@bryan-thompson/inspector-assessment 1.41.0 → 1.42.0

package/cli/build/__tests__/assessment-runner/config-builder.test.js

@@ -293,6 +293,40 @@ describe("buildConfig", () => {
             expect(result.logging?.level).toBe("error");
         });
     });
+    describe("deprecation warning for v2.0 default change (Issue #190)", () => {
+        let consoleWarnSpy;
+        beforeEach(() => {
+            consoleWarnSpy = jest
+                .spyOn(console, "warn")
+                .mockImplementation(() => { });
+        });
+        afterEach(() => {
+            consoleWarnSpy.mockRestore();
+        });
+        it("should warn when running without --profile and no module filters", () => {
+            buildConfig({ serverName: "test" });
+            expect(consoleWarnSpy).toHaveBeenCalledWith(expect.stringContaining("Running without --profile will default to --profile security in v2.0"));
+        });
+        it("should NOT warn when using --profile", () => {
+            buildConfig({ serverName: "test", profile: "security" });
+            expect(consoleWarnSpy).not.toHaveBeenCalledWith(expect.stringContaining("Running without --profile"));
+        });
+        it("should NOT warn when using --only-modules", () => {
+            resolveModuleNames.mockReturnValue(["functionality"]);
+            buildConfig({ serverName: "test", onlyModules: ["functionality"] });
+            expect(consoleWarnSpy).not.toHaveBeenCalledWith(expect.stringContaining("Running without --profile"));
+        });
+        it("should NOT warn when using --skip-modules", () => {
+            resolveModuleNames.mockReturnValue(["temporal"]);
+            buildConfig({ serverName: "test", skipModules: ["temporal"] });
+            expect(consoleWarnSpy).not.toHaveBeenCalledWith(expect.stringContaining("Running without --profile"));
+        });
+        it("should include migration guidance in warning message", () => {
+            buildConfig({ serverName: "test" });
+            expect(consoleWarnSpy).toHaveBeenCalledWith(expect.stringContaining("--profile full or --profile dev"));
+            expect(consoleWarnSpy).toHaveBeenCalledWith(expect.stringContaining("docs/CLI_ASSESSMENT_GUIDE.md"));
+        });
+    });
     describe("config version validation (Issue #107)", () => {
         let consoleWarnSpy;
         beforeEach(() => {

package/cli/build/__tests__/flag-parsing.test.js

@@ -468,7 +468,7 @@ describe("Profile Validation", () => {
     /**
      * Profile validation logic from assess-full.ts
      */
-    const VALID_PROFILES = ["quick", "security", "compliance", "full"];
+    const VALID_PROFILES = ["quick", "security", "compliance", "full", "dev"];
     function isValidProfileName(name) {
         return VALID_PROFILES.includes(name);
     }
@@ -478,6 +478,7 @@ describe("Profile Validation", () => {
             expect(isValidProfileName("security")).toBe(true);
             expect(isValidProfileName("compliance")).toBe(true);
             expect(isValidProfileName("full")).toBe(true);
+            expect(isValidProfileName("dev")).toBe(true);
         });
     });
     describe("Invalid profiles", () => {

