@bryan-thompson/inspector-assessment-client 1.30.1 → 1.32.0

package/lib/lib/securityPatterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EAq7DnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}
+{"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EAo7DnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}

package/lib/lib/securityPatterns.js

@@ -1798,10 +1798,10 @@ export const SECURITY_ATTACK_PATTERNS = [
                 payloadType: "crypto",
                 parameterTypes: ["action", "operation", "type"],
             },
-            // CWE-326: Inadequate encryption key length
+            // CWE-326: Inadequate encryption key length (< 16 bytes)
             {
                 payload: "sign",
-                evidence: /"key_length"\s*:\s*[1-9](?!\d)|"key_secure"\s*:\s*false|"cwe_ids"\s*:\s*\[.*"CWE-326"/i,
+                evidence: /"key_length"\s*:\s*(?:[1-9]|1[0-5])(?!\d)|"key_secure"\s*:\s*false|"cwe_ids"\s*:\s*\[.*"CWE-326"/i,
                 riskLevel: "HIGH",
                 description: "Weak HMAC key length easily brute-forceable (CWE-326)",
                 payloadType: "crypto",

package/lib/services/assessment/AssessmentOrchestrator.d.ts

@@ -116,24 +116,26 @@ export declare class AssessmentOrchestrator {
     private totalTestsRun;
     private claudeBridge?;
     private claudeEnabled;
-    private functionalityAssessor?;
-    private securityAssessor?;
-    private documentationAssessor?;
-    private errorHandlingAssessor?;
-    private usabilityAssessor?;
-    private protocolComplianceAssessor?;
-    private aupComplianceAssessor?;
-    private toolAnnotationAssessor?;
-    private prohibitedLibrariesAssessor?;
-    private manifestValidationAssessor?;
-    private portabilityAssessor?;
-    private externalAPIScannerAssessor?;
-    private temporalAssessor?;
-    private authenticationAssessor?;
-    private resourceAssessor?;
-    private promptAssessor?;
-    private crossCapabilityAssessor?;
-    private fileModularizationAssessor?;
+    private registry;
+    private get functionalityAssessor();
+    private get securityAssessor();
+    private get documentationAssessor();
+    private get errorHandlingAssessor();
+    private get usabilityAssessor();
+    private get protocolComplianceAssessor();
+    private get aupComplianceAssessor();
+    private get toolAnnotationAssessor();
+    private get prohibitedLibrariesAssessor();
+    private get manifestValidationAssessor();
+    private get portabilityAssessor();
+    private get externalAPIScannerAssessor();
+    private get temporalAssessor();
+    private get authenticationAssessor();
+    private get resourceAssessor();
+    private get promptAssessor();
+    private get crossCapabilityAssessor();
+    private get fileModularizationAssessor();
+    private get conformanceAssessor();
     constructor(config?: Partial<AssessmentConfiguration>);
     /**
      * Get the count of tools that will actually be tested based on selectedToolsForTesting config.

