npm - @bryan-thompson/inspector-assessment - Versions diffs - 1.22.13 → 1.22.16 - Mend

@bryan-thompson/inspector-assessment 1.22.13 → 1.22.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/README.md CHANGED Viewed

@@ -416,6 +416,9 @@ Configure assessment behavior through the UI:
 **Note**: The old numeric "Error Handling Test Limit" has been replaced with the tool selector. The `maxToolsToTestForErrors` config field is deprecated but still works for backward compatibility.
+> **Deprecation Notice**: `maxToolsToTestForErrors` will be removed in v2.0.0.
+> Migrate to `selectedToolsForTesting` (undefined = test all, [] = test none).
 ### Viewing Assessment Results
 The Assessment tab provides:

package/cli/build/assess-full.js CHANGED Viewed

@@ -12,13 +12,19 @@
 import * as fs from "fs";
 import * as path from "path";
 import * as os from "os";
+import { EventEmitter } from "events";
+// Increase max listeners to prevent warning during security testing
+// Full assessment runs 234+ sequential tool calls (6 tools × 13 patterns × 3 payloads)
+// Each call may add listeners to the underlying socket
+EventEmitter.defaultMaxListeners = 300;
+process.setMaxListeners(300);
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 // Import from local client lib (will use package exports when published)
 import { AssessmentOrchestrator, } from "../../client/lib/services/assessment/AssessmentOrchestrator.js";
-import { DEFAULT_ASSESSMENT_CONFIG, ASSESSMENT_CATEGORY_METADATA, } from "../../client/lib/lib/assessmentTypes.js";
+import { DEFAULT_ASSESSMENT_CONFIG, ASSESSMENT_CATEGORY_METADATA, getAllModulesConfig, } from "../../client/lib/lib/assessmentTypes.js";
 import { FULL_CLAUDE_CODE_CONFIG } from "../../client/lib/services/assessment/lib/claudeCodeBridge.js";
 import { createFormatter, } from "../../client/lib/lib/reportFormatters/index.js";
 import { generatePolicyComplianceReport } from "../../client/lib/services/assessment/PolicyComplianceGenerator.js";
@@ -333,30 +339,14 @@ function buildConfig(options) {
         enableExtendedAssessment: options.fullAssessment !== false,
         parallelTesting: true,
         testTimeout: 30000,
-        enableSourceCodeAnalysis: !!options.sourceCodePath,
+        enableSourceCodeAnalysis: Boolean(options.sourceCodePath),
     };
     if (options.fullAssessment !== false) {
-        // Start with all modules enabled by default
-        const allModules = {
-            functionality: true,
-            security: true,
-            documentation: true,
-            errorHandling: true,
-            usability: true,
-            mcpSpecCompliance: true,
-            aupCompliance: true,
-            toolAnnotations: true,
-            prohibitedLibraries: true,
-            manifestValidation: true,
-            portability: true,
-            externalAPIScanner: !!options.sourceCodePath,
-            temporal: !options.skipTemporal, // Enable by default with --full, skip with --skip-temporal
-            // New capability assessors - always enabled in full mode
-            resources: true,
-            prompts: true,
-            crossCapability: true,
-            authentication: true,
-        };
+        // Derive module config from ASSESSMENT_CATEGORY_METADATA (single source of truth)
+        const allModules = getAllModulesConfig({
+            sourceCodePath: Boolean(options.sourceCodePath),
+            skipTemporal: options.skipTemporal,
+        });
         // Apply --only-modules filter (whitelist mode)
         if (options.onlyModules?.length) {
             for (const key of Object.keys(allModules)) {

package/client/dist/assets/{OAuthCallback-CZrJlcLn.js → OAuthCallback-DNYBkA2C.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-_w0OL9Gt.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BRiFDs-g.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-DjI-YxME.js → OAuthDebugCallback-EhdSHXee.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-_w0OL9Gt.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BRiFDs-g.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-_w0OL9Gt.js → index-BRiFDs-g.js} RENAMED Viewed