package/cli/build/__tests__/profiles.test.js

@@ -5,15 +5,22 @@
  */
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { jest, describe, it, expect } from "@jest/globals";
-import { ASSESSMENT_PROFILES, PROFILE_METADATA, MODULE_ALIASES, DEPRECATED_MODULES, TIER_1_CORE_SECURITY, TIER_2_COMPLIANCE, TIER_3_CAPABILITY, TIER_4_EXTENDED, ALL_MODULES, resolveModuleNames, getProfileModules, isValidProfileName, getProfileHelpText, mapLegacyConfigToModules, modulesToLegacyConfig, } from "../profiles.js";
+import { ASSESSMENT_PROFILES, PROFILE_METADATA, MODULE_ALIASES, DEPRECATED_MODULES, TIER_1_CORE_SECURITY, TIER_2_COMPLIANCE, TIER_3_CAPABILITY, TIER_4_DEVELOPMENT, ALL_MODULES, OPT_IN_MODULES, STANDARD_MODULES, resolveModuleNames, getProfileModules, isValidProfileName, getProfileHelpText, mapLegacyConfigToModules, modulesToLegacyConfig, } from "../profiles.js";
 describe("Profile Definitions", () => {
     afterEach(() => {
         jest.restoreAllMocks();
     });
     describe("Profile Constants", () => {
-        it("should have four profiles defined", () => {
+        it("should have six profiles defined", () => {
             const profiles = Object.keys(ASSESSMENT_PROFILES);
-            expect(profiles).toEqual(["quick", "security", "compliance", "full"]);
+            expect(profiles).toEqual([
+                "quick",
+                "security",
+                "compliance",
+                "full",
+                "dev",
+                "all",
+            ]);
         });
         it("should have metadata for all profiles", () => {
             const profileNames = Object.keys(ASSESSMENT_PROFILES);
@@ -38,26 +45,36 @@ describe("Profile Definitions", () => {
         });
         it("should have Tier 2 compliance modules", () => {
             expect(TIER_2_COMPLIANCE).toContain("toolAnnotations");
-            expect(TIER_2_COMPLIANCE).toContain("prohibitedLibraries");
-            expect(TIER_2_COMPLIANCE).toContain("manifestValidation");
             expect(TIER_2_COMPLIANCE).toContain("authentication");
+            expect(TIER_2_COMPLIANCE).toHaveLength(2);
         });
         it("should have Tier 3 capability modules", () => {
             expect(TIER_3_CAPABILITY).toContain("resources");
             expect(TIER_3_CAPABILITY).toContain("prompts");
             expect(TIER_3_CAPABILITY).toContain("crossCapability");
         });
-        it("should have Tier 4 extended modules", () => {
-            expect(TIER_4_EXTENDED).toContain("developerExperience");
-            expect(TIER_4_EXTENDED).toContain("portability");
-            expect(TIER_4_EXTENDED).toContain("externalAPIScanner");
+        it("should have Tier 4 development modules", () => {
+            expect(TIER_4_DEVELOPMENT).toContain("developerExperience");
+            expect(TIER_4_DEVELOPMENT).toContain("portability");
+            expect(TIER_4_DEVELOPMENT).toHaveLength(2);
         });
-        it("should combine all tiers in ALL_MODULES", () => {
+        it("should have Opt-In modules", () => {
+            expect(OPT_IN_MODULES).toContain("prohibitedLibraries");
+            expect(OPT_IN_MODULES).toContain("manifestValidation");
+            expect(OPT_IN_MODULES).toContain("fileModularization");
+            expect(OPT_IN_MODULES).toContain("externalAPIScanner");
+            expect(OPT_IN_MODULES).toHaveLength(4);
+        });
+        it("should combine all tiers plus opt-in in ALL_MODULES", () => {
+            const expectedLength = STANDARD_MODULES.length + OPT_IN_MODULES.length;
+            expect(ALL_MODULES.length).toBe(expectedLength);
+        });
+        it("should have STANDARD_MODULES without opt-in", () => {
             const expectedLength = TIER_1_CORE_SECURITY.length +
                 TIER_2_COMPLIANCE.length +
                 TIER_3_CAPABILITY.length +
