@bryan-thompson/inspector-assessment 1.0.1 → 1.2.0

package/README.md

@@ -45,6 +45,18 @@ bunx @bryan-thompson/inspector-assessment
 
 The web interface will open at http://localhost:6274
 
+## For MCP Directory Reviewers
+
+If you're reviewing MCP servers for the Anthropic MCP Directory, see our **[Reviewer Quick Start Guide](docs/REVIEWER_QUICK_START.md)** for:
+
+- **60-second fast screening** workflow for approve/reject decisions
+- **5-minute detailed review** process for borderline cases
+- **Common pitfalls** explanation (false positives in security, informational vs scored tests)
+- **Decision matrix** with clear approval criteria
+- **Fast CLI analysis** commands for troubleshooting
+
+The quick start guide is optimized for fast reviewer onboarding and provides clear guidance on interpreting assessment results.
+
 ## About This Fork
 
 This is an enhanced fork of [Anthropic's MCP Inspector](https://github.com/modelcontextprotocol/inspector) with significantly expanded assessment capabilities for MCP server validation and testing.

package/client/dist/assets/{OAuthCallback-pJpyrBg5.js → OAuthCallback-CS0hHvzr.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BEmDUKhR.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CkSRacMw.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-BGti8QhX.js → OAuthDebugCallback-CRsLrDJk.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BEmDUKhR.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CkSRacMw.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-DYiWOife.css → index-Bc4MVSgQ.css}

@@ -1332,6 +1332,9 @@ video {
 .whitespace-nowrap {
   white-space: nowrap;
 }
+.whitespace-pre-line {
+  white-space: pre-line;
+}
 .whitespace-pre-wrap {
   white-space: pre-wrap;
 }
@@ -1383,6 +1386,10 @@ video {
 .border-t {
   border-top-width: 1px;
 }
+.border-amber-500 {
+  --tw-border-opacity: 1;
+  border-color: rgb(245 158 11 / var(--tw-border-opacity, 1));
+}
 .border-blue-200 {
   --tw-border-opacity: 1;
   border-color: rgb(191 219 254 / var(--tw-border-opacity, 1));
@@ -1474,6 +1481,14 @@ video {
 .bg-accent {
   background-color: hsl(var(--accent));
 }
+.bg-amber-100 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(254 243 199 / var(--tw-bg-opacity, 1));
+}
+.bg-amber-50 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(255 251 235 / var(--tw-bg-opacity, 1));
+}
 .bg-background {
   background-color: hsl(var(--background));
 }
@@ -1550,6 +1565,10 @@ video {
 .bg-muted\/50 {
   background-color: hsl(var(--muted) / 0.5);
 }
+.bg-orange-100 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(255 237 213 / var(--tw-bg-opacity, 1));
+}
 .bg-orange-50 {
   --tw-bg-opacity: 1;
   background-color: rgb(255 247 237 / var(--tw-bg-opacity, 1));
@@ -1818,6 +1837,14 @@ video {
   --tw-text-opacity: 1;
   color: rgb(217 119 6 / var(--tw-text-opacity, 1));
 }
+.text-amber-800 {
+  --tw-text-opacity: 1;
+  color: rgb(146 64 14 / var(--tw-text-opacity, 1));
+}
+.text-amber-900 {
+  --tw-text-opacity: 1;
+  color: rgb(120 53 15 / var(--tw-text-opacity, 1));
+}
 .text-blue-500 {
   --tw-text-opacity: 1;
   color: rgb(59 130 246 / var(--tw-text-opacity, 1));
@@ -1912,6 +1939,10 @@ video {
   --tw-text-opacity: 1;
   color: rgb(234 88 12 / var(--tw-text-opacity, 1));
 }
+.text-orange-800 {
+  --tw-text-opacity: 1;
+  color: rgb(154 52 18 / var(--tw-text-opacity, 1));
+}
 .text-popover-foreground {
   color: hsl(var(--popover-foreground));
 }

package/client/dist/assets/{index-BEmDUKhR.js → index-CkSRacMw.js}

@@ -16205,7 +16205,7 @@ objectType({
   token_type_hint: stringType().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.0.1";
+const version$1 = "1.2.0";
 const packageJson = {
   name,
   version: version$1
