@bryan-thompson/inspector-assessment-client 1.26.6 → 1.26.7

package/lib/lib/assessment/configTypes.d.ts

@@ -50,6 +50,8 @@ export interface AssessmentConfiguration {
     selectedToolsForTesting?: string[];
     securityPatternsToTest?: number;
     enableDomainTesting?: boolean;
+    /** Enable cross-tool sequence testing for privilege escalation (Issue #92, default true) */
+    enableSequenceTesting?: boolean;
     mcpProtocolVersion?: string;
     enableSourceCodeAnalysis?: boolean;
     patternConfigPath?: string;

package/lib/lib/assessment/configTypes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"configTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configTypes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,aAAa,EACb,QAAQ,EACR,sBAAsB,EACvB,MAAM,kCAAkC,CAAC;AAG1C,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;AACxC,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAElC;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,mBAAmB,EAAE,OAAO,CAAC;QAC7B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,oBAAoB,EAAE,OAAO,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,mBAAmB,CAAC;CAClC;AAED,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,6GAA6G;IAC7G,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IAEzB,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,sBAAsB,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IAI5D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,kDAAkD;IAClD,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,oBAAoB,CAAC,EAAE;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,OAAO,CAAC;QACnB,6EAA6E;QAC7E,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,QAAQ,CAAC,EAAE,OAAO,CAAC;QAEnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,6EAA6E;QAC7E,mBAAmB,CAAC,EAAE,OAAO,CAAC;KAC/B,CAAC;CACH;AAMD,eAAO,MAAM,yBAAyB,EAAE,uBAoCvC,CAAC;AAIF,eAAO,MAAM,oBAAoB,EAAE,uBAqClC,CAAC;AAGF,eAAO,MAAM,qBAAqB,EAAE,uBAoCnC,CAAC;AAIF,eAAO,MAAM,iBAAiB,EAAE,uBAoC/B,CAAC;AAIF,eAAO,MAAM,4BAA4B,EAAE,uBA+C1C,CAAC"}
+{"version":3,"file":"configTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configTypes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,aAAa,EACb,QAAQ,EACR,sBAAsB,EACvB,MAAM,kCAAkC,CAAC;AAG1C,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;AACxC,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAElC;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,mBAAmB,EAAE,OAAO,CAAC;QAC7B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,oBAAoB,EAAE,OAAO,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,mBAAmB,CAAC;CAClC;AAED,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,6GAA6G;IAC7G,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IAEzB,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,sBAAsB,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IAI5D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4FAA4F;IAC5F,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,kDAAkD;IAClD,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,oBAAoB,CAAC,EAAE;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,OAAO,CAAC;QACnB,6EAA6E;QAC7E,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,QAAQ,CAAC,EAAE,OAAO,CAAC;QAEnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,6EAA6E;QAC7E,mBAAmB,CAAC,EAAE,OAAO,CAAC;KAC/B,CAAC;CACH;AAMD,eAAO,MAAM,yBAAyB,EAAE,uBAoCvC,CAAC;AAIF,eAAO,MAAM,oBAAoB,EAAE,uBAqClC,CAAC;AAGF,eAAO,MAAM,qBAAqB,EAAE,uBAoCnC,CAAC;AAIF,eAAO,MAAM,iBAAiB,EAAE,uBAoC/B,CAAC;AAIF,eAAO,MAAM,4BAA4B,EAAE,uBA+C1C,CAAC"}

package/lib/lib/securityPatterns.d.ts

@@ -1,6 +1,6 @@
 /**
  * Backend API Security Patterns
- * Tests MCP server API security with 24 focused patterns
+ * Tests MCP server API security with 26 focused patterns
  *
  * Architecture: Attack-Type with Specific Payloads
  * - Critical Injection (6 patterns): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
@@ -12,6 +12,8 @@
  * - Token Theft (1 pattern): Authentication token leakage
  * - Permission Scope (1 pattern): Privilege escalation and scope bypass
  * - Auth Bypass (1 pattern): Fail-open authentication vulnerabilities (Issue #75)
+ * - Cross-Tool State Bypass (1 pattern): Cross-tool privilege escalation via shared state (Issue #92)
+ * - Chained Exploitation (1 pattern): Multi-tool chain execution attacks (Issue #93)
  *
  * Scope: Backend API Security ONLY
  * - Tests structured data inputs to API endpoints
@@ -43,7 +45,7 @@ export interface AttackPattern {
  * BACKEND API SECURITY PATTERNS
  * ========================================
  *
- * 23 focused patterns for MCP server API security
+ * 26 focused patterns for MCP server API security
  */
 export declare const SECURITY_ATTACK_PATTERNS: AttackPattern[];
 /**

package/lib/lib/securityPatterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EA64CnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}
+{"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EAwjDnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}

