@bryan-thompson/inspector-assessment 1.37.0 → 1.38.0

package/client/lib/services/assessment/AssessmentOrchestrator.d.ts

@@ -5,10 +5,11 @@
  * @public
  * @module AssessmentOrchestrator
  */
-import { MCPDirectoryAssessment, AssessmentConfiguration, ManifestJsonSchema, ProgressCallback, ServerInfo, PackageJson } from "../../lib/assessmentTypes.js";
+import { MCPDirectoryAssessment, AssessmentConfiguration, ManifestJsonSchema, ProgressCallback, ServerInfo, PackageJson, ToolAnnotationsContext } from "../../lib/assessmentTypes.js";
 import { Tool, CompatibilityCallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { ClaudeCodeBridge, ClaudeCodeBridgeConfig } from "./lib/claudeCodeBridge.js";
 import { ExternalAPIDependencyInfo } from "./helpers/ExternalAPIDependencyDetector.js";
+import { TransportDetectionResult } from "./helpers/StdioTransportDetector.js";
 /**
  * MCP Resource interface for assessment context
  * @public
@@ -98,6 +99,8 @@ export interface AssessmentContext {
     };
     listTools?: () => Promise<Tool[]>;
     externalAPIDependencies?: ExternalAPIDependencyInfo;
+    transportDetection?: TransportDetectionResult;
+    toolAnnotationsContext?: ToolAnnotationsContext;
 }
 /**
  * Main orchestrator class for running MCP server assessments

package/client/lib/services/assessment/AssessmentOrchestrator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AssessmentOrchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/AssessmentOrchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EAEvB,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACV,WAAW,EACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,IAAI,EACJ,2BAA2B,EAC5B,MAAM,oCAAoC,CAAC;AAK5C,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EAEvB,MAAM,wBAAwB,CAAC;AAchC,OAAO,EAAE,yBAAyB,EAAE,MAAM,yCAAyC,CAAC;AAWpF;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAClC,SAAS,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,OAAO,CAAC;QAAC,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3D,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,uBAAuB,CAAC;IAChC,UAAU,CAAC,EAAE,UAAU,CAAC;IAIxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAGtC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IAIrB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAG9B,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC1C,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;IACtB,kBAAkB,CAAC,EAAE,qBAAqB,CAAC;IAG3C,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD,SAAS,CAAC,EAAE,CACV,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACzB,OAAO,CAAC;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IAGrE,eAAe,CAAC,EAAE;QAChB,IAAI,EAAE,OAAO,GAAG,KAAK,GAAG,iBAAiB,CAAC;QAC1C,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,CAAC;IAIF,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAKlC,uBAAuB,CAAC,EAAE,yBAAyB,CAAC;CACrD;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,SAAS,CAAa;IAC9B,OAAO,CAAC,aAAa,CAAa;IAGlC,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,aAAa,CAAkB;IAIvC,OAAO,CAAC,QAAQ,CAAmB;gBAEvB,MAAM,GAAE,OAAO,CAAC,uBAAuB,CAAM;IAiDzD;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAe9B;;;;OAIG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAgBhE;;;OAGG;IACH,eAAe,IAAI,OAAO;IAI1B;;;OAGG;IACH,eAAe,IAAI,gBAAgB,GAAG,SAAS;IAI/C;;;OAGG;IACG,iBAAiB,CACrB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,sBAAsB,CAAC;IAiHlC;;;;OAIG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,UAAU,EACvB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,WAAW,GACxB,OAAO,CAAC,sBAAsB,CAAC;IAclC,OAAO,CAAC,qBAAqB;IAO7B;;;OAGG;IACH,SAAS,IAAI,uBAAuB;IAIpC;;;OAGG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI;CAG7D"}
