@bryan-thompson/inspector-assessment-client 1.5.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74) hide show
  1. package/dist/assets/{OAuthCallback-DGVqLct6.js → OAuthCallback-Xo9zS7pv.js} +1 -1
  2. package/dist/assets/{OAuthDebugCallback-DHflRQgp.js → OAuthDebugCallback-CaIey8K_.js} +1 -1
  3. package/dist/assets/{index-Btl7vuTl.js → index-nCPw6E-c.js} +4 -4
  4. package/dist/index.html +1 -1
  5. package/lib/lib/assessmentTypes.d.ts +670 -0
  6. package/lib/lib/assessmentTypes.d.ts.map +1 -0
  7. package/lib/lib/assessmentTypes.js +220 -0
  8. package/lib/lib/aupPatterns.d.ts +63 -0
  9. package/lib/lib/aupPatterns.d.ts.map +1 -0
  10. package/lib/lib/aupPatterns.js +344 -0
  11. package/lib/lib/prohibitedLibraries.d.ts +76 -0
  12. package/lib/lib/prohibitedLibraries.d.ts.map +1 -0
  13. package/lib/lib/prohibitedLibraries.js +364 -0
  14. package/lib/lib/securityPatterns.d.ts +64 -0
  15. package/lib/lib/securityPatterns.d.ts.map +1 -0
  16. package/lib/lib/securityPatterns.js +453 -0
  17. package/lib/services/assessment/AssessmentOrchestrator.d.ts +88 -0
  18. package/lib/services/assessment/AssessmentOrchestrator.d.ts.map +1 -0
  19. package/lib/services/assessment/AssessmentOrchestrator.js +418 -0
  20. package/lib/services/assessment/ResponseValidator.d.ts +69 -0
  21. package/lib/services/assessment/ResponseValidator.d.ts.map +1 -0
  22. package/lib/services/assessment/ResponseValidator.js +1038 -0
  23. package/lib/services/assessment/TestDataGenerator.d.ts +86 -0
  24. package/lib/services/assessment/TestDataGenerator.d.ts.map +1 -0
  25. package/lib/services/assessment/TestDataGenerator.js +669 -0
  26. package/lib/services/assessment/TestScenarioEngine.d.ts +91 -0
  27. package/lib/services/assessment/TestScenarioEngine.d.ts.map +1 -0
  28. package/lib/services/assessment/TestScenarioEngine.js +505 -0
  29. package/lib/services/assessment/ToolClassifier.d.ts +61 -0
  30. package/lib/services/assessment/ToolClassifier.d.ts.map +1 -0
  31. package/lib/services/assessment/ToolClassifier.js +349 -0
  32. package/lib/services/assessment/lib/claudeCodeBridge.d.ts +160 -0
  33. package/lib/services/assessment/lib/claudeCodeBridge.d.ts.map +1 -0
  34. package/lib/services/assessment/lib/claudeCodeBridge.js +357 -0
  35. package/lib/services/assessment/modules/AUPComplianceAssessor.d.ts +100 -0
  36. package/lib/services/assessment/modules/AUPComplianceAssessor.d.ts.map +1 -0
  37. package/lib/services/assessment/modules/AUPComplianceAssessor.js +474 -0
  38. package/lib/services/assessment/modules/BaseAssessor.d.ts +71 -0
  39. package/lib/services/assessment/modules/BaseAssessor.d.ts.map +1 -0
  40. package/lib/services/assessment/modules/BaseAssessor.js +171 -0
  41. package/lib/services/assessment/modules/DocumentationAssessor.d.ts +45 -0
  42. package/lib/services/assessment/modules/DocumentationAssessor.d.ts.map +1 -0
  43. package/lib/services/assessment/modules/DocumentationAssessor.js +355 -0
  44. package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts +25 -0
  45. package/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map +1 -0
  46. package/lib/services/assessment/modules/ErrorHandlingAssessor.js +564 -0
  47. package/lib/services/assessment/modules/FunctionalityAssessor.d.ts +20 -0
  48. package/lib/services/assessment/modules/FunctionalityAssessor.d.ts.map +1 -0
  49. package/lib/services/assessment/modules/FunctionalityAssessor.js +253 -0
