@bryan-thompson/inspector-assessment-client 1.26.7 → 1.27.0

package/dist/assets/{OAuthCallback-CCWVtjr7.js → OAuthCallback-CJWH8Ytw.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CsDJSSWq.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-Cu9XzUwB.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/dist/assets/{OAuthDebugCallback-DqbXfUi4.js → OAuthDebugCallback-DL5adXJw.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CsDJSSWq.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-Cu9XzUwB.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/dist/assets/{index-CsDJSSWq.js → index-Cu9XzUwB.js}

@@ -16373,7 +16373,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.26.6";
+const version$1 = "1.27.0";
 const packageJson = {
   name,
   version: version$1
@@ -45288,7 +45288,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.26.6";
+const version = "1.27.0";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -48845,13 +48845,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-CCWVtjr7.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-CJWH8Ytw.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-DqbXfUi4.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-DL5adXJw.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-CsDJSSWq.js"></script>
+    <script type="module" crossorigin src="/assets/index-Cu9XzUwB.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-cHhcEXbr.css">
   </head>
   <body>

package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts

@@ -3,9 +3,13 @@
  * Tests error handling and input validation
  */
 import { ErrorHandlingAssessment } from "../../../lib/assessmentTypes.js";
+import { AssessmentConfiguration } from "../../../lib/assessment/configTypes.js";
 import { BaseAssessor } from "./BaseAssessor.js";
 import { AssessmentContext } from "../AssessmentOrchestrator.js";
 export declare class ErrorHandlingAssessor extends BaseAssessor {
+    private executionDetector;
+    private safeResponseDetector;
+    constructor(config: AssessmentConfiguration);
     assess(context: AssessmentContext): Promise<ErrorHandlingAssessment>;
     private selectToolsForTesting;
     private testToolErrorHandling;
@@ -17,6 +21,27 @@ export declare class ErrorHandlingAssessor extends BaseAssessor {
     private generateWrongTypeParams;
     private generateInvalidValueParams;
     private generateParamsWithValue;
+    /**
+     * Analyze invalid_values response to determine scoring impact
+     * Issue #99: Contextual empty string validation scoring
+     *
+     * Classifications:
+     * - safe_rejection: Tool rejected with error (no penalty)
+     * - safe_reflection: Tool stored/echoed without executing (no penalty)
+     * - defensive_programming: Tool handled gracefully (no penalty)
+     * - execution_detected: Tool executed input (penalty)
+     * - unknown: Cannot determine (partial penalty)
+     */
+    private analyzeInvalidValuesResponse;
+    /**
+     * Safely extract response text from various response formats
+     */
+    private extractResponseTextSafe;
+    /**
+     * Check for defensive programming patterns - tool accepted but caused no harm
+     * Examples: "Deleted 0 keys", "No results found", "Query returned 0"
+     */
+    private isDefensiveProgrammingResponse;
     private calculateMetrics;
     private determineErrorHandlingStatus;
     private generateExplanation;

package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ErrorHandlingAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ErrorHandlingAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAG9D,qBAAa,qBAAsB,SAAQ,YAAY;IAC/C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAiE1E,OAAO,CAAC,qBAAqB;YAuDf,qBAAqB;YAuBrB,qBAAqB;YAmGrB,cAAc;YAmFd,iBAAiB;YA8DjB,kBAAkB;IA6DhC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,0BAA0B;IAgClC,OAAO,CAAC,uBAAuB;IA4B/B,OAAO,CAAC,gBAAgB;IAoGxB,OAAO,CAAC,4BAA4B;IAapC,OAAO,CAAC,mBAAmB;IAuE3B,OAAO,CAAC,uBAAuB;CA4ChC"}
+{"version":3,"file":"ErrorHandlingAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ErrorHandlingAssessor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,uBAAuB,EAIxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAK9D,qBAAa,qBAAsB,SAAQ,YAAY;IACrD,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,oBAAoB,CAAuB;gBAEvC,MAAM,EAAE,uBAAuB;IAMrC,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAiE1E,OAAO,CAAC,qBAAqB;YAuDf,qBAAqB;YAuBrB,qBAAqB;YAmGrB,cAAc;YAmFd,iBAAiB;YA8DjB,kBAAkB;IA6DhC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,0BAA0B;IAgClC,OAAO,CAAC,uBAAuB;IA4B/B;;;;;;;;;;OAUG;IACH,OAAO,CAAC,4BAA4B;IAgEpC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAc/B;;;OAGG;IACH,OAAO,CAAC,8BAA8B;IAetC,OAAO,CAAC,gBAAgB;IA8GxB,OAAO,CAAC,4BAA4B;IAapC,OAAO,CAAC,mBAAmB;IAuE3B,OAAO,CAAC,uBAAuB;CA4ChC"}

