@bryan-thompson/inspector-assessment 1.36.4 → 1.36.5

package/cli/build/__tests__/assessment-runner/tools-with-hints.test.js

@@ -5,7 +5,7 @@
  * from raw MCP transport responses, even when the SDK's Zod validation would
  * normally strip them.
  */
-import { jest, describe, it, expect, beforeEach, afterEach } from "@jest/globals";
+import { jest, describe, it, expect, beforeEach, afterEach, } from "@jest/globals";
 import { getToolsWithPreservedHints, } from "../../lib/assessment-runner/tools-with-hints.js";
 describe("getToolsWithPreservedHints", () => {
     let mockClient;
@@ -198,6 +198,96 @@ describe("getToolsWithPreservedHints", () => {
         const tools = await getToolsWithPreservedHints(mockClient);
         expect(tools[0].destructiveHint).toBe(true);
     });
+    // Issue #160: Non-suffixed property preservation tests
+    it("should preserve non-suffixed readOnly from annotations object (Issue #160)", async () => {
+        mockClient.listTools.mockImplementation(async () => {
+            if (mockTransport.onmessage) {
+                mockTransport.onmessage({
+                    result: {
+                        tools: [
+                            {
+                                name: "domain_search",
+                                annotations: { readOnly: true }, // Non-suffixed version
+                            },
+                        ],
+                    },
+                });
+            }
+            // SDK returns tool without annotations (stripped by Zod)
+            return { tools: [{ name: "domain_search" }] };
+        });
+        const tools = await getToolsWithPreservedHints(mockClient);
+        // Should be mapped to readOnlyHint
+        expect(tools[0].readOnlyHint).toBe(true);
+    });
+    it("should preserve all non-suffixed annotations from annotations object (Issue #160)", async () => {
+        mockClient.listTools.mockImplementation(async () => {
+            if (mockTransport.onmessage) {
+                mockTransport.onmessage({
+                    result: {
+                        tools: [
+                            {
+                                name: "full_tool",
+                                annotations: {
+                                    readOnly: true,
+                                    destructive: false,
+                                    idempotent: true,
+                                    openWorld: false,
+                                },
+                            },
+                        ],
+                    },
+                });
+            }
+            return { tools: [{ name: "full_tool" }] };
+        });
+        const tools = await getToolsWithPreservedHints(mockClient);
+        expect(tools[0].readOnlyHint).toBe(true);
+        expect(tools[0].destructiveHint).toBe(false);
+        expect(tools[0].idempotentHint).toBe(true);
+        expect(tools[0].openWorldHint).toBe(false);
+    });
+    it("should preserve non-suffixed readOnly from direct property (Issue #160)", async () => {
+        mockClient.listTools.mockImplementation(async () => {
+            if (mockTransport.onmessage) {
+                mockTransport.onmessage({
+                    result: {
+                        tools: [
+                            {
+                                name: "direct_tool",
+                                readOnly: true, // Direct non-suffixed property
+                            },
+                        ],
+                    },
+                });
+            }
+            return { tools: [{ name: "direct_tool" }] };
+        });
+        const tools = await getToolsWithPreservedHints(mockClient);
+        expect(tools[0].readOnlyHint).toBe(true);
+    });
+    it("should prioritize *Hint over non-suffixed versions (Issue #160)", async () => {
+        mockClient.listTools.mockImplementation(async () => {
+            if (mockTransport.onmessage) {
+                mockTransport.onmessage({
+                    result: {
+                        tools: [
+                            {
+                                name: "priority_tool",
+                                annotations: {
+                                    readOnlyHint: false, // *Hint should win
+                                    readOnly: true, // Should be ignored
+                                },
+                            },
+                        ],
+                    },
+                });
+            }
+            return { tools: [{ name: "priority_tool" }] };
+        });
+        const tools = await getToolsWithPreservedHints(mockClient);
+        expect(tools[0].readOnlyHint).toBe(false); // *Hint takes priority
+    });
     it("should restore original onmessage handler after call", async () => {
         const originalHandler = jest.fn();
         mockTransport.onmessage = originalHandler;

