@bryan-thompson/inspector-assessment-client 1.30.0 → 1.31.0

package/lib/services/assessment/AssessmentOrchestrator.js

@@ -29,6 +29,8 @@ import { PromptAssessor } from "./modules/PromptAssessor.js";
 import { CrossCapabilitySecurityAssessor } from "./modules/CrossCapabilitySecurityAssessor.js";
 // Code quality assessors
 import { FileModularizationAssessor } from "./modules/FileModularizationAssessor.js";
+// Official MCP conformance testing
+import { ConformanceAssessor } from "./modules/ConformanceAssessor.js";
 // Note: ProtocolConformanceAssessor merged into ProtocolComplianceAssessor (v1.25.2)
 // Pattern configuration for tool annotation assessment
 import { loadPatternConfig, compilePatterns, } from "./config/annotationPatterns.js";
@@ -82,6 +84,8 @@ export class AssessmentOrchestrator {
     crossCapabilityAssessor;
     // Code quality assessors
     fileModularizationAssessor;
+    // Official MCP conformance testing (opt-in via --conformance flag)
+    conformanceAssessor;
     // Note: protocolConformanceAssessor merged into protocolComplianceAssessor (v1.25.2)
     constructor(config = {}) {
         this.config = { ...DEFAULT_ASSESSMENT_CONFIG, ...config };
@@ -182,6 +186,11 @@ export class AssessmentOrchestrator {
             if (this.config.assessmentCategories?.fileModularization) {
                 this.fileModularizationAssessor = new FileModularizationAssessor(this.config);
             }
+            // Initialize official MCP conformance testing (opt-in via --conformance flag)
+            // Requires HTTP/SSE transport with serverUrl available
+            if (this.config.assessmentCategories?.conformance) {
+                this.conformanceAssessor = new ConformanceAssessor(this.config);
+            }
             // Note: Protocol conformance now handled by unified ProtocolComplianceAssessor above
         }
         // Wire up Claude bridge to TestDataGenerator for intelligent test generation
@@ -305,6 +314,10 @@ export class AssessmentOrchestrator {
         if (this.fileModularizationAssessor) {
             this.fileModularizationAssessor.resetTestCount();
         }
+        // Reset official conformance assessor
+        if (this.conformanceAssessor) {
+            this.conformanceAssessor.resetTestCount();
+        }
     }
     /**
      * Run a complete assessment on an MCP server
@@ -462,6 +475,15 @@ export class AssessmentOrchestrator {
                     return (assessmentResults.fileModularization = r);
                 }));
             }
+            // Official MCP conformance testing (opt-in, requires HTTP/SSE transport)
+            if (this.conformanceAssessor) {
+                // Conformance tests ~7 server scenarios
+                emitModuleStartedEvent("Conformance", 7, toolCount);
+                assessmentPromises.push(this.conformanceAssessor.assess(context).then((r) => {
+                    emitModuleProgress("Conformance", r.status, r, this.conformanceAssessor.getTestCount());
+                    return (assessmentResults.conformance = r);
+                }));
+            }
             // Note: Protocol Conformance now handled by unified ProtocolComplianceAssessor above
             await Promise.all(assessmentPromises);
         }
@@ -587,6 +609,13 @@ export class AssessmentOrchestrator {
                     await this.fileModularizationAssessor.assess(context);
                 emitModuleProgress("File Modularization", assessmentResults.fileModularization.status, assessmentResults.fileModularization, this.fileModularizationAssessor.getTestCount());
             }
+            // Official MCP conformance testing (sequential, opt-in)
+            if (this.conformanceAssessor) {
+                emitModuleStartedEvent("Conformance", 7, toolCount);
+                assessmentResults.conformance =
+                    await this.conformanceAssessor.assess(context);
+                emitModuleProgress("Conformance", assessmentResults.conformance.status, assessmentResults.conformance, this.conformanceAssessor.getTestCount());
+            }
             // Note: Protocol Conformance now handled by unified ProtocolComplianceAssessor above
         }
         // Integrate temporal findings into security.vulnerabilities for unified view
@@ -668,6 +697,8 @@ export class AssessmentOrchestrator {
         const crossCapabilityCount = this.crossCapabilityAssessor?.getTestCount() || 0;
         // Code quality assessor counts
         const fileModularizationCount = this.fileModularizationAssessor?.getTestCount() || 0;
+        // Official MCP conformance test count
+        const conformanceCount = this.conformanceAssessor?.getTestCount() || 0;
         // Note: Protocol conformance now included in mcpSpecCount (unified ProtocolComplianceAssessor)
         this.logger.debug("Test counts by assessor", {
             functionality: functionalityCount,
@@ -688,6 +719,7 @@ export class AssessmentOrchestrator {
             prompts: promptsCount,
             crossCapability: crossCapabilityCount,
             fileModularization: fileModularizationCount,
+            conformance: conformanceCount,
             // Note: protocolConformance now included in mcpSpec (unified)
         });
         total =
@@ -708,7 +740,8 @@ export class AssessmentOrchestrator {
                 resourcesCount +
                 promptsCount +
                 crossCapabilityCount +
-                fileModularizationCount;
+                fileModularizationCount +
+                conformanceCount;
         // Note: protocolConformance now included in mcpSpecCount (unified)
         this.logger.debug("Total test count", { total });
         return total;