  50. package/lib/services/assessment/modules/MCPSpecComplianceAssessor.d.ts +70 -0
  51. package/lib/services/assessment/modules/MCPSpecComplianceAssessor.d.ts.map +1 -0
  52. package/lib/services/assessment/modules/MCPSpecComplianceAssessor.js +508 -0
  53. package/lib/services/assessment/modules/ManifestValidationAssessor.d.ts +70 -0
  54. package/lib/services/assessment/modules/ManifestValidationAssessor.d.ts.map +1 -0
  55. package/lib/services/assessment/modules/ManifestValidationAssessor.js +430 -0
  56. package/lib/services/assessment/modules/PortabilityAssessor.d.ts +43 -0
  57. package/lib/services/assessment/modules/PortabilityAssessor.d.ts.map +1 -0
  58. package/lib/services/assessment/modules/PortabilityAssessor.js +347 -0
  59. package/lib/services/assessment/modules/ProhibitedLibrariesAssessor.d.ts +41 -0
  60. package/lib/services/assessment/modules/ProhibitedLibrariesAssessor.d.ts.map +1 -0
  61. package/lib/services/assessment/modules/ProhibitedLibrariesAssessor.js +256 -0
  62. package/lib/services/assessment/modules/SecurityAssessor.d.ts +176 -0
  63. package/lib/services/assessment/modules/SecurityAssessor.d.ts.map +1 -0
  64. package/lib/services/assessment/modules/SecurityAssessor.js +1333 -0
  65. package/lib/services/assessment/modules/ToolAnnotationAssessor.d.ts +96 -0
  66. package/lib/services/assessment/modules/ToolAnnotationAssessor.d.ts.map +1 -0
  67. package/lib/services/assessment/modules/ToolAnnotationAssessor.js +593 -0
  68. package/lib/services/assessment/modules/UsabilityAssessor.d.ts +21 -0
  69. package/lib/services/assessment/modules/UsabilityAssessor.d.ts.map +1 -0
  70. package/lib/services/assessment/modules/UsabilityAssessor.js +241 -0
  71. package/lib/services/assessment/modules/index.d.ts +33 -0
  72. package/lib/services/assessment/modules/index.d.ts.map +1 -0
  73. package/lib/services/assessment/modules/index.js +35 -0
  74. package/package.json +15 -3
package/lib/lib/prohibitedLibraries.d.ts ADDED
@@ -0,0 +1,76 @@
1
+ /**
2
+ * Prohibited Libraries Detection
3
+ * Based on Anthropic MCP Directory Policy #28-30
4
+ *
5
+ * MCP servers should NOT include:
6
+ * - Financial transaction processing libraries (Policy #28)
7
+ * - Payment processing libraries (Policy #29)
8
+ * - Media processing libraries without justification (Policy #30)
9
+ *
10
+ * Reference: https://support.claude.com/en/articles/11697096-anthropic-mcp-directory-policy
11
+ */
12
+ import type { ProhibitedLibraryCategory } from "./assessmentTypes.js";
13
+ export interface ProhibitedLibrary {
14
+ name: string;
15
+ patterns: RegExp[];
16
+ category: ProhibitedLibraryCategory;
17
+ severity: "BLOCKING" | "HIGH" | "MEDIUM";
18
+ policyReference: string;
19
+ reason: string;
20
+ alternatives?: string;
21
+ }
22
+ /**
23
+ * Financial/Payment Processing Libraries - BLOCKING
24
+ * These libraries handle real money transactions and should not be in MCP servers
25
+ */
26
+ export declare const FINANCIAL_LIBRARIES: ProhibitedLibrary[];
27
+ /**
28
+ * Media Processing Libraries - HIGH (requires justification)
29
+ * These libraries should only be included with clear justification
30
+ */
31
+ export declare const MEDIA_LIBRARIES: ProhibitedLibrary[];
32
+ /**
33
+ * All prohibited libraries combined
34
+ */
35
+ export declare const ALL_PROHIBITED_LIBRARIES: ProhibitedLibrary[];
36
+ /**
37
+ * Check a dependency name against prohibited libraries
