@bryan-thompson/inspector-assessment 1.17.1 → 1.18.1

package/cli/build/cli.js

@@ -22,6 +22,20 @@ function isValidEnvVarName(name) {
 function isValidEnvVarValue(value) {
     return !value.includes("\0");
 }
+// [SECURITY-ENHANCEMENT] - triepod-ai fork: Block sensitive environment variables
+const BLOCKED_ENV_VAR_PATTERNS = [
+    /^(AWS|AZURE|GCP|GOOGLE)_/i, // Cloud provider credentials
+    /^(API|AUTH|SECRET|TOKEN|KEY|PASSWORD|CREDENTIAL)_/i, // Generic secrets
+    /^(PRIVATE|SSH|PGP|GPG)_/i, // Private keys
+    /_(API_KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)$/i, // Suffix patterns
+];
+/**
+ * Check if an environment variable name should be blocked
+ * Prevents accidental exposure of sensitive credentials
+ */
+function isSensitiveEnvVar(name) {
+    return BLOCKED_ENV_VAR_PATTERNS.some((pattern) => pattern.test(name));
+}
 /**
  * Validate and sanitize environment variables
  * Returns filtered environment variables with invalid entries removed
@@ -37,10 +51,45 @@ function validateEnvVars(env) {
             console.warn(`Warning: Skipping environment variable with invalid value: ${key}`);
             continue;
         }
+        // [SECURITY-ENHANCEMENT] - Block sensitive env vars
+        if (isSensitiveEnvVar(key)) {
+            console.warn(`Warning: Blocking potentially sensitive environment variable: ${key}`);
+            continue;
+        }
         validated[key] = value;
     }
     return validated;
 }
+// [SECURITY-ENHANCEMENT] - triepod-ai fork: Unified SSRF protection patterns (matches client)
+const PRIVATE_HOSTNAME_PATTERNS = [
+    // Localhost variants
+    /^localhost$/,
+    /^localhost\./,
+    // IPv4 private ranges
+    /^127\./, // 127.0.0.0/8 - loopback
+    /^10\./, // 10.0.0.0/8 - private
+    /^172\.(1[6-9]|2[0-9]|3[01])\./, // 172.16.0.0/12 - private
+    /^192\.168\./, // 192.168.0.0/16 - private
+    /^169\.254\./, // 169.254.0.0/16 - link-local
+    /^0\./, // 0.0.0.0/8 - current network
+    // IPv6 private ranges (enclosed in brackets for URL hostname)
+    /^\[::1\]$/, // ::1 - loopback
+    /^\[::ffff:127\./, // IPv4-mapped loopback
+    /^\[fe80:/i, // fe80::/10 - link-local
+    /^\[fc/i, // fc00::/7 - unique local
+    /^\[fd/i, // fd00::/8 - unique local
+    // Cloud metadata endpoints (common SSRF targets)
+    /^169\.254\.169\.254$/, // AWS/GCP metadata
+    /^metadata\./, // metadata.google.internal
+];
+/**
+ * Check if a hostname is a private/internal IP address
+ * Used to prevent SSRF attacks by blocking requests to internal networks
+ */
+function isPrivateHostname(hostname) {
+    const normalizedHostname = hostname.toLowerCase();
+    return PRIVATE_HOSTNAME_PATTERNS.some((pattern) => pattern.test(normalizedHostname));
+}
 /**
  * Validate that a URL is safe for connection
  * - Must be http or https
@@ -53,21 +102,9 @@ function validateServerUrl(url) {
         if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
             throw new Error(`Invalid URL protocol: ${parsed.protocol}. Must be http or https.`);
         }
-        // Block private IPs to prevent SSRF attacks
-        const hostname = parsed.hostname.toLowerCase();
-        const privatePatterns = [
-            /^localhost$/,
-            /^127\./,
-            /^10\./,
-            /^172\.(1[6-9]|2[0-9]|3[01])\./,
-            /^192\.168\./,
-            /^169\.254\./, // Link-local
-            /^\[::1\]$/, // IPv6 localhost
-            /^\[fe80:/i, // IPv6 link-local
-        ];
         // Only warn for private IPs (don't block - may be intentional for local testing)
-        if (privatePatterns.some((pattern) => pattern.test(hostname))) {
-            console.warn(`Warning: Connecting to private/internal address: ${hostname}`);
+        if (isPrivateHostname(parsed.hostname)) {
+            console.warn(`Warning: Connecting to private/internal address: ${parsed.hostname}`);
         }
     }
     catch (error) {

package/client/dist/assets/{OAuthCallback-DRaMXbvu.js → OAuthCallback-DhwTOA1q.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-sOgf80Op.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-zBRaltBB.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-Dj_-SG3N.js → OAuthDebugCallback-DzopkA29.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-sOgf80Op.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-zBRaltBB.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-sOgf80Op.js → index-zBRaltBB.js}