package/lib/services/assessment/ResponseValidator.d.ts

@@ -24,6 +24,16 @@ export interface ValidationContext {
     scenarioCategory?: "happy_path" | "edge_case" | "boundary" | "error_case";
 }
 export declare class ResponseValidator {
+    /**
+     * Safely extract content array from response using Zod validation.
+     * Falls back to undefined if content is not a valid array.
+     */
+    private static safeGetContentArray;
+    /**
+     * Safely parse MCP tool call result using Zod validation.
+     * Returns validated data or undefined if validation fails.
+     */
+    private static safeGetMCPResponse;
     /**
      * Extract response metadata including content types, structuredContent, and _meta
      */

package/lib/services/assessment/ResponseValidator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ResponseValidator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/ResponseValidator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAOzD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,EACV,eAAe,GACf,mBAAmB,GACnB,mBAAmB,GACnB,QAAQ,GACR,OAAO,CAAC;IACZ,8EAA8E;IAC9E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,QAAQ,EAAE,2BAA2B,CAAC;IACtC,gBAAgB,CAAC,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;CAC3E;AAED,qBAAa,iBAAiB;IAC5B;;OAEG;IACH,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB;IAoG5E;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB;IAgHrE;;;OAGG;IACH,MAAM,CAAC,oBAAoB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO;IAgThE;;OAEG;IACH,MAAM,CAAC,0BAA0B,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM;CAsBvE"}
+{"version":3,"file":"ResponseValidator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/ResponseValidator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAazD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,EACV,eAAe,GACf,mBAAmB,GACnB,mBAAmB,GACnB,QAAQ,GACR,OAAO,CAAC;IACZ,8EAA8E;IAC9E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,QAAQ,EAAE,2BAA2B,CAAC;IACtC,gBAAgB,CAAC,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;CAC3E;AAED,qBAAa,iBAAiB;IAC5B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAOjC;;OAEG;IACH,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB;IA2G5E;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB;IAgHrE;;;OAGG;IACH,MAAM,CAAC,oBAAoB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO;IAgThE;;OAEG;IACH,MAAM,CAAC,0BAA0B,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM;CAsBvE"}

