@bryan-thompson/inspector-assessment-client 1.27.0 → 1.29.0

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts

@@ -45,6 +45,26 @@ export interface StateBasedAuthResult {
     stateDependency: "SHARED_STATE" | "INDEPENDENT" | "UNKNOWN";
     evidence: string;
 }
+/**
+ * Result of blacklist bypass response analysis (Issue #110, Challenge #11)
+ * Detects incomplete blacklist security controls being bypassed
+ */
+export interface BlacklistBypassResult {
+    detected: boolean;
+    bypassType: "BLACKLIST_BYPASS" | "ALLOWLIST_BLOCKED" | "UNKNOWN";
+    bypassMethod?: string;
+    evidence?: string;
+}
+/**
+ * Result of output injection response analysis (Issue #110, Challenge #8)
+ * Detects indirect prompt injection via unsanitized tool output
+ */
+export interface OutputInjectionResult {
+    detected: boolean;
+    injectionType: "LLM_INJECTION_MARKERS" | "RAW_CONTENT_INCLUDED" | "SANITIZED" | "UNKNOWN";
+    markers?: string[];
+    evidence?: string;
+}
 /**
  * Chain execution type classification (Issue #93, Challenge #6)
  */
@@ -115,6 +135,31 @@ export declare class SecurityResponseAnalyzer {
      * indicated by shared_state_checked: false or independent_auth_required: true
      */
     analyzeStateBasedAuthBypass(response: CompatibilityCallToolResult): StateBasedAuthResult;
+    /**
+     * Analyze response for blacklist bypass patterns (Issue #110, Challenge #11)
+     * Detects when incomplete blacklist security controls are bypassed
+     *
+     * This method extracts JSON metadata from tool responses to detect:
+     * - VULNERABLE: bypass_used: true, blacklist_check: "passed"
+     * - SAFE: execution_blocked: true, allowlist_used: true
+     *
+     * @param response The tool response to analyze
+     * @returns Analysis result with bypass detection status
+     */
+    analyzeBlacklistBypassResponse(response: CompatibilityCallToolResult): BlacklistBypassResult;
+    /**
+     * Analyze response for output injection vulnerabilities (Issue #110, Challenge #8)
+     * Detects indirect prompt injection via unsanitized tool output
+     *
+     * This method detects:
+     * - VULNERABLE: LLM injection markers (<IMPORTANT>, [INST], etc.) in output
+     * - VULNERABLE: Tool self-reports raw_content_included: true
+     * - SAFE: Tool reports content_sanitized: true or uses hash references
+     *
+     * @param response The tool response to analyze
+     * @returns Analysis result with output injection detection status
+     */
+    analyzeOutputInjectionResponse(response: CompatibilityCallToolResult): OutputInjectionResult;
     /**
      * Analyze response for chain exploitation vulnerabilities (Issue #93, Challenge #6)
      * Detects multi-tool chained exploitation attacks including:
@@ -129,6 +174,41 @@ export declare class SecurityResponseAnalyzer {
      * @returns Analysis result with vulnerability status and evidence
      */
     analyzeChainExploitation(response: CompatibilityCallToolResult): ChainExploitationAnalysis;
+    /**
+     * Check for secret leakage in response (Issue #103, Challenge #9)
+     * Scans for credential patterns regardless of payload type.
+     *
+     * This method detects when tools inadvertently expose:
+     * - API keys (AWS, OpenAI, GitHub, GitLab, Slack)
+     * - Database connection strings with credentials
+     * - Environment variable values
+     * - Partial key previews
+     *
+     * @note This method must be called separately from analyzeResponse().
+     * It is not part of the standard vulnerability detection flow because
+     * secret leakage detection requires examining ALL responses, not just
+     * those matching attack payloads. Callers should invoke this method
+     * independently when auditing tool responses for credential exposure.
