@bryan-thompson/inspector-assessment 1.36.5 → 1.38.0

package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts

@@ -5,7 +5,7 @@
  * Extracted from SecurityAssessor.ts for maintainability.
  * Handles test execution, batching, and progress tracking.
  */
-import { SecurityTestResult } from "../../../../lib/assessmentTypes.js";
+import { SecurityTestResult, ToolAnnotationsContext } from "../../../../lib/assessmentTypes.js";
 import { ProgressCallback } from "../../../../lib/assessment/progressTypes.js";
 import { CompatibilityCallToolResult, Tool } from "@modelcontextprotocol/sdk/types.js";
 import { SecurityPayload } from "../../../../lib/securityPatterns.js";
@@ -21,6 +21,21 @@ export interface PayloadTestConfig {
     maxParallelTests?: number;
     securityTestTimeout?: number;
     selectedToolsForTesting?: string[];
+    /**
+     * Maximum retry attempts for transient errors (Issue #157)
+     * Uses PerformanceConfig.securityRetryMaxAttempts if not specified
+     */
+    securityRetryMaxAttempts?: number;
+    /**
+     * Initial backoff delay in ms for retries (Issue #157)
+     * Uses PerformanceConfig.securityRetryBackoffMs if not specified
+     */
+    securityRetryBackoffMs?: number;
+    /**
+     * Tool annotations context for severity adjustment (Issue #170)
+     * When provided, enables annotation-aware false positive reduction
+     */
+    toolAnnotationsContext?: ToolAnnotationsContext;
 }
 /**
  * Logger interface for test execution
@@ -41,6 +56,11 @@ export declare class SecurityPayloadTester {
     private sanitizationDetector;
     private testCount;
     constructor(config: PayloadTestConfig, logger: TestLogger, executeWithTimeout: <T>(promise: Promise<T>, timeout: number) => Promise<T>);
+    /**
+     * Set tool annotations context for severity adjustment (Issue #170)
+     * Call before running tests to enable annotation-aware false positive reduction
+     */
+    setToolAnnotationsContext(context: ToolAnnotationsContext | undefined): void;
     /**
      * Run comprehensive security tests (advanced mode)
      * Tests selected tools with ALL 23 security patterns using diverse payloads
@@ -55,6 +75,24 @@ export declare class SecurityPayloadTester {
      * Test tool with a specific payload
      */
     testPayload(tool: Tool, attackName: string, payload: SecurityPayload, callTool: (name: string, params: Record<string, unknown>) => Promise<CompatibilityCallToolResult>): Promise<SecurityTestResult>;
+    /**
+     * Test payload with retry logic for transient errors.
+     * Implements exponential backoff: 100ms → 200ms → 400ms
+     *
+     * Issue #157: Connection retry logic for reliability
+     *
+     * @param tool - Tool to test
+     * @param attackName - Name of attack pattern
+     * @param payload - Security payload to test
+     * @param callTool - Function to call the tool
+     * @returns SecurityTestResult with retry metadata if applicable
+     */
+    testPayloadWithRetry(tool: Tool, attackName: string, payload: SecurityPayload, callTool: (name: string, params: Record<string, unknown>) => Promise<CompatibilityCallToolResult>): Promise<SecurityTestResult>;
+    /**
+     * Add retry metadata to result.
+     * Issue #157: Track retry attempts for reliability metrics
+     */
+    private addRetryMetadata;
     /**
      * Extract error message from caught exception
      */

package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAIjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAOhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAqMhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA6LhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAyR9B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}
+{"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,gBAAgB,EAIjB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAQhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC;;;OAGG;IACH,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;CACjD;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACH,yBAAyB,CAAC,OAAO,EAAE,sBAAsB,GAAG,SAAS,GAAG,IAAI;IAI5E;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAsMhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA8LhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAqT9B;;;;;;;;;;;OAWG;IACG,oBAAoB,CACxB,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAqD9B;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IAqBxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}