package/lib/services/assessment/modules/ErrorHandlingAssessor.js

@@ -4,7 +4,16 @@
  */
 import { BaseAssessor } from "./BaseAssessor.js";
 import { createConcurrencyLimit } from "../lib/concurrencyLimit.js";
+import { ExecutionArtifactDetector } from "./securityTests/ExecutionArtifactDetector.js";
+import { SafeResponseDetector } from "./securityTests/SafeResponseDetector.js";
 export class ErrorHandlingAssessor extends BaseAssessor {
+    executionDetector;
+    safeResponseDetector;
+    constructor(config) {
+        super(config);
+        this.executionDetector = new ExecutionArtifactDetector();
+        this.safeResponseDetector = new SafeResponseDetector();
+    }
     async assess(context) {
         this.logger.info("Starting error handling assessment");
         const testDetails = [];
@@ -428,17 +437,122 @@ export class ErrorHandlingAssessor extends BaseAssessor {
         return params;
     }
     // isErrorResponse and extractErrorInfo moved to BaseAssessor for reuse across all assessors
+    /**
+     * Analyze invalid_values response to determine scoring impact
+     * Issue #99: Contextual empty string validation scoring
+     *
+     * Classifications:
+     * - safe_rejection: Tool rejected with error (no penalty)
+     * - safe_reflection: Tool stored/echoed without executing (no penalty)
+     * - defensive_programming: Tool handled gracefully (no penalty)
+     * - execution_detected: Tool executed input (penalty)
+     * - unknown: Cannot determine (partial penalty)
+     */
+    analyzeInvalidValuesResponse(test) {
+        const responseText = this.extractResponseTextSafe(test.actualResponse.rawResponse);
+        // Case 1: Tool rejected with error - best case (no penalty)
+        if (test.actualResponse.isError) {
+            return {
+                shouldPenalize: false,
+                penaltyAmount: 0,
+                classification: "safe_rejection",
+                reason: "Tool properly rejected invalid input",
+            };
+        }
+        // Case 2: Defensive programming patterns (no penalty)
+        // Check BEFORE execution detection because patterns like "query returned 0"
+        // might match execution indicators but are actually safe
+        if (this.isDefensiveProgrammingResponse(responseText)) {
+            return {
+                shouldPenalize: false,
+                penaltyAmount: 0,
+                classification: "defensive_programming",
+                reason: "Tool handled empty input defensively",
+            };
+        }
+        // Case 3: Safe reflection patterns (no penalty)
+        if (this.safeResponseDetector.isReflectionResponse(responseText)) {
+            return {
+                shouldPenalize: false,
+                penaltyAmount: 0,
+                classification: "safe_reflection",
+                reason: "Tool safely reflected input without execution",
+            };
+        }
+        // Case 4: Check for execution evidence - VULNERABLE (full penalty)
+        if (this.executionDetector.hasExecutionEvidence(responseText) ||
+            this.executionDetector.detectExecutionArtifacts(responseText)) {
+            return {
+                shouldPenalize: true,
+                penaltyAmount: 100,
+                classification: "execution_detected",
+                reason: "Tool executed input without validation",
+            };
+        }
+        // Case 5: Unknown - partial penalty for manual review
+        return {
+            shouldPenalize: true,
+            penaltyAmount: 25,
+            classification: "unknown",
+            reason: "Unable to determine safety - manual review recommended",
+        };
+    }
+    /**
+     * Safely extract response text from various response formats
+     */
+    extractResponseTextSafe(rawResponse) {
+        if (typeof rawResponse === "string")
+            return rawResponse;
+        if (rawResponse && typeof rawResponse === "object") {
+            const resp = rawResponse;
+            if (resp.content && Array.isArray(resp.content)) {
+                return resp.content
+                    .map((c) => (c.type === "text" ? c.text : ""))
+                    .join(" ");
+            }
+            return JSON.stringify(rawResponse);
+        }
+        return String(rawResponse || "");
+    }
+    /**
+     * Check for defensive programming patterns - tool accepted but caused no harm
+     * Examples: "Deleted 0 keys", "No results found", "Query returned 0"
+     */
+    isDefensiveProgrammingResponse(responseText) {
+        // Patterns for safe "no-op" responses where tool handled empty input gracefully
+        // Use word boundaries (\b) to avoid matching numbers like "10" or "15"
+        const patterns = [
+            /deleted\s+0\s+(keys?|records?|rows?|items?)/i,
+            /no\s+(results?|matches?|items?)\s+found/i,
+            /\b0\s+items?\s+(deleted|updated|processed)/i, // \b prevents matching "10 items"
+            /nothing\s+to\s+(delete|update|process)/i,
+            /empty\s+(result|response|query)/i,
+            /no\s+action\s+taken/i,
+            /query\s+returned\s+0\b/i, // \b prevents matching "query returned 05" etc.
+        ];
+        return patterns.some((p) => p.test(responseText));
+    }
     calculateMetrics(tests, _passed) {
         // Calculate enhanced score with bonus points for quality
         let enhancedScore = 0;
         let maxPossibleScore = 0;
         tests.forEach((test) => {
-            // Phase 1: Exclude "invalid_values" tests from scoring (informational only)
-            // Reason: These tests penalize tools that handle edge cases gracefully (empty strings, etc.)
-            // Instead of rejecting them, which is often correct defensive programming.
-            // Real schema violations will be tested separately in Phase 2+.
+            // Issue #99: Contextual scoring for invalid_values tests
+            // Instead of blanket exclusion, analyze response patterns to determine if
+            // the tool safely handled empty strings (defensive programming, reflection)
+            // or if it executed without validation (security concern).
             if (test.testType === "invalid_values") {
-                return; // Skip scoring, but still included in testDetails
+                const analysis = this.analyzeInvalidValuesResponse(test);
+                if (!analysis.shouldPenalize) {
+                    // Safe response (rejection, reflection, or defensive programming)
+                    // Skip scoring to preserve backward compatibility for well-behaved tools
+                    return;
+                }
+                // Execution detected or unknown - include in scoring with penalty
+                maxPossibleScore += 100;
+                const scoreEarned = 100 * (1 - analysis.penaltyAmount / 100);
+                enhancedScore += test.passed ? scoreEarned : 0;
+                return;
             }
             maxPossibleScore += 100; // Base score for each test
             if (test.passed) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.26.7",
+  "version": "1.27.0",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",