npm - @bryan-thompson/inspector-assessment - Versions diffs - 1.1.0 → 1.2.0 - Mend

@bryan-thompson/inspector-assessment 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/client/dist/assets/{OAuthCallback-aV2t2Zmo.js → OAuthCallback-CS0hHvzr.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-DrU0QB6A.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CkSRacMw.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-Ca01948b.js → OAuthDebugCallback-CRsLrDJk.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-DrU0QB6A.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CkSRacMw.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-DYiWOife.css → index-Bc4MVSgQ.css} RENAMED Viewed

@@ -1332,6 +1332,9 @@ video {
 .whitespace-nowrap {
   white-space: nowrap;
 }
+.whitespace-pre-line {
+  white-space: pre-line;
+}
 .whitespace-pre-wrap {
   white-space: pre-wrap;
 }
@@ -1383,6 +1386,10 @@ video {
 .border-t {
   border-top-width: 1px;
 }
+.border-amber-500 {
+  --tw-border-opacity: 1;
+  border-color: rgb(245 158 11 / var(--tw-border-opacity, 1));
+}
 .border-blue-200 {
   --tw-border-opacity: 1;
   border-color: rgb(191 219 254 / var(--tw-border-opacity, 1));
@@ -1474,6 +1481,14 @@ video {
 .bg-accent {
   background-color: hsl(var(--accent));
 }
+.bg-amber-100 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(254 243 199 / var(--tw-bg-opacity, 1));
+}
+.bg-amber-50 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(255 251 235 / var(--tw-bg-opacity, 1));
+}
 .bg-background {
   background-color: hsl(var(--background));
 }
@@ -1550,6 +1565,10 @@ video {
 .bg-muted\/50 {
   background-color: hsl(var(--muted) / 0.5);
 }
+.bg-orange-100 {
+  --tw-bg-opacity: 1;
+  background-color: rgb(255 237 213 / var(--tw-bg-opacity, 1));
+}
 .bg-orange-50 {
   --tw-bg-opacity: 1;
   background-color: rgb(255 247 237 / var(--tw-bg-opacity, 1));
@@ -1818,6 +1837,14 @@ video {
   --tw-text-opacity: 1;
   color: rgb(217 119 6 / var(--tw-text-opacity, 1));
 }
+.text-amber-800 {
+  --tw-text-opacity: 1;
+  color: rgb(146 64 14 / var(--tw-text-opacity, 1));
+}
+.text-amber-900 {
+  --tw-text-opacity: 1;
+  color: rgb(120 53 15 / var(--tw-text-opacity, 1));
+}
 .text-blue-500 {
   --tw-text-opacity: 1;
   color: rgb(59 130 246 / var(--tw-text-opacity, 1));
@@ -1912,6 +1939,10 @@ video {
   --tw-text-opacity: 1;
   color: rgb(234 88 12 / var(--tw-text-opacity, 1));
 }
+.text-orange-800 {
+  --tw-text-opacity: 1;
+  color: rgb(154 52 18 / var(--tw-text-opacity, 1));
+}
 .text-popover-foreground {
   color: hsl(var(--popover-foreground));
 }

package/client/dist/assets/{index-DrU0QB6A.js → index-CkSRacMw.js} RENAMED Viewed

