@bryan-thompson/inspector-assessment 1.36.4 → 1.37.0

package/client/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.d.ts

@@ -15,6 +15,18 @@ export declare const READONLY_CONTRADICTION_KEYWORDS: string[];
  * Issue #18: browser-tools-mcp uses runAccessibilityAudit, runSEOAudit, etc.
  */
 export declare const RUN_READONLY_EXEMPT_SUFFIXES: string[];
+/**
+ * Prefixes that indicate read-only operations.
+ * Issue #161: When a tool starts with these prefixes, certain keywords become nouns.
+ * For example, "post" in "get_post_details" is a Reddit post (noun), not POST method (verb).
+ */
+export declare const READONLY_PREFIX_PATTERNS: RegExp[];
+/**
+ * Keywords that can be nouns when following a read-only prefix.
+ * Issue #161: These words are verbs when used as prefixes (post_message) but
+ * nouns when used after read-only prefixes (get_post_details).
+ */
+export declare const NOUN_KEYWORDS_IN_READONLY_CONTEXT: string[];
 /**
  * Keywords that contradict destructiveHint=false (these tools delete/destroy data)
  */
@@ -41,6 +53,16 @@ export declare function containsKeyword(toolName: string, keywords: string[]): s
  * Issue #18: Prevents false positives for analysis/audit tools.
  */
 export declare function isRunKeywordExempt(toolName: string): boolean;
+/**
+ * Check if a keyword is being used as a noun in a read-only context.
+ * Issue #161: "post" in "get_post_details" is a Reddit post (noun), not POST method (verb).
+ * Prevents false positives when read-only tools reference content types.
+ *
+ * @param toolName - The tool name to check
+ * @param keyword - The keyword that was matched (e.g., "post")
+ * @returns true if the keyword is a noun in this read-only context
+ */
+export declare function isNounInReadOnlyContext(toolName: string, keyword: string): boolean;
 /**
  * Type guard for confidence levels that warrant event emission or status changes.
  * Uses positive check for acceptable levels (safer than !== "low" if new levels added).

package/client/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AnnotationDeceptionDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AnnotationDeceptionDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,eAAO,MAAM,+BAA+B,UA0C3C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,UAexC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,UAgB9C,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,cAAc,GAAG,iBAAiB,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAAE,GACjB,MAAM,GAAG,IAAI,CAkBf;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAU5D;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAElE;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,eAAe,CAAC,EAAE,OAAO,CAAA;CAAE,GACjE,eAAe,GAAG,IAAI,CAoCxB"}
+{"version":3,"file":"AnnotationDeceptionDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AnnotationDeceptionDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,eAAO,MAAM,+BAA+B,UA0C3C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,UAexC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,UAYpC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,UAO7C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,UAgB9C,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,cAAc,GAAG,iBAAiB,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAAE,GACjB,MAAM,GAAG,IAAI,CAkBf;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAU5D;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,OAAO,CAOT;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAElE;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,eAAe,CAAC,EAAE,OAAO,CAAA;CAAE,GACjE,eAAe,GAAG,IAAI,CAwCxB"}

package/client/lib/services/assessment/modules/annotations/AnnotationDeceptionDetector.js

