npm - @bryan-thompson/inspector-assessment - Versions diffs - 1.5.0 → 1.7.0 - Mend

@bryan-thompson/inspector-assessment 1.5.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/cli/build/assess-security.js ADDED Viewed

@@ -0,0 +1,342 @@
+#!/usr/bin/env node
+/**
+ * Standalone Security Assessment Runner CLI
+ *
+ * Runs security assessment against an MCP server without the web UI.
+ * Focuses on prompt injection and vulnerability testing.
+ *
+ * Usage:
+ *   mcp-assess-security --server <server-name>
+ *   mcp-assess-security --server broken-mcp --tool vulnerable_tool
+ */
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+// Import from local client lib (will use package exports when published)
+import { SecurityAssessor } from "../../client/lib/services/assessment/modules/SecurityAssessor.js";
+import { DEFAULT_ASSESSMENT_CONFIG, } from "../../client/lib/lib/assessmentTypes.js";
+/**
+ * Load server configuration from Claude Code's MCP settings
+ */
+function loadServerConfig(serverName, configPath) {
+    const possiblePaths = [
+        configPath,
+        path.join(os.homedir(), ".config", "mcp", "servers", `${serverName}.json`),
+        path.join(os.homedir(), ".config", "claude", "claude_desktop_config.json"),
+    ].filter(Boolean);
+    for (const tryPath of possiblePaths) {
+        if (!fs.existsSync(tryPath))
+            continue;
+        const config = JSON.parse(fs.readFileSync(tryPath, "utf-8"));
+        if (config.mcpServers && config.mcpServers[serverName]) {
+            const serverConfig = config.mcpServers[serverName];
+            return {
+                transport: "stdio",
+                command: serverConfig.command,
+                args: serverConfig.args || [],
+                env: serverConfig.env || {},
+            };
+        }
+        if (config.url ||
+            config.transport === "http" ||
+            config.transport === "sse") {
+            if (!config.url) {
+                throw new Error(`Invalid server config: transport is '${config.transport}' but 'url' is missing`);
+            }
+            return {
+                transport: config.transport || "http",
+                url: config.url,
+            };
+        }
+        if (config.command) {
+            return {
+                transport: "stdio",
+                command: config.command,
+                args: config.args || [],
+                env: config.env || {},
+            };
+        }
+    }
+    throw new Error(`Server config not found for: ${serverName}\nTried: ${possiblePaths.join(", ")}`);
+}
+/**
+ * Connect to MCP server via configured transport
+ */
+async function connectToServer(config) {
+    let transport;
+    switch (config.transport) {
+        case "http":
+            if (!config.url)
+                throw new Error("URL required for HTTP transport");
+            transport = new StreamableHTTPClientTransport(new URL(config.url));
+            break;
+        case "sse":
+            if (!config.url)
+                throw new Error("URL required for SSE transport");
+            transport = new SSEClientTransport(new URL(config.url));
+            break;
+        case "stdio":
+        default:
+            if (!config.command)
+                throw new Error("Command required for stdio transport");
+            transport = new StdioClientTransport({
+                command: config.command,
+                args: config.args,
+                env: {
+                    ...Object.fromEntries(Object.entries(process.env).filter(([, v]) => v !== undefined)),
+                    ...config.env,
+                },
+                stderr: "pipe",
+            });
+            break;
+    }
+    const client = new Client({
+        name: "mcp-assess-security",
+        version: "1.0.0",
+    }, {
+        capabilities: {},
+    });
+    await client.connect(transport);
+    return client;
+}
+/**
+ * Get list of tools from MCP server
+ */
+async function getTools(client, toolNameFilter) {
+    const response = await client.listTools();
+    let tools = response.tools || [];
+    if (toolNameFilter) {
+        tools = tools.filter((t) => t.name === toolNameFilter);
+        if (tools.length === 0) {
+            throw new Error(`Tool not found: ${toolNameFilter}`);
+        }
+    }
+    return tools;
+}
+/**
+ * Create callTool wrapper for assessment context
+ */
+function createCallToolWrapper(client) {
+    return async (name, params) => {
+        try {
+            const response = await client.callTool({
+                name,
+                arguments: params,
+            });
+            return {
+                content: response.content,
+                isError: response.isError || false,
+                structuredContent: response
+                    .structuredContent,
+            };
+        }
+        catch (error) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: `Error: ${error instanceof Error ? error.message : String(error)}`,
+                    },
+                ],
+                isError: true,
+            };
+        }
+    };
+}
+/**
+ * Run security assessment
+ */
+async function runSecurityAssessment(options) {
+    console.log(`\n🔍 Connecting to MCP server: ${options.serverName}`);
+    const serverConfig = loadServerConfig(options.serverName, options.serverConfigPath);
+    const client = await connectToServer(serverConfig);
+    console.log("✅ Connected successfully");
+    const tools = await getTools(client, options.toolName);
+    console.log(`🔧 Found ${tools.length} tool${tools.length !== 1 ? "s" : ""}`);
+    if (options.toolName) {
+        console.log(`   Testing only: ${options.toolName}`);
+    }
+    const config = {
+        ...DEFAULT_ASSESSMENT_CONFIG,
+        securityPatternsToTest: 17,
+        reviewerMode: false,
