@bryan-thompson/inspector-assessment-client 1.27.0 → 1.29.0

package/lib/services/assessment/modules/annotations/ExplanationGenerator.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Explanation Generator Module
+ * Generates explanations and recommendations for annotation assessment results
+ *
+ * Extracted from ToolAnnotationAssessor.ts as part of Issue #105 refactoring.
+ */
+import type { ToolAnnotationResult } from "../../../../lib/assessmentTypes.js";
+import type { EnhancedToolAnnotationResult } from "./types.js";
+/**
+ * Generate basic explanation for annotation assessment
+ */
+export declare function generateExplanation(annotatedCount: number, missingCount: number, misalignedCount: number, totalTools: number): string;
+/**
+ * Generate enhanced explanation with Claude analysis
+ */
+export declare function generateEnhancedExplanation(annotatedCount: number, missingCount: number, highConfidenceMisalignments: number, totalTools: number): string;
+/**
+ * Generate recommendations for annotation issues
+ */
+export declare function generateRecommendations(results: ToolAnnotationResult[]): string[];
+/**
+ * Generate enhanced recommendations with Claude analysis
+ */
+export declare function generateEnhancedRecommendations(results: EnhancedToolAnnotationResult[]): string[];
+//# sourceMappingURL=ExplanationGenerator.d.ts.map

package/lib/services/assessment/modules/annotations/ExplanationGenerator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ExplanationGenerator.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/ExplanationGenerator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,SAAS,CAAC;AAE5D;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,cAAc,EAAE,MAAM,EACtB,YAAY,EAAE,MAAM,EACpB,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE,MAAM,GACjB,MAAM,CA4BR;AAED;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,cAAc,EAAE,MAAM,EACtB,YAAY,EAAE,MAAM,EACpB,2BAA2B,EAAE,MAAM,EACnC,UAAU,EAAE,MAAM,GACjB,MAAM,CA0BR;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,oBAAoB,EAAE,GAC9B,MAAM,EAAE,CAuCV;AAED;;GAEG;AACH,wBAAgB,+BAA+B,CAC7C,OAAO,EAAE,4BAA4B,EAAE,GACtC,MAAM,EAAE,CA2EV"}

