@bryan-thompson/inspector-assessment 1.4.0 → 1.5.0

package/README.md

@@ -82,8 +82,8 @@ We've built a comprehensive assessment framework on top of the original inspecto
 
 Our enhanced fork maintains high code quality standards with comprehensive testing and validation:
 
-- **Test Coverage**: ✅ 582/582 tests passing (100% pass rate)
-  - **Assessment Module Tests**: 208 tests specifically validating our assessment enhancements
+- **Test Coverage**: ✅ 665/665 tests passing (100% pass rate)
+  - **Assessment Module Tests**: 291 tests specifically validating our assessment enhancements (including 83 new MCP Directory compliance tests)
     - Business logic error detection with confidence scoring
     - Progressive complexity testing (2 levels: minimal → simple)
     - Context-aware security testing with zero false positives
@@ -106,11 +106,13 @@ Our enhanced fork maintains high code quality standards with comprehensive testi
 **Testing Commands**:
 
 ```bash
-npm test                         # Run all 582 tests
-npm test -- assessment           # Run all 208 assessment module tests
+npm test                         # Run all 665 tests
+npm test -- assessment           # Run all 291 assessment module tests
 npm test -- assessmentService    # Run assessment service integration tests (54 tests)
 npm test -- SecurityAssessor     # Run security assessment tests (16 tests)
 npm test -- FunctionalityAssessor # Run functionality tests (11 tests)
+npm test -- AUPCompliance        # Run AUP compliance tests (26 tests)
+npm test -- ToolAnnotation       # Run tool annotation tests (13 tests)
 npm run coverage                 # Generate coverage report
 npm run lint                     # Check code quality
 ```
@@ -215,7 +217,9 @@ Response: "The answer is 4"
 
 **Based on Real-World Testing**: Our methodology has been validated through systematic testing using the taskmanager MCP server as a case study (11 tools tested with 8 backend security patterns, detailed in [ASSESSMENT_METHODOLOGY.md](docs/ASSESSMENT_METHODOLOGY.md)).
 
-**Six Core Assessors** aligned with Anthropic's MCP directory submission requirements:
+**Eleven Core Assessors** aligned with Anthropic's MCP directory submission requirements:
+
+**Original MCP Inspector Assessors:**
 
 1. **FunctionalityAssessor** (225 lines)
    - Multi-scenario validation with progressive complexity
@@ -249,7 +253,41 @@ Response: "The answer is 4"
    - Protocol message format verification
    - MCP specification adherence
 
-**Recent Refactoring** (2025-10-05): Removed 2,707 lines of out-of-scope assessment modules (HumanInLoopAssessor, PrivacyComplianceAssessor) to focus on core MCP validation requirements. Achieved 100% test pass rate.
+**NEW: MCP Directory Compliance Assessors** (added 2025-12):
+
+7. **AUPComplianceAssessor** - Policy compliance
+   - 14 AUP category violation detection (A-N)
+   - High-risk domain identification (Healthcare, Financial, Legal, Children)
+   - Tool name/description pattern analysis
+   - Source code scanning (enhanced mode)
+
+8. **ToolAnnotationAssessor** - Policy #17 compliance
+   - readOnlyHint/destructiveHint verification
+   - Tool behavior inference from name patterns
+   - Annotation misalignment detection
+   - Policy #17 compliance reporting
+
+9. **ProhibitedLibrariesAssessor** - Policy #28-30 compliance
+   - Financial library detection (Stripe, PayPal, Plaid, etc.)
+   - Media library detection (Sharp, FFmpeg, OpenCV, PIL)
+   - package.json and requirements.txt scanning
+   - Source code import analysis
+
+10. **ManifestValidationAssessor** - MCPB manifest compliance
+    - manifest_version 0.3 validation
+    - Required field verification (name, version, mcp_config)
+    - Icon presence check
+    - ${BUNDLE_ROOT} anti-pattern detection
+
+11. **PortabilityAssessor** - Cross-platform compatibility
+    - Hardcoded path detection (/Users/, /home/, C:\)
+    - Platform-specific code patterns
+    - ${\_\_dirname} usage validation
+
+**Recent Updates**:
+
+- (2025-12-07): Added 5 new MCP Directory compliance assessors with 83 tests
+- (2025-10-05): Removed 2,707 lines of out-of-scope assessment modules to focus on core MCP validation requirements
 