+        testTimeout: 30000,
+    };
+    const context = {
+        serverName: options.serverName,
+        tools,
+        callTool: createCallToolWrapper(client),
+        config,
+    };
+    console.log(`🛡️  Running security assessment with 17 attack patterns...`);
+    const assessor = new SecurityAssessor(config);
+    const results = await assessor.assess(context);
+    await client.close();
+    return results;
+}
+/**
+ * Save results to JSON file
+ */
+function saveResults(serverName, results, outputPath) {
+    const defaultPath = `/tmp/inspector-security-assessment-${serverName}.json`;
+    const finalPath = outputPath || defaultPath;
+    const output = {
+        timestamp: new Date().toISOString(),
+        assessmentType: "security",
+        serverName,
+        security: results,
+    };
+    fs.writeFileSync(finalPath, JSON.stringify(output, null, 2));
+    return finalPath;
+}
+/**
+ * Display summary
+ */
+function displaySummary(results) {
+    const { promptInjectionTests, vulnerabilities, overallRiskLevel } = results;
+    const vulnerableCount = promptInjectionTests.filter((t) => t.vulnerable).length;
+    const totalTests = promptInjectionTests.length;
+    console.log("\n" + "=".repeat(60));
+    console.log("SECURITY ASSESSMENT RESULTS");
+    console.log("=".repeat(60));
+    console.log(`Total Tests: ${totalTests}`);
+    console.log(`Vulnerabilities Found: ${vulnerableCount}`);
+    console.log(`Overall Risk Level: ${overallRiskLevel}`);
+    console.log("=".repeat(60));
+    if (vulnerableCount > 0) {
+        console.log("\n⚠️  VULNERABILITIES DETECTED:\n");
+        const vulnerableTests = promptInjectionTests.filter((t) => t.vulnerable);
+        for (const test of vulnerableTests) {
+            console.log(`🚨 ${test.toolName} - ${test.testName}`);
+            console.log(`   Risk: ${test.riskLevel}`);
+            console.log(`   Evidence: ${test.evidence}`);
+            console.log("");
+        }
+    }
+    else {
+        console.log("\n✅ No vulnerabilities detected\n");
+    }
+}
+/**
+ * Parse command-line arguments
+ */
+function parseArgs() {
+    const args = process.argv.slice(2);
+    const options = {};
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (!arg)
+            continue;
+        switch (arg) {
+            case "--server":
+            case "-s":
+                options.serverName = args[++i];
+                break;
+            case "--config":
+            case "-c":
+                options.serverConfigPath = args[++i];
+                break;
+            case "--output":
+            case "-o":
+                options.outputPath = args[++i];
+                break;
+            case "--tool":
+            case "-t":
+                options.toolName = args[++i];
+                break;
+            case "--verbose":
+            case "-v":
+                options.verbose = true;
+                break;
+            case "--help":
+            case "-h":
+                printHelp();
+                options.helpRequested = true;
+                return options;
+            default:
+                if (!arg.startsWith("-")) {
+                    if (!options.serverName) {
+                        options.serverName = arg;
+                    }
+                }
+                else {
+                    console.error(`Unknown argument: ${arg}`);
+                    printHelp();
+                    setTimeout(() => process.exit(1), 10);
+                    options.helpRequested = true;
+                    return options;
+                }
+        }
+    }
+    if (!options.serverName) {
+        console.error("Error: --server is required");
+        printHelp();
+        setTimeout(() => process.exit(1), 10);
+        options.helpRequested = true;
+        return options;
+    }
+    return options;
+}
+/**
+ * Print help message
+ */
+function printHelp() {
+    console.log(`
+Usage: mcp-assess-security [options] [server-name]
+Run security assessment against an MCP server with 17 attack patterns.
+Options:
+  --server, -s <name>    Server name (required, or pass as first positional arg)
+  --config, -c <path>    Path to server config JSON
+  --output, -o <path>    Output JSON path (default: /tmp/inspector-security-assessment-<server>.json)
+  --tool, -t <name>      Test only specific tool (default: test all tools)
+  --verbose, -v          Enable verbose logging
+  --help, -h             Show this help message
+Attack Patterns Tested (17 total):
+  • Direct prompt injection
+  • Indirect prompt injection
+  • Instruction override
+  • Role-playing attacks
+  • Encoding bypass
+  • Multi-turn manipulation
+  • Context poisoning
+  • And more...
+Examples:
+  mcp-assess-security my-server
+  mcp-assess-security --server broken-mcp --tool vulnerable_calculator_tool
+  mcp-assess-security --server my-server --output ./security-results.json
+  `);
+}
+/**
+ * Main execution
+ */
+async function main() {
+    try {
+        const options = parseArgs();
+        if (options.helpRequested) {
+            return;
+        }
+        const results = await runSecurityAssessment(options);
+        displaySummary(results);
+        const outputPath = saveResults(options.serverName, results, options.outputPath);
+        console.log(`📄 Results saved to: ${outputPath}\n`);
+        const exitCode = results.vulnerabilities.length > 0 ? 1 : 0;
+        setTimeout(() => process.exit(exitCode), 10);
+    }
+    catch (error) {
+        console.error("\n❌ Error:", error instanceof Error ? error.message : String(error));
+        if (error instanceof Error && error.stack && process.env.DEBUG) {
+            console.error("\nStack trace:");
+            console.error(error.stack);
+        }
+        setTimeout(() => process.exit(1), 10);
+    }
+}
+main();