package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.js

@@ -5,12 +5,14 @@
  * Extracted from SecurityAssessor.ts for maintainability.
  * Handles test execution, batching, and progress tracking.
  */
+import { adjustSeverityForAnnotations } from "./AnnotationAwareSeverity.js";
 import { getAllAttackPatterns, getPayloadsForAttack, } from "../../../../lib/securityPatterns.js";
 import { createConcurrencyLimit } from "../../lib/concurrencyLimit.js";
 import { SecurityResponseAnalyzer } from "./SecurityResponseAnalyzer.js";
 import { SecurityPayloadGenerator } from "./SecurityPayloadGenerator.js";
 import { SanitizationDetector } from "./SanitizationDetector.js";
 import { DEFAULT_PERFORMANCE_CONFIG } from "../../config/performanceConfig.js";
+import { isTransientErrorPattern } from "./SecurityPatternLibrary.js";
 /**
  * Executes security tests with payloads against MCP tools
  */
@@ -30,6 +32,13 @@ export class SecurityPayloadTester {
         this.payloadGenerator = new SecurityPayloadGenerator();
         this.sanitizationDetector = new SanitizationDetector();
     }
+    /**
+     * Set tool annotations context for severity adjustment (Issue #170)
+     * Call before running tests to enable annotation-aware false positive reduction
+     */
+    setToolAnnotationsContext(context) {
+        this.config.toolAnnotationsContext = context;
+    }
     /**
      * Run comprehensive security tests (advanced mode)
      * Tests selected tools with ALL 23 security patterns using diverse payloads
@@ -117,7 +126,8 @@ export class SecurityPayloadTester {
                     completedTests++;
                     batchCount++;
                     try {
-                        const result = await this.testPayload(tool, attackPattern.attackName, payload, callTool);
+                        // Issue #157: Use retry-enabled wrapper for transient error resilience
+                        const result = await this.testPayloadWithRetry(tool, attackPattern.attackName, payload, callTool);
                         toolResults.push(result);
                         if (result.vulnerable && onProgress) {
                             this.logger.log(`🚨 VULNERABILITY: ${tool.name} - ${attackPattern.attackName} (${payload.payloadType}: ${payload.description})`);
@@ -267,7 +277,8 @@ export class SecurityPayloadTester {
                 completedTests++;
                 batchCount++;
                 try {
-                    const result = await this.testPayload(tool, attackPattern.attackName, payload, callTool);
+                    // Issue #157: Use retry-enabled wrapper for transient error resilience
+                    const result = await this.testPayloadWithRetry(tool, attackPattern.attackName, payload, callTool);
                     results.push(result);
                     toolResults.push(result);
                     if (result.vulnerable && onProgress) {
@@ -450,7 +461,8 @@ export class SecurityPayloadTester {
                     excessivePermissionsEvidence: scopeResult.evidence,
                 };
             }
-            return {
+            // Build result object
+            const result = {
                 testName: attackName,
                 description: payload.description,
                 payload: payload.payload,
@@ -476,6 +488,22 @@ export class SecurityPayloadTester {
                 ...excessivePermissionsFields,
                 ...confidenceResult,
             };
+            // Issue #170: Apply annotation-aware severity adjustment
+            // Reduces false positives for read-only servers
+            if (this.config.toolAnnotationsContext) {
+                const toolAnnotations = this.config.toolAnnotationsContext.toolAnnotations.get(tool.name);
+                const adjustment = adjustSeverityForAnnotations(attackName, result.riskLevel, toolAnnotations, this.config.toolAnnotationsContext.serverIsReadOnly, this.config.toolAnnotationsContext.serverIsClosed);
+                if (adjustment.wasAdjusted) {
+                    result.riskLevel = adjustment.adjustedRiskLevel;
+                    result.annotationAdjustment = {
+                        original: adjustment.originalRiskLevel,
+                        adjusted: adjustment.adjustedRiskLevel,
+                        reason: adjustment.adjustmentReason ||
+                            "Adjusted based on tool annotations",
+                    };
+                }
+            }
+            return result;
         }
         catch (error) {
             // Check if error is a connection/server failure
@@ -507,6 +535,68 @@ export class SecurityPayloadTester {
             };
         }
     }
+    /**
+     * Test payload with retry logic for transient errors.
+     * Implements exponential backoff: 100ms → 200ms → 400ms
+     *
+     * Issue #157: Connection retry logic for reliability
+     *
+     * @param tool - Tool to test
+     * @param attackName - Name of attack pattern
+     * @param payload - Security payload to test
+     * @param callTool - Function to call the tool
+     * @returns SecurityTestResult with retry metadata if applicable
+     */
+    async testPayloadWithRetry(tool, attackName, payload, callTool) {
+        const maxRetries = this.config.securityRetryMaxAttempts ??
+            DEFAULT_PERFORMANCE_CONFIG.securityRetryMaxAttempts;
+        const backoffMs = this.config.securityRetryBackoffMs ??
+            DEFAULT_PERFORMANCE_CONFIG.securityRetryBackoffMs;
+        let lastResult = null;
+        let retryAttempts = 0;
+        for (let attempt = 0; attempt <= maxRetries; attempt++) {
+            const result = await this.testPayload(tool, attackName, payload, callTool);
+            // Check if result indicates transient error worth retrying
+            if (result.connectionError && attempt < maxRetries) {
+                const errorText = (result.response || "").toLowerCase();
+                if (isTransientErrorPattern(errorText)) {
+                    retryAttempts++;
+                    lastResult = result;
+                    this.logger.log(`Transient error on ${tool.name}, retrying (${attempt + 1}/${maxRetries}): ${errorText.slice(0, 100)}`);
+                    // Exponential backoff: 100ms → 200ms → 400ms
+                    await this.sleep(backoffMs * Math.pow(2, attempt));
+                    continue;
+                }
+            }
+            // Success or permanent error - return with retry metadata
+            return this.addRetryMetadata(result, retryAttempts, !result.connectionError);
+        }
+        // All retries exhausted - return last result with failure metadata
+        if (lastResult) {
+            return this.addRetryMetadata(lastResult, retryAttempts, false);
+        }
+        // Should not reach here, but handle gracefully
+        throw new Error(`Unexpected retry loop exit for ${tool.name}`);
+    }
+    /**
+     * Add retry metadata to result.
+     * Issue #157: Track retry attempts for reliability metrics
+     */
+    addRetryMetadata(result, retryAttempts, succeeded) {
+        if (retryAttempts === 0) {
+            // No retries needed - return as-is with completed status
+            return {
+                ...result,
+                testReliability: result.connectionError ? "failed" : "completed",
+            };
+        }
+        return {
+            ...result,
+            retryAttempts,
+            retriedSuccessfully: succeeded,
+            testReliability: succeeded ? "retried" : "failed",
+        };
+    }
     /**
      * Extract error message from caught exception
      */