package/lib/services/assessment/modules/annotations/ExplanationGenerator.js

@@ -0,0 +1,122 @@
+/**
+ * Explanation Generator Module
+ * Generates explanations and recommendations for annotation assessment results
+ *
+ * Extracted from ToolAnnotationAssessor.ts as part of Issue #105 refactoring.
+ */
+/**
+ * Generate basic explanation for annotation assessment
+ */
+export function generateExplanation(annotatedCount, missingCount, misalignedCount, totalTools) {
+    const parts = [];
+    if (totalTools === 0) {
+        return "No tools found to assess for annotations.";
+    }
+    parts.push(`Tool annotation coverage: ${annotatedCount}/${totalTools} tools have annotations.`);
+    if (missingCount > 0) {
+        parts.push(`${missingCount} tool(s) are missing required annotations (readOnlyHint, destructiveHint).`);
+    }
+    if (misalignedCount > 0) {
+        parts.push(`${misalignedCount} tool(s) have potentially misaligned annotations based on naming patterns.`);
+    }
+    if (missingCount === 0 && misalignedCount === 0) {
+        parts.push("All tools are properly annotated.");
+    }
+    return parts.join(" ");
+}
+/**
+ * Generate enhanced explanation with Claude analysis
+ */
+export function generateEnhancedExplanation(annotatedCount, missingCount, highConfidenceMisalignments, totalTools) {
+    const parts = [];
+    if (totalTools === 0) {
+        return "No tools found to assess for annotations.";
+    }
+    parts.push(`Tool annotation coverage: ${annotatedCount}/${totalTools} tools have annotations.`);
+    if (missingCount > 0) {
+        parts.push(`${missingCount} tool(s) are missing required annotations (readOnlyHint, destructiveHint).`);
+    }
+    if (highConfidenceMisalignments > 0) {
+        parts.push(`Claude analysis identified ${highConfidenceMisalignments} high-confidence annotation misalignment(s).`);
+    }
+    parts.push("Analysis enhanced with Claude semantic behavior inference.");
+    return parts.join(" ");
+}
+/**
+ * Generate recommendations for annotation issues
+ */
+export function generateRecommendations(results) {
+    const recommendations = [];
+    const allRecs = new Set();
+    for (const result of results) {
+        for (const rec of result.recommendations) {
+            allRecs.add(rec);
+        }
+    }
+    const destructiveRecs = Array.from(allRecs).filter((r) => r.includes("destructive"));
+    const otherRecs = Array.from(allRecs).filter((r) => !r.includes("destructive"));
+    if (destructiveRecs.length > 0) {
+        recommendations.push("PRIORITY: The following tools appear to perform destructive operations but lack proper destructiveHint annotation:");
+        recommendations.push(...destructiveRecs.slice(0, 5));
+    }
+    if (otherRecs.length > 0) {
+        recommendations.push(...otherRecs.slice(0, 5));
+    }
+    if (recommendations.length === 0) {
+        recommendations.push("All tools have proper annotations. No action required.");
+    }
+    else {
+        recommendations.push("Reference: MCP Directory Policy #17 requires tools to have readOnlyHint and destructiveHint annotations.");
+    }
+    return recommendations;
+}
+/**
+ * Generate enhanced recommendations with Claude analysis
+ */
+export function generateEnhancedRecommendations(results) {
+    const recommendations = [];
+    const claudeMisalignments = results.filter((r) => r.claudeInference &&
+        r.claudeInference.source === "claude-inferred" &&
+        r.claudeInference.confidence >= 70 &&
+        r.claudeInference.misalignmentDetected);
+    if (claudeMisalignments.length > 0) {
+        recommendations.push("HIGH CONFIDENCE: Claude analysis identified the following annotation issues:");
+        for (const result of claudeMisalignments.slice(0, 5)) {
+            if (result.claudeInference) {
+                recommendations.push(`  - ${result.toolName}: ${result.claudeInference.reasoning}`);
+            }
+        }
+    }
+    const claudeSuggestions = results
+        .filter((r) => r.claudeInference &&
+        r.claudeInference.source === "claude-inferred" &&
+        r.claudeInference.confidence >= 60)
+        .flatMap((r) => r.recommendations.filter((rec) => rec.includes("Claude")));
+    if (claudeSuggestions.length > 0) {
+        recommendations.push(...claudeSuggestions.slice(0, 5));
+    }
+    const patternRecs = new Set();
+    for (const result of results) {
+        for (const rec of result.recommendations) {
+            if (!rec.includes("Claude")) {
+                patternRecs.add(rec);
+            }
+        }
+    }
+    const destructiveRecs = Array.from(patternRecs).filter((r) => r.includes("destructive"));
+    const otherRecs = Array.from(patternRecs).filter((r) => !r.includes("destructive"));
+    if (destructiveRecs.length > 0) {
+        recommendations.push("PRIORITY: Potential destructive tools without proper hints:");
+        recommendations.push(...destructiveRecs.slice(0, 3));
+    }
+    if (otherRecs.length > 0 && recommendations.length < 10) {
+        recommendations.push(...otherRecs.slice(0, 3));
+    }
+    if (recommendations.length === 0) {
+        recommendations.push("All tools have proper annotations. No action required.");
+    }
+    else {
+        recommendations.push("Reference: MCP Directory Policy #17 requires tools to have readOnlyHint and destructiveHint annotations.");
+    }
+    return recommendations;
+}