package/lib/services/assessment/ResponseValidator.js

@@ -6,13 +6,31 @@
  * @module assessment/ResponseValidator
  */
 import { validateToolOutput, hasOutputSchema, tryExtractJsonFromContent, } from "../../utils/schemaUtils.js";
+import { safeParseContentArray, safeParseMCPToolCallResult, } from "./responseValidatorSchemas.js";
 export class ResponseValidator {
+    /**
+     * Safely extract content array from response using Zod validation.
+     * Falls back to undefined if content is not a valid array.
+     */
+    static safeGetContentArray(response) {
+        const parseResult = safeParseContentArray(response.content);
+        return parseResult.success ? parseResult.data : undefined;
+    }
+    /**
+     * Safely parse MCP tool call result using Zod validation.
+     * Returns validated data or undefined if validation fails.
+     */
+    static safeGetMCPResponse(response) {
+        const parseResult = safeParseMCPToolCallResult(response);
+        return parseResult.success ? parseResult.data : undefined;
+    }
     /**
      * Extract response metadata including content types, structuredContent, and _meta
      */
     static extractResponseMetadata(context) {
-        const content = context.response.content;
-        const response = context.response;
+        // Use validated parsing for content array and full response
+        const content = this.safeGetContentArray(context.response);
+        const validatedResponse = this.safeGetMCPResponse(context.response);
         // Track content types present
         const contentTypes = [];
         let textBlockCount = 0;
@@ -40,17 +58,23 @@ export class ResponseValidator {
             }
         }
         // Check for structuredContent property (MCP 2024-11-05+)
-        const hasStructuredContent = "structuredContent" in response &&
-            response.structuredContent !== undefined;
+        // Use validated response data when available, fallback to raw response check
+        const hasStructuredContent = validatedResponse?.structuredContent !== undefined ||
+            ("structuredContent" in context.response &&
+                context.response.structuredContent !== undefined);
         // Check for _meta property
-        const hasMeta = "_meta" in response && response._meta !== undefined;
+        const hasMeta = validatedResponse?._meta !== undefined ||
+            ("_meta" in context.response && context.response._meta !== undefined);
         // Output schema validation
         let outputSchemaValidation;
         const toolHasOutputSchema = hasOutputSchema(context.tool.name);
         if (toolHasOutputSchema) {
             if (hasStructuredContent) {
                 // Primary path: validate structuredContent
-                const validation = validateToolOutput(context.tool.name, response.structuredContent);
+                // Prefer validated data, fallback to raw response
+                const structuredContent = validatedResponse?.structuredContent ??
+                    context.response.structuredContent;
+                const validation = validateToolOutput(context.tool.name, structuredContent);
                 outputSchemaValidation = {
                     hasOutputSchema: true,
                     isValid: validation.isValid,

package/lib/services/assessment/config/performanceConfig.d.ts

@@ -102,6 +102,8 @@ export declare const PERFORMANCE_PRESETS: {
  * Validate a partial performance config.
  * Ensures values are within reasonable bounds.
  *
+ * Uses Zod schema validation under the hood (Issue #84).
+ *
  * @public
  * @param config - Partial config to validate
  * @returns Array of validation error messages (empty if valid)

package/lib/services/assessment/config/performanceConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"performanceConfig.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/config/performanceConfig.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAE5C;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,sBAAsB,EAAE,MAAM,CAAC;IAE/B;;;OAGG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAE1B;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;;;;;;;OAUG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;OAIG;IACH,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,EAAE,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CASzE,CAAC;AAEL;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,mDAAmD;;IAGnD,8CAA8C;;;;8BA1ExB,MAAM;uBAoBb,MAAM;+BAOE,MAAM;+BAaN,MAAM;kCAOH,MAAM;;IAkChC,kEAAkE;;;;;8BAjF5C,MAAM;uBAoBb,MAAM;+BAOE,MAAM;kCAoBH,MAAM;;CAyCxB,CAAC;AAEX;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,OAAO,CAAC,iBAAiB,CAAC,GACjC,MAAM,EAAE,CAwDV;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAClC,QAAQ,CAAC,iBAAiB,CAAC,CAsB7B;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,CAAC,EAAE,MAAM,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,QAAQ,CAAC,iBAAiB,CAAC,CAyC7B"}
+{"version":3,"file":"performanceConfig.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/config/performanceConfig.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAG5C;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,sBAAsB,EAAE,MAAM,CAAC;IAE/B;;;OAGG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAE1B;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;;;;;;;OAUG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;OAIG;IACH,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,EAAE,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CASzE,CAAC;AAEL;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,mDAAmD;;IAGnD,8CAA8C;;;;8BA1ExB,MAAM;uBAoBb,MAAM;+BAOE,MAAM;+BAaN,MAAM;kCAOH,MAAM;;IAkChC,kEAAkE;;;;;8BAjF5C,MAAM;uBAoBb,MAAM;+BAOE,MAAM;kCAoBH,MAAM;;CAyCxB,CAAC;AAEX;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,OAAO,CAAC,iBAAiB,CAAC,GACjC,MAAM,EAAE,CAGV;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAClC,QAAQ,CAAC,iBAAiB,CAAC,CAsB7B;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,CAAC,EAAE,MAAM,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,QAAQ,CAAC,iBAAiB,CAAC,CAyC7B"}

