@bryan-thompson/inspector-assessment-client 1.29.0 → 1.30.0

package/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js

@@ -372,7 +372,10 @@ export class SecurityResponseAnalyzer {
             { pattern: /<\|system\|>/i, name: "<|system|>" },
             { pattern: /<\|user\|>/i, name: "<|user|>" },
             { pattern: /\{\{SYSTEM_PROMPT\}\}/i, name: "{{SYSTEM_PROMPT}}" },
-            { pattern: /ignore.*previous.*instructions/i, name: "ignore instructions" },
+            {
+                pattern: /ignore.*previous.*instructions/i,
+                name: "ignore instructions",
+            },
         ];
         for (const { pattern, name } of markerPatterns) {
             if (pattern.test(responseText)) {
@@ -441,6 +444,404 @@ export class SecurityResponseAnalyzer {
         }
         return { detected: false, injectionType: "UNKNOWN" };
     }
+    /**
+     * Analyze response for session management vulnerabilities (Issue #111, Challenge #12)
+     * Detects 5 CWEs from mcp-vulnerable-testbed:
+     * - CWE-384: Session Fixation (accepts external session ID, no regeneration)
+     * - CWE-330: Predictable Tokens (session_{user}_{timestamp}_{counter})
+     * - CWE-613: No Session Timeout (expires_at: null, timeout_checked: false)
+     * - CWE-200: ID Exposure in URL (session_url contains session_id=)
+     *
+     * @param response The tool response to analyze
+     * @returns Analysis result with session management detection status
+     */
+    analyzeSessionManagementResponse(response) {
+        const responseText = this.extractResponseContent(response);
+        const cweIds = [];
+        let vulnerabilityType = "UNKNOWN";
+        let evidence;
+        // Check for safe patterns first (hardened server)
+        const safePatterns = [
+            {
+                pattern: /"fixation_prevented"\s*:\s*true/i,
+                name: "fixation_prevented",
+            },
+            { pattern: /"token_secure"\s*:\s*true/i, name: "token_secure" },
+            { pattern: /"timeout_enforced"\s*:\s*true/i, name: "timeout_enforced" },
+            { pattern: /"id_in_url"\s*:\s*false/i, name: "id_in_url: false" },
+            {
+                pattern: /"regeneration_on_auth"\s*:\s*true/i,
+                name: "regeneration_on_auth",
+            },
+            { pattern: /"attack_blocked"\s*:\s*true/i, name: "attack_blocked" },
+            { pattern: /"cwe_384_mitigated"\s*:\s*true/i, name: "cwe_384_mitigated" },
+        ];
+        for (const { pattern, name } of safePatterns) {
+            if (pattern.test(responseText)) {
+                return {
+                    detected: false,
+                    vulnerabilityType: "UNKNOWN",
+                    cweIds: [],
+                    evidence: `Secure session management: ${name}`,
+                };
+            }
+        }
+        // CWE-384: Session Fixation (external ID accepted)
+        const fixationPatterns = [
+            {
+                pattern: /"attacker_controlled"\s*:\s*true/i,
+                evidence: "attacker_controlled: true (session fixation)",
+            },
+            {
+                pattern: /"fixed"\s*:\s*true/i,
+                evidence: "fixed: true (fixated session)",
+            },
+            {
+                pattern: /session\s*fixation\s*accepted/i,
+                evidence: "session fixation attack accepted",
+            },
+            {
+                pattern: /"fixation_url"\s*:/i,
+                evidence: "fixation_url present (attack vector)",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of fixationPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-384"))
+                    cweIds.push("CWE-384");
+                vulnerabilityType = "SESSION_FIXATION";
+                evidence = evidenceText;
+                break;
+            }
+        }
+        // CWE-384: No Regeneration after authentication
+        if (/"session_regenerated"\s*:\s*false/i.test(responseText)) {
+            if (!cweIds.includes("CWE-384"))
+                cweIds.push("CWE-384");
+            if (vulnerabilityType === "UNKNOWN") {
+                vulnerabilityType = "NO_REGENERATION";
+                evidence = "session_regenerated: false (CWE-384)";
+            }
+        }
+        // CWE-330: Predictable Token Pattern
+        const predictablePatterns = [
+            {
+                pattern: /"token_pattern"\s*:\s*"session_\{user\}_\{timestamp\}_\{counter\}"/i,
+                evidence: "Predictable token pattern exposed: session_{user}_{timestamp}_{counter}",
+            },
+            {
+                pattern: /"session_id"\s*:\s*"session_[a-z0-9]+_\d{9,}_\d+"/i,
+                evidence: "Predictable session ID format detected",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of predictablePatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-330"))
+                    cweIds.push("CWE-330");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "PREDICTABLE_TOKEN";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        // CWE-613: No Session Timeout