38
+ */
39
+ export declare function checkDependency(depName: string): ProhibitedLibrary | null;
40
+ /**
41
+ * Check source code imports for prohibited libraries
42
+ */
43
+ export declare function checkSourceImports(sourceCode: string): Array<{
44
+ library: ProhibitedLibrary;
45
+ matchedText: string;
46
+ lineNumber?: number;
47
+ }>;
48
+ /**
49
+ * Check package.json dependencies for prohibited libraries
50
+ */
51
+ export declare function checkPackageJsonDependencies(packageJson: {
52
+ dependencies?: Record<string, string>;
53
+ devDependencies?: Record<string, string>;
54
+ peerDependencies?: Record<string, string>;
55
+ }): Array<{
56
+ library: ProhibitedLibrary;
57
+ dependencyType: "dependencies" | "devDependencies" | "peerDependencies";
58
+ version: string;
59
+ }>;
60
+ /**
61
+ * Check Python requirements.txt for prohibited libraries
62
+ */
63
+ export declare function checkRequirementsTxt(content: string): Array<{
64
+ library: ProhibitedLibrary;
65
+ matchedText: string;
66
+ lineNumber: number;
67
+ }>;
68
+ /**
69
+ * Get libraries by severity level
70
+ */
71
+ export declare function getLibrariesBySeverity(severity: "BLOCKING" | "HIGH" | "MEDIUM"): ProhibitedLibrary[];
72
+ /**
73
+ * Get libraries by category
74
+ */
75
+ export declare function getLibrariesByCategory(category: ProhibitedLibraryCategory): ProhibitedLibrary[];
76
+ //# sourceMappingURL=prohibitedLibraries.d.ts.map
package/lib/lib/prohibitedLibraries.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"prohibitedLibraries.d.ts","sourceRoot":"","sources":["../../src/lib/prohibitedLibraries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAEnE,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,yBAAyB,CAAC;IACpC,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,eAAO,MAAM,mBAAmB,EAAE,iBAAiB,EAqHlD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,iBAAiB,EAkH9C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wBAAwB,EAAE,iBAAiB,EAGvD,CAAC;AAEF;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CASzE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,KAAK,CAAC;IAC5D,OAAO,EAAE,iBAAiB,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAgDD;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,WAAW,EAAE;IACxD,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C,GAAG,KAAK,CAAC;IACR,OAAO,EAAE,iBAAiB,CAAC;IAC3B,cAAc,EAAE,cAAc,GAAG,iBAAiB,GAAG,kBAAkB,CAAC;IACxE,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC,CA8BD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,KAAK,CAAC;IAC3D,OAAO,EAAE,iBAAiB,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CAgCD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GACvC,iBAAiB,EAAE,CAErB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,yBAAyB,GAClC,iBAAiB,EAAE,CAErB"}
package/lib/lib/prohibitedLibraries.js ADDED
@@ -0,0 +1,364 @@
1
+ /**
2
+ * Prohibited Libraries Detection
3
+ * Based on Anthropic MCP Directory Policy #28-30
4
+ *
5
+ * MCP servers should NOT include:
6
+ * - Financial transaction processing libraries (Policy #28)
7
+ * - Payment processing libraries (Policy #29)
8
+ * - Media processing libraries without justification (Policy #30)
9
+ *
10
+ * Reference: https://support.claude.com/en/articles/11697096-anthropic-mcp-directory-policy
11
+ */
12
+ /**
13
+ * Financial/Payment Processing Libraries - BLOCKING
14
+ * These libraries handle real money transactions and should not be in MCP servers