@@ -16205,7 +16205,7 @@ objectType({
   token_type_hint: stringType().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.1.0";
+const version$1 = "1.2.0";
 const packageJson = {
   name,
   version: version$1
@@ -41736,7 +41736,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.1.0";
+const version = "1.2.0";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -46378,6 +46378,13 @@ class SecurityAssessor extends BaseAssessor {
         response,
         payload
       );
+      const confidenceResult = this.calculateConfidence(
+        tool,
+        isVulnerable,
+        evidence || "",
+        this.extractResponseContent(response),
+        payload
+      );
       return {
         testName: attackName,
         description: payload.description,
@@ -46386,7 +46393,8 @@ class SecurityAssessor extends BaseAssessor {
         toolName: tool.name,
         vulnerable: isVulnerable,
         evidence,
-        response: this.extractResponseContent(response)
+        response: this.extractResponseContent(response),
+        ...confidenceResult
       };
     } catch (error) {
       return {
@@ -46521,6 +46529,95 @@ class SecurityAssessor extends BaseAssessor {
     ).length;
     return `Found ${vulnCount} vulnerabilities (${criticalCount} critical, ${moderateCount} moderate) across ${testCount} security tests. Risk level: ${riskLevel}. Tools may execute malicious commands or leak sensitive data.`;
   }
+  /**
+   * Calculate confidence level and manual review requirements
+   * Detects ambiguous patterns that need human verification
+   */
+  calculateConfidence(tool, isVulnerable, evidence, responseText, payload) {
+    var _a;
+    const toolDescription = (tool.description || "").toLowerCase();
+    const toolName = tool.name.toLowerCase();
+    const responseLower = responseText.toLowerCase();
+    const payloadLower = payload.payload.toLowerCase();
+    if (!isVulnerable && (evidence.includes("safely reflected") || evidence.includes("API wrapper") || evidence.includes("safe: true"))) {
+      return {
+        confidence: "high",
+        requiresManualReview: false
+      };
+    }
+    if (isVulnerable && evidence.includes("executed") && !this.isStructuredDataTool(toolName, toolDescription)) {
+      return {
+        confidence: "high",
+        requiresManualReview: false
+      };
+    }
+    if (isVulnerable) {
+      const isDataTool = this.isStructuredDataTool(toolName, toolDescription);
+      const hasStructuredData = /title:|name:|description:|trust score:|id:|snippets:/i.test(
+        responseText
+      ) || /^\s*-\s+/m.test(responseText) || // Bullet points
+      /"[^"]+"\s*:\s*"[^"]+"/g.test(responseText);
+      const patternInInput = (_a = payload.evidence) == null ? void 0 : _a.test(payloadLower);
+      const echosInput = responseLower.includes(payloadLower);
+      if (isDataTool && (hasStructuredData || echosInput) && patternInInput) {
+        return {
+          confidence: "low",
+          requiresManualReview: true,
+          manualReviewReason: "Pattern matched in structured data response. Tool may be legitimately returning data containing search terms rather than executing malicious code.",
+          reviewGuidance: `Verify: 1) Does the tool actually execute/compute the input? 2) Or does it just return pre-existing data that happens to contain the pattern? 3) Check if '${payload.evidence}' appears in legitimate tool output vs. execution results.`
+        };
+      }
+      if (payload.evidence && /\b\d\b/.test(payload.evidence.toString()) && /\b(score|count|trust|rating|id|version)\b/i.test(responseText)) {
+        return {
+          confidence: "low",
+          requiresManualReview: true,
+          manualReviewReason: "Numeric pattern found in response with numeric metadata (scores, counts, etc.). May be coincidental data rather than arithmetic execution.",
+          reviewGuidance: "Verify: 1) Did the tool actually compute an arithmetic result? 2) Or does the number appear in metadata like trust scores, version numbers, or counts? 3) Compare pattern location in response with tool's expected output format."
+        };
+      }
+      if (/admin|role|privilege|elevated/i.test(payload.payload) && /\b(library|search|documentation|api|wrapper)\b/i.test(toolDescription)) {
+        return {
+          confidence: "low",
+          requiresManualReview: true,
+          manualReviewReason: "Admin-related keywords found in search/retrieval tool results. Tool may be returning data about admin-related libraries/APIs rather than elevating privileges.",
+          reviewGuidance: "Verify: 1) Did the tool actually change behavior or assume admin role? 2) Or did it return search results for admin-related content? 3) Test if tool behavior actually changed after this request."
+        };
+      }
+    }
+    if (isVulnerable && evidence.includes("executed")) {
+      return {
+        confidence: "medium",
+        requiresManualReview: true,
+        manualReviewReason: "Execution indicators found but context suggests possible ambiguity.",
+        reviewGuidance: "Verify: 1) Review the full response to confirm actual code execution. 2) Check if tool's intended function involves execution. 3) Test with variations to confirm consistency."
+      };
+    }
+    return {
+      confidence: "high",
+      requiresManualReview: false
+    };
+  }
+  /**
+   * Check if tool is a structured data tool (search, lookup, retrieval)
+   * These tools naturally echo input patterns in their results
+   */
+  isStructuredDataTool(toolName, toolDescription) {
+    const dataToolPatterns = [
+      /search/i,
+      /find/i,
+      /lookup/i,
+      /query/i,
+      /retrieve/i,
+      /fetch/i,
+      /get/i,
+      /list/i,
+      /resolve/i,
+      /discover/i,
+      /browse/i
+    ];
+    const combined = `${toolName} ${toolDescription}`;
+    return dataToolPatterns.some((pattern2) => pattern2.test(combined));
+  }
   /**
    * Check if response is just reflection (safe)
    * Expanded to catch more reflection patterns including echo, repeat, display
@@ -49778,11 +49875,11 @@ const ReviewerAssessmentView = ({