-                TIER_4_EXTENDED.length;
-            expect(ALL_MODULES.length).toBe(expectedLength);
+                TIER_4_DEVELOPMENT.length;
+            expect(STANDARD_MODULES.length).toBe(expectedLength);
         });
     });
     describe("Profile Compositions", () => {
@@ -77,10 +94,32 @@ describe("Profile Definitions", () => {
                 expect(ASSESSMENT_PROFILES.compliance).toContain(module);
             }
         });
-        it("full profile should include all tiers", () => {
-            for (const module of ALL_MODULES) {
+        it("full profile should include all standard modules (excludes opt-in)", () => {
+            for (const module of STANDARD_MODULES) {
                 expect(ASSESSMENT_PROFILES.full).toContain(module);
             }
+            // Verify opt-in modules are NOT included
+            for (const module of OPT_IN_MODULES) {
+                expect(ASSESSMENT_PROFILES.full).not.toContain(module);
+            }
+        });
+        it("dev profile should include all standard modules (excludes opt-in)", () => {
+            for (const module of STANDARD_MODULES) {
+                expect(ASSESSMENT_PROFILES.dev).toContain(module);
+            }
+            // Verify opt-in modules are NOT included
+            for (const module of OPT_IN_MODULES) {
+                expect(ASSESSMENT_PROFILES.dev).not.toContain(module);
+            }
+        });
+        it("dev and full profiles should be equivalent in v1.x", () => {
+            expect(ASSESSMENT_PROFILES.dev).toEqual(ASSESSMENT_PROFILES.full);
+        });
+        it("all profile should include all modules including opt-in", () => {
+            for (const module of ALL_MODULES) {
+                expect(ASSESSMENT_PROFILES.all).toContain(module);
+            }
+            expect(ASSESSMENT_PROFILES.all.length).toBe(ALL_MODULES.length);
         });
     });
 });
@@ -188,6 +227,12 @@ describe("isValidProfileName", () => {
         expect(isValidProfileName("compliance")).toBe(true);
         expect(isValidProfileName("full")).toBe(true);
     });
+    it("should return true for dev profile", () => {
+        expect(isValidProfileName("dev")).toBe(true);
+    });
+    it("should return true for all profile", () => {
+        expect(isValidProfileName("all")).toBe(true);
+    });
     it("should return false for invalid profile names", () => {
         expect(isValidProfileName("invalid")).toBe(false);
         expect(isValidProfileName("")).toBe(false);
@@ -206,6 +251,8 @@ describe("getProfileHelpText", () => {
         expect(help).toContain("security");
         expect(help).toContain("compliance");
         expect(help).toContain("full");
+        expect(help).toContain("dev");
+        expect(help).toContain("all");
     });
     it("should contain module counts", () => {
         const help = getProfileHelpText();
@@ -308,5 +355,17 @@ describe("Profile Metadata", () => {
         expect(PROFILE_METADATA.security.tiers.length).toBe(1);
         expect(PROFILE_METADATA.compliance.tiers.length).toBe(2);
         expect(PROFILE_METADATA.full.tiers.length).toBe(4);
+        expect(PROFILE_METADATA.dev.tiers.length).toBe(4);
+        expect(PROFILE_METADATA.all.tiers.length).toBe(5); // All 4 tiers + Opt-In
+    });
+    it("should have dev profile metadata", () => {
+        expect(PROFILE_METADATA.dev).toBeDefined();
+        expect(PROFILE_METADATA.dev.description).toContain("development");
+        expect(PROFILE_METADATA.dev.moduleCount).toBe(ASSESSMENT_PROFILES.dev.length);
+    });
+    it("should have all profile metadata", () => {
+        expect(PROFILE_METADATA.all).toBeDefined();
+        expect(PROFILE_METADATA.all.description).toContain("opt-in");
+        expect(PROFILE_METADATA.all.moduleCount).toBe(ASSESSMENT_PROFILES.all.length);
     });
 });

