@bryan-thompson/inspector-assessment 1.26.4 → 1.26.6

package/cli/build/lib/cli-parser.js

@@ -0,0 +1,419 @@
+/**
+ * CLI Parser Module
+ *
+ * Handles command-line argument parsing, validation, and help text for
+ * the mcp-assess-full CLI tool.
+ *
+ * Extracted from assess-full.ts as part of Issue #90 modularization.
+ *
+ * @module cli/lib/cli-parser
+ */
+import { ASSESSMENT_CATEGORY_METADATA, } from "../../../client/lib/lib/assessmentTypes.js";
+import { ASSESSMENT_PROFILES, isValidProfileName, getProfileHelpText, } from "../profiles.js";
+// ============================================================================
+// Constants
+// ============================================================================
+// Valid module names derived from ASSESSMENT_CATEGORY_METADATA
+const VALID_MODULE_NAMES = Object.keys(ASSESSMENT_CATEGORY_METADATA);
+// ============================================================================
+// Validation Functions
+// ============================================================================
+/**
+ * Validate module names from CLI input
+ *
+ * @param input - Comma-separated module names
+ * @param flagName - Flag name for error messages (e.g., "--skip-modules")
+ * @returns Array of validated module names, or empty array if invalid
+ */
+export function validateModuleNames(input, flagName) {
+    const names = input
+        .split(",")
+        .map((n) => n.trim())
+        .filter(Boolean);
+    const invalid = names.filter((n) => !VALID_MODULE_NAMES.includes(n));
+    if (invalid.length > 0) {
+        console.error(`Error: Invalid module name(s) for ${flagName}: ${invalid.join(", ")}`);
+        console.error(`Valid modules: ${VALID_MODULE_NAMES.join(", ")}`);
+        setTimeout(() => process.exit(1), 10);
+        return [];
+    }
+    return names;
+}
+/**
+ * Validate parsed options for consistency and requirements
+ *
+ * @param options - Partial assessment options to validate
+ * @returns Validation result with any errors
+ */
+export function validateArgs(options) {
+    const errors = [];
+    // Server name is required
+    if (!options.serverName) {
+        errors.push("--server is required");
+    }
+    // Validate mutual exclusivity of --profile, --skip-modules, and --only-modules
+    if (options.profile &&
+        (options.skipModules?.length || options.onlyModules?.length)) {
+        errors.push("--profile cannot be used with --skip-modules or --only-modules");
+    }
+    if (options.skipModules?.length && options.onlyModules?.length) {
+        errors.push("--skip-modules and --only-modules are mutually exclusive");
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+// ============================================================================
+// Argument Parsing
+// ============================================================================
+/**
+ * Parse command-line arguments
+ *
+ * @param argv - Command-line arguments (defaults to process.argv.slice(2))
+ * @returns Parsed assessment options
+ */
+export function parseArgs(argv) {
+    const args = argv ?? process.argv.slice(2);
+    const options = {};
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (!arg)
+            continue;
+        switch (arg) {
+            case "--server":
+            case "-s":
+                options.serverName = args[++i];
+                break;
+            case "--config":
+            case "-c":
+                options.serverConfigPath = args[++i];
+                break;
+            case "--output":
+            case "-o":
+                options.outputPath = args[++i];
+                break;
+            case "--source":
+                options.sourceCodePath = args[++i];
+                break;
+            case "--pattern-config":
+            case "-p":
+                options.patternConfigPath = args[++i];
+                break;
+            case "--performance-config":
+                options.performanceConfigPath = args[++i];
+                break;
+            case "--claude-enabled":
+                options.claudeEnabled = true;
+                break;
+            case "--claude-http":
+                // Enable Claude Bridge with HTTP transport (connects to mcp-auditor)
+                options.claudeEnabled = true;
+                options.claudeHttp = true;
+                break;
+            case "--mcp-auditor-url": {
+                const urlValue = args[++i];
+                if (!urlValue || urlValue.startsWith("-")) {
+                    console.error("Error: --mcp-auditor-url requires a URL argument");
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+                try {
+                    new URL(urlValue); // Validate URL format
+                    options.mcpAuditorUrl = urlValue;
+                }
+                catch {
+                    console.error(`Error: Invalid URL for --mcp-auditor-url: ${urlValue}`);
+                    console.error("  Expected format: http://hostname:port or https://hostname:port");
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+                break;
+            }
+            case "--full":
+                options.fullAssessment = true;
+                break;
+            case "--verbose":
+            case "-v":
+                options.verbose = true;
+                options.logLevel = "debug";
+                break;
+            case "--silent":
+                options.logLevel = "silent";
+                break;
+            case "--log-level": {
+                const levelValue = args[++i];
+                const validLevels = [
+                    "silent",
+                    "error",
+                    "warn",
+                    "info",
+                    "debug",
+                ];
+                if (!validLevels.includes(levelValue)) {
