@bryan-thompson/inspector-assessment 1.43.2 → 1.43.4

package/cli/build/assess-security.js

@@ -11,73 +11,58 @@
  */
 import * as fs from "fs";
 import * as path from "path";
-import { execSync } from "child_process";
+import * as os from "os";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
-// Import shared server config loading (Issue #84 - Zod validation)
-import { loadServerConfig } from "./lib/assessment-runner/server-config.js";
-/**
- * Validate that a command is safe to execute
- * - Must be an absolute path or resolvable via PATH
- * - Must not contain shell metacharacters
- */
-function validateCommand(command) {
-    // Check for shell metacharacters that could indicate injection
-    const dangerousChars = /[;&|`$(){}[\]<>!\\]/;
-    if (dangerousChars.test(command)) {
-        throw new Error(`Invalid command: contains shell metacharacters: ${command}`);
-    }
-    // Verify the command exists and is executable
-    try {
-        // Use 'which' on Unix-like systems, 'where' on Windows
-        const whichCmd = process.platform === "win32" ? "where" : "which";
-        execSync(`${whichCmd} "${command}"`, { stdio: "pipe" });
-    }
-    catch {
-        // Check if it's an absolute path that exists
-        if (path.isAbsolute(command) && fs.existsSync(command)) {
-            try {
-                fs.accessSync(command, fs.constants.X_OK);
-                return; // Command exists and is executable
-            }
-            catch {
-                throw new Error(`Command not executable: ${command}`);
-            }
-        }
-        throw new Error(`Command not found: ${command}`);
-    }
-}
+// Import from local client lib (will use package exports when published)
+import { SecurityAssessor } from "../../client/lib/services/assessment/modules/SecurityAssessor.js";
+import { DEFAULT_ASSESSMENT_CONFIG, } from "../../client/lib/lib/assessmentTypes.js";
 /**
- * Validate environment variables from config
- * - Keys must be valid env var names (alphanumeric + underscore)
- * - Values should not contain null bytes
+ * Load server configuration from Claude Code's MCP settings
  */
-function validateEnvVars(env) {
-    if (!env)
-        return {};
-    const validatedEnv = {};
-    const validKeyPattern = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
-    for (const [key, value] of Object.entries(env)) {
-        // Validate key format
-        if (!validKeyPattern.test(key)) {
-            console.warn(`Skipping invalid environment variable name: ${key} (must match [a-zA-Z_][a-zA-Z0-9_]*)`);
+function loadServerConfig(serverName, configPath) {
+    const possiblePaths = [
+        configPath,
+        path.join(os.homedir(), ".config", "mcp", "servers", `${serverName}.json`),
+        path.join(os.homedir(), ".config", "claude", "claude_desktop_config.json"),
+    ].filter(Boolean);
+    for (const tryPath of possiblePaths) {
+        if (!fs.existsSync(tryPath))
             continue;
+        const config = JSON.parse(fs.readFileSync(tryPath, "utf-8"));
+        if (config.mcpServers && config.mcpServers[serverName]) {
+            const serverConfig = config.mcpServers[serverName];
+            return {
+                transport: "stdio",
+                command: serverConfig.command,
+                args: serverConfig.args || [],
+                env: serverConfig.env || {},
+            };
         }
-        // Check for null bytes in value (could truncate strings)
-        if (typeof value === "string" && value.includes("\0")) {
-            console.warn(`Skipping environment variable with null byte: ${key}`);
-            continue;
+        if (config.url ||
+            config.transport === "http" ||
+            config.transport === "sse") {
+            if (!config.url) {
+                throw new Error(`Invalid server config: transport is '${config.transport}' but 'url' is missing`);
+            }
+            return {
+                transport: config.transport || "http",
+                url: config.url,
+            };
+        }
+        if (config.command) {
+            return {
+                transport: "stdio",
+                command: config.command,
+                args: config.args || [],
+                env: config.env || {},
+            };
         }
-        validatedEnv[key] = String(value);
     }
-    return validatedEnv;
+    throw new Error(`Server config not found for: ${serverName}\nTried: ${possiblePaths.join(", ")}`);
 }
-// Import from local client lib (will use package exports when published)
-import { SecurityAssessor } from "../../client/lib/services/assessment/modules/SecurityAssessor.js";
-import { DEFAULT_ASSESSMENT_CONFIG, } from "../../client/lib/lib/assessmentTypes.js";
-import { loadPerformanceConfig } from "../../client/lib/services/assessment/config/performanceConfig.js";
 /**
  * Connect to MCP server via configured transport
  */
@@ -98,16 +83,12 @@ async function connectToServer(config) {
         default:
             if (!config.command)
                 throw new Error("Command required for stdio transport");
-            // Validate command before execution to prevent injection attacks
-            validateCommand(config.command);
-            // Validate and sanitize environment variables from config
-            const validatedEnv = validateEnvVars(config.env);
             transport = new StdioClientTransport({
                 command: config.command,
                 args: config.args,
                 env: {
                     ...Object.fromEntries(Object.entries(process.env).filter(([, v]) => v !== undefined)),
-                    ...validatedEnv,
+                    ...config.env,
                 },
                 stderr: "pipe",
             });
@@ -172,22 +153,6 @@ function createCallToolWrapper(client) {
 async function runSecurityAssessment(options) {
     console.log(`\n🔍 Connecting to MCP server: ${options.serverName}`);
     const serverConfig = loadServerConfig(options.serverName, options.serverConfigPath);
-    // Load custom performance config if provided (Issue #37)
-    // Note: Currently, modules use DEFAULT_PERFORMANCE_CONFIG directly.
-    // This validates the config file but doesn't override runtime values yet.
-    if (options.performanceConfigPath) {
-        try {
-            const performanceConfig = loadPerformanceConfig(options.performanceConfigPath);
-            console.log(`📊 Performance config loaded from: ${options.performanceConfigPath}`);
-            console.log(`   Batch interval: ${performanceConfig.batchFlushIntervalMs}ms, ` +
-                `Security batch: ${performanceConfig.securityBatchSize}`);
-            // TODO: Wire performanceConfig through to SecurityAssessor
-        }
-        catch (error) {
-            console.error(`❌ Failed to load performance config: ${error instanceof Error ? error.message : String(error)}`);
-            throw error;
-        }
-    }
     const client = await connectToServer(serverConfig);
     console.log("✅ Connected successfully");
     const tools = await getTools(client, options.toolName);
@@ -197,7 +162,7 @@ async function runSecurityAssessment(options) {
     }
     const config = {
         ...DEFAULT_ASSESSMENT_CONFIG,
-        securityPatternsToTest: 30,
+        securityPatternsToTest: 13,
         reviewerMode: false,
         testTimeout: 30000,
     };
@@ -206,8 +171,9 @@ async function runSecurityAssessment(options) {
         tools,
         callTool: createCallToolWrapper(client),
         config,
+        transportType: serverConfig.transport || "stdio",
     };
-    console.log(`🛡️  Running security assessment with 30 attack patterns...`);
+    console.log(`🛡️  Running security assessment with 13 attack patterns...`);
     const assessor = new SecurityAssessor(config);
     const results = await assessor.assess(context);
     await client.close();
@@ -287,9 +253,6 @@ function parseArgs() {
             case "-v":
                 options.verbose = true;
                 break;
-            case "--performance-config":
-                options.performanceConfigPath = args[++i];
-                break;
             case "--help":
             case "-h":
                 printHelp();
@@ -326,23 +289,24 @@ function printHelp() {
     console.log(`
 Usage: mcp-assess-security [options] [server-name]
 