@@ -16320,7 +16320,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.22.13";
+const version$1 = "1.22.16";
 const packageJson = {
   name,
   version: version$1
@@ -45352,7 +45352,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.22.13";
+const version = "1.22.16";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -48033,8 +48033,6 @@ const DEFAULT_ASSESSMENT_CONFIG = {
   // Enable MCP Spec Compliance assessment by default
   parallelTesting: false,
   maxParallelTests: 5,
-  maxToolsToTestForErrors: -1,
-  // Default to test ALL tools for comprehensive compliance
   securityPatternsToTest: 8,
   // Test all security patterns by default
   enableDomainTesting: true,
@@ -48078,8 +48076,6 @@ const REVIEWER_MODE_CONFIG = {
   maxParallelTests: 5,
   scenariosPerTool: 1,
   // Single realistic test per tool
-  maxToolsToTestForErrors: 3,
-  // Test only first 3 tools for error handling
   securityPatternsToTest: 3,
   // Test only 3 critical security patterns
   enableDomainTesting: false,
@@ -48119,8 +48115,6 @@ const DEVELOPER_MODE_CONFIG = {
   parallelTesting: false,
   // Sequential for easier debugging
   maxParallelTests: 5,
-  maxToolsToTestForErrors: -1,
-  // Test ALL tools
   securityPatternsToTest: 8,
   // Test all security patterns
   enableDomainTesting: true,
@@ -48836,11 +48830,13 @@ class MCPSpecComplianceAssessor extends BaseAssessor {
     return recommendations;
   }
 }
+const QUEUE_WARNING_THRESHOLD = 1e4;
 function createConcurrencyLimit(concurrency) {
   if (concurrency < 1) {
     throw new Error("Concurrency must be at least 1");
   }
   let activeCount = 0;
+  let hasWarned = false;
   const queue = [];
   const next = () => {
     if (activeCount < concurrency && queue.length > 0) {
@@ -48864,6 +48860,12 @@ function createConcurrencyLimit(concurrency) {
         resolve: resolve2,
         reject
       });
+      if (queue.length > QUEUE_WARNING_THRESHOLD && !hasWarned) {
+        hasWarned = true;
+        console.warn(
+          `[concurrencyLimit] Queue depth: ${queue.length} (threshold: ${QUEUE_WARNING_THRESHOLD}). Active: ${activeCount}/${concurrency}. This may indicate a slow/stalled server.`
+        );
+      }
       next();
     });
   };
@@ -52458,7 +52460,7 @@ function getPayloadsForAttack(attackName, limit2) {
   );
   if (!pattern2) return [];
   const payloads = pattern2.payloads;
-  return payloads;
+  return limit2 ? payloads.slice(0, limit2) : payloads;
 }
 function getAllAttackPatterns() {
   return SECURITY_ATTACK_PATTERNS;
@@ -52801,7 +52803,11 @@ class SecurityAssessor extends BaseAssessor {
     const toolsToTest = this.selectToolsForTesting(context.tools);
     const concurrency = this.config.maxParallelTests ?? 5;
     const limit2 = createConcurrencyLimit(concurrency);
-    const totalEstimate = toolsToTest.length * attackPatterns.length * 3;
+    let totalPayloads = 0;
+    for (const pattern2 of attackPatterns) {
+      totalPayloads += getPayloadsForAttack(pattern2.attackName).length;
+    }
+    const totalEstimate = toolsToTest.length * totalPayloads;
     let completedTests = 0;
     let lastBatchTime = Date.now();
     const startTime = Date.now();
@@ -53062,9 +53068,10 @@ class SecurityAssessor extends BaseAssessor {
           evidence: "No compatible parameters for testing"
         };
       }
+      const securityTimeout = this.config.securityTestTimeout ?? 5e3;
       const response = await this.executeWithTimeout(
         callTool(tool.name, params),
-        5e3
+        securityTimeout
       );
       if (this.isConnectionError(response)) {
         return {
@@ -53554,7 +53561,7 @@ class SecurityAssessor extends BaseAssessor {
    * Added for Issue #14: False positives on safe input reflection
    */
   isComputedMathResult(payload, responseText) {
-    const simpleMathPattern = /^\s*(\d+)\s*([+\-*\/])\s*(\d+)(?:\s*([+\-*\/])\s*(\d+))?\s*$/;
+    const simpleMathPattern = /^\s*(\d+)\s*([+\-*/])\s*(\d+)(?:\s*([+\-*/])\s*(\d+))?\s*$/;
     const match = payload.match(simpleMathPattern);
     if (!match) {
       return false;
@@ -59266,13 +59273,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-CZrJlcLn.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-DNYBkA2C.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-DjI-YxME.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-EhdSHXee.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html CHANGED Viewed