+                    console.error(`Invalid log level: ${levelValue}. Valid options: ${validLevels.join(", ")}`);
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+                options.logLevel = levelValue;
+                break;
+            }
+            case "--json":
+                options.jsonOnly = true;
+                break;
+            case "--format":
+            case "-f": {
+                const formatValue = args[++i];
+                if (formatValue !== "json" && formatValue !== "markdown") {
+                    console.error(`Invalid format: ${formatValue}. Valid options: json, markdown`);
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+                options.format = formatValue;
+                break;
+            }
+            case "--include-policy":
+                options.includePolicy = true;
+                break;
+            case "--preflight":
+                options.preflightOnly = true;
+                break;
+            case "--compare":
+                options.comparePath = args[++i];
+                break;
+            case "--diff-only":
+                options.diffOnly = true;
+                break;
+            case "--resume":
+                options.resume = true;
+                break;
+            case "--no-resume":
+                options.noResume = true;
+                break;
+            case "--temporal-invocations":
+                options.temporalInvocations = parseInt(args[++i], 10);
+                break;
+            case "--skip-temporal":
+                options.skipTemporal = true;
+                break;
+            case "--profile": {
+                const profileValue = args[++i];
+                if (!profileValue) {
+                    console.error("Error: --profile requires a profile name");
+                    console.error(`Valid profiles: ${Object.keys(ASSESSMENT_PROFILES).join(", ")}`);
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+                if (!isValidProfileName(profileValue)) {
+                    console.error(`Error: Invalid profile name: ${profileValue}`);
+                    console.error(`Valid profiles: ${Object.keys(ASSESSMENT_PROFILES).join(", ")}`);
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+                options.profile = profileValue;
+                break;
+            }
+            case "--skip-modules": {
+                const skipValue = args[++i];
+                if (!skipValue) {
+                    console.error("Error: --skip-modules requires a comma-separated list");
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+                options.skipModules = validateModuleNames(skipValue, "--skip-modules");
+                if (options.skipModules.length === 0 && skipValue) {
+                    options.helpRequested = true;
+                    return options;
+                }
+                break;
+            }
+            case "--only-modules": {
+                const onlyValue = args[++i];
+                if (!onlyValue) {
+                    console.error("Error: --only-modules requires a comma-separated list");
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+                options.onlyModules = validateModuleNames(onlyValue, "--only-modules");
+                if (options.onlyModules.length === 0 && onlyValue) {
+                    options.helpRequested = true;
+                    return options;
+                }
+                break;
+            }
+            case "--help":
+            case "-h":
+                printHelp();
+                options.helpRequested = true;
+                return options;
+            default:
+                if (!arg.startsWith("-")) {
+                    if (!options.serverName) {
+                        options.serverName = arg;
+                    }
+                }
+                else {
+                    console.error(`Unknown argument: ${arg}`);
+                    printHelp();
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+        }
+    }
+    // Validate mutual exclusivity of --profile, --skip-modules, and --only-modules
+    if (options.profile &&
+        (options.skipModules?.length || options.onlyModules?.length)) {
+        console.error("Error: --profile cannot be used with --skip-modules or --only-modules");
+        setTimeout(() => process.exit(1), 10);
+        options.helpRequested = true;
+        return options;
+    }
+    if (options.skipModules?.length && options.onlyModules?.length) {
+        console.error("Error: --skip-modules and --only-modules are mutually exclusive");
+        setTimeout(() => process.exit(1), 10);
+        options.helpRequested = true;
+        return options;
+    }
+    if (!options.serverName) {
+        console.error("Error: --server is required");
+        printHelp();
+        setTimeout(() => process.exit(1), 10);
+        options.helpRequested = true;
+        return options;
+    }
+    // Environment variable fallbacks (matches run-security-assessment.ts behavior)
+    // INSPECTOR_CLAUDE=true enables Claude with HTTP transport
+    if (process.env.INSPECTOR_CLAUDE === "true" && !options.claudeEnabled) {
+        options.claudeEnabled = true;
+        options.claudeHttp = true; // HTTP transport when enabled via env var
+    }
+    // INSPECTOR_MCP_AUDITOR_URL overrides default URL (only if not set via CLI)
+    if (process.env.INSPECTOR_MCP_AUDITOR_URL && !options.mcpAuditorUrl) {
+        const envUrl = process.env.INSPECTOR_MCP_AUDITOR_URL;
+        try {
+            new URL(envUrl);
+            options.mcpAuditorUrl = envUrl;
+        }
+        catch {
+            console.warn(`Warning: Invalid INSPECTOR_MCP_AUDITOR_URL: ${envUrl}, using default`);
+        }
+    }