package/lib/services/assessment/AssessmentOrchestrator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AssessmentOrchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/AssessmentOrchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EAEvB,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACX,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,IAAI,EACJ,2BAA2B,EAC5B,MAAM,oCAAoC,CAAC;AAuC5C,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EAEvB,MAAM,wBAAwB,CAAC;AAehC;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAClC,SAAS,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,OAAO,CAAC;QAAC,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3D,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,uBAAuB,CAAC;IAChC,UAAU,CAAC,EAAE,UAAU,CAAC;IAIxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAGtC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IAIrB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAG9B,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC1C,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;IACtB,kBAAkB,CAAC,EAAE,qBAAqB,CAAC;IAG3C,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD,SAAS,CAAC,EAAE,CACV,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACzB,OAAO,CAAC;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IAGrE,eAAe,CAAC,EAAE;QAChB,IAAI,EAAE,OAAO,GAAG,KAAK,GAAG,iBAAiB,CAAC;QAC1C,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,CAAC;IAIF,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,SAAS,CAAa;IAC9B,OAAO,CAAC,aAAa,CAAa;IAGlC,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,aAAa,CAAkB;IAGvC,OAAO,CAAC,qBAAqB,CAAC,CAAwB;IACtD,OAAO,CAAC,gBAAgB,CAAC,CAAmB;IAC5C,OAAO,CAAC,qBAAqB,CAAC,CAAwB;IACtD,OAAO,CAAC,qBAAqB,CAAC,CAAwB;IACtD,OAAO,CAAC,iBAAiB,CAAC,CAAoB;IAG9C,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAGhE,OAAO,CAAC,qBAAqB,CAAC,CAAwB;IACtD,OAAO,CAAC,sBAAsB,CAAC,CAAyB;IACxD,OAAO,CAAC,2BAA2B,CAAC,CAA8B;IAClE,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAChE,OAAO,CAAC,mBAAmB,CAAC,CAAsB;IAClD,OAAO,CAAC,0BAA0B,CAAC,CAA6B;IAChE,OAAO,CAAC,gBAAgB,CAAC,CAAmB;IAC5C,OAAO,CAAC,sBAAsB,CAAC,CAAyB;IAGxD,OAAO,CAAC,gBAAgB,CAAC,CAAmB;IAC5C,OAAO,CAAC,cAAc,CAAC,CAAiB;IACxC,OAAO,CAAC,uBAAuB,CAAC,CAAkC;IAGlE,OAAO,CAAC,0BAA0B,CAAC,CAA6B;gBAIpD,MAAM,GAAE,OAAO,CAAC,uBAAuB,CAAM;IAkJzD;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAQ9B;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAe9B;;;;OAIG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAwBhE;;;OAGG;IACH,eAAe,IAAI,OAAO;IAI1B;;;OAGG;IACH,eAAe,IAAI,gBAAgB,GAAG,SAAS;IAI/C;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA2C1B;;;OAGG;IACG,iBAAiB,CACrB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,sBAAsB,CAAC;IAulBlC;;;;OAIG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,UAAU,EACvB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACpC,OAAO,CAAC,sBAAsB,CAAC;IAclC,OAAO,CAAC,qBAAqB;IAoF7B;;;OAGG;IACH,SAAS,IAAI,uBAAuB;IAIpC;;;OAGG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI;CAG7D"}
+{"version":3,"file":"AssessmentOrchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/AssessmentOrchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EAEvB,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACX,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,IAAI,EACJ,2BAA2B,EAC5B,MAAM,oCAAoC,CAAC;AAuC5C,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EAEvB,MAAM,wBAAwB,CAAC;AA2BhC;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAClC,SAAS,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,OAAO,CAAC;QAAC,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3D,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,uBAAuB,CAAC;IAChC,UAAU,CAAC,EAAE,UAAU,CAAC;IAIxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAGtC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IAIrB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAG9B,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC1C,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;IACtB,kBAAkB,CAAC,EAAE,qBAAqB,CAAC;IAG3C,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD,SAAS,CAAC,EAAE,CACV,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACzB,OAAO,CAAC;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IAGrE,eAAe,CAAC,EAAE;QAChB,IAAI,EAAE,OAAO,GAAG,KAAK,GAAG,iBAAiB,CAAC;QAC1C,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,CAAC;IAIF,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,SAAS,CAAa;IAC9B,OAAO,CAAC,aAAa,CAAa;IAGlC,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,aAAa,CAAkB;IAIvC,OAAO,CAAC,QAAQ,CAAmB;IAQnC,OAAO,KAAK,qBAAqB,GAEhC;IAED,OAAO,KAAK,gBAAgB,GAE3B;IAED,OAAO,KAAK,qBAAqB,GAEhC;IAED,OAAO,KAAK,qBAAqB,GAEhC;IAED,OAAO,KAAK,iBAAiB,GAE5B;IAED,OAAO,KAAK,0BAA0B,GAErC;IAED,OAAO,KAAK,qBAAqB,GAEhC;IAED,OAAO,KAAK,sBAAsB,GAEjC;IAED,OAAO,KAAK,2BAA2B,GAEtC;IAED,OAAO,KAAK,0BAA0B,GAErC;IAED,OAAO,KAAK,mBAAmB,GAE9B;IAED,OAAO,KAAK,0BAA0B,GAErC;IAED,OAAO,KAAK,gBAAgB,GAE3B;IAED,OAAO,KAAK,sBAAsB,GAEjC;IAED,OAAO,KAAK,gBAAgB,GAE3B;IAED,OAAO,KAAK,cAAc,GAEzB;IAED,OAAO,KAAK,uBAAuB,GAElC;IAED,OAAO,KAAK,0BAA0B,GAErC;IAED,OAAO,KAAK,mBAAmB,GAE9B;gBAIW,MAAM,GAAE,OAAO,CAAC,uBAAuB,CAAM;IAiDzD;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAQ9B;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAe9B;;;;OAIG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAgBhE;;;OAGG;IACH,eAAe,IAAI,OAAO;IAI1B;;;OAGG;IACH,eAAe,IAAI,gBAAgB,GAAG,SAAS;IAI/C;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA+C1B;;;OAGG;IACG,iBAAiB,CACrB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,sBAAsB,CAAC;IAqqBlC;;;;OAIG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,UAAU,EACvB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACpC,OAAO,CAAC,sBAAsB,CAAC;IAclC,OAAO,CAAC,qBAAqB;IAyF7B;;;OAGG;IACH,SAAS,IAAI,uBAAuB;IAIpC;;;OAGG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI;CAG7D"}