package/lib/services/assessment/modules/annotations/index.d.ts

@@ -10,4 +10,9 @@ export { inferBehavior, inferBehaviorEnhanced, type BehaviorInferenceResult, } f
 export { analyzeDescription, hasReadOnlyIndicators, hasDestructiveIndicators, hasWriteIndicators, DESCRIPTION_BEHAVIOR_KEYWORDS, } from "./DescriptionAnalyzer.js";
 export { analyzeInputSchema, analyzeOutputSchema, hasBulkOperationIndicators, hasPaginationParameters, hasForceFlags, INPUT_READONLY_PATTERNS, INPUT_DESTRUCTIVE_PATTERNS, INPUT_WRITE_PATTERNS, OUTPUT_READONLY_PATTERNS, OUTPUT_DESTRUCTIVE_PATTERNS, OUTPUT_WRITE_PATTERNS, type JSONSchema, } from "./SchemaAnalyzer.js";
 export { detectArchitecture, hasDatabaseToolPatterns, extractDatabasesFromDependencies, type Tool as ArchitectureTool, type ArchitectureContext, } from "./ArchitectureDetector.js";
+export { type ClaudeInference, type EnhancedToolAnnotationResult, } from "./types.js";
+export { extractAnnotations, extractExtendedMetadata, extractToolParams, assessSingleTool, determineAnnotationStatus, calculateMetrics, type ExtractedAnnotations, type AlignmentMetricsResult, } from "./AlignmentChecker.js";
+export { generateExplanation, generateEnhancedExplanation, generateRecommendations, generateEnhancedRecommendations, } from "./ExplanationGenerator.js";
+export { emitAnnotationEvents, emitMismatchEvent } from "./EventEmitter.js";
+export { enhanceWithClaudeInference, createPatternBasedInference, } from "./ClaudeIntegration.js";
 //# sourceMappingURL=index.d.ts.map

package/lib/services/assessment/modules/annotations/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,8BAA8B,EAC9B,2BAA2B,EAC3B,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,+BAA+B,EAC/B,4BAA4B,EAC5B,kCAAkC,EAClC,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,KAAK,eAAe,GACrB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,0BAA0B,EAC1B,uBAAuB,EACvB,aAAa,EACb,uBAAuB,EACvB,0BAA0B,EAC1B,oBAAoB,EACpB,wBAAwB,EACxB,2BAA2B,EAC3B,qBAAqB,EACrB,KAAK,UAAU,GAChB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,gCAAgC,EAChC,KAAK,IAAI,IAAI,gBAAgB,EAC7B,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,8BAA8B,EAC9B,2BAA2B,EAC3B,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,+BAA+B,EAC/B,4BAA4B,EAC5B,kCAAkC,EAClC,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,KAAK,eAAe,GACrB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,0BAA0B,EAC1B,uBAAuB,EACvB,aAAa,EACb,uBAAuB,EACvB,0BAA0B,EAC1B,oBAAoB,EACpB,wBAAwB,EACxB,2BAA2B,EAC3B,qBAAqB,EACrB,KAAK,UAAU,GAChB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,gCAAgC,EAChC,KAAK,IAAI,IAAI,gBAAgB,EAC7B,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,4BAA4B,GAClC,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,iBAAiB,EACjB,gBAAgB,EAChB,yBAAyB,EACzB,gBAAgB,EAChB,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,GAC5B,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,mBAAmB,EACnB,2BAA2B,EAC3B,uBAAuB,EACvB,+BAA+B,GAChC,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAGzE,OAAO,EACL,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,qBAAqB,CAAC"}

package/lib/services/assessment/modules/annotations/index.js

@@ -13,3 +13,11 @@ export { analyzeDescription, hasReadOnlyIndicators, hasDestructiveIndicators, ha
 export { analyzeInputSchema, analyzeOutputSchema, hasBulkOperationIndicators, hasPaginationParameters, hasForceFlags, INPUT_READONLY_PATTERNS, INPUT_DESTRUCTIVE_PATTERNS, INPUT_WRITE_PATTERNS, OUTPUT_READONLY_PATTERNS, OUTPUT_DESTRUCTIVE_PATTERNS, OUTPUT_WRITE_PATTERNS, } from "./SchemaAnalyzer.js";
 // Issue #57: Architecture Detector
 export { detectArchitecture, hasDatabaseToolPatterns, extractDatabasesFromDependencies, } from "./ArchitectureDetector.js";
+// Issue #105: Alignment Checker
+export { extractAnnotations, extractExtendedMetadata, extractToolParams, assessSingleTool, determineAnnotationStatus, calculateMetrics, } from "./AlignmentChecker.js";
+// Issue #105: Explanation Generator
+export { generateExplanation, generateEnhancedExplanation, generateRecommendations, generateEnhancedRecommendations, } from "./ExplanationGenerator.js";
+// Issue #105: Event Emitter
+export { emitAnnotationEvents, emitMismatchEvent } from "./EventEmitter.js";
+// Issue #105: Claude Integration
+export { enhanceWithClaudeInference, createPatternBasedInference, } from "./ClaudeIntegration.js";