package/cli/build/lib/assessment-runner/config-builder.js

@@ -37,6 +37,13 @@ export function buildConfig(options) {
             config.assessmentCategories = modulesToLegacyConfig(profileModules);
         }
         else {
+            // Issue #190: Deprecation warning for v2.0 default change
+            // Only warn if user didn't specify --only-modules or --skip-modules
+            if (!options.onlyModules?.length && !options.skipModules?.length) {
+                console.warn("⚠️  Warning: Running without --profile will default to --profile security in v2.0.\n" +
+                    "   To preserve current behavior (all modules), use --profile full or --profile dev.\n" +
+                    "   See docs/CLI_ASSESSMENT_GUIDE.md for profile details.");
+            }
             // Derive module config from ASSESSMENT_CATEGORY_METADATA (single source of truth)
             const allModules = getAllModulesConfig({
                 sourceCodePath: Boolean(options.sourceCodePath),

package/cli/build/lib/cli-parser.js

@@ -9,7 +9,7 @@
  * @module cli/lib/cli-parser
  */
 import { ASSESSMENT_CATEGORY_METADATA, } from "../../../client/lib/lib/assessmentTypes.js";
-import { ASSESSMENT_PROFILES, getProfileHelpText, TIER_1_CORE_SECURITY, TIER_2_COMPLIANCE, TIER_3_CAPABILITY, TIER_4_EXTENDED, } from "../profiles.js";
+import { ASSESSMENT_PROFILES, getProfileHelpText, TIER_1_CORE_SECURITY, TIER_2_COMPLIANCE, TIER_3_CAPABILITY, TIER_4_DEVELOPMENT, OPT_IN_MODULES, } from "../profiles.js";
 import packageJson from "../../package.json" with { type: "json" };
 import { safeParseModuleNames, LogLevelSchema, ReportFormatSchema, OutputFormatSchema, AssessmentProfileNameSchema, } from "./cli-parserSchemas.js";
 // ============================================================================
@@ -508,7 +508,7 @@ Options:
   --claude-http          Enable Claude Code via HTTP transport (connects to mcp-auditor proxy)
   --mcp-auditor-url <url>  mcp-auditor URL for HTTP transport (default: http://localhost:8085)
   --full                 Enable all assessment modules (default)
-  --profile <name>       Use predefined module profile (quick, security, compliance, full)
+  --profile <name>       Use predefined module profile (quick, security, compliance, full, dev)
   --temporal-invocations <n>  Number of invocations per tool for rug pull detection (default: 3)
   --skip-temporal        Skip temporal/rug pull testing (faster assessment)
   --conformance          Enable official MCP conformance tests (experimental, requires HTTP/SSE transport)
@@ -557,7 +557,7 @@ Module Selection:
     mcpSpecCompliance -> protocolCompliance
     protocolConformance -> protocolCompliance
 
-Module Tiers (16 total):
+Module Tiers (13 standard + 4 opt-in):
   Tier 1 - Core Security (Always Run):
     • Functionality      - Tests all tools work correctly
     • Security           - Prompt injection & vulnerability testing
@@ -568,8 +568,6 @@ Module Tiers (16 total):
 
   Tier 2 - Compliance (MCP Directory):
     • Tool Annotations   - readOnlyHint/destructiveHint validation
-    • Prohibited Libs    - Dependency security checks
-    • Manifest           - MCPB manifest.json validation
     • Authentication     - OAuth/auth evaluation
 
   Tier 3 - Capability-Based (Conditional):
@@ -577,10 +575,15 @@ Module Tiers (16 total):
     • Prompts            - Prompt capability assessment
     • Cross-Capability   - Chained vulnerability detection
 
-  Tier 4 - Extended (Optional):
+  Tier 4 - Development:
     • Developer Experience - Documentation + usability assessment
     • Portability        - Cross-platform compatibility
-    • External API       - External service detection
+
+  Opt-In Only (requires --profile all):
+    • Prohibited Libs    - Dependency security checks (narrow scope)
+    • Manifest           - MCPB manifest.json validation (bundles only)
+    • File Modularization - Code quality metrics (not security)
+    • External API       - External service detection (informational)
 
 Transport Options:
   --config, --http, and --sse are mutually exclusive.
@@ -597,6 +600,8 @@ Examples:
   mcp-assess-full my-server --profile security      # Security audit (~2-3min)
   mcp-assess-full my-server --profile compliance    # Directory submission (~5min)
   mcp-assess-full my-server --profile full          # Comprehensive audit (~10-15min)
+  mcp-assess-full my-server --profile dev           # Development-focused (standard modules)
+  mcp-assess-full my-server --profile all           # Everything including opt-in modules
 
