@bryan-thompson/inspector-assessment 1.43.0 → 1.43.1

package/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-cli",
-  "version": "1.43.0",
+  "version": "1.43.1",
   "description": "CLI for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/client/dist/assets/{OAuthCallback-BEnTdTGR.js → OAuthCallback-ngu_aFUO.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-DEeUx8Bb.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-97IA_LWd.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-CTNSrDLW.js → OAuthDebugCallback-CsGYu8op.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-DEeUx8Bb.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-97IA_LWd.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-DEeUx8Bb.js → index-97IA_LWd.js}

@@ -16373,7 +16373,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.43.0";
+const version$1 = "1.43.1";
 const packageJson = {
   name,
   version: version$1
@@ -49456,7 +49456,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.43.0";
+const version = "1.43.1";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -52799,13 +52799,13 @@ const App = () => {
   };
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-BEnTdTGR.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-ngu_aFUO.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-CTNSrDLW.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-CsGYu8op.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-DEeUx8Bb.js"></script>
+    <script type="module" crossorigin src="/assets/index-97IA_LWd.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-BoUA5OL1.css">
   </head>
   <body>

package/client/lib/services/assessment/helpers/StaticAnnotationScanner.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Static Annotation Scanner
+ *
+ * Scans source code files for tool annotations using AST parsing.
+ * Detects annotations nested inside tool definition objects/arrays
+ * in ES module syntax that regex-based scanning would miss.
+ *
+ * Fixes Issue #192: Static annotation scanner misses nested annotations
+ * in ES module syntax like:
+ *   const TOOLS = [{ name: 'x', annotations: { readOnlyHint: true } }];
+ *
+ * @module helpers/StaticAnnotationScanner
+ */
+/**
+ * Evidence from static annotation scanning
+ */
+export interface StaticAnnotationEvidence {
+    /** File path where annotation was found */
+    filePath: string;
+    /** Tool name associated with the annotation */
+    toolName: string;
+    /** Confidence level */
+    confidence: "high" | "medium" | "low";
+    /** Description of how the annotation was found */
+    detail: string;
+    /** Line number in source file */
+    lineNumber?: number;
+}
+/**
+ * Extracted annotation from source code
+ */
+export interface StaticAnnotation {
+    toolName: string;
+    readOnlyHint?: boolean;
+    destructiveHint?: boolean;
+    idempotentHint?: boolean;
+    openWorldHint?: boolean;
+}
+/**
+ * Result of static annotation scanning
+ */
+export interface StaticAnnotationScanResult {
+    /** Map of tool name to extracted annotations */
+    annotations: Map<string, StaticAnnotation>;
+    /** Overall confidence of the scan */
+    confidence: "high" | "medium" | "low";
+    /** Evidence collected during scanning */
+    evidence: StaticAnnotationEvidence[];
+    /** Whether source code was scanned */
+    sourceCodeScanned: boolean;
+    /** Count of tools with annotations found */
+    annotatedToolCount: number;
+    /** Files that were scanned */
+    scannedFiles: string[];
+    /** Errors encountered during parsing */
+    parseErrors: Array<{
+        file: string;
+        error: string;
+    }>;
+}
+/**
+ * Scans source code for tool annotations using AST parsing.
+ *
+ * Detection approach:
+ * 1. Parse JS/TS files with acorn (ecmaVersion 2022, module syntax)
+ * 2. Walk AST looking for Property nodes with key 'annotations'
+ * 3. Extract annotation values (readOnlyHint, destructiveHint, etc.)
+ * 4. Find associated tool name from sibling 'name' property in parent object
+ *
+ * @public
+ */
+export declare class StaticAnnotationScanner {
+    /**
+     * File patterns to skip during source code scanning
+     * (same patterns as StdioTransportDetector for consistency)
+     */
+    private readonly SKIP_FILE_PATTERNS;
+    /** Maximum file size for source scanning (500KB) */
+    private readonly MAX_FILE_SIZE;
+    /** File extensions to scan */
+    private readonly SCANNABLE_EXTENSIONS;
+    /**
+     * Scan source files for tool annotations.
+     *
+     * @param sourceCodeFiles - Map of file paths to content
+     * @returns Static annotation scan results
+     */
+    scan(sourceCodeFiles?: Map<string, string>): StaticAnnotationScanResult;
+    /**
+     * Parse a single file for tool annotations.
+     *
+     * @param filePath - File path for error reporting
+     * @param content - File content to parse
+     * @returns Array of extracted annotations with line numbers
+     */
+    private parseFile;
+    /**
+     * Check if a property node is an 'annotations' property.
+     */
+    private isAnnotationsProperty;
+    /**
+     * Extract annotation values from an ObjectExpression node.
+     */
+    private extractAnnotationValues;
+    /**
+     * Get the string name of a property key.
+     */
+    private getPropertyKeyName;
+    /**
+     * Find the tool name from ancestor context.
+     * Looks for a sibling 'name' property in the parent ObjectExpression.
+     */
+    private findToolNameFromContext;
+    /**
+     * Strip common TypeScript syntax for basic parsing.
+     * This is a simple approach - just removes type annotations to allow JS parsing.
+     */
+    private stripTypeScript;
+    /**
+     * Check if file should be skipped during scanning.
+     */
+    private shouldSkipFile;
+    /**
+     * Check if file has a scannable extension.
+     */
+    private isScannableFile;
+    /**
+     * Compute overall confidence from collected evidence.
+     *
+     * Confidence rules:
+     * - High: 2+ annotations found with explicit 'annotations' objects
+     * - Medium: 1 annotation found
+     * - Low: No annotations found
+     */
+    private computeConfidence;
+}
+//# sourceMappingURL=StaticAnnotationScanner.d.ts.map

