npm - @bryan-thompson/inspector-assessment-client - Versions diffs - 1.30.1 → 1.32.0 - Mend

@bryan-thompson/inspector-assessment-client 1.30.1 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/lib/services/assessment/config/performanceConfigSchemas.d.ts ADDED Viewed

@@ -0,0 +1,111 @@
+/**
+ * Zod Schemas for Performance Configuration
+ *
+ * Runtime validation schemas for performance configuration.
+ * Replaces manual validatePerformanceConfig() function with declarative schemas.
+ *
+ * @module assessment/config/performanceConfigSchemas
+ * @see performanceConfig.ts for the interface definitions
+ * @see sharedSchemas.ts for PERF_CONFIG_RANGES constants
+ */
+import { z } from "zod";
+import { PERF_CONFIG_RANGES } from "../../../lib/assessment/sharedSchemas.js";
+export { PERF_CONFIG_RANGES };
+/**
+ * Schema for performance configuration fields.
+ * All fields are optional since partial configs are merged with defaults.
+ *
+ * Validation ranges are defined in PERF_CONFIG_RANGES (sharedSchemas.ts).
+ */
+export declare const PerformanceConfigSchema: z.ZodObject<{
+    /**
+     * Interval in milliseconds between progress batch flushes.
+     */
+    batchFlushIntervalMs: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Batch size for functionality assessment progress events.
+     */
+    functionalityBatchSize: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Batch size for security assessment progress events.
+     */
+    securityBatchSize: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Timeout for individual test scenario execution in milliseconds.
+     */
+    testTimeoutMs: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Timeout for individual security payload tests in milliseconds.
+     */
+    securityTestTimeoutMs: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Warning threshold for queue depth monitoring.
+     */
+    queueWarningThreshold: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Maximum EventEmitter listeners to prevent Node.js warnings.
+     */
+    eventEmitterMaxListeners: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    batchFlushIntervalMs?: number;
+    functionalityBatchSize?: number;
+    securityBatchSize?: number;
+    testTimeoutMs?: number;
+    securityTestTimeoutMs?: number;
+    queueWarningThreshold?: number;
+    eventEmitterMaxListeners?: number;
+}, {
+    batchFlushIntervalMs?: number;
+    functionalityBatchSize?: number;
+    securityBatchSize?: number;
+    testTimeoutMs?: number;
+    securityTestTimeoutMs?: number;
+    queueWarningThreshold?: number;
+    eventEmitterMaxListeners?: number;
+}>;
+/**
+ * Type inferred from the schema.
+ * Equivalent to Partial<PerformanceConfig> from performanceConfig.ts
+ */
+export type PartialPerformanceConfig = z.infer<typeof PerformanceConfigSchema>;
+/**
+ * Validate a partial performance config using Zod.
+ * Drop-in replacement for the manual validatePerformanceConfig() function.
+ *
+ * @param config - Partial config to validate
+ * @returns Array of validation error messages (empty if valid)
+ */
+export declare function validatePerformanceConfigWithZod(config: unknown): string[];
+/**
+ * Parse and validate a performance config, returning the validated data.
+ * Throws ZodError if validation fails.
+ *
+ * @param config - Config to parse and validate
+ * @returns Validated partial config
+ * @throws ZodError if validation fails
+ */
+export declare function parsePerformanceConfig(config: unknown): PartialPerformanceConfig;
+/**
+ * Safely parse a performance config without throwing.
+ *
+ * @param config - Config to parse and validate
+ * @returns SafeParseResult with success status and data/error
+ */
+export declare function safeParsePerformanceConfig(config: unknown): z.SafeParseReturnType<{
+    batchFlushIntervalMs?: number;
+    functionalityBatchSize?: number;
+    securityBatchSize?: number;
+    testTimeoutMs?: number;
+    securityTestTimeoutMs?: number;
+    queueWarningThreshold?: number;
+    eventEmitterMaxListeners?: number;
+}, {
+    batchFlushIntervalMs?: number;
+    functionalityBatchSize?: number;
+    securityBatchSize?: number;
+    testTimeoutMs?: number;
+    securityTestTimeoutMs?: number;
+    queueWarningThreshold?: number;
+    eventEmitterMaxListeners?: number;
+}>;
+//# sourceMappingURL=performanceConfigSchemas.d.ts.map