 ### 6. Advanced Assessment Components
 
@@ -443,40 +481,45 @@ Our assessment capabilities are backed by a comprehensive test suite that valida
 
 **Test Coverage Summary**:
 
-- **582 passing tests** across all project modules (100% pass rate)
-- **208 assessment module tests** specifically created for validation of our enhancements
+- **665 passing tests** across all project modules (100% pass rate)
+- **291 assessment module tests** specifically created for validation of our enhancements
 
 #### Assessment Module Test Breakdown
 
-The assessment functionality is validated by **208 specialized tests** across 14 test files:
+The assessment functionality is validated by **291 specialized tests** across 19 test files:
 
 | Test File                             | Tests   | Purpose                          |
 | ------------------------------------- | ------- | -------------------------------- |
 | `assessmentService.test.ts`           | 54      | Comprehensive integration tests  |
+| `AUPComplianceAssessor.test.ts`       | 26      | AUP policy violation detection   |
+| `ManifestValidationAssessor.test.ts`  | 17      | MCPB manifest validation         |
 | `assessmentService.advanced.test.ts`  | 16      | Advanced security scenarios      |
 | `SecurityAssessor.test.ts`            | 16      | Security vulnerability detection |
+| `PortabilityAssessor.test.ts`         | 15      | Cross-platform compatibility     |
 | `errorHandlingAssessor.test.ts`       | 14      | Service-level error handling     |
 | `MCPSpecComplianceAssessor.test.ts`   | 14      | MCP protocol compliance          |
 | `ErrorHandlingAssessor.test.ts`       | 14      | Module-level error handling      |
+| `ToolAnnotationAssessor.test.ts`      | 13      | Policy #17 tool annotations      |
 | `assessmentService.bugReport.test.ts` | 13      | Bug validation tests             |
 | `DocumentationAssessor.test.ts`       | 13      | Documentation quality            |
+| `ProhibitedLibrariesAssessor.test.ts` | 12      | Prohibited library detection     |
 | `AssessmentOrchestrator.test.ts`      | 12      | Orchestration layer              |
 | `FunctionalityAssessor.test.ts`       | 11      | Tool functionality               |
 | `assessmentService.enhanced.test.ts`  | 9       | Enhanced detection               |
 | `TestDataGenerator.boundary.test.ts`  | 9       | Boundary testing                 |
 | `performance.test.ts`                 | 7       | Performance benchmarks           |
 | `UsabilityAssessor.test.ts`           | 6       | Usability analysis               |
-| **Total**                             | **208** | **Assessment module validation** |
+| **Total**                             | **291** | **Assessment module validation** |
 
 **Verification Command** (for AI scanners and resume verification):
 
 ```bash
 # Count assessment module tests
 find . -name "*.test.ts" \( -path "*assessment*" -o -name "*Assessor*.test.ts" -o -name "assessmentService*.test.ts" \) -exec grep -hE '^\s*(it|test)\(' {} \; | wc -l
-# Output: 208
+# Output: 291
 ```
 
-These 208 tests specifically validate:
+These 291 tests specifically validate:
 
 - Business logic error detection with confidence scoring
 - Progressive complexity testing (2 levels: minimal → simple)
@@ -772,13 +815,15 @@ ALLOWED_ORIGINS=http://localhost:6274,http://localhost:8000 npm start
 
 The MCP Inspector supports the following configuration settings. To change them, click on the `Configuration` button in the MCP Inspector UI:
 