@@ -72,6 +72,37 @@ export const RUN_READONLY_EXEMPT_SUFFIXES = [
     "benchmark", // runBenchmark, runPerfBenchmark
     "diagnostic", // runDiagnostic
 ];
+/**
+ * Prefixes that indicate read-only operations.
+ * Issue #161: When a tool starts with these prefixes, certain keywords become nouns.
+ * For example, "post" in "get_post_details" is a Reddit post (noun), not POST method (verb).
+ */
+export const READONLY_PREFIX_PATTERNS = [
+    /^get[_-]/i,
+    /^list[_-]/i,
+    /^fetch[_-]/i,
+    /^read[_-]/i,
+    /^search[_-]/i,
+    /^find[_-]/i,
+    /^show[_-]/i,
+    /^view[_-]/i,
+    /^describe[_-]/i,
+    /^check[_-]/i,
+    /^query[_-]/i,
+];
+/**
+ * Keywords that can be nouns when following a read-only prefix.
+ * Issue #161: These words are verbs when used as prefixes (post_message) but
+ * nouns when used after read-only prefixes (get_post_details).
+ */
+export const NOUN_KEYWORDS_IN_READONLY_CONTEXT = [
+    "post", // Reddit post, blog post, forum post
+    "message", // chat message, email message
+    "comment", // post comment, code comment
+    "thread", // forum thread, email thread
+    "log", // log entry, audit log
+    "record", // database record
+];
 /**
  * Keywords that contradict destructiveHint=false (these tools delete/destroy data)
  */
@@ -130,6 +161,23 @@ export function isRunKeywordExempt(toolName) {
     // Check if any exempt suffix is present
     return RUN_READONLY_EXEMPT_SUFFIXES.some((suffix) => lowerName.includes(suffix));
 }
+/**
+ * Check if a keyword is being used as a noun in a read-only context.
+ * Issue #161: "post" in "get_post_details" is a Reddit post (noun), not POST method (verb).
+ * Prevents false positives when read-only tools reference content types.
+ *
+ * @param toolName - The tool name to check
+ * @param keyword - The keyword that was matched (e.g., "post")
+ * @returns true if the keyword is a noun in this read-only context
+ */
+export function isNounInReadOnlyContext(toolName, keyword) {
+    // Check if keyword can be a noun in read-only context
+    if (!NOUN_KEYWORDS_IN_READONLY_CONTEXT.includes(keyword)) {
+        return false;
+    }
+    // Check if tool name starts with read-only prefix
+    return READONLY_PREFIX_PATTERNS.some((pattern) => pattern.test(toolName));
+}
 /**
  * Type guard for confidence levels that warrant event emission or status changes.
  * Uses positive check for acceptable levels (safer than !== "low" if new levels added).
@@ -152,6 +200,11 @@ export function detectAnnotationDeception(toolName, annotations) {
                 // Tool matches "run" but has an analysis suffix - not deceptive
                 // Fall through to normal pattern-based inference
             }
+            else if (isNounInReadOnlyContext(toolName, keyword)) {
+                // Issue #161: Skip when keyword is a noun in read-only context
+                // e.g., "post" in "get_post_details" is a Reddit post, not POST method
+                // Fall through to normal pattern-based inference
+            }
             else {
                 return {
                     field: "readOnlyHint",

package/client/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DescriptionPoisoningDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/DescriptionPoisoningDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;QACpC,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,SAAS,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAC9C,oFAAoF;IACpF,aAAa,CAAC,EAAE;QACd,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,WAAW,EAAE,OAAO,CAAC;KACtB,CAAC;CACH;AAED;;;;GAIG;AACH,eAAO,MAAM,8BAA8B,EAAE,gBAAgB,EAwT5D,CAAC;AASF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,IAAI,GAAG,mBAAmB,CAoE3E"}
+{"version":3,"file":"DescriptionPoisoningDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/DescriptionPoisoningDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;QACpC,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,SAAS,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAC9C,oFAAoF;IACpF,aAAa,CAAC,EAAE;QACd,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,WAAW,EAAE,OAAO,CAAC;KACtB,CAAC;CACH;AAED;;;;GAIG;AACH,eAAO,MAAM,8BAA8B,EAAE,gBAAgB,EAwT5D,CAAC;AASF,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,IAAI,GAAG,mBAAmB,CA8E3E"}