   # Single module (fastest - bypasses orchestrator):
   mcp-assess-full my-server --http http://localhost:10900/mcp --module toolAnnotations
@@ -625,15 +630,17 @@ const MODULE_DESCRIPTIONS = {
     protocolCompliance: "MCP protocol + JSON-RPC validation",
     aupCompliance: "Acceptable use policy compliance",
     toolAnnotations: "Tool annotation validation (readOnlyHint, destructiveHint)",
-    prohibitedLibraries: "Prohibited library detection",
-    manifestValidation: "MCPB manifest.json validation",
     authentication: "OAuth/auth evaluation",
     resources: "Resource path traversal + sensitive data exposure",
     prompts: "Prompt AUP compliance + injection testing",
     crossCapability: "Cross-capability attack chain detection",
     developerExperience: "Documentation + usability assessment",
     portability: "Cross-platform compatibility",
-    externalAPIScanner: "External API detection (requires --source)",
+    // Opt-in modules (Issue #200)
+    prohibitedLibraries: "Prohibited library detection (~25 libs, opt-in)",
+    manifestValidation: "MCPB manifest.json validation (bundles only, opt-in)",
+    fileModularization: "Code quality metrics (not security, opt-in)",
+    externalAPIScanner: "External API detection (informational, opt-in)",
 };
 /**
  * Print available modules organized by tier
@@ -645,8 +652,13 @@ export function printModules() {
             "";
         return `  ${name.padEnd(22)} ${desc}`;
     };
+    const standardCount = TIER_1_CORE_SECURITY.length +
+        TIER_2_COMPLIANCE.length +
+        TIER_3_CAPABILITY.length +
+        TIER_4_DEVELOPMENT.length;
+    const totalCount = standardCount + OPT_IN_MODULES.length;
     console.log(`
-Available Assessment Modules (16 total):
+Available Assessment Modules (${standardCount} standard + ${OPT_IN_MODULES.length} opt-in = ${totalCount} total):
 
 Tier 1 - Core Security (${TIER_1_CORE_SECURITY.length} modules):
 ${TIER_1_CORE_SECURITY.map(formatModule).join("\n")}
@@ -657,17 +669,21 @@ ${TIER_2_COMPLIANCE.map(formatModule).join("\n")}
 Tier 3 - Capability-Based (${TIER_3_CAPABILITY.length} modules):
 ${TIER_3_CAPABILITY.map(formatModule).join("\n")}
 
-Tier 4 - Extended (${TIER_4_EXTENDED.length} modules):
-${TIER_4_EXTENDED.map(formatModule).join("\n")}
+Tier 4 - Development (${TIER_4_DEVELOPMENT.length} modules):
+${TIER_4_DEVELOPMENT.map(formatModule).join("\n")}
+
+Opt-In Only (${OPT_IN_MODULES.length} modules - requires --profile all):
+${OPT_IN_MODULES.map(formatModule).join("\n")}
 
 Usage:
   --only-modules <list>   Run only specified modules (comma-separated)
   --skip-modules <list>   Skip specified modules (comma-separated)
-  --profile <name>        Use predefined profile (quick, security, compliance, full)
+  --profile <name>        Use predefined profile (quick, security, compliance, full, dev, all)
 
 Examples:
   mcp-assess-full my-server --only-modules functionality,security
   mcp-assess-full my-server --skip-modules temporal,portability
   mcp-assess-full my-server --profile compliance
+  mcp-assess-full my-server --profile all  # Include opt-in modules
 `);
 }

package/cli/build/lib/cli-parserSchemas.js

@@ -15,12 +15,15 @@ export { LogLevelSchema, ReportFormatSchema, OutputFormatSchema, TransportTypeSc
 export { ZOD_SCHEMA_VERSION };
 /**
  * Valid assessment profile names.
+ * Note: 'all' profile includes opt-in modules (Issue #200)
  */
 export const AssessmentProfileNameSchema = z.enum([
     "quick",
     "security",
     "compliance",
     "full",
+    "dev",
+    "all",
 ]);
 /**
  * Valid assessment module names.