@@ -41736,7 +41736,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.0.1";
+const version = "1.2.0";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -44133,6 +44133,8 @@ const ToolsTab = ({
 const DEFAULT_ASSESSMENT_CONFIG = {
   testTimeout: 3e4,
   // 30 seconds per tool
+  delayBetweenTests: 0,
+  // No delay by default
   skipBrokenTools: false,
   reviewerMode: false,
   enableExtendedAssessment: true,
@@ -44158,6 +44160,8 @@ const DEFAULT_ASSESSMENT_CONFIG = {
 const REVIEWER_MODE_CONFIG = {
   testTimeout: 1e4,
   // 10 seconds per tool (faster)
+  delayBetweenTests: 100,
+  // Small delay for rate limiting
   skipBrokenTools: true,
   // Skip broken tools to save time
   reviewerMode: true,
@@ -44188,6 +44192,8 @@ const REVIEWER_MODE_CONFIG = {
 const DEVELOPER_MODE_CONFIG = {
   testTimeout: 3e4,
   // 30 seconds per tool
+  delayBetweenTests: 500,
+  // Moderate delay for thorough testing
   skipBrokenTools: false,
   reviewerMode: false,
   enableExtendedAssessment: true,
@@ -44783,6 +44789,9 @@ class ErrorHandlingAssessor extends BaseAssessor {
       );
       testDetails.push(...toolTests);
       passedTests += toolTests.filter((t) => t.passed).length;
+      if (this.config.delayBetweenTests && this.config.delayBetweenTests > 0) {
+        await this.sleep(this.config.delayBetweenTests);
+      }
     }
     this.testCount = testDetails.length;
     const metrics = this.calculateMetrics(testDetails, passedTests);
@@ -44837,7 +44846,7 @@ class ErrorHandlingAssessor extends BaseAssessor {
     return tests;
   }
   async testMissingParameters(tool, callTool) {
-    var _a;
+    var _a, _b, _c;
     const testInput = {};
     const schema = this.getToolSchema(tool);
     const hasRequiredParams = (schema == null ? void 0 : schema.required) && Array.isArray(schema.required) && schema.required.length > 0;
@@ -44883,9 +44892,9 @@ class ErrorHandlingAssessor extends BaseAssessor {
         reason: isError ? void 0 : "Tool did not reject missing parameters"
       };
     } catch (error) {
-      const errorMessage = this.extractErrorMessage(error);
-      const messageLower = (errorMessage == null ? void 0 : errorMessage.toLowerCase()) ?? "";
-      const isMeaningfulError = messageLower.includes("required") || messageLower.includes("missing") || messageLower.includes("parameter") || messageLower.includes("must") || messageLower.includes("invalid") || messageLower.includes("validation") || (errorMessage == null ? void 0 : errorMessage.length) > 20;
+      const errorInfo = this.extractErrorInfo(error);
+      const messageLower = ((_b = errorInfo.message) == null ? void 0 : _b.toLowerCase()) ?? "";
+      const isMeaningfulError = messageLower.includes("required") || messageLower.includes("missing") || messageLower.includes("parameter") || messageLower.includes("must") || messageLower.includes("invalid") || messageLower.includes("validation") || (((_c = errorInfo.message) == null ? void 0 : _c.length) ?? 0) > 20;
       return {
         toolName: tool.name,
         testType: "missing_required",
@@ -44893,7 +44902,8 @@ class ErrorHandlingAssessor extends BaseAssessor {
         expectedError: "Missing required parameters",
         actualResponse: {
           isError: true,
-          errorMessage,
+          errorCode: errorInfo.code,
+          errorMessage: errorInfo.message,
           rawResponse: error
         },
         passed: isMeaningfulError,
@@ -44902,7 +44912,7 @@ class ErrorHandlingAssessor extends BaseAssessor {
     }
   }
   async testWrongTypes(tool, callTool) {
-    var _a;
+    var _a, _b, _c;
     const schema = this.getToolSchema(tool);
     const testInput = this.generateWrongTypeParams(schema);
     try {
@@ -44932,9 +44942,9 @@ class ErrorHandlingAssessor extends BaseAssessor {