package/client/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.js

@@ -318,6 +318,7 @@ export function scanDescriptionForPoisoning(tool) {
     const matches = [];
     // Length-based heuristic (Issue #119, Challenge #15)
     // Excessively long descriptions may be used to hide malicious content
+    // Issue #167: Length check moved AFTER pattern scan - severity depends on other patterns
     let lengthWarning;
     if (description.length > DESCRIPTION_LENGTH_WARNING_THRESHOLD) {
         lengthWarning = {
@@ -325,13 +326,7 @@ export function scanDescriptionForPoisoning(tool) {
             threshold: DESCRIPTION_LENGTH_WARNING_THRESHOLD,
             isExcessive: true,
         };
-        matches.push({
-            name: "excessive_description_length",
-            pattern: `length > ${DESCRIPTION_LENGTH_WARNING_THRESHOLD}`,
-            severity: "MEDIUM",
-            category: "suspicious_length",
-            evidence: `Description is ${description.length} characters (threshold: ${DESCRIPTION_LENGTH_WARNING_THRESHOLD})`,
-        });
+        // NOTE: matches.push moved to after pattern loop (Issue #167)
     }
     for (const patternDef of DESCRIPTION_POISONING_PATTERNS) {
         // Create a fresh regex to reset lastIndex
@@ -351,6 +346,20 @@ export function scanDescriptionForPoisoning(tool) {
                 break;
         }
     }
+    // Issue #167: Add length warning AFTER pattern scan with conditional severity
+    // Long descriptions alone are LOW (informational), but length + other patterns = MEDIUM
+    if (lengthWarning) {
+        const hasOtherPatterns = matches.length > 0;
+        matches.push({
+            name: "excessive_description_length",
+            pattern: `length > ${DESCRIPTION_LENGTH_WARNING_THRESHOLD}`,
+            severity: hasOtherPatterns ? "MEDIUM" : "LOW",
+            category: "suspicious_length",
+            evidence: hasOtherPatterns
+                ? `Description is ${description.length} characters AND contains ${matches.length} suspicious pattern(s)`
+                : `Description is ${description.length} characters (informational - no suspicious patterns detected)`,
+        });
+    }
     // Determine overall risk level based on highest severity match
     let riskLevel = "NONE";
     if (matches.some((m) => m.severity === "HIGH")) {

package/client/lib/services/assessment/modules/securityTests/ErrorClassifier.d.ts

@@ -29,6 +29,20 @@ export declare class ErrorClassifier {
      * Check if caught exception indicates connection/server failure
      */
     isConnectionErrorFromException(error: unknown): boolean;
+    /**
+     * Check if response indicates transient error worth retrying.
+     * Transient errors (ECONNREFUSED, ETIMEDOUT, etc.) may resolve on retry.
+     * Permanent errors (unknown tool, unauthorized) will not.
+     *
+     * @see https://github.com/triepod-ai/inspector-assessment/issues/157
+     */
+    isTransientError(response: CompatibilityCallToolResult): boolean;
+    /**
+     * Check if caught exception indicates transient error worth retrying.
+     *
+     * @see https://github.com/triepod-ai/inspector-assessment/issues/157
+     */
+    isTransientErrorFromException(error: unknown): boolean;
     /**
      * Internal: Check if text indicates connection/server failure
      */

package/client/lib/services/assessment/modules/securityTests/ErrorClassifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ErrorClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/ErrorClassifier.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AAQjF;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAKjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAQvD;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAgBjC;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAKzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAQ/D;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAgB7B;;OAEG;IACH,gBAAgB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,SAAS;IAsBlE;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;CAUtE"}
+{"version":3,"file":"ErrorClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/ErrorClassifier.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AASjF;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAKjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAQvD;;;;;;OAMG;IACH,gBAAgB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAKhE;;;;OAIG;IACH,6BAA6B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAQtD;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAgBjC;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAKzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAQ/D;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAgB7B;;OAEG;IACH,gBAAgB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,SAAS;IAsBlE;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;CAUtE"}

package/client/lib/services/assessment/modules/securityTests/ErrorClassifier.js

@@ -5,7 +5,7 @@
  * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
  * Handles: connection error detection, error classification, error info extraction
  */
-import { CONNECTION_ERROR_PATTERNS, ERROR_CLASSIFICATION_PATTERNS, matchesAny, hasMcpErrorPrefix, } from "./SecurityPatternLibrary.js";
+import { CONNECTION_ERROR_PATTERNS, ERROR_CLASSIFICATION_PATTERNS, matchesAny, hasMcpErrorPrefix, isTransientErrorPattern, } from "./SecurityPatternLibrary.js";
 /**
  * Classifies errors from tool responses and exceptions
  */
@@ -27,6 +27,29 @@ export class ErrorClassifier {
         }
         return false;
     }
+    /**
+     * Check if response indicates transient error worth retrying.
+     * Transient errors (ECONNREFUSED, ETIMEDOUT, etc.) may resolve on retry.
+     * Permanent errors (unknown tool, unauthorized) will not.
+     *
+     * @see https://github.com/triepod-ai/inspector-assessment/issues/157
+     */
+    isTransientError(response) {
+        const text = this.extractResponseContent(response).toLowerCase();
+        return isTransientErrorPattern(text);
+    }
+    /**
+     * Check if caught exception indicates transient error worth retrying.
+     *
+     * @see https://github.com/triepod-ai/inspector-assessment/issues/157
+     */
+    isTransientErrorFromException(error) {
+        if (error instanceof Error) {
+            const message = error.message.toLowerCase();
+            return isTransientErrorPattern(message);
+        }
+        return false;
+    }
     /**
      * Internal: Check if text indicates connection/server failure
      */