package/cli/build/cli.js CHANGED Viewed

@@ -46,6 +46,10 @@ async function runWebClient(args) {
     if (args.serverUrl) {
         startArgs.push("--server-url", args.serverUrl);
     }
+    // Pass Claude Code flag if enabled
+    if (args.claudeEnabled) {
+        startArgs.push("--claude-enabled");
+    }
     // Pass command and args (using -- to separate them)
     if (args.command) {
         startArgs.push("--", args.command, ...args.args);
@@ -171,7 +175,8 @@ function parseArgs() {
         .option("--cli", "enable CLI mode")
         .option("--transport <type>", "transport type (stdio, sse, http)")
         .option("--server-url <url>", "server URL for SSE/HTTP transport")
-        .option("--header <headers...>", 'HTTP headers as "HeaderName: Value" pairs (for HTTP/SSE transports)', parseHeaderPair, {});
+        .option("--header <headers...>", 'HTTP headers as "HeaderName: Value" pairs (for HTTP/SSE transports)', parseHeaderPair, {})
+        .option("--claude-enabled", "enable Claude Code integration for intelligent analysis (requires Claude CLI)");
     // Parse only the arguments before --
     program.parse(preArgs);
     const options = program.opts();
@@ -214,6 +219,7 @@ function parseArgs() {
                 cli: options.cli || false,
                 transport: "stdio",
                 headers: options.header,
+                claudeEnabled: options.claudeEnabled || false,
             };
         }
         else if (config.type === "sse" || config.type === "streamable-http") {
@@ -225,6 +231,7 @@ function parseArgs() {
                 transport: config.type,
                 serverUrl: config.url,
                 headers: options.header,
+                claudeEnabled: options.claudeEnabled || false,
             };
         }
         else {
@@ -236,6 +243,7 @@ function parseArgs() {
                 cli: options.cli || false,
                 transport: "stdio",
                 headers: options.header,
+                claudeEnabled: options.claudeEnabled || false,
             };
         }
     }
@@ -255,6 +263,7 @@ function parseArgs() {
         transport: transport,
         serverUrl: options.serverUrl,
         headers: options.header,
+        claudeEnabled: options.claudeEnabled || false,
     };
 }
 async function main() {

package/client/dist/assets/{OAuthCallback-TeTvKfWE.js → OAuthCallback-Xo9zS7pv.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-BwAoxcvr.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-nCPw6E-c.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-DwA2sKy9.js → OAuthDebugCallback-CaIey8K_.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-BwAoxcvr.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-nCPw6E-c.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;

package/client/dist/assets/{index-BwAoxcvr.js → index-nCPw6E-c.js} RENAMED Viewed

@@ -16279,7 +16279,7 @@ object({
   token_type_hint: string().optional()
 }).strip();
 const name = "@bryan-thompson/inspector-assessment-client";
-const version$1 = "1.5.0";
+const version$1 = "1.7.0";
 const packageJson = {
   name,
   version: version$1
@@ -48464,7 +48464,7 @@ const useTheme = () => {
     [theme, setThemeWithSideEffect]
   );
 };
-const version = "1.5.0";
+const version = "1.7.0";
 var [createTooltipContext] = createContextScope("Tooltip", [
   createPopperScope
 ]);
@@ -60340,13 +60340,13 @@ const App = () => {
   ) });
   if (window.location.pathname === "/oauth/callback") {
     const OAuthCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthCallback-TeTvKfWE.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthCallback-Xo9zS7pv.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
   }
   if (window.location.pathname === "/oauth/callback/debug") {
     const OAuthDebugCallback = React.lazy(
-      () => __vitePreload(() => import("./OAuthDebugCallback-DwA2sKy9.js"), true ? [] : void 0)
+      () => __vitePreload(() => import("./OAuthDebugCallback-CaIey8K_.js"), true ? [] : void 0)
     );
     return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
   }

package/client/dist/index.html CHANGED Viewed

@@ -5,7 +5,7 @@
     <link rel="icon" type="image/svg+xml" href="/mcp.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>MCP Inspector</title>
-    <script type="module" crossorigin src="/assets/index-BwAoxcvr.js"></script>
+    <script type="module" crossorigin src="/assets/index-nCPw6E-c.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-Bj7kEsw0.css">
   </head>
   <body>