package/client/lib/services/assessment/helpers/StaticAnnotationScanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"StaticAnnotationScanner.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/helpers/StaticAnnotationScanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,uBAAuB;IACvB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,kDAAkD;IAClD,MAAM,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,gDAAgD;IAChD,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC3C,qCAAqC;IACrC,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,yCAAyC;IACzC,QAAQ,EAAE,wBAAwB,EAAE,CAAC;IACrC,sCAAsC;IACtC,iBAAiB,EAAE,OAAO,CAAC;IAC3B,4CAA4C;IAC5C,kBAAkB,EAAE,MAAM,CAAC;IAC3B,8BAA8B;IAC9B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,wCAAwC;IACxC,WAAW,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACrD;AA2CD;;;;;;;;;;GAUG;AACH,qBAAa,uBAAuB;IAClC;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAejC;IAEF,oDAAoD;IACpD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAW;IAEzC,8BAA8B;IAC9B,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAOnC;IAEF;;;;;OAKG;IACH,IAAI,CAAC,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,0BAA0B;IAmEvE;;;;;;OAMG;IACH,OAAO,CAAC,SAAS;IAuEjB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAY7B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA8C/B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAU1B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IA4B/B;;;OAGG;IACH,OAAO,CAAC,eAAe;IAkBvB;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,eAAe;IAMvB;;;;;;;OAOG;IACH,OAAO,CAAC,iBAAiB;CAsB1B"}