+{"version":3,"file":"AssessmentOrchestrator.d.ts","sourceRoot":"","sources":["../../../src/services/assessment/AssessmentOrchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EAEvB,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACV,WAAW,EACX,sBAAsB,EACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,IAAI,EACJ,2BAA2B,EAC5B,MAAM,oCAAoC,CAAC;AAK5C,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EAEvB,MAAM,wBAAwB,CAAC;AAchC,OAAO,EAAE,yBAAyB,EAAE,MAAM,yCAAyC,CAAC;AAGpF,OAAO,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAC;AAW5E;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAClC,SAAS,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,OAAO,CAAC;QAAC,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAC3D,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,uBAAuB,CAAC;IAChC,UAAU,CAAC,EAAE,UAAU,CAAC;IAIxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAGtC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IAIrB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAG9B,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC;IAC1B,iBAAiB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC1C,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;IACtB,kBAAkB,CAAC,EAAE,qBAAqB,CAAC;IAG3C,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD,SAAS,CAAC,EAAE,CACV,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACzB,OAAO,CAAC;QAAE,QAAQ,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IAGrE,eAAe,CAAC,EAAE;QAChB,IAAI,EAAE,OAAO,GAAG,KAAK,GAAG,iBAAiB,CAAC;QAC1C,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,CAAC;IAIF,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAKlC,uBAAuB,CAAC,EAAE,yBAAyB,CAAC;IAKpD,kBAAkB,CAAC,EAAE,wBAAwB,CAAC;IAK9C,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;CACjD;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,SAAS,CAAa;IAC9B,OAAO,CAAC,aAAa,CAAa;IAGlC,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,aAAa,CAAkB;IAIvC,OAAO,CAAC,QAAQ,CAAmB;gBAEvB,MAAM,GAAE,OAAO,CAAC,uBAAuB,CAAM;IAiDzD;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAe9B;;;;OAIG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAgBhE;;;OAGG;IACH,eAAe,IAAI,OAAO;IAI1B;;;OAGG;IACH,eAAe,IAAI,gBAAgB,GAAG,SAAS;IAI/C;;;OAGG;IACG,iBAAiB,CACrB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,sBAAsB,CAAC;IAiHlC;;;;OAIG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,UAAU,EACvB,aAAa,CAAC,EAAE,MAAM,EACtB,WAAW,CAAC,EAAE,WAAW,GACxB,OAAO,CAAC,sBAAsB,CAAC;IAclC,OAAO,CAAC,qBAAqB;IAO7B;;;OAGG;IACH,SAAS,IAAI,uBAAuB;IAIpC;;;OAGG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,uBAAuB,CAAC,GAAG,IAAI;CAG7D"}

package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.d.ts

@@ -1,17 +1,32 @@
 /**
  * External API Dependency Detector
  *
- * Identifies tools that depend on external APIs based on name and description patterns.
+ * Identifies tools that depend on external APIs based on:
+ * 1. Tool name and description patterns (fast, always available)
+ * 2. Source code scanning for API calls (more accurate, when source available)
+ *
  * This information enables downstream assessors to adjust their behavior:
  * - TemporalAssessor: Relaxed variance thresholds for external API tools
  * - FunctionalityAssessor: Accept API errors as valid responses
  * - ErrorHandlingAssessor: Account for external service failures
  *
- * Issue #168: New module for external API dependency detection
+ * Issue #168: Enhanced with source code scanning support
  *
  * @module helpers/ExternalAPIDependencyDetector
  */
 import { Tool } from "@modelcontextprotocol/sdk/types.js";
+/**
+ * Implications of external API dependencies for downstream assessors
+ * @public
+ */
+export interface ExternalAPIImplications {
+    /** Expected temporal variance behavior */
+    temporalVariance: string;
+    /** Dependency on external service availability */
+    availabilityDependency: string;
+    /** Potential rate limiting from external services */
+    rateLimitingRisk?: string;
+}
 /**
  * External API dependency detection results
  * @public
@@ -25,6 +40,12 @@ export interface ExternalAPIDependencyInfo {
     confidence: "high" | "medium" | "low";
     /** List of detected tool names (for serialization) */
     detectedTools: string[];
+    /** Extracted domains from source code scanning (e.g., ["api.worldbank.org"]) */
+    domains?: string[];
+    /** Whether source code was available and scanned */
+    sourceCodeScanned?: boolean;
+    /** Implications for downstream assessors when external APIs are detected */
+    implications?: ExternalAPIImplications;
 }
 /**
  * Detects external API dependencies in MCP tools based on name and description patterns.
@@ -46,12 +67,82 @@ export declare class ExternalAPIDependencyDetector {
      */
     private readonly EXTERNAL_API_DESCRIPTION_PATTERNS;
     /**
-     * Detect external API dependencies from a list of tools.
+     * Source code patterns that indicate external API calls.
+     * Each pattern captures the URL in group 1.