package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts

@@ -363,7 +363,7 @@ export declare class SecurityResponseAnalyzer {
     isCreationResponse(responseText: string): boolean;
     /**
      * Check for safe error responses that indicate proper input rejection
-     * Handles: MCP validation errors (-32602), HTTP 4xx/5xx errors
+     * Handles: MCP validation errors (-32602), HTTP 4xx/5xx errors, AppleScript syntax errors
      */
     private checkSafeErrorResponses;
     /**

package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAyBxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,kBAAkB,GAAG,mBAAmB,GAAG,SAAS,CAAC;IACjE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,GACX,SAAS,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,kBAAkB,GAClB,mBAAmB,GACnB,YAAY,GACZ,WAAW,GACX,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,WAAW,GACX,aAAa,GACb,iBAAiB,GACjB,eAAe,GACf,UAAU,GACV,eAAe,GACf,UAAU,GACV,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,iBAAiB,GACjB,kBAAkB,GAClB,MAAM,GACN,SAAS,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqCjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAoBnB;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;IAmCvB;;;;;;;;;;OAUG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IAyFxB;;;;;;;;;;;OAWG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IA6FxB;;;;;;;;;;OAUG;IACH,gCAAgC,CAC9B,QAAQ,EAAE,2BAA2B,GACpC,uBAAuB;IAwJ1B;;;;;;;;;;;;;OAaG;IACH,4BAA4B,CAC1B,QAAQ,EAAE,2BAA2B,GACpC,mBAAmB;IAqPtB;;;;;;;;;;;;OAYG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,GACpC,yBAAyB;IA6D5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,kBAAkB,CAAC,QAAQ,EAAE,2BAA2B,GAAG;QACzD,QAAQ,EAAE,OAAO,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAwCD;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAqF7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IA8DlC;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,4BAA4B;IA8CpC;;;;;;;;;OASG;IACH,mCAAmC,CACjC,QAAQ,EAAE,2BAA2B,GACpC,+BAA+B;IA6ElC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAmBjC"}
+{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAyBxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,kBAAkB,GAAG,mBAAmB,GAAG,SAAS,CAAC;IACjE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,GACX,SAAS,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,kBAAkB,GAClB,mBAAmB,GACnB,YAAY,GACZ,WAAW,GACX,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,iBAAiB,EACb,WAAW,GACX,aAAa,GACb,iBAAiB,GACjB,eAAe,GACf,UAAU,GACV,eAAe,GACf,UAAU,GACV,iBAAiB,GACjB,SAAS,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EACT,iBAAiB,GACjB,kBAAkB,GAClB,MAAM,GACN,SAAS,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqCjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAoBnB;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;IAmCvB;;;;;;;;;;OAUG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IAyFxB;;;;;;;;;;;OAWG;IACH,8BAA8B,CAC5B,QAAQ,EAAE,2BAA2B,GACpC,qBAAqB;IA6FxB;;;;;;;;;;OAUG;IACH,gCAAgC,CAC9B,QAAQ,EAAE,2BAA2B,GACpC,uBAAuB;IAwJ1B;;;;;;;;;;;;;OAaG;IACH,4BAA4B,CAC1B,QAAQ,EAAE,2BAA2B,GACpC,mBAAmB;IAqPtB;;;;;;;;;;;;OAYG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,GACpC,yBAAyB;IA6D5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,kBAAkB,CAAC,QAAQ,EAAE,2BAA2B,GAAG;QACzD,QAAQ,EAAE,OAAO,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB;IAwCD;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAoC/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAqF7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IA8DlC;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,4BAA4B;IA8CpC;;;;;;;;;OASG;IACH,mCAAmC,CACjC,QAAQ,EAAE,2BAA2B,GACpC,+BAA+B;IA6ElC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAmBjC"}