package/lib/services/assessment/config/performanceConfigSchemas.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"performanceConfigSchemas.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/config/performanceConfigSchemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAG3E,OAAO,EAAE,kBAAkB,EAAE,CAAC;AAE9B;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB;IAClC;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;IAcH;;OAEG;;;;;;;;;;;;;;;;;;EAaH,CAAC;AAEH;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE/E;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,CAW1E;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,OAAO,GACd,wBAAwB,CAE1B;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,OAAO;;;;;;;;;;;;;;;;GAEzD"}

package/lib/services/assessment/config/performanceConfigSchemas.js ADDED Viewed

@@ -0,0 +1,123 @@
+/**
+ * Zod Schemas for Performance Configuration
+ *
+ * Runtime validation schemas for performance configuration.
+ * Replaces manual validatePerformanceConfig() function with declarative schemas.
+ *
+ * @module assessment/config/performanceConfigSchemas
+ * @see performanceConfig.ts for the interface definitions
+ * @see sharedSchemas.ts for PERF_CONFIG_RANGES constants
+ */
+import { z } from "zod";
+// Import validation range constants from single source of truth
+import { PERF_CONFIG_RANGES } from "../../../lib/assessment/sharedSchemas.js";
+// Re-export for consumers who need the range constants
+export { PERF_CONFIG_RANGES };
+/**
+ * Schema for performance configuration fields.
+ * All fields are optional since partial configs are merged with defaults.
+ *
+ * Validation ranges are defined in PERF_CONFIG_RANGES (sharedSchemas.ts).
+ */
+export const PerformanceConfigSchema = z.object({
+    /**
+     * Interval in milliseconds between progress batch flushes.
+     */
+    batchFlushIntervalMs: z
+        .number()
+        .int("batchFlushIntervalMs must be an integer")
+        .min(PERF_CONFIG_RANGES.batchFlushIntervalMs.min, `batchFlushIntervalMs must be >= ${PERF_CONFIG_RANGES.batchFlushIntervalMs.min}`)
+        .max(PERF_CONFIG_RANGES.batchFlushIntervalMs.max, `batchFlushIntervalMs must be <= ${PERF_CONFIG_RANGES.batchFlushIntervalMs.max}`)
+        .optional(),
+    /**
+     * Batch size for functionality assessment progress events.
+     */
+    functionalityBatchSize: z
+        .number()
+        .int("functionalityBatchSize must be an integer")
+        .min(PERF_CONFIG_RANGES.functionalityBatchSize.min, `functionalityBatchSize must be >= ${PERF_CONFIG_RANGES.functionalityBatchSize.min}`)
+        .max(PERF_CONFIG_RANGES.functionalityBatchSize.max, `functionalityBatchSize must be <= ${PERF_CONFIG_RANGES.functionalityBatchSize.max}`)
+        .optional(),
+    /**
+     * Batch size for security assessment progress events.
+     */
+    securityBatchSize: z
+        .number()
+        .int("securityBatchSize must be an integer")
+        .min(PERF_CONFIG_RANGES.securityBatchSize.min, `securityBatchSize must be >= ${PERF_CONFIG_RANGES.securityBatchSize.min}`)
+        .max(PERF_CONFIG_RANGES.securityBatchSize.max, `securityBatchSize must be <= ${PERF_CONFIG_RANGES.securityBatchSize.max}`)
+        .optional(),
+    /**
+     * Timeout for individual test scenario execution in milliseconds.
+     */
+    testTimeoutMs: z
+        .number()
+        .int("testTimeoutMs must be an integer")
+        .min(PERF_CONFIG_RANGES.testTimeoutMs.min, `testTimeoutMs must be >= ${PERF_CONFIG_RANGES.testTimeoutMs.min}`)
+        .max(PERF_CONFIG_RANGES.testTimeoutMs.max, `testTimeoutMs must be <= ${PERF_CONFIG_RANGES.testTimeoutMs.max}`)
+        .optional(),
+    /**
+     * Timeout for individual security payload tests in milliseconds.
+     */
+    securityTestTimeoutMs: z
+        .number()
+        .int("securityTestTimeoutMs must be an integer")
+        .min(PERF_CONFIG_RANGES.securityTestTimeoutMs.min, `securityTestTimeoutMs must be >= ${PERF_CONFIG_RANGES.securityTestTimeoutMs.min}`)
+        .max(PERF_CONFIG_RANGES.securityTestTimeoutMs.max, `securityTestTimeoutMs must be <= ${PERF_CONFIG_RANGES.securityTestTimeoutMs.max}`)
+        .optional(),
+    /**
+     * Warning threshold for queue depth monitoring.
+     */
+    queueWarningThreshold: z
+        .number()
+        .int("queueWarningThreshold must be an integer")
+        .min(PERF_CONFIG_RANGES.queueWarningThreshold.min, `queueWarningThreshold must be >= ${PERF_CONFIG_RANGES.queueWarningThreshold.min}`)
+        .max(PERF_CONFIG_RANGES.queueWarningThreshold.max, `queueWarningThreshold must be <= ${PERF_CONFIG_RANGES.queueWarningThreshold.max}`)
+        .optional(),
+    /**
+     * Maximum EventEmitter listeners to prevent Node.js warnings.
+     */
+    eventEmitterMaxListeners: z
+        .number()
+        .int("eventEmitterMaxListeners must be an integer")
+        .min(PERF_CONFIG_RANGES.eventEmitterMaxListeners.min, `eventEmitterMaxListeners must be >= ${PERF_CONFIG_RANGES.eventEmitterMaxListeners.min}`)
+        .max(PERF_CONFIG_RANGES.eventEmitterMaxListeners.max, `eventEmitterMaxListeners must be <= ${PERF_CONFIG_RANGES.eventEmitterMaxListeners.max}`)
+        .optional(),
+});
+/**
+ * Validate a partial performance config using Zod.
+ * Drop-in replacement for the manual validatePerformanceConfig() function.
+ *
+ * @param config - Partial config to validate
+ * @returns Array of validation error messages (empty if valid)
+ */
+export function validatePerformanceConfigWithZod(config) {
+    const result = PerformanceConfigSchema.safeParse(config);
+    if (result.success) {
+        return [];
+    }
+    return result.error.errors.map((e) => {
+        const path = e.path.length > 0 ? `${e.path.join(".")}: ` : "";
+        return `${path}${e.message}`;
+    });
+}
+/**
+ * Parse and validate a performance config, returning the validated data.
+ * Throws ZodError if validation fails.
+ *
+ * @param config - Config to parse and validate
+ * @returns Validated partial config
+ * @throws ZodError if validation fails
+ */
+export function parsePerformanceConfig(config) {
+    return PerformanceConfigSchema.parse(config);
+}
+/**
+ * Safely parse a performance config without throwing.
+ *
+ * @param config - Config to parse and validate
+ * @returns SafeParseResult with success status and data/error
+ */
+export function safeParsePerformanceConfig(config) {
+    return PerformanceConfigSchema.safeParse(config);
+}