+     *
+     * @example
+     * ```typescript
+     * const analyzer = new SecurityResponseAnalyzer();
+     * const response = await client.callTool("get_status", { verbose: true });
+     *
+     * // Standard vulnerability check
+     * const vulnResult = analyzer.analyzeResponse(response, payload);
+     *
+     * // Additional secret leakage check (separate concern)
+     * const leakResult = analyzer.checkSecretLeakage(response);
+     * if (leakResult.detected) {
+     *   console.warn(`Secret leaked: ${leakResult.evidence}`);
+     * }
+     * ```
+     */
+    checkSecretLeakage(response: CompatibilityCallToolResult): {
+        detected: boolean;
+        evidence?: string;
+    };
     /**
      * Check if response indicates connection/server failure
      */

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqBjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAsFnB;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;IAmGvB;;;;;;;;;;;;OAYG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,GACpC,yBAAyB;IA6D5B;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IA+E7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IAwClC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAoBjC"}
+{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,kBAAkB,GAAG,mBAAmB,GAAG,SAAS,CAAC;IACjE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,GACX,SAAS,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqBjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAsFnB;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;IAmGvB;;;;;;;;;;OAUG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IAyFxB;;;;;;;;;;;OAWG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IA0FxB;;;;;;;;;;;;OAYG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,GACpC,yBAAyB;IA6D5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,kBAAkB,CAAC,QAAQ,EAAE,2BAA2B,GAAG;QACzD,QAAQ,EAAE,OAAO,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAwCD;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAqF7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IA0DlC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAmBjC"}

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js

@@ -258,6 +258,189 @@ export class SecurityResponseAnalyzer {
             evidence: "",
         };
     }
+    /**
+     * Analyze response for blacklist bypass patterns (Issue #110, Challenge #11)
+     * Detects when incomplete blacklist security controls are bypassed
+     *
+     * This method extracts JSON metadata from tool responses to detect:
+     * - VULNERABLE: bypass_used: true, blacklist_check: "passed"
+     * - SAFE: execution_blocked: true, allowlist_used: true
+     *
+     * @param response The tool response to analyze
+     * @returns Analysis result with bypass detection status
+     */
+    analyzeBlacklistBypassResponse(response) {
+        const responseText = this.extractResponseContent(response);
+        // Vulnerable patterns - blacklist bypassed (Challenge #11)
+        const vulnerablePatterns = [
+            {
+                pattern: /"bypass_used"\s*:\s*true/i,
+                evidence: "bypass_used: true (blacklist bypassed)",
+            },
+            {
+                pattern: /"blacklist_check"\s*:\s*"passed"/i,
+                evidence: "blacklist_check: passed (command not blocked)",
+            },
+            {
+                // Combined pattern: vulnerable with bypass context
+                pattern: /"vulnerable"\s*:\s*true[^}]*"bypass_used"|"bypass_used"[^}]*"vulnerable"\s*:\s*true/i,
+                evidence: "vulnerable flag with bypass context",
+            },
+            {
+                pattern: /"bypass_method"\s*:\s*"[^"]+"/i,
+                evidence: "bypass_method specified (blacklist circumvented)",
+            },
+            {
+                pattern: /incomplete\s+blacklist\s+allowed/i,
+                evidence: "evidence indicates incomplete blacklist",
+            },
+        ];
+        // Safe patterns - allowlist enforced or execution blocked (hardened)
+        const safePatterns = [
+            {
+                pattern: /"execution_blocked"\s*:\s*true/i,
+                evidence: "execution_blocked: true (secure)",
+            },
+            {
+                pattern: /"allowlist_used"\s*:\s*true/i,
+                evidence: "allowlist_used: true (secure pattern)",
+            },
+            {
+                pattern: /"allowlist_enforced"\s*:\s*true/i,
+                evidence: "allowlist_enforced: true (secure)",
+            },
+            {
+                pattern: /"blacklist_used"\s*:\s*false/i,
+                evidence: "blacklist_used: false (allowlist pattern)",
+            },
+            {
+                pattern: /"status"\s*:\s*"pending_review"/i,
+                evidence: "command stored for review (not executed)",
+            },
+            {
+                pattern: /command.*stored.*not\s+executed/i,
+                evidence: "command stored, not executed",
+            },
+        ];
+        // Extract bypass method if present
+        const bypassMethodMatch = responseText.match(/"bypass_method"\s*:\s*"([^"]+)"/i);