package/lib/services/assessment/config/performanceConfig.js

@@ -10,6 +10,7 @@
  * @see https://github.com/triepod-ai/inspector-assessment/issues/37
  */
 import * as fs from "fs";
+import { validatePerformanceConfigWithZod } from "./performanceConfigSchemas.js";
 /**
  * Default performance configuration.
  * These values preserve existing behavior across all modules.
@@ -49,44 +50,15 @@ export const PERFORMANCE_PRESETS = {
  * Validate a partial performance config.
  * Ensures values are within reasonable bounds.
  *
+ * Uses Zod schema validation under the hood (Issue #84).
+ *
  * @public
  * @param config - Partial config to validate
  * @returns Array of validation error messages (empty if valid)
  */
 export function validatePerformanceConfig(config) {
-    const errors = [];
-    if (config.batchFlushIntervalMs !== undefined &&
-        (config.batchFlushIntervalMs < 50 || config.batchFlushIntervalMs > 10000)) {
-        errors.push("batchFlushIntervalMs must be between 50 and 10000");
-    }
-    if (config.functionalityBatchSize !== undefined &&
-        (config.functionalityBatchSize < 1 || config.functionalityBatchSize > 100)) {
-        errors.push("functionalityBatchSize must be between 1 and 100");
-    }
-    if (config.securityBatchSize !== undefined &&
-        (config.securityBatchSize < 1 || config.securityBatchSize > 100)) {
-        errors.push("securityBatchSize must be between 1 and 100");
-    }
-    if (config.testTimeoutMs !== undefined &&
-        (config.testTimeoutMs < 100 || config.testTimeoutMs > 300000)) {
-        errors.push("testTimeoutMs must be between 100 and 300000");
-    }
-    if (config.securityTestTimeoutMs !== undefined &&
-        (config.securityTestTimeoutMs < 100 ||
-            config.securityTestTimeoutMs > 300000)) {
-        errors.push("securityTestTimeoutMs must be between 100 and 300000");
-    }
-    if (config.queueWarningThreshold !== undefined &&
-        (config.queueWarningThreshold < 100 ||
-            config.queueWarningThreshold > 1000000)) {
-        errors.push("queueWarningThreshold must be between 100 and 1000000");
-    }
-    if (config.eventEmitterMaxListeners !== undefined &&
-        (config.eventEmitterMaxListeners < 10 ||
-            config.eventEmitterMaxListeners > 1000)) {
-        errors.push("eventEmitterMaxListeners must be between 10 and 1000");
-    }
-    return errors;
+    // Delegate to Zod schema validation
+    return validatePerformanceConfigWithZod(config);
 }
 /**
  * Merge a partial config with defaults.