15
+ */
16
+ export const FINANCIAL_LIBRARIES = [
17
+ // Payment Processors
18
+ {
19
+ name: "stripe",
20
+ patterns: [/\bstripe\b/i, /@stripe\//i],
21
+ category: "payments",
22
+ severity: "BLOCKING",
23
+ policyReference: "Policy #28",
24
+ reason: "Stripe SDK enables payment processing which violates directory policy",
25
+ alternatives: "Use Stripe's webhook-based approach outside of MCP context",
26
+ },
27
+ {
28
+ name: "paypal",
29
+ patterns: [/\bpaypal\b/i, /@paypal\//i, /paypal-rest-sdk/i],
30
+ category: "payments",
31
+ severity: "BLOCKING",
32
+ policyReference: "Policy #28",
33
+ reason: "PayPal SDK enables payment processing",
34
+ alternatives: "Process payments outside of MCP server",
35
+ },
36
+ {
37
+ name: "square",
38
+ patterns: [/\bsquare\b/i, /@square\//i, /square-connect/i],
39
+ category: "payments",
40
+ severity: "BLOCKING",
41
+ policyReference: "Policy #28",
42
+ reason: "Square SDK enables payment processing",
43
+ },
44
+ {
45
+ name: "braintree",
46
+ patterns: [/\bbraintree\b/i],
47
+ category: "payments",
48
+ severity: "BLOCKING",
49
+ policyReference: "Policy #28",
50
+ reason: "Braintree SDK enables payment processing",
51
+ },
52
+ {
53
+ name: "adyen",
54
+ patterns: [/\badyen\b/i, /@adyen\//i],
55
+ category: "payments",
56
+ severity: "BLOCKING",
57
+ policyReference: "Policy #28",
58
+ reason: "Adyen SDK enables payment processing",
59
+ },
60
+ // Banking/Financial Data
61
+ {
62
+ name: "plaid",
63
+ patterns: [/\bplaid\b/i, /plaid-node/i, /@plaid\//i],
64
+ category: "banking",
65
+ severity: "BLOCKING",
66
+ policyReference: "Policy #29",
67
+ reason: "Plaid connects to bank accounts which poses significant security risk",
68
+ },
69
+ {
70
+ name: "yodlee",
71
+ patterns: [/\byodlee\b/i],
72
+ category: "banking",
73
+ severity: "BLOCKING",
74
+ policyReference: "Policy #29",
75
+ reason: "Yodlee accesses financial account data",
76
+ },
77
+ {
78
+ name: "finicity",
79
+ patterns: [/\bfinicity\b/i],
80
+ category: "banking",
81
+ severity: "BLOCKING",
82
+ policyReference: "Policy #29",
83
+ reason: "Finicity accesses financial account data",
84
+ },
85
+ {
86
+ name: "mx",
87
+ patterns: [/\bmx-platform\b/i, /@mx\//i],
88
+ category: "banking",
89
+ severity: "BLOCKING",
90
+ policyReference: "Policy #29",
91
+ reason: "MX Platform accesses financial account data",
92
+ },
93
+ // Cryptocurrency
94
+ {
95
+ name: "coinbase",
96
+ patterns: [/\bcoinbase\b/i, /coinbase-commerce/i, /@coinbase\//i],
97
+ category: "financial",
98
+ severity: "BLOCKING",
99
+ policyReference: "Policy #28",
100
+ reason: "Coinbase SDK enables cryptocurrency transactions",
101
+ },
102
+ {
103
+ name: "binance",
104
+ patterns: [/\bbinance\b/i, /node-binance-api/i],
105
+ category: "financial",
106
+ severity: "BLOCKING",
107
+ policyReference: "Policy #28",
108
+ reason: "Binance SDK enables cryptocurrency trading",
109
+ },
110
+ {
111
+ name: "ethers",
112
+ patterns: [/\bethers\b/i, /ethers\.js/i],
113
+ category: "financial",
114
+ severity: "HIGH",
115
+ policyReference: "Policy #28",
116
+ reason: "Ethers.js enables Ethereum transactions (review blockchain read-only use)",
117
+ alternatives: "May be acceptable for read-only blockchain queries",
118
+ },
119
+ {
120
+ name: "web3",
121
+ patterns: [/\bweb3\b/i, /web3\.js/i],
122
+ category: "financial",
123
+ severity: "HIGH",
124