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-_w0OL9Gt.js"></script>
+    <script type="module" crossorigin src="/assets/index-BRiFDs-g.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-DiyPO_Zj.css">
   </head>
   <body>

package/client/lib/lib/assessment/configTypes.d.ts ADDED Viewed

@@ -0,0 +1,70 @@
+/**
+ * Assessment Configuration Types
+ *
+ * Configuration interfaces and preset configurations for assessments.
+ *
+ * @module assessment/configTypes
+ */
+/**
+ * Claude Code Bridge Configuration
+ * Enables integration with Claude Code CLI for intelligent analysis
+ */
+export interface ClaudeCodeConfig {
+    enabled: boolean;
+    features: {
+        intelligentTestGeneration: boolean;
+        aupSemanticAnalysis: boolean;
+        annotationInference: boolean;
+        documentationQuality: boolean;
+    };
+    timeout: number;
+    workingDir?: string;
+    maxRetries?: number;
+}
+export interface AssessmentConfiguration {
+    testTimeout: number;
+    /** Security-specific test timeout in ms (default: 5000). Lower than testTimeout for fast payload testing. */
+    securityTestTimeout?: number;
+    delayBetweenTests?: number;
+    skipBrokenTools: boolean;
+    reviewerMode?: boolean;
+    enableExtendedAssessment?: boolean;
+    documentationVerbosity?: "minimal" | "standard" | "verbose";
+    parallelTesting?: boolean;
+    maxParallelTests?: number;
+    scenariosPerTool?: number;
+    maxToolsToTestForErrors?: number;
+    selectedToolsForTesting?: string[];
+    securityPatternsToTest?: number;
+    enableDomainTesting?: boolean;
+    mcpProtocolVersion?: string;
+    enableSourceCodeAnalysis?: boolean;
+    patternConfigPath?: string;
+    claudeCode?: ClaudeCodeConfig;
+    temporalInvocations?: number;
+    assessmentCategories?: {
+        functionality: boolean;
+        security: boolean;
+        documentation: boolean;
+        errorHandling: boolean;
+        usability: boolean;
+        mcpSpecCompliance?: boolean;
+        aupCompliance?: boolean;
+        toolAnnotations?: boolean;
+        prohibitedLibraries?: boolean;
+        manifestValidation?: boolean;
+        portability?: boolean;
+        externalAPIScanner?: boolean;
+        authentication?: boolean;
+        temporal?: boolean;
+        resources?: boolean;
+        prompts?: boolean;
+        crossCapability?: boolean;
+    };
+}
+export declare const DEFAULT_ASSESSMENT_CONFIG: AssessmentConfiguration;
+export declare const REVIEWER_MODE_CONFIG: AssessmentConfiguration;
+export declare const DEVELOPER_MODE_CONFIG: AssessmentConfiguration;
+export declare const AUDIT_MODE_CONFIG: AssessmentConfiguration;
+export declare const CLAUDE_ENHANCED_AUDIT_CONFIG: AssessmentConfiguration;
+//# sourceMappingURL=configTypes.d.ts.map

package/client/lib/lib/assessment/configTypes.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"configTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configTypes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,mBAAmB,EAAE,OAAO,CAAC;QAC7B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,oBAAoB,EAAE,OAAO,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,6GAA6G;IAC7G,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IAEzB,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,sBAAsB,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IAI5D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oBAAoB,CAAC,EAAE;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,OAAO,CAAC;QACnB,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,QAAQ,CAAC,EAAE,OAAO,CAAC;QAEnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,eAAe,CAAC,EAAE,OAAO,CAAC;KAC3B,CAAC;CACH;AAMD,eAAO,MAAM,yBAAyB,EAAE,uBAgCvC,CAAC;AAIF,eAAO,MAAM,oBAAoB,EAAE,uBAiClC,CAAC;AAGF,eAAO,MAAM,qBAAqB,EAAE,uBAgCnC,CAAC;AAIF,eAAO,MAAM,iBAAiB,EAAE,uBAgC/B,CAAC;AAIF,eAAO,MAAM,4BAA4B,EAAE,uBA2C1C,CAAC"}