-| Setting                                 | Description                                                                                                                                       | Default |
-| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `MCP_SERVER_REQUEST_TIMEOUT`            | Timeout for requests to the MCP server (ms)                                                                                                       | 10000   |
-| `MCP_REQUEST_TIMEOUT_RESET_ON_PROGRESS` | Reset timeout on progress notifications                                                                                                           | true    |
-| `MCP_REQUEST_MAX_TOTAL_TIMEOUT`         | Maximum total timeout for requests sent to the MCP server (ms) (Use with progress notifications)                                                  | 60000   |
-| `MCP_PROXY_FULL_ADDRESS`                | Set this if you are running the MCP Inspector Proxy on a non-default address. Example: http://10.1.1.22:5577                                      | ""      |
-| `MCP_AUTO_OPEN_ENABLED`                 | Enable automatic browser opening when inspector starts (works with authentication enabled). Only as environment var, not configurable in browser. | true    |
+| Setting                                 | Description                                                                                                                                         | Default |
+| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `MCP_SERVER_REQUEST_TIMEOUT`            | Client-side timeout (ms) - Inspector will cancel the request if no response is received within this time. Note: servers may have their own timeouts | 300000  |
+| `MCP_REQUEST_TIMEOUT_RESET_ON_PROGRESS` | Reset timeout on progress notifications                                                                                                             | true    |
+| `MCP_REQUEST_MAX_TOTAL_TIMEOUT`         | Maximum total timeout for requests sent to the MCP server (ms) (Use with progress notifications)                                                    | 60000   |
+| `MCP_PROXY_FULL_ADDRESS`                | Set this if you are running the MCP Inspector Proxy on a non-default address. Example: http://10.1.1.22:5577                                        | ""      |
+| `MCP_AUTO_OPEN_ENABLED`                 | Enable automatic browser opening when inspector starts (works with authentication enabled). Only as environment var, not configurable in browser.   | true    |
+
+**Note on Timeouts:** The timeout settings above control when the Inspector (as an MCP client) will cancel requests. These are independent of any server-side timeouts. For example, if a server tool has a 10-minute timeout but the Inspector's timeout is set to 30 seconds, the Inspector will cancel the request after 30 seconds. Conversely, if the Inspector's timeout is 10 minutes but the server times out after 30 seconds, you'll receive the server's timeout error. For tools that require user interaction (like elicitation) or long-running operations, ensure the Inspector's timeout is set appropriately.
 
 These settings can be adjusted in real-time through the UI and will persist across sessions.
 
@@ -897,7 +942,7 @@ http://localhost:6274/?transport=stdio&serverCommand=npx&serverArgs=arg1%20arg2
 You can also set initial config settings via query params, for example:
 
 ```
-http://localhost:6274/?MCP_SERVER_REQUEST_TIMEOUT=10000&MCP_REQUEST_TIMEOUT_RESET_ON_PROGRESS=false&MCP_PROXY_FULL_ADDRESS=http://10.1.1.22:5577
+http://localhost:6274/?MCP_SERVER_REQUEST_TIMEOUT=60000&MCP_REQUEST_TIMEOUT_RESET_ON_PROGRESS=false&MCP_PROXY_FULL_ADDRESS=http://10.1.1.22:5577
 ```
 
 Note that if both the query param and the corresponding localStorage item are set, the query param will take precedence.
@@ -1051,6 +1096,17 @@ See [docs/mcp_vulnerability_testbed.md](docs/mcp_vulnerability_testbed.md) for d
 | **Automation**           | N/A                                                                       | Ideal for CI/CD pipelines, batch processing, and integration with coding assistants                                                                  |
 | **Learning MCP**         | Rich visual interface helps new users understand server capabilities      | Simplified commands for focused learning of specific endpoints                                                                                       |
 