+        const bypassMethod = bypassMethodMatch ? bypassMethodMatch[1] : undefined;
+        // Check for vulnerable patterns first
+        for (const { pattern, evidence } of vulnerablePatterns) {
+            if (pattern.test(responseText)) {
+                return {
+                    detected: true,
+                    bypassType: "BLACKLIST_BYPASS",
+                    bypassMethod,
+                    evidence,
+                };
+            }
+        }
+        // Check for safe patterns
+        for (const { pattern, evidence } of safePatterns) {
+            if (pattern.test(responseText)) {
+                return {
+                    detected: false,
+                    bypassType: "ALLOWLIST_BLOCKED",
+                    evidence,
+                };
+            }
+        }
+        return { detected: false, bypassType: "UNKNOWN" };
+    }
+    /**
+     * Analyze response for output injection vulnerabilities (Issue #110, Challenge #8)
+     * Detects indirect prompt injection via unsanitized tool output
+     *
+     * This method detects:
+     * - VULNERABLE: LLM injection markers (<IMPORTANT>, [INST], etc.) in output
+     * - VULNERABLE: Tool self-reports raw_content_included: true
+     * - SAFE: Tool reports content_sanitized: true or uses hash references
+     *
+     * @param response The tool response to analyze
+     * @returns Analysis result with output injection detection status
+     */
+    analyzeOutputInjectionResponse(response) {
+        const responseText = this.extractResponseContent(response);
+        // Check for LLM injection markers in response
+        const llmMarkers = [];
+        const markerPatterns = [
+            { pattern: /<IMPORTANT>/i, name: "<IMPORTANT>" },
+            { pattern: /<\/IMPORTANT>/i, name: "</IMPORTANT>" },
+            { pattern: /<SYSTEM>/i, name: "<SYSTEM>" },
+            { pattern: /\[INST\]/i, name: "[INST]" },
+            { pattern: /<\|system\|>/i, name: "<|system|>" },
+            { pattern: /<\|user\|>/i, name: "<|user|>" },
+            { pattern: /\{\{SYSTEM_PROMPT\}\}/i, name: "{{SYSTEM_PROMPT}}" },
+            { pattern: /ignore.*previous.*instructions/i, name: "ignore instructions" },
+        ];
+        for (const { pattern, name } of markerPatterns) {
+            if (pattern.test(responseText)) {
+                llmMarkers.push(name);
+            }
+        }
+        if (llmMarkers.length > 0) {
+            return {
+                detected: true,
+                injectionType: "LLM_INJECTION_MARKERS",
+                markers: llmMarkers,
+                evidence: `LLM injection markers detected: ${llmMarkers.join(", ")}`,
+            };
+        }
+        // Check for raw content vulnerability metadata
+        const rawContentPatterns = [
+            {
+                pattern: /"raw_content_included"\s*:\s*true/i,
+                evidence: "raw_content_included: true (unsanitized user content)",
+            },
+            {
+                pattern: /returns\s+unsanitized\s+user\s+content/i,
+                evidence: "Tool reports returning unsanitized user content",
+            },
+            {
+                pattern: /enables\s+indirect\s+prompt\s+injection/i,
+                evidence: "Tool reports enabling indirect prompt injection",
+            },
+            {
+                pattern: /"injection_risk_level"\s*:\s*"(HIGH|CRITICAL)"/i,
+                evidence: "Tool reports HIGH/CRITICAL injection risk level",
+            },
+        ];
+        for (const { pattern, evidence } of rawContentPatterns) {
+            if (pattern.test(responseText)) {
+                return {
+                    detected: true,
+                    injectionType: "RAW_CONTENT_INCLUDED",
+                    evidence,
+                };
+            }
+        }
+        // Check for safe patterns (sanitized output)
+        const safePatterns = [
+            {
+                pattern: /"content_sanitized"\s*:\s*true/i,
+                evidence: "content_sanitized: true (secure)",
+            },
+            {
+                pattern: /"uses_hash_reference"\s*:\s*true/i,
+                evidence: "uses_hash_reference: true (secure)",
+            },
+            {
+                pattern: /"raw_content_included"\s*:\s*false/i,
+                evidence: "raw_content_included: false (secure)",
+            },
+        ];
+        for (const { pattern, evidence } of safePatterns) {
+            if (pattern.test(responseText)) {
+                return {
+                    detected: false,
+                    injectionType: "SANITIZED",
+                    evidence,
+                };
+            }
+        }
+        return { detected: false, injectionType: "UNKNOWN" };
+    }
     /**
      * Analyze response for chain exploitation vulnerabilities (Issue #93, Challenge #6)
      * Detects multi-tool chained exploitation attacks including:
@@ -321,6 +504,72 @@ export class SecurityResponseAnalyzer {
             },
         };
     }
+    /**
+     * Check for secret leakage in response (Issue #103, Challenge #9)
+     * Scans for credential patterns regardless of payload type.