package/lib/lib/securityPatterns.js

@@ -1,6 +1,6 @@
 /**
  * Backend API Security Patterns
- * Tests MCP server API security with 24 focused patterns
+ * Tests MCP server API security with 26 focused patterns
  *
  * Architecture: Attack-Type with Specific Payloads
  * - Critical Injection (6 patterns): Command, Calculator, SQL, Path Traversal, XXE, NoSQL
@@ -12,6 +12,8 @@
  * - Token Theft (1 pattern): Authentication token leakage
  * - Permission Scope (1 pattern): Privilege escalation and scope bypass
  * - Auth Bypass (1 pattern): Fail-open authentication vulnerabilities (Issue #75)
+ * - Cross-Tool State Bypass (1 pattern): Cross-tool privilege escalation via shared state (Issue #92)
+ * - Chained Exploitation (1 pattern): Multi-tool chain execution attacks (Issue #93)
  *
  * Scope: Backend API Security ONLY
  * - Tests structured data inputs to API endpoints
@@ -29,7 +31,7 @@
  * BACKEND API SECURITY PATTERNS
  * ========================================
  *
- * 23 focused patterns for MCP server API security
+ * 26 focused patterns for MCP server API security
  */
 export const SECURITY_ATTACK_PATTERNS = [
     // ==========================================
@@ -1315,6 +1317,148 @@ export const SECURITY_ATTACK_PATTERNS = [
             },
         ],
     },
+    // ==========================================
+    // CROSS-TOOL STATE BYPASS TESTS (Issue #92, Challenge #7)
+    // ==========================================
+    // 25. CROSS-TOOL STATE BYPASS
+    {
+        attackName: "Cross-Tool State Bypass",
+        description: "Tests for privilege escalation via shared mutable state between tools (Challenge #7)",
+        payloads: [
+            // Admin action payloads - tests tools that check shared state
+            {
+                payload: "read secrets",
+                evidence: /(admin_mode.*true.*cross-tool|enabled\s+by.*another\s+tool|"evidence".*privilege.*escalation)/i,
+                riskLevel: "HIGH",
+                description: "Admin action checking shared state for authorization",
+                payloadType: "state_bypass",
+                parameterTypes: ["action", "command", "request", "operation"],
+            },
+            {
+                payload: "delete user admin",
+                evidence: /(admin_mode.*true.*privilege|destructive.*enabled.*cross-tool|"evidence".*state.*dependency)/i,
+                riskLevel: "HIGH",
+                description: "Destructive action via cross-tool state dependency",
+                payloadType: "state_bypass",
+                parameterTypes: ["action", "command", "request"],
+            },
+            {
+                payload: "modify config security=disabled",
+                evidence: /(admin_mode.*enabled.*config|config\s+modification.*admin|privilege.*escalation.*config)/i,
+                riskLevel: "HIGH",
+                description: "Config modification via cross-tool privilege escalation",
+                payloadType: "state_bypass",
+                parameterTypes: ["action", "setting", "config"],
+            },
+            // State modifier payloads - tests tools that modify shared state
+            {
+                payload: "admin_mode=true",
+                evidence: /(admin\s+mode\s+activated|elevated\s+privileges?\s+granted|admin_mode.*enabled)/i,
+                riskLevel: "HIGH",
+                description: "Tool modifies shared state affecting other tools' authorization",
+                payloadType: "state_modifier",
+                parameterTypes: ["setting", "config", "option"],
+            },
+            {
+                payload: "set admin_mode=true",
+                evidence: /(admin\s+mode\s+activated|elevated\s+privileges?\s+granted|configuration.*updated.*admin)/i,
+                riskLevel: "HIGH",
+                description: "Explicit shared state modification request",
+                payloadType: "state_modifier",
+                parameterTypes: ["setting", "config", "option", "input"],
+            },
+            {
+                payload: "enable elevated privileges",
+                evidence: /(elevated.*granted|privilege.*enabled|admin.*activated)/i,
+                riskLevel: "HIGH",
+                description: "Privilege elevation via shared state",
+                payloadType: "state_modifier",
+                parameterTypes: ["setting", "config", "option", "command"],
+            },
+        ],
+    },
+    // ==========================================
+    // CHAINED EXPLOITATION TESTS (Issue #93, Challenge #6)
+    // ==========================================
+    // 26. CHAINED EXPLOITATION
+    {