     {
       id: "documentation",
       name: "3. Documentation Quality",
-      quickCheck: `${assessment.documentation.metrics.hasReadme ? "Has README" : "Missing README"}, ${assessment.documentation.metrics.exampleCount} examples`,
+      quickCheck: `${assessment.documentation.metrics.hasReadme ? "Has README" : "Missing README"}, ${assessment.documentation.metrics.exampleCount} functional examples found`,
       verdict: assessment.documentation.status === "PASS" ? "PASS" : assessment.documentation.metrics.exampleCount < 3 ? "FAIL" : "REVIEW_NEEDED",
       evidence: [
         `Has README: ${assessment.documentation.metrics.hasReadme ? "Yes" : "No"}`,
-        `Code examples: ${assessment.documentation.metrics.exampleCount} (need 3+)`,
+        `Functional examples: ${assessment.documentation.metrics.exampleCount} found (3+ required)`,
         `Has installation instructions: ${assessment.documentation.metrics.hasInstallInstructions ? "Yes" : "No"}`,
         `Has usage guide: ${assessment.documentation.metrics.hasUsageGuide ? "Yes" : "No"}`
       ],
@@ -51126,9 +51223,7 @@ const AssessmentTab = ({
               /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
                 "Examples:",
                 " ",
-                assessment.documentation.metrics.exampleCount,
-                "/",
-                assessment.documentation.metrics.requiredExamples
+                assessment.documentation.metrics.exampleCount >= assessment.documentation.metrics.requiredExamples ? `${assessment.documentation.metrics.exampleCount} found (${assessment.documentation.metrics.requiredExamples}+ required) ✓` : `${assessment.documentation.metrics.exampleCount}/${assessment.documentation.metrics.requiredExamples} (need more)`
               ] }),
               /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
                 "Install Guide:",
@@ -52165,9 +52260,30 @@ const SecurityVulnerabilityItem = ({ testResult, toolName }) => {
                 testResult.vulnerable ? "🚨 VULNERABLE - Tool executed malicious input!" : "✅ SECURE - Tool properly rejected malicious input"
               ]
             }
-          )
+          ),
+          testResult.confidence && /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "flex items-center gap-2 mt-2", children: [
+            /* @__PURE__ */ jsxRuntimeExports.jsx("strong", { children: "Confidence:" }),
+            /* @__PURE__ */ jsxRuntimeExports.jsx(
+              "span",
+              {
+                className: `text-xs px-2 py-1 rounded font-semibold ${testResult.confidence === "high" ? "bg-green-100 text-green-800" : testResult.confidence === "medium" ? "bg-yellow-100 text-yellow-800" : "bg-orange-100 text-orange-800"}`,
+                children: testResult.confidence.toUpperCase()
+              }
+            )
+          ] })
         ] })
       ] }),
+      testResult.requiresManualReview && /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "bg-amber-50 border-l-4 border-amber-500 p-3 rounded", children: /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "flex items-start gap-2", children: [
+        /* @__PURE__ */ jsxRuntimeExports.jsx(CircleAlert, { className: "h-5 w-5 text-amber-600 flex-shrink-0 mt-0.5" }),
+        /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "flex-1", children: [
+          /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "text-sm font-semibold text-amber-900 mb-1", children: "⚠️ Manual Review Required" }),
+          testResult.manualReviewReason && /* @__PURE__ */ jsxRuntimeExports.jsx("p", { className: "text-xs text-amber-800 mb-2", children: testResult.manualReviewReason }),
+          testResult.reviewGuidance && /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "bg-amber-100 p-2 rounded text-xs text-amber-900", children: [
+            /* @__PURE__ */ jsxRuntimeExports.jsx("strong", { children: "Review Steps:" }),
+            /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "mt-1 whitespace-pre-line", children: testResult.reviewGuidance })
+          ] })
+        ] })
+      ] }) }),
       /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
         /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "text-xs font-medium text-muted-foreground uppercase tracking-wide mb-1", children: "Test Payload" }),
         /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "bg-black text-green-400 p-2 rounded text-xs font-mono whitespace-pre-wrap break-all", children: testResult.payload })
@@ -52328,7 +52444,7 @@ const generateTextReport = (assessment, filteredStatus, categoryFilter) => {
     `Status: ${assessment.documentation.status}`,
     assessment.documentation.explanation,
     `- Has README: ${assessment.documentation.metrics.hasReadme ? "Yes" : "No"}`,
-    `- Examples: ${assessment.documentation.metrics.exampleCount}/${assessment.documentation.metrics.requiredExamples}`,
+    `- Examples: ${assessment.documentation.metrics.exampleCount} functional examples found (${assessment.documentation.metrics.requiredExamples}+ required)`,
     `- Installation Guide: ${assessment.documentation.metrics.hasInstallInstructions ? "Yes" : "No"}`,
     `- Usage Guide: ${assessment.documentation.metrics.hasUsageGuide ? "Yes" : "No"}`
   );
@@ -53165,13 +53281,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-aV2t2Zmo.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-CS0hHvzr.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-Ca01948b.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-CRsLrDJk.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html CHANGED Viewed

@@ -5,8 +5,8 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-DrU0QB6A.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-DYiWOife.css">
+    <script type="module" crossorigin src="/assets/index-CkSRacMw.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-Bc4MVSgQ.css">
   </head>
   <body>
     <div id="root" class="w-full"></div>

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Enhanced MCP Inspector with comprehensive assessment capabilities for server validation",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",