package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts

@@ -96,7 +96,7 @@ export declare const OUTPUT_INJECTION_METADATA: {
  */
 export declare const CONNECTION_ERROR_PATTERNS: {
     /** Unambiguous connection errors */
-    readonly unambiguous: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+    readonly unambiguous: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
     /** Only apply when response starts with MCP error prefix */
     readonly contextual: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
     /** MCP error prefix pattern */
@@ -111,6 +111,28 @@ export declare const ERROR_CLASSIFICATION_PATTERNS: {
     readonly server: RegExp;
     readonly protocol: RegExp;
 };
+/**
+ * Transient error patterns that are worth retrying.
+ * These indicate temporary network/server issues that may resolve.
+ * Used by: isTransientError(), isTransientErrorFromException()
+ *
+ * @see https://github.com/triepod-ai/inspector-assessment/issues/157
+ */
+export declare const TRANSIENT_ERROR_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Permanent error patterns that should NOT be retried.
+ * These indicate issues that will not resolve with retry.
+ * Used by: isTransientError() to short-circuit retry logic
+ *
+ * @see https://github.com/triepod-ai/inspector-assessment/issues/157
+ */
+export declare const PERMANENT_ERROR_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Check if error text indicates a transient error worth retrying.
+ * @param text Error message or response text
+ * @returns true if error is transient and should be retried
+ */
+export declare function isTransientErrorPattern(text: string): boolean;
 /**
  * Status patterns indicating safe response handling
  * Used by: isReflectionResponse()

package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,2GAazB,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,mFAU3B,CAAC;AAEX;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,GACd,OAAO,CAWT;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAE/D;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAE7D;AAMD;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;;;;;GAOG;AACH,eAAO,MAAM,qBAAqB,2KA4BxB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,uDAAuD;;IAOvD,oDAAoD;;CAO5C,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAqBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;EAiCjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,EAAE,oBAAoB,EA0FnE,CAAC;AAEF;;;;;;;;GAQG;AAKH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,IAAM,CAAC;AAMxC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAgCxC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAiB5E;AAED,eAAO,MAAM,2BAA2B,EAAE,oBAAoB,EAuE7D,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;IAClC,iCAAiC;;IAQjC,mDAAmD;;IAInD,gDAAgD;;IAIhD,oCAAoC;;IAEpC,6CAA6C;;CAIrC,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB;IACpC,oDAAoD;;IAOpD,wCAAwC;;CAEhC,CAAC;AAMX;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;EAyB1B,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,kBAAkB,iLAarB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,mBAAmB,yEAOtB,CAAC;AAEX;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzD;AAMD;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE5D;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAKrE"}
+{"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,2GAazB,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,mFAU3B,CAAC;AAEX;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,GACd,OAAO,CAWT;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAE/D;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAE7D;AAMD;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;;;;;GAOG;AACH,eAAO,MAAM,qBAAqB,2KA4BxB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,uDAAuD;;IAOvD,oDAAoD;;CAO5C,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAsBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,mFAU3B,CAAC;AAEX;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,mDAM3B,CAAC;AAEX;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAO7D;AAMD;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;EAiCjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,EAAE,oBAAoB,EA0FnE,CAAC;AAEF;;;;;;;;GAQG;AAKH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,IAAM,CAAC;AAMxC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAgCxC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAiB5E;AAED,eAAO,MAAM,2BAA2B,EAAE,oBAAoB,EAuE7D,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;IAClC,iCAAiC;;IAQjC,mDAAmD;;IAInD,gDAAgD;;IAIhD,oCAAoC;;IAEpC,6CAA6C;;CAIrC,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB;IACpC,oDAAoD;;IAOpD,wCAAwC;;CAEhC,CAAC;AAMX;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;EAyB1B,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,kBAAkB,iLAarB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,mBAAmB,yEAOtB,CAAC;AAEX;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzD;AAMD;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE5D;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAKrE"}