package/lib/services/assessment/modules/ConformanceAssessor.d.ts ADDED Viewed

@@ -0,0 +1,64 @@
+/**
+ * Conformance Assessor Module
+ *
+ * Integrates official MCP conformance tests from @modelcontextprotocol/conformance.
+ * Runs server-side conformance validation against the MCP specification.
+ *
+ * Requirements:
+ * - HTTP/SSE transport (requires serverUrl in config)
+ * - Opt-in via --conformance flag or assessmentCategories.conformance = true
+ *
+ * @module assessment/modules/ConformanceAssessor
+ */
+import { BaseAssessor } from "./BaseAssessor.js";
+import { AssessmentContext } from "../AssessmentOrchestrator.js";
+import type { ConformanceAssessment } from "../../../lib/assessment/extendedTypes.js";
+/**
+ * Conformance Assessor
+ *
+ * Runs official MCP conformance tests against the server.
+ * Requires HTTP/SSE transport with serverUrl available.
+ */
+export declare class ConformanceAssessor extends BaseAssessor<ConformanceAssessment> {
+    /**
+     * Run conformance assessment
+     */
+    assess(context: AssessmentContext): Promise<ConformanceAssessment>;
+    /**
+     * Run a single conformance scenario
+     */
+    private runScenario;
+    /**
+     * Find the checks.json file in the results directory
+     */
+    private findChecksFile;
+    /**
+     * Parse checks.json file from conformance results
+     */
+    private parseChecksFile;
+    /**
+     * Check if the MCP conformance package is available
+     */
+    private isConformancePackageAvailable;
+    /**
+     * Cleanup temporary directory
+     */
+    private cleanupTempDir;
+    /**
+     * Determine overall conformance status
+     */
+    private determineConformanceStatus;
+    /**
+     * Generate human-readable explanation
+     */
+    private generateExplanation;
+    /**
+     * Generate recommendations based on failures
+     */
+    private generateRecommendations;
+    /**
+     * Create a skipped result when conformance tests cannot run
+     */
+    private createSkippedResult;
+}
+//# sourceMappingURL=ConformanceAssessor.d.ts.map

package/lib/services/assessment/modules/ConformanceAssessor.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ConformanceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ConformanceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAOH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,qBAAqB,EAGtB,MAAM,gCAAgC,CAAC;AAgCxC;;;;;GAKG;AACH,qBAAa,mBAAoB,SAAQ,YAAY,CAAC,qBAAqB,CAAC;IAC1E;;OAEG;IACG,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAkGxE;;OAEG;YACW,WAAW;IAwEzB;;OAEG;IACH,OAAO,CAAC,cAAc;IAwBtB;;OAEG;IACH,OAAO,CAAC,eAAe;IAmBvB;;OAEG;IACH,OAAO,CAAC,6BAA6B;IAarC;;OAEG;IACH,OAAO,CAAC,cAAc;IAQtB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA+BlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAyB3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA+C/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAmB5B"}