package/lib/services/assessment/modules/annotations/types.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Shared Types for Annotation Assessment Modules
+ *
+ * Consolidates common type definitions used across annotation helper modules.
+ * Created as part of Issue #105 refactoring to eliminate duplicate definitions.
+ */
+import type { ToolAnnotationResult } from "../../../../lib/assessmentTypes.js";
+/**
+ * Claude inference result structure
+ * Contains semantic analysis of tool behavior from Claude
+ */
+export interface ClaudeInference {
+    expectedReadOnly: boolean;
+    expectedDestructive: boolean;
+    confidence: number;
+    reasoning: string;
+    suggestedAnnotations: {
+        readOnlyHint?: boolean;
+        destructiveHint?: boolean;
+        idempotentHint?: boolean;
+    };
+    misalignmentDetected: boolean;
+    misalignmentDetails?: string;
+    source: "claude-inferred" | "pattern-based";
+}
+/**
+ * Enhanced tool annotation result with Claude inference
+ * Extends the base result with optional Claude semantic analysis
+ */
+export interface EnhancedToolAnnotationResult extends ToolAnnotationResult {
+    claudeInference?: ClaudeInference;
+}
+//# sourceMappingURL=types.d.ts.map

package/lib/services/assessment/modules/annotations/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAElE;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB,EAAE;QACpB,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,CAAC;IACF,oBAAoB,EAAE,OAAO,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,MAAM,EAAE,iBAAiB,GAAG,eAAe,CAAC;CAC7C;AAED;;;GAGG;AACH,MAAM,WAAW,4BAA6B,SAAQ,oBAAoB;IACxE,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC"}

package/lib/services/assessment/modules/annotations/types.js

@@ -0,0 +1,7 @@
+/**
+ * Shared Types for Annotation Assessment Modules
+ *
+ * Consolidates common type definitions used across annotation helper modules.
+ * Created as part of Issue #105 refactoring to eliminate duplicate definitions.
+ */
+export {};

package/lib/services/assessment/modules/securityTests/SafeResponseDetector.d.ts

@@ -37,6 +37,9 @@ export declare class SafeResponseDetector {
     /**
      * Check if response is just reflection (safe)
      * Two-layer defense: Match reflection patterns, verify NO execution evidence
+     *
+     * Issue #110, Challenge #8: Also checks for LLM injection markers and
+     * output injection vulnerability metadata before declaring response safe.
      */
     isReflectionResponse(responseText: string): boolean;
     /**

package/lib/services/assessment/modules/securityTests/SafeResponseDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SafeResponseDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SafeResponseDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AAcjF;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,iBAAiB,CAA4B;;IAMrD;;OAEG;IACH,oBAAoB,CAAC,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAQzE;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;;OAGG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAkEnD;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIjD;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IA0CrE;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;CAUtE"}
+{"version":3,"file":"SafeResponseDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SafeResponseDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AAgBjF;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,iBAAiB,CAA4B;;IAMrD;;OAEG;IACH,oBAAoB,CAAC,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAQzE;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;;;;;OAMG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IA8EnD;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIjD;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IA0CrE;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;CAUtE"}

