@bryan-thompson/inspector-assessment 1.22.13 → 1.22.16

Files changed (45) hide show
  1. package/README.md +3 -0
  2. package/cli/build/assess-full.js +13 -23
  3. package/client/dist/assets/{OAuthCallback-CZrJlcLn.js → OAuthCallback-DNYBkA2C.js} +1 -1
  4. package/client/dist/assets/{OAuthDebugCallback-DjI-YxME.js → OAuthDebugCallback-EhdSHXee.js} +1 -1
  5. package/client/dist/assets/{index-_w0OL9Gt.js → index-BRiFDs-g.js} +21 -14
  6. package/client/dist/index.html +1 -1
  7. package/client/lib/lib/assessment/configTypes.d.ts +70 -0
  8. package/client/lib/lib/assessment/configTypes.d.ts.map +1 -0
  9. package/client/lib/lib/assessment/configTypes.js +194 -0
  10. package/client/lib/lib/assessment/constants.d.ts +10 -0
  11. package/client/lib/lib/assessment/constants.d.ts.map +1 -0
  12. package/client/lib/lib/assessment/constants.js +61 -0
  13. package/client/lib/lib/assessment/coreTypes.d.ts +159 -0
  14. package/client/lib/lib/assessment/coreTypes.d.ts.map +1 -0
  15. package/client/lib/lib/assessment/coreTypes.js +101 -0
  16. package/client/lib/lib/assessment/extendedTypes.d.ts +415 -0
  17. package/client/lib/lib/assessment/extendedTypes.d.ts.map +1 -0
  18. package/client/lib/lib/assessment/extendedTypes.js +9 -0
  19. package/client/lib/lib/assessment/index.d.ts +23 -0
  20. package/client/lib/lib/assessment/index.d.ts.map +1 -0
  21. package/client/lib/lib/assessment/index.js +48 -0
  22. package/client/lib/lib/assessment/progressTypes.d.ts +160 -0
  23. package/client/lib/lib/assessment/progressTypes.d.ts.map +1 -0
  24. package/client/lib/lib/assessment/progressTypes.js +9 -0
  25. package/client/lib/lib/assessment/resultTypes.d.ts +568 -0
  26. package/client/lib/lib/assessment/resultTypes.d.ts.map +1 -0
  27. package/client/lib/lib/assessment/resultTypes.js +9 -0
  28. package/client/lib/lib/assessmentTypes.d.ts +20 -1248
  29. package/client/lib/lib/assessmentTypes.d.ts.map +1 -1
  30. package/client/lib/lib/assessmentTypes.js +21 -287
  31. package/client/lib/services/assessment/AssessmentOrchestrator.d.ts +5 -0
  32. package/client/lib/services/assessment/AssessmentOrchestrator.d.ts.map +1 -1
  33. package/client/lib/services/assessment/AssessmentOrchestrator.js +24 -6
  34. package/client/lib/services/assessment/lib/concurrencyLimit.d.ts +12 -0
  35. package/client/lib/services/assessment/lib/concurrencyLimit.d.ts.map +1 -1
  36. package/client/lib/services/assessment/lib/concurrencyLimit.js +22 -0
  37. package/client/lib/services/assessment/lib/logger.d.ts +98 -0
  38. package/client/lib/services/assessment/lib/logger.d.ts.map +1 -0
  39. package/client/lib/services/assessment/lib/logger.js +153 -0
  40. package/client/lib/services/assessment/modules/BaseAssessor.d.ts +2 -2
  41. package/client/lib/services/assessment/modules/BaseAssessor.d.ts.map +1 -1
  42. package/client/lib/services/assessment/modules/SecurityAssessor.d.ts.map +1 -1
  43. package/client/lib/services/assessment/modules/SecurityAssessor.js +10 -5
  44. package/client/lib/services/assessment/modules/ToolAnnotationAssessor.js +1 -1
  45. package/package.json +3 -2
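--- a/package/client/lib/lib/assessment/coreTypes.d.ts
+++ b/package/client/lib/lib/assessment/coreTypes.d.ts
@@ -0,0 +1,159 @@
+/**
+* Core Assessment Types
+*
+* Foundational types used across all assessment modules.
+* These are the building blocks that other type files depend on.
+*
+* @module assessment/coreTypes
+*/
+export type AssessmentStatus = "PASS" | "FAIL" | "NEED_MORE_INFO";
+export type SecurityRiskLevel = "LOW" | "MEDIUM" | "HIGH";
+/**
+* Alignment status for tool annotations.
+* Extends beyond PASS/FAIL to handle ambiguous cases.
+*/
+export type AlignmentStatus = "ALIGNED" | "MISALIGNED" | "REVIEW_RECOMMENDED" | "UNKNOWN";
+/**
+* Confidence level for behavior inference
+*/
+export type InferenceConfidence = "high" | "medium" | "low";
+/**
+* Assessment category tier for distinguishing core vs optional assessments.
+* - "core": Always applicable to any MCP server audit
+* - "optional": Contextual assessments (e.g., MCPB bundle-specific)
+*/
+export type AssessmentCategoryTier = "core" | "optional";
+/**
+* Metadata for assessment categories including tier and applicability info.
+*/
+export interface AssessmentCategoryMetadata {
+tier: AssessmentCategoryTier;
+description: string;
+applicableTo?: string;
+}
+/**
+* Category metadata mapping for all assessment modules.
+* Used for CLI output and downstream consumers to understand category context.
+*
+* Note: Uses `satisfies` to preserve literal key types while ensuring type safety.
+* This allows deriving AssessmentModuleName from the object keys.
+*/
+declare const ASSESSMENT_CATEGORY_METADATA_INTERNAL: {
+functionality: {
+tier: "core";
+description: string;
+};
+security: {
+tier: "core";
+description: string;
+};
+documentation: {
+tier: "core";
+description: string;
+};
+errorHandling: {
+tier: "core";
+description: string;
+};
+usability: {
+tier: "core";
+description: string;
+};
+mcpSpecCompliance: {
+tier: "core";
+description: string;
+};
+aupCompliance: {
+tier: "core";
+description: string;
+};
+toolAnnotations: {
+tier: "core";
+description: string;
+};
+prohibitedLibraries: {
+tier: "core";
+description: string;
+};
+manifestValidation: {
+tier: "optional";
+description: string;
+applicableTo: string;
+};
+portability: {
+tier: "optional";
+description: string;
+applicableTo: string;
+};
+externalAPIScanner: {
+tier: "core";
+description: string;
+};
+authentication: {
+tier: "core";
+description: string;
+};
+temporal: {
+tier: "core";
+description: string;
+};
+resources: {
+tier: "core";
+description: string;
+};
+prompts: {
+tier: "core";
+description: string;
+};
+crossCapability: {
+tier: "core";
+description: string;
+};
+};
+/**
+* Type-safe module name derived from ASSESSMENT_CATEGORY_METADATA keys.
+* Use this type for compile-time validation of module names.
+*/
+export type AssessmentModuleName = keyof typeof ASSESSMENT_CATEGORY_METADATA_INTERNAL;
+/**
+* Re-export with original name for backward compatibility.
+* Type is preserved as Record<AssessmentModuleName, AssessmentCategoryMetadata>.
+*/
+export declare const ASSESSMENT_CATEGORY_METADATA: Record<AssessmentModuleName, AssessmentCategoryMetadata>;
+/**
+* Generate module configuration derived from ASSESSMENT_CATEGORY_METADATA.
+* Single source of truth for all assessment module names.
+*
+* @param options.sourceCodePath - If true, enables externalAPIScanner
+* @param options.skipTemporal - If true, disables temporal assessment
+* @returns Record of module names to enabled state (type-safe)
+*/
+export declare function getAllModulesConfig(options: {
+sourceCodePath?: boolean;
+skipTemporal?: boolean;
+}): Record<AssessmentModuleName, boolean>;
+/**
+* Persistence model for MCP servers (Three-Tier Classification).
+*
+* These types are re-exported from the services layer for backward compatibility
+* with existing imports from `@/lib/assessmentTypes`. This cross-layer import
+* is intentional and documented:
+*
+* **Why cross-layer?**
+* - PersistenceModel and ServerPersistenceContext are defined in
+* `services/assessment/config/annotationPatterns.ts` alongside the pattern
+* matching logic that uses them.
+* - Moving the types here would create a circular dependency since the
+* annotationPatterns module needs to import its own types.
+* - Type-only imports (`export type`) don't create runtime dependencies,
+* so this cross-layer reference is safe.
+*
+* **Type definitions:**
+* - "immediate": Write operations persist directly to storage (database, file, API)
+* - "deferred": Write operations are in-memory until explicit save operation
+* - "unknown": Cannot determine persistence model
+*
+* @see services/assessment/config/annotationPatterns.ts for implementation
+*/
+export type { PersistenceModel, ServerPersistenceContext, } from "../../services/assessment/config/annotationPatterns.js";
+//# sourceMappingURL=coreTypes.d.ts.map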
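Review bot: The option `sourceCodePath?: boolean` on `getAllModulesConfig` (hunk line 132) is named like a path but declared as a flag, so a caller following the name will pass the path string, which only the declaration rejects; at runtime the `Boolean(options.sourceCodePath)` test in the emitted implementation treats any non-empty string as true. The TSDoc should say what is expected: `@param options.sourceCodePath - Flag, not a path (pass \`Boolean(path)\`); when true, enables externalAPIScanner`. The same JSDoc is emitted in coreTypes.js (the `@@ -0,0 +1,101 @@` hunk) and should change with it. Both files are build output, so the change belongs in the source the map lists, `src/lib/assessment/coreTypes.ts`.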
@@ -0,0 +1 @@
1
+ {"version":3,"file":"coreTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/coreTypes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,gBAAgB,CAAC;AAClE,MAAM,MAAM,iBAAiB,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAE1D;;;GAGG;AACH,MAAM,MAAM,eAAe,GACvB,SAAS,GACT,YAAY,GACZ,oBAAoB,GACpB,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE5D;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,GAAG,MAAM,GAAG,UAAU,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,sBAAsB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,QAAA,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8DW,CAAC;AAEvD;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAC9B,MAAM,OAAO,qCAAqC,CAAC;AAErD;;;GAGG;AACH,eAAO,MAAM,4BAA4B,EAAE,MAAM,CAC/C,oBAAoB,EACpB,0BAA0B,CACa,CAAC;AAE1C;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE;IAC3C,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB,GAAG,MAAM,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAaxC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,YAAY,EACV,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,qDAAqD,CAAC"}
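--- a/package/client/lib/lib/assessment/coreTypes.js
+++ b/package/client/lib/lib/assessment/coreTypes.js
@@ -0,0 +1,101 @@
+/**
+* Core Assessment Types
+*
+* Foundational types used across all assessment modules.
+* These are the building blocks that other type files depend on.
+*
+* @module assessment/coreTypes
+*/
+/**
+* Category metadata mapping for all assessment modules.
+* Used for CLI output and downstream consumers to understand category context.
+*
+* Note: Uses `satisfies` to preserve literal key types while ensuring type safety.
+* This allows deriving AssessmentModuleName from the object keys.
+*/
+const ASSESSMENT_CATEGORY_METADATA_INTERNAL = {
+functionality: {
+tier: "core",
+description: "Tool functionality validation",
+},
+security: {
+tier: "core",
+description: "Security vulnerability detection",
+},
+documentation: {
+tier: "core",
+description: "Documentation quality",
+},
+errorHandling: {
+tier: "core",
+description: "Error handling compliance",
+},
+usability: { tier: "core", description: "Usability assessment" },
+mcpSpecCompliance: {
+tier: "core",
+description: "MCP protocol compliance",
+},
+aupCompliance: {
+tier: "core",
+description: "Acceptable use policy compliance",
+},
+toolAnnotations: {
+tier: "core",
+description: "Tool annotation validation",
+},
+prohibitedLibraries: {
+tier: "core",
+description: "Prohibited library detection",
+},
+manifestValidation: {
+tier: "optional",
+description: "MCPB manifest validation",
+applicableTo: "MCPB bundles",
+},
+portability: {
+tier: "optional",
+description: "Portability checks",
+applicableTo: "MCPB bundles",
+},
+externalAPIScanner: {
+tier: "core",
+description: "External API detection",
+},
+authentication: {
+tier: "core",
+description: "OAuth/auth evaluation",
+},
+temporal: {
+tier: "core",
+description: "Temporal/rug pull detection",
+},
+resources: { tier: "core", description: "Resource security" },
+prompts: { tier: "core", description: "Prompt security" },
+crossCapability: {
+tier: "core",
+description: "Cross-capability security",
+},
+};
+/**
+* Re-export with original name for backward compatibility.
+* Type is preserved as Record<AssessmentModuleName, AssessmentCategoryMetadata>.
+*/
+export const ASSESSMENT_CATEGORY_METADATA = ASSESSMENT_CATEGORY_METADATA_INTERNAL;
+/**
+* Generate module configuration derived from ASSESSMENT_CATEGORY_METADATA.
+* Single source of truth for all assessment module names.
+*
+* @param options.sourceCodePath - If true, enables externalAPIScanner
+* @param options.skipTemporal - If true, disables temporal assessment
+* @returns Record of module names to enabled state (type-safe)
+*/
+export function getAllModulesConfig(options) {
+return Object.keys(ASSESSMENT_CATEGORY_METADATA).reduce((acc, key) => ({
+...acc,
+[key]: key === "externalAPIScanner"
+? Boolean(options.sourceCodePath)
+: key === "temporal"
+? !options.skipTemporal
+: true,
+}), {});
+}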
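Review bot: `getAllModulesConfig` (hunk lines 92-101) builds its result with `reduce` and an object spread on every step, so the accumulator is copied once per module name, and the bare `{}` seed gives the source nothing to type the accumulator against. `Object.fromEntries(Object.keys(ASSESSMENT_CATEGORY_METADATA).map((key) => [key, key === "externalAPIScanner" ? Boolean(options.sourceCodePath) : key === "temporal" ? !options.skipTemporal : true]))` yields the same object in one pass and reads as the lookup it is. The comment carried over on hunk lines 13-14 says the object "Uses `satisfies`", which is erased in this emitted JavaScript, so it describes only the .ts source. Both points apply to the source file the map lists, `src/lib/assessment/coreTypes.ts`, since this file is build output.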
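--- a/package/client/lib/lib/assessment/extendedTypes.d.ts
+++ b/package/client/lib/lib/assessment/extendedTypes.d.ts
@@ -0,0 +1,415 @@
+/**
+* Extended Assessment Types
+*
+* Types for extended assessment modules including AUP compliance,
+* tool annotations, temporal detection, and capability assessors.
+*
+* @module assessment/extendedTypes
+*/
+import type { AssessmentStatus, SecurityRiskLevel, InferenceConfidence, AlignmentStatus } from "./coreTypes.js";
+export type AUPCategory = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J" | "K" | "L" | "M" | "N";
+export type AUPSeverity = "CRITICAL" | "HIGH" | "MEDIUM" | "FLAG";
+export interface AUPViolation {
+category: AUPCategory;
+categoryName: string;
+severity: AUPSeverity;
+pattern: string;
+matchedText: string;
+location: "tool_name" | "tool_description" | "readme" | "source_code";
+filePath?: string;
+lineNumber?: number;
+confidence: "high" | "medium" | "low";
+requiresHumanReview: boolean;
+reviewGuidance?: string;
+}
+export interface AUPComplianceAssessment {
+violations: AUPViolation[];
+highRiskDomains: string[];
+scannedLocations: {
+toolNames: boolean;
+toolDescriptions: boolean;
+readme: boolean;
+sourceCode: boolean;
+};
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+/**
+* Source of tool annotations
+*/
+export type AnnotationSource = "mcp" | "source-code" | "inferred" | "none";
+export interface ToolAnnotationResult {
+toolName: string;
+hasAnnotations: boolean;
+annotations?: {
+readOnlyHint?: boolean;
+destructiveHint?: boolean;
+title?: string;
+description?: string;
+idempotentHint?: boolean;
+openWorldHint?: boolean;
+};
+/** Where the annotations were extracted from */
+annotationSource?: AnnotationSource;
+inferredBehavior?: {
+expectedReadOnly: boolean;
+expectedDestructive: boolean;
+reason: string;
+/** Confidence level of the inference */
+confidence: InferenceConfidence;
+/** True if the tool name matches an ambiguous pattern */
+isAmbiguous: boolean;
+};
+/** Alignment status between annotations and inferred behavior */
+alignmentStatus?: AlignmentStatus;
+issues: string[];
+recommendations: string[];
+/** Description poisoning detection (Issue #8) */
+descriptionPoisoning?: {
+detected: boolean;
+patterns: Array<{
+name: string;
+pattern: string;
+severity: "LOW" | "MEDIUM" | "HIGH";
+category: string;
+evidence: string;
+}>;
+riskLevel: "NONE" | "LOW" | "MEDIUM" | "HIGH";
+};
+}
+export interface ToolAnnotationAssessment {
+toolResults: ToolAnnotationResult[];
+annotatedCount: number;
+missingAnnotationsCount: number;
+/** Count of high-confidence misalignments only (excludes REVIEW_RECOMMENDED) */
+misalignedAnnotationsCount: number;
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+/** Detailed metrics for annotation quality */
+metrics?: {
+/** Percentage of tools with any annotations (0-100) */
+coverage: number;
+/** Percentage of tools without contradictions (0-100) */
+consistency: number;
+/** Percentage of high-confidence alignments (0-100) */
+correctness: number;
+/** Count of tools needing manual review */
+reviewRequired: number;
+};
+/** Breakdown of tools by alignment status */
+alignmentBreakdown?: {
+aligned: number;
+misaligned: number;
+reviewRecommended: number;
+unknown: number;
+};
+/** Summary of where annotations were extracted from */
+annotationSources?: {
+/** Count from MCP protocol (tools/list response) */
+mcp: number;
+/** Count from source code analysis */
+sourceCode: number;
+/** Count where behavior was inferred from patterns */
+inferred: number;
+/** Count with no annotations found */
+none: number;
+};
+/** Count of tools with poisoned descriptions detected (Issue #8) */
+poisonedDescriptionsDetected?: number;
+}
+export type ProhibitedLibraryCategory = "financial" | "media" | "payments" | "banking";
+export interface ProhibitedLibraryMatch {
+name: string;
+category: ProhibitedLibraryCategory;
+location: "package.json" | "source_import" | "requirements.txt" | "cargo.toml";
+filePath?: string;
+lineNumber?: number;
+severity: "BLOCKING" | "HIGH" | "MEDIUM";
+reason: string;
+policyReference: string;
+}
+export interface ProhibitedLibrariesAssessment {
+matches: ProhibitedLibraryMatch[];
+scannedFiles: string[];
+hasFinancialLibraries: boolean;
+hasMediaLibraries: boolean;
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+export interface ManifestJsonSchema {
+manifest_version: string;
+name: string;
+version: string;
+description?: string;
+author?: string;
+repository?: string;
+license?: string;
+mcp_config: {
+command: string;
+args?: string[];
+env?: Record<string, string>;
+};
+icon?: string;
+homepage?: string;
+keywords?: string[];
+privacy_policies?: string[];
+}
+/**
+* Privacy Policy URL Validation Result
+* Validates that privacy_policies URLs are accessible
+*/
+export interface PrivacyPolicyValidation {
+url: string;
+accessible: boolean;
+statusCode?: number;
+contentType?: string;
+error?: string;
+}
+export interface ManifestValidationResult {
+field: string;
+valid: boolean;
+value?: unknown;
+expectedType?: string;
+issue?: string;
+severity: "ERROR" | "WARNING" | "INFO";
+}
+export interface ManifestValidationAssessment {
+hasManifest: boolean;
+manifestVersion?: string;
+validationResults: ManifestValidationResult[];
+hasIcon: boolean;
+hasRequiredFields: boolean;
+missingFields: string[];
+/** Privacy policy URL validation results */
+privacyPolicies?: {
+declared: string[];
+validationResults: PrivacyPolicyValidation[];
+allAccessible: boolean;
+};
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+export interface PortabilityIssue {
+type: "hardcoded_path" | "platform_specific" | "bundle_root_antipattern" | "absolute_path" | "user_home_path";
+filePath: string;
+lineNumber?: number;
+matchedText: string;
+severity: "HIGH" | "MEDIUM" | "LOW";
+recommendation: string;
+}
+export interface PortabilityAssessment {
+issues: PortabilityIssue[];
+scannedFiles: number;
+platformSpecificCount: number;
+hardcodedPathCount: number;
+usesDirname: boolean;
+usesBundleRoot: boolean;
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+/** Shell command portability analysis */
+shellCommands?: Array<{
+command: string;
+isPortable: boolean;
+alternativeCommand?: string;
+}>;
+/** Platform coverage summary */
+platformCoverage?: {
+supported: "all" | "windows" | "macos" | "linux";
+missing: string[];
+};
+}
+export interface DetectedAPI {
+url: string;
+service: string;
+filePath: string;
+}
+export interface ExternalAPIScannerAssessment {
+detectedAPIs: DetectedAPI[];
+uniqueServices: string[];
+affiliationWarning?: string;
+scannedFiles: number;
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+export type AuthMethod = "oauth" | "api_key" | "none" | "unknown";
+export interface AuthAppropriateness {
+isAppropriate: boolean;
+concerns: string[];
+explanation: string;
+}
+export interface TransportSecurityAnalysis {
+usesTLS: boolean;
+tlsEnforced: boolean;
+hasInsecurePatterns: boolean;
+insecurePatterns: string[];
+hasSecurePatterns: boolean;
+securePatterns: string[];
+corsConfigured: boolean;
+corsPermissive: boolean;
+sessionSecure: boolean;
+recommendations: string[];
+}
+export interface AuthenticationAssessment {
+authMethod: AuthMethod;
+hasLocalDependencies: boolean;
+transportType: string;
+appropriateness: AuthAppropriateness;
+recommendation: string;
+detectedPatterns: {
+oauthIndicators: string[];
+localResourceIndicators: string[];
+apiKeyIndicators: string[];
+};
+transportSecurity?: TransportSecurityAnalysis;
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+export interface TemporalToolResult {
+tool: string;
+vulnerable: boolean;
+totalInvocations: number;
+firstDeviationAt: number | null;
+deviationCount: number;
+errorCount: number;
+pattern: "RUG_PULL_TEMPORAL" | "RUG_PULL_DEFINITION" | null;
+severity: "HIGH" | "MEDIUM" | "NONE";
+reducedInvocations?: boolean;
+note?: string;
+evidence?: {
+safeResponseExample: unknown;
+maliciousResponseExample: unknown;
+};
+definitionMutated?: boolean;
+definitionMutationAt?: number | null;
+definitionEvidence?: {
+baselineDescription?: string;
+mutatedDescription?: string;
+baselineSchema?: unknown;
+mutatedSchema?: unknown;
+};
+}
+export interface TemporalAssessment {
+toolsTested: number;
+invocationsPerTool: number;
+rugPullsDetected: number;
+definitionMutationsDetected: number;
+details: TemporalToolResult[];
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+export interface ResourceTestResult {
+resourceUri: string;
+resourceName?: string;
+mimeType?: string;
+tested: boolean;
+accessible: boolean;
+securityIssues: string[];
+pathTraversalVulnerable: boolean;
+sensitiveDataExposed: boolean;
+promptInjectionDetected: boolean;
+promptInjectionPatterns: string[];
+validUri: boolean;
+readTime?: number;
+contentSizeBytes?: number;
+error?: string;
+/** Sensitive data patterns detected in resource content */
+sensitivePatterns?: Array<{
+pattern: string;
+severity: "critical" | "high" | "medium";
+detected: boolean;
+}>;
+/** Access control information */
+accessControls?: {
+requiresAuth: boolean;
+authType?: string;
+};
+/** Data classification based on content analysis */
+dataClassification?: "public" | "internal" | "confidential" | "restricted";
+}
+export interface ResourceAssessment {
+resourcesTested: number;
+resourceTemplatesTested: number;
+accessibleResources: number;
+securityIssuesFound: number;
+pathTraversalVulnerabilities: number;
+sensitiveDataExposures: number;
+promptInjectionVulnerabilities: number;
+results: ResourceTestResult[];
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+export interface PromptTestResult {
+promptName: string;
+description?: string;
+tested: boolean;
+hasRequiredArguments: boolean;
+argumentsValidated: boolean;
+aupCompliant: boolean;
+injectionVulnerable: boolean;
+safetyIssues: string[];
+argumentCount: number;
+executionTime?: number;
+error?: string;
+/** Template analysis for prompt structure */
+promptTemplate?: {
+templateType: string;
+variables: string[];
+validated: boolean;
+};
+/** Dynamic content analysis */
+dynamicContent?: {
+hasInterpolation: boolean;
+injectionSafe: boolean;
+escapingApplied: string[];
+};
+}
+export interface PromptAssessment {
+promptsTested: number;
+aupViolations: number;
+injectionVulnerabilities: number;
+argumentValidationIssues: number;
+results: PromptTestResult[];
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+export interface CrossCapabilityTestResult {
+testType: "tool_to_resource" | "prompt_to_tool" | "resource_to_tool" | "privilege_escalation";
+sourceCapability: string;
+targetCapability: string;
+vulnerable: boolean;
+evidence?: string;
+riskLevel: SecurityRiskLevel;
+description: string;
+/** Specific privilege escalation vector if detected */
+privilegeEscalationVector?: string;
+/** Data exfiltration risk details */
+dataExfiltrationRisk?: {
+sensitiveFields: string[];
+exfiltrationMethod: string;
+};
+/** Chain of capabilities that could be exploited together */
+attackChain?: string[];
+/** Confidence level in the detection */
+confidence?: "high" | "medium" | "low";
+}
+export interface CrossCapabilitySecurityAssessment {
+testsRun: number;
+vulnerabilitiesFound: number;
+privilegeEscalationRisks: number;
+dataFlowViolations: number;
+results: CrossCapabilityTestResult[];
+status: AssessmentStatus;
+explanation: string;
+recommendations: string[];
+}
+//# sourceMappingURL=extendedTypes.d.ts.map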
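Review bot: Several fields re-spell the aliases this file imports from `./coreTypes.js` on hunk line 9: `AUPViolation.confidence` (line 21) and `CrossCapabilityTestResult.confidence` (line 403) are written as `"high" | "medium" | "low"` rather than `InferenceConfidence`, and `descriptionPoisoning.patterns[].severity` (line 74, `"LOW" | "MEDIUM" | "HIGH"`) and `PortabilityIssue.severity` (line 201, `"HIGH" | "MEDIUM" | "LOW"`) rather than `SecurityRiskLevel`, so a member added to either alias would leave these fields out of step while `inferredBehavior.confidence` and `riskLevel` follow it. Writing them as `confidence: InferenceConfidence;` and `severity: SecurityRiskLevel;` keeps the accepted values identical and removes the drift. This is emitted declaration output, so the change belongs in the corresponding .ts source under src/lib/assessment.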