package/client/lib/lib/assessment/configTypes.js ADDED Viewed

@@ -0,0 +1,194 @@
+/**
+ * Assessment Configuration Types
+ *
+ * Configuration interfaces and preset configurations for assessments.
+ *
+ * @module assessment/configTypes
+ */
+// ============================================================================
+// Configuration Presets
+// ============================================================================
+export const DEFAULT_ASSESSMENT_CONFIG = {
+    testTimeout: 30000, // 30 seconds per tool
+    delayBetweenTests: 0, // No delay by default
+    skipBrokenTools: false,
+    reviewerMode: false,
+    enableExtendedAssessment: true, // Enable MCP Spec Compliance assessment by default
+    parallelTesting: false,
+    maxParallelTests: 5,
+    securityPatternsToTest: 8, // Test all security patterns by default
+    enableDomainTesting: true, // Enable advanced security testing by default (all 8 backend patterns)
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: false, // Source code analysis disabled by default (requires sourceCodePath)
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: false,
+        // New assessors - disabled by default, enable for MCP Directory compliance audits
+        aupCompliance: false,
+        toolAnnotations: false,
+        prohibitedLibraries: false,
+        manifestValidation: false,
+        portability: false,
+        externalAPIScanner: false,
+        authentication: false,
+        // New capability assessors - disabled by default
+        resources: false,
+        prompts: false,
+        crossCapability: false,
+    },
+};
+// Reviewer mode configuration: optimized for fast, human-assisted reviews
+// Focuses on Anthropic's 5 core requirements only
+export const REVIEWER_MODE_CONFIG = {
+    testTimeout: 10000, // 10 seconds per tool (faster)
+    delayBetweenTests: 100, // Small delay for rate limiting
+    skipBrokenTools: true, // Skip broken tools to save time
+    reviewerMode: true,
+    enableExtendedAssessment: false, // Disable extended assessments (not required for directory approval)
+    parallelTesting: true, // Faster execution
+    maxParallelTests: 5,
+    scenariosPerTool: 1, // Single realistic test per tool
+    securityPatternsToTest: 3, // Test only 3 critical security patterns
+    enableDomainTesting: false, // Use basic security testing for speed (3 patterns)
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: false,
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: false, // Not part of Anthropic's 5 core requirements
+        // New assessors - disabled in reviewer mode for speed
+        aupCompliance: false,
+        toolAnnotations: false,
+        prohibitedLibraries: false,
+        manifestValidation: false,
+        portability: false,
+        externalAPIScanner: false,
+        authentication: false,
+        // New capability assessors - disabled in reviewer mode for speed
+        resources: false,
+        prompts: false,
+        crossCapability: false,
+    },
+};
+// Developer mode configuration: comprehensive testing for debugging
+export const DEVELOPER_MODE_CONFIG = {
+    testTimeout: 30000, // 30 seconds per tool
+    delayBetweenTests: 500, // Moderate delay for thorough testing
+    skipBrokenTools: false,
+    reviewerMode: false,
+    enableExtendedAssessment: true,
+    parallelTesting: false, // Sequential for easier debugging
+    maxParallelTests: 5,
+    securityPatternsToTest: 8, // Test all security patterns
+    enableDomainTesting: true, // Enable advanced security testing (all 8 backend patterns)
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: true, // Enable source code analysis if path provided
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: true, // Include extended assessments
+        // New assessors - enabled in developer mode for comprehensive testing
+        aupCompliance: true,
+        toolAnnotations: true,
+        prohibitedLibraries: true,
+        manifestValidation: false, // MCPB bundle-specific, disabled by default
+        portability: false, // MCPB bundle-specific, disabled by default
+        externalAPIScanner: true,
+        authentication: true,
+        // New capability assessors - enabled in developer mode
+        resources: true,
+        prompts: true,
+        crossCapability: true,
+    },
+};
+// MCP Directory Audit mode: focuses on compliance gap assessors
+// Use for pre-submission validation to Anthropic MCP Directory
+export const AUDIT_MODE_CONFIG = {
+    testTimeout: 30000,
+    delayBetweenTests: 100,
+    skipBrokenTools: false,
+    reviewerMode: false,
+    enableExtendedAssessment: true,
+    parallelTesting: true, // Parallel for faster audits
+    maxParallelTests: 5,
+    securityPatternsToTest: 8,
+    enableDomainTesting: true,
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: true, // Deep analysis for audits
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: true,
+        // All new assessors enabled for audit mode
+        aupCompliance: true,
+        toolAnnotations: true,
+        prohibitedLibraries: true,
+        manifestValidation: false, // MCPB bundle-specific, disabled by default
+        portability: false, // MCPB bundle-specific, disabled by default
+        externalAPIScanner: true,
+        authentication: true,
+        // New capability assessors - enabled in audit mode
+        resources: true,
+        prompts: true,
+        crossCapability: true,
+    },
+};
+// Claude-enhanced audit mode: uses Claude Code for intelligent analysis
+// Reduces false positives in AUP scanning and improves test quality
+export const CLAUDE_ENHANCED_AUDIT_CONFIG = {
+    testTimeout: 30000,
+    delayBetweenTests: 100,
+    skipBrokenTools: false,
+    reviewerMode: false,
+    enableExtendedAssessment: true,
+    parallelTesting: false, // Sequential when using Claude to avoid rate limiting
+    maxParallelTests: 1,
+    securityPatternsToTest: 8,
+    enableDomainTesting: true,
+    mcpProtocolVersion: "2025-06",
+    enableSourceCodeAnalysis: true,
+    // Claude Code integration enabled
+    claudeCode: {
+        enabled: true,
+        features: {
+            intelligentTestGeneration: true, // Generate semantically meaningful test params
+            aupSemanticAnalysis: true, // Reduce false positives in AUP scanning
+            annotationInference: true, // Detect annotation misalignments
+            documentationQuality: true, // Assess documentation quality semantically
+        },
+        timeout: 90000, // 90 seconds for Claude calls
+        maxRetries: 2,
+    },
+    assessmentCategories: {
+        functionality: true,
+        security: true,
+        documentation: true,
+        errorHandling: true,
+        usability: true,
+        mcpSpecCompliance: true,
+        aupCompliance: true,
+        toolAnnotations: true,
+        prohibitedLibraries: true,
+        manifestValidation: false, // MCPB bundle-specific, disabled by default
+        portability: false, // MCPB bundle-specific, disabled by default
+        externalAPIScanner: true,
+        authentication: true,
+        // New capability assessors - enabled in Claude mode
+        resources: true,
+        prompts: true,
+        crossCapability: true,
+    },
+};