+     *
+     * Issue #168: Patterns from proposal for source code scanning
+     */
+    private readonly SOURCE_CODE_API_PATTERNS;
+    /**
+     * URL patterns to skip (localhost, local networks, documentation)
+     */
+    private readonly LOCALHOST_PATTERNS;
+    /**
+     * File patterns to skip during source code scanning
+     */
+    private readonly SKIP_FILE_PATTERNS;
+    /**
+     * Detect external API dependencies from tools and optionally source code.
+     *
+     * Detection strategy:
+     * 1. Always analyze tool names and descriptions (fast, no source needed)
+     * 2. If sourceCodeFiles provided, scan for actual API calls (more accurate)
+     * 3. Combine results and compute confidence
      *
      * @param tools - List of MCP tools to analyze
-     * @returns Detection results with tool names and confidence
+     * @param sourceCodeFiles - Optional map of file paths to content for source scanning
+     * @returns Detection results with tool names, domains, and implications
+     */
+    detect(tools: Tool[], sourceCodeFiles?: Map<string, string>): ExternalAPIDependencyInfo;
+    /** Maximum content length per file (500KB) - prevents ReDoS attacks */
+    private readonly MAX_CONTENT_LENGTH;
+    /** Maximum matches per file - prevents runaway matching */
+    private readonly MAX_MATCHES_PER_FILE;
+    /**
+     * Scan source code files for external API URLs.
+     * Returns unique external domains found in the code.
+     *
+     * @param sourceCodeFiles - Map of file paths to content
+     * @returns Array of unique external domain names
+     */
+    scanSourceCode(sourceCodeFiles: Map<string, string>): string[];
+    /**
+     * Extract the hostname from a URL string.
+     *
+     * @param url - URL string (may be partial)
+     * @returns Hostname or null if extraction fails
+     */
+    private extractDomain;
+    /**
+     * Check if a URL points to localhost or local network.
+     *
+     * @param url - URL string to check
+     * @returns true if URL is local
+     */
+    private isLocalhost;
+    /**
+     * Check if a file should be skipped during source scanning.
+     *
+     * @param filePath - Path to check
+     * @returns true if file should be skipped
+     */
+    private shouldSkipFile;
+    /**
+     * Compute detection confidence based on both methods.
+     * Source code confirmation boosts confidence.
+     *
+     * @param toolCount - Number of tools detected via name/description
+     * @param domains - Domains found in source code
+     * @returns Confidence level
+     */
+    private computeConfidence;
+    /**
+     * Generate implications for downstream assessors.
+     *
+     * @param domains - External domains found
+     * @returns Implications object
      */
-    detect(tools: Tool[]): ExternalAPIDependencyInfo;
+    private generateImplications;
     /**
      * Check if a single tool depends on external APIs.
      * Uses BOTH name patterns AND description analysis for detection.

package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ExternalAPIDependencyDetector.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/helpers/ExternalAPIDependencyDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE1D;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,qDAAqD;IACrD,8BAA8B,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5C,8DAA8D;IAC9D,aAAa,EAAE,MAAM,CAAC;IACtB,qDAAqD;IACrD,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,sDAAsD;IACtD,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;;;;GAKG;AACH,qBAAa,6BAA6B;IACxC;;;;;OAKG;IACH,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAuBpC;IAEF;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,iCAAiC,CAQhD;IAEF;;;;;OAKG;IACH,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,yBAAyB;IA8BhD;;;;;;OAMG;IACH,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAmBtC;;;OAGG;IACH,eAAe,IAAI,SAAS,MAAM,EAAE;IAIpC;;;OAGG;IACH,sBAAsB,IAAI,SAAS,MAAM,EAAE;CAG5C"}