package/lib/services/assessment/config/performanceConfigSchemas.d.ts

@@ -0,0 +1,111 @@
+/**
+ * Zod Schemas for Performance Configuration
+ *
+ * Runtime validation schemas for performance configuration.
+ * Replaces manual validatePerformanceConfig() function with declarative schemas.
+ *
+ * @module assessment/config/performanceConfigSchemas
+ * @see performanceConfig.ts for the interface definitions
+ * @see sharedSchemas.ts for PERF_CONFIG_RANGES constants
+ */
+import { z } from "zod";
+import { PERF_CONFIG_RANGES } from "../../../lib/assessment/sharedSchemas.js";
+export { PERF_CONFIG_RANGES };
+/**
+ * Schema for performance configuration fields.
+ * All fields are optional since partial configs are merged with defaults.
+ *
+ * Validation ranges are defined in PERF_CONFIG_RANGES (sharedSchemas.ts).
+ */
+export declare const PerformanceConfigSchema: z.ZodObject<{
+    /**
+     * Interval in milliseconds between progress batch flushes.
+     */
+    batchFlushIntervalMs: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Batch size for functionality assessment progress events.
+     */
+    functionalityBatchSize: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Batch size for security assessment progress events.
+     */
+    securityBatchSize: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Timeout for individual test scenario execution in milliseconds.
+     */
+    testTimeoutMs: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Timeout for individual security payload tests in milliseconds.
+     */
+    securityTestTimeoutMs: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Warning threshold for queue depth monitoring.
+     */
+    queueWarningThreshold: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Maximum EventEmitter listeners to prevent Node.js warnings.
+     */
+    eventEmitterMaxListeners: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    batchFlushIntervalMs?: number;
+    functionalityBatchSize?: number;
+    securityBatchSize?: number;
+    testTimeoutMs?: number;
+    securityTestTimeoutMs?: number;
+    queueWarningThreshold?: number;
+    eventEmitterMaxListeners?: number;
+}, {
+    batchFlushIntervalMs?: number;
+    functionalityBatchSize?: number;
+    securityBatchSize?: number;
+    testTimeoutMs?: number;
+    securityTestTimeoutMs?: number;
+    queueWarningThreshold?: number;
+    eventEmitterMaxListeners?: number;
+}>;
+/**
+ * Type inferred from the schema.
+ * Equivalent to Partial<PerformanceConfig> from performanceConfig.ts
+ */
+export type PartialPerformanceConfig = z.infer<typeof PerformanceConfigSchema>;
+/**
+ * Validate a partial performance config using Zod.
+ * Drop-in replacement for the manual validatePerformanceConfig() function.
+ *
+ * @param config - Partial config to validate
+ * @returns Array of validation error messages (empty if valid)
+ */
+export declare function validatePerformanceConfigWithZod(config: unknown): string[];
+/**
+ * Parse and validate a performance config, returning the validated data.
+ * Throws ZodError if validation fails.
+ *
+ * @param config - Config to parse and validate
+ * @returns Validated partial config
+ * @throws ZodError if validation fails
+ */
+export declare function parsePerformanceConfig(config: unknown): PartialPerformanceConfig;
+/**
+ * Safely parse a performance config without throwing.
+ *
+ * @param config - Config to parse and validate
+ * @returns SafeParseResult with success status and data/error
+ */
+export declare function safeParsePerformanceConfig(config: unknown): z.SafeParseReturnType<{
+    batchFlushIntervalMs?: number;
+    functionalityBatchSize?: number;
+    securityBatchSize?: number;
+    testTimeoutMs?: number;
+    securityTestTimeoutMs?: number;
+    queueWarningThreshold?: number;
+    eventEmitterMaxListeners?: number;
+}, {
+    batchFlushIntervalMs?: number;
+    functionalityBatchSize?: number;
+    securityBatchSize?: number;
+    testTimeoutMs?: number;
+    securityTestTimeoutMs?: number;
+    queueWarningThreshold?: number;
+    eventEmitterMaxListeners?: number;
+}>;
+//# sourceMappingURL=performanceConfigSchemas.d.ts.map

package/lib/services/assessment/config/performanceConfigSchemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"performanceConfigSchemas.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/config/performanceConfigSchemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAG3E,OAAO,EAAE,kBAAkB,EAAE,CAAC;AAE9B;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB;IAClC;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;;;;;;;;;;;;;;;;;EAaH,CAAC;AAEH;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE/E;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,CAW1E;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,OAAO,GACd,wBAAwB,CAE1B;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,OAAO;;;;;;;;;;;;;;;;GAEzD"}