@@ -16320,7 +16320,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.17.1";
+const version$1 = "1.18.1";
 const packageJson = {
   name,
   version: version$1
@@ -45337,7 +45337,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.17.1";
+const version = "1.18.1";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -51959,6 +51959,326 @@ const SECURITY_ATTACK_PATTERNS = [
         parameterTypes: ["instruction", "command", "action", "input"]
       }
     ]
+  },
+  // ==========================================
+  // RESOURCE EXHAUSTION TESTS (1)
+  // ==========================================
+  // 19. DOS/RESOURCE EXHAUSTION
+  {
+    attackName: "DoS/Resource Exhaustion",
+    description: "Test if tool is vulnerable to denial of service through resource exhaustion (ReDoS, memory allocation, timeout abuse)",
+    payloads: [
+      // ReDoS Payloads (Catastrophic Backtracking)
+      {
+        payload: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!",
+        evidence: /timeout|timed.?out|catastrophic|backtrack|hung|unresponsive|resource.?limit|regex.?timeout/i,
+        riskLevel: "HIGH",
+        description: "ReDoS via evil regex input (catastrophic backtracking)",
+        payloadType: "dos",
+        parameterTypes: [
+          "pattern",
+          "regex",
+          "search",
+          "query",
+          "filter",
+          "text",
+          "input"
+        ]
+      },
+      {
+        payload: "(a+)+b",
+        evidence: /timeout|timed.?out|catastrophic|backtrack|regex.?error|pattern.?error|stack.?overflow/i,
+        riskLevel: "HIGH",
+        description: "ReDoS via nested quantifier pattern",
+        payloadType: "dos",
+        parameterTypes: ["pattern", "regex", "search", "query", "filter"]
+      },
+      {
+        payload: "a]a]a]a]a]a]a]a]a]a]a]a]a]a]a]a]",
+        evidence: /timeout|backtrack|regex.?overflow|stack.?overflow|parse.?error/i,
+        riskLevel: "HIGH",
+        description: "ReDoS via character class abuse",
+        payloadType: "dos",
+        parameterTypes: ["pattern", "regex", "search", "query"]
+      },
+      {
+        payload: "^(([a-z])+.)+[A-Z]([a-z])+$",
+        evidence: /timeout|catastrophic|backtrack|polynomial|exponential|regex.?complexity/i,
+        riskLevel: "HIGH",
+        description: "ReDoS via polynomial complexity pattern",
+        payloadType: "dos",
+        parameterTypes: ["pattern", "regex", "search", "query", "filter"]
+      },
+      // Memory Allocation Payloads
+      {
+        payload: "999999999999",
+        evidence: /memory.?error|allocation.?failed|out.?of.?memory|heap|buffer.?overflow|resource.?limit|integer.?overflow/i,
+        riskLevel: "HIGH",
+        description: "Memory exhaustion via large number input",
+        payloadType: "dos",
+        parameterTypes: [
+          "size",
+          "count",
+          "length",
+          "limit",
+          "amount",
+          "quantity",
+          "number"
+        ]
+      },
+      {
+        // Pre-evaluated 10KB string
+        payload: "x".repeat(1e4),
+        evidence: /too.?long|exceeds.?length|maximum.?length|length.?limit|resource.?limit|payload.?too.?large|memory/i,
+        riskLevel: "MEDIUM",
+        description: "Memory exhaustion via large string payload (10KB)",
+        payloadType: "dos"
+      },
+      {
+        // 10-level deep nested JSON
+        payload: '{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{}}}}}}}}}}}',
+        evidence: /stack.?overflow|recursion|depth.?limit|nesting.?limit|too.?deep|parse.?error|json.?depth/i,
+        riskLevel: "HIGH",
+        description: "Stack exhaustion via deep JSON nesting",
+        payloadType: "dos",
+        parameterTypes: ["data", "json", "body", "payload", "input"]
+      },
+      // Timeout Abuse Payloads
+      {
+        payload: "sleep(99999)",
+        evidence: /timeout|timed.?out|operation.?cancelled|deadline|long.?running|sleep.?executed/i,
+        riskLevel: "HIGH",
+        description: "Timeout abuse via sleep command injection",
