@bryan-thompson/inspector-assessment 1.23.8 → 1.23.10

package/README.md

@@ -3,7 +3,7 @@
 [![npm version](https://badge.fury.io/js/@bryan-thompson%2Finspector-assessment.svg)](https://www.npmjs.com/package/@bryan-thompson/inspector-assessment)
 [![npm downloads](https://img.shields.io/npm/dm/@bryan-thompson/inspector-assessment.svg)](https://www.npmjs.com/package/@bryan-thompson/inspector-assessment)
 
-**Comprehensive MCP server validation with 16 automated assessment modules.**
+**Comprehensive MCP server validation with 17 automated assessment modules.**
 Test functionality, security, documentation, and policy compliance from the command line.
 
 ![MCP Inspector Screenshot](./mcp-inspector.png)
@@ -63,7 +63,7 @@ The inspector provides three CLI commands for different workflows:
 
 | Command                | Purpose                       | Use Case                     |
 | ---------------------- | ----------------------------- | ---------------------------- |
-| `mcp-assess-full`      | Complete 16-module assessment | Full validation, CI/CD gates |
+| `mcp-assess-full`      | Complete 17-module assessment | Full validation, CI/CD gates |
 | `mcp-assess-security`  | Security-only testing         | Quick vulnerability scan     |
 | `mcp-inspector-assess` | Interactive web UI            | Debugging, exploration       |
 
@@ -93,54 +93,39 @@ For complete CLI documentation, see [CLI Assessment Guide](docs/CLI_ASSESSMENT_G
 
 ---
 
-## Assessment Modules (16 Total)
-
-### Core Modules (5)
-
-| Module             | Purpose                    | Key Features                                        |
-| ------------------ | -------------------------- | --------------------------------------------------- |
-| **Functionality**  | Tool execution validation  | Multi-scenario testing, business logic detection    |
-| **Security**       | Vulnerability detection    | Comprehensive attack patterns, zero false positives |
-| **Documentation**  | README/description quality | Completeness scoring, example validation            |
-| **Error Handling** | MCP protocol compliance    | Error code validation, response quality             |
-| **Usability**      | Developer experience       | Naming conventions, schema completeness             |
-
-### Extended Modules (6) - MCP Directory Compliance
-
-| Module                   | Purpose                      | Policy Alignment                        |
-| ------------------------ | ---------------------------- | --------------------------------------- |
-| **MCP Spec Compliance**  | Protocol adherence           | JSON-RPC 2.0, MCP message formats       |
-| **AUP Compliance**       | Policy violation detection   | 14 AUP categories (A-N)                 |
-| **Tool Annotations**     | readOnlyHint/destructiveHint | Policy #17 compliance                   |
-| **Prohibited Libraries** | Dependency security          | Blocked packages (Stripe, FFmpeg, etc.) |
-| **Manifest Validation**  | MCPB manifest.json           | manifest_version 0.3 spec               |
-| **Portability**          | Cross-platform compatibility | Hardcoded paths, platform-specific code |
-
-### Advanced Modules (5)
-
-| Module                   | Purpose                    | Features                          |
-| ------------------------ | -------------------------- | --------------------------------- |
-| **External API Scanner** | External service detection | API URLs, affiliation warnings    |
-| **Temporal**             | Rug pull detection         | Behavior changes over invocations |
-| **Resources**            | Resource capability        | Discovery, read success, errors   |
-| **Prompts**              | Prompt capability          | Execution, multimodal support     |
-| **Cross-Capability**     | Chained vulnerabilities    | Multi-tool attack patterns        |
+## Assessment Modules (17 Total)
+
+### Core Modules (15)
+
+| Module                   | Purpose                      | Key Features                                        |
+| ------------------------ | ---------------------------- | --------------------------------------------------- |
+| **Functionality**        | Tool execution validation    | Multi-scenario testing, business logic detection    |
+| **Security**             | Vulnerability detection      | Comprehensive attack patterns, zero false positives |
+| **Documentation**        | README/description quality   | Completeness scoring, example validation            |
+| **Error Handling**       | MCP protocol compliance      | Error code validation, response quality             |
+| **Usability**            | Developer experience         | Naming conventions, schema completeness             |
+| **MCP Spec Compliance**  | Protocol adherence           | JSON-RPC 2.0, MCP message formats                   |
+| **AUP Compliance**       | Policy violation detection   | 14 AUP categories (A-N)                             |
+| **Tool Annotations**     | readOnlyHint/destructiveHint | Policy #17 compliance                               |
+| **Prohibited Libraries** | Dependency security          | Blocked packages (Stripe, FFmpeg, etc.)             |
+| **External API Scanner** | External service detection   | API URLs, affiliation warnings                      |
+| **Authentication**       | OAuth/auth evaluation        | Auth pattern validation, deployment context         |
+| **Temporal**             | Rug pull detection           | Behavior changes over invocations                   |
+| **Resources**            | Resource capability          | Discovery, read success, errors                     |
+| **Prompts**              | Prompt capability            | Execution, multimodal support                       |
+| **Cross-Capability**     | Chained vulnerabilities      | Multi-tool attack patterns                          |
+
+### Optional Modules (2) - MCPB Bundles
+
+| Module                  | Purpose                      | Policy Alignment                        |
+| ----------------------- | ---------------------------- | --------------------------------------- |
+| **Manifest Validation** | MCPB manifest.json           | manifest_version 0.3 spec               |
+| **Portability**         | Cross-platform compatibility | Hardcoded paths, platform-specific code |
 