+{"version":3,"file":"ExternalAPIDependencyDetector.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/helpers/ExternalAPIDependencyDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE1D;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC,0CAA0C;IAC1C,gBAAgB,EAAE,MAAM,CAAC;IACzB,kDAAkD;IAClD,sBAAsB,EAAE,MAAM,CAAC;IAC/B,qDAAqD;IACrD,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,qDAAqD;IACrD,8BAA8B,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5C,8DAA8D;IAC9D,aAAa,EAAE,MAAM,CAAC;IACtB,qDAAqD;IACrD,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,sDAAsD;IACtD,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,4EAA4E;IAC5E,YAAY,CAAC,EAAE,uBAAuB,CAAC;CACxC;AAED;;;;;GAKG;AACH,qBAAa,6BAA6B;IACxC;;;;;OAKG;IACH,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAuBpC;IAEF;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,iCAAiC,CAQhD;IAEF;;;;;OAKG;IACH,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAevC;IAEF;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAUjC;IAEF;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAajC;IAEF;;;;;;;;;;;OAWG;IACH,MAAM,CACJ,KAAK,EAAE,IAAI,EAAE,EACb,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACpC,yBAAyB;IA0C5B,uEAAuE;IACvE,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAW;IAE9C,2DAA2D;IAC3D,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAO;IAE5C;;;;;;OAMG;IACH,cAAc,CAAC,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,EAAE;IAoC9D;;;;;OAKG;IACH,OAAO,CAAC,aAAa;IAUrB;;;;;OAKG;IACH,OAAO,CAAC,WAAW;IAInB;;;;;OAKG;IACH,OAAO,CAAC,cAAc;IAItB;;;;;;;OAOG;IACH,OAAO,CAAC,iBAAiB;IAyBzB;;;;;OAKG;IACH,OAAO,CAAC,oBAAoB;IAc5B;;;;;;OAMG;IACH,iBAAiB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO;IAmBtC;;;OAGG;IACH,eAAe,IAAI,SAAS,MAAM,EAAE;IAIpC;;;OAGG;IACH,sBAAsB,IAAI,SAAS,MAAM,EAAE;CAG5C"}

package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.js

@@ -1,13 +1,16 @@
 /**
  * External API Dependency Detector
  *
- * Identifies tools that depend on external APIs based on name and description patterns.
+ * Identifies tools that depend on external APIs based on:
+ * 1. Tool name and description patterns (fast, always available)
+ * 2. Source code scanning for API calls (more accurate, when source available)
+ *
  * This information enables downstream assessors to adjust their behavior:
  * - TemporalAssessor: Relaxed variance thresholds for external API tools
  * - FunctionalityAssessor: Accept API errors as valid responses
  * - ErrorHandlingAssessor: Account for external service failures
  *
- * Issue #168: New module for external API dependency detection
+ * Issue #168: Enhanced with source code scanning support
  *
  * @module helpers/ExternalAPIDependencyDetector
  */
@@ -62,12 +65,72 @@ export class ExternalAPIDependencyDetector {
         /third[- ]?party\s*(api|service)/i,
     ];
     /**
-     * Detect external API dependencies from a list of tools.
+     * Source code patterns that indicate external API calls.
+     * Each pattern captures the URL in group 1.
+     *
+     * Issue #168: Patterns from proposal for source code scanning
+     */
+    SOURCE_CODE_API_PATTERNS = [
+        // fetch() calls - JavaScript/TypeScript
+        /fetch\s*\(\s*['"`](https?:\/\/[^'"`\s]+)/gi,
+        // axios HTTP client calls
+        /axios\s*\.\s*(?:get|post|put|patch|delete|request)\s*\(\s*['"`](https?:\/\/[^'"`\s]+)/gi,
+        // URL construction
+        /new\s+URL\s*\(\s*['"`](https?:\/\/[^'"`\s]+)/gi,
+        // Common API base URL constants
+        /(?:API_BASE_URL|BASE_URL|API_URL|ENDPOINT)\s*=\s*['"`](https?:\/\/[^'"`\s]+)/gi,
+        // Generic HTTP client .get/.post calls
+        /\.\s*(?:get|post)\s*\(\s*['"`](https?:\/\/[^'"`\s]+)/gi,
+        // Python requests library
+        /requests\s*\.\s*(?:get|post|put|patch|delete)\s*\(\s*['"`](https?:\/\/[^'"`\s]+)/gi,
+        // Python httpx library
+        /httpx\s*\.\s*(?:get|post|put|patch|delete)\s*\(\s*['"`](https?:\/\/[^'"`\s]+)/gi,
+    ];
+    /**
+     * URL patterns to skip (localhost, local networks, documentation)
+     */
+    LOCALHOST_PATTERNS = [
+        /localhost/i,
+        /127\.0\.0\.1/,
+        /0\.0\.0\.0/,
+        /192\.168\./,
+        /10\.\d+\./,
+        /172\.(?:1[6-9]|2[0-9]|3[01])\./,
+        /\.local\b/i,
+        /example\.com/i,
+        /test\.com/i,
+    ];
+    /**
+     * File patterns to skip during source code scanning
+     */
+    SKIP_FILE_PATTERNS = [
+        /node_modules/i,
+        /\.test\.(ts|js|tsx|jsx)$/i,
+        /\.spec\.(ts|js|tsx|jsx)$/i,
+        /\.d\.ts$/i,
+        /package-lock\.json$/i,
+        /yarn\.lock$/i,
+        /\.map$/i,
+        /\.git\//i,
+        /dist\//i,
+        /build\//i,
+        /__tests__\//i,
+        /__mocks__\//i,
+    ];
+    /**
+     * Detect external API dependencies from tools and optionally source code.