         reason: isError ? void 0 : "Tool accepted wrong parameter types"
       };
     } catch (error) {
-      const errorMessage = this.extractErrorMessage(error);
-      const messageLower = (errorMessage == null ? void 0 : errorMessage.toLowerCase()) ?? "";
-      const isMeaningfulError = messageLower.includes("type") || messageLower.includes("invalid") || messageLower.includes("expected") || messageLower.includes("must be") || messageLower.includes("validation") || messageLower.includes("string") || messageLower.includes("number") || (errorMessage == null ? void 0 : errorMessage.length) > 20;
+      const errorInfo = this.extractErrorInfo(error);
+      const messageLower = ((_b = errorInfo.message) == null ? void 0 : _b.toLowerCase()) ?? "";
+      const isMeaningfulError = messageLower.includes("type") || messageLower.includes("invalid") || messageLower.includes("expected") || messageLower.includes("must be") || messageLower.includes("validation") || messageLower.includes("string") || messageLower.includes("number") || (((_c = errorInfo.message) == null ? void 0 : _c.length) ?? 0) > 20;
       return {
         toolName: tool.name,
         testType: "wrong_type",
@@ -44942,7 +44952,8 @@ class ErrorHandlingAssessor extends BaseAssessor {
         expectedError: "Type validation error",
         actualResponse: {
           isError: true,
-          errorMessage,
+          errorCode: errorInfo.code,
+          errorMessage: errorInfo.message,
           rawResponse: error
         },
         passed: isMeaningfulError,
@@ -44951,6 +44962,7 @@ class ErrorHandlingAssessor extends BaseAssessor {
     }
   }
   async testInvalidValues(tool, callTool) {
+    var _a, _b;
     const schema = this.getToolSchema(tool);
     const testInput = this.generateInvalidValueParams(schema);
     try {
@@ -44975,9 +44987,9 @@ class ErrorHandlingAssessor extends BaseAssessor {
         reason: isError ? void 0 : "Tool accepted invalid values"
       };
     } catch (error) {
-      const errorMessage = this.extractErrorMessage(error);
-      const messageLower = (errorMessage == null ? void 0 : errorMessage.toLowerCase()) ?? "";
-      const isMeaningfulError = messageLower.includes("invalid") || messageLower.includes("not allowed") || messageLower.includes("must") || messageLower.includes("cannot") || messageLower.includes("validation") || messageLower.includes("error") || (errorMessage == null ? void 0 : errorMessage.length) > 15;
+      const errorInfo = this.extractErrorInfo(error);
+      const messageLower = ((_a = errorInfo.message) == null ? void 0 : _a.toLowerCase()) ?? "";
+      const isMeaningfulError = messageLower.includes("invalid") || messageLower.includes("not allowed") || messageLower.includes("must") || messageLower.includes("cannot") || messageLower.includes("validation") || messageLower.includes("error") || (((_b = errorInfo.message) == null ? void 0 : _b.length) ?? 0) > 15;
       return {
         toolName: tool.name,
         testType: "invalid_values",
@@ -44985,7 +44997,8 @@ class ErrorHandlingAssessor extends BaseAssessor {
         expectedError: "Invalid parameter values",
         actualResponse: {
           isError: true,
-          errorMessage,
+          errorCode: errorInfo.code,
+          errorMessage: errorInfo.message,
           rawResponse: error
         },
         passed: isMeaningfulError,
@@ -44994,6 +45007,7 @@ class ErrorHandlingAssessor extends BaseAssessor {
     }
   }
   async testExcessiveInput(tool, callTool) {
+    var _a, _b;
     const largeString = "x".repeat(1e5);
     const testInput = this.generateParamsWithValue(tool, largeString);
     try {
@@ -45020,9 +45034,9 @@ class ErrorHandlingAssessor extends BaseAssessor {