+        const noTimeoutPatterns = [
+            {
+                pattern: /"expires_at"\s*:\s*null/i,
+                evidence: "expires_at: null (sessions never expire)",
+            },
+            {
+                pattern: /"timeout_checked"\s*:\s*false/i,
+                evidence: "timeout_checked: false (no expiration validation)",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of noTimeoutPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-613"))
+                    cweIds.push("CWE-613");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "NO_TIMEOUT";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        // CWE-200: Session ID in URL
+        const idInUrlPatterns = [
+            {
+                pattern: /"session_url"\s*:\s*"[^"]*[?&]session_id=/i,
+                evidence: "Session ID exposed in URL query parameter",
+            },
+            {
+                pattern: /"fixation_url"\s*:\s*"[^"]*[?&]session_id=/i,
+                evidence: "Session ID exposed in fixation URL",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of idInUrlPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-200"))
+                    cweIds.push("CWE-200");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "ID_IN_URL";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        return {
+            detected: cweIds.length > 0,
+            vulnerabilityType,
+            cweIds: [...new Set(cweIds)], // Dedupe
+            evidence,
+        };
+    }
+    /**
+     * Analyze response for cryptographic failures (Issue #112, Challenge #13)
+     * Detects OWASP A02:2021 Cryptographic Failures from mcp-vulnerable-testbed:
+     * - CWE-328: Weak Hash (MD5/SHA1 for password hashing)
+     * - CWE-916: Static Salt / Weak KDF
+     * - CWE-330: Predictable RNG (random.random() with timestamp seed)
+     * - CWE-208: Timing Attack (non-constant-time comparison)
+     * - CWE-327: Broken Cipher (ECB mode, XOR)
+     * - CWE-321: Hardcoded Key (key_source: "hardcoded")
+     * - CWE-326: Weak Key Length (key_length < 16)
+     *
+     * @param response The tool response to analyze
+     * @returns Analysis result with cryptographic failure detection status
+     */
+    analyzeCryptographicFailures(response) {
+        const responseText = this.extractResponseContent(response);
+        const cweIds = [];
+        let vulnerabilityType = "UNKNOWN";
+        let evidence;
+        // Check for safe patterns first (hardened server)
+        const safePatterns = [
+            {
+                pattern: /"status"\s*:\s*"stored"/i,
+                name: "request stored (not executed)",
+            },
+            {
+                pattern: /"note"\s*:\s*".*blocked.*secure/i,
+                name: "weak crypto blocked",
+            },
+            {
+                pattern: /"recommendation"\s*:\s*"Use\s+(?:bcrypt|scrypt|Argon2|AES-GCM)/i,
+                name: "secure alternative recommended",
+            },
+            {
+                pattern: /"vulnerable"\s*:\s*false/i,
+                name: "vulnerable: false",
+            },
+        ];
+        for (const { pattern, name } of safePatterns) {
+            if (pattern.test(responseText)) {
+                return {
+                    detected: false,
+                    vulnerabilityType: "UNKNOWN",
+                    cweIds: [],
+                    evidence: `Secure crypto handling: ${name}`,
+                };
+            }
+        }
+        // CWE-328: Weak Hash Algorithm (MD5/SHA1)
+        const weakHashPatterns = [
+            {
+                pattern: /"algorithm"\s*:\s*"MD5"/i,
+                evidence: 'algorithm: "MD5" (weak hash for passwords)',
+            },
+            {
+                pattern: /"algorithm"\s*:\s*"SHA1"/i,
+                evidence: 'algorithm: "SHA1" (weak hash for passwords)',
+            },
+            {
+                pattern: /"algorithm_secure"\s*:\s*false/i,
+                evidence: "algorithm_secure: false",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of weakHashPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-328"))
+                    cweIds.push("CWE-328");
+                vulnerabilityType = "WEAK_HASH";
+                evidence = evidenceText;
+                break;
+            }
+        }
+        // CWE-916: Static Salt
+        const staticSaltPatterns = [
+            {
+                pattern: /"salt_type"\s*:\s*"static"/i,
+                evidence: 'salt_type: "static" (same salt for all passwords)',
+            },
+            {
+                pattern: /"salt"\s*:\s*"static_salt_123"/i,
+                evidence: 'salt: "static_salt_123" (hardcoded static salt)',
+            },
+            {
+                pattern: /"salt_secure"\s*:\s*false/i,
+                evidence: "salt_secure: false",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of staticSaltPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-916"))