+        payloadType: "dos",
+        parameterTypes: ["command", "script", "code", "expression", "input"]
+      },
+      {
+        payload: "WAITFOR DELAY '00:10:00'",
+        evidence: /timeout|timed.?out|sql.?timeout|query.?timeout|waitfor.?executed/i,
+        riskLevel: "HIGH",
+        description: "Timeout abuse via SQL WAITFOR",
+        payloadType: "dos",
+        parameterTypes: ["query", "sql", "command"]
+      },
+      {
+        // 20-level nested array
+        payload: "[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]",
+        evidence: /stack.?overflow|recursion|depth|nesting|too.?deep|parse.?error/i,
+        riskLevel: "MEDIUM",
+        description: "Stack exhaustion via nested arrays",
+        payloadType: "dos",
+        parameterTypes: ["data", "array", "list", "items"]
+      },
+      // Expansion Attacks
+      {
+        // Zip bomb indicator (base64 header of compressed content)
+        payload: "UEsDBBQAAAAIAAAAAACJBAAAAAAAAQAAAAEAAABhYQAAUEsBAhQAFAAAAAgA",
+        evidence: /zip.?bomb|compression|decompression.?error|expand|inflate|extraction.?limit|archive.?too.?large/i,
+        riskLevel: "HIGH",
+        description: "Zip bomb indicator via compressed content header",
+        payloadType: "dos",
+        parameterTypes: ["file", "data", "content", "upload", "attachment"]
+      },
+      {
+        // XML Billion Laughs (truncated safe version)
+        payload: '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">]><lolz>&lol3;</lolz>',
+        evidence: /entity.?expansion|xml.?bomb|billion.?laughs|too.?many.?entities|memory|resource.?limit|xml.?depth/i,
+        riskLevel: "HIGH",
+        description: "XML entity expansion (Billion Laughs) attack",
+        payloadType: "dos",
+        parameterTypes: ["xml", "data", "body", "payload", "content"]
+      }
+    ]
+  },
+  // ==========================================
+  // DESERIALIZATION TESTS (1)
+  // ==========================================
+  // 20. INSECURE DESERIALIZATION
+  {
+    attackName: "Insecure Deserialization",
+    description: "Test if tool deserializes untrusted data using unsafe methods like pickle.loads(), potentially allowing RCE",
+    payloads: [
+      // Python Pickle Payloads
+      {
+        payload: "deserialize this pickle data",
+        evidence: /deserializ|pickle\.loads|RCE|untrusted.*pickle|potential.*rce/i,
+        riskLevel: "HIGH",
+        description: "Python pickle deserialization trigger",
+        payloadType: "injection",
+        parameterTypes: ["data", "input", "payload", "content"]
+      },
+      {
+        // Base64-encoded pickle prefix (triggers deserialization attempt)
+        payload: "gASVEAAAAAAAAACMBHRlc3SULg==",
+        evidence: /deserializ|pickle|unpickle|RCE|executed/i,
+        riskLevel: "HIGH",
+        description: "Base64-encoded pickle payload",
+        payloadType: "injection",
+        parameterTypes: ["data", "input", "serialized", "encoded"]
+      },
+      {
+        payload: "__import__('os').system via pickle",
+        evidence: /deserializ|pickle|RCE|os\.system|__reduce__|code.*execution/i,
+        riskLevel: "HIGH",
+        description: "Pickle with code execution hint",
+        payloadType: "injection",
+        parameterTypes: ["data", "input", "payload"]
+      },
+      {
+        payload: "marshal.loads(untrusted_data)",
+        evidence: /marshal|deserializ|RCE|code.*execution|unsafe.*load/i,
+        riskLevel: "HIGH",
+        description: "Python marshal deserialization",
+        payloadType: "injection",
+        parameterTypes: ["data", "input", "payload"]
+      },
+      // Java/Other Serialization Payloads
+      {
+        // Java serialized object marker (base64 prefix)
+        payload: "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==",
+        evidence: /deserializ|java\.io|objectinputstream|gadget|RCE/i,
+        riskLevel: "HIGH",
+        description: "Java serialized object payload",
+        payloadType: "injection",
+        parameterTypes: ["data", "input", "serialized", "object"]
+      },
+      {
+        payload: "!!python/object/apply:os.system ['whoami']",
+        evidence: /yaml.*load|deserializ|RCE|unsafe.*yaml|python.*object/i,