         reason: !isError && !response ? "Tool crashed on large input" : void 0
       };
     } catch (error) {
-      const errorMessage = this.extractErrorMessage(error);
-      const messageLower = (errorMessage == null ? void 0 : errorMessage.toLowerCase()) ?? "";
-      const isMeaningfulError = messageLower.includes("size") || messageLower.includes("large") || messageLower.includes("limit") || messageLower.includes("exceed") || messageLower.includes("too") || messageLower.includes("maximum") || (errorMessage == null ? void 0 : errorMessage.length) > 10;
+      const errorInfo = this.extractErrorInfo(error);
+      const messageLower = ((_a = errorInfo.message) == null ? void 0 : _a.toLowerCase()) ?? "";
+      const isMeaningfulError = messageLower.includes("size") || messageLower.includes("large") || messageLower.includes("limit") || messageLower.includes("exceed") || messageLower.includes("too") || messageLower.includes("maximum") || (((_b = errorInfo.message) == null ? void 0 : _b.length) ?? 0) > 10;
       return {
         toolName: tool.name,
         testType: "excessive_input",
@@ -45030,7 +45044,8 @@ class ErrorHandlingAssessor extends BaseAssessor {
         expectedError: "Input size limit exceeded",
         actualResponse: {
           isError: true,
-          errorMessage,
+          errorCode: errorInfo.code,
+          errorMessage: errorInfo.message,
           rawResponse: "[error details omitted]"
         },
         passed: isMeaningfulError,
@@ -45178,12 +45193,17 @@ class ErrorHandlingAssessor extends BaseAssessor {
     else if (score >= 70) quality = "good";
     else if (score >= 50) quality = "fair";
     else quality = "poor";
-    const hasProperErrorCodes = tests.some(
+    const actualErrors = tests.filter((t) => t.actualResponse.isError);
+    const errorsWithCodes = actualErrors.filter(
       (t) => t.actualResponse.errorCode !== void 0
-    );
-    const hasDescriptiveMessages = tests.some(
+    ).length;
+    const errorsWithMessages = actualErrors.filter(
       (t) => t.actualResponse.errorMessage && t.actualResponse.errorMessage.length > 10
-    );
+    ).length;
+    const hasProperErrorCodes = actualErrors.length === 0 || // If no errors were triggered, we can't assess this
+    errorsWithCodes / actualErrors.length >= 0.5;
+    const hasDescriptiveMessages = actualErrors.length === 0 || // If no errors were triggered, we can't assess this
+    errorsWithMessages / actualErrors.length >= 0.5;
     const validatesInputs = tests.filter((t) => ["missing_required", "wrong_type"].includes(t.testType)).some((t) => t.passed);
     return {
       mcpComplianceScore: score,
@@ -46358,6 +46378,13 @@ class SecurityAssessor extends BaseAssessor {
         response,
         payload
       );
+      const confidenceResult = this.calculateConfidence(
+        tool,
+        isVulnerable,
+        evidence || "",
+        this.extractResponseContent(response),
+        payload
+      );
       return {
         testName: attackName,
         description: payload.description,
@@ -46366,7 +46393,8 @@ class SecurityAssessor extends BaseAssessor {
         toolName: tool.name,
         vulnerable: isVulnerable,
         evidence,
-        response: this.extractResponseContent(response)
+        response: this.extractResponseContent(response),
+        ...confidenceResult
       };
     } catch (error) {
       return {
@@ -46501,6 +46529,95 @@ class SecurityAssessor extends BaseAssessor {
     ).length;
     return `Found ${vulnCount} vulnerabilities (${criticalCount} critical, ${moderateCount} moderate) across ${testCount} security tests. Risk level: ${riskLevel}. Tools may execute malicious commands or leak sensitive data.`;
   }
+  /**
+   * Calculate confidence level and manual review requirements