+     *
+     * This method detects when tools inadvertently expose:
+     * - API keys (AWS, OpenAI, GitHub, GitLab, Slack)
+     * - Database connection strings with credentials
+     * - Environment variable values
+     * - Partial key previews
+     *
+     * @note This method must be called separately from analyzeResponse().
+     * It is not part of the standard vulnerability detection flow because
+     * secret leakage detection requires examining ALL responses, not just
+     * those matching attack payloads. Callers should invoke this method
+     * independently when auditing tool responses for credential exposure.
+     *
+     * @example
+     * ```typescript
+     * const analyzer = new SecurityResponseAnalyzer();
+     * const response = await client.callTool("get_status", { verbose: true });
+     *
+     * // Standard vulnerability check
+     * const vulnResult = analyzer.analyzeResponse(response, payload);
+     *
+     * // Additional secret leakage check (separate concern)
+     * const leakResult = analyzer.checkSecretLeakage(response);
+     * if (leakResult.detected) {
+     *   console.warn(`Secret leaked: ${leakResult.evidence}`);
+     * }
+     * ```
+     */
+    checkSecretLeakage(response) {
+        const responseText = this.extractResponseContent(response);
+        const patterns = [
+            { regex: /AKIA[A-Z0-9]{16}/, name: "AWS Access Key" },
+            { regex: /sk-[a-zA-Z0-9]{20,}/, name: "OpenAI API Key" },
+            { regex: /ghp_[a-zA-Z0-9]{36}/, name: "GitHub PAT" },
+            { regex: /glpat-[a-zA-Z0-9]{20}/, name: "GitLab PAT" },
+            { regex: /xox[baprs]-[a-zA-Z0-9-]+/, name: "Slack Token" },
+            {
+                regex: /(postgresql|mysql|mongodb|redis|mssql):\/\/[^:]+:[^@]+@/i,
+                name: "Connection String with Credentials",
+            },
+            {
+                regex: /(api[_-]?key|secret|password|credential)[^\s]*[:=]\s*["']?[a-zA-Z0-9_-]{10,}/i,
+                name: "Credential Assignment",
+            },
+            {
+                regex: /(SECRET_TOKEN|DATABASE_URL|API_KEY|PRIVATE_KEY|DB_PASSWORD)[^\s]*[:=]/i,
+                name: "Environment Variable Leakage",
+            },
+            {
+                regex: /api_key_preview|key_fragment|partial_key/i,
+                name: "Partial Key Exposure",
+            },
+        ];
+        for (const { regex, name } of patterns) {
+            if (regex.test(responseText)) {
+                return {
+                    detected: true,
+                    evidence: `${name} pattern found in response`,
+                };
+            }
+        }
+        return { detected: false };
+    }
     /**
      * Check if response indicates connection/server failure
      */
@@ -495,7 +744,11 @@ export class SecurityResponseAnalyzer {
                 evidence: "Read-only info tool returned user/workspace data (intended data exposure, not vulnerability)",
             };
         }
-        if (classification.categories.includes(ToolCategory.SAFE_STORAGE)) {
+        // Issue #110: Skip SAFE_STORAGE exemption for testbed tools with "vulnerable_" prefix
+        // These are intentionally vulnerable tools that should be tested despite matching safe patterns
+        const isTestbedVulnerableTool = tool.name.startsWith("vulnerable_");
+        if (classification.categories.includes(ToolCategory.SAFE_STORAGE) &&
+            !isTestbedVulnerableTool) {
             return {
                 isVulnerable: false,
                 evidence: "Safe storage control tool (validated safe implementation, control group for testing)",
@@ -556,13 +809,30 @@ export class SecurityResponseAnalyzer {