 For detailed module documentation, see [Assessment Catalog](docs/ASSESSMENT_CATALOG.md).
 
 ---
 
-## For MCP Directory Reviewers
-
-If you're reviewing MCP servers for the Anthropic MCP Directory, see our **[Reviewer Quick Start Guide](docs/REVIEWER_QUICK_START.md)** for:
-
-- **60-second fast screening** workflow for approve/reject decisions
-- **5-minute detailed review** process for borderline cases
-- **Common pitfalls** explanation (false positives in security, informational vs scored tests)
-- **Decision matrix** with clear approval criteria
-
----
-
 ## Security Testing: Pure Behavior Detection
 
 The inspector uses **pure behavior-based detection** for security assessment, analyzing tool responses to identify actual code execution vs safe data handling.
@@ -242,7 +227,7 @@ echo $?
 
 ## Quality Metrics
 
-- **Test Coverage**: ~1550 tests passing across 65 test suites
+- **Test Coverage**: ~1560 tests passing across 66 test suites
 - **Assessment Module Tests**: 291+ tests validating assessment enhancements
 - **Code Quality**: Production TypeScript types, proper error handling
 - **Upstream Sync**: Up-to-date with v0.18.0
@@ -250,7 +235,7 @@ echo $?
 **Run tests:**
 
 ```bash
-npm test                         # All ~1550 tests
+npm test                         # All ~1560 tests
 npm test -- assessment           # Assessment module tests
 npm test -- SecurityAssessor     # Security tests
 ```
@@ -261,11 +246,10 @@ npm test -- SecurityAssessor     # Security tests
 
 ### Quick Start
 
-| Document                                               | Purpose                                     |
-| ------------------------------------------------------ | ------------------------------------------- |
-| [Reviewer Quick Start](docs/REVIEWER_QUICK_START.md)   | 60-second screening for directory reviewers |
-| [CLI Assessment Guide](docs/CLI_ASSESSMENT_GUIDE.md)   | Complete CLI modes and options              |
-| [Architecture & Value](docs/ARCHITECTURE_AND_VALUE.md) | What this provides and why                  |
+| Document                                               | Purpose                        |
+| ------------------------------------------------------ | ------------------------------ |
+| [CLI Assessment Guide](docs/CLI_ASSESSMENT_GUIDE.md)   | Complete CLI modes and options |
+| [Architecture & Value](docs/ARCHITECTURE_AND_VALUE.md) | What this provides and why     |
 
 ### API & Integration
 
@@ -279,7 +263,7 @@ npm test -- SecurityAssessor     # Security tests
 
 | Document                                                       | Purpose                       |
 | -------------------------------------------------------------- | ----------------------------- |
-| [Assessment Catalog](docs/ASSESSMENT_CATALOG.md)               | All 16 modules reference      |
+| [Assessment Catalog](docs/ASSESSMENT_CATALOG.md)               | All 17 modules reference      |
 | [Security Patterns Catalog](docs/SECURITY_PATTERNS_CATALOG.md) | Comprehensive attack patterns |
 | [Testbed Setup Guide](docs/TESTBED_SETUP_GUIDE.md)             | A/B validation                |
 
@@ -351,7 +335,7 @@ npx @modelcontextprotocol/inspector
 
 We built a comprehensive assessment framework on top of the original inspector, transforming it from a debugging tool into a full validation suite. Key additions:
 