+    return options;
+}
+// ============================================================================
+// Help Text
+// ============================================================================
+/**
+ * Print help message to console
+ */
+export function printHelp() {
+    console.log(`
+Usage: mcp-assess-full [options] [server-name]
+
+Run comprehensive MCP server assessment with 16 assessor modules organized in 4 tiers.
+
+Options:
+  --server, -s <name>    Server name (required, or pass as first positional arg)
+  --config, -c <path>    Path to server config JSON
+  --output, -o <path>    Output path (default: /tmp/inspector-full-assessment-<server>.<ext>)
+  --source <path>        Source code path for deep analysis (AUP, portability, etc.)
+  --pattern-config, -p <path>  Path to custom annotation pattern JSON
+  --performance-config <path>  Path to performance tuning JSON (batch sizes, timeouts, etc.)
+  --format, -f <type>    Output format: json (default) or markdown
+  --include-policy       Include policy compliance mapping in report (30 requirements)
+  --preflight            Run quick validation only (tools exist, manifest valid, server responds)
+  --compare <path>       Compare current assessment against baseline JSON file
+  --diff-only            Output only the comparison diff (requires --compare)
+  --resume               Resume from previous interrupted assessment
+  --no-resume            Force fresh start, clear any existing state
+  --claude-enabled       Enable Claude Code integration (CLI transport: requires 'claude' binary)
+  --claude-http          Enable Claude Code via HTTP transport (connects to mcp-auditor proxy)
+  --mcp-auditor-url <url>  mcp-auditor URL for HTTP transport (default: http://localhost:8085)
+  --full                 Enable all assessment modules (default)
+  --profile <name>       Use predefined module profile (quick, security, compliance, full)
+  --temporal-invocations <n>  Number of invocations per tool for rug pull detection (default: 25)
+  --skip-temporal        Skip temporal/rug pull testing (faster assessment)
+  --skip-modules <list>  Skip specific modules (comma-separated)
+  --only-modules <list>  Run only specific modules (comma-separated)
+  --json                 Output only JSON path (no console summary)
+  --verbose, -v          Enable verbose logging (same as --log-level debug)
+  --silent               Suppress all diagnostic logging
+  --log-level <level>    Set log level: silent, error, warn, info (default), debug
+                         Also supports LOG_LEVEL environment variable
+  --help, -h             Show this help message
+
+Environment Variables:
+  INSPECTOR_CLAUDE=true         Enable Claude with HTTP transport (same as --claude-http)
+  INSPECTOR_MCP_AUDITOR_URL     Override default mcp-auditor URL (default: http://localhost:8085)
+  LOG_LEVEL                     Set log level (overridden by --log-level flag)
+
+${getProfileHelpText()}
+Module Selection:
+  --profile, --skip-modules, and --only-modules are mutually exclusive.
+  Use --profile for common assessment scenarios.
+  Use --skip-modules for custom runs by disabling expensive modules.
+  Use --only-modules to focus on specific areas (e.g., tool annotation PRs).
+
+  Valid module names (new naming):
+    functionality, security, errorHandling, protocolCompliance, aupCompliance,
+    toolAnnotations, prohibitedLibraries, manifestValidation, authentication,
+    temporal, resources, prompts, crossCapability, developerExperience,
+    portability, externalAPIScanner
+
+  Legacy module names (deprecated, will map to new names):
+    documentation -> developerExperience
+    usability -> developerExperience
+    mcpSpecCompliance -> protocolCompliance
+    protocolConformance -> protocolCompliance
+
+Module Tiers (16 total):
+  Tier 1 - Core Security (Always Run):
+    • Functionality      - Tests all tools work correctly
+    • Security           - Prompt injection & vulnerability testing
+    • Error Handling     - Validates error responses
+    • Protocol Compliance - MCP protocol + JSON-RPC validation
+    • AUP Compliance     - Acceptable Use Policy checks
+    • Temporal           - Rug pull/temporal behavior change detection
+
+  Tier 2 - Compliance (MCP Directory):
+    • Tool Annotations   - readOnlyHint/destructiveHint validation
+    • Prohibited Libs    - Dependency security checks
+    • Manifest           - MCPB manifest.json validation
+    • Authentication     - OAuth/auth evaluation
+
+  Tier 3 - Capability-Based (Conditional):
+    • Resources          - Resource capability assessment
+    • Prompts            - Prompt capability assessment
+    • Cross-Capability   - Chained vulnerability detection
+
+  Tier 4 - Extended (Optional):
+    • Developer Experience - Documentation + usability assessment
+    • Portability        - Cross-platform compatibility
+    • External API       - External service detection
+
+Examples:
+  # Profile-based (recommended):
+  mcp-assess-full my-server --profile quick         # CI/CD fast check (~30s)
+  mcp-assess-full my-server --profile security      # Security audit (~2-3min)
+  mcp-assess-full my-server --profile compliance    # Directory submission (~5min)
+  mcp-assess-full my-server --profile full          # Comprehensive audit (~10-15min)
+
+  # Custom module selection:
+  mcp-assess-full my-server --skip-modules temporal,resources  # Skip expensive modules
+  mcp-assess-full my-server --only-modules functionality,toolAnnotations  # Annotation PR review
+
+  # Advanced options:
+  mcp-assess-full --server my-server --source ./my-server --output ./results.json
+  mcp-assess-full --server my-server --format markdown --include-policy
+  mcp-assess-full --server my-server --compare ./baseline.json --diff-only
+  `);
+}