package/cli/build/lib/assessment-runner/tools-with-hints.js

@@ -6,15 +6,33 @@
  * as a direct property on tools). This module intercepts the raw transport
  * response to preserve these properties.
  *
+ * Issue #160: Also preserves non-suffixed annotation property names (readOnly,
+ * destructive, idempotent, openWorld) for servers that use the shorter names
+ * instead of the *Hint suffix versions required by MCP spec.
+ *
  * @module cli/lib/assessment-runner/tools-with-hints
  */
-// Hint property names we want to preserve
+// Hint property names we want to preserve (*Hint suffix - MCP spec)
 const HINT_PROPERTIES = [
     "readOnlyHint",
     "destructiveHint",
     "idempotentHint",
     "openWorldHint",
 ];
+// Issue #160: Non-suffixed property names (fallback for servers using shorter names)
+const NON_SUFFIXED_PROPERTIES = [
+    "readOnly",
+    "destructive",
+    "idempotent",
+    "openWorld",
+];
+// Mapping from non-suffixed to *Hint versions
+const NON_SUFFIXED_TO_HINT = {
+    readOnly: "readOnlyHint",
+    destructive: "destructiveHint",
+    idempotent: "idempotentHint",
+    openWorld: "openWorldHint",
+};
 /**
  * Get tools from MCP server with hint properties preserved.
  *
@@ -74,23 +92,45 @@ export async function getToolsWithPreservedHints(client) {
                     continue;
                 }
                 // Check raw tool locations in priority order:
-                // 1. Direct property on raw tool
-                // 2. annotations object
-                // 3. metadata object
-                // 4. _meta object
+                // 1. Direct property on raw tool (*Hint)
+                // 2. Direct property on raw tool (non-suffixed, Issue #160)
+                // 3. annotations object (*Hint)
+                // 4. annotations object (non-suffixed, Issue #160)
+                // 5. metadata object (*Hint)
+                // 6. metadata object (non-suffixed, Issue #160)
+                // 7. _meta object (*Hint)
+                // 8. _meta object (non-suffixed, Issue #160)
                 let value;
+                // Get the non-suffixed equivalent (e.g., readOnlyHint -> readOnly)
+                const nonSuffixed = hint.replace("Hint", "");
+                // Check direct properties
                 if (typeof rawTool[hint] === "boolean") {
                     value = rawTool[hint];
                 }
+                else if (typeof rawTool[nonSuffixed] === "boolean") {
+                    value = rawTool[nonSuffixed];
+                }
+                // Check annotations object
                 else if (typeof rawTool.annotations?.[hint] === "boolean") {
                     value = rawTool.annotations[hint];
                 }
+                else if (typeof rawTool.annotations?.[nonSuffixed] === "boolean") {
+                    value = rawTool.annotations[nonSuffixed];
+                }
+                // Check metadata object
                 else if (typeof rawTool.metadata?.[hint] === "boolean") {
                     value = rawTool.metadata[hint];
                 }
+                else if (typeof rawTool.metadata?.[nonSuffixed] === "boolean") {
+                    value = rawTool.metadata[nonSuffixed];
+                }
+                // Check _meta object
                 else if (typeof rawTool._meta?.[hint] === "boolean") {
                     value = rawTool._meta[hint];
                 }
+                else if (typeof rawTool._meta?.[nonSuffixed] === "boolean") {
+                    value = rawTool._meta[nonSuffixed];
+                }
                 if (value !== undefined) {
                     enrichedTool[hint] = value;
                 }

package/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-cli",
-  "version": "1.36.4",
+  "version": "1.36.5",
   "description": "CLI for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/client/dist/assets/{OAuthCallback-pydLxj3d.js → OAuthCallback-DJ1av7om.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CVyqQ7s8.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-DEdS99fp.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-BLEebYQf.js → OAuthDebugCallback-lRXgX7wV.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CVyqQ7s8.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-DEdS99fp.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-CVyqQ7s8.js → index-DEdS99fp.js}

@@ -16373,7 +16373,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.36.4";
+const version$1 = "1.36.5";
 const packageJson = {
   name,
   version: version$1
@@ -48920,7 +48920,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.36.4";
+const version = "1.36.5";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -52515,13 +52515,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-pydLxj3d.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-DJ1av7om.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-BLEebYQf.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-lRXgX7wV.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-CVyqQ7s8.js"></script>
+    <script type="module" crossorigin src="/assets/index-DEdS99fp.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-BoUA5OL1.css">
   </head>
   <body>

package/client/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.d.ts

@@ -15,6 +15,18 @@ export declare const READONLY_CONTRADICTION_KEYWORDS: string[];
  * Issue #18: browser-tools-mcp uses runAccessibilityAudit, runSEOAudit, etc.
  */
 export declare const RUN_READONLY_EXEMPT_SUFFIXES: string[];
+/**
+ * Prefixes that indicate read-only operations.
+ * Issue #161: When a tool starts with these prefixes, certain keywords become nouns.
+ * For example, "post" in "get_post_details" is a Reddit post (noun), not POST method (verb).
+ */
+export declare const READONLY_PREFIX_PATTERNS: RegExp[];
+/**
+ * Keywords that can be nouns when following a read-only prefix.
+ * Issue #161: These words are verbs when used as prefixes (post_message) but
+ * nouns when used after read-only prefixes (get_post_details).
+ */
+export declare const NOUN_KEYWORDS_IN_READONLY_CONTEXT: string[];
 /**
  * Keywords that contradict destructiveHint=false (these tools delete/destroy data)
  */
@@ -41,6 +53,16 @@ export declare function containsKeyword(toolName: string, keywords: string[]): s
  * Issue #18: Prevents false positives for analysis/audit tools.
  */
 export declare function isRunKeywordExempt(toolName: string): boolean;
+/**
+ * Check if a keyword is being used as a noun in a read-only context.
+ * Issue #161: "post" in "get_post_details" is a Reddit post (noun), not POST method (verb).
+ * Prevents false positives when read-only tools reference content types.
+ *
+ * @param toolName - The tool name to check
+ * @param keyword - The keyword that was matched (e.g., "post")
+ * @returns true if the keyword is a noun in this read-only context
+ */
+export declare function isNounInReadOnlyContext(toolName: string, keyword: string): boolean;
 /**
  * Type guard for confidence levels that warrant event emission or status changes.
  * Uses positive check for acceptable levels (safer than !== "low" if new levels added).