package/lib/services/assessment/modules/securityTests/SafeResponseDetector.js

@@ -5,7 +5,7 @@
  * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
  * Handles: MCP validation, HTTP errors, reflection detection, validation rejection
  */
-import { VALIDATION_ERROR_PATTERNS, STATUS_PATTERNS, REFLECTION_PATTERNS, SEARCH_RESULT_PATTERNS, CREATION_PATTERNS, TEXT_REJECTION_PATTERNS, RESULT_REJECTION_PATTERNS, isHttpError, matchesAny, } from "./SecurityPatternLibrary.js";
+import { VALIDATION_ERROR_PATTERNS, STATUS_PATTERNS, REFLECTION_PATTERNS, SEARCH_RESULT_PATTERNS, CREATION_PATTERNS, TEXT_REJECTION_PATTERNS, RESULT_REJECTION_PATTERNS, isHttpError, matchesAny, hasLLMInjectionMarkers, hasOutputInjectionVulnerability, } from "./SecurityPatternLibrary.js";
 import { ExecutionArtifactDetector } from "./ExecutionArtifactDetector.js";
 /**
  * Detects safe response patterns indicating proper tool behavior
@@ -33,8 +33,21 @@ export class SafeResponseDetector {
     /**
      * Check if response is just reflection (safe)
      * Two-layer defense: Match reflection patterns, verify NO execution evidence
+     *
+     * Issue #110, Challenge #8: Also checks for LLM injection markers and
+     * output injection vulnerability metadata before declaring response safe.
      */
     isReflectionResponse(responseText) {
+        // Issue #110: Check for LLM injection markers BEFORE reflection check
+        // If response contains <IMPORTANT>, [INST], or similar markers, it's not safe
+        if (hasLLMInjectionMarkers(responseText)) {
+            return false; // Not safe - contains potential LLM injection
+        }
+        // Issue #110: Check for output injection vulnerability metadata
+        // If tool self-reports raw_content_included or injection risk, it's not safe
+        if (hasOutputInjectionVulnerability(responseText)) {
+            return false; // Not safe - tool reports output injection vulnerability
+        }
         // Combine status patterns and reflection patterns
         const allReflectionPatterns = [...STATUS_PATTERNS, ...REFLECTION_PATTERNS];
         const hasReflection = matchesAny(allReflectionPatterns, responseText);

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts

@@ -40,6 +40,25 @@ export declare const EXECUTION_ARTIFACT_PATTERNS: {
     /** Context-sensitive - only count if no echoed payload */
     readonly contextSensitive: readonly [RegExp, RegExp, RegExp];
 };
+/**
+ * Patterns for detecting LLM prompt injection markers in tool output
+ * These indicate potential indirect prompt injection (output injection)
+ * Used by: hasLLMInjectionMarkers()
+ *
+ * When tool output contains these markers, it may flow to the orchestrating
+ * LLM and influence its behavior - a security concern for MCP integrations.
+ */
+export declare const LLM_INJECTION_MARKERS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Patterns for detecting output injection vulnerability metadata
+ * Tools that self-report vulnerability status
+ */
+export declare const OUTPUT_INJECTION_METADATA: {
+    /** Tool reports it includes raw/unsanitized content */
+    readonly rawContentIncluded: readonly [RegExp, RegExp, RegExp];
+    /** Tool reports vulnerability in output handling */
+    readonly vulnerableOutput: readonly [RegExp, RegExp, RegExp, RegExp];
+};
 /**
  * Patterns for connection/server errors
  * Used by: isConnectionError(), isConnectionErrorFromException()
@@ -334,6 +353,33 @@ export declare const STRUCTURED_DATA_INDICATORS: {
     readonly jsonPattern: RegExp;
     readonly numericMetadataPattern: RegExp;
 };
+/**
+ * Patterns for detecting secret/credential leakage in tool responses
+ * Used by: checkSecretLeakage()
+ */
+export declare const SECRET_LEAKAGE_PATTERNS: {
+    /** Well-known API key formats */
+    readonly apiKeys: readonly [RegExp, RegExp, RegExp, RegExp, RegExp];
+    /** Database connection strings with credentials */
+    readonly connectionStrings: readonly [RegExp];
+    /** Environment variable patterns with values */
+    readonly envVars: readonly [RegExp];
+    /** Partial key exposure patterns */
+    readonly partialKeys: readonly [RegExp];
+    /** Generic credential assignment patterns */
+    readonly credentialAssignment: readonly [RegExp];
+};
+/**
+ * Patterns for detecting tool output injection vulnerabilities
+ * Detects when user content is echoed unsanitized in tool output
+ * Used by: analyzeOutputInjection()
+ */
+export declare const OUTPUT_INJECTION_PATTERNS: {
+    /** LLM control patterns that should be sanitized */
+    readonly llmControl: readonly [RegExp, RegExp, RegExp, RegExp];
+    /** Canary markers for echo detection */
+    readonly canaryMarkers: readonly [RegExp];
+};
 /**
  * Check if any pattern in array matches text
  */
@@ -346,4 +392,14 @@ export declare function isHttpError(text: string): boolean;
  * Check if response has MCP error prefix
  */
 export declare function hasMcpErrorPrefix(text: string): boolean;
+/**
+ * Check if text contains LLM injection markers (Issue #110, Challenge #8)
+ * Detects XML-style tags, chat format markers, and instruction overrides
+ */
+export declare function hasLLMInjectionMarkers(text: string): boolean;
+/**
+ * Check if response indicates output injection vulnerability (Issue #110, Challenge #8)
+ * Detects tools that self-report including raw/unsanitized content
+ */
+export declare function hasOutputInjectionVulnerability(text: string): boolean;
 //# sourceMappingURL=SecurityPatternLibrary.d.ts.map