+        attackName: "Chained Exploitation",
+        description: "Tests for multi-tool chain execution allowing arbitrary tool invocation, output injection, and recursive attacks",
+        payloads: [
+            // Single-step chain execution without allowlist
+            {
+                payload: '[{"tool": "vulnerable_calculator", "args": {"query": "2+2"}}]',
+                evidence: /(chain_results|steps_executed|vulnerabilities_triggered|chain.*executed)/i,
+                riskLevel: "HIGH",
+                description: "Single-step chain execution without tool allowlist validation",
+                payloadType: "chain_execution",
+                parameterTypes: ["chain", "steps", "sequence", "pipeline"],
+            },
+            // Output injection via {{output}} template
+            {
+                payload: '[{"tool": "calc", "args": {"q": "2+2"}}, {"tool": "exec", "args": {"cmd": "{{output}}"}}]',
+                evidence: /(output_injection|{{output}}.*substituted|\{\{output\}\}.*replaced|output.*injection.*step)/i,
+                riskLevel: "HIGH",
+                description: "Output injection - raw output flows between chain steps",
+                payloadType: "chain_output_injection",
+                parameterTypes: ["chain", "steps", "sequence"],
+            },
+            // Recursive chain (DoS via self-reference)
+            {
+                payload: '[{"tool": "vulnerable_chain_executor", "args": {"chain": "[]"}}]',
+                evidence: /(recursive_chain|chain_executor.*within.*chain|circular.*chain|self.*referential)/i,
+                riskLevel: "HIGH",
+                description: "Recursive chain execution - DoS via self-referential chains",
+                payloadType: "chain_recursion",
+                parameterTypes: ["chain", "steps", "sequence"],
+            },
+            // Arbitrary tool name acceptance
+            {
+                payload: '[{"tool": "MALICIOUS_TOOL_12345", "args": {}}]',
+                evidence: /(arbitrary.*tool|unknown.*tool.*executed|attempted.*execute.*unknown|accepted.*arbitrary)/i,
+                riskLevel: "HIGH",
+                description: "Chain accepts arbitrary tool names without allowlist",
+                payloadType: "chain_arbitrary_tool",
+                parameterTypes: ["chain", "steps", "sequence"],
+            },
+            // State poisoning via multi-step chain
+            {
+                payload: '[{"tool": "config_modifier", "args": {"setting": "admin=true"}}, {"tool": "admin_action", "args": {"action": "read secrets"}}]',
+                evidence: /(state.*poison|admin_mode.*true.*chain|privilege.*escalation.*chain|config.*modified.*chain)/i,
+                riskLevel: "HIGH",
+                description: "State poisoning - earlier step modifies state affecting later steps",
+                payloadType: "chain_state_poisoning",
+                parameterTypes: ["chain", "steps", "sequence"],
+            },
+            // Depth limit bypass
+            {
+                payload: '[{"tool":"a"},{"tool":"b"},{"tool":"c"},{"tool":"d"},{"tool":"e"},{"tool":"f"},{"tool":"g"},{"tool":"h"},{"tool":"i"},{"tool":"j"},{"tool":"k"},{"tool":"l"}]',
+                evidence: /(steps_executed.*1[0-9]|executed.*beyond.*limit|depth.*limit.*bypassed|no.*depth.*limit)/i,
+                riskLevel: "MEDIUM",
+                description: "Missing or bypassable chain depth limits",
+                payloadType: "chain_depth_bypass",
+                parameterTypes: ["chain", "steps", "sequence"],
+            },
+            // Tool shadowing via chain
+            {
+                payload: '[{"tool": "shadowed_tool_name", "args": {}}]',
+                evidence: /(shadowed.*tool|tool.*poison|shadowed_definition|executed.*shadowed)/i,
+                riskLevel: "HIGH",
+                description: "Chain executes shadowed/poisoned tool definitions",
+                payloadType: "chain_shadowing",
+                parameterTypes: ["chain", "steps", "sequence"],
+            },
+            // Large chain input (unbounded input)
+            {
+                payload: '[{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}},{"tool":"t","args":{}}]',
+                evidence: /(steps_executed.*[1-2][0-9]|no.*size.*limit|unbounded.*input|executed.*all.*steps)/i,
+                riskLevel: "MEDIUM",
+                description: "No input size validation on chain definitions",
+                payloadType: "chain_unbounded",
+                parameterTypes: ["chain", "steps", "sequence"],
+            },
+        ],
+    },
 ];
 /**
  * Get all payloads for an attack type