+ policyReference: "Policy #28",
125
+ reason: "Web3.js enables blockchain transactions (review read-only use)",
126
+ alternatives: "May be acceptable for read-only blockchain queries",
127
+ },
128
+ ];
129
+ /**
130
+ * Media Processing Libraries - HIGH (requires justification)
131
+ * These libraries should only be included with clear justification
132
+ */
133
+ export const MEDIA_LIBRARIES = [
134
+ // Image Processing
135
+ {
136
+ name: "pillow",
137
+ patterns: [/\bpillow\b/i, /\bpil\b/i, /from\s+PIL\s+import/i],
138
+ category: "media",
139
+ severity: "HIGH",
140
+ policyReference: "Policy #30",
141
+ reason: "PIL/Pillow enables image manipulation - requires justification for MCP server use",
142
+ alternatives: "Consider if image processing is necessary for MCP functionality",
143
+ },
144
+ {
145
+ name: "opencv",
146
+ patterns: [/\bopencv\b/i, /cv2/i, /opencv-python/i],
147
+ category: "media",
148
+ severity: "HIGH",
149
+ policyReference: "Policy #30",
150
+ reason: "OpenCV enables computer vision/image processing - requires justification",
151
+ },
152
+ {
153
+ name: "sharp",
154
+ patterns: [/\bsharp\b/i],
155
+ category: "media",
156
+ severity: "HIGH",
157
+ policyReference: "Policy #30",
158
+ reason: "Sharp enables image processing in Node.js - requires justification",
159
+ alternatives: "Consider if image transformation is core to MCP functionality",
160
+ },
161
+ {
162
+ name: "jimp",
163
+ patterns: [/\bjimp\b/i],
164
+ category: "media",
165
+ severity: "HIGH",
166
+ policyReference: "Policy #30",
167
+ reason: "Jimp enables image manipulation in JavaScript - requires justification",
168
+ },
169
+ {
170
+ name: "imagemagick",
171
+ patterns: [/\bimagemagick\b/i, /\bmagick\b/i, /gm\b/],
172
+ category: "media",
173
+ severity: "HIGH",
174
+ policyReference: "Policy #30",
175
+ reason: "ImageMagick enables image processing - requires justification",
176
+ },
177
+ {
178
+ name: "node-canvas",
179
+ patterns: [/\bnode-canvas\b/i, /\bcanvas\b/],
180
+ category: "media",
181
+ severity: "MEDIUM",
182
+ policyReference: "Policy #30",
183
+ reason: "Canvas enables image generation - may be acceptable for visualization",
184
+ },
185
+ // Video/Audio Processing
186
+ {
187
+ name: "ffmpeg",
188
+ patterns: [/\bffmpeg\b/i, /fluent-ffmpeg/i, /ffmpeg-static/i],
189
+ category: "media",
190
+ severity: "HIGH",
191
+ policyReference: "Policy #30",
192
+ reason: "FFmpeg enables video/audio processing - requires strong justification",
193
+ },
194
+ {
195
+ name: "moviepy",
196
+ patterns: [/\bmoviepy\b/i],
197
+ category: "media",
198
+ severity: "HIGH",
199
+ policyReference: "Policy #30",
200
+ reason: "MoviePy enables video editing - requires justification",
201
+ },
202
+ {
203
+ name: "pydub",
204
+ patterns: [/\bpydub\b/i],
205
+ category: "media",
206
+ severity: "HIGH",
207
+ policyReference: "Policy #30",
208
+ reason: "PyDub enables audio manipulation - requires justification",
209
+ },
210
+ {
211
+ name: "sox",
212
+ patterns: [/\bsox\b/i, /python-sox/i],
213
+ category: "media",
214
+ severity: "HIGH",
215
+ policyReference: "Policy #30",
216
+ reason: "SoX enables audio processing - requires justification",
217
+ },
218
+ // PDF Processing (often legitimate)
219
+ {
220
+ name: "pdf-lib",
221
+ patterns: [/\bpdf-lib\b/i],
222
+ category: "media",
223
+ severity: "MEDIUM",
224
+ policyReference: "Policy #30",
225