+     *
+     * Detection strategy:
+     * 1. Always analyze tool names and descriptions (fast, no source needed)
+     * 2. If sourceCodeFiles provided, scan for actual API calls (more accurate)
+     * 3. Combine results and compute confidence
      *
      * @param tools - List of MCP tools to analyze
-     * @returns Detection results with tool names and confidence
+     * @param sourceCodeFiles - Optional map of file paths to content for source scanning
+     * @returns Detection results with tool names, domains, and implications
      */
-    detect(tools) {
+    detect(tools, sourceCodeFiles) {
+        // Phase 1: Name/description pattern matching (always runs)
         const toolsWithExternalAPI = new Set();
         for (const tool of tools) {
             if (this.isExternalAPITool(tool)) {
@@ -75,23 +138,146 @@ export class ExternalAPIDependencyDetector {
             }
         }
         const detectedCount = toolsWithExternalAPI.size;
-        // Determine confidence based on detection count
-        // More detections = higher confidence in pattern accuracy
-        let confidence;
-        if (detectedCount === 0) {
-            confidence = "low";
-        }
-        else if (detectedCount >= 3) {
-            confidence = "high";
-        }
-        else {
-            confidence = "medium";
+        // Phase 2: Source code scanning (when available)
+        let domains;
+        let sourceCodeScanned = false;
+        if (sourceCodeFiles && sourceCodeFiles.size > 0) {
+            sourceCodeScanned = true;
+            domains = this.scanSourceCode(sourceCodeFiles);
         }
+        // Compute confidence based on both detection methods
+        const confidence = this.computeConfidence(detectedCount, domains);
+        // Generate implications if any external APIs were detected
+        const hasExternalDependencies = detectedCount > 0 || (domains && domains.length > 0);
+        const implications = hasExternalDependencies
+            ? this.generateImplications(domains)
+            : undefined;
         return {
             toolsWithExternalAPIDependency: toolsWithExternalAPI,
             detectedCount,
             confidence,
             detectedTools: Array.from(toolsWithExternalAPI),
+            domains,
+            sourceCodeScanned,
+            implications,
+        };
+    }
+    /** Maximum content length per file (500KB) - prevents ReDoS attacks */
+    MAX_CONTENT_LENGTH = 500_000;
+    /** Maximum matches per file - prevents runaway matching */
+    MAX_MATCHES_PER_FILE = 100;
+    /**
+     * Scan source code files for external API URLs.
+     * Returns unique external domains found in the code.
+     *
+     * @param sourceCodeFiles - Map of file paths to content
+     * @returns Array of unique external domain names
+     */
+    scanSourceCode(sourceCodeFiles) {
+        const domains = new Set();
+        sourceCodeFiles.forEach((content, filePath) => {
+            // Skip test files, node_modules, etc.
+            if (this.shouldSkipFile(filePath))
+                return;
+            // Skip oversized files to prevent ReDoS
+            if (content.length > this.MAX_CONTENT_LENGTH)
+                return;
+            // Try each API call pattern using matchAll (thread-safe, no lastIndex issues)
+            for (const pattern of this.SOURCE_CODE_API_PATTERNS) {
+                // Use Array.from for compatibility with older TS targets
+                const matches = Array.from(content.matchAll(pattern));
+                let matchCount = 0;
+                for (const match of matches) {
+                    if (matchCount >= this.MAX_MATCHES_PER_FILE)
+                        break;
+                    matchCount++;
+                    const url = match[1];
+                    // Skip localhost and local network URLs
+                    if (this.isLocalhost(url))
+                        continue;
+                    // Extract domain from URL
+                    const domain = this.extractDomain(url);
+                    if (domain) {
+                        domains.add(domain);
+                    }
+                }
+            }
+        });
+        return Array.from(domains);
+    }
+    /**
+     * Extract the hostname from a URL string.