package/lib/services/assessment/modules/AUPComplianceAssessor.js

@@ -35,7 +35,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
      * If Claude semantic analysis is enabled, violations are verified to reduce false positives.
      */
     async assess(context) {
-        this.log("Starting AUP compliance assessment");
+        this.logger.info("Starting AUP compliance assessment");
         this.testCount = 0;
         const violations = [];
         const highRiskDomains = [];
@@ -51,7 +51,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
             toolDescriptionMap.set(tool.name, tool.description || "");
         }
         // Scan tool names
-        this.log("Scanning tool names...");
+        this.logger.info("Scanning tool names...");
         scannedLocations.toolNames = true;
         for (const tool of context.tools) {
             this.testCount++;
@@ -66,7 +66,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
             }
         }
         // Scan tool descriptions
-        this.log("Scanning tool descriptions...");
+        this.logger.info("Scanning tool descriptions...");
         scannedLocations.toolDescriptions = true;
         for (const tool of context.tools) {
             if (tool.description) {
@@ -83,7 +83,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
         }
         // Scan README content
         if (context.readmeContent) {
-            this.log("Scanning README content...");
+            this.logger.info("Scanning README content...");
             scannedLocations.readme = true;
             this.testCount++;
             const readmeViolations = this.scanReadme(context.readmeContent);
@@ -97,7 +97,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
         }
         // Scan source code if available
         if (context.sourceCodeFiles && context.config.enableSourceCodeAnalysis) {
-            this.log("Scanning source code files...");
+            this.logger.info("Scanning source code files...");
             scannedLocations.sourceCode = true;
             for (const [filePath, content] of context.sourceCodeFiles) {
                 // Skip non-relevant files
@@ -110,14 +110,14 @@ export class AUPComplianceAssessor extends BaseAssessor {
         }
         // If Claude semantic analysis is enabled, verify violations to reduce false positives
         if (this.isSemanticAnalysisEnabled() && violations.length > 0) {
-            this.log(`Running semantic analysis on ${violations.length} potential violations...`);
+            this.logger.info(`Running semantic analysis on ${violations.length} potential violations...`);
             return await this.runSemanticAnalysis(violations, highRiskDomains, scannedLocations, toolDescriptionMap);
         }
         // Standard assessment without semantic analysis
         const status = this.determineAUPStatus(violations);
         const explanation = this.generateExplanation(violations, highRiskDomains, scannedLocations);
         const recommendations = this.generateRecommendations(violations, highRiskDomains);
-        this.log(`Assessment complete: ${violations.length} violations found, ${highRiskDomains.length} high-risk domains`);
+        this.logger.info(`Assessment complete: ${violations.length} violations found, ${highRiskDomains.length} high-risk domains`);
         return {
             violations,
             highRiskDomains,
@@ -185,7 +185,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
                 // Low confidence - likely false positive
                 else {
                     falsePositivesFiltered++;
-                    this.log(`Filtered likely false positive: "${violation.matchedText}" - ${analysis.reasoning}`);
+                    this.logger.info(`Filtered likely false positive: "${violation.matchedText}" - ${analysis.reasoning}`);
                 }
             }
             catch (error) {
@@ -205,7 +205,7 @@ export class AUPComplianceAssessor extends BaseAssessor {
         const status = this.determineAUPStatus(confirmedViolations);
         const explanation = this.generateSemanticExplanation(confirmedViolations, flaggedForReview, falsePositivesFiltered, highRiskDomains, scannedLocations);
         const recommendations = this.generateSemanticRecommendations(confirmedViolations, flaggedForReview, highRiskDomains);
-        this.log(`Semantic analysis complete: ${confirmedViolations.length} confirmed, ${flaggedForReview.length} flagged, ${falsePositivesFiltered} filtered`);
+        this.logger.info(`Semantic analysis complete: ${confirmedViolations.length} confirmed, ${flaggedForReview.length} flagged, ${falsePositivesFiltered} filtered`);
         return {
             violations: [...confirmedViolations, ...flaggedForReview],
             confirmedViolations,

package/lib/services/assessment/modules/AuthenticationAssessor.js

@@ -246,7 +246,7 @@ export class AuthenticationAssessor extends BaseAssessor {
      * Run authentication assessment
      */
     async assess(context) {
-        this.log("Starting authentication assessment");
+        this.logger.info("Starting authentication assessment");
         this.testCount = 0;
         const oauthIndicators = [];
         const localResourceIndicators = [];
@@ -323,7 +323,7 @@ export class AuthenticationAssessor extends BaseAssessor {
         // Generate additional recommendations from auth config findings
         const authConfigRecommendations = authConfigAnalysis.findings.map((f) => f.recommendation ||
             `Review ${f.type}: ${f.message} (${f.file || "unknown file"})`);
-        this.log(`Assessment complete: auth=${authMethod}, localDeps=${hasLocalDependencies}, tlsEnforced=${transportSecurity.tlsEnforced}, authConfigFindings=${authConfigAnalysis.totalFindings}`);
+        this.logger.info(`Assessment complete: auth=${authMethod}, localDeps=${hasLocalDependencies}, tlsEnforced=${transportSecurity.tlsEnforced}, authConfigFindings=${authConfigAnalysis.totalFindings}`);
         return {
             authMethod,
             hasLocalDependencies,
@@ -594,7 +594,7 @@ export class AuthenticationAssessor extends BaseAssessor {
         // Issue #65: Apply file limit to prevent performance issues on large codebases
         let sourceFiles = Array.from(context.sourceCodeFiles);
         if (sourceFiles.length > MAX_FILES) {
-            this.log(`Rate limiting: Analyzing ${MAX_FILES} of ${sourceFiles.length} files`);
+            this.logger.info(`Rate limiting: Analyzing ${MAX_FILES} of ${sourceFiles.length} files`);
             sourceFiles = sourceFiles.slice(0, MAX_FILES);
         }
         for (const [filePath, content] of sourceFiles) {
@@ -776,7 +776,7 @@ export class AuthenticationAssessor extends BaseAssessor {
             }
             catch (error) {
                 // Warning 4 fix: Handle malformed files gracefully
-                this.log(`Error analyzing ${filePath}: ${error}`);
+                this.logger.info(`Error analyzing ${filePath}: ${error}`);
                 continue;
             }
         }