package/lib/services/assessment/AssessmentOrchestrator.js

@@ -6,32 +6,9 @@
  * @module AssessmentOrchestrator
  */
 import { DEFAULT_ASSESSMENT_CONFIG, } from "../../lib/assessmentTypes.js";
-// Core assessment modules
-import { FunctionalityAssessor } from "./modules/FunctionalityAssessor.js";
-import { SecurityAssessor } from "./modules/SecurityAssessor.js";
-import { DocumentationAssessor } from "./modules/DocumentationAssessor.js";
-import { ErrorHandlingAssessor } from "./modules/ErrorHandlingAssessor.js";
-import { UsabilityAssessor } from "./modules/UsabilityAssessor.js";
-// Extended assessment modules - unified protocol compliance
-import { ProtocolComplianceAssessor } from "./modules/ProtocolComplianceAssessor.js";
-// New MCP Directory Compliance Gap assessors
-import { AUPComplianceAssessor } from "./modules/AUPComplianceAssessor.js";
-import { ToolAnnotationAssessor } from "./modules/ToolAnnotationAssessor.js";
-import { ProhibitedLibrariesAssessor } from "./modules/ProhibitedLibrariesAssessor.js";
-import { ManifestValidationAssessor } from "./modules/ManifestValidationAssessor.js";
-import { PortabilityAssessor } from "./modules/PortabilityAssessor.js";
-import { ExternalAPIScannerAssessor } from "./modules/ExternalAPIScannerAssessor.js";
-import { TemporalAssessor } from "./modules/TemporalAssessor.js";
-import { AuthenticationAssessor } from "./modules/AuthenticationAssessor.js";
-// New capability assessors
-import { ResourceAssessor } from "./modules/ResourceAssessor.js";
-import { PromptAssessor } from "./modules/PromptAssessor.js";
-import { CrossCapabilitySecurityAssessor } from "./modules/CrossCapabilitySecurityAssessor.js";
-// Code quality assessors
-import { FileModularizationAssessor } from "./modules/FileModularizationAssessor.js";
 // Note: ProtocolConformanceAssessor merged into ProtocolComplianceAssessor (v1.25.2)
-// Pattern configuration for tool annotation assessment
-import { loadPatternConfig, compilePatterns, } from "./config/annotationPatterns.js";
+// Pattern configuration for tool annotation assessment now handled by registry (Issue #91)
+// See AssessorDefinitions.ts customSetup for ToolAnnotationAssessor
 // Claude Code integration for intelligent analysis
 import { ClaudeCodeBridge, FULL_CLAUDE_CODE_CONFIG, } from "./lib/claudeCodeBridge.js";
 import { TestDataGenerator } from "./TestDataGenerator.js";
@@ -39,6 +16,10 @@ import { TestDataGenerator } from "./TestDataGenerator.js";
 import { createLogger, DEFAULT_LOGGING_CONFIG } from "./lib/logger.js";
 // Extracted helpers for testability
 import { emitModuleStartedEvent, emitModuleProgress, determineOverallStatus, generateSummary, generateRecommendations, } from "./orchestratorHelpers.js";
+// Registry pattern for assessor management (Issue #91)
+import { AssessorRegistry, ASSESSOR_DEFINITIONS, } from "./registry/index.js";
+// Module scoring for dual-key output (Issue #124)
+import { calculateModuleScore } from "../../lib/moduleScoring.js";
 /**
  * Main orchestrator class for running MCP server assessments
  *
@@ -59,29 +40,71 @@ export class AssessmentOrchestrator {
     // Claude Code Bridge for intelligent analysis
     claudeBridge;
     claudeEnabled = false;
-    // Core assessors (optional to support --skip-modules)
-    functionalityAssessor;
-    securityAssessor;
-    documentationAssessor;
-    errorHandlingAssessor;
-    usabilityAssessor;
-    // Extended assessors - unified protocol compliance
-    protocolComplianceAssessor;
-    // New MCP Directory Compliance Gap assessors
-    aupComplianceAssessor;
-    toolAnnotationAssessor;
-    prohibitedLibrariesAssessor;
-    manifestValidationAssessor;
-    portabilityAssessor;
-    externalAPIScannerAssessor;
-    temporalAssessor;
-    authenticationAssessor;
-    // New capability assessors
-    resourceAssessor;
-    promptAssessor;
-    crossCapabilityAssessor;
-    // Code quality assessors
-    fileModularizationAssessor;
+    // Registry for assessor management (Issue #91)
+    // Delegates construction, test count aggregation, and Claude bridge wiring
+    registry;
+    // ============================================================================
+    // Private getters for backward compatibility with tests
+    // Tests access these via type assertions: (orchestrator as any).assessorName
+    // These delegate to the registry to maintain a single source of truth
+    // ============================================================================
+    get functionalityAssessor() {
+        return this.registry.getAssessor("functionality");
+    }
+    get securityAssessor() {
+        return this.registry.getAssessor("security");
+    }
+    get documentationAssessor() {
+        return this.registry.getAssessor("documentation");
+    }
+    get errorHandlingAssessor() {
+        return this.registry.getAssessor("errorHandling");
+    }
+    get usabilityAssessor() {