package/lib/services/assessment/modules/ConformanceAssessor.js ADDED Viewed

@@ -0,0 +1,329 @@
+/**
+ * Conformance Assessor Module
+ *
+ * Integrates official MCP conformance tests from @modelcontextprotocol/conformance.
+ * Runs server-side conformance validation against the MCP specification.
+ *
+ * Requirements:
+ * - HTTP/SSE transport (requires serverUrl in config)
+ * - Opt-in via --conformance flag or assessmentCategories.conformance = true
+ *
+ * @module assessment/modules/ConformanceAssessor
+ */
+import { execFileSync } from "child_process";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { BaseAssessor } from "./BaseAssessor.js";
+/**
+ * Version of the conformance package we're integrating with
+ */
+const CONFORMANCE_PACKAGE_VERSION = "0.1.9";
+/**
+ * Available server scenarios from the conformance package
+ * Updated for @modelcontextprotocol/conformance v0.1.9+
+ */
+const SERVER_SCENARIOS = [
+    "server-initialize",
+    "tools-list",
+    "tools-call-simple-text",
+    "resources-list",
+    "resources-read-text",
+    "prompts-list",
+    "prompts-get-simple",
+];
+/**
+ * Conformance Assessor
+ *
+ * Runs official MCP conformance tests against the server.
+ * Requires HTTP/SSE transport with serverUrl available.
+ */
+export class ConformanceAssessor extends BaseAssessor {
+    /**
+     * Run conformance assessment
+     */
+    async assess(context) {
+        const serverUrl = context.config.serverUrl;
+        // Check if serverUrl is available (required for conformance tests)
+        if (!serverUrl) {
+            this.logger.info("Conformance tests skipped: serverUrl not available (requires HTTP/SSE transport)");
+            return this.createSkippedResult("Server URL not available. Conformance tests require HTTP or SSE transport.");
+        }
+        // Check if conformance package is available
+        if (!this.isConformancePackageAvailable()) {
+            this.logger.warn("MCP conformance package not available. Install with: npm install -g @modelcontextprotocol/conformance");
+            return this.createSkippedResult("MCP conformance package not installed. Run: npm install -g @modelcontextprotocol/conformance");
+        }
+        this.logger.info(`Running conformance tests against: ${serverUrl}`);
+        const scenarios = [];
+        const allChecks = [];
+        let passedScenarios = 0;
+        let totalScenarios = 0;
+        // Run each server scenario
+        for (const scenario of SERVER_SCENARIOS) {
+            totalScenarios++;
+            try {
+                const scenarioResult = await this.runScenario(serverUrl, scenario);
+                scenarios.push(scenarioResult);
+                // Count scenario pass/fail (not individual checks)
+                if (scenarioResult.status === "pass") {
+                    passedScenarios++;
+                }
+                // Aggregate any detailed checks for reporting
+                for (const check of scenarioResult.checks) {
+                    allChecks.push(check);
+                }
+                this.testCount++;
+            }
+            catch (error) {
+                // Log error but continue with other scenarios
+                this.logger.warn(`Scenario ${scenario} failed: ${error instanceof Error ? error.message : String(error)}`);
+                scenarios.push({
+                    name: scenario,
+                    status: "skip",
+                    checks: [],
+                });
+            }
+        }
+        // Calculate compliance score based on scenarios
+        const complianceScore = totalScenarios > 0
+            ? Math.round((passedScenarios / totalScenarios) * 100)
+            : 0;
+        // Determine overall status
+        const status = this.determineConformanceStatus(passedScenarios, totalScenarios, scenarios);
+        // Generate explanation and recommendations
+        const explanation = this.generateExplanation(status, passedScenarios, totalScenarios, scenarios);
+        const recommendations = this.generateRecommendations(scenarios, allChecks);
+        return {
+            status,
+            conformanceVersion: CONFORMANCE_PACKAGE_VERSION,
+            protocolVersion: context.config.mcpProtocolVersion || "2025-06",
+            scenarios,
+            officialChecks: allChecks,
+            passedChecks: passedScenarios,
+            totalChecks: totalScenarios,