package/lib/services/assessment/config/performanceConfigSchemas.js

@@ -0,0 +1,123 @@
+/**
+ * Zod Schemas for Performance Configuration
+ *
+ * Runtime validation schemas for performance configuration.
+ * Replaces manual validatePerformanceConfig() function with declarative schemas.
+ *
+ * @module assessment/config/performanceConfigSchemas
+ * @see performanceConfig.ts for the interface definitions
+ * @see sharedSchemas.ts for PERF_CONFIG_RANGES constants
+ */
+import { z } from "zod";
+// Import validation range constants from single source of truth
+import { PERF_CONFIG_RANGES } from "../../../lib/assessment/sharedSchemas.js";
+// Re-export for consumers who need the range constants
+export { PERF_CONFIG_RANGES };
+/**
+ * Schema for performance configuration fields.
+ * All fields are optional since partial configs are merged with defaults.
+ *
+ * Validation ranges are defined in PERF_CONFIG_RANGES (sharedSchemas.ts).
+ */
+export const PerformanceConfigSchema = z.object({
+    /**
+     * Interval in milliseconds between progress batch flushes.
+     */
+    batchFlushIntervalMs: z
+        .number()
+        .int("batchFlushIntervalMs must be an integer")
+        .min(PERF_CONFIG_RANGES.batchFlushIntervalMs.min, `batchFlushIntervalMs must be >= ${PERF_CONFIG_RANGES.batchFlushIntervalMs.min}`)
+        .max(PERF_CONFIG_RANGES.batchFlushIntervalMs.max, `batchFlushIntervalMs must be <= ${PERF_CONFIG_RANGES.batchFlushIntervalMs.max}`)
+        .optional(),
+    /**
+     * Batch size for functionality assessment progress events.
+     */
+    functionalityBatchSize: z
+        .number()
+        .int("functionalityBatchSize must be an integer")
+        .min(PERF_CONFIG_RANGES.functionalityBatchSize.min, `functionalityBatchSize must be >= ${PERF_CONFIG_RANGES.functionalityBatchSize.min}`)
+        .max(PERF_CONFIG_RANGES.functionalityBatchSize.max, `functionalityBatchSize must be <= ${PERF_CONFIG_RANGES.functionalityBatchSize.max}`)
+        .optional(),
+    /**
+     * Batch size for security assessment progress events.
+     */
+    securityBatchSize: z
+        .number()
+        .int("securityBatchSize must be an integer")
+        .min(PERF_CONFIG_RANGES.securityBatchSize.min, `securityBatchSize must be >= ${PERF_CONFIG_RANGES.securityBatchSize.min}`)
+        .max(PERF_CONFIG_RANGES.securityBatchSize.max, `securityBatchSize must be <= ${PERF_CONFIG_RANGES.securityBatchSize.max}`)
+        .optional(),
+    /**
+     * Timeout for individual test scenario execution in milliseconds.
+     */
+    testTimeoutMs: z
+        .number()
+        .int("testTimeoutMs must be an integer")
+        .min(PERF_CONFIG_RANGES.testTimeoutMs.min, `testTimeoutMs must be >= ${PERF_CONFIG_RANGES.testTimeoutMs.min}`)
+        .max(PERF_CONFIG_RANGES.testTimeoutMs.max, `testTimeoutMs must be <= ${PERF_CONFIG_RANGES.testTimeoutMs.max}`)
+        .optional(),
+    /**
+     * Timeout for individual security payload tests in milliseconds.
+     */
+    securityTestTimeoutMs: z
+        .number()
+        .int("securityTestTimeoutMs must be an integer")
+        .min(PERF_CONFIG_RANGES.securityTestTimeoutMs.min, `securityTestTimeoutMs must be >= ${PERF_CONFIG_RANGES.securityTestTimeoutMs.min}`)
+        .max(PERF_CONFIG_RANGES.securityTestTimeoutMs.max, `securityTestTimeoutMs must be <= ${PERF_CONFIG_RANGES.securityTestTimeoutMs.max}`)
+        .optional(),
+    /**
+     * Warning threshold for queue depth monitoring.
+     */
+    queueWarningThreshold: z
+        .number()
+        .int("queueWarningThreshold must be an integer")
+        .min(PERF_CONFIG_RANGES.queueWarningThreshold.min, `queueWarningThreshold must be >= ${PERF_CONFIG_RANGES.queueWarningThreshold.min}`)
+        .max(PERF_CONFIG_RANGES.queueWarningThreshold.max, `queueWarningThreshold must be <= ${PERF_CONFIG_RANGES.queueWarningThreshold.max}`)
+        .optional(),
+    /**
+     * Maximum EventEmitter listeners to prevent Node.js warnings.
+     */
+    eventEmitterMaxListeners: z
+        .number()
+        .int("eventEmitterMaxListeners must be an integer")
+        .min(PERF_CONFIG_RANGES.eventEmitterMaxListeners.min, `eventEmitterMaxListeners must be >= ${PERF_CONFIG_RANGES.eventEmitterMaxListeners.min}`)
+        .max(PERF_CONFIG_RANGES.eventEmitterMaxListeners.max, `eventEmitterMaxListeners must be <= ${PERF_CONFIG_RANGES.eventEmitterMaxListeners.max}`)
+        .optional(),
+});
+/**
+ * Validate a partial performance config using Zod.
+ * Drop-in replacement for the manual validatePerformanceConfig() function.
+ *
+ * @param config - Partial config to validate
+ * @returns Array of validation error messages (empty if valid)
+ */
+export function validatePerformanceConfigWithZod(config) {
+    const result = PerformanceConfigSchema.safeParse(config);
+    if (result.success) {
+        return [];
+    }
+    return result.error.errors.map((e) => {
+        const path = e.path.length > 0 ? `${e.path.join(".")}: ` : "";
+        return `${path}${e.message}`;
+    });
+}
+/**
+ * Parse and validate a performance config, returning the validated data.
+ * Throws ZodError if validation fails.
+ *
+ * @param config - Config to parse and validate
+ * @returns Validated partial config
+ * @throws ZodError if validation fails
+ */
+export function parsePerformanceConfig(config) {
+    return PerformanceConfigSchema.parse(config);
+}
+/**
+ * Safely parse a performance config without throwing.
+ *
+ * @param config - Config to parse and validate
+ * @returns SafeParseResult with success status and data/error
+ */
+export function safeParsePerformanceConfig(config) {
+    return PerformanceConfigSchema.safeParse(config);
+}