package/client/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AnnotationDeceptionDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AnnotationDeceptionDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,eAAO,MAAM,+BAA+B,UA0C3C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,UAexC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,UAgB9C,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,cAAc,GAAG,iBAAiB,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAAE,GACjB,MAAM,GAAG,IAAI,CAkBf;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAU5D;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAElE;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,eAAe,CAAC,EAAE,OAAO,CAAA;CAAE,GACjE,eAAe,GAAG,IAAI,CAoCxB"}
+{"version":3,"file":"AnnotationDeceptionDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AnnotationDeceptionDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,eAAO,MAAM,+BAA+B,UA0C3C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,UAexC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,UAYpC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,UAO7C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,UAgB9C,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,cAAc,GAAG,iBAAiB,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAAE,GACjB,MAAM,GAAG,IAAI,CAkBf;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAU5D;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,OAAO,CAOT;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAElE;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,eAAe,CAAC,EAAE,OAAO,CAAA;CAAE,GACjE,eAAe,GAAG,IAAI,CAwCxB"}

package/client/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.js

@@ -72,6 +72,37 @@ export const RUN_READONLY_EXEMPT_SUFFIXES = [
     "benchmark", // runBenchmark, runPerfBenchmark
     "diagnostic", // runDiagnostic
 ];
+/**
+ * Prefixes that indicate read-only operations.
+ * Issue #161: When a tool starts with these prefixes, certain keywords become nouns.
+ * For example, "post" in "get_post_details" is a Reddit post (noun), not POST method (verb).
+ */
+export const READONLY_PREFIX_PATTERNS = [
+    /^get[_-]/i,
+    /^list[_-]/i,
+    /^fetch[_-]/i,
+    /^read[_-]/i,
+    /^search[_-]/i,
+    /^find[_-]/i,
+    /^show[_-]/i,
+    /^view[_-]/i,
+    /^describe[_-]/i,
+    /^check[_-]/i,
+    /^query[_-]/i,
+];
+/**
+ * Keywords that can be nouns when following a read-only prefix.
+ * Issue #161: These words are verbs when used as prefixes (post_message) but
+ * nouns when used after read-only prefixes (get_post_details).
+ */
+export const NOUN_KEYWORDS_IN_READONLY_CONTEXT = [
+    "post", // Reddit post, blog post, forum post
+    "message", // chat message, email message
+    "comment", // post comment, code comment
+    "thread", // forum thread, email thread
+    "log", // log entry, audit log
+    "record", // database record
+];
 /**
  * Keywords that contradict destructiveHint=false (these tools delete/destroy data)
  */
@@ -130,6 +161,23 @@ export function isRunKeywordExempt(toolName) {
     // Check if any exempt suffix is present
     return RUN_READONLY_EXEMPT_SUFFIXES.some((suffix) => lowerName.includes(suffix));
 }
+/**
+ * Check if a keyword is being used as a noun in a read-only context.
+ * Issue #161: "post" in "get_post_details" is a Reddit post (noun), not POST method (verb).
+ * Prevents false positives when read-only tools reference content types.
+ *
+ * @param toolName - The tool name to check
+ * @param keyword - The keyword that was matched (e.g., "post")
+ * @returns true if the keyword is a noun in this read-only context
+ */
+export function isNounInReadOnlyContext(toolName, keyword) {
+    // Check if keyword can be a noun in read-only context
+    if (!NOUN_KEYWORDS_IN_READONLY_CONTEXT.includes(keyword)) {
+        return false;
+    }
+    // Check if tool name starts with read-only prefix
+    return READONLY_PREFIX_PATTERNS.some((pattern) => pattern.test(toolName));
+}
 /**
  * Type guard for confidence levels that warrant event emission or status changes.
  * Uses positive check for acceptable levels (safer than !== "low" if new levels added).
@@ -152,6 +200,11 @@ export function detectAnnotationDeception(toolName, annotations) {
                 // Tool matches "run" but has an analysis suffix - not deceptive
                 // Fall through to normal pattern-based inference
             }
+            else if (isNounInReadOnlyContext(toolName, keyword)) {
+                // Issue #161: Skip when keyword is a noun in read-only context
+                // e.g., "post" in "get_post_details" is a Reddit post, not POST method
+                // Fall through to normal pattern-based inference
+            }
             else {
                 return {
                     field: "readOnlyHint",

package/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.36.4",
+  "version": "1.36.5",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment",
-  "version": "1.36.4",
+  "version": "1.36.5",
   "description": "Enhanced MCP Inspector with comprehensive assessment capabilities for server validation",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-server",
-  "version": "1.36.4",
+  "version": "1.36.5",
   "description": "Server-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",