+   * Detects ambiguous patterns that need human verification
+   */
+  calculateConfidence(tool, isVulnerable, evidence, responseText, payload) {
+    var _a;
+    const toolDescription = (tool.description || "").toLowerCase();
+    const toolName = tool.name.toLowerCase();
+    const responseLower = responseText.toLowerCase();
+    const payloadLower = payload.payload.toLowerCase();
+    if (!isVulnerable && (evidence.includes("safely reflected") || evidence.includes("API wrapper") || evidence.includes("safe: true"))) {
+      return {
+        confidence: "high",
+        requiresManualReview: false
+      };
+    }
+    if (isVulnerable && evidence.includes("executed") && !this.isStructuredDataTool(toolName, toolDescription)) {
+      return {
+        confidence: "high",
+        requiresManualReview: false
+      };
+    }
+    if (isVulnerable) {
+      const isDataTool = this.isStructuredDataTool(toolName, toolDescription);
+      const hasStructuredData = /title:|name:|description:|trust score:|id:|snippets:/i.test(
+        responseText
+      ) || /^\s*-\s+/m.test(responseText) || // Bullet points
+      /"[^"]+"\s*:\s*"[^"]+"/g.test(responseText);
+      const patternInInput = (_a = payload.evidence) == null ? void 0 : _a.test(payloadLower);
+      const echosInput = responseLower.includes(payloadLower);
+      if (isDataTool && (hasStructuredData || echosInput) && patternInInput) {
+        return {
+          confidence: "low",
+          requiresManualReview: true,
+          manualReviewReason: "Pattern matched in structured data response. Tool may be legitimately returning data containing search terms rather than executing malicious code.",
+          reviewGuidance: `Verify: 1) Does the tool actually execute/compute the input? 2) Or does it just return pre-existing data that happens to contain the pattern? 3) Check if '${payload.evidence}' appears in legitimate tool output vs. execution results.`
+        };
+      }
+      if (payload.evidence && /\b\d\b/.test(payload.evidence.toString()) && /\b(score|count|trust|rating|id|version)\b/i.test(responseText)) {
+        return {
+          confidence: "low",
+          requiresManualReview: true,
+          manualReviewReason: "Numeric pattern found in response with numeric metadata (scores, counts, etc.). May be coincidental data rather than arithmetic execution.",
+          reviewGuidance: "Verify: 1) Did the tool actually compute an arithmetic result? 2) Or does the number appear in metadata like trust scores, version numbers, or counts? 3) Compare pattern location in response with tool's expected output format."
+        };
+      }
+      if (/admin|role|privilege|elevated/i.test(payload.payload) && /\b(library|search|documentation|api|wrapper)\b/i.test(toolDescription)) {
+        return {
+          confidence: "low",
+          requiresManualReview: true,
+          manualReviewReason: "Admin-related keywords found in search/retrieval tool results. Tool may be returning data about admin-related libraries/APIs rather than elevating privileges.",
+          reviewGuidance: "Verify: 1) Did the tool actually change behavior or assume admin role? 2) Or did it return search results for admin-related content? 3) Test if tool behavior actually changed after this request."
+        };
+      }
+    }
+    if (isVulnerable && evidence.includes("executed")) {
+      return {
+        confidence: "medium",
+        requiresManualReview: true,
+        manualReviewReason: "Execution indicators found but context suggests possible ambiguity.",
+        reviewGuidance: "Verify: 1) Review the full response to confirm actual code execution. 2) Check if tool's intended function involves execution. 3) Test with variations to confirm consistency."