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAqBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;EAiCjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,EAAE,oBAAoB,EA0FnE,CAAC;AAEF;;;;;;;;GAQG;AAKH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,IAAM,CAAC;AAMxC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAgCxC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAiB5E;AAED,eAAO,MAAM,2BAA2B,EAAE,oBAAoB,EAuE7D,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD"}
+{"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;;;;;GAOG;AACH,eAAO,MAAM,qBAAqB,2KA4BxB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,uDAAuD;;IAOvD,oDAAoD;;CAO5C,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAqBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;EAiCjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,EAAE,oBAAoB,EA0FnE,CAAC;AAEF;;;;;;;;GAQG;AAKH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,IAAM,CAAC;AAMxC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAgCxC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAiB5E;AAED,eAAO,MAAM,2BAA2B,EAAE,oBAAoB,EAuE7D,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;IAClC,iCAAiC;;IAQjC,mDAAmD;;IAInD,gDAAgD;;IAIhD,oCAAoC;;IAEpC,6CAA6C;;CAIrC,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB;IACpC,oDAAoD;;IAOpD,wCAAwC;;CAEhC,CAAC;AAMX;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE5D;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAKrE"}

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js

@@ -104,6 +104,62 @@ export const EXECUTION_ARTIFACT_PATTERNS = {
     contextSensitive: [/\/etc\/passwd/i, /\/etc\/shadow/i, /file:\/\/\//i],
 };
 // =============================================================================
+// LLM INJECTION MARKER PATTERNS (Issue #110, Challenge #8)
+// =============================================================================
+/**
+ * Patterns for detecting LLM prompt injection markers in tool output
+ * These indicate potential indirect prompt injection (output injection)
+ * Used by: hasLLMInjectionMarkers()
+ *
+ * When tool output contains these markers, it may flow to the orchestrating
+ * LLM and influence its behavior - a security concern for MCP integrations.
+ */
+export const LLM_INJECTION_MARKERS = [
+    // XML-style instruction tags
+    /<IMPORTANT>/i,
+    /<\/IMPORTANT>/i,
+    /<SYSTEM>/i,
+    /<\/SYSTEM>/i,
+    /<INSTRUCTION>/i,
+    /<\/INSTRUCTION>/i,
+    // Chat model format markers
+    /\[INST\]/i,
+    /\[\/INST\]/i,
+    /<\|system\|>/i,
+    /<\|user\|>/i,
+    /<\|assistant\|>/i,
+    /<\|im_start\|>/i,
+    /<\|im_end\|>/i,
+    // Template injection patterns
+    /\{\{SYSTEM_PROMPT\}\}/i,
+    /\{\{USER_INPUT\}\}/i,
+    /\{\{ASSISTANT\}\}/i,
+    // Instruction override patterns
+    /ignore.*previous.*instructions/i,
+    /disregard.*above.*instructions/i,
+    /new.*instructions.*follow/i,
+    /override.*system.*prompt/i,
+];
+/**
+ * Patterns for detecting output injection vulnerability metadata
+ * Tools that self-report vulnerability status
+ */
+export const OUTPUT_INJECTION_METADATA = {
+    /** Tool reports it includes raw/unsanitized content */
+    rawContentIncluded: [
+        /"raw_content_included"\s*:\s*true/i,
+        /"unsanitized"\s*:\s*true/i,
+        /"content_sanitized"\s*:\s*false/i,
+    ],
+    /** Tool reports vulnerability in output handling */
+    vulnerableOutput: [
+        /enables\s+indirect\s+prompt\s+injection/i,
+        /returns\s+unsanitized\s+user\s+content/i,