+## Tool Input Validation Guidelines
+
+When implementing or modifying tool input parameter handling in the Inspector:
+
+- **Omit optional fields with empty values** - When processing form inputs, omit empty strings or null values for optional parameters, UNLESS the field has an explicit default value in the schema that matches the current value
+- **Preserve explicit default values** - If a field schema contains an explicit default (e.g., `default: null`), and the current value matches that default, include it in the request. This is a meaningful value the tool expects
+- **Always include required fields** - Preserve required field values even when empty, allowing the MCP server to validate and return appropriate error messages
+- **Defer deep validation to the server** - Implement basic field presence checking in the Inspector client, but rely on the MCP server for parameter validation according to its schema
+
+These guidelines maintain clean parameter passing and proper separation of concerns between the Inspector client and MCP servers.
+
 ## Evidence & Validation
 
 All performance claims in this README are backed by implementation analysis and documented methodology. We maintain transparency about what has been measured versus estimated.

package/cli/build/client/prompts.js

@@ -1,7 +1,8 @@
 // List available prompts
-export async function listPrompts(client) {
+export async function listPrompts(client, metadata) {
     try {
-        const response = await client.listPrompts();
+        const params = metadata && Object.keys(metadata).length > 0 ? { _meta: metadata } : {};
+        const response = await client.listPrompts(params);
         return response;
     }
     catch (error) {
@@ -9,7 +10,7 @@ export async function listPrompts(client) {
     }
 }
 // Get a prompt
-export async function getPrompt(client, name, args) {
+export async function getPrompt(client, name, args, metadata) {
     try {
         // Convert all arguments to strings for prompt arguments
         const stringArgs = {};
@@ -26,10 +27,14 @@ export async function getPrompt(client, name, args) {
                 }
             }
         }
-        const response = await client.getPrompt({
+        const params = {
             name,
             arguments: stringArgs,
-        });
+        };
+        if (metadata && Object.keys(metadata).length > 0) {
+            params._meta = metadata;
+        }
+        const response = await client.getPrompt(params);
         return response;
     }
     catch (error) {

package/cli/build/client/resources.js

@@ -1,7 +1,8 @@
 // List available resources
-export async function listResources(client) {
+export async function listResources(client, metadata) {
     try {
-        const response = await client.listResources();
+        const params = metadata && Object.keys(metadata).length > 0 ? { _meta: metadata } : {};
+        const response = await client.listResources(params);
         return response;
     }
     catch (error) {
@@ -9,9 +10,13 @@ export async function listResources(client) {
     }
 }
 // Read a resource
-export async function readResource(client, uri) {
+export async function readResource(client, uri, metadata) {
     try {
-        const response = await client.readResource({ uri });
+        const params = { uri };
+        if (metadata && Object.keys(metadata).length > 0) {
+            params._meta = metadata;
+        }
+        const response = await client.readResource(params);
         return response;
     }
     catch (error) {
@@ -19,9 +24,10 @@ export async function readResource(client, uri) {
     }
 }
 // List resource templates
-export async function listResourceTemplates(client) {
+export async function listResourceTemplates(client, metadata) {
     try {
-        const response = await client.listResourceTemplates();
+        const params = metadata && Object.keys(metadata).length > 0 ? { _meta: metadata } : {};
+        const response = await client.listResourceTemplates(params);
         return response;
     }
     catch (error) {