+ reason: "PDF-lib enables PDF manipulation - often legitimate for document tools",
226
+ },
227
+ {
228
+ name: "pypdf",
229
+ patterns: [/\bpypdf\b/i, /pypdf2/i],
230
+ category: "media",
231
+ severity: "MEDIUM",
232
+ policyReference: "Policy #30",
233
+ reason: "PyPDF enables PDF manipulation - often legitimate for document tools",
234
+ },
235
+ ];
236
+ /**
237
+ * All prohibited libraries combined
238
+ */
239
+ export const ALL_PROHIBITED_LIBRARIES = [
240
+ ...FINANCIAL_LIBRARIES,
241
+ ...MEDIA_LIBRARIES,
242
+ ];
243
+ /**
244
+ * Check a dependency name against prohibited libraries
245
+ */
246
+ export function checkDependency(depName) {
247
+ for (const lib of ALL_PROHIBITED_LIBRARIES) {
248
+ for (const pattern of lib.patterns) {
249
+ if (pattern.test(depName)) {
250
+ return lib;
251
+ }
252
+ }
253
+ }
254
+ return null;
255
+ }
256
+ /**
257
+ * Check source code imports for prohibited libraries
258
+ */
259
+ export function checkSourceImports(sourceCode) {
260
+ const matches = [];
261
+ const lines = sourceCode.split("\n");
262
+ for (let i = 0; i < lines.length; i++) {
263
+ const line = lines[i];
264
+ // Check import statements
265
+ const importPatterns = [
266
+ /import\s+.*from\s+['"]([^'"]+)['"]/g, // ES6 import
267
+ /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g, // CommonJS require
268
+ /from\s+([a-zA-Z_][a-zA-Z0-9_]*)\s+import/g, // Python import
269
+ /import\s+([a-zA-Z_][a-zA-Z0-9_]*)/g, // Python import
270
+ ];
271
+ for (const importPattern of importPatterns) {
272
+ let match;
273
+ while ((match = importPattern.exec(line)) !== null) {
274
+ const importedModule = match[1];
275
+ for (const lib of ALL_PROHIBITED_LIBRARIES) {
276
+ for (const pattern of lib.patterns) {
277
+ if (pattern.test(importedModule) || pattern.test(line)) {
278
+ matches.push({
279
+ library: lib,
280
+ matchedText: match[0],
281
+ lineNumber: i + 1,
282
+ });
283
+ }
284
+ }
285
+ }
286
+ }
287
+ }
288
+ }
289
+ // De-duplicate matches by library name and line
290
+ const seen = new Set();
291
+ return matches.filter((m) => {
292
+ const key = `${m.library.name}:${m.lineNumber}`;
293
+ if (seen.has(key))
294
+ return false;
295
+ seen.add(key);
296
+ return true;
297
+ });
298
+ }
299
+ /**
300
+ * Check package.json dependencies for prohibited libraries
301
+ */
302
+ export function checkPackageJsonDependencies(packageJson) {
303
+ const matches = [];
304
+ const depTypes = [
305
+ "dependencies",
306
+ "devDependencies",
307
+ "peerDependencies",
308
+ ];
309
+ for (const depType of depTypes) {
310
+ const deps = packageJson[depType];
311
+ if (!deps)
312
+ continue;
313
+ for (const [depName, version] of Object.entries(deps)) {
314
+ const prohibitedLib = checkDependency(depName);
315
+ if (prohibitedLib) {
316
+ matches.push({
317
+ library: prohibitedLib,
318
+ dependencyType: depType,
319
+ version,
320
+ });
321
+ }
322
+ }
323
+ }
324
+ return matches;
325
+ }
326
+ /**
327
+ * Check Python requirements.txt for prohibited libraries
328
+ */
329
+ export function checkRequirementsTxt(content) {
330
+ const matches = [];
331
+ const lines = content.split("\n");
332
+ for (let i = 0; i < lines.length; i++) {
333
+ const line = lines[i].trim();
334
+ // Skip comments and empty lines
335
+ if (!line || line.startsWith("#"))
336
+ continue;
337
+ // Extract package name (before any version specifier)
338
+ const packageMatch = line.match(/^([a-zA-Z0-9_-]+)/);