package/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-cli",
-  "version": "1.26.4",
+  "version": "1.26.6",
   "description": "CLI for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/client/dist/assets/{OAuthCallback-DRmaIku9.js → OAuthCallback-CCWVtjr7.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-Dd4pL57l.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CsDJSSWq.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-BU8UZdx8.js → OAuthDebugCallback-DqbXfUi4.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-Dd4pL57l.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CsDJSSWq.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-Dd4pL57l.js → index-CsDJSSWq.js}

@@ -16373,7 +16373,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.26.4";
+const version$1 = "1.26.6";
 const packageJson = {
   name,
   version: version$1
@@ -45288,7 +45288,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.26.4";
+const version = "1.26.6";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -48845,13 +48845,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-DRmaIku9.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-CCWVtjr7.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-BU8UZdx8.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-DqbXfUi4.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-Dd4pL57l.js"></script>
+    <script type="module" crossorigin src="/assets/index-CsDJSSWq.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-cHhcEXbr.css">
   </head>
   <body>

package/client/lib/lib/securityPatterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EAg3CnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}
+{"version":3,"file":"securityPatterns.d.ts","sourceRoot":"","sources":["../../src/lib/securityPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,aAAa,EA64CnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,eAAe,EAAE,CAQnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAEtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB;;;;;;;;EA8BnC"}