package/cli/build/profiles.js

@@ -2,19 +2,25 @@
  * Assessment Profiles
  *
  * Pre-configured module sets for common assessment scenarios.
- * Profiles map to the 4-tier module organization:
+ * Profiles map to the 4-tier + opt-in module organization:
  *
  * Tier 1: Core Security (Always Run)
  *   - functionality, security, temporal, errorHandling, protocolCompliance, aupCompliance
  *
  * Tier 2: Compliance (MCP Directory)
- *   - toolAnnotations, prohibitedLibraries, manifestValidation, authentication
+ *   - toolAnnotations, authentication
  *
  * Tier 3: Capability-Based (Conditional)
  *   - resources, prompts, crossCapability
  *
- * Tier 4: Extended (Optional)
- *   - developerExperience, portability, externalAPIScanner
+ * Tier 4: Development
+ *   - developerExperience, portability
+ *
+ * Opt-In Only (Issue #200 - requires explicit --profile all or --enable-*)
+ *   - prohibitedLibraries: Narrow scope (~25 libs)
+ *   - manifestValidation: Only for MCPB bundles
+ *   - fileModularization: Code quality metric, not security
+ *   - externalAPIScanner: Informational only
  *
  * @module cli/profiles
  */
@@ -49,13 +55,9 @@ export const TIER_1_CORE_SECURITY = [
 /**
  * Tier 2: Compliance modules
  * Required for MCP Directory submission compliance
+ * Note: prohibitedLibraries and manifestValidation moved to OPT_IN_MODULES (Issue #200)
  */
-export const TIER_2_COMPLIANCE = [
-    "toolAnnotations",
-    "prohibitedLibraries",
-    "manifestValidation",
-    "authentication",
-];
+export const TIER_2_COMPLIANCE = ["toolAnnotations", "authentication"];
 /**
  * Tier 3: Capability-Based modules
  * Only run when server has corresponding capabilities
@@ -66,23 +68,50 @@ export const TIER_3_CAPABILITY = [
     "crossCapability",
 ];
 /**
- * Tier 4: Extended modules
- * Optional assessments for comprehensive audits
+ * Tier 4: Development modules
+ * Development-focused assessments (code quality, portability)
+ * Note: externalAPIScanner moved to OPT_IN_MODULES (Issue #200)
  */
-export const TIER_4_EXTENDED = [
+export const TIER_4_DEVELOPMENT = [
     "developerExperience",
     "portability",
+];
+/**
+ * @deprecated Use TIER_4_DEVELOPMENT instead. Will be removed in v2.0.
+ */
+export const TIER_4_EXTENDED = TIER_4_DEVELOPMENT;
+/**
+ * Opt-in only modules (Issue #200)
+ * These modules NEVER run by default, even in --profile full or --profile dev.
+ * Requires explicit --profile all or --enable-<module> flag.
+ *
+ * Rationale for each:
+ * - prohibitedLibraries: Very narrow scope (~25 financial/media libs)
+ * - manifestValidation: Only applicable to MCPB bundles with manifest.json
+ * - fileModularization: Code quality metric, not security-relevant
+ * - externalAPIScanner: Informational only, doesn't detect vulnerabilities
+ */
+export const OPT_IN_MODULES = [
+    "prohibitedLibraries",
+    "manifestValidation",
+    "fileModularization",
     "externalAPIScanner",
 ];
 /**
- * All available modules (new naming)
+ * Standard modules (excludes opt-in)
+ * These run with --profile full
  */
-export const ALL_MODULES = [
+export const STANDARD_MODULES = [
     ...TIER_1_CORE_SECURITY,
     ...TIER_2_COMPLIANCE,
     ...TIER_3_CAPABILITY,
-    ...TIER_4_EXTENDED,
+    ...TIER_4_DEVELOPMENT,
 ];
+/**
+ * All available modules including opt-in (new naming)
+ * These run with --profile all
+ */
+export const ALL_MODULES = [...STANDARD_MODULES, ...OPT_IN_MODULES];
 /**
  * Assessment profile definitions
  * Each profile includes a specific set of modules optimized for the use case.
@@ -111,16 +140,26 @@ export const ASSESSMENT_PROFILES = {
      */
     compliance: [...TIER_1_CORE_SECURITY, ...TIER_2_COMPLIANCE],
     /**
-     * Full profile: All modules (Tier 1 + 2 + 3 + 4)
+     * Full profile: All standard modules (Tier 1 + 2 + 3 + 4, excludes opt-in)
      * Use when: Comprehensive audits, initial server review
      * Time: ~8-12 minutes
+     * Note: Does NOT include opt-in modules (Issue #200)
+     */