package/lib/services/assessment/modules/BaseAssessor.d.ts

@@ -10,7 +10,6 @@ export declare abstract class BaseAssessor<T = unknown> {
     protected config: AssessmentConfiguration;
     protected logger: Logger;
     protected testCount: number;
-    private deprecationWarningsEmitted;
     constructor(config: AssessmentConfiguration);
     /**
      * Abstract method that each assessor must implement
@@ -20,19 +19,6 @@ export declare abstract class BaseAssessor<T = unknown> {
      * Common method to determine status based on pass rate
      */
     protected determineStatus(passed: number, total: number, threshold?: number): AssessmentStatus;
-    /**
-     * Log assessment progress
-     * @deprecated Use this.logger.info() directly for structured logging with context. Will be removed in v2.0.0.
-     */
-    protected log(message: string): void;
-    /**
-     * Log error with optional context
-     * @deprecated Use this.logger.error() directly for structured logging with context. Will be removed in v2.0.0.
-     *
-     * @param message - Description of what operation failed
-     * @param error - The error that occurred (optional)
-     */
-    protected logError(message: string, error?: unknown): void;
     /**
      * Handle an error with logging and structured result
      *

package/lib/services/assessment/modules/BaseAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"BaseAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/BaseAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAEjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAwC,MAAM,eAAe,CAAC;AAC7E,OAAO,EAGL,WAAW,EAEZ,MAAM,eAAe,CAAC;AAGvB,8BAAsB,YAAY,CAAC,CAAC,GAAG,OAAO;IAC5C,SAAS,CAAC,MAAM,EAAE,uBAAuB,CAAC;IAC1C,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,SAAS,EAAE,MAAM,CAAK;IAGhC,OAAO,CAAC,0BAA0B,CAGhC;gBAEU,MAAM,EAAE,uBAAuB;IAS3C;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,CAAC,CAAC;IAEvD;;OAEG;IACH,SAAS,CAAC,eAAe,CACvB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,SAAS,GAAE,MAAY,GACtB,gBAAgB;IAUnB;;;OAGG;IACH,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAWpC;;;;;;OAMG;IACH,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,GAAG,IAAI;IAW1D;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,SAAS,CAAC,WAAW,CAAC,CAAC,SAAS,WAAW,EACzC,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,MAAM,EACf,QAAQ,GAAE,OAAO,CAAC,CAAC,CAAM,GACxB,CAAC;IAsBJ;;OAEG;IACH,YAAY,IAAI,MAAM;IAItB;;OAEG;IACH,cAAc,IAAI,IAAI;IAItB;;OAEG;IACH,SAAS,CAAC,gBAAgB,CACxB,OAAO,EAAE,MAAM,uBAAuB,CAAC,sBAAsB,CAAC,GAC7D,OAAO;IAIV;;OAEG;cACa,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD;;;;;;;;;;OAUG;cACa,kBAAkB,CAAC,CAAC,EAClC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,SAAS,GAAE,MAAgC,GAC1C,OAAO,CAAC,CAAC,CAAC;IAOb;;OAEG;IACH,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAS9C;;OAEG;IACH,SAAS,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM;IAgBrD;;;;;;OAMG;IACH,SAAS,CAAC,eAAe,CACvB,QAAQ,EAAE,OAAO,EACjB,UAAU,GAAE,OAAe,GAC1B,OAAO;IA+CV;;OAEG;IACH,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,OAAO,GAAG;QAC7C,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QACvB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB;CA2BF"}
+{"version":3,"file":"BaseAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/BaseAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAEjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAwC,MAAM,eAAe,CAAC;AAC7E,OAAO,EAGL,WAAW,EAEZ,MAAM,eAAe,CAAC;AAGvB,8BAAsB,YAAY,CAAC,CAAC,GAAG,OAAO;IAC5C,SAAS,CAAC,MAAM,EAAE,uBAAuB,CAAC;IAC1C,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,SAAS,EAAE,MAAM,CAAK;gBAEpB,MAAM,EAAE,uBAAuB;IAS3C;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,CAAC,CAAC;IAEvD;;OAEG;IACH,SAAS,CAAC,eAAe,CACvB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,SAAS,GAAE,MAAY,GACtB,gBAAgB;IAUnB;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,SAAS,CAAC,WAAW,CAAC,CAAC,SAAS,WAAW,EACzC,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,MAAM,EACf,QAAQ,GAAE,OAAO,CAAC,CAAC,CAAM,GACxB,CAAC;IAsBJ;;OAEG;IACH,YAAY,IAAI,MAAM;IAItB;;OAEG;IACH,cAAc,IAAI,IAAI;IAItB;;OAEG;IACH,SAAS,CAAC,gBAAgB,CACxB,OAAO,EAAE,MAAM,uBAAuB,CAAC,sBAAsB,CAAC,GAC7D,OAAO;IAIV;;OAEG;cACa,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD;;;;;;;;;;OAUG;cACa,kBAAkB,CAAC,CAAC,EAClC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,SAAS,GAAE,MAAgC,GAC1C,OAAO,CAAC,CAAC,CAAC;IAOb;;OAEG;IACH,SAAS,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAS9C;;OAEG;IACH,SAAS,CAAC,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM;IAgBrD;;;;;;OAMG;IACH,SAAS,CAAC,eAAe,CACvB,QAAQ,EAAE,OAAO,EACjB,UAAU,GAAE,OAAe,GAC1B,OAAO;IA+CV;;OAEG;IACH,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,OAAO,GAAG;QAC7C,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QACvB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB;CA2BF"}