+     *
+     * @param url - URL string (may be partial)
+     * @returns Hostname or null if extraction fails
+     */
+    extractDomain(url) {
+        try {
+            // Handle URLs that may not have protocol
+            const fullUrl = url.startsWith("http") ? url : `https://${url}`;
+            return new URL(fullUrl).hostname;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Check if a URL points to localhost or local network.
+     *
+     * @param url - URL string to check
+     * @returns true if URL is local
+     */
+    isLocalhost(url) {
+        return this.LOCALHOST_PATTERNS.some((pattern) => pattern.test(url));
+    }
+    /**
+     * Check if a file should be skipped during source scanning.
+     *
+     * @param filePath - Path to check
+     * @returns true if file should be skipped
+     */
+    shouldSkipFile(filePath) {
+        return this.SKIP_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
+    }
+    /**
+     * Compute detection confidence based on both methods.
+     * Source code confirmation boosts confidence.
+     *
+     * @param toolCount - Number of tools detected via name/description
+     * @param domains - Domains found in source code
+     * @returns Confidence level
+     */
+    computeConfidence(toolCount, domains) {
+        const domainCount = domains?.length ?? 0;
+        // Both methods agree = high confidence
+        if (toolCount > 0 && domainCount > 0) {
+            return "high";
+        }
+        // Either method found multiple = high confidence
+        if (toolCount >= 3 || domainCount >= 3) {
+            return "high";
+        }
+        // Either method found something = medium confidence
+        if (toolCount > 0 || domainCount > 0) {
+            return "medium";
+        }
+        // Nothing found = low confidence (no external APIs)
+        return "low";
+    }
+    /**
+     * Generate implications for downstream assessors.
+     *
+     * @param domains - External domains found
+     * @returns Implications object
+     */
+    generateImplications(domains) {
+        const domainList = domains && domains.length > 0 ? domains.join(", ") : "external services";
+        return {
+            temporalVariance: "Expected - external data changes between invocations",
+            availabilityDependency: `Server depends on ${domainList} uptime`,
+            rateLimitingRisk: domains && domains.length > 0
+                ? `May encounter rate limits from ${domainList}`
+                : undefined,
         };
     }
     /**

package/client/lib/services/assessment/helpers/StdioTransportDetector.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Stdio Transport Detector
+ *
+ * Identifies stdio transport support from multiple sources:
+ * 1. server.json manifest (packages[0].transport.type)
+ * 2. package.json bin entries (indicates CLI/stdio)
+ * 3. Source code scanning for transport patterns
+ * 4. Runtime transport configuration
+ *
+ * This fixes Issue #172: C6/F6 incorrectly fails for valid stdio servers
+ * because transport detection previously relied solely on serverInfo metadata.
+ *
+ * @module helpers/StdioTransportDetector
+ */
+import type { TransportMode } from "../config/architecturePatterns.js";
+/**
+ * Evidence source for transport detection
+ */
+export type TransportEvidenceSource = "server.json" | "package.json" | "source-code" | "runtime-config";
+/**
+ * Individual piece of transport detection evidence
+ */
+export interface TransportEvidence {
+    /** Source of the evidence */
+    source: TransportEvidenceSource;
+    /** Transport type detected */
+    transport: TransportMode;
+    /** Confidence level for this evidence */
+    confidence: "high" | "medium" | "low";
+    /** Human-readable detail about the detection */
+    detail: string;
+}
+/**
+ * Transport detection results
+ */
+export interface TransportDetectionResult {
+    /** Set of detected transport modes */
+    detectedTransports: Set<TransportMode>;
+    /** Overall detection confidence */
+    confidence: "high" | "medium" | "low";
+    /** All evidence collected during detection */
+    evidence: TransportEvidence[];
+    /** Whether stdio transport is supported */
+    supportsStdio: boolean;
+    /** Whether HTTP transport is supported */
+    supportsHTTP: boolean;
+    /** Whether SSE transport is supported */
+    supportsSSE: boolean;
+    /** Whether source code was scanned */
+    sourceCodeScanned: boolean;
+}
+/**
+ * server.json structure (partial - transport fields only)
+ */
+export interface ServerJsonTransport {
+    packages?: Array<{
+        transport?: {
+            type?: string;
+        };
+    }>;
+}
+/**
+ * package.json structure (partial - bin field only)
+ */
+export interface PackageJsonBin {
+    bin?: Record<string, string> | string;
+}
+/**
+ * Detects transport capabilities from multiple sources.