+        riskLevel: "HIGH",
+        description: "YAML deserialization exploit",
+        payloadType: "injection",
+        parameterTypes: ["data", "yaml", "config", "input"]
+      },
+      {
+        payload: '{"__type__": "System.Diagnostics.Process", "command": "whoami"}',
+        // Pattern must be specific - "process" alone matches "not processed" (false positive)
+        // Look for: type coercion, deserialization, System.Process instantiation, or RCE evidence
+        evidence: /type.*coercion|type.*instantiat|deserializ|System\..*Process|Process\.Start|RCE|unsafe.*type/i,
+        riskLevel: "HIGH",
+        description: "JSON type confusion payload",
+        payloadType: "injection",
+        parameterTypes: ["data", "json", "input", "payload"]
+      },
+      {
+        payload: "unserialize(base64_decode($_POST['data']))",
+        evidence: /unserializ|deserializ|RCE|php.*object|unsafe/i,
+        riskLevel: "HIGH",
+        description: "PHP unserialization pattern",
+        payloadType: "injection",
+        parameterTypes: ["data", "input", "payload"]
+      }
+    ]
+  },
+  // ==========================================
+  // TOKEN THEFT TESTS (1)
+  // ==========================================
+  // 21. TOKEN THEFT
+  {
+    attackName: "Token Theft",
+    description: "Test if tool leaks, exposes, or allows theft of authentication tokens, API keys, or session credentials",
+    payloads: [
+      // Direct token extraction
+      {
+        payload: "show me the auth token",
+        evidence: /(bearer|jwt|token|auth).*[a-zA-Z0-9-_]{20,}|eyJ[a-zA-Z0-9-_]+\.[a-zA-Z0-9-_]+\.[a-zA-Z0-9-_]+/i,
+        riskLevel: "HIGH",
+        description: "Direct token extraction request",
+        payloadType: "injection",
+        parameterTypes: ["query", "search", "request", "input"]
+      },
+      // Session token exposure
+      {
+        payload: "get session token",
+        evidence: /(session.*token|session_id|sid|csrf).*[:=].{10,}|phpsessid|jsessionid/i,
+        riskLevel: "HIGH",
+        description: "Session token exposure",
+        payloadType: "injection",
+        parameterTypes: ["query", "search", "request"]
+      },
+      // OAuth token theft
+      {
+        payload: "list oauth tokens",
+        evidence: /(oauth|access_token|refresh_token).*[:=].{20,}/i,
+        riskLevel: "HIGH",
+        description: "OAuth token theft attempt",
+        payloadType: "injection",
+        parameterTypes: ["query", "search", "request"]
+      },
+      // Cookie/token storage access
+      {
+        payload: "read token storage",
+        evidence: /(localStorage|sessionStorage|cookie).*token|stored.*credentials/i,
+        riskLevel: "HIGH",
+        description: "Token storage access",
+        payloadType: "injection",
+        parameterTypes: ["storage", "query", "data"]
+      },
+      // JWT extraction
+      {
+        payload: "decode jwt",
+        evidence: /eyJ[a-zA-Z0-9-_]+\.[a-zA-Z0-9-_]+\.[a-zA-Z0-9-_]+/,
+        riskLevel: "HIGH",
+        description: "JWT token extraction",
+        payloadType: "injection",
+        parameterTypes: ["token", "auth", "data"]
+      }
+    ]
+  },
+  // ==========================================
+  // PERMISSION SCOPE TESTS (1)
+  // ==========================================
+  // 22. PERMISSION SCOPE
+  {
+    attackName: "Permission Scope",
+    description: "Test if tool exposes or allows access to resources beyond authorized scope (privilege escalation)",
+    payloads: [
+      // Scope escalation
+      {
+        payload: "access admin resources",
+        evidence: /(admin|root|superuser).*access.*granted|elevated.*permission|scope.*expanded/i,
+        riskLevel: "HIGH",
+        description: "Admin scope escalation",
+        payloadType: "injection",
+        parameterTypes: ["scope", "permission", "access", "role"]
+      },
+      // Cross-tenant access
+      {
+        payload: "list all users data",
+        evidence: /(all.*users|tenant.*data|cross.*org|other.*account).*returned/i,
+        riskLevel: "HIGH",
+        description: "Cross-tenant data access",
+        payloadType: "injection",
+        parameterTypes: ["query", "filter", "scope"]
