npm - @dotsetlabs/bellwether - Versions diffs - 0.10.0 - Mend

@dotsetlabs/bellwether 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (403) hide show

package/CHANGELOG.md +291 -0
package/LICENSE +21 -0
package/README.md +739 -0
package/dist/auth/credentials.d.ts +64 -0
package/dist/auth/credentials.js +218 -0
package/dist/auth/index.d.ts +6 -0
package/dist/auth/index.js +6 -0
package/dist/auth/keychain.d.ts +64 -0
package/dist/auth/keychain.js +268 -0
package/dist/baseline/ab-testing.d.ts +80 -0
package/dist/baseline/ab-testing.js +236 -0
package/dist/baseline/ai-compatibility-scorer.d.ts +95 -0
package/dist/baseline/ai-compatibility-scorer.js +606 -0
package/dist/baseline/calibration.d.ts +77 -0
package/dist/baseline/calibration.js +136 -0
package/dist/baseline/category-matching.d.ts +85 -0
package/dist/baseline/category-matching.js +289 -0
package/dist/baseline/change-impact-analyzer.d.ts +98 -0
package/dist/baseline/change-impact-analyzer.js +592 -0
package/dist/baseline/comparator.d.ts +64 -0
package/dist/baseline/comparator.js +916 -0
package/dist/baseline/confidence.d.ts +55 -0
package/dist/baseline/confidence.js +122 -0
package/dist/baseline/converter.d.ts +61 -0
package/dist/baseline/converter.js +585 -0
package/dist/baseline/dependency-analyzer.d.ts +89 -0
package/dist/baseline/dependency-analyzer.js +567 -0
package/dist/baseline/deprecation-tracker.d.ts +133 -0
package/dist/baseline/deprecation-tracker.js +322 -0
package/dist/baseline/diff.d.ts +55 -0
package/dist/baseline/diff.js +1584 -0
package/dist/baseline/documentation-scorer.d.ts +205 -0
package/dist/baseline/documentation-scorer.js +466 -0
package/dist/baseline/embeddings.d.ts +118 -0
package/dist/baseline/embeddings.js +251 -0
package/dist/baseline/error-analyzer.d.ts +198 -0
package/dist/baseline/error-analyzer.js +721 -0
package/dist/baseline/evaluation/evaluator.d.ts +42 -0
package/dist/baseline/evaluation/evaluator.js +323 -0
package/dist/baseline/evaluation/expanded-dataset.d.ts +45 -0
package/dist/baseline/evaluation/expanded-dataset.js +1164 -0
package/dist/baseline/evaluation/golden-dataset.d.ts +58 -0
package/dist/baseline/evaluation/golden-dataset.js +717 -0
package/dist/baseline/evaluation/index.d.ts +15 -0
package/dist/baseline/evaluation/index.js +15 -0
package/dist/baseline/evaluation/types.d.ts +186 -0
package/dist/baseline/evaluation/types.js +8 -0
package/dist/baseline/external-dependency-detector.d.ts +181 -0
package/dist/baseline/external-dependency-detector.js +524 -0
package/dist/baseline/golden-output.d.ts +162 -0
package/dist/baseline/golden-output.js +636 -0
package/dist/baseline/health-scorer.d.ts +174 -0
package/dist/baseline/health-scorer.js +451 -0
package/dist/baseline/incremental-checker.d.ts +97 -0
package/dist/baseline/incremental-checker.js +174 -0
package/dist/baseline/index.d.ts +31 -0
package/dist/baseline/index.js +42 -0
package/dist/baseline/migration-generator.d.ts +137 -0
package/dist/baseline/migration-generator.js +554 -0
package/dist/baseline/migrations.d.ts +60 -0
package/dist/baseline/migrations.js +197 -0
package/dist/baseline/performance-tracker.d.ts +214 -0
package/dist/baseline/performance-tracker.js +577 -0
package/dist/baseline/pr-comment-generator.d.ts +117 -0
package/dist/baseline/pr-comment-generator.js +546 -0
package/dist/baseline/response-fingerprint.d.ts +127 -0
package/dist/baseline/response-fingerprint.js +728 -0
package/dist/baseline/response-schema-tracker.d.ts +129 -0
package/dist/baseline/response-schema-tracker.js +420 -0
package/dist/baseline/risk-scorer.d.ts +54 -0