+        /output\s+injection/i,
+        /"injection_risk"\s*:\s*true/i,
+    ],
+};
+// =============================================================================
 // CONNECTION ERROR PATTERNS (consolidated from 2 duplicate locations)
 // =============================================================================
 /**
@@ -879,6 +935,56 @@ export const STRUCTURED_DATA_INDICATORS = {
     numericMetadataPattern: /\b(score|count|trust|rating|id|version)\b/i,
 };
 // =============================================================================
+// SECRET LEAKAGE PATTERNS (Issue #103, Challenge #9)
+// =============================================================================
+/**
+ * Patterns for detecting secret/credential leakage in tool responses
+ * Used by: checkSecretLeakage()
+ */
+export const SECRET_LEAKAGE_PATTERNS = {
+    /** Well-known API key formats */
+    apiKeys: [
+        /AKIA[A-Z0-9]{16}/, // AWS Access Key
+        /sk-[a-zA-Z0-9]{20,}/, // OpenAI Key
+        /ghp_[a-zA-Z0-9]{36}/, // GitHub PAT
+        /glpat-[a-zA-Z0-9]{20}/, // GitLab PAT
+        /xox[baprs]-[a-zA-Z0-9-]+/, // Slack tokens
+    ],
+    /** Database connection strings with credentials */
+    connectionStrings: [
+        /(postgresql|mysql|mongodb|redis|mssql):\/\/[^:]+:[^@]+@/i,
+    ],
+    /** Environment variable patterns with values */
+    envVars: [
+        /(SECRET_TOKEN|DATABASE_URL|API_KEY|PRIVATE_KEY|DB_PASSWORD)[^\s]*[:=]/i,
+    ],
+    /** Partial key exposure patterns */
+    partialKeys: [/api_key_preview|key_fragment|partial_key/i],
+    /** Generic credential assignment patterns */
+    credentialAssignment: [
+        /(api[_-]?key|secret|password)[^\s]*[:=]\s*["']?[a-zA-Z0-9_-]{10,}/i,
+    ],
+};
+// =============================================================================
+// OUTPUT INJECTION PATTERNS (Issue #103, Challenge #8)
+// =============================================================================
+/**
+ * Patterns for detecting tool output injection vulnerabilities
+ * Detects when user content is echoed unsanitized in tool output
+ * Used by: analyzeOutputInjection()
+ */
+export const OUTPUT_INJECTION_PATTERNS = {
+    /** LLM control patterns that should be sanitized */
+    llmControl: [
+        /<IMPORTANT>.*<\/IMPORTANT>/is,
+        /\[INST\].*\[\/INST\]/is,
+        /<\|system\|>.*<\|end\|>/is,
+        /\{\{.*\}\}/, // Template vars
+    ],
+    /** Canary markers for echo detection */
+    canaryMarkers: [/SENTINEL_OUTPUT_MARKER_\d+/],
+};
+// =============================================================================
 // HELPER FUNCTIONS
 // =============================================================================
 /**
@@ -902,3 +1008,18 @@ export function isHttpError(text) {
 export function hasMcpErrorPrefix(text) {
     return CONNECTION_ERROR_PATTERNS.mcpPrefix.test(text);
 }
+/**
+ * Check if text contains LLM injection markers (Issue #110, Challenge #8)
+ * Detects XML-style tags, chat format markers, and instruction overrides
+ */
+export function hasLLMInjectionMarkers(text) {
+    return matchesAny(LLM_INJECTION_MARKERS, text);
+}
+/**
+ * Check if response indicates output injection vulnerability (Issue #110, Challenge #8)
+ * Detects tools that self-report including raw/unsanitized content
+ */
+export function hasOutputInjectionVulnerability(text) {
+    return (matchesAny(OUTPUT_INJECTION_METADATA.rawContentIncluded, text) ||
+        matchesAny(OUTPUT_INJECTION_METADATA.vulnerableOutput, text));
+}