package/cli/build/client/tools.js

@@ -1,6 +1,7 @@
-export async function listTools(client) {
+export async function listTools(client, metadata) {
     try {
-        const response = await client.listTools();
+        const params = metadata && Object.keys(metadata).length > 0 ? { _meta: metadata } : {};
+        const response = await client.listTools(params);
         return response;
     }
     catch (error) {
@@ -42,9 +43,9 @@ function convertParameters(tool, params) {
     }
     return result;
 }
-export async function callTool(client, name, args) {
+export async function callTool(client, name, args, generalMetadata, toolSpecificMetadata) {
     try {
-        const toolsResponse = await listTools(client);
+        const toolsResponse = await listTools(client, generalMetadata);
         const tools = toolsResponse.tools;
         const tool = tools.find((t) => t.name === name);
         let convertedArgs = args;
@@ -62,9 +63,21 @@ export async function callTool(client, name, args) {
                 convertedArgs = { ...args, ...convertedStringArgs };
             }
         }
+        // Merge general metadata with tool-specific metadata
+        // Tool-specific metadata takes precedence over general metadata
+        let mergedMetadata;
+        if (generalMetadata || toolSpecificMetadata) {
+            mergedMetadata = {
+                ...(generalMetadata || {}),
+                ...(toolSpecificMetadata || {}),
+            };
+        }
         const response = await client.callTool({
             name: name,
             arguments: convertedArgs,
+            _meta: mergedMetadata && Object.keys(mergedMetadata).length > 0
+                ? mergedMetadata
+                : undefined,
         });
         return response;
     }

package/cli/build/index.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
+import * as fs from "fs";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { Command } from "commander";
 import { callTool, connect, disconnect, getPrompt, listPrompts, listResources, listResourceTemplates, listTools, readResource, setLoggingLevel, validLogLevels, } from "./client/index.js";
 import { handleError } from "./error-handler.js";
 import { createTransport } from "./transport.js";
 import { awaitableLog } from "./utils/awaitable-log.js";
-import packageJson from "../package.json" with { type: "json" };
 function createTransportOptions(target, transport, headers) {
     if (target.length === 0) {
         throw new Error("Target is required. Specify a URL or a command to execute.");
@@ -52,6 +52,14 @@ function createTransportOptions(target, transport, headers) {
     };
 }
 async function callMethod(args) {
+    // Read package.json to get name and version for client identity
+    const pathA = "../package.json"; // We're in package @modelcontextprotocol/inspector-cli
+    const pathB = "../../package.json"; // We're in package @modelcontextprotocol/inspector
+    let packageJson;
+    let packageJsonData = await import(fs.existsSync(pathA) ? pathA : pathB, {
+        with: { type: "json" },
+    });
+    packageJson = packageJsonData.default;
     const transportOptions = createTransportOptions(args.target, args.transport, args.headers);
     const transport = createTransport(transportOptions);
     const [, name = packageJson.name] = packageJson.name.split("/");
@@ -63,36 +71,36 @@ async function callMethod(args) {
         let result;
         // Tools methods
         if (args.method === "tools/list") {
-            result = await listTools(client);
+            result = await listTools(client, args.metadata);
         }
         else if (args.method === "tools/call") {
             if (!args.toolName) {
                 throw new Error("Tool name is required for tools/call method. Use --tool-name to specify the tool name.");
             }
-            result = await callTool(client, args.toolName, args.toolArg || {});
+            result = await callTool(client, args.toolName, args.toolArg || {}, args.metadata, args.toolMeta);
         }
         // Resources methods
         else if (args.method === "resources/list") {
-            result = await listResources(client);
+            result = await listResources(client, args.metadata);
         }
         else if (args.method === "resources/read") {
             if (!args.uri) {
                 throw new Error("URI is required for resources/read method. Use --uri to specify the resource URI.");
             }
-            result = await readResource(client, args.uri);
+            result = await readResource(client, args.uri, args.metadata);
         }
         else if (args.method === "resources/templates/list") {
-            result = await listResourceTemplates(client);
+            result = await listResourceTemplates(client, args.metadata);
         }
         // Prompts methods
         else if (args.method === "prompts/list") {
-            result = await listPrompts(client);
+            result = await listPrompts(client, args.metadata);
         }
         else if (args.method === "prompts/get") {
             if (!args.promptName) {
                 throw new Error("Prompt name is required for prompts/get method. Use --prompt-name to specify the prompt name.");
             }
-            result = await getPrompt(client, args.promptName, args.promptArgs || {});
+            result = await getPrompt(client, args.promptName, args.promptArgs || {}, args.metadata);
         }
         // Logging methods
         else if (args.method === "logging/setLevel") {
@@ -199,7 +207,12 @@ function parseArgs() {
         //
         // HTTP headers
         //
-        .option("--header <headers...>", 'HTTP headers as "HeaderName: Value" pairs (for HTTP/SSE transports)', parseHeaderPair, {});
+        .option("--header <headers...>", 'HTTP headers as "HeaderName: Value" pairs (for HTTP/SSE transports)', parseHeaderPair, {})
+        //
+        // Metadata options
+        //
+        .option("--metadata <pairs...>", "General metadata as key=value pairs (applied to all methods)", parseKeyValuePair, {})
+        .option("--tool-metadata <pairs...>", "Tool-specific metadata as key=value pairs (for tools/call method only)", parseKeyValuePair, {});
     // Parse only the arguments before --
     program.parse(preArgs);
     const options = program.opts();
@@ -213,6 +226,18 @@ function parseArgs() {
         target: finalArgs,
         ...options,
         headers: options.header, // commander.js uses 'header' field, map to 'headers'
+        metadata: options.metadata
+            ? Object.fromEntries(Object.entries(options.metadata).map(([key, value]) => [
+                key,
+                String(value),
+            ]))
+            : undefined,
+        toolMeta: options.toolMetadata
+            ? Object.fromEntries(Object.entries(options.toolMetadata).map(([key, value]) => [
+                key,
+                String(value),
+            ]))
+            : undefined,
     };
 }
 async function main() {