package/client/lib/services/assessment/helpers/StaticAnnotationScanner.js

@@ -0,0 +1,345 @@
+/**
+ * Static Annotation Scanner
+ *
+ * Scans source code files for tool annotations using AST parsing.
+ * Detects annotations nested inside tool definition objects/arrays
+ * in ES module syntax that regex-based scanning would miss.
+ *
+ * Fixes Issue #192: Static annotation scanner misses nested annotations
+ * in ES module syntax like:
+ *   const TOOLS = [{ name: 'x', annotations: { readOnlyHint: true } }];
+ *
+ * @module helpers/StaticAnnotationScanner
+ */
+import * as acorn from "acorn";
+import * as walk from "acorn-walk";
+/**
+ * Scans source code for tool annotations using AST parsing.
+ *
+ * Detection approach:
+ * 1. Parse JS/TS files with acorn (ecmaVersion 2022, module syntax)
+ * 2. Walk AST looking for Property nodes with key 'annotations'
+ * 3. Extract annotation values (readOnlyHint, destructiveHint, etc.)
+ * 4. Find associated tool name from sibling 'name' property in parent object
+ *
+ * @public
+ */
+export class StaticAnnotationScanner {
+    /**
+     * File patterns to skip during source code scanning
+     * (same patterns as StdioTransportDetector for consistency)
+     */
+    SKIP_FILE_PATTERNS = [
+        /node_modules/i,
+        /\.test\.(ts|js|tsx|jsx|py)$/i,
+        /\.spec\.(ts|js|tsx|jsx|py)$/i,
+        /\.d\.ts$/i,
+        /package-lock\.json$/i,
+        /yarn\.lock$/i,
+        /\.map$/i,
+        /\.git\//i,
+        /dist\//i,
+        /build\//i,
+        /__tests__\//i,
+        /__mocks__\//i,
+        /__pycache__\//i,
+        /\.pytest_cache\//i,
+    ];
+    /** Maximum file size for source scanning (500KB) */
+    MAX_FILE_SIZE = 500_000;
+    /** File extensions to scan */
+    SCANNABLE_EXTENSIONS = [
+        ".js",
+        ".ts",
+        ".mjs",
+        ".cjs",
+        ".tsx",
+        ".jsx",
+    ];
+    /**
+     * Scan source files for tool annotations.
+     *
+     * @param sourceCodeFiles - Map of file paths to content
+     * @returns Static annotation scan results
+     */
+    scan(sourceCodeFiles) {
+        const annotations = new Map();
+        const evidence = [];
+        const scannedFiles = [];
+        const parseErrors = [];
+        if (!sourceCodeFiles || sourceCodeFiles.size === 0) {
+            return {
+                annotations,
+                confidence: "low",
+                evidence,
+                sourceCodeScanned: false,
+                annotatedToolCount: 0,
+                scannedFiles,
+                parseErrors,
+            };
+        }
+        sourceCodeFiles.forEach((content, filePath) => {
+            // Skip files that shouldn't be scanned
+            if (this.shouldSkipFile(filePath))
+                return;
+            // Skip oversized files
+            if (content.length > this.MAX_FILE_SIZE)
+                return;
+            // Only scan JS/TS files
+            if (!this.isScannableFile(filePath))
+                return;
+            scannedFiles.push(filePath);
+            try {
+                const fileAnnotations = this.parseFile(filePath, content);
+                for (const ann of fileAnnotations) {
+                    // Store annotation (later occurrences override earlier)
+                    annotations.set(ann.toolName, ann);
+                    // Record evidence
+                    evidence.push({
+                        filePath,
+                        toolName: ann.toolName,
+                        confidence: "high",
+                        detail: `Found annotations object in tool definition`,
+                        lineNumber: ann.lineNumber,
+                    });
+                }
+            }
+            catch (error) {
+                parseErrors.push({
+                    file: filePath,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        });
+        const confidence = this.computeConfidence(evidence);
+        return {
+            annotations,
+            confidence,
+            evidence,
+            sourceCodeScanned: scannedFiles.length > 0,
+            annotatedToolCount: annotations.size,
+            scannedFiles,
+            parseErrors,
+        };
+    }
+    /**
+     * Parse a single file for tool annotations.
+     *
+     * @param filePath - File path for error reporting
+     * @param content - File content to parse
+     * @returns Array of extracted annotations with line numbers
+     */
+    parseFile(filePath, content) {
+        const results = [];
+        // Try to parse as ES module first, fall back to script
+        let ast;
+        try {
+            ast = acorn.parse(content, {
+                ecmaVersion: 2022,
+                sourceType: "module",
+                locations: true,
+            });
+        }
+        catch {
+            // Try as script (CommonJS)
+            try {
+                ast = acorn.parse(content, {
+                    ecmaVersion: 2022,
+                    sourceType: "script",
+                    locations: true,
+                });
+            }
+            catch (scriptError) {
+                // For TypeScript files, try stripping type annotations
+                // (basic approach - strip common TS patterns)
+                const strippedContent = this.stripTypeScript(content);
+                try {
+                    ast = acorn.parse(strippedContent, {
+                        ecmaVersion: 2022,
+                        sourceType: "module",
+                        locations: true,
+                    });
+                }
+                catch {
+                    throw new Error(`Failed to parse ${filePath}: ${scriptError instanceof Error ? scriptError.message : String(scriptError)}`);
+                }
+            }
+        }
+        // Walk the AST with ancestor tracking
+        walk.ancestor(ast, {
+            Property: (node, ancestors) => {
+                const prop = node;
+                // Check if this is an 'annotations' property
+                if (!this.isAnnotationsProperty(prop))
+                    return;
+                // Value must be an object expression
+                if (prop.value.type !== "ObjectExpression")
+                    return;
+                const annotationValues = this.extractAnnotationValues(prop.value);