+      };
+    }
+    return {
+      confidence: "high",
+      requiresManualReview: false
+    };
+  }
+  /**
+   * Check if tool is a structured data tool (search, lookup, retrieval)
+   * These tools naturally echo input patterns in their results
+   */
+  isStructuredDataTool(toolName, toolDescription) {
+    const dataToolPatterns = [
+      /search/i,
+      /find/i,
+      /lookup/i,
+      /query/i,
+      /retrieve/i,
+      /fetch/i,
+      /get/i,
+      /list/i,
+      /resolve/i,
+      /discover/i,
+      /browse/i
+    ];
+    const combined = `${toolName} ${toolDescription}`;
+    return dataToolPatterns.some((pattern2) => pattern2.test(combined));
+  }
   /**
    * Check if response is just reflection (safe)
    * Expanded to catch more reflection patterns including echo, repeat, display
@@ -48008,9 +48125,17 @@ class ResponseValidator {
   }
 }
 class TestScenarioEngine {
-  constructor(testTimeout = 5e3) {
+  constructor(testTimeout = 5e3, delayBetweenTests = 0) {
     __publicField(this, "testTimeout");
+    __publicField(this, "delayBetweenTests");
     this.testTimeout = testTimeout;
+    this.delayBetweenTests = delayBetweenTests;
+  }
+  /**
+   * Sleep for specified milliseconds (for rate limiting)
+   */
+  async sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
   }
   /**
    * Test tool with progressive complexity to identify failure points
@@ -48163,6 +48288,9 @@ class TestScenarioEngine {
         callTool
       );
       result.scenarioResults.push(scenarioResult);
+      if (this.delayBetweenTests > 0) {
+        await this.sleep(this.delayBetweenTests);
+      }
       if (scenarioResult.executed) {
         result.scenariosExecuted++;
         if (scenarioResult.validation.isValid) {
@@ -48573,7 +48701,10 @@ class MCPAssessmentService {
    * Enhanced functionality assessment with multi-scenario testing
    */
   async assessFunctionalityEnhanced(tools, callTool) {
-    const engine = new TestScenarioEngine(this.config.testTimeout);
+    const engine = new TestScenarioEngine(
+      this.config.testTimeout,
+      this.config.delayBetweenTests ?? 0
+    );
     const toolResults = [];
     const enhancedResults = [];
     let workingCount = 0;
@@ -49744,11 +49875,11 @@ const ReviewerAssessmentView = ({
     {
       id: "documentation",
       name: "3. Documentation Quality",
-      quickCheck: `${assessment.documentation.metrics.hasReadme ? "Has README" : "Missing README"}, ${assessment.documentation.metrics.exampleCount} examples`,
+      quickCheck: `${assessment.documentation.metrics.hasReadme ? "Has README" : "Missing README"}, ${assessment.documentation.metrics.exampleCount} functional examples found`,
       verdict: assessment.documentation.status === "PASS" ? "PASS" : assessment.documentation.metrics.exampleCount < 3 ? "FAIL" : "REVIEW_NEEDED",
       evidence: [
         `Has README: ${assessment.documentation.metrics.hasReadme ? "Yes" : "No"}`,
-        `Code examples: ${assessment.documentation.metrics.exampleCount} (need 3+)`,
+        `Functional examples: ${assessment.documentation.metrics.exampleCount} found (3+ required)`,
         `Has installation instructions: ${assessment.documentation.metrics.hasInstallInstructions ? "Yes" : "No"}`,
         `Has usage guide: ${assessment.documentation.metrics.hasUsageGuide ? "Yes" : "No"}`