package/dist/baseline/risk-scorer.js +434 -0
package/dist/baseline/saver.d.ts +89 -0
package/dist/baseline/saver.js +554 -0
package/dist/baseline/scenario-generator.d.ts +151 -0
package/dist/baseline/scenario-generator.js +905 -0
package/dist/baseline/schema-compare.d.ts +86 -0
package/dist/baseline/schema-compare.js +557 -0
package/dist/baseline/schema-evolution.d.ts +189 -0
package/dist/baseline/schema-evolution.js +467 -0
package/dist/baseline/semantic.d.ts +203 -0
package/dist/baseline/semantic.js +908 -0
package/dist/baseline/synonyms.d.ts +60 -0
package/dist/baseline/synonyms.js +386 -0
package/dist/baseline/telemetry.d.ts +165 -0
package/dist/baseline/telemetry.js +294 -0
package/dist/baseline/test-pruner.d.ts +120 -0
package/dist/baseline/test-pruner.js +387 -0
package/dist/baseline/types.d.ts +449 -0
package/dist/baseline/types.js +5 -0
package/dist/baseline/version.d.ts +138 -0
package/dist/baseline/version.js +206 -0
package/dist/cache/index.d.ts +5 -0
package/dist/cache/index.js +5 -0
package/dist/cache/response-cache.d.ts +151 -0
package/dist/cache/response-cache.js +287 -0
package/dist/ci/index.d.ts +60 -0
package/dist/ci/index.js +342 -0
package/dist/cli/commands/auth.d.ts +12 -0
package/dist/cli/commands/auth.js +352 -0
package/dist/cli/commands/badge.d.ts +3 -0
package/dist/cli/commands/badge.js +74 -0
package/dist/cli/commands/baseline-accept.d.ts +15 -0
package/dist/cli/commands/baseline-accept.js +178 -0
package/dist/cli/commands/baseline-migrate.d.ts +12 -0
package/dist/cli/commands/baseline-migrate.js +164 -0
package/dist/cli/commands/baseline.d.ts +14 -0
package/dist/cli/commands/baseline.js +449 -0
package/dist/cli/commands/beta.d.ts +10 -0
package/dist/cli/commands/beta.js +231 -0
package/dist/cli/commands/check.d.ts +11 -0
package/dist/cli/commands/check.js +820 -0
package/dist/cli/commands/cloud/badge.d.ts +3 -0
package/dist/cli/commands/cloud/badge.js +74 -0
package/dist/cli/commands/cloud/diff.d.ts +6 -0
package/dist/cli/commands/cloud/diff.js +79 -0
package/dist/cli/commands/cloud/history.d.ts +6 -0
package/dist/cli/commands/cloud/history.js +102 -0
package/dist/cli/commands/cloud/link.d.ts +9 -0
package/dist/cli/commands/cloud/link.js +119 -0
package/dist/cli/commands/cloud/login.d.ts +7 -0
package/dist/cli/commands/cloud/login.js +499 -0
package/dist/cli/commands/cloud/projects.d.ts +6 -0
package/dist/cli/commands/cloud/projects.js +44 -0
package/dist/cli/commands/cloud/shared.d.ts +7 -0
package/dist/cli/commands/cloud/shared.js +42 -0
package/dist/cli/commands/cloud/teams.d.ts +8 -0
package/dist/cli/commands/cloud/teams.js +169 -0
package/dist/cli/commands/cloud/upload.d.ts +8 -0
package/dist/cli/commands/cloud/upload.js +181 -0
package/dist/cli/commands/contract.d.ts +11 -0
package/dist/cli/commands/contract.js +280 -0
package/dist/cli/commands/discover.d.ts +3 -0
package/dist/cli/commands/discover.js +82 -0
package/dist/cli/commands/eval.d.ts +9 -0
package/dist/cli/commands/eval.js +187 -0
package/dist/cli/commands/explore.d.ts +11 -0
package/dist/cli/commands/explore.js +437 -0
package/dist/cli/commands/feedback.d.ts +9 -0
package/dist/cli/commands/feedback.js +174 -0
package/dist/cli/commands/golden.d.ts +12 -0
package/dist/cli/commands/golden.js +407 -0
package/dist/cli/commands/history.d.ts +10 -0
package/dist/cli/commands/history.js +202 -0
package/dist/cli/commands/init.d.ts +9 -0
package/dist/cli/commands/init.js +219 -0
package/dist/cli/commands/interview.d.ts +3 -0
package/dist/cli/commands/interview.js +903 -0