339
+ if (!packageMatch)
340
+ continue;
341
+ const packageName = packageMatch[1];
342
+ const prohibitedLib = checkDependency(packageName);
343
+ if (prohibitedLib) {
344
+ matches.push({
345
+ library: prohibitedLib,
346
+ matchedText: line,
347
+ lineNumber: i + 1,
348
+ });
349
+ }
350
+ }
351
+ return matches;
352
+ }
353
+ /**
354
+ * Get libraries by severity level
355
+ */
356
+ export function getLibrariesBySeverity(severity) {
357
+ return ALL_PROHIBITED_LIBRARIES.filter((lib) => lib.severity === severity);
358
+ }
359
+ /**
360
+ * Get libraries by category
361
+ */
362
+ export function getLibrariesByCategory(category) {
363
+ return ALL_PROHIBITED_LIBRARIES.filter((lib) => lib.category === category);
364
+ }
package/lib/lib/securityPatterns.d.ts ADDED
@@ -0,0 +1,64 @@
1
+ /**
2
+ * Backend API Security Patterns
3
+ * Tests MCP server API security with 13 focused patterns
4
+ *
5
+ * Architecture: Attack-Type with Specific Payloads
6
+ * - Critical Injection (4 patterns): Command, Calculator, SQL, Path Traversal
7
+ * - Input Validation (3 patterns): Type Safety, Boundary Testing, Required Fields
8
+ * - Protocol Compliance (2 patterns): MCP Error Format, Timeout Handling
9
+ * - Tool-Specific Vulnerabilities (4 patterns): Indirect Injection, Unicode Bypass, Nested Injection, Package Squatting
10
+ *
11
+ * Scope: Backend API Security ONLY
12
+ * - Tests structured data inputs to API endpoints
13
+ * - Validates server-side security controls
14
+ * - Tests MCP protocol compliance
15
+ * - Tests tool-specific vulnerability patterns with parameter-aware payloads
16
+ *
17
+ * Out of Scope: LLM Prompt Injection
18
+ * - MCP servers are APIs that receive structured data, not prompts
19
+ * - If a server uses an LLM internally, that's the LLM's responsibility
20
+ * - We test the MCP API layer, not the LLM behavior layer
21
+ */
22
+ import { SecurityRiskLevel } from "./assessmentTypes.js";
23
+ export interface SecurityPayload {
24
+ payload: string;
25
+ evidence: RegExp;
26
+ riskLevel: SecurityRiskLevel;
27
+ description: string;
28
+ payloadType: string;
29
+ parameterTypes?: string[];
30
+ }
31
+ export interface AttackPattern {
32
+ attackName: string;
33
+ description: string;
34
+ payloads: SecurityPayload[];
35
+ }
36
+ /**
37
+ * ========================================
38
+ * BACKEND API SECURITY PATTERNS
39
+ * ========================================
40
+ *
41
+ * 13 focused patterns for MCP server API security
42
+ */
43
+ export declare const SECURITY_ATTACK_PATTERNS: AttackPattern[];
44
+ /**
45
+ * Get all payloads for an attack type
46
+ */
47
+ export declare function getPayloadsForAttack(attackName: string, limit?: number): SecurityPayload[];
48
+ /**
49
+ * Get all attack patterns (for testing all tools)
50
+ */
51
+ export declare function getAllAttackPatterns(): AttackPattern[];
52
+ /**
53
+ * Get pattern statistics
54
+ */
55
+ export declare function getPatternStatistics(): {
56
+ totalAttackTypes: number;
57
+ totalPayloads: number;
58
+ highRiskPayloads: number;
59
+ mediumRiskPayloads: number;
60
+ lowRiskPayloads: number;
61
+ payloadTypeBreakdown: Record<string, number>;
62
+ averagePayloadsPerAttack: number;
63
+ };
64
+ //# sourceMappingURL=securityPatterns.d.ts.map
package/lib/lib/securityPatterns.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EAgZnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}