+        return this.registry.getAssessor("usability");
+    }
+    get protocolComplianceAssessor() {
+        return this.registry.getAssessor("protocolCompliance");
+    }
+    get aupComplianceAssessor() {
+        return this.registry.getAssessor("aupCompliance");
+    }
+    get toolAnnotationAssessor() {
+        return this.registry.getAssessor("toolAnnotations");
+    }
+    get prohibitedLibrariesAssessor() {
+        return this.registry.getAssessor("prohibitedLibraries");
+    }
+    get manifestValidationAssessor() {
+        return this.registry.getAssessor("manifestValidation");
+    }
+    get portabilityAssessor() {
+        return this.registry.getAssessor("portability");
+    }
+    get externalAPIScannerAssessor() {
+        return this.registry.getAssessor("externalAPIScanner");
+    }
+    get temporalAssessor() {
+        return this.registry.getAssessor("temporal");
+    }
+    get authenticationAssessor() {
+        return this.registry.getAssessor("authentication");
+    }
+    get resourceAssessor() {
+        return this.registry.getAssessor("resources");
+    }
+    get promptAssessor() {
+        return this.registry.getAssessor("prompts");
+    }
+    get crossCapabilityAssessor() {
+        return this.registry.getAssessor("crossCapability");
+    }
+    get fileModularizationAssessor() {
+        return this.registry.getAssessor("fileModularization");
+    }
+    get conformanceAssessor() {
+        return this.registry.getAssessor("conformance");
+    }
     // Note: protocolConformanceAssessor merged into protocolComplianceAssessor (v1.25.2)
     constructor(config = {}) {
         this.config = { ...DEFAULT_ASSESSMENT_CONFIG, ...config };
@@ -100,92 +123,17 @@ export class AssessmentOrchestrator {
         if (this.config.claudeCode?.enabled) {
             this.initializeClaudeBridge(this.config.claudeCode);
         }
-        // Initialize core assessors (respects assessmentCategories config for --skip-modules)
-        if (this.config.assessmentCategories?.functionality !== false) {
-            this.functionalityAssessor = new FunctionalityAssessor(this.config);
-        }
-        if (this.config.assessmentCategories?.security !== false) {
-            this.securityAssessor = new SecurityAssessor(this.config);
-            // Wire up Claude bridge for security semantic analysis
-            if (this.claudeBridge) {
-                this.securityAssessor.setClaudeBridge(this.claudeBridge);
-            }
-        }
-        if (this.config.assessmentCategories?.documentation !== false) {
-            this.documentationAssessor = new DocumentationAssessor(this.config);
-        }
-        if (this.config.assessmentCategories?.errorHandling !== false) {
-            this.errorHandlingAssessor = new ErrorHandlingAssessor(this.config);
-        }
-        if (this.config.assessmentCategories?.usability !== false) {
-            this.usabilityAssessor = new UsabilityAssessor(this.config);
-        }
-        // Initialize extended assessors if enabled
-        if (this.config.enableExtendedAssessment) {
-            // Initialize unified protocol compliance assessor
-            // Supports new protocolCompliance flag and deprecated mcpSpecCompliance/protocolConformance
-            if (this.config.assessmentCategories?.protocolCompliance ||
-                this.config.assessmentCategories?.mcpSpecCompliance ||
-                this.config.assessmentCategories?.protocolConformance) {
-                this.protocolComplianceAssessor = new ProtocolComplianceAssessor(this.config);
-            }
-            // Initialize new MCP Directory Compliance Gap assessors
-            if (this.config.assessmentCategories?.aupCompliance) {
-                this.aupComplianceAssessor = new AUPComplianceAssessor(this.config);
-                // Wire up Claude bridge for semantic analysis
-                if (this.claudeBridge) {
-                    this.aupComplianceAssessor.setClaudeBridge(this.claudeBridge);
-                }
-            }
-            if (this.config.assessmentCategories?.toolAnnotations) {
-                this.toolAnnotationAssessor = new ToolAnnotationAssessor(this.config);
-                // Wire up Claude bridge for behavior inference
-                if (this.claudeBridge) {
-                    this.toolAnnotationAssessor.setClaudeBridge(this.claudeBridge);
-                }
-                // Load custom pattern configuration if provided
-                if (this.config.patternConfigPath) {
-                    const patternConfig = loadPatternConfig(this.config.patternConfigPath, this.logger);
-                    const compiledPatterns = compilePatterns(patternConfig);
-                    this.toolAnnotationAssessor.setPatterns(compiledPatterns);
-                }
-            }
-            if (this.config.assessmentCategories?.prohibitedLibraries) {