package/lib/services/assessment/modules/securityTests/SecurityPayloadGenerator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPayloadGenerator.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadGenerator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAIzD;;GAEG;AACH,qBAAa,wBAAwB;IACnC,OAAO,CAAC,iBAAiB,CAAuC;IAEhE;;OAEG;IACH,kBAAkB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAUvC;;OAEG;IACH,oBAAoB,CAClB,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAwJ1B;;OAEG;IACH,YAAY,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IASjC;;;OAGG;IACH,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;CAQ7C"}
+{"version":3,"file":"SecurityPayloadGenerator.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadGenerator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAIzD;;GAEG;AACH,qBAAa,wBAAwB;IACnC,OAAO,CAAC,iBAAiB,CAAuC;IAEhE;;OAEG;IACH,kBAAkB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAUvC;;OAEG;IACH,oBAAoB,CAClB,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAwK1B;;OAEG;IACH,YAAY,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IASjC;;;OAGG;IACH,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;CAQ7C"}

package/lib/services/assessment/modules/securityTests/SecurityPayloadGenerator.js

@@ -130,6 +130,19 @@ export class SecurityPayloadGenerator {
                 }
             }
         }
+        // VERBOSE MODE TESTING (Issue #103, Challenge #9)
+        // For secret_leakage payloads, enable verbose mode to detect additional credential exposure
+        if (payload.payloadType === "secret_leakage") {
+            for (const [key, prop] of Object.entries(schema.properties)) {
+                const propSchema = prop;
+                if (propSchema.type === "boolean" &&
+                    key.toLowerCase() === "verbose" &&
+                    !(key in params)) {
+                    params[key] = true; // Enable verbose mode to test for additional leakage
+                    break;
+                }
+            }
+        }
         // Fill required parameters with safe defaults
         for (const [key, prop] of Object.entries(schema.properties)) {
             const propSchema = prop;

package/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAGjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAOhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA2JhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA8IhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAyJ9B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}
+{"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAGjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAOhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA2JhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA8IhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAsM9B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}

package/lib/services/assessment/modules/securityTests/SecurityPayloadTester.js

@@ -319,6 +319,26 @@ export class SecurityPayloadTester {
                     authBypassEvidence: authResult.evidence,
                 };
             }
+            // Issue #110: Analyze blacklist bypass patterns for "Blacklist Bypass" attack type
+            let blacklistBypassFields = {};
+            if (attackName === "Blacklist Bypass") {
+                const bypassResult = this.responseAnalyzer.analyzeBlacklistBypassResponse(response);
+                blacklistBypassFields = {
+                    blacklistBypassDetected: bypassResult.detected,
+                    blacklistBypassType: bypassResult.bypassType,
+                    blacklistBypassMethod: bypassResult.bypassMethod,
+                    blacklistBypassEvidence: bypassResult.evidence,
+                };
+            }
+            // Issue #110: Analyze output injection patterns for Challenge #8
+            // Check ALL responses since any tool could have output injection vulnerabilities
+            const outputInjectionResult = this.responseAnalyzer.analyzeOutputInjectionResponse(response);
+            const outputInjectionFields = {
+                outputInjectionDetected: outputInjectionResult.detected,
+                outputInjectionType: outputInjectionResult.injectionType,
+                outputInjectionMarkers: outputInjectionResult.markers,
+                outputInjectionEvidence: outputInjectionResult.evidence,
+            };
             return {
                 testName: attackName,
                 description: payload.description,
@@ -333,6 +353,10 @@ export class SecurityPayloadTester {
                 sanitizationLibraries: combinedSanitization.libraries,
                 // Issue #75: Auth bypass detection fields
                 ...authBypassFields,
+                // Issue #110: Blacklist bypass detection fields
+                ...blacklistBypassFields,
+                // Issue #110: Output injection detection fields (Challenge #8)
+                ...outputInjectionFields,
                 ...confidenceResult,
             };
         }