+ *
+ * Detection priority (highest confidence first):
+ * 1. Runtime transport configuration (actual runtime proof)
+ * 2. server.json transport declaration (explicit manifest)
+ * 3. package.json bin entries (strong CLI/stdio indicator)
+ * 4. Source code patterns (StdioServerTransport, mcp.run, etc.)
+ *
+ * @public
+ */
+export declare class StdioTransportDetector {
+    /**
+     * TypeScript/JavaScript patterns for stdio transport
+     */
+    private readonly STDIO_CODE_PATTERNS;
+    /**
+     * Python/FastMCP patterns for stdio transport
+     */
+    private readonly PYTHON_STDIO_PATTERNS;
+    /**
+     * HTTP/SSE transport patterns
+     */
+    private readonly HTTP_CODE_PATTERNS;
+    /**
+     * File patterns to skip during source code scanning
+     */
+    private readonly SKIP_FILE_PATTERNS;
+    /** Maximum file size for source scanning (500KB) */
+    private readonly MAX_FILE_SIZE;
+    /**
+     * Detect transport capabilities from all available sources.
+     *
+     * @param sourceCodeFiles - Map of file paths to content
+     * @param packageJson - Parsed package.json content
+     * @param serverJson - Parsed server.json content
+     * @param runtimeTransport - Transport type from runtime config
+     * @returns Transport detection results
+     */
+    detect(sourceCodeFiles?: Map<string, string>, packageJson?: PackageJsonBin, serverJson?: ServerJsonTransport, runtimeTransport?: TransportMode): TransportDetectionResult;
+    /**
+     * Scan source code files for transport patterns.
+     *
+     * @param sourceCodeFiles - Map of file paths to content
+     * @returns Array of evidence from source code analysis
+     */
+    private scanSourceCode;
+    /**
+     * Check if a transport type is valid.
+     */
+    private isValidTransport;
+    /**
+     * Check if a file should be skipped during scanning.
+     */
+    private shouldSkipFile;
+    /**
+     * Shorten file path for display.
+     */
+    private shortenPath;
+    /**
+     * Compute overall confidence from collected evidence.
+     *
+     * Confidence rules:
+     * - High: Any high-confidence evidence present
+     * - Medium: Only medium-confidence evidence OR multiple sources agree
+     * - Low: No evidence or only weak patterns
+     */
+    private computeConfidence;
+}
+//# sourceMappingURL=StdioTransportDetector.d.ts.map

package/client/lib/services/assessment/helpers/StdioTransportDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"StdioTransportDetector.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/helpers/StdioTransportDetector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mCAAmC,CAAC;AAEvE;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAC/B,aAAa,GACb,cAAc,GACd,aAAa,GACb,gBAAgB,CAAC;AAErB;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,6BAA6B;IAC7B,MAAM,EAAE,uBAAuB,CAAC;IAChC,8BAA8B;IAC9B,SAAS,EAAE,aAAa,CAAC;IACzB,yCAAyC;IACzC,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,gDAAgD;IAChD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,sCAAsC;IACtC,kBAAkB,EAAE,GAAG,CAAC,aAAa,CAAC,CAAC;IACvC,mCAAmC;IACnC,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,8CAA8C;IAC9C,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,2CAA2C;IAC3C,aAAa,EAAE,OAAO,CAAC;IACvB,0CAA0C;IAC1C,YAAY,EAAE,OAAO,CAAC;IACtB,yCAAyC;IACzC,WAAW,EAAE,OAAO,CAAC;IACrB,sCAAsC;IACtC,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,SAAS,CAAC,EAAE;YACV,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,CAAC;KACH,CAAC,CAAC;CACJ;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC;CACvC;AAED;;;;;;;;;;GAUG;AACH,qBAAa,sBAAsB;IACjC;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAwBlC;IAEF;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAoBpC;IAEF;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAwCjC;IAEF;;OAEG;IACH,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAejC;IAEF,oDAAoD;IACpD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAW;IAEzC;;;;;;;;OAQG;IACH,MAAM,CACJ,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,WAAW,CAAC,EAAE,cAAc,EAC5B,UAAU,CAAC,EAAE,mBAAmB,EAChC,gBAAgB,CAAC,EAAE,aAAa,GAC/B,wBAAwB;IAwE3B;;;;;OAKG;IACH,OAAO,CAAC,cAAc;IA4DtB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAIxB;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,WAAW;IAQnB;;;;;;;OAOG;IACH,OAAO,CAAC,iBAAiB;CA0B1B"}