@bryan-thompson/inspector-assessment 1.37.0 → 1.38.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. package/cli/build/lib/assessment-runner/assessment-executor.js +29 -1
  2. package/cli/build/lib/assessment-runner/source-loader.js +11 -0
  3. package/cli/package.json +1 -1
  4. package/client/dist/assets/{OAuthCallback-6-wM7Zc1.js → OAuthCallback-2AYSUA_B.js} +1 -1
  5. package/client/dist/assets/{OAuthDebugCallback-Bw9-AzzP.js → OAuthDebugCallback-CWkaV-fa.js} +1 -1
  6. package/client/dist/assets/{index-DyCdQP10.js → index-BDx5upZX.js} +18633 -18360
  7. package/client/dist/index.html +1 -1
  8. package/client/lib/lib/assessment/coreTypes.d.ts +37 -0
  9. package/client/lib/lib/assessment/coreTypes.d.ts.map +1 -1
  10. package/client/lib/lib/assessment/resultTypes.d.ts +26 -1
  11. package/client/lib/lib/assessment/resultTypes.d.ts.map +1 -1
  12. package/client/lib/lib/securityPatterns/advancedExploitPatterns.d.ts +13 -0
  13. package/client/lib/lib/securityPatterns/advancedExploitPatterns.d.ts.map +1 -0
  14. package/client/lib/lib/securityPatterns/advancedExploitPatterns.js +504 -0
  15. package/client/lib/lib/securityPatterns/authSessionPatterns.d.ts +12 -0
  16. package/client/lib/lib/securityPatterns/authSessionPatterns.d.ts.map +1 -0
  17. package/client/lib/lib/securityPatterns/authSessionPatterns.js +357 -0
  18. package/client/lib/lib/securityPatterns/index.d.ts +18 -0
  19. package/client/lib/lib/securityPatterns/index.d.ts.map +1 -0
  20. package/client/lib/lib/securityPatterns/index.js +18 -0
  21. package/client/lib/lib/securityPatterns/injectionPatterns.d.ts +13 -0
  22. package/client/lib/lib/securityPatterns/injectionPatterns.d.ts.map +1 -0
  23. package/client/lib/lib/securityPatterns/injectionPatterns.js +356 -0
  24. package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.d.ts +12 -0
  25. package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.d.ts.map +1 -0
  26. package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.js +215 -0
  27. package/client/lib/lib/securityPatterns/toolSpecificPatterns.d.ts +13 -0
  28. package/client/lib/lib/securityPatterns/toolSpecificPatterns.d.ts.map +1 -0
  29. package/client/lib/lib/securityPatterns/toolSpecificPatterns.js +373 -0
  30. package/client/lib/lib/securityPatterns/types.d.ts +20 -0
  31. package/client/lib/lib/securityPatterns/types.d.ts.map +1 -0
  32. package/client/lib/lib/securityPatterns/types.js +6 -0
  33. package/client/lib/lib/securityPatterns/utils.d.ts +56 -0
  34. package/client/lib/lib/securityPatterns/utils.d.ts.map +1 -0
  35. package/client/lib/lib/securityPatterns/utils.js +96 -0
  36. package/client/lib/lib/securityPatterns/validationPatterns.d.ts +13 -0
  37. package/client/lib/lib/securityPatterns/validationPatterns.d.ts.map +1 -0
  38. package/client/lib/lib/securityPatterns/validationPatterns.js +110 -0
  39. package/client/lib/lib/securityPatterns.d.ts +18 -69
  40. package/client/lib/lib/securityPatterns.d.ts.map +1 -1
  41. package/client/lib/lib/securityPatterns.js +18 -1946
  42. package/client/lib/services/assessment/AssessmentOrchestrator.d.ts +4 -1
  43. package/client/lib/services/assessment/AssessmentOrchestrator.d.ts.map +1 -1
  44. package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.d.ts +96 -5
  45. package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.d.ts.map +1 -1
  46. package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.js +202 -16
  47. package/client/lib/services/assessment/helpers/StdioTransportDetector.d.ts +137 -0
  48. package/client/lib/services/assessment/helpers/StdioTransportDetector.d.ts.map +1 -0
  49. package/client/lib/services/assessment/helpers/StdioTransportDetector.js +315 -0
  50. package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.d.ts +34 -0
  51. package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.d.ts.map +1 -0
  52. package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.js +85 -0
  53. package/client/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts +17 -0
  54. package/client/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map +1 -1
  55. package/client/lib/services/assessment/modules/ErrorHandlingAssessor.js +162 -10
  56. package/client/lib/services/assessment/modules/ProtocolComplianceAssessor.d.ts.map +1 -1
  57. package/client/lib/services/assessment/modules/ProtocolComplianceAssessor.js +30 -0
  58. package/client/lib/services/assessment/modules/SecurityAssessor.d.ts.map +1 -1
  59. package/client/lib/services/assessment/modules/SecurityAssessor.js +6 -0
  60. package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.d.ts +55 -0
  61. package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.d.ts.map +1 -0
  62. package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.js +135 -0
  63. package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.d.ts +16 -0
  64. package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.d.ts.map +1 -1
  65. package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.js +21 -1
  66. package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts +58 -0
  67. package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map +1 -1
  68. package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js +114 -0
  69. package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts +11 -1
  70. package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts.map +1 -1
  71. package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.js +26 -1
  72. package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts +1 -1
  73. package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map +1 -1
  74. package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js +30 -1
  75. package/client/lib/services/assessment/modules/securityTests/index.d.ts +1 -0
  76. package/client/lib/services/assessment/modules/securityTests/index.d.ts.map +1 -1
  77. package/client/lib/services/assessment/modules/securityTests/index.js +1 -0
  78. package/client/package.json +1 -1
  79. package/package.json +1 -1
  80. package/server/package.json +1 -1
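--- a/package/cli/build/lib/assessment-runner/assessment-executor.js
+++ b/package/cli/build/lib/assessment-runner/assessment-executor.js
@@ -22,6 +22,10 @@ import { setAnnotationDebugMode } from "../../../../client/lib/services/assessme
 import { getToolsWithPreservedHints } from "./tools-with-hints.js";
 // Issue #168: Import external API dependency detector
 import { ExternalAPIDependencyDetector } from "../../../../client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.js";
+// Issue #172: Import stdio transport detector for C6/F6 compliance
+import { StdioTransportDetector } from "../../../../client/lib/services/assessment/helpers/StdioTransportDetector.js";
+// Issue #170: Import tool annotation extractor for security severity adjustment
+import { extractToolAnnotationsContext } from "../../../../client/lib/services/assessment/helpers/ToolAnnotationExtractor.js";
 /**
 * Run full assessment against an MCP server
 *
@@ -289,10 +293,30 @@ export async function runFullAssessment(options) {
 // Issue #168: Detect external API dependencies before assessors run
 // This enables TemporalAssessor, FunctionalityAssessor, and ErrorHandlingAssessor
 // to adjust their behavior for tools that depend on external APIs
+// Enhanced: Pass sourceCodeFiles when available for more accurate detection
 const apiDetector = new ExternalAPIDependencyDetector();
-const externalAPIDependencies = apiDetector.detect(tools);
+const externalAPIDependencies = apiDetector.detect(tools, sourceFiles.sourceCodeFiles);
 if (!options.jsonOnly && externalAPIDependencies.detectedCount > 0) {
 console.log(`🌐 Detected ${externalAPIDependencies.detectedCount} tool(s) with external API dependencies`);
+// Show domains if source code scanning found any
+if (externalAPIDependencies.domains &&
+externalAPIDependencies.domains.length > 0) {
+console.log(` Domains: ${externalAPIDependencies.domains.join(", ")}`);
+}
+}
+// Issue #172: Detect transport capabilities from source code before assessors run
+// This enables C6/F6 to correctly identify stdio servers without serverInfo metadata
+const transportDetector = new StdioTransportDetector();
+const transportDetection = transportDetector.detect(sourceFiles.sourceCodeFiles, sourceFiles.packageJson, sourceFiles.serverJson, serverConfig.transport);
+if (!options.jsonOnly && transportDetection.evidence.length > 0) {
+const transports = Array.from(transportDetection.detectedTransports).join(", ");
+console.log(`🚀 Detected transport(s): ${transports} (${transportDetection.confidence} confidence)`);
+}
+// Issue #170: Extract tool annotations context for security severity adjustment
+// This enables SecurityAssessor to reduce false positives for read-only servers
+const toolAnnotationsContext = extractToolAnnotationsContext(tools);
+if (!options.jsonOnly && toolAnnotationsContext.serverIsReadOnly) {
+console.log(`📖 Server is 100% read-only (${toolAnnotationsContext.annotatedToolCount}/${toolAnnotationsContext.totalToolCount} tools annotated)`);
 }
 const context = {
 serverName: options.serverName,
@@ -317,6 +341,10 @@ export async function runFullAssessment(options) {
 serverCapabilities: serverCapabilities,
 // Issue #168: External API dependency detection for assessor behavior adjustment
 externalAPIDependencies,
+// Issue #172: Transport detection for C6/F6 compliance
+transportDetection,
+// Issue #170: Tool annotations context for security severity adjustment
+toolAnnotationsContext,
 };
 if (!options.jsonOnly) {
 console.log(`\n🏃 Running assessment with ${Object.keys(config.assessmentCategories || {}).length} modules...`);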
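Review bot: In the second hunk, `apiDetector.detect(tools, sourceFiles.sourceCodeFiles)` and `transportDetector.detect(sourceFiles.sourceCodeFiles, sourceFiles.packageJson, sourceFiles.serverJson, serverConfig.transport)` dereference `sourceFiles` unconditionally, whereas the replaced `apiDetector.detect(tools)` did not depend on it; `sourceFiles` and `serverConfig` are defined outside the hunk, so if either can be absent when no source path is supplied this now throws before any assessor runs, and a `sourceFiles?.sourceCodeFiles` guard (or an early default) would preserve the old behavior. The `Domains:` line prints strings that were scraped from the assessed server's own source code straight to the operator's terminal, so a domain containing control or escape characters reaches the console unfiltered; consider `` console.log(` Domains: ${externalAPIDependencies.domains.map((d) => String(d).replace(/[^\x20-\x7e]/g, "?")).join(", ")}`); `` and the same treatment for the `transports` and `confidence` values on the transport line, since their provenance is the same scan. The `domains && domains.length > 0` check could read `externalAPIDependencies.domains?.length > 0`, matching the optional-chaining style used elsewhere in the project's ES module code. runFullAssessment starts and ends outside this hunk.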
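--- a/package/cli/build/lib/assessment-runner/source-loader.js
+++ b/package/cli/build/lib/assessment-runner/source-loader.js
@@ -99,6 +99,17 @@ export function loadSourceFiles(sourcePath, debug = false) {
 console.warn("[Assessment] Failed to parse manifest.json");
 }
 }
+// Issue #172: Load server.json for transport configuration
+const serverJsonPath = path.join(sourcePath, "server.json");
+if (fs.existsSync(serverJsonPath)) {
+try {
+result.serverJson = JSON.parse(fs.readFileSync(serverJsonPath, "utf-8"));
+log(` ✓ Found server.json`);
+}
+catch {
+console.warn("[Assessment] Failed to parse server.json");
+}
+}
 result.sourceCodeFiles = new Map();
 // Include config files for portability analysis
 const sourceExtensions = [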
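Review bot: The bare `catch {}` around `fs.readFileSync` + `JSON.parse` reports every failure as "Failed to parse server.json" and discards the error, so a permission error, a directory named `server.json`, or a file that vanished between the `existsSync` check and the read all surface as a parse problem with no detail for the operator; `catch (err) { console.warn(`[Assessment] Failed to read or parse server.json: ${err instanceof Error ? err.message : String(err)}`); }` keeps the best-effort behavior while making the cause visible. Because `server.json` is part of the source tree under assessment, `result.serverJson` holds arbitrary attacker-shaped JSON; that is fine for the plain property reads a detector would do, but any consumer that deep-merges it into configuration should be checked for prototype-key handling — the consumer is outside this hunk, so this is an inference. The same pattern is used by the manifest.json block just above, so the wording change would apply there too for consistency. loadSourceFiles starts and ends outside this hunk.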
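--- a/package/cli/package.json
+++ b/package/cli/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@bryan-thompson/inspector-assessment-cli",
-"version": "1.37.0",
+"version": "1.38.1",
 "description": "CLI for the Enhanced MCP Inspector with assessment capabilities",
 "license": "MIT",
 "author": "Bryan Thompson <bryan@triepod.ai>",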
@@ -1,4 +1,4 @@
1
- import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-DyCdQP10.js";
1
+ import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BDx5upZX.js";
2
2
  const OAuthCallback = ({ onConnect }) => {
3
3
  const { toast } = useToast();
4
4
  const hasProcessedRef = reactExports.useRef(false);
@@ -1,4 +1,4 @@
1
- import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-DyCdQP10.js";
1
+ import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BDx5upZX.js";
2
2
  const OAuthDebugCallback = ({ onConnect }) => {
3
3
  reactExports.useEffect(() => {
4
4
  let isProcessed = false;