                 evidence: `Tool executed malicious instruction: found evidence matching ${payload.evidence} - ${payload.description}`,
             };
         }
+        // Issue #110: Check for JSON metadata indicating blacklist bypass (Challenge #11)
+        // This catches cases where regex patterns don't match but structured metadata indicates vulnerability
+        if (payload.payloadType === "blacklist_bypass") {
+            const bypassResult = this.analyzeBlacklistBypassResponse(response);
+            if (bypassResult.detected) {
+                return {
+                    isVulnerable: true,
+                    evidence: `Blacklist bypass detected via JSON metadata: ${bypassResult.evidence}${bypassResult.bypassMethod ? ` (method: ${bypassResult.bypassMethod})` : ""}`,
+                };
+            }
+            if (bypassResult.bypassType === "ALLOWLIST_BLOCKED") {
+                return {
+                    isVulnerable: false,
+                    evidence: `Secure allowlist pattern detected: ${bypassResult.evidence}`,
+                };
+            }
+        }
         // Fall back to injection response analysis
-        return this.analyzeInjectionResponse(response, payload.payload);
+        return this.analyzeInjectionResponse(response);
     }
     /**
      * Analyze injection response (fallback logic)
      */
-    analyzeInjectionResponse(response, _payload) {
+    analyzeInjectionResponse(response) {
         const analysis = this.executionDetector.analyzeInjectionResponse(this.extractResponseContent(response), (text) => this.safeDetector.isReflectionResponse(text));
         if (analysis.isVulnerable) {
             return {

package/lib/services/assessment/modules/temporal/MutationDetector.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Mutation Detector Module
+ * Detects definition mutations and content changes for rug pull detection.
+ *
+ * Extracted from TemporalAssessor as part of Issue #106 refactoring.
+ * DVMCP Challenge 4: Tool descriptions that mutate after N calls to inject malicious instructions.
+ */
+/**
+ * Tracks tool definition snapshots across invocations to detect rug pull mutations.
+ */
+export interface DefinitionSnapshot {
+    invocation: number;
+    description: string | undefined;
+    inputSchema: unknown;
+    timestamp: number;
+}
+/**
+ * Result of definition mutation detection.
+ */
+export interface DefinitionMutation {
+    detectedAt: number;
+    baselineDescription?: string;
+    mutatedDescription?: string;
+    baselineSchema?: unknown;
+    mutatedSchema?: unknown;
+}
+/**
+ * Result of content change detection.
+ */
+export interface ContentChangeResult {
+    detected: boolean;
+    reason: string | null;
+}
+/**
+ * Detects definition mutations and semantic content changes in tool responses.
+ * Used to identify "rug pull" attacks where tools change behavior after N invocations.
+ */
+export declare class MutationDetector {
+    /**
+     * Detect mutations in tool definition across invocation snapshots.
+     * DVMCP Challenge 4: Tool descriptions that mutate after N calls.
+     */
+    detectDefinitionMutation(snapshots: DefinitionSnapshot[]): DefinitionMutation | null;
+    /**
+     * Secondary detection for stateful tools that pass schema comparison.
+     * Catches rug pulls that change content semantically while keeping schema intact.
+     *
+     * Examples detected:
+     * - Weather data -> "Rate limit exceeded, upgrade to premium"
+     * - Stock prices -> "Subscribe for $9.99/month to continue"
+     * - Search results -> "Error: Service unavailable"
+     */
+    detectStatefulContentChange(baseline: unknown, current: unknown): ContentChangeResult;
+    /**
+     * Extract text content from a response for semantic analysis.