+                if (!annotationValues)
+                    return;
+                // Find the tool name from parent context
+                const toolName = this.findToolNameFromContext(ancestors);
+                if (!toolName)
+                    return;
+                results.push({
+                    toolName,
+                    ...annotationValues,
+                    lineNumber: prop.loc?.start.line,
+                });
+            },
+        });
+        return results;
+    }
+    /**
+     * Check if a property node is an 'annotations' property.
+     */
+    isAnnotationsProperty(prop) {
+        // Handle Identifier key: annotations: {...}
+        if (prop.key.type === "Identifier") {
+            return prop.key.name === "annotations";
+        }
+        // Handle Literal key: 'annotations': {...} or "annotations": {...}
+        if (prop.key.type === "Literal") {
+            return prop.key.value === "annotations";
+        }
+        return false;
+    }
+    /**
+     * Extract annotation values from an ObjectExpression node.
+     */
+    extractAnnotationValues(obj) {
+        const result = {};
+        let hasAnyAnnotation = false;
+        for (const prop of obj.properties) {
+            if (prop.type !== "Property")
+                continue;
+            const propNode = prop;
+            const keyName = this.getPropertyKeyName(propNode);
+            if (!keyName)
+                continue;
+            // Only extract boolean values
+            if (propNode.value.type !== "Literal")
+                continue;
+            const literalValue = propNode.value.value;
+            if (typeof literalValue !== "boolean")
+                continue;
+            // Map property names (handle both *Hint and non-suffixed)
+            switch (keyName) {
+                case "readOnlyHint":
+                case "readOnly":
+                    result.readOnlyHint = literalValue;
+                    hasAnyAnnotation = true;
+                    break;
+                case "destructiveHint":
+                case "destructive":
+                    result.destructiveHint = literalValue;
+                    hasAnyAnnotation = true;
+                    break;
+                case "idempotentHint":
+                case "idempotent":
+                    result.idempotentHint = literalValue;
+                    hasAnyAnnotation = true;
+                    break;
+                case "openWorldHint":
+                case "openWorld":
+                    result.openWorldHint = literalValue;
+                    hasAnyAnnotation = true;
+                    break;
+            }
+        }
+        return hasAnyAnnotation ? result : null;
+    }
+    /**
+     * Get the string name of a property key.
+     */
+    getPropertyKeyName(prop) {
+        if (prop.key.type === "Identifier") {
+            return prop.key.name;
+        }
+        if (prop.key.type === "Literal" && typeof prop.key.value === "string") {
+            return prop.key.value;
+        }
+        return null;
+    }
+    /**
+     * Find the tool name from ancestor context.
+     * Looks for a sibling 'name' property in the parent ObjectExpression.
+     */
+    findToolNameFromContext(ancestors) {
+        // Walk up ancestors looking for ObjectExpression (the tool definition)
+        for (let i = ancestors.length - 1; i >= 0; i--) {
+            const ancestor = ancestors[i];
+            if (ancestor.type === "ObjectExpression") {
+                const objNode = ancestor;
+                // Look for sibling 'name' property
+                for (const prop of objNode.properties) {
+                    if (prop.type !== "Property")
+                        continue;
+                    const propNode = prop;
+                    const keyName = this.getPropertyKeyName(propNode);
+                    if (keyName === "name" && propNode.value.type === "Literal") {
+                        const nameValue = propNode.value.value;
+                        if (typeof nameValue === "string") {
+                            return nameValue;
+                        }
+                    }
+                }
+            }
+        }
+        return null;
+    }
+    /**
+     * Strip common TypeScript syntax for basic parsing.
+     * This is a simple approach - just removes type annotations to allow JS parsing.
+     */
+    stripTypeScript(content) {
+        return (content
+            // Remove type imports: import type { X } from 'y'
+            .replace(/import\s+type\s+\{[^}]*\}\s+from\s+['"][^'"]+['"];?/g, "")
+            // Remove type annotations: : Type
+            .replace(/:\s*[A-Z][a-zA-Z0-9<>[\],\s|&]*(?=[\s,;)=\]}])/g, "")
+            // Remove interface declarations
+            .replace(/interface\s+\w+\s*(\{[^}]*\}|\{[\s\S]*?\n\})/g, "")
+            // Remove type declarations
+            .replace(/type\s+\w+\s*=\s*[^;]+;/g, "")
+            // Remove as Type assertions
+            .replace(/\s+as\s+[A-Z][a-zA-Z0-9<>[\],\s|&]*/g, "")
+            // Remove generic parameters on function calls
+            .replace(/<[A-Z][a-zA-Z0-9<>[\],\s|&]*>(?=\()/g, ""));
+    }
+    /**
+     * Check if file should be skipped during scanning.
+     */
+    shouldSkipFile(filePath) {
+        return this.SKIP_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
+    }
+    /**
+     * Check if file has a scannable extension.
+     */
+    isScannableFile(filePath) {
+        return this.SCANNABLE_EXTENSIONS.some((ext) => filePath.toLowerCase().endsWith(ext));
+    }
+    /**
+     * Compute overall confidence from collected evidence.
+     *
+     * Confidence rules:
+     * - High: 2+ annotations found with explicit 'annotations' objects
+     * - Medium: 1 annotation found
+     * - Low: No annotations found
+     */
+    computeConfidence(evidence) {
+        if (evidence.length === 0) {
+            return "low";
+        }
+        // Count high-confidence evidence
+        const highConfCount = evidence.filter((e) => e.confidence === "high").length;
+        if (highConfCount >= 2) {
+            return "high";
+        }
+        if (highConfCount >= 1) {
+            return "medium";
+        }
+        return "low";
+    }
+}