-Run security assessment against an MCP server with 30 attack patterns.
+Run security assessment against an MCP server with 13 attack patterns.
 
 Options:
   --server, -s <name>    Server name (required, or pass as first positional arg)
   --config, -c <path>    Path to server config JSON
   --output, -o <path>    Output JSON path (default: /tmp/inspector-security-assessment-<server>.json)
   --tool, -t <name>      Test only specific tool (default: test all tools)
-  --performance-config <path>  Path to performance tuning JSON (batch sizes, timeouts, etc.)
   --verbose, -v          Enable verbose logging
   --help, -h             Show this help message
 
-Attack Patterns Tested (30 total):
-  • Command Injection, SQL Injection, Path Traversal
-  • Calculator Injection, Code Execution, XXE
-  • Data Exfiltration, Token Theft, NoSQL Injection
-  • Unicode Bypass, Nested Injection, Package Squatting
-  • Session Management, Auth Bypass, and more...
+Attack Patterns Tested (13 total):
+  • Command Injection        • SQL Injection
+  • Calculator Injection     • Path Traversal
+  • Type Safety              • Boundary Testing
+  • Required Fields          • MCP Error Format
+  • Timeout Handling         • Indirect Prompt Injection
+  • Unicode Bypass           • Nested Injection
+  • Package Squatting
 