+                    cweIds.push("CWE-916");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "STATIC_SALT";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        // CWE-330: Predictable RNG
+        const predictableRngPatterns = [
+            {
+                pattern: /"rng_type"\s*:\s*"random\.random\(\)"/i,
+                evidence: 'rng_type: "random.random()" (non-cryptographic RNG)',
+            },
+            {
+                pattern: /"seed"\s*:\s*"timestamp"/i,
+                evidence: 'seed: "timestamp" (predictable seed)',
+            },
+            {
+                pattern: /"cryptographically_secure"\s*:\s*false/i,
+                evidence: "cryptographically_secure: false",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of predictableRngPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-330"))
+                    cweIds.push("CWE-330");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "PREDICTABLE_RNG";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        // CWE-208: Timing Attack
+        const timingPatterns = [
+            {
+                pattern: /"timing_safe"\s*:\s*false/i,
+                evidence: "timing_safe: false (vulnerable to timing attacks)",
+            },
+            {
+                pattern: /"comparison_type"\s*:\s*"direct_equality"/i,
+                evidence: 'comparison_type: "direct_equality" (non-constant-time)',
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of timingPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-208"))
+                    cweIds.push("CWE-208");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "TIMING_ATTACK";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        // CWE-327: Broken Cipher Mode (ECB/XOR)
+        const brokenCipherPatterns = [
+            {
+                pattern: /"mode"\s*:\s*"ECB"/i,
+                evidence: 'mode: "ECB" (pattern leakage in ciphertext)',
+            },
+            {
+                pattern: /"algorithm"\s*:\s*"XOR"/i,
+                evidence: 'algorithm: "XOR" (weak cipher)',
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of brokenCipherPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-327"))
+                    cweIds.push("CWE-327");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "ECB_MODE";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        // CWE-321: Hardcoded Key
+        const hardcodedKeyPatterns = [
+            {
+                pattern: /"key_source"\s*:\s*"hardcoded"/i,
+                evidence: 'key_source: "hardcoded" (key in source code)',
+            },
+            {
+                pattern: /"key_preview"\s*:\s*"hardcode/i,
+                evidence: "key_preview shows hardcoded key",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of hardcodedKeyPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-321"))
+                    cweIds.push("CWE-321");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "HARDCODED_KEY";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        // CWE-916: Weak KDF (MD5 for key derivation)
+        const weakKdfPatterns = [
+            {
+                pattern: /"derivation_function"\s*:\s*"MD5"/i,
+                evidence: 'derivation_function: "MD5" (weak KDF)',
+            },
+            {
+                pattern: /"iterations"\s*:\s*1\b/i,
+                evidence: "iterations: 1 (no key stretching)",
+            },
+            {
+                pattern: /"kdf_secure"\s*:\s*false/i,
+                evidence: "kdf_secure: false",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of weakKdfPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-916"))
+                    cweIds.push("CWE-916");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "WEAK_KDF";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        // CWE-326: Weak Key Length
+        const weakKeyPatterns = [
+            {
+                // Match single digit key_length (1-9 bytes = weak)
+                pattern: /"key_length"\s*:\s*[1-9](?!\d)/i,
+                evidence: "key_length < 10 bytes (weak key)",
+            },
+            {
+                pattern: /"key_secure"\s*:\s*false/i,
+                evidence: "key_secure: false (weak key)",
+            },
+        ];
+        for (const { pattern, evidence: evidenceText } of weakKeyPatterns) {
+            if (pattern.test(responseText)) {
+                if (!cweIds.includes("CWE-326"))
+                    cweIds.push("CWE-326");
+                if (vulnerabilityType === "UNKNOWN") {
+                    vulnerabilityType = "WEAK_KEY_LENGTH";
+                    evidence = evidenceText;
+                }
+                break;
+            }
+        }
+        return {
+            detected: cweIds.length > 0,
+            vulnerabilityType,
+            cweIds: [...new Set(cweIds)], // Dedupe
+            evidence,
+        };
+    }
     /**
      * Analyze response for chain exploitation vulnerabilities (Issue #93, Challenge #6)
      * Detects multi-tool chained exploitation attacks including:

package/lib/services/assessment/modules/securityTests/index.d.ts

@@ -1,6 +1,11 @@
 /**
  * Security Assessment Module
- * Exports all security-related components
+ *
+ * Exports all security-related components for testing MCP servers.
+ * Includes payload generation, testing, and response analysis.
+ *
+ * @public
+ * @module assessment/security
  */
 export { SecurityResponseAnalyzer, type ConfidenceResult, type AnalysisResult, type ErrorClassification, type StateBasedAuthResult, type ChainExploitationAnalysis, type ChainExecutionType, type ChainVulnerabilityCategory, } from "./SecurityResponseAnalyzer.js";
 export { SecurityPayloadTester, type TestProgressCallback, type PayloadTestConfig, type TestLogger, } from "./SecurityPayloadTester.js";

package/lib/services/assessment/modules/securityTests/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,wBAAwB,EACxB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EACvB,KAAK,0BAA0B,GAChC,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,qBAAqB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,UAAU,GAChB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAEtE,OAAO,EACL,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,QAAQ,EACb,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,EAC/B,KAAK,eAAe,GACrB,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,wBAAwB,EACxB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EACvB,KAAK,0BAA0B,GAChC,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,qBAAqB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,UAAU,GAChB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAEtE,OAAO,EACL,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,QAAQ,EACb,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,EAC/B,KAAK,eAAe,GACrB,MAAM,wBAAwB,CAAC"}

package/lib/services/assessment/modules/securityTests/index.js

@@ -1,6 +1,11 @@
 /**
  * Security Assessment Module
- * Exports all security-related components
+ *
+ * Exports all security-related components for testing MCP servers.
+ * Includes payload generation, testing, and response analysis.
+ *
+ * @public
+ * @module assessment/security
  */
 export { SecurityResponseAnalyzer, } from "./SecurityResponseAnalyzer.js";
 export { SecurityPayloadTester, } from "./SecurityPayloadTester.js";

package/lib/services/assessment/orchestratorHelpers.d.ts

@@ -7,6 +7,9 @@
  * - Module progress/started event emission
  * - Overall status determination
  * - Summary and recommendations generation
+ *
+ * @internal
+ * @module orchestratorHelpers
  */
 import { MCPDirectoryAssessment, AssessmentStatus } from "../../lib/assessmentTypes.js";
 export declare const moduleStartTimes: Map<string, number>;