package/client/lib/services/assessment/modules/ToolAnnotationAssessor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ToolAnnotationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ToolAnnotationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,wBAAwB,EACxB,uBAAuB,EACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,wBAAwB,EAG9B,MAAM,8BAA8B,CAAC;AAGtC,OAAO,EAiBL,KAAK,4BAA4B,EAClC,MAAM,eAAe,CAAC;AAKvB;;;GAGG;AACH,OAAO,EAAE,4BAA4B,EAAE,CAAC;AAExC;;GAEG;AACH,MAAM,WAAW,gCAAiC,SAAQ,wBAAwB;IAChF,WAAW,EAAE,4BAA4B,EAAE,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,2BAA2B,EAAE,4BAA4B,EAAE,CAAC;CAC7D;AAED,qBAAa,sBAAuB,SAAQ,YAAY;IACtD,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,kBAAkB,CAAC,CAA2B;gBAE1C,MAAM,EAAE,uBAAuB;IAK3C;;OAEG;IACH,qBAAqB,IAAI,wBAAwB,GAAG,SAAS;IAI7D;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAK7C;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAK/C;;OAEG;IACH,eAAe,IAAI,OAAO;IAO1B;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,wBAAwB,GAAG,gCAAgC,CAAC;CA8SxE"}
+{"version":3,"file":"ToolAnnotationAssessor.d.ts","sourceRoot":"","sources":["../../../../src/services/assessment/modules/ToolAnnotationAssessor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,wBAAwB,EACxB,uBAAuB,EACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,wBAAwB,EAG9B,MAAM,8BAA8B,CAAC;AAGtC,OAAO,EAiBL,KAAK,4BAA4B,EAClC,MAAM,eAAe,CAAC;AAQvB;;;GAGG;AACH,OAAO,EAAE,4BAA4B,EAAE,CAAC;AAExC;;GAEG;AACH,MAAM,WAAW,gCAAiC,SAAQ,wBAAwB;IAChF,WAAW,EAAE,4BAA4B,EAAE,CAAC;IAC5C,cAAc,EAAE,OAAO,CAAC;IACxB,2BAA2B,EAAE,4BAA4B,EAAE,CAAC;CAC7D;AAED,qBAAa,sBAAuB,SAAQ,YAAY;IACtD,OAAO,CAAC,YAAY,CAAC,CAAmB;IACxC,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,kBAAkB,CAAC,CAA2B;gBAE1C,MAAM,EAAE,uBAAuB;IAK3C;;OAEG;IACH,qBAAqB,IAAI,wBAAwB,GAAG,SAAS;IAI7D;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAK7C;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAK/C;;OAEG;IACH,eAAe,IAAI,OAAO;IAO1B;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,wBAAwB,GAAG,gCAAgC,CAAC;CA8TxE"}