-                this.prohibitedLibrariesAssessor = new ProhibitedLibrariesAssessor(this.config);
-            }
-            if (this.config.assessmentCategories?.manifestValidation) {
-                this.manifestValidationAssessor = new ManifestValidationAssessor(this.config);
-            }
-            if (this.config.assessmentCategories?.portability) {
-                this.portabilityAssessor = new PortabilityAssessor(this.config);
-            }
-            if (this.config.assessmentCategories?.externalAPIScanner) {
-                this.externalAPIScannerAssessor = new ExternalAPIScannerAssessor(this.config);
-            }
-            if (this.config.assessmentCategories?.temporal) {
-                this.temporalAssessor = new TemporalAssessor(this.config);
-            }
-            if (this.config.assessmentCategories?.authentication) {
-                this.authenticationAssessor = new AuthenticationAssessor(this.config);
-            }
-            // Initialize new capability assessors
-            if (this.config.assessmentCategories?.resources) {
-                this.resourceAssessor = new ResourceAssessor(this.config);
-            }
-            if (this.config.assessmentCategories?.prompts) {
-                this.promptAssessor = new PromptAssessor(this.config);
-            }
-            if (this.config.assessmentCategories?.crossCapability) {
-                this.crossCapabilityAssessor = new CrossCapabilitySecurityAssessor(this.config);
-            }
-            // Initialize code quality assessors
-            if (this.config.assessmentCategories?.fileModularization) {
-                this.fileModularizationAssessor = new FileModularizationAssessor(this.config);
-            }
-            // Note: Protocol conformance now handled by unified ProtocolComplianceAssessor above
-        }
-        // Wire up Claude bridge to TestDataGenerator for intelligent test generation
+        // Initialize registry and register all enabled assessors (Issue #91)
+        // The registry handles:
+        // - Conditional instantiation based on config flags
+        // - Deprecated flag OR logic (e.g., protocolCompliance supports 3 flags)
+        // - Custom setup (e.g., ToolAnnotationAssessor pattern config)
+        // - Claude bridge wiring for supporting assessors
+        this.registry = new AssessorRegistry(this.config);
+        this.registry.registerAll(ASSESSOR_DEFINITIONS);
+        // Wire up Claude bridge to registry (handles all supporting assessors)
         if (this.claudeBridge) {
+            this.registry.setClaudeBridge(this.claudeBridge);
             TestDataGenerator.setClaudeBridge(this.claudeBridge);
         }
         // Set logger for TestDataGenerator diagnostic output
@@ -233,17 +181,9 @@ export class AssessmentOrchestrator {
             enabled: true,
         };
         this.initializeClaudeBridge(bridgeConfig);
-        // Wire up to existing assessors
+        // Wire up to all supporting assessors via registry
         if (this.claudeBridge) {
-            if (this.aupComplianceAssessor) {
-                this.aupComplianceAssessor.setClaudeBridge(this.claudeBridge);
-            }
-            if (this.toolAnnotationAssessor) {
-                this.toolAnnotationAssessor.setClaudeBridge(this.claudeBridge);
-            }
-            if (this.securityAssessor) {
-                this.securityAssessor.setClaudeBridge(this.claudeBridge);
-            }
+            this.registry.setClaudeBridge(this.claudeBridge);
             TestDataGenerator.setClaudeBridge(this.claudeBridge);
         }
     }
@@ -305,6 +245,10 @@ export class AssessmentOrchestrator {
         if (this.fileModularizationAssessor) {
             this.fileModularizationAssessor.resetTestCount();
         }
+        // Reset official conformance assessor
+        if (this.conformanceAssessor) {
+            this.conformanceAssessor.resetTestCount();
+        }
     }
     /**
      * Run a complete assessment on an MCP server
@@ -462,6 +406,15 @@ export class AssessmentOrchestrator {
                     return (assessmentResults.fileModularization = r);
                 }));
             }
+            // Official MCP conformance testing (opt-in, requires HTTP/SSE transport)
+            if (this.conformanceAssessor) {
+                // Conformance tests ~7 server scenarios
+                emitModuleStartedEvent("Conformance", 7, toolCount);
+                assessmentPromises.push(this.conformanceAssessor.assess(context).then((r) => {
+                    emitModuleProgress("Conformance", r.status, r, this.conformanceAssessor.getTestCount());
+                    return (assessmentResults.conformance = r);
+                }));
+            }
             // Note: Protocol Conformance now handled by unified ProtocolComplianceAssessor above
             await Promise.all(assessmentPromises);
         }