package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js

@@ -244,11 +244,12 @@ export const CONNECTION_ERROR_PATTERNS = {
         /MCP error -32700/i,
         /socket hang up/i,
         /ECONNREFUSED/i,
+        /ECONNRESET/i, // Connection reset by peer (Node.js error code)
         /ETIMEDOUT/i,
         /network error/i,
         /ERR_CONNECTION/i,
         /fetch failed/i,
-        /connection reset/i,
+        /connection reset/i, // TCP reset (generic form)
         /error POSTing to endpoint/i,
         /error GETting.*endpoint/i,
         /service unavailable/i,
@@ -279,6 +280,54 @@ export const ERROR_CLASSIFICATION_PATTERNS = {
     protocol: /-32001/i,
 };
 // =============================================================================
+// TRANSIENT ERROR PATTERNS (Issue #157: Connection retry logic)
+// =============================================================================
+/**
+ * Transient error patterns that are worth retrying.
+ * These indicate temporary network/server issues that may resolve.
+ * Used by: isTransientError(), isTransientErrorFromException()
+ *
+ * @see https://github.com/triepod-ai/inspector-assessment/issues/157
+ */
+export const TRANSIENT_ERROR_PATTERNS = [
+    /ECONNREFUSED/i, // Server temporarily down
+    /ECONNRESET/i, // Connection reset by peer (Node.js error code)
+    /ETIMEDOUT/i, // Network timeout
+    /socket hang up/i, // Connection dropped
+    /fetch failed/i, // Network layer failure
+    /connection reset/i, // TCP reset (generic form)
+    /gateway timeout/i, // Proxy/load balancer timeout
+    /service unavailable/i, // 503 response
+    /ERR_CONNECTION/i, // Browser-style connection errors
+];
+/**
+ * Permanent error patterns that should NOT be retried.
+ * These indicate issues that will not resolve with retry.
+ * Used by: isTransientError() to short-circuit retry logic
+ *
+ * @see https://github.com/triepod-ai/inspector-assessment/issues/157
+ */
+export const PERMANENT_ERROR_PATTERNS = [
+    /unknown tool:/i, // Tool doesn't exist
+    /no such tool/i, // Tool doesn't exist
+    /unauthorized/i, // Auth failure (won't change on retry)
+    /forbidden/i, // Permission denied (won't change on retry)
+    /invalid.*token/i, // Bad credentials
+];
+/**
+ * Check if error text indicates a transient error worth retrying.
+ * @param text Error message or response text
+ * @returns true if error is transient and should be retried
+ */
+export function isTransientErrorPattern(text) {
+    // Check for permanent errors first (never retry these)
+    if (matchesAny(PERMANENT_ERROR_PATTERNS, text)) {
+        return false;
+    }
+    // Check for transient errors
+    return matchesAny(TRANSIENT_ERROR_PATTERNS, text);
+}
+// =============================================================================
 // REFLECTION PATTERNS (safe response detection)
 // =============================================================================
 /**

package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts

@@ -21,6 +21,16 @@ export interface PayloadTestConfig {
     maxParallelTests?: number;
     securityTestTimeout?: number;
     selectedToolsForTesting?: string[];
+    /**
+     * Maximum retry attempts for transient errors (Issue #157)
+     * Uses PerformanceConfig.securityRetryMaxAttempts if not specified
+     */
+    securityRetryMaxAttempts?: number;
+    /**
+     * Initial backoff delay in ms for retries (Issue #157)
+     * Uses PerformanceConfig.securityRetryBackoffMs if not specified
+     */
+    securityRetryBackoffMs?: number;
 }
 /**
  * Logger interface for test execution
@@ -55,6 +65,24 @@ export declare class SecurityPayloadTester {
      * Test tool with a specific payload
      */
     testPayload(tool: Tool, attackName: string, payload: SecurityPayload, callTool: (name: string, params: Record<string, unknown>) => Promise<CompatibilityCallToolResult>): Promise<SecurityTestResult>;
+    /**
+     * Test payload with retry logic for transient errors.
+     * Implements exponential backoff: 100ms → 200ms → 400ms
+     *
+     * Issue #157: Connection retry logic for reliability
+     *
+     * @param tool - Tool to test
+     * @param attackName - Name of attack pattern
+     * @param payload - Security payload to test
+     * @param callTool - Function to call the tool
+     * @returns SecurityTestResult with retry metadata if applicable
+     */
+    testPayloadWithRetry(tool: Tool, attackName: string, payload: SecurityPayload, callTool: (name: string, params: Record<string, unknown>) => Promise<CompatibilityCallToolResult>): Promise<SecurityTestResult>;
+    /**
+     * Add retry metadata to result.
+     * Issue #157: Track retry attempts for reliability metrics
+     */
+    private addRetryMetadata;
     /**
      * Extract error message from caught exception
      */