package/client/lib/services/assessment/modules/ToolAnnotationAssessor.js

@@ -36,6 +36,8 @@ emitAnnotationEvents,
 enhanceWithClaudeInference, createPatternBasedInference, } from "./annotations/index.js";
 // Issue #207: Runtime annotation verification
 import { verifyRuntimeAnnotations } from "../helpers/RuntimeAnnotationVerifier.js";
+// Issue #192: Static source code annotation scanning
+import { StaticAnnotationScanner } from "../helpers/StaticAnnotationScanner.js";
 export class ToolAnnotationAssessor extends BaseAssessor {
     claudeBridge;
     compiledPatterns;
@@ -108,6 +110,15 @@ export class ToolAnnotationAssessor extends BaseAssessor {
                 this.logger.debug(`Tool ${detail.toolName}: annotations found at ${detail.location} (${detail.foundHints.join(", ")})`);
             }
         }
+        // Issue #192: Scan source code for static annotations
+        const staticScanner = new StaticAnnotationScanner();
+        const staticScanResult = staticScanner.scan(context.sourceCodeFiles);
+        if (staticScanResult.sourceCodeScanned) {
+            this.logger.info(`Static annotation scan: ${staticScanResult.annotatedToolCount}/${context.tools.length} tools have annotations in source code (${staticScanResult.scannedFiles.length} files scanned)`);
+            if (staticScanResult.parseErrors.length > 0) {
+                this.logger.debug(`Static scan parse errors: ${staticScanResult.parseErrors.length} files failed to parse`);
+            }
+        }
         // Issue #57: Detect server architecture
         const architectureContext = {
             tools: context.tools.map((t) => ({
@@ -138,7 +149,8 @@ export class ToolAnnotationAssessor extends BaseAssessor {
         for (const tool of context.tools) {
             this.testCount++;
             // Use extracted assessSingleTool function
-            const result = assessSingleTool(tool, this.compiledPatterns, this.persistenceContext);
+            // Issue #192: Pass static annotations for fallback when MCP annotations missing
+            const result = assessSingleTool(tool, this.compiledPatterns, this.persistenceContext, staticScanResult.annotations);
             // Enhance with Claude inference if available
             if (useClaudeInference) {
                 const enhancedResult = await enhanceWithClaudeInference(tool, result, this.claudeBridge, this.logger);

package/client/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts

@@ -8,6 +8,7 @@ import type { Tool } from "@modelcontextprotocol/sdk/types.js";
 import type { ToolAnnotationResult, AssessmentStatus, ToolParamProgress, AnnotationSource } from "../../../../lib/assessmentTypes.js";
 import type { CompiledPatterns, ServerPersistenceContext } from "../../config/annotationPatterns.js";
 import { type PoisoningScanResult } from "./DescriptionPoisoningDetector.js";
+import type { StaticAnnotation } from "../../helpers/StaticAnnotationScanner.js";
 /**
  * Extracted annotation structure from a tool
  */
@@ -66,8 +67,13 @@ export declare function extractToolParams(schema: unknown): ToolParamProgress[];
 export declare function scanInputSchemaDescriptions(tool: Tool): PoisoningScanResult;
 /**
  * Assess a single tool's annotations
+ *
+ * @param tool - The tool to assess
+ * @param compiledPatterns - Compiled name patterns for behavior inference
+ * @param persistenceContext - Server persistence context
+ * @param staticAnnotations - Optional map of static annotations from source code (Issue #192)
  */
-export declare function assessSingleTool(tool: Tool, compiledPatterns: CompiledPatterns, persistenceContext?: ServerPersistenceContext): ToolAnnotationResult;
+export declare function assessSingleTool(tool: Tool, compiledPatterns: CompiledPatterns, persistenceContext?: ServerPersistenceContext, staticAnnotations?: Map<string, StaticAnnotation>): ToolAnnotationResult;
 /**
  * Determine overall status based on tool results
  */