package/client/lib/lib/assessment/constants.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Assessment Constants
+ *
+ * Constant values used in security testing.
+ *
+ * @module assessment/constants
+ */
+import type { SecurityTestResult } from "./resultTypes.js";
+export declare const PROMPT_INJECTION_TESTS: Omit<SecurityTestResult, "vulnerable" | "evidence">[];
+//# sourceMappingURL=constants.d.ts.map

package/client/lib/lib/assessment/constants.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/constants.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAGxD,eAAO,MAAM,sBAAsB,EAAE,IAAI,CACvC,kBAAkB,EAClB,YAAY,GAAG,UAAU,CAC1B,EAqDA,CAAC"}

package/client/lib/lib/assessment/constants.js ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Assessment Constants
+ *
+ * Constant values used in security testing.
+ *
+ * @module assessment/constants
+ */
+// Backend API security patterns (8 total) - tests API security, not LLM behaviors
+export const PROMPT_INJECTION_TESTS = [
+    // Critical Injection (3)
+    {
+        testName: "Command Injection",
+        description: "Test if tool executes system commands",
+        payload: "; rm -rf /; echo 'test'",
+        riskLevel: "HIGH",
+    },
+    {
+        testName: "SQL Injection",
+        description: "Test if tool properly escapes SQL commands",
+        payload: "'; DROP TABLE users;--",
+        riskLevel: "HIGH",
+    },
+    {
+        testName: "Path Traversal",
+        description: "Test if tool allows access to files outside intended directory",
+        payload: "../../../etc/passwd",
+        riskLevel: "HIGH",
+    },
+    // Input Validation (3)
+    {
+        testName: "Type Safety",
+        description: "Test if tool validates parameter types correctly",
+        payload: "not_a_number",
+        riskLevel: "MEDIUM",
+    },
+    {
+        testName: "Boundary Testing",
+        description: "Test edge cases and boundary conditions",
+        payload: "",
+        riskLevel: "LOW",
+    },
+    {
+        testName: "Required Fields",
+        description: "Test if tool validates required parameters",
+        payload: "MISSING_REQUIRED",
+        riskLevel: "MEDIUM",
+    },
+    // Protocol Compliance (2)
+    {
+        testName: "MCP Error Format",
+        description: "Verify errors follow MCP protocol specification",
+        payload: "INVALID_TRIGGER_ERROR",
+        riskLevel: "LOW",
+    },
+    {
+        testName: "Timeout Handling",
+        description: "Test if tool handles long operations gracefully",
+        payload: "SIMULATE_LONG_OPERATION",
+        riskLevel: "LOW",
+    },
+];