       ],
@@ -50718,6 +50849,30 @@ const AssessmentTab = ({
         ),
         !isLoadingTools && tools.length > 0 && /* @__PURE__ */ jsxRuntimeExports.jsx("p", { className: "text-xs text-muted-foreground", children: "Select which tools to test for error handling (the most intensive tests). All tools are selected by default." })
       ] }),
+      /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "space-y-2", children: [
+        /* @__PURE__ */ jsxRuntimeExports.jsx(Label$1, { htmlFor: "delay-between-tests", children: "Delay between tests (milliseconds)" }),
+        /* @__PURE__ */ jsxRuntimeExports.jsx(
+          Input,
+          {
+            id: "delay-between-tests",
+            type: "number",
+            min: "0",
+            max: "5000",
+            step: "100",
+            value: config.delayBetweenTests ?? 0,
+            onChange: (e) => {
+              const value = parseInt(e.target.value, 10);
+              setConfig({
+                ...config,
+                delayBetweenTests: isNaN(value) ? 0 : value
+              });
+            },
+            disabled: isRunning,
+            placeholder: "0"
+          }
+        ),
+        /* @__PURE__ */ jsxRuntimeExports.jsx("p", { className: "text-xs text-muted-foreground", children: "Add a delay between tests to avoid rate limiting. Recommended: 500-1000ms for rate-limited APIs. Set to 0 for no delay (default)." })
+      ] }),
       /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "space-y-2 border rounded-lg p-4 bg-blue-50 dark:bg-blue-950", children: [
         /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "flex items-center space-x-2", children: [
           /* @__PURE__ */ jsxRuntimeExports.jsx(
@@ -50734,15 +50889,15 @@ const AssessmentTab = ({
           ),
           /* @__PURE__ */ jsxRuntimeExports.jsxs(Label$1, { htmlFor: "domain-testing", className: "cursor-pointer", children: [
             /* @__PURE__ */ jsxRuntimeExports.jsx("span", { className: "font-semibold", children: "Enable Advanced Security Testing" }),
-            /* @__PURE__ */ jsxRuntimeExports.jsx("span", { className: "ml-2 text-xs bg-blue-100 dark:bg-blue-900 text-blue-800 dark:text-blue-200 px-2 py-0.5 rounded", children: "18 Attack Patterns" })
+            /* @__PURE__ */ jsxRuntimeExports.jsx("span", { className: "ml-2 text-xs bg-blue-100 dark:bg-blue-900 text-blue-800 dark:text-blue-200 px-2 py-0.5 rounded", children: "18 Patterns" })
           ] })
         ] }),
         /* @__PURE__ */ jsxRuntimeExports.jsxs("p", { className: "text-xs text-muted-foreground ml-6", children: [
           /* @__PURE__ */ jsxRuntimeExports.jsx("strong", { children: "Basic:" }),
-          " 3 critical patterns (~48 tests).",
+          " 3 common patterns (~48 checks).",
           " ",
           /* @__PURE__ */ jsxRuntimeExports.jsx("strong", { children: "Advanced:" }),
-          " All 18 patterns. Advanced mode tests Direct Command Injection, Role Override, Data Exfiltration, System Commands, Tool Shadowing, Context Escape, and 12+ other attack vectors."
+          " All 18 patterns. Designed to identify potential issues like Direct Command Injection, Role Override, Data Exfiltration, System Commands, Tool Shadowing, Context Escape, and 12+ other common attack vectors."