package/client/dist/assets/{OAuthCallback-CIWsnXN_.js → OAuthCallback-TeTvKfWE.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-CynAt5P-.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BwAoxcvr.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-DP9WXVFe.js → OAuthDebugCallback-DwA2sKy9.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-CynAt5P-.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BwAoxcvr.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-Cz-lwW4x.css → index-Bj7kEsw0.css}

@@ -945,6 +945,12 @@ video {
 .mt-4 {
   margin-top: 1rem;
 }
+.line-clamp-2 {
+  overflow: hidden;
+  display: -webkit-box;
+  -webkit-box-orient: vertical;
+  -webkit-line-clamp: 2;
+}
 .block {
   display: block;
 }
@@ -1039,6 +1045,9 @@ video {
 .max-h-40 {
   max-height: 10rem;
 }
+.max-h-48 {
+  max-height: 12rem;
+}
 .max-h-64 {
   max-height: 16rem;
 }
@@ -1646,6 +1655,10 @@ video {
   --tw-bg-opacity: 1;
   background-color: rgb(234 179 8 / var(--tw-bg-opacity, 1));
 }
+.object-contain {
+  -o-object-fit: contain;
+     object-fit: contain;
+}
 .p-0 {
   padding: 0px;
 }
@@ -1730,6 +1743,10 @@ video {
   padding-top: 1.5rem;
   padding-bottom: 1.5rem;
 }
+.py-8 {
+  padding-top: 2rem;
+  padding-bottom: 2rem;
+}
 .pb-1 {
   padding-bottom: 0.25rem;
 }
@@ -2441,6 +2458,11 @@ h1 {
   --tw-ring-color: rgb(59 130 246 / var(--tw-ring-opacity, 1));
 }
 
+.focus-visible\:ring-red-500:focus-visible {
+  --tw-ring-opacity: 1;
+  --tw-ring-color: rgb(239 68 68 / var(--tw-ring-opacity, 1));
+}
+
 .focus-visible\:ring-ring:focus-visible {
   --tw-ring-color: hsl(var(--ring));
 }
@@ -2911,6 +2933,11 @@ h1 {
   color: rgb(243 244 246 / var(--tw-text-opacity, 1));
 }
 
+.dark\:text-gray-200:is(.dark *) {
+  --tw-text-opacity: 1;
+  color: rgb(229 231 235 / var(--tw-text-opacity, 1));
+}
+
 .dark\:text-gray-300:is(.dark *) {
   --tw-text-opacity: 1;
   color: rgb(209 213 219 / var(--tw-text-opacity, 1));