 Examples:
   mcp-assess-security my-server

package/cli/build/lib/cli-parser.js

@@ -316,6 +316,11 @@ export function parseArgs(argv) {
                 // Issue #137: Stage B enrichment for Claude semantic analysis
                 options.stageBVerbose = true;
                 break;
+            case "--audit-mode":
+                // Reduced false positives for automated MCP auditing
+                options.auditMode = true;
+                options.profile = "audit";
+                break;
             case "--static-only":
                 // Issue #213: Static-only assessment without server connection
                 options.staticOnly = true;
@@ -417,6 +422,13 @@ export function parseArgs(argv) {
         options.helpRequested = true;
         return options;
     }
+    // Validate mutual exclusivity of --audit-mode with --profile (audit-mode sets profile internally)
+    if (options.auditMode && options.profile && options.profile !== "audit") {
+        console.error("Error: --audit-mode cannot be used with --profile (audit mode sets its own profile)");
+        setTimeout(() => process.exit(1), 10);
+        options.helpRequested = true;
+        return options;
+    }
     // Validate mutual exclusivity of --module with orchestrator options (Issue #184)
     if (options.singleModule &&
         (options.skipModules?.length ||
@@ -547,7 +559,8 @@ Options:
   --claude-http          Enable Claude Code via HTTP transport (connects to mcp-auditor proxy)
   --mcp-auditor-url <url>  mcp-auditor URL for HTTP transport (default: http://localhost:8085)
   --full                 Enable all assessment modules (default)
-  --profile <name>       Use predefined module profile (quick, security, compliance, full, dev)
+  --audit-mode           Reduced false positives for automated MCP auditing (sets --profile audit)
+  --profile <name>       Use predefined module profile (quick, security, compliance, full, dev, audit)
   --temporal-invocations <n>  Number of invocations per tool for rug pull detection (default: 3)
   --skip-temporal        Skip temporal/rug pull testing (faster assessment)
   --conformance          Enable official MCP conformance tests (experimental, requires HTTP/SSE transport)

package/cli/build/lib/cli-parserSchemas.js

@@ -24,6 +24,7 @@ export const AssessmentProfileNameSchema = z.enum([
     "full",
     "dev",
     "all",
+    "audit",
 ]);
 /**
  * Valid assessment module names.

package/cli/build/lib/result-output.js

@@ -303,6 +303,27 @@ export function displaySummary(results) {
             console.log(`   • ${rec}`);
         }
     }
+    // Audit mode summary
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const auditAnalysis = security?.auditAnalysis;
+    if (auditAnalysis) {
+        console.log("\n🔍 AUDIT ANALYSIS (reduced false positives):");
+        if (auditAnalysis.highConfidenceVulnerabilities?.length > 0) {
+            console.log(`   🚨 High-confidence vulnerabilities: ${auditAnalysis.highConfidenceVulnerabilities.length}`);
+            for (const vuln of auditAnalysis.highConfidenceVulnerabilities.slice(0, 5)) {
+                console.log(`      • ${vuln}`);
+            }
+        }
+        else {
+            console.log("   ✅ No high-confidence vulnerabilities detected");
+        }
+        if (auditAnalysis.needsReview?.length > 0) {
+            console.log(`   ⚠️  Needs manual review: ${auditAnalysis.needsReview.length}`);
+            for (const item of auditAnalysis.needsReview.slice(0, 3)) {
+                console.log(`      • ${item}`);
+            }
+        }
+    }
     console.log("\n" + "=".repeat(70));
 }
 // ============================================================================

package/cli/build/profiles.js

@@ -160,6 +160,20 @@ export const ASSESSMENT_PROFILES = {
      * Includes: Tier 1-4 + opt-in (prohibitedLibraries, manifestValidation, etc.)
      */
     all: [...ALL_MODULES],
+    /**
+     * Audit profile: Optimized for automated MCP auditing with reduced false positives
+     * Use when: --audit-mode flag, CI/CD pipeline audits
+     * Time: ~8-12 minutes
+     * Includes: Core security + compliance + capability + tool annotations
+     */
+    audit: [
+        "functionality",
+        "security",
+        "errorHandling",
+        "protocolCompliance",
+        "aupCompliance",
+        "toolAnnotations",
+    ],
 };
 export const PROFILE_METADATA = {
     quick: {
@@ -214,6 +228,12 @@ export const PROFILE_METADATA = {
             "Opt-In",
         ],
     },
+    audit: {
+        description: "Automated MCP auditing with reduced false positives (--audit-mode)",
+        estimatedTime: "~8-12 minutes",
+        moduleCount: ASSESSMENT_PROFILES.audit.length,
+        tiers: ["Tier 1 (Core Security)", "Tier 2 (Compliance, partial)"],
+    },
 };
 /**
  * Resolve module names, applying aliases for deprecated names.

package/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-cli",
-  "version": "1.43.2",
+  "version": "1.43.4",
   "description": "CLI for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/client/dist/assets/{OAuthCallback-BS8-A1sU.js → OAuthCallback-Chi58kRc.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-DEhlIjy-.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-KW2LwGdp.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-025_TM2i.js → OAuthDebugCallback-BluD_Wxg.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-DEhlIjy-.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-KW2LwGdp.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-DEhlIjy-.js → index-KW2LwGdp.js}

@@ -16373,7 +16373,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.43.2";
+const version$1 = "1.43.4";
 const packageJson = {
   name,
   version: version$1
@@ -49456,7 +49456,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.43.2";
+const version = "1.43.4";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -52799,13 +52799,13 @@ const App = () => {
   };
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-BS8-A1sU.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-Chi58kRc.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-025_TM2i.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-BluD_Wxg.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-DEhlIjy-.js"></script>
+    <script type="module" crossorigin src="/assets/index-KW2LwGdp.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-BoUA5OL1.css">
   </head>
   <body>