-- **16 Assessment Modules** covering functionality, security, compliance
+- **17 Assessment Modules** covering functionality, security, compliance
 - **Pure Behavior-Based Detection** analyzing responses, not tool names
 - **Zero False Positives** through context-aware reflection detection
 - **CLI-First Workflow** with three specialized commands

package/cli/build/assess-full.js

@@ -1010,9 +1010,10 @@ Module Selection:
   Valid module names:
     functionality, security, documentation, errorHandling, usability,
     mcpSpecCompliance, aupCompliance, toolAnnotations, prohibitedLibraries,
-    manifestValidation, portability, temporal, resources, prompts, crossCapability
+    externalAPIScanner, authentication, temporal, resources, prompts,
+    crossCapability, manifestValidation, portability
 
-Assessment Modules (16 total):
+Assessment Modules (17 total):
   • Functionality      - Tests all tools work correctly
   • Security           - Prompt injection & vulnerability testing
   • Documentation      - README completeness checks
@@ -1022,9 +1023,14 @@ Assessment Modules (16 total):
   • AUP Compliance     - Acceptable Use Policy checks
   • Tool Annotations   - readOnlyHint/destructiveHint validation
   • Prohibited Libs    - Dependency security checks
-  • Manifest           - MCPB manifest.json validation
-  • Portability        - Cross-platform compatibility
+  • External API       - External service detection
+  • Authentication     - OAuth/auth evaluation
   • Temporal           - Rug pull/temporal behavior change detection
+  • Resources          - Resource capability assessment
+  • Prompts            - Prompt capability assessment
+  • Cross-Capability   - Chained vulnerability detection
+  • Manifest           - MCPB manifest.json validation (optional)
+  • Portability        - Cross-platform compatibility (optional)
 
 Examples:
   mcp-assess-full my-server

package/cli/build/assess-security.js

@@ -256,7 +256,7 @@ async function runSecurityAssessment(options) {
         callTool: createCallToolWrapper(client),
         config,
     };
-    console.log(`🛡️  Running security assessment with 17 attack patterns...`);
+    console.log(`🛡️  Running security assessment with 23 attack patterns...`);
     const assessor = new SecurityAssessor(config);
     const results = await assessor.assess(context);
     await client.close();
@@ -372,7 +372,7 @@ function printHelp() {
     console.log(`
 Usage: mcp-assess-security [options] [server-name]
 
-Run security assessment against an MCP server with 17 attack patterns.
+Run security assessment against an MCP server with 23 attack patterns.
 
 Options:
   --server, -s <name>    Server name (required, or pass as first positional arg)
@@ -382,14 +382,11 @@ Options:
   --verbose, -v          Enable verbose logging
   --help, -h             Show this help message
 
-Attack Patterns Tested (17 total):
-  • Direct prompt injection
-  • Indirect prompt injection
-  • Instruction override
-  • Role-playing attacks
-  • Encoding bypass
-  • Multi-turn manipulation
-  • Context poisoning
+Attack Patterns Tested (23 total):
+  • Command Injection, SQL Injection, Path Traversal
+  • Calculator Injection, Code Execution, XXE
+  • Data Exfiltration, Token Theft, NoSQL Injection
+  • Unicode Bypass, Nested Injection, Package Squatting
   • And more...
 
 Examples:

package/client/dist/assets/{OAuthCallback-Dx-ZyJe7.js → OAuthCallback-8m79-pFb.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-P1wj3llX.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-C9mj2Mhr.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-BPbrWgKx.js → OAuthDebugCallback-CL_C0bio.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-P1wj3llX.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-C9mj2Mhr.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-P1wj3llX.js → index-C9mj2Mhr.js}

@@ -16320,7 +16320,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.23.8";
+const version$1 = "1.23.10";
 const packageJson = {
   name,
   version: version$1
@@ -45217,7 +45217,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.23.8";
+const version = "1.23.10";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -48774,13 +48774,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-Dx-ZyJe7.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-8m79-pFb.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-BPbrWgKx.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-CL_C0bio.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-P1wj3llX.js"></script>
+    <script type="module" crossorigin src="/assets/index-C9mj2Mhr.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-Df9Sx1jt.css">
   </head>
   <body>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment",
-  "version": "1.23.8",
+  "version": "1.23.10",
   "description": "Enhanced MCP Inspector with comprehensive assessment capabilities for server validation",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",