         ] })
       ] }),
       /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "flex gap-2", children: [
@@ -51068,9 +51223,7 @@ const AssessmentTab = ({
               /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
                 "Examples:",
                 " ",
-                assessment.documentation.metrics.exampleCount,
-                "/",
-                assessment.documentation.metrics.requiredExamples
+                assessment.documentation.metrics.exampleCount >= assessment.documentation.metrics.requiredExamples ? `${assessment.documentation.metrics.exampleCount} found (${assessment.documentation.metrics.requiredExamples}+ required) ✓` : `${assessment.documentation.metrics.exampleCount}/${assessment.documentation.metrics.requiredExamples} (need more)`
               ] }),
               /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
                 "Install Guide:",
@@ -51857,7 +52010,8 @@ const ErrorTestItem = ({ test }) => {
     {
       className: "text-xs border-l-2 pl-3 py-1",
       style: {
-        borderColor: test.passed ? "rgb(34 197 94)" : "rgb(239 68 68)"
+        borderColor: test.testType === "invalid_values" ? "rgb(234 179 8)" : test.passed ? "rgb(34 197 94)" : "rgb(239 68 68)"
+        // red-500 for FAIL
       },
       children: [
         /* @__PURE__ */ jsxRuntimeExports.jsxs(
@@ -52106,9 +52260,30 @@ const SecurityVulnerabilityItem = ({ testResult, toolName }) => {
                 testResult.vulnerable ? "🚨 VULNERABLE - Tool executed malicious input!" : "✅ SECURE - Tool properly rejected malicious input"
               ]
             }
-          )
+          ),
+          testResult.confidence && /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "flex items-center gap-2 mt-2", children: [
+            /* @__PURE__ */ jsxRuntimeExports.jsx("strong", { children: "Confidence:" }),
+            /* @__PURE__ */ jsxRuntimeExports.jsx(
+              "span",
+              {
+                className: `text-xs px-2 py-1 rounded font-semibold ${testResult.confidence === "high" ? "bg-green-100 text-green-800" : testResult.confidence === "medium" ? "bg-yellow-100 text-yellow-800" : "bg-orange-100 text-orange-800"}`,
+                children: testResult.confidence.toUpperCase()
+              }
+            )
+          ] })
         ] })
       ] }),
+      testResult.requiresManualReview && /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "bg-amber-50 border-l-4 border-amber-500 p-3 rounded", children: /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "flex items-start gap-2", children: [
+        /* @__PURE__ */ jsxRuntimeExports.jsx(CircleAlert, { className: "h-5 w-5 text-amber-600 flex-shrink-0 mt-0.5" }),
+        /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "flex-1", children: [
+          /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "text-sm font-semibold text-amber-900 mb-1", children: "⚠️ Manual Review Required" }),
+          testResult.manualReviewReason && /* @__PURE__ */ jsxRuntimeExports.jsx("p", { className: "text-xs text-amber-800 mb-2", children: testResult.manualReviewReason }),
+          testResult.reviewGuidance && /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "bg-amber-100 p-2 rounded text-xs text-amber-900", children: [
+            /* @__PURE__ */ jsxRuntimeExports.jsx("strong", { children: "Review Steps:" }),
+            /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "mt-1 whitespace-pre-line", children: testResult.reviewGuidance })
+          ] })
+        ] })
+      ] }) }),
       /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
         /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "text-xs font-medium text-muted-foreground uppercase tracking-wide mb-1", children: "Test Payload" }),
         /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "bg-black text-green-400 p-2 rounded text-xs font-mono whitespace-pre-wrap break-all", children: testResult.payload })
@@ -52269,7 +52444,7 @@ const generateTextReport = (assessment, filteredStatus, categoryFilter) => {
     `Status: ${assessment.documentation.status}`,
     assessment.documentation.explanation,
     `- Has README: ${assessment.documentation.metrics.hasReadme ? "Yes" : "No"}`,
-    `- Examples: ${assessment.documentation.metrics.exampleCount}/${assessment.documentation.metrics.requiredExamples}`,
+    `- Examples: ${assessment.documentation.metrics.exampleCount} functional examples found (${assessment.documentation.metrics.requiredExamples}+ required)`,
     `- Installation Guide: ${assessment.documentation.metrics.hasInstallInstructions ? "Yes" : "No"}`,
     `- Usage Guide: ${assessment.documentation.metrics.hasUsageGuide ? "Yes" : "No"}`
   );
@@ -53106,13 +53281,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-pJpyrBg5.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-CS0hHvzr.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-BGti8QhX.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-CRsLrDJk.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html

@@ -5,8 +5,8 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-BEmDUKhR.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-DYiWOife.css">
+    <script type="module" crossorigin src="/assets/index-CkSRacMw.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-Bc4MVSgQ.css">
   </head>
   <body>
     <div id="root" class="w-full"></div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment",
-  "version": "1.0.1",
+  "version": "1.2.0",
   "description": "Enhanced MCP Inspector with comprehensive assessment capabilities for server validation",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",