+     */
+    private extractTextContent;
+    /**
+     * Check for error-related keywords that indicate service degradation.
+     */
+    private hasErrorKeywords;
+    /**
+     * Check for promotional/monetization keywords that indicate a monetization rug pull.
+     * Enhanced to catch CH4-style rug pulls with limited-time offers, referral codes, etc.
+     *
+     * Combined into single regex for O(text_length) performance instead of O(18 * text_length).
+     */
+    private hasPromotionalKeywords;
+    /**
+     * Check for suspicious URL/link injection that wasn't present initially.
+     * Rug pulls often inject links to external malicious or monetization pages.
+     */
+    private hasSuspiciousLinks;
+}
+//# sourceMappingURL=MutationDetector.d.ts.map

package/lib/services/assessment/modules/temporal/MutationDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MutationDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/temporal/MutationDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B;;;OAGG;IACH,wBAAwB,CACtB,SAAS,EAAE,kBAAkB,EAAE,GAC9B,kBAAkB,GAAG,IAAI;IAgC5B;;;;;;;;OAQG;IACH,2BAA2B,CACzB,QAAQ,EAAE,OAAO,EACjB,OAAO,EAAE,OAAO,GACf,mBAAmB;IAgDtB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAM1B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAcxB;;;;;OAKG;IACH,OAAO,CAAC,sBAAsB;IAU9B;;;OAGG;IACH,OAAO,CAAC,kBAAkB;CAe3B"}

package/lib/services/assessment/modules/temporal/MutationDetector.js

@@ -0,0 +1,147 @@
+/**
+ * Mutation Detector Module
+ * Detects definition mutations and content changes for rug pull detection.
+ *
+ * Extracted from TemporalAssessor as part of Issue #106 refactoring.
+ * DVMCP Challenge 4: Tool descriptions that mutate after N calls to inject malicious instructions.
+ */
+/**
+ * Detects definition mutations and semantic content changes in tool responses.
+ * Used to identify "rug pull" attacks where tools change behavior after N invocations.
+ */
+export class MutationDetector {
+    /**
+     * Detect mutations in tool definition across invocation snapshots.
+     * DVMCP Challenge 4: Tool descriptions that mutate after N calls.
+     */
+    detectDefinitionMutation(snapshots) {
+        if (snapshots.length < 2)
+            return null;
+        const baseline = snapshots[0];
+        for (let i = 1; i < snapshots.length; i++) {
+            const current = snapshots[i];
+            // Check if description changed
+            const descriptionChanged = baseline.description !== current.description;
+            // Check if schema changed (deep comparison)
+            const schemaChanged = JSON.stringify(baseline.inputSchema) !==
+                JSON.stringify(current.inputSchema);
+            if (descriptionChanged || schemaChanged) {
+                return {
+                    detectedAt: current.invocation,
+                    baselineDescription: baseline.description,
+                    mutatedDescription: descriptionChanged
+                        ? current.description
+                        : undefined,
+                    baselineSchema: schemaChanged ? baseline.inputSchema : undefined,
+                    mutatedSchema: schemaChanged ? current.inputSchema : undefined,
+                };
+            }
+        }
+        return null;
+    }
+    /**
+     * Secondary detection for stateful tools that pass schema comparison.
+     * Catches rug pulls that change content semantically while keeping schema intact.