@@ -587,6 +540,13 @@ export class AssessmentOrchestrator {
                     await this.fileModularizationAssessor.assess(context);
                 emitModuleProgress("File Modularization", assessmentResults.fileModularization.status, assessmentResults.fileModularization, this.fileModularizationAssessor.getTestCount());
             }
+            // Official MCP conformance testing (sequential, opt-in)
+            if (this.conformanceAssessor) {
+                emitModuleStartedEvent("Conformance", 7, toolCount);
+                assessmentResults.conformance =
+                    await this.conformanceAssessor.assess(context);
+                emitModuleProgress("Conformance", assessmentResults.conformance.status, assessmentResults.conformance, this.conformanceAssessor.getTestCount());
+            }
             // Note: Protocol Conformance now handled by unified ProtocolComplianceAssessor above
         }
         // Integrate temporal findings into security.vulnerabilities for unified view
@@ -597,6 +557,41 @@ export class AssessmentOrchestrator {
                 assessmentResults.security.vulnerabilities.push(`RUG_PULL_TEMPORAL: ${detail.tool} - Tool behavior changed after invocation ${detail.firstDeviationAt}. Requires immediate manual review.`);
             }
         }
+        // Issue #124: Dual-key output for v2.0.0 transition
+        // Output BOTH old and new keys to maintain backward compatibility
+        // Old keys (documentation, usability, mcpSpecCompliance) will be removed in v2.0.0
+        // developerExperience (new) = documentation + usability (deprecated)
+        if (assessmentResults.documentation && assessmentResults.usability) {
+            const docScore = calculateModuleScore(assessmentResults.documentation) ?? 50;
+            const usabilityScore = calculateModuleScore(assessmentResults.usability) ?? 50;
+            const combinedStatus = determineOverallStatus({
+                documentation: assessmentResults.documentation,
+                usability: assessmentResults.usability,
+            });
+            assessmentResults.developerExperience = {
+                documentation: assessmentResults.documentation,
+                usability: assessmentResults.usability,
+                status: combinedStatus,
+                score: Math.round((docScore + usabilityScore) / 2),
+            };
+            // Emit deprecation warning for old keys
+            this.logger.warn("Output keys 'documentation' and 'usability' are deprecated. " +
+                "Use 'developerExperience' instead. These keys will be removed in v2.0.0.", {
+                deprecated: ["documentation", "usability"],
+                replacement: "developerExperience",
+            });
+        }
+        // protocolCompliance (new) = mcpSpecCompliance (deprecated)
+        if (assessmentResults.mcpSpecCompliance) {
+            assessmentResults.protocolCompliance =
+                assessmentResults.mcpSpecCompliance;
+            // Emit deprecation warning for old key
+            this.logger.warn("Output key 'mcpSpecCompliance' is deprecated. " +
+                "Use 'protocolCompliance' instead. This key will be removed in v2.0.0.", {
+                deprecated: ["mcpSpecCompliance"],
+                replacement: "protocolCompliance",
+            });
+        }
         // Collect test counts from all assessors
         this.totalTestsRun = this.collectTotalTestCount();
         // Determine overall status
@@ -668,6 +663,8 @@ export class AssessmentOrchestrator {
         const crossCapabilityCount = this.crossCapabilityAssessor?.getTestCount() || 0;
         // Code quality assessor counts
         const fileModularizationCount = this.fileModularizationAssessor?.getTestCount() || 0;
+        // Official MCP conformance test count
+        const conformanceCount = this.conformanceAssessor?.getTestCount() || 0;
         // Note: Protocol conformance now included in mcpSpecCount (unified ProtocolComplianceAssessor)
         this.logger.debug("Test counts by assessor", {
             functionality: functionalityCount,
@@ -688,6 +685,7 @@ export class AssessmentOrchestrator {
             prompts: promptsCount,
             crossCapability: crossCapabilityCount,
             fileModularization: fileModularizationCount,
+            conformance: conformanceCount,
             // Note: protocolConformance now included in mcpSpec (unified)
         });
         total =
@@ -708,7 +706,8 @@ export class AssessmentOrchestrator {
                 resourcesCount +
                 promptsCount +
                 crossCapabilityCount +
-                fileModularizationCount;
+                fileModularizationCount +
+                conformanceCount;
         // Note: protocolConformance now included in mcpSpecCount (unified)
         this.logger.debug("Total test count", { total });
         return total;