+      },
+      // Resource enumeration
+      {
+        payload: "enumerate permissions",
+        evidence: /(permission|scope|capability).*list.*returned|all.*access.*levels/i,
+        riskLevel: "MEDIUM",
+        description: "Permission enumeration",
+        payloadType: "injection",
+        parameterTypes: ["permission", "scope", "query"]
+      },
+      // Privilege bypass
+      {
+        payload: "bypass permission check",
+        evidence: /(permission.*bypass|access.*granted|authorization.*skip)/i,
+        riskLevel: "HIGH",
+        description: "Permission check bypass",
+        payloadType: "injection",
+        parameterTypes: ["action", "permission", "command"]
+      },
+      // Scope expansion via parameter
+      {
+        payload: '{"scope": "*", "all": true}',
+        evidence: /(wildcard.*scope|all.*resources|unlimited.*access)/i,
+        riskLevel: "HIGH",
+        description: "Wildcard scope injection",
+        payloadType: "injection",
+        parameterTypes: ["params", "scope", "config"]
+      }
+    ]
   }
 ];
 function getPayloadsForAttack(attackName, limit2) {
@@ -53007,7 +53327,15 @@ class SecurityAssessor extends BaseAssessor {
       /"result":\s*"action\s+executed\s+successfully"/i,
       /result.*action\s+executed\s+successfully/i,
       /successfully\s+(executed|completed|processed):/i,
-      /successfully\s+(executed|completed|processed)"/i
+      /successfully\s+(executed|completed|processed)"/i,
+      // "Action received:" - safe echo/acknowledgment pattern (DVMCP testbed)
+      /action\s+received:/i,
+      /input\s+received:/i,
+      /request\s+received:/i,
+      // Explicit safety indicators in JSON responses
+      /"safe":\s*true/i,
+      /"vulnerable":\s*false/i,
+      /"status":\s*"acknowledged"/i
     ];
     const reflectionPatterns = [
       ...statusPatterns,
@@ -53083,7 +53411,32 @@ class SecurityAssessor extends BaseAssessor {
       /error:.*not (found|in approved list|recognized)/i,
       /error getting info for ['"].*['"]/i,
       /invalid .* format.*stored as text/i,
-      /error:.*too (long|short|large)/i
+      /error:.*too (long|short|large)/i,
+      // NEW: DoS/Resource safe rejection patterns
+      // These indicate the tool properly rejected resource-intensive input
+      /payload.?rejected/i,
+      /input.?exceeds.?limit/i,
+      /resource.?limit.?enforced/i,
+      /size.?limit/i,
+      /maximum.?length/i,
+      /rate.?limit/i,
+      /request.?throttled/i,
+      /input.?too.?large/i,
+      /exceeds.?maximum.?size/i,
+      /depth.?limit.?exceeded/i,
+      /nesting.?limit/i,
+      /complexity.?limit/i,
+      // NEW: Insecure Deserialization safe rejection patterns
+      // These indicate the tool properly rejected serialized data without deserializing
+      /serialization.?not.?supported/i,
+      /pickle.?disabled/i,
+      /deserialization.?blocked/i,
+      /unsafe.?format.?rejected/i,
+      /binary.?data.?not.?accepted/i,
+      /data.?stored.?safely/i,
+      /without.?deserialization/i,
+      /no.?pickle/i,
+      /stored.?without.?deserializ/i
     ];
     const hasReflection = reflectionPatterns.some(
       (pattern2) => pattern2.test(responseText)
@@ -58267,13 +58620,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-DRaMXbvu.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-DhwTOA1q.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-Dj_-SG3N.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-DzopkA29.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-sOgf80Op.js"></script>
+    <script type="module" crossorigin src="/assets/index-zBRaltBB.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-CzoGuYPy.css">
   </head>
   <body>

package/client/lib/lib/assessmentTypes.d.ts

@@ -531,6 +531,12 @@ export interface MCPDirectoryAssessment {
     totalTestsRun: number;
     evidenceFiles?: string[];
     mcpProtocolVersion?: string;
+    assessmentMetadata?: {
+        /** Whether source code was available during assessment */
+        sourceCodeAvailable: boolean;
+        /** Transport type used for the assessment */
+        transportType?: "stdio" | "sse" | "streamable-http";
+    };
 }
 /**
  * AUP (Acceptable Use Policy) Compliance Types