+     *
+     * Examples detected:
+     * - Weather data -> "Rate limit exceeded, upgrade to premium"
+     * - Stock prices -> "Subscribe for $9.99/month to continue"
+     * - Search results -> "Error: Service unavailable"
+     */
+    detectStatefulContentChange(baseline, current) {
+        // Convert to strings for content analysis
+        const baselineText = this.extractTextContent(baseline);
+        const currentText = this.extractTextContent(current);
+        // Skip if both are empty or identical
+        if (!baselineText && !currentText)
+            return { detected: false, reason: null };
+        if (baselineText === currentText)
+            return { detected: false, reason: null };
+        // Check 1: Error keywords appearing in later responses (not present in baseline)
+        if (this.hasErrorKeywords(currentText) &&
+            !this.hasErrorKeywords(baselineText)) {
+            return { detected: true, reason: "error_keywords_appeared" };
+        }
+        // Check 2: Promotional/payment keywords (rug pull monetization pattern)
+        if (this.hasPromotionalKeywords(currentText) &&
+            !this.hasPromotionalKeywords(baselineText)) {
+            return { detected: true, reason: "promotional_keywords_appeared" };
+        }
+        // Check 3: Suspicious links injected (URLs not present in baseline)
+        if (this.hasSuspiciousLinks(currentText) &&
+            !this.hasSuspiciousLinks(baselineText)) {
+            return { detected: true, reason: "suspicious_links_injected" };
+        }
+        // Check 4: Significant length DECREASE only (response becoming much shorter)
+        // This catches cases where helpful responses shrink to terse error messages
+        // We don't flag length increase because stateful tools legitimately accumulate data
+        if (baselineText.length > 20) {
+            // Only check if baseline has meaningful content
+            const lengthRatio = currentText.length / baselineText.length;
+            if (lengthRatio < 0.3) {
+                // Response shrunk to <30% of original
+                return { detected: true, reason: "significant_length_decrease" };
+            }
+        }
+        return { detected: false, reason: null };
+    }
+    /**
+     * Extract text content from a response for semantic analysis.
+     */
+    extractTextContent(obj) {
+        if (typeof obj === "string")
+            return obj;
+        if (typeof obj !== "object" || !obj)
+            return "";
+        return JSON.stringify(obj);
+    }
+    /**
+     * Check for error-related keywords that indicate service degradation.
+     */
+    hasErrorKeywords(text) {
+        const patterns = [
+            /\berror\b/i,
+            /\bfail(ed|ure)?\b/i,
+            /\bunavailable\b/i,
+            /\brate\s*limit/i,
+            /\bdenied\b/i,
+            /\bexpired\b/i,
+            /\btimeout\b/i,
+            /\bblocked\b/i,
+        ];
+        return patterns.some((p) => p.test(text));
+    }
+    /**
+     * Check for promotional/monetization keywords that indicate a monetization rug pull.
+     * Enhanced to catch CH4-style rug pulls with limited-time offers, referral codes, etc.
+     *
+     * Combined into single regex for O(text_length) performance instead of O(18 * text_length).
+     */
+    hasPromotionalKeywords(text) {
+        // Single combined regex with alternation - matches all 18 original patterns
+        // Word-boundary patterns: upgrade, premium, discount, exclusive, subscription variants,
+        //   multi-word phrases (pro plan, buy now, limited time/offer, free trial, etc.)
+        // Non-word patterns: price ($X.XX), percentage (N% off/discount)
+        const PROMO_PATTERN = /\b(?:upgrade|premium|discount|exclusive|subscri(?:be|ption)|pro\s*plan|buy\s*now|limited\s*(?:time|offer)|free\s*trial|special\s*offer|referral\s*code|promo\s*code|act\s*now|don't\s*miss|for\s*a\s*fee|pay(?:ment)?\s*(?:required|needed|now))\b|\$\d+(?:\.\d{2})?|\b\d+%\s*(?:off|discount)\b/i;
+        return PROMO_PATTERN.test(text);
+    }
+    /**
+     * Check for suspicious URL/link injection that wasn't present initially.
+     * Rug pulls often inject links to external malicious or monetization pages.
+     */
+    hasSuspiciousLinks(text) {
+        const patterns = [
+            // HTTP(S) URLs
+            /https?:\/\/[^\s]+/i,
+            // Markdown links
+            /\[.{0,50}?\]\(.{0,200}?\)/,
+            // URL shorteners
+            /\b(bit\.ly|tinyurl|t\.co|goo\.gl|ow\.ly|buff\.ly)\b/i,
+            // Click-bait action patterns
+            /\bclick\s*(here|now|this)\b/i,
+            /\bvisit\s*our\s*(website|site|page)\b/i,
+            /\b(sign\s*up|register)\s*(here|now|at)\b/i,
+        ];
+        return patterns.some((p) => p.test(text));
+    }
+}