+            complianceScore,
+            explanation,
+            recommendations,
+        };
+    }
+    /**
+     * Run a single conformance scenario
+     */
+    async runScenario(serverUrl, scenario) {
+        const startTime = Date.now();
+        try {
+            // Create temp directory for results
+            const resultsDir = fs.mkdtempSync(path.join(os.tmpdir(), "mcp-conformance-"));
+            // Run conformance CLI (results are written to checks.json, not stdout)
+            execFileSync("npx", [
+                "@modelcontextprotocol/conformance",
+                "server",
+                "--url",
+                serverUrl,
+                "--scenario",
+                scenario,
+            ], {
+                encoding: "utf-8",
+                timeout: 60000, // 60 second timeout per scenario
+                cwd: resultsDir,
+                stdio: ["pipe", "pipe", "pipe"],
+            });
+            // Parse results from checks.json
+            const checksPath = this.findChecksFile(resultsDir, scenario);
+            const checks = checksPath ? this.parseChecksFile(checksPath) : [];
+            // Determine scenario status
+            const hasFailures = checks.some((c) => c.status === "fail");
+            const status = hasFailures ? "fail" : "pass";
+            // Cleanup temp directory
+            this.cleanupTempDir(resultsDir);
+            return {
+                name: scenario,
+                status,
+                checks,
+                executionTime: Date.now() - startTime,
+            };
+        }
+        catch (error) {
+            this.logger.debug(`Scenario ${scenario} execution error: ${error instanceof Error ? error.message : String(error)}`);
+            // Return skip status for failed scenarios
+            return {
+                name: scenario,
+                status: "skip",
+                checks: [
+                    {
+                        name: `${scenario}-execution`,
+                        status: "fail",
+                        message: error instanceof Error
+                            ? error.message
+                            : "Scenario execution failed",
+                    },
+                ],
+                executionTime: Date.now() - startTime,
+            };
+        }
+    }
+    /**
+     * Find the checks.json file in the results directory
+     */
+    findChecksFile(resultsDir, scenario) {
+        // Look for results in timestamped subdirectory
+        try {
+            const entries = fs.readdirSync(resultsDir);
+            for (const entry of entries) {
+                if (entry.startsWith(`server-${scenario}`) ||
+                    entry.startsWith(scenario)) {
+                    const checksPath = path.join(resultsDir, entry, "checks.json");
+                    if (fs.existsSync(checksPath)) {
+                        return checksPath;
+                    }
+                }
+            }
+        }
+        catch {
+            // Directory might not exist
+        }
+        return undefined;
+    }
+    /**
+     * Parse checks.json file from conformance results
+     */
+    parseChecksFile(checksPath) {
+        try {
+            const content = fs.readFileSync(checksPath, "utf-8");
+            const results = JSON.parse(content);
+            return results.map((r) => ({
+                name: r.name,
+                status: r.status === "pass" ? "pass" : "fail",
+                message: r.message || "",
+                timestamp: r.timestamp,
+            }));
+        }
+        catch (error) {
+            this.logger.debug(`Failed to parse checks.json: ${error instanceof Error ? error.message : String(error)}`);
+            return [];
+        }
+    }
+    /**
+     * Check if the MCP conformance package is available
+     */
+    isConformancePackageAvailable() {
+        try {
+            execFileSync("npx", ["@modelcontextprotocol/conformance", "--version"], {
+                timeout: 30000,
+                stdio: "pipe",
+                encoding: "utf-8",
+            });
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Cleanup temporary directory
+     */
+    cleanupTempDir(dirPath) {
+        try {
+            fs.rmSync(dirPath, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+    /**
+     * Determine overall conformance status
+     */
+    determineConformanceStatus(passed, total, scenarios) {