package/dist/cli/commands/link.d.ts +10 -0
package/dist/cli/commands/link.js +169 -0
package/dist/cli/commands/login.d.ts +7 -0
package/dist/cli/commands/login.js +499 -0
package/dist/cli/commands/preset.d.ts +33 -0
package/dist/cli/commands/preset.js +297 -0
package/dist/cli/commands/profile.d.ts +33 -0
package/dist/cli/commands/profile.js +286 -0
package/dist/cli/commands/registry.d.ts +11 -0
package/dist/cli/commands/registry.js +146 -0
package/dist/cli/commands/shared.d.ts +79 -0
package/dist/cli/commands/shared.js +196 -0
package/dist/cli/commands/teams.d.ts +8 -0
package/dist/cli/commands/teams.js +169 -0
package/dist/cli/commands/test.d.ts +9 -0
package/dist/cli/commands/test.js +500 -0
package/dist/cli/commands/upload.d.ts +8 -0
package/dist/cli/commands/upload.js +223 -0
package/dist/cli/commands/validate-config.d.ts +6 -0
package/dist/cli/commands/validate-config.js +35 -0
package/dist/cli/commands/verify.d.ts +11 -0
package/dist/cli/commands/verify.js +283 -0
package/dist/cli/commands/watch.d.ts +12 -0
package/dist/cli/commands/watch.js +253 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.js +178 -0
package/dist/cli/interactive.d.ts +47 -0
package/dist/cli/interactive.js +216 -0
package/dist/cli/output/terminal-reporter.d.ts +19 -0
package/dist/cli/output/terminal-reporter.js +104 -0
package/dist/cli/output.d.ts +226 -0
package/dist/cli/output.js +438 -0
package/dist/cli/utils/env.d.ts +5 -0
package/dist/cli/utils/env.js +14 -0
package/dist/cli/utils/progress.d.ts +59 -0
package/dist/cli/utils/progress.js +206 -0
package/dist/cli/utils/server-context.d.ts +10 -0
package/dist/cli/utils/server-context.js +36 -0
package/dist/cloud/auth.d.ts +144 -0
package/dist/cloud/auth.js +374 -0
package/dist/cloud/client.d.ts +24 -0
package/dist/cloud/client.js +65 -0
package/dist/cloud/http-client.d.ts +38 -0
package/dist/cloud/http-client.js +215 -0
package/dist/cloud/index.d.ts +23 -0
package/dist/cloud/index.js +25 -0
package/dist/cloud/mock-client.d.ts +107 -0
package/dist/cloud/mock-client.js +545 -0
package/dist/cloud/types.d.ts +515 -0
package/dist/cloud/types.js +15 -0
package/dist/config/defaults.d.ts +160 -0
package/dist/config/defaults.js +169 -0
package/dist/config/loader.d.ts +24 -0
package/dist/config/loader.js +122 -0
package/dist/config/template.d.ts +42 -0
package/dist/config/template.js +647 -0
package/dist/config/validator.d.ts +2112 -0
package/dist/config/validator.js +658 -0
package/dist/constants/cloud.d.ts +107 -0
package/dist/constants/cloud.js +110 -0
package/dist/constants/core.d.ts +521 -0
package/dist/constants/core.js +556 -0
package/dist/constants/testing.d.ts +1283 -0
package/dist/constants/testing.js +1568 -0
package/dist/constants.d.ts +10 -0
package/dist/constants.js +10 -0
package/dist/contract/index.d.ts +6 -0
package/dist/contract/index.js +5 -0
package/dist/contract/validator.d.ts +177 -0
package/dist/contract/validator.js +574 -0
package/dist/cost/index.d.ts +6 -0
package/dist/cost/index.js +5 -0
package/dist/cost/tracker.d.ts +134 -0
package/dist/cost/tracker.js +313 -0
package/dist/discovery/discovery.d.ts +16 -0
package/dist/discovery/discovery.js +173 -0
package/dist/discovery/types.d.ts +51 -0
package/dist/discovery/types.js +2 -0
package/dist/docs/agents.d.ts +3 -0
package/dist/docs/agents.js +995 -0
package/dist/docs/contract.d.ts +51 -0
package/dist/docs/contract.js +1681 -0
package/dist/docs/generator.d.ts +4 -0
package/dist/docs/generator.js +4 -0
package/dist/docs/html-reporter.d.ts +9 -0
package/dist/docs/html-reporter.js +757 -0
package/dist/docs/index.d.ts +