package/lib/services/assessment/modules/BaseAssessor.js

@@ -9,11 +9,6 @@ export class BaseAssessor {
     config;
     logger;
     testCount = 0;
-    // Track deprecation warnings to emit only once per instance
-    deprecationWarningsEmitted = {
-        log: false,
-        logError: false,
-    };
     constructor(config) {
         this.config = config;
         // Create logger from config, using class name as prefix
@@ -32,33 +27,6 @@ export class BaseAssessor {
             return "NEED_MORE_INFO";
         return "FAIL";
     }
-    /**
-     * Log assessment progress
-     * @deprecated Use this.logger.info() directly for structured logging with context. Will be removed in v2.0.0.
-     */
-    log(message) {
-        if (!this.deprecationWarningsEmitted.log) {
-            this.logger.warn("BaseAssessor.log() is deprecated. Use this.logger.info() instead. " +
-                "This method will be removed in v2.0.0.");
-            this.deprecationWarningsEmitted.log = true;
-        }
-        this.logger.info(message);
-    }
-    /**
-     * Log error with optional context
-     * @deprecated Use this.logger.error() directly for structured logging with context. Will be removed in v2.0.0.
-     *
-     * @param message - Description of what operation failed
-     * @param error - The error that occurred (optional)
-     */
-    logError(message, error) {
-        if (!this.deprecationWarningsEmitted.logError) {
-            this.logger.warn("BaseAssessor.logError() is deprecated. Use this.logger.error() instead. " +
-                "This method will be removed in v2.0.0.");
-            this.deprecationWarningsEmitted.logError = true;
-        }
-        this.logger.error(message, error ? { error: String(error) } : undefined);
-    }
     /**
      * Handle an error with logging and structured result
      *
@@ -147,7 +115,7 @@ export class BaseAssessor {
             return JSON.parse(text);
         }
         catch (error) {
-            this.logError(`Failed to parse JSON: ${text}`, error);
+            this.logger.error(`Failed to parse JSON: ${text}`, { error });
             return null;
         }
     }

package/lib/services/assessment/modules/CrossCapabilitySecurityAssessor.js

@@ -65,7 +65,7 @@ export class CrossCapabilitySecurityAssessor extends BaseAssessor {
         const tools = context.tools || [];
         const resources = context.resources || [];
         const prompts = context.prompts || [];
-        this.log(`Testing cross-capability security: ${tools.length} tools, ${resources.length} resources, ${prompts.length} prompts`);
+        this.logger.info(`Testing cross-capability security: ${tools.length} tools, ${resources.length} resources, ${prompts.length} prompts`);
         // Test 1: Tool->Resource access patterns
         const toolResourceResults = this.testToolResourceAccess(tools, resources);
         results.push(...toolResourceResults);

