boolean;
+    isConnectionErrorFromException(error: unknown): boolean;
+    /**
+     * Classify error type for reporting
+     */
+    classifyError(response: CompatibilityCallToolResult): ErrorClassification;
+    /**
+     * Classify error type from caught exception
+     */
+    classifyErrorFromException(error: unknown): ErrorClassification;
+    /**
+     * Extract response content from MCP response
+     */
+    extractResponseContent(response: CompatibilityCallToolResult): string;
     /**
      * Check if response is an MCP validation error (safe rejection)
      */
@@ -98,45 +111,19 @@ export declare class SecurityResponseAnalyzer {
     hasExecutionEvidence(responseText: string): boolean;
     /**
      * Check if a math expression payload was computed (execution evidence)
+     * @deprecated Use analyzeComputedMathResult instead
      */
     isComputedMathResult(payload: string, responseText: string): boolean;
     /**
-     * Check if numeric value appears in structured data context (not as computation result)
-     * Distinguishes {"records": 4} from computed "4" (Issue #58)
-     *
-     * @param result The computed numeric result to check for
-     * @param responseText The response text to analyze
-     * @returns true if the number appears to be coincidental data, not a computed result
+     * Check if numeric value appears in structured data context
      */
     isCoincidentalNumericInStructuredData(result: number, responseText: string): boolean;
     /**
      * Enhanced computed math result analysis with tool context (Issue #58)
-     *
-     * Returns a confidence level indicating how likely this is a real Calculator Injection:
-     * - high: Strong evidence of computation (should flag as vulnerable)
-     * - medium: Ambiguous (excluded from vulnerability count per user decision)
-     * - low: Likely coincidental data (excluded from vulnerability count)
      */
     analyzeComputedMathResult(payload: string, responseText: string, tool?: Tool): MathResultAnalysis;
-    /**
-     * Check if response indicates connection/server failure
-     */
-    isConnectionError(response: CompatibilityCallToolResult): boolean;
-    /**
-     * Check if caught exception indicates connection/server failure
-     */
-    isConnectionErrorFromException(error: unknown): boolean;
-    /**
-     * Classify error type for reporting
-     */
-    classifyError(response: CompatibilityCallToolResult): ErrorClassification;
-    /**
-     * Classify error type from caught exception
-     */
-    classifyErrorFromException(error: unknown): ErrorClassification;
     /**
      * Check if response is just reflection (safe)
-     * Two-layer defense: Match reflection patterns, verify NO execution evidence
      */
     isReflectionResponse(responseText: string): boolean;
     /**
@@ -148,21 +135,9 @@ export declare class SecurityResponseAnalyzer {
      */
     containsEchoedInjectionPayload(responseText: string): boolean;
     /**
-     * Analyze injection response (fallback logic)
-     */
-    analyzeInjectionResponse(response: CompatibilityCallToolResult, _payload: string): AnalysisResult;
-    /**
-     * Calculate confidence level and manual review requirements
-     *
-     * @param tool - The tool being tested
-     * @param isVulnerable - Whether the tool was flagged as vulnerable
-     * @param evidence - Evidence string from vulnerability detection
-     * @param responseText - The response text from the tool
-     * @param payload - The security payload used for testing
-     * @param sanitizationResult - Optional sanitization detection result (Issue #56)
-     * @returns Confidence result with manual review requirements
+     * Check if tool explicitly rejected input with validation error (SAFE)
      */
-    calculateConfidence(tool: Tool, isVulnerable: boolean, evidence: string, responseText: string, payload: SecurityPayload, sanitizationResult?: SanitizationDetectionResult): ConfidenceResult;
+    isValidationRejection(response: CompatibilityCallToolResult): boolean;
     /**
      * Check if tool is a structured data tool
      */
@@ -171,25 +146,28 @@ export declare class SecurityResponseAnalyzer {
      * Check if response is returning search results
      */
     isSearchResultResponse(responseText: string): boolean;
-    /**
-     * Analyze response for auth bypass patterns (Issue #75)
-     * Detects fail-open authentication vulnerabilities (CVE-2025-52882)
-     *
-     * @param response The tool response to analyze
-     * @returns AuthBypassResult with detection status and failure mode classification
-     */
-    analyzeAuthBypassResponse(response: CompatibilityCallToolResult): AuthBypassResult;
     /**
      * Check if response is from a creation/modification operation
      */
     isCreationResponse(responseText: string): boolean;
     /**
-     * Extract response content
+     * Check for safe error responses that indicate proper input rejection
+     * Handles: MCP validation errors (-32602), HTTP 4xx/5xx errors
      */
-    extractResponseContent(response: CompatibilityCallToolResult): string;
+    private checkSafeErrorResponses;
     /**
-     * Extract error info from response
+     * Check for safe tool behavior patterns
+     * Handles: Tool categories, reflection, computed math, validation rejection
+     */
+    private checkSafeToolBehavior;
+    /**
+     * Check for vulnerability evidence in response
+     * Handles: Evidence pattern matching, fallback injection analysis
+     */
+    private checkVulnerabilityEvidence;
+    /**
+     * Analyze injection response (fallback logic)
      */
-    private extractErrorInfo;
+    private analyzeInjectionResponse;
 }
 //# sourceMappingURL=SecurityResponseAnalyzer.d.ts.map

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAE1E;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;GAGG;AACH,qBAAa,wBAAwB;IACnC;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqBjB;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IA2B/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAkF7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IAuClC;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IA2DrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IA6BV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAiBlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAqBrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IA6BnD;;OAEG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAiFpE;;;;;;;OAOG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAwFV;;;;;;;OAOG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAoMrB;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IA4CjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IA8CvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IA0BzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IA2B/D;;;OAGG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IA+KnD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAuCvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAgB7D;;OAEG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,EACrC,QAAQ,EAAE,MAAM,GACf,cAAc;IAyBjB;;;;;;;;;;OAUG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IA4JnB;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAmBxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAiBrD;;;;;;OAMG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAyFnB;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAoBjD;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAWrE;;OAEG;IACH,OAAO,CAAC,gBAAgB;CAwBzB"}
+{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqBjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAsFnB;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IA+E7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IAwClC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAoBjC"}