package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAIjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAOhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAqMhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA6LhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAyR9B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}
+{"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAIjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAQhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAsMhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA8LhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAyR9B;;;;;;;;;;;OAWG;IACG,oBAAoB,CACxB,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAqD9B;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IAqBxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}

package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.js

@@ -11,6 +11,7 @@ import { SecurityResponseAnalyzer } from "./SecurityResponseAnalyzer.js";
 import { SecurityPayloadGenerator } from "./SecurityPayloadGenerator.js";
 import { SanitizationDetector } from "./SanitizationDetector.js";
 import { DEFAULT_PERFORMANCE_CONFIG } from "../../config/performanceConfig.js";
+import { isTransientErrorPattern } from "./SecurityPatternLibrary.js";
 /**
  * Executes security tests with payloads against MCP tools
  */
@@ -117,7 +118,8 @@ export class SecurityPayloadTester {
                     completedTests++;
                     batchCount++;
                     try {
-                        const result = await this.testPayload(tool, attackPattern.attackName, payload, callTool);
+                        // Issue #157: Use retry-enabled wrapper for transient error resilience
+                        const result = await this.testPayloadWithRetry(tool, attackPattern.attackName, payload, callTool);
                         toolResults.push(result);
                         if (result.vulnerable && onProgress) {
                             this.logger.log(`🚨 VULNERABILITY: ${tool.name} - ${attackPattern.attackName} (${payload.payloadType}: ${payload.description})`);
@@ -267,7 +269,8 @@ export class SecurityPayloadTester {
                 completedTests++;
                 batchCount++;
                 try {
-                    const result = await this.testPayload(tool, attackPattern.attackName, payload, callTool);
+                    // Issue #157: Use retry-enabled wrapper for transient error resilience
+                    const result = await this.testPayloadWithRetry(tool, attackPattern.attackName, payload, callTool);
                     results.push(result);
                     toolResults.push(result);
                     if (result.vulnerable && onProgress) {
@@ -507,6 +510,68 @@ export class SecurityPayloadTester {
             };
         }
     }
+    /**
+     * Test payload with retry logic for transient errors.
+     * Implements exponential backoff: 100ms → 200ms → 400ms
+     *
+     * Issue #157: Connection retry logic for reliability
+     *
+     * @param tool - Tool to test
+     * @param attackName - Name of attack pattern
+     * @param payload - Security payload to test
+     * @param callTool - Function to call the tool
+     * @returns SecurityTestResult with retry metadata if applicable
+     */
+    async testPayloadWithRetry(tool, attackName, payload, callTool) {
+        const maxRetries = this.config.securityRetryMaxAttempts ??
+            DEFAULT_PERFORMANCE_CONFIG.securityRetryMaxAttempts;
+        const backoffMs = this.config.securityRetryBackoffMs ??
+            DEFAULT_PERFORMANCE_CONFIG.securityRetryBackoffMs;
+        let lastResult = null;
+        let retryAttempts = 0;
+        for (let attempt = 0; attempt <= maxRetries; attempt++) {
+            const result = await this.testPayload(tool, attackName, payload, callTool);
+            // Check if result indicates transient error worth retrying
+            if (result.connectionError && attempt < maxRetries) {
+                const errorText = (result.response || "").toLowerCase();
+                if (isTransientErrorPattern(errorText)) {
+                    retryAttempts++;
+                    lastResult = result;
+                    this.logger.log(`Transient error on ${tool.name}, retrying (${attempt + 1}/${maxRetries}): ${errorText.slice(0, 100)}`);
+                    // Exponential backoff: 100ms → 200ms → 400ms
+                    await this.sleep(backoffMs * Math.pow(2, attempt));
+                    continue;
+                }
+            }
+            // Success or permanent error - return with retry metadata
+            return this.addRetryMetadata(result, retryAttempts, !result.connectionError);
+        }
+        // All retries exhausted - return last result with failure metadata
+        if (lastResult) {
+            return this.addRetryMetadata(lastResult, retryAttempts, false);
+        }
+        // Should not reach here, but handle gracefully
+        throw new Error(`Unexpected retry loop exit for ${tool.name}`);
+    }
+    /**
+     * Add retry metadata to result.
+     * Issue #157: Track retry attempts for reliability metrics
+     */
+    addRetryMetadata(result, retryAttempts, succeeded) {
+        if (retryAttempts === 0) {
+            // No retries needed - return as-is with completed status
+            return {
+                ...result,
+                testReliability: result.connectionError ? "failed" : "completed",
+            };
+        }
+        return {
+            ...result,
+            retryAttempts,
+            retriedSuccessfully: succeeded,
+            testReliability: succeeded ? "retried" : "failed",
+        };
+    }
     /**
      * Extract error message from caught exception
      */