package/lib/services/assessment/orchestratorHelpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"orchestratorHelpers.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/orchestratorHelpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAU/B,eAAO,MAAM,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAa,CAAC;AAE/D;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,MAAM,EACtB,SAAS,EAAE,MAAM,GAChB,IAAI,CAcN;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,OAAO,EACf,QAAQ,GAAE,MAAU,GACnB,IAAI,CAiCN;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,SAAS,EAAE;IACT,UAAU,CAAC,EAAE,KAAK,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC,CAAC;IACH,gBAAgB,CAAC,EAAE;QACjB,SAAS,EAAE,OAAO,CAAC;QACnB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,MAAM,EAAE,OAAO,CAAC;QAChB,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B,EACD,UAAU,GAAE,MAAW,GACtB;IACD,gBAAgB,EAAE,KAAK,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACpC,CAAC;IACF,gBAAgB,EAAE;QAChB,SAAS,EAAE,OAAO,CAAC;QACnB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,MAAM,EAAE,OAAO,CAAC;QAChB,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B,CAkEA;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,GACvC,gBAAgB,CAsBlB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,GACvC,MAAM,CA8ER;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,GACvC,MAAM,EAAE,CAiBV"}
+{"version":3,"file":"orchestratorHelpers.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/orchestratorHelpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAW/B,eAAO,MAAM,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAa,CAAC;AAE/D;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,MAAM,EACtB,SAAS,EAAE,MAAM,GAChB,IAAI,CAeN;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,OAAO,EACf,QAAQ,GAAE,MAAU,GACnB,IAAI,CAkCN;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,SAAS,EAAE;IACT,UAAU,CAAC,EAAE,KAAK,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC,CAAC;IACH,gBAAgB,CAAC,EAAE;QACjB,SAAS,EAAE,OAAO,CAAC;QACnB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,MAAM,EAAE,OAAO,CAAC;QAChB,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B,EACD,UAAU,GAAE,MAAW,GACtB;IACD,gBAAgB,EAAE,KAAK,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACpC,CAAC;IACF,gBAAgB,EAAE;QAChB,SAAS,EAAE,OAAO,CAAC;QACnB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,MAAM,EAAE,OAAO,CAAC;QAChB,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B,CAkEA;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,GACvC,gBAAgB,CAsBlB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,GACvC,MAAM,CA8ER;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,GACvC,MAAM,EAAE,CAiBV"}

package/lib/services/assessment/orchestratorHelpers.js

@@ -7,9 +7,12 @@
  * - Module progress/started event emission
  * - Overall status determination
  * - Summary and recommendations generation
+ *
+ * @internal
+ * @module orchestratorHelpers
  */
 // Import score calculation helpers from shared module
-import { calculateModuleScore, normalizeModuleKey, INSPECTOR_VERSION, } from "../../lib/moduleScoring.js";
+import { calculateModuleScore, normalizeModuleKey, INSPECTOR_VERSION, SCHEMA_VERSION, } from "../../lib/moduleScoring.js";
 // Track module start times for duration calculation
 export const moduleStartTimes = new Map();
 /**
@@ -19,13 +22,14 @@ export const moduleStartTimes = new Map();
 export function emitModuleStartedEvent(moduleName, estimatedTests, toolCount) {
     const moduleKey = normalizeModuleKey(moduleName);
     moduleStartTimes.set(moduleKey, Date.now());
-    // Emit JSONL to stderr with version field
+    // Emit JSONL to stderr with version and schemaVersion fields
     console.error(JSON.stringify({
         event: "module_started",
         module: moduleKey,
         estimatedTests,
         toolCount,
         version: INSPECTOR_VERSION,
+        schemaVersion: SCHEMA_VERSION,
     }));
 }
 /**
@@ -53,13 +57,14 @@ export function emitModuleProgress(moduleName, status, result, testsRun = 0) {
         testsRun,
         duration,
         version: INSPECTOR_VERSION,
+        schemaVersion: SCHEMA_VERSION,
     };
     // Add AUP enrichment when module is AUP
     if (moduleKey === "aup" && result) {
         const aupEnrichment = buildAUPEnrichment(result);
         Object.assign(event, aupEnrichment);
     }
-    // Emit JSONL to stderr with version field
+    // Emit JSONL to stderr with version and schemaVersion fields
     console.error(JSON.stringify(event));
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.29.0",
+  "version": "1.30.0",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",