+        // If no checks ran, need more info
+        if (total === 0) {
+            return "NEED_MORE_INFO";
+        }
+        // Check if any critical scenarios failed
+        const criticalScenarios = ["server-initialize", "tools-list"];
+        const criticalFailures = scenarios.filter((s) => criticalScenarios.includes(s.name) && s.status === "fail");
+        if (criticalFailures.length > 0) {
+            return "FAIL";
+        }
+        // Use pass rate for status
+        const passRate = passed / total;
+        if (passRate >= 0.9) {
+            return "PASS";
+        }
+        if (passRate >= 0.7) {
+            return "NEED_MORE_INFO";
+        }
+        return "FAIL";
+    }
+    /**
+     * Generate human-readable explanation
+     */
+    generateExplanation(status, passed, total, scenarios) {
+        const passRate = total > 0 ? Math.round((passed / total) * 100) : 0;
+        if (status === "PASS") {
+            return `Server passes ${passRate}% of official MCP conformance checks (${passed}/${total}). The implementation correctly follows the MCP protocol specification.`;
+        }
+        if (status === "NEED_MORE_INFO") {
+            const skipped = scenarios.filter((s) => s.status === "skip").length;
+            if (skipped > 0) {
+                return `Conformance testing partially completed. ${skipped} scenario(s) were skipped. ${passed}/${total} checks passed (${passRate}%).`;
+            }
+            return `Server passes ${passRate}% of conformance checks (${passed}/${total}). Some non-critical checks failed; review recommended.`;
+        }
+        // FAIL
+        const failures = scenarios.filter((s) => s.status === "fail");
+        return `Server fails conformance testing. ${failures.length} scenario(s) failed. Only ${passRate}% of checks passed (${passed}/${total}).`;
+    }
+    /**
+     * Generate recommendations based on failures
+     */
+    generateRecommendations(scenarios, checks) {
+        const recommendations = [];
+        // Check for initialization failures
+        const initScenario = scenarios.find((s) => s.name === "server-initialize");
+        if (initScenario?.status === "fail") {
+            recommendations.push("Fix initialization handshake issues - ensure server responds correctly to initialize request with valid serverInfo and capabilities.");
+        }
+        // Check for tools-list failures
+        const toolsListScenario = scenarios.find((s) => s.name === "tools-list");
+        if (toolsListScenario?.status === "fail") {
+            recommendations.push("Review tools/list implementation - ensure all tools have valid names, descriptions, and input schemas.");
+        }
+        // Check for skipped scenarios
+        const skipped = scenarios.filter((s) => s.status === "skip");
+        if (skipped.length > 0) {
+            recommendations.push(`Run conformance tests again to complete ${skipped.length} skipped scenario(s): ${skipped.map((s) => s.name).join(", ")}.`);
+        }
+        // Generic recommendations based on check failures
+        const failedChecks = checks.filter((c) => c.status === "fail");
+        if (failedChecks.length > 0 && recommendations.length < 3) {
+            recommendations.push("Review MCP specification at modelcontextprotocol.io for protocol compliance requirements.");
+        }
+        if (recommendations.length === 0) {
+            recommendations.push("Consider running full conformance suite periodically to catch regressions.");
+        }
+        return recommendations;
+    }
+    /**
+     * Create a skipped result when conformance tests cannot run
+     */
+    createSkippedResult(reason) {
+        return {
+            status: "NEED_MORE_INFO",
+            conformanceVersion: CONFORMANCE_PACKAGE_VERSION,
+            protocolVersion: this.config.mcpProtocolVersion || "2025-06",
+            scenarios: [],
+            officialChecks: [],
+            passedChecks: 0,
+            totalChecks: 0,
+            complianceScore: 0,
+            explanation: `Conformance testing skipped: ${reason}`,
+            recommendations: [
+                "Use HTTP or SSE transport to enable conformance testing.",
+                "Configure serverUrl in assessment configuration for STDIO servers.",
+            ],
+            skipped: true,
+            skipReason: reason,
+        };
+    }
+}