package/client/lib/services/assessment/modules/temporal/VarianceClassifier.d.ts

@@ -13,6 +13,7 @@ import { MutationDetector } from "./MutationDetector.js";
  */
 export declare class VarianceClassifier {
     private mutationDetector;
+    private externalAPIDetector;
     private readonly DESTRUCTIVE_PATTERNS;
     /**
      * Tool name patterns that are expected to have state-dependent responses.
@@ -79,12 +80,26 @@ export declare class VarianceClassifier {
      * - "recreate_view" does NOT match "create" (must be at word boundary)
      */
     isResourceCreatingTool(tool: Tool): boolean;
+    /**
+     * Issue #166: Check if a tool fetches data from external APIs.
+     * External API tools legitimately return different data each call
+     * due to: live data updates, API errors (500, 429), rate limiting, etc.
+     *
+     * Issue #168: Delegates to shared ExternalAPIDependencyDetector for consistent
+     * detection logic across all assessors.
+     *
+     * Uses BOTH name patterns AND description analysis for detection.
+     */
+    isExternalAPITool(tool: Tool): boolean;
     /**
      * Issue #69: Classify variance between two responses to reduce false positives.
      * Returns LEGITIMATE for expected variance (IDs, timestamps), SUSPICIOUS for
      * schema changes, and BEHAVIORAL for semantic changes (promotional keywords, errors).
+     *
+     * Issue #166: Added optional tool parameter to enable external API handling.
+     * External API tools may have error vs success variance which is LEGITIMATE.
      */
-    classifyVariance(baseline: unknown, current: unknown): VarianceClassification;
+    classifyVariance(baseline: unknown, current: unknown, tool?: Tool): VarianceClassification;
     /**
      * Issue #69: Check if a field name represents legitimate variance.
      * Fields containing IDs, timestamps, tokens, etc. are expected to vary.

package/client/lib/services/assessment/modules/temporal/VarianceClassifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"VarianceClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/temporal/VarianceClassifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD;;;GAGG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,gBAAgB,CAAmB;IAG3C,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAEF;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAqBrC;IAEF;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAYzC;gBAEU,gBAAgB,CAAC,EAAE,gBAAgB;IAI/C;;;;OAIG;IACH,iBAAiB,CAAC,QAAQ,EAAE,OAAO,GAAG,MAAM;IAiF5C;;OAEG;IACH,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAKtC;;;;;;;;OAQG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAenC;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAQ3C;;;;OAIG;IACH,gBAAgB,CACd,QAAQ,EAAE,OAAO,EACjB,OAAO,EAAE,OAAO,GACf,sBAAsB;IAkEzB;;;OAGG;IACH,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAgEjD;;;OAGG;IACH,gBAAgB,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,MAAM,EAAE;IAuDrE;;;;;;OAMG;IACH,cAAc,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,OAAO;IAuB/D;;;OAGG;IACH,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,MAAM,EAAE;CAgCvD"}
+{"version":3,"file":"VarianceClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/temporal/VarianceClassifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAItD;;;GAGG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,gBAAgB,CAAmB;IAE3C,OAAO,CAAC,mBAAmB,CAAgC;IAG3D,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAEF;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAqBrC;IAEF;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAYzC;gBAKU,gBAAgB,CAAC,EAAE,gBAAgB;IAM/C;;;;OAIG;IACH,iBAAiB,CAAC,QAAQ,EAAE,OAAO,GAAG,MAAM;IAiF5C;;OAEG;IACH,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAKtC;;;;;;;;OAQG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAenC;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAQ3C;;;;;;;;;OASG;IACH,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAKtC;;;;;;;OAOG;IACH,gBAAgB,CACd,QAAQ,EAAE,OAAO,EACjB,OAAO,EAAE,OAAO,EAChB,IAAI,CAAC,EAAE,IAAI,GACV,sBAAsB;IAuFzB;;;OAGG;IACH,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAgEjD;;;OAGG;IACH,gBAAgB,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,MAAM,EAAE;IAuDrE;;;;;;OAMG;IACH,cAAc,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,OAAO;IAuB/D;;;OAGG;IACH,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,MAAM,EAAE;CAgCvD"}