package/lib/services/assessment/ResponseValidator.d.ts

@@ -24,6 +24,16 @@ export interface ValidationContext {
     scenarioCategory?: "happy_path" | "edge_case" | "boundary" | "error_case";
 }
 export declare class ResponseValidator {
+    /**
+     * Safely extract content array from response using Zod validation.
+     * Falls back to undefined if content is not a valid array.
+     */
+    private static safeGetContentArray;
+    /**
+     * Safely parse MCP tool call result using Zod validation.
+     * Returns validated data or undefined if validation fails.
+     */
+    private static safeGetMCPResponse;
     /**
      * Extract response metadata including content types, structuredContent, and _meta
      */

package/lib/services/assessment/ResponseValidator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ResponseValidator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/ResponseValidator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAOzD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,EACV,eAAe,GACf,mBAAmB,GACnB,mBAAmB,GACnB,QAAQ,GACR,OAAO,CAAC;IACZ,8EAA8E;IAC9E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,QAAQ,EAAE,2BAA2B,CAAC;IACtC,gBAAgB,CAAC,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;CAC3E;AAED,qBAAa,iBAAiB;IAC5B;;OAEG;IACH,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB;IAoG5E;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB;IAgHrE;;;OAGG;IACH,MAAM,CAAC,oBAAoB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO;IAgThE;;OAEG;IACH,MAAM,CAAC,0BAA0B,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM;CAsBvE"}
+{"version":3,"file":"ResponseValidator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/ResponseValidator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAazD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,EACV,eAAe,GACf,mBAAmB,GACnB,mBAAmB,GACnB,QAAQ,GACR,OAAO,CAAC;IACZ,8EAA8E;IAC9E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,QAAQ,EAAE,2BAA2B,CAAC;IACtC,gBAAgB,CAAC,EAAE,YAAY,GAAG,WAAW,GAAG,UAAU,GAAG,YAAY,CAAC;CAC3E;AAED,qBAAa,iBAAiB;IAC5B;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAOjC;;OAEG;IACH,MAAM,CAAC,uBAAuB,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB;IA2G5E;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB;IAgHrE;;;OAGG;IACH,MAAM,CAAC,oBAAoB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO;IAgThE;;OAEG;IACH,MAAM,CAAC,0BAA0B,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM;CAsBvE"}

package/lib/services/assessment/ResponseValidator.js

@@ -6,13 +6,31 @@
  * @module assessment/ResponseValidator
  */
 import { validateToolOutput, hasOutputSchema, tryExtractJsonFromContent, } from "../../utils/schemaUtils.js";
+import { safeParseContentArray, safeParseMCPToolCallResult, } from "./responseValidatorSchemas.js";
 export class ResponseValidator {
+    /**
+     * Safely extract content array from response using Zod validation.
+     * Falls back to undefined if content is not a valid array.
+     */
+    static safeGetContentArray(response) {
+        const parseResult = safeParseContentArray(response.content);
+        return parseResult.success ? parseResult.data : undefined;
+    }
+    /**
+     * Safely parse MCP tool call result using Zod validation.
+     * Returns validated data or undefined if validation fails.
+     */
+    static safeGetMCPResponse(response) {
+        const parseResult = safeParseMCPToolCallResult(response);
+        return parseResult.success ? parseResult.data : undefined;
+    }
     /**
      * Extract response metadata including content types, structuredContent, and _meta
      */
     static extractResponseMetadata(context) {
-        const content = context.response.content;
-        const response = context.response;
+        // Use validated parsing for content array and full response
+        const content = this.safeGetContentArray(context.response);
+        const validatedResponse = this.safeGetMCPResponse(context.response);
         // Track content types present
         const contentTypes = [];
         let textBlockCount = 0;
@@ -40,17 +58,23 @@ export class ResponseValidator {
             }
         }
         // Check for structuredContent property (MCP 2024-11-05+)
-        const hasStructuredContent = "structuredContent" in response &&
-            response.structuredContent !== undefined;
+        // Use validated response data when available, fallback to raw response check
+        const hasStructuredContent = validatedResponse?.structuredContent !== undefined ||
+            ("structuredContent" in context.response &&
+                context.response.structuredContent !== undefined);
         // Check for _meta property
-        const hasMeta = "_meta" in response && response._meta !== undefined;
+        const hasMeta = validatedResponse?._meta !== undefined ||
+            ("_meta" in context.response && context.response._meta !== undefined);
         // Output schema validation
         let outputSchemaValidation;
         const toolHasOutputSchema = hasOutputSchema(context.tool.name);
         if (toolHasOutputSchema) {
             if (hasStructuredContent) {
                 // Primary path: validate structuredContent
-                const validation = validateToolOutput(context.tool.name, response.structuredContent);
+                // Prefer validated data, fallback to raw response
+                const structuredContent = validatedResponse?.structuredContent ??
+                    context.response.structuredContent;
+                const validation = validateToolOutput(context.tool.name, structuredContent);
                 outputSchemaValidation = {
                     hasOutputSchema: true,
                     isValid: validation.isValid,

package/lib/services/assessment/config/performanceConfig.d.ts

@@ -102,6 +102,8 @@ export declare const PERFORMANCE_PRESETS: {
  * Validate a partial performance config.
  * Ensures values are within reasonable bounds.
  *
+ * Uses Zod schema validation under the hood (Issue #84).
+ *
  * @public
  * @param config - Partial config to validate
  * @returns Array of validation error messages (empty if valid)