package/lib/services/assessment/modules/ConformanceAssessor.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Conformance Assessor Module
+ *
+ * Integrates official MCP conformance tests from @modelcontextprotocol/conformance.
+ * Runs server-side conformance validation against the MCP specification.
+ *
+ * Requirements:
+ * - HTTP/SSE transport (requires serverUrl in config)
+ * - Opt-in via --conformance flag or assessmentCategories.conformance = true
+ *
+ * @module assessment/modules/ConformanceAssessor
+ */
+import { BaseAssessor } from "./BaseAssessor.js";
+import { AssessmentContext } from "../AssessmentOrchestrator.js";
+import type { ConformanceAssessment } from "../../../lib/assessment/extendedTypes.js";
+/**
+ * Conformance Assessor
+ *
+ * Runs official MCP conformance tests against the server.
+ * Requires HTTP/SSE transport with serverUrl available.
+ */
+export declare class ConformanceAssessor extends BaseAssessor<ConformanceAssessment> {
+    /**
+     * Run conformance assessment
+     */
+    assess(context: AssessmentContext): Promise<ConformanceAssessment>;
+    /**
+     * Run a single conformance scenario
+     */
+    private runScenario;
+    /**
+     * Find the checks.json file in the results directory
+     */
+    private findChecksFile;
+    /**
+     * Parse checks.json file from conformance results
+     */
+    private parseChecksFile;
+    /**
+     * Cleanup temporary directory
+     */
+    private cleanupTempDir;
+    /**
+     * Determine overall conformance status
+     */
+    private determineConformanceStatus;
+    /**
+     * Generate human-readable explanation
+     */
+    private generateExplanation;
+    /**
+     * Generate recommendations based on failures
+     */
+    private generateRecommendations;
+    /**
+     * Create a skipped result when conformance tests cannot run
+     */
+    private createSkippedResult;
+}
+//# sourceMappingURL=ConformanceAssessor.d.ts.map

package/lib/services/assessment/modules/ConformanceAssessor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConformanceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ConformanceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAOH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,qBAAqB,EAGtB,MAAM,gCAAgC,CAAC;AAgCxC;;;;;GAKG;AACH,qBAAa,mBAAoB,SAAQ,YAAY,CAAC,qBAAqB,CAAC;IAC1E;;OAEG;IACG,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAwFxE;;OAEG;YACW,WAAW;IAwEzB;;OAEG;IACH,OAAO,CAAC,cAAc;IAwBtB;;OAEG;IACH,OAAO,CAAC,eAAe;IAmBvB;;OAEG;IACH,OAAO,CAAC,cAAc;IAQtB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA+BlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAyB3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA+C/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAmB5B"}