package/client/lib/services/assessment/modules/temporal/VarianceClassifier.js

@@ -5,12 +5,16 @@
  * Extracted from TemporalAssessor as part of Issue #106 refactoring.
  */
 import { MutationDetector } from "./MutationDetector.js";
+// Issue #168: Shared external API dependency detector
+import { ExternalAPIDependencyDetector } from "../../helpers/ExternalAPIDependencyDetector.js";
 /**
  * Classifies response variance and categorizes tools by their expected behavior patterns.
  * Used to reduce false positives in temporal assessment by understanding legitimate variance.
  */
 export class VarianceClassifier {
     mutationDetector;
+    // Issue #168: Shared detector for external API pattern matching
+    externalAPIDetector;
     // Patterns that suggest a tool may have side effects
     DESTRUCTIVE_PATTERNS = [
         "create",
@@ -97,8 +101,12 @@ export class VarianceClassifier {
         "init",
         "make",
     ];
+    // Note: External API patterns moved to ExternalAPIDependencyDetector (Issue #168)
+    // The externalAPIDetector field handles all external API detection via shared helper
     constructor(mutationDetector) {
         this.mutationDetector = mutationDetector ?? new MutationDetector();
+        // Issue #168: Initialize shared external API detector
+        this.externalAPIDetector = new ExternalAPIDependencyDetector();
     }
     /**
      * Normalize response for comparison by removing naturally varying data.
@@ -207,12 +215,46 @@ export class VarianceClassifier {
             return wordBoundaryRegex.test(toolName);
         });
     }
+    /**
+     * Issue #166: Check if a tool fetches data from external APIs.
+     * External API tools legitimately return different data each call
+     * due to: live data updates, API errors (500, 429), rate limiting, etc.
+     *
+     * Issue #168: Delegates to shared ExternalAPIDependencyDetector for consistent
+     * detection logic across all assessors.
+     *
+     * Uses BOTH name patterns AND description analysis for detection.
+     */
+    isExternalAPITool(tool) {
+        // Issue #168: Delegate to shared detector for consistent detection
+        return this.externalAPIDetector.isExternalAPITool(tool);
+    }
     /**
      * Issue #69: Classify variance between two responses to reduce false positives.
      * Returns LEGITIMATE for expected variance (IDs, timestamps), SUSPICIOUS for
      * schema changes, and BEHAVIORAL for semantic changes (promotional keywords, errors).
+     *
+     * Issue #166: Added optional tool parameter to enable external API handling.
+     * External API tools may have error vs success variance which is LEGITIMATE.
      */
-    classifyVariance(baseline, current) {
+    classifyVariance(baseline, current, tool) {
+        // Issue #166: Check for isError variance (external API behavior)
+        // If one response is an error and one is success, for stateful/external API tools
+        // this is expected behavior, not a rug pull
+        const baselineIsError = baseline?.isError === true;
+        const currentIsError = current?.isError === true;
+        if (baselineIsError !== currentIsError) {
+            // One is error, one is success - check if this is expected for the tool type
+            if (tool && (this.isStatefulTool(tool) || this.isExternalAPITool(tool))) {
+                return {
+                    type: "LEGITIMATE",
+                    confidence: "medium",
+                    reasons: [
+                        "API error vs success variance (expected for external API/stateful tools)",
+                    ],
+                };
+            }
+        }
         // 1. Schema comparison - structural changes are SUSPICIOUS
         const schemaMatch = this.compareSchemas(baseline, current);
         if (!schemaMatch) {