package/lib/services/assessment/modules/ResourceAssessor.d.ts CHANGED Viewed

@@ -28,6 +28,20 @@ export declare class ResourceAssessor extends BaseAssessor {
      */
     private inferDataClassification;
     private testResourceTemplate;
+    /**
+     * Issue #119, Challenge #14: Test URI injection vulnerabilities in resource templates
+     * Injects malicious payloads into URI parameters and checks for sensitive content leakage
+     */
+    private testParameterizedUriInjection;
+    /**
+     * Issue #119, Challenge #14: Probe for hidden/undeclared resources
+     * Tests common hidden resource patterns to find accessible but undeclared resources
+     */
+    private testHiddenResourceDiscovery;
+    /**
+     * Helper: Probe a single hidden resource URI
+     */
+    private probeHiddenResource;
     private isValidUri;
     private isValidUriTemplate;
     private isSensitiveUri;

package/lib/services/assessment/modules/ResourceAssessor.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ResourceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ResourceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,kBAAkB,EAGnB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;~~AAoN9D~~,qBAAa,gBAAiB,SAAQ,YAAY;IAC1C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;~~IAgFrE~~,OAAO,CAAC,yBAAyB;YAiBnB,YAAY;IAoG1B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAY/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;YAsBjB,oBAAoB;IAkGlC,OAAO,CAAC,UAAU;IAsBlB,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,wBAAwB;IAIhC;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAc7B,OAAO,CAAC,yBAAyB;IAYjC,OAAO,CAAC,uBAAuB;IAqB/B,OAAO,CAAC,mBAAmB;IAoC3B,OAAO,CAAC,uBAAuB;CA+DhC"}
1	+ {"version":3,"file":"ResourceAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ResourceAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,kBAAkB,EAGnB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAuQ9D,qBAAa,gBAAiB,SAAQ,YAAY;IAC1C,MAAM,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA8FrE,OAAO,CAAC,yBAAyB;YAiBnB,YAAY;IAoG1B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAY/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;IACH,OAAO,CAAC,uBAAuB;YAsBjB,oBAAoB;IAkGlC;;;OAGG;YACW,6BAA6B;IA4F3C;;;OAGG;YACW,2BAA2B;IAgEzC;;OAEG;YACW,mBAAmB;IAmEjC,OAAO,CAAC,UAAU;IAsBlB,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,wBAAwB;IAIhC;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAc7B,OAAO,CAAC,yBAAyB;IAYjC,OAAO,CAAC,uBAAuB;IAqB/B,OAAO,CAAC,mBAAmB;IAoC3B,OAAO,CAAC,uBAAuB;CA+DhC"}