+    full: [...STANDARD_MODULES],
+    /**
+     * Dev profile: Same as full (standard modules, no opt-in)
+     * Use when: Development-focused testing
+     * Time: ~8-12 minutes
+     * Note: Does NOT include opt-in modules (Issue #200)
+     */
+    dev: [...STANDARD_MODULES],
+    /**
+     * All profile: Every module including opt-in (Issue #200)
+     * Use when: Comprehensive audit including niche modules
+     * Time: ~10-15 minutes
+     * Includes: Tier 1-4 + opt-in (prohibitedLibraries, manifestValidation, etc.)
      */
-    full: [
-        ...TIER_1_CORE_SECURITY,
-        ...TIER_2_COMPLIANCE,
-        ...TIER_3_CAPABILITY,
-        ...TIER_4_EXTENDED,
-    ],
+    all: [...ALL_MODULES],
 };
 export const PROFILE_METADATA = {
     quick: {
@@ -142,14 +181,37 @@ export const PROFILE_METADATA = {
         tiers: ["Tier 1 (Core Security)", "Tier 2 (Compliance)"],
     },
     full: {
-        description: "Comprehensive audit with all assessment modules",
+        description: "All standard modules (excludes opt-in)",
         estimatedTime: "~8-12 minutes",
         moduleCount: ASSESSMENT_PROFILES.full.length,
         tiers: [
             "Tier 1 (Core Security)",
             "Tier 2 (Compliance)",
             "Tier 3 (Capability)",
-            "Tier 4 (Extended)",
+            "Tier 4 (Development)",
+        ],
+    },
+    dev: {
+        description: "Same as full - standard modules for development",
+        estimatedTime: "~8-12 minutes",
+        moduleCount: ASSESSMENT_PROFILES.dev.length,
+        tiers: [
+            "Tier 1 (Core Security)",
+            "Tier 2 (Compliance)",
+            "Tier 3 (Capability)",
+            "Tier 4 (Development)",
+        ],
+    },
+    all: {
+        description: "Every module including opt-in (niche modules)",
+        estimatedTime: "~10-15 minutes",
+        moduleCount: ASSESSMENT_PROFILES.all.length,
+        tiers: [
+            "Tier 1 (Core Security)",
+            "Tier 2 (Compliance)",
+            "Tier 3 (Capability)",
+            "Tier 4 (Development)",
+            "Opt-In",
         ],
     },
 };
@@ -269,6 +331,7 @@ export function modulesToLegacyConfig(modules) {
         prompts: false,
         crossCapability: false,
         protocolConformance: false,
+        fileModularization: false, // Issue #200: Opt-in module
     };
     // Enable requested modules, mapping new names to old where needed
     for (const module of modules) {

package/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-cli",
-  "version": "1.41.0",
+  "version": "1.42.0",
   "description": "CLI for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/client/dist/assets/{OAuthCallback-BncWs0fE.js → OAuthCallback-Bbgu1k5Q.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BfUEP2vZ.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-DhZHooka.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-C7SkhlxI.js → OAuthDebugCallback-BNMp3ajr.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BfUEP2vZ.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-DhZHooka.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-BfUEP2vZ.js → index-DhZHooka.js}

@@ -16373,7 +16373,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.41.0";
+const version$1 = "1.42.0";
 const packageJson = {
   name,
   version: version$1
@@ -49456,7 +49456,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.41.0";
+const version = "1.42.0";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -52799,13 +52799,13 @@ const App = () => {
   };
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-BncWs0fE.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-Bbgu1k5Q.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-C7SkhlxI.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-BNMp3ajr.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-BfUEP2vZ.js"></script>
+    <script type="module" crossorigin src="/assets/index-DhZHooka.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-BoUA5OL1.css">
   </head>
   <body>