package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js

@@ -983,7 +983,7 @@ export class SecurityResponseAnalyzer {
     // ============================================================================
     /**
      * Check for safe error responses that indicate proper input rejection
-     * Handles: MCP validation errors (-32602), HTTP 4xx/5xx errors
+     * Handles: MCP validation errors (-32602), HTTP 4xx/5xx errors, AppleScript syntax errors
      */
     checkSafeErrorResponses(responseText, errorInfo) {
         // MCP validation errors (HIGHEST PRIORITY)
@@ -994,6 +994,15 @@ export class SecurityResponseAnalyzer {
                 evidence: `MCP validation error${errorCode}: Tool properly rejected invalid input before processing`,
             };
         }
+        // Issue #175: AppleScript syntax errors (not XXE)
+        // AppleScript errors can trigger false positives when the XXE payload is echoed
+        // back in the error message, matching patterns like "parameter" + "entity"
+        if (this.safeDetector.isAppleScriptSyntaxError(responseText)) {
+            return {
+                isVulnerable: false,
+                evidence: "AppleScript syntax error - not XXE vulnerability (echoed payload in error message)",
+            };
+        }
         // HTTP error responses (Issue #26)
         if (this.safeDetector.isHttpErrorResponse(responseText)) {
             return {

package/client/lib/services/assessment/modules/securityTests/index.d.ts

@@ -13,4 +13,5 @@ export { SecurityPayloadGenerator } from "./SecurityPayloadGenerator.js";
 export { CrossToolStateTester, type CrossToolTestResult, type ToolPair, type CallToolFunction, type CrossToolTestConfig, } from "./CrossToolStateTester.js";
 export { ChainExecutionTester, type ChainExecutionTestResult, type ChainExploitationSummary, type ChainExecutionTesterConfig, type ChainTestReason, } from "./ChainExecutionTester.js";
 export { TestValidityAnalyzer, type TestValidityConfig, type TestValidityResult, } from "./TestValidityAnalyzer.js";
+export { adjustSeverityForAnnotations, type SeverityAdjustment, } from "./AnnotationAwareSeverity.js";
 //# sourceMappingURL=index.d.ts.map

package/client/lib/services/assessment/modules/securityTests/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,wBAAwB,EACxB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EACvB,KAAK,0BAA0B,GAChC,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,qBAAqB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,UAAU,GAChB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAEtE,OAAO,EACL,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,QAAQ,EACb,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,EAC/B,KAAK,eAAe,GACrB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,GACxB,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,wBAAwB,EACxB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EACvB,KAAK,0BAA0B,GAChC,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,qBAAqB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,UAAU,GAChB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAEtE,OAAO,EACL,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,QAAQ,EACb,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,EAC/B,KAAK,eAAe,GACrB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,GACxB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,4BAA4B,EAC5B,KAAK,kBAAkB,GACxB,MAAM,2BAA2B,CAAC"}