package/client/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AlignmentChecker.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AlignmentChecker.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC/D,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EAEhB,iBAAiB,EACjB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EACV,gBAAgB,EAChB,wBAAwB,EACzB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EAEL,KAAK,mBAAmB,EACzB,MAAM,gCAAgC,CAAC;AAuFxC;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,gBAAgB,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE;QACP,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;QACpB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,kBAAkB,EAAE;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AA0CD;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAE7D;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAElD;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,IAAI,GAAG,oBAAoB,CAkNnE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,IAAI,GACT,oBAAoB,CAAC,kBAAkB,CAAC,CA6D1C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,OAAO,GAAG,iBAAiB,EAAE,CAqBtE;AAED;;;;;;GAMG;AACH,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,IAAI,GAAG,mBAAmB,CAmD3E;AAqCD;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,IAAI,EACV,gBAAgB,EAAE,gBAAgB,EAClC,kBAAkB,CAAC,EAAE,wBAAwB,GAC5C,oBAAoB,CA0JtB;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,oBAAoB,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,gBAAgB,CAoClB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,oBAAoB,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,sBAAsB,CA2BxB"}
+{"version":3,"file":"AlignmentChecker.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/annotations/AlignmentChecker.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC/D,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EAEhB,iBAAiB,EACjB,gBAAgB,EACjB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EACV,gBAAgB,EAChB,wBAAwB,EACzB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EAEL,KAAK,mBAAmB,EACzB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AAuF9E;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,MAAM,EAAE,gBAAgB,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE;QACP,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;QACpB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,kBAAkB,EAAE;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AA0CD;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAE7D;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAElD;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,IAAI,GAAG,oBAAoB,CAkNnE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,IAAI,GACT,oBAAoB,CAAC,kBAAkB,CAAC,CA6D1C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,OAAO,GAAG,iBAAiB,EAAE,CAqBtE;AAED;;;;;;GAMG;AACH,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,IAAI,GAAG,mBAAmB,CAmD3E;AAqCD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,IAAI,EACV,gBAAgB,EAAE,gBAAgB,EAClC,kBAAkB,CAAC,EAAE,wBAAwB,EAC7C,iBAAiB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,GAChD,oBAAoB,CAgLtB;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,oBAAoB,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,gBAAgB,CAoClB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,oBAAoB,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,sBAAsB,CA2BxB"}

package/client/lib/services/assessment/modules/annotations/AlignmentChecker.js

@@ -324,13 +324,37 @@ function mergePoisoningScanResults(primary, secondary) {
 }
 /**
  * Assess a single tool's annotations
+ *
+ * @param tool - The tool to assess
+ * @param compiledPatterns - Compiled name patterns for behavior inference
+ * @param persistenceContext - Server persistence context
+ * @param staticAnnotations - Optional map of static annotations from source code (Issue #192)
  */
-export function assessSingleTool(tool, compiledPatterns, persistenceContext) {
+export function assessSingleTool(tool, compiledPatterns, persistenceContext, staticAnnotations) {
     const issues = [];
     const recommendations = [];
-    const annotations = extractAnnotations(tool);
-    const hasAnnotations = annotations.readOnlyHint !== undefined ||
+    // First try runtime annotation extraction
+    let annotations = extractAnnotations(tool);
+    let hasAnnotations = annotations.readOnlyHint !== undefined ||
         annotations.destructiveHint !== undefined;
+    // Issue #192: Fall back to static source code annotations if no runtime annotations
+    if (!hasAnnotations && staticAnnotations?.has(tool.name)) {
+        const staticAnn = staticAnnotations.get(tool.name);
+        const hasStaticAnnotations = staticAnn.readOnlyHint !== undefined ||
+            staticAnn.destructiveHint !== undefined;
+        if (hasStaticAnnotations) {
+            annotations = {
+                readOnlyHint: staticAnn.readOnlyHint,
+                destructiveHint: staticAnn.destructiveHint,
+                idempotentHint: staticAnn.idempotentHint,
+                openWorldHint: staticAnn.openWorldHint,
+                title: annotations.title,
+                description: annotations.description,
+                source: "source-code",
+            };
+            hasAnnotations = true;
+        }
+    }
     const inferredBehavior = inferBehavior(tool.name, tool.description, compiledPatterns, persistenceContext);
     let alignmentStatus = "ALIGNED";
     if (!hasAnnotations) {

package/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.43.0",
+  "version": "1.43.1",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment",
-  "version": "1.43.0",
+  "version": "1.43.1",
   "description": "Enhanced MCP Inspector with comprehensive assessment capabilities for server validation",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",
@@ -132,6 +132,8 @@
   "dependencies": {
     "@modelcontextprotocol/conformance": "^0.1.9",
     "@modelcontextprotocol/sdk": "^1.25.2",
+    "acorn": "^8.14.0",
+    "acorn-walk": "^8.3.4",
     "commander": "^14.0.2",
     "node-fetch": "^3.3.2",
     "open": "^10.2.0",

package/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-server",
-  "version": "1.43.0",
+  "version": "1.43.1",
   "description": "Server-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",