package/lib/services/assessment/modules/DeveloperExperienceAssessor.js

@@ -15,7 +15,7 @@
 import { BaseAssessor } from "./BaseAssessor.js";
 export class DeveloperExperienceAssessor extends BaseAssessor {
     async assess(context) {
-        this.log("Starting developer experience assessment");
+        this.logger.info("Starting developer experience assessment");
         const readmeContent = context.readmeContent || "";
         // Assess documentation
         const documentationMetrics = this.analyzeDocumentation(readmeContent, context.tools, "verbose");

package/lib/services/assessment/modules/DocumentationAssessor.js

@@ -16,7 +16,7 @@ export class DocumentationAssessor extends BaseAssessor {
         });
     }
     async assess(context) {
-        this.log("Starting documentation assessment");
+        this.logger.info("Starting documentation assessment");
         const readmeContent = context.readmeContent || "";
         const validVerbosityLevels = ["minimal", "standard", "verbose"];
         const configVerbosity = this.config.documentationVerbosity;
@@ -27,7 +27,7 @@ export class DocumentationAssessor extends BaseAssessor {
                 verbosity = configVerbosity;
             }
             else {
-                this.log(`Warning: Invalid documentationVerbosity "${configVerbosity}". ` +
+                this.logger.info(`Warning: Invalid documentationVerbosity "${configVerbosity}". ` +
                     `Valid options: ${validVerbosityLevels.join(", ")}. Using "verbose".`);
             }
         }

package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ErrorHandlingAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ErrorHandlingAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAG9D,qBAAa,qBAAsB,SAAQ,YAAY;IAC/C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAiE1E,OAAO,CAAC,qBAAqB;YAqDf,qBAAqB;YAuBrB,qBAAqB;YAmGrB,cAAc;YAmFd,iBAAiB;YA8DjB,kBAAkB;IA6DhC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,0BAA0B;IAgClC,OAAO,CAAC,uBAAuB;IA4B/B,OAAO,CAAC,gBAAgB;IAoGxB,OAAO,CAAC,4BAA4B;IAapC,OAAO,CAAC,mBAAmB;IAuE3B,OAAO,CAAC,uBAAuB;CA4ChC"}
+{"version":3,"file":"ErrorHandlingAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ErrorHandlingAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAG9D,qBAAa,qBAAsB,SAAQ,YAAY;IAC/C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAiE1E,OAAO,CAAC,qBAAqB;YAuDf,qBAAqB;YAuBrB,qBAAqB;YAmGrB,cAAc;YAmFd,iBAAiB;YA8DjB,kBAAkB;IA6DhC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,0BAA0B;IAgClC,OAAO,CAAC,uBAAuB;IA4B/B,OAAO,CAAC,gBAAgB;IAoGxB,OAAO,CAAC,4BAA4B;IAapC,OAAO,CAAC,mBAAmB;IAuE3B,OAAO,CAAC,uBAAuB;CA4ChC"}

package/lib/services/assessment/modules/ErrorHandlingAssessor.js

@@ -6,7 +6,7 @@ import { BaseAssessor } from "./BaseAssessor.js";
 import { createConcurrencyLimit } from "../lib/concurrencyLimit.js";
 export class ErrorHandlingAssessor extends BaseAssessor {
     async assess(context) {
-        this.log("Starting error handling assessment");
+        this.logger.info("Starting error handling assessment");
         const testDetails = [];
         let passedTests = 0;
         // Test a sample of tools for error handling
@@ -14,7 +14,7 @@ export class ErrorHandlingAssessor extends BaseAssessor {
         // Parallel tool testing with concurrency limit
         const concurrency = this.config.maxParallelTests ?? 5;
         const limit = createConcurrencyLimit(concurrency, this.logger);
-        this.log(`Testing ${toolsToTest.length} tools for error handling with concurrency limit of ${concurrency}`);
+        this.logger.info(`Testing ${toolsToTest.length} tools for error handling with concurrency limit of ${concurrency}`);
         const allToolTests = await Promise.all(toolsToTest.map((tool) => limit(async () => {
             const toolTests = await this.testToolErrorHandling(tool, context.callTool);
             // Add delay between tests to avoid rate limiting
@@ -50,34 +50,34 @@ export class ErrorHandlingAssessor extends BaseAssessor {
         if (this.config.selectedToolsForTesting !== undefined) {
             // Warn if deprecated maxToolsToTestForErrors is also set
             if (this.config.maxToolsToTestForErrors !== undefined) {
-                this.log(`Warning: Both selectedToolsForTesting and maxToolsToTestForErrors are set. ` +
+                this.logger.info(`Warning: Both selectedToolsForTesting and maxToolsToTestForErrors are set. ` +
                     `Using selectedToolsForTesting (maxToolsToTestForErrors is deprecated).`);
             }
             const selectedNames = new Set(this.config.selectedToolsForTesting);
             const selectedTools = tools.filter((tool) => selectedNames.has(tool.name));
             // Empty array means user explicitly selected 0 tools
             if (this.config.selectedToolsForTesting.length === 0) {
-                this.log(`User selected 0 tools for error handling - skipping tests`);
+                this.logger.info(`User selected 0 tools for error handling - skipping tests`);
                 return [];
             }
             // If no tools matched the names (config out of sync), log warning but respect selection
             if (selectedTools.length === 0) {
-                this.log(`Warning: No tools matched selection (${this.config.selectedToolsForTesting.join(", ")})`);
+                this.logger.info(`Warning: No tools matched selection (${this.config.selectedToolsForTesting.join(", ")})`);
                 return [];
             }
-            this.log(`Testing ${selectedTools.length} selected tools out of ${tools.length} for error handling`);
+            this.logger.info(`Testing ${selectedTools.length} selected tools out of ${tools.length} for error handling`);
             return selectedTools;
         }
         // Backward compatibility: use old maxToolsToTestForErrors configuration
         const configLimit = this.config.maxToolsToTestForErrors;
         // If -1, test all tools
         if (configLimit === -1) {
-            this.log(`Testing all ${tools.length} tools for error handling`);
+            this.logger.info(`Testing all ${tools.length} tools for error handling`);
             return tools;
         }
         // Otherwise use the configured limit (default to 5 if not set)
         const maxTools = Math.min(configLimit ?? 5, tools.length);
-        this.log(`Testing ${maxTools} out of ${tools.length} tools for error handling`);
+        this.logger.info(`Testing ${maxTools} out of ${tools.length} tools for error handling`);
         return tools.slice(0, maxTools);
     }
     async testToolErrorHandling(tool, callTool) {