package/client/lib/services/assessment/modules/securityTests/index.js

@@ -13,3 +13,4 @@ export { SecurityPayloadGenerator } from "./SecurityPayloadGenerator.js";
 export { CrossToolStateTester, } from "./CrossToolStateTester.js";
 export { ChainExecutionTester, } from "./ChainExecutionTester.js";
 export { TestValidityAnalyzer, } from "./TestValidityAnalyzer.js";
+export { adjustSeverityForAnnotations, } from "./AnnotationAwareSeverity.js";

package/client/lib/services/assessment/modules/temporal/VarianceClassifier.d.ts

@@ -13,6 +13,7 @@ import { MutationDetector } from "./MutationDetector.js";
  */
 export declare class VarianceClassifier {
     private mutationDetector;
+    private externalAPIDetector;
     private readonly DESTRUCTIVE_PATTERNS;
     /**
      * Tool name patterns that are expected to have state-dependent responses.
@@ -79,12 +80,26 @@ export declare class VarianceClassifier {
      * - "recreate_view" does NOT match "create" (must be at word boundary)
      */
     isResourceCreatingTool(tool: Tool): boolean;
+    /**
+     * Issue #166: Check if a tool fetches data from external APIs.
+     * External API tools legitimately return different data each call
+     * due to: live data updates, API errors (500, 429), rate limiting, etc.
+     *
+     * Issue #168: Delegates to shared ExternalAPIDependencyDetector for consistent
+     * detection logic across all assessors.
+     *
+     * Uses BOTH name patterns AND description analysis for detection.
+     */
+    isExternalAPITool(tool: Tool): boolean;
     /**
      * Issue #69: Classify variance between two responses to reduce false positives.
      * Returns LEGITIMATE for expected variance (IDs, timestamps), SUSPICIOUS for
      * schema changes, and BEHAVIORAL for semantic changes (promotional keywords, errors).
+     *
+     * Issue #166: Added optional tool parameter to enable external API handling.
+     * External API tools may have error vs success variance which is LEGITIMATE.
      */
-    classifyVariance(baseline: unknown, current: unknown): VarianceClassification;
+    classifyVariance(baseline: unknown, current: unknown, tool?: Tool): VarianceClassification;
     /**
      * Issue #69: Check if a field name represents legitimate variance.
      * Fields containing IDs, timestamps, tokens, etc. are expected to vary.

package/client/lib/services/assessment/modules/temporal/VarianceClassifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"VarianceClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/temporal/VarianceClassifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD;;;GAGG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,gBAAgB,CAAmB;IAG3C,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAEF;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAqBrC;IAEF;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAYzC;gBAEU,gBAAgB,CAAC,EAAE,gBAAgB;IAI/C;;;;OAIG;IACH,iBAAiB,CAAC,QAAQ,EAAE,OAAO,GAAG,MAAM;IAiF5C;;OAEG;IACH,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAKtC;;;;;;;;OAQG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAenC;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAQ3C;;;;OAIG;IACH,gBAAgB,CACd,QAAQ,EAAE,OAAO,EACjB,OAAO,EAAE,OAAO,GACf,sBAAsB;IAkEzB;;;OAGG;IACH,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAgEjD;;;OAGG;IACH,gBAAgB,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,MAAM,EAAE;IAuDrE;;;;;;OAMG;IACH,cAAc,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,OAAO;IAuB/D;;;OAGG;IACH,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,MAAM,EAAE;CAgCvD"}
+{"version":3,"file":"VarianceClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/temporal/VarianceClassifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAItD;;;GAGG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,gBAAgB,CAAmB;IAE3C,OAAO,CAAC,mBAAmB,CAAgC;IAG3D,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAoBnC;IAEF;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAqBrC;IAEF;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAYzC;gBAKU,gBAAgB,CAAC,EAAE,gBAAgB;IAM/C;;;;OAIG;IACH,iBAAiB,CAAC,QAAQ,EAAE,OAAO,GAAG,MAAM;IAiF5C;;OAEG;IACH,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAKtC;;;;;;;;OAQG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAenC;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAQ3C;;;;;;;;;OASG;IACH,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAKtC;;;;;;;OAOG;IACH,gBAAgB,CACd,QAAQ,EAAE,OAAO,EACjB,OAAO,EAAE,OAAO,EAChB,IAAI,CAAC,EAAE,IAAI,GACV,sBAAsB;IAuFzB;;;OAGG;IACH,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAgEjD;;;OAGG;IACH,gBAAgB,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,MAAM,EAAE;IAuDrE;;;;;;OAMG;IACH,cAAc,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,OAAO;IAuB/D;;;OAGG;IACH,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,SAAK,GAAG,MAAM,EAAE;CAgCvD"}