package/lib/services/assessment/config/performanceConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"performanceConfig.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/config/performanceConfig.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAE5C;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,sBAAsB,EAAE,MAAM,CAAC;IAE/B;;;OAGG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAE1B;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;;;;;;;OAUG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;OAIG;IACH,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,EAAE,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CASzE,CAAC;AAEL;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,mDAAmD;;IAGnD,8CAA8C;;;;8BA1ExB,MAAM;uBAoBb,MAAM;+BAOE,MAAM;+BAaN,MAAM;kCAOH,MAAM;;IAkChC,kEAAkE;;;;;8BAjF5C,MAAM;uBAoBb,MAAM;+BAOE,MAAM;kCAoBH,MAAM;;CAyCxB,CAAC;AAEX;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,OAAO,CAAC,iBAAiB,CAAC,GACjC,MAAM,EAAE,CAwDV;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAClC,QAAQ,CAAC,iBAAiB,CAAC,CAsB7B;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,CAAC,EAAE,MAAM,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,QAAQ,CAAC,iBAAiB,CAAC,CAyC7B"}
+{"version":3,"file":"performanceConfig.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/config/performanceConfig.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAG5C;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;;OAIG;IACH,sBAAsB,EAAE,MAAM,CAAC;IAE/B;;;OAGG;IACH,iBAAiB,EAAE,MAAM,CAAC;IAE1B;;;;OAIG;IACH,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;OAIG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;;;;;;;OAUG;IACH,qBAAqB,EAAE,MAAM,CAAC;IAE9B;;;;OAIG;IACH,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,EAAE,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CASzE,CAAC;AAEL;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,mDAAmD;;IAGnD,8CAA8C;;;;8BA1ExB,MAAM;uBAoBb,MAAM;+BAOE,MAAM;+BAaN,MAAM;kCAOH,MAAM;;IAkChC,kEAAkE;;;;;8BAjF5C,MAAM;uBAoBb,MAAM;+BAOE,MAAM;kCAoBH,MAAM;;CAyCxB,CAAC;AAEX;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,OAAO,CAAC,iBAAiB,CAAC,GACjC,MAAM,EAAE,CAGV;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAClC,QAAQ,CAAC,iBAAiB,CAAC,CAsB7B;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,CAAC,EAAE,MAAM,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,QAAQ,CAAC,iBAAiB,CAAC,CAyC7B"}

package/lib/services/assessment/config/performanceConfig.js

@@ -10,6 +10,7 @@
  * @see https://github.com/triepod-ai/inspector-assessment/issues/37
  */
 import * as fs from "fs";
+import { validatePerformanceConfigWithZod } from "./performanceConfigSchemas.js";
 /**
  * Default performance configuration.
  * These values preserve existing behavior across all modules.
@@ -49,44 +50,15 @@ export const PERFORMANCE_PRESETS = {
  * Validate a partial performance config.
  * Ensures values are within reasonable bounds.
  *
+ * Uses Zod schema validation under the hood (Issue #84).
+ *
  * @public
  * @param config - Partial config to validate
  * @returns Array of validation error messages (empty if valid)
  */
 export function validatePerformanceConfig(config) {
-    const errors = [];
-    if (config.batchFlushIntervalMs !== undefined &&
-        (config.batchFlushIntervalMs < 50 || config.batchFlushIntervalMs > 10000)) {
-        errors.push("batchFlushIntervalMs must be between 50 and 10000");
-    }
-    if (config.functionalityBatchSize !== undefined &&
-        (config.functionalityBatchSize < 1 || config.functionalityBatchSize > 100)) {
-        errors.push("functionalityBatchSize must be between 1 and 100");
-    }
-    if (config.securityBatchSize !== undefined &&
-        (config.securityBatchSize < 1 || config.securityBatchSize > 100)) {
-        errors.push("securityBatchSize must be between 1 and 100");
-    }
-    if (config.testTimeoutMs !== undefined &&
-        (config.testTimeoutMs < 100 || config.testTimeoutMs > 300000)) {
-        errors.push("testTimeoutMs must be between 100 and 300000");
-    }
-    if (config.securityTestTimeoutMs !== undefined &&
-        (config.securityTestTimeoutMs < 100 ||
-            config.securityTestTimeoutMs > 300000)) {
-        errors.push("securityTestTimeoutMs must be between 100 and 300000");
-    }
-    if (config.queueWarningThreshold !== undefined &&
-        (config.queueWarningThreshold < 100 ||
-            config.queueWarningThreshold > 1000000)) {
-        errors.push("queueWarningThreshold must be between 100 and 1000000");
-    }
-    if (config.eventEmitterMaxListeners !== undefined &&
-        (config.eventEmitterMaxListeners < 10 ||
-            config.eventEmitterMaxListeners > 1000)) {
-        errors.push("eventEmitterMaxListeners must be between 10 and 1000");
-    }
-    return errors;
+    // Delegate to Zod schema validation
+    return validatePerformanceConfigWithZod(config);
 }
 /**
  * Merge a partial config with defaults.