package/client/lib/lib/securityPatterns.js

@@ -1287,6 +1287,32 @@ export const SECURITY_ATTACK_PATTERNS = [
                     "access_token",
                 ],
             },
+            // Auth failure simulation payloads (Issue #79)
+            // These target tools with simulate_failure parameter to test fail-open behavior
+            {
+                payload: "timeout",
+                evidence: /"auth_type"\s*:\s*"fail-open"|"auth_status"\s*:\s*"bypassed"/i,
+                riskLevel: "HIGH",
+                description: "Simulate auth service timeout - should deny access",
+                payloadType: "auth_failure",
+                parameterTypes: ["simulate_failure", "failure_mode", "failure_type"],
+            },
+            {
+                payload: "exception",
+                evidence: /"auth_type"\s*:\s*"fail-open"|"auth_status"\s*:\s*"bypassed"/i,
+                riskLevel: "HIGH",
+                description: "Simulate auth service exception - should deny access",
+                payloadType: "auth_failure",
+                parameterTypes: ["simulate_failure", "failure_mode", "failure_type"],
+            },
+            {
+                payload: "network_error",
+                evidence: /"auth_type"\s*:\s*"fail-open"|"auth_status"\s*:\s*"bypassed"/i,
+                riskLevel: "HIGH",
+                description: "Simulate network error - should deny access",
+                payloadType: "auth_failure",
+                parameterTypes: ["simulate_failure", "failure_mode", "failure_type"],
+            },
         ],
     },
 ];

package/client/lib/services/assessment/modules/securityTests/ConfidenceScorer.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Confidence Scorer
+ * Calculates confidence levels for vulnerability detections
+ *
+ * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
+ * Handles: confidence calculation, structured data tool detection, validation pattern checks
+ */
+import { Tool } from "@modelcontextprotocol/sdk/types.js";
+import { SecurityPayload } from "../../../../lib/securityPatterns.js";
+import type { SanitizationDetectionResult } from "./SanitizationDetector.js";
+/**
+ * Result of confidence calculation
+ */
+export interface ConfidenceResult {
+    confidence: "high" | "medium" | "low";
+    requiresManualReview: boolean;
+    manualReviewReason?: string;
+    reviewGuidance?: string;
+}
+/**
+ * Calculates confidence levels for security vulnerability detections
+ */
+export declare class ConfidenceScorer {
+    /**
+     * Calculate confidence level for a vulnerability detection
+     *
+     * Factors considered:
+     * - Sanitization detection (Issue #56)
+     * - Structured data tool context
+     * - Evidence quality
+     * - Response characteristics
+     *
+     * @param tool - The tool being tested
+     * @param isVulnerable - Whether the tool was flagged as vulnerable
+     * @param evidence - Evidence string from vulnerability detection
+     * @param responseText - The response text from the tool
+     * @param payload - The security payload used for testing
+     * @param sanitizationResult - Optional sanitization detection result (Issue #56)
+     * @returns Confidence result with manual review requirements
+     */
+    calculateConfidence(tool: Tool, isVulnerable: boolean, evidence: string, responseText: string, payload: SecurityPayload, sanitizationResult?: SanitizationDetectionResult): ConfidenceResult;
+    /**
+     * Check if tool is a structured data tool (search, lookup, retrieval)
+     *
+     * These tools are more likely to return data containing patterns
+     * that look like vulnerabilities but are actually just data.
+     */
+    isStructuredDataTool(toolName: string, toolDescription: string): boolean;
+    /**
+     * Check if evidence pattern is ambiguous (validation-like)
+     *
+     * Some patterns match both security issues AND normal validation errors.
+     * These require more careful analysis.
+     */
+    isValidationPattern(evidencePattern: RegExp): boolean;
+}
+//# sourceMappingURL=ConfidenceScorer.d.ts.map

package/client/lib/services/assessment/modules/securityTests/ConfidenceScorer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConfidenceScorer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/ConfidenceScorer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAE1E;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmCD;;GAEG;AACH,qBAAa,gBAAgB;IAC3B;;;;;;;;;;;;;;;;OAgBG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IA4JnB;;;;;OAKG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;;;;OAKG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;CAOtD"}