package/client/lib/services/assessment/modules/temporal/VarianceClassifier.js

@@ -5,12 +5,16 @@
  * Extracted from TemporalAssessor as part of Issue #106 refactoring.
  */
 import { MutationDetector } from "./MutationDetector.js";
+// Issue #168: Shared external API dependency detector
+import { ExternalAPIDependencyDetector } from "../../helpers/ExternalAPIDependencyDetector.js";
 /**
  * Classifies response variance and categorizes tools by their expected behavior patterns.
  * Used to reduce false positives in temporal assessment by understanding legitimate variance.
  */
 export class VarianceClassifier {
     mutationDetector;
+    // Issue #168: Shared detector for external API pattern matching
+    externalAPIDetector;
     // Patterns that suggest a tool may have side effects
     DESTRUCTIVE_PATTERNS = [
         "create",
@@ -97,8 +101,12 @@ export class VarianceClassifier {
         "init",
         "make",
     ];
+    // Note: External API patterns moved to ExternalAPIDependencyDetector (Issue #168)
+    // The externalAPIDetector field handles all external API detection via shared helper
     constructor(mutationDetector) {
         this.mutationDetector = mutationDetector ?? new MutationDetector();
+        // Issue #168: Initialize shared external API detector
+        this.externalAPIDetector = new ExternalAPIDependencyDetector();
     }
     /**
      * Normalize response for comparison by removing naturally varying data.
@@ -207,12 +215,46 @@ export class VarianceClassifier {
             return wordBoundaryRegex.test(toolName);
         });
     }
+    /**
+     * Issue #166: Check if a tool fetches data from external APIs.
+     * External API tools legitimately return different data each call
+     * due to: live data updates, API errors (500, 429), rate limiting, etc.
+     *
+     * Issue #168: Delegates to shared ExternalAPIDependencyDetector for consistent
+     * detection logic across all assessors.
+     *
+     * Uses BOTH name patterns AND description analysis for detection.
+     */
+    isExternalAPITool(tool) {
+        // Issue #168: Delegate to shared detector for consistent detection
+        return this.externalAPIDetector.isExternalAPITool(tool);
+    }
     /**
      * Issue #69: Classify variance between two responses to reduce false positives.
      * Returns LEGITIMATE for expected variance (IDs, timestamps), SUSPICIOUS for
      * schema changes, and BEHAVIORAL for semantic changes (promotional keywords, errors).
+     *
+     * Issue #166: Added optional tool parameter to enable external API handling.
+     * External API tools may have error vs success variance which is LEGITIMATE.
      */
-    classifyVariance(baseline, current) {
+    classifyVariance(baseline, current, tool) {
+        // Issue #166: Check for isError variance (external API behavior)
+        // If one response is an error and one is success, for stateful/external API tools
+        // this is expected behavior, not a rug pull
+        const baselineIsError = baseline?.isError === true;
+        const currentIsError = current?.isError === true;
+        if (baselineIsError !== currentIsError) {
+            // One is error, one is success - check if this is expected for the tool type
+            if (tool && (this.isStatefulTool(tool) || this.isExternalAPITool(tool))) {
+                return {
+                    type: "LEGITIMATE",
+                    confidence: "medium",
+                    reasons: [
+                        "API error vs success variance (expected for external API/stateful tools)",
+                    ],
+                };
+            }
+        }
         // 1. Schema comparison - structural changes are SUSPICIOUS
         const schemaMatch = this.compareSchemas(baseline, current);
         if (!schemaMatch) {

package/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.36.5",
+  "version": "1.38.0",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment",
-  "version": "1.36.5",
+  "version": "1.38.0",
   "description": "Enhanced MCP Inspector with comprehensive assessment capabilities for server validation",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-server",
-  "version": "1.36.5",
+  "version": "1.38.0",
   "description": "Server-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",