package/lib/services/assessment/modules/ExternalAPIScannerAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ExternalAPIScannerAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ExternalAPIScannerAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,KAAK,EAEV,4BAA4B,EAE7B,MAAM,uBAAuB,CAAC;AAmE/B,qBAAa,0BAA2B,SAAQ,YAAY;IACpD,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IA6DxC;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,eAAe;IA0BvB;;OAEG;IACH,OAAO,CAAC,aAAa;IAIrB;;OAEG;IACH,OAAO,CAAC,QAAQ;IAIhB;;OAEG;IACH,OAAO,CAAC,eAAe;IASvB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAsBxB;;OAEG;IACH,OAAO,CAAC,aAAa;IAcrB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAyB3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA2B/B;;OAEG;IACH,OAAO,CAAC,oBAAoB;CAa7B"}
+{"version":3,"file":"ExternalAPIScannerAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ExternalAPIScannerAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,KAAK,EAEV,4BAA4B,EAE7B,MAAM,uBAAuB,CAAC;AAmE/B,qBAAa,0BAA2B,SAAQ,YAAY;IACpD,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,4BAA4B,CAAC;IA+DxC;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,eAAe;IA0BvB;;OAEG;IACH,OAAO,CAAC,aAAa;IAIrB;;OAEG;IACH,OAAO,CAAC,QAAQ;IAIhB;;OAEG;IACH,OAAO,CAAC,eAAe;IASvB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAsBxB;;OAEG;IACH,OAAO,CAAC,aAAa;IAcrB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAyB3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA2B/B;;OAEG;IACH,OAAO,CAAC,oBAAoB;CAa7B"}

package/lib/services/assessment/modules/ExternalAPIScannerAssessor.js

@@ -74,13 +74,13 @@ const SKIP_FILE_PATTERNS = [
 ];
 export class ExternalAPIScannerAssessor extends BaseAssessor {
     async assess(context) {
-        this.log("Starting external API scanner assessment");
+        this.logger.info("Starting external API scanner assessment");
         this.resetTestCount();
         const detectedAPIs = [];
         let scannedFiles = 0;
         // Check if source code analysis is enabled
         if (!context.sourceCodeFiles || !context.config.enableSourceCodeAnalysis) {
-            this.log("Source code analysis not enabled, skipping external API scan");
+            this.logger.info("Source code analysis not enabled, skipping external API scan");
             return this.createNoSourceResult();
         }
         // Scan each source file
@@ -100,7 +100,7 @@ export class ExternalAPIScannerAssessor extends BaseAssessor {
         const status = this.computeStatus(detectedAPIs, affiliationWarning);
         const explanation = this.generateExplanation(detectedAPIs, uniqueServices, affiliationWarning, scannedFiles);
         const recommendations = this.generateRecommendations(uniqueServices, affiliationWarning);
-        this.log(`External API scan complete: ${detectedAPIs.length} APIs found in ${scannedFiles} files`);
+        this.logger.info(`External API scan complete: ${detectedAPIs.length} APIs found in ${scannedFiles} files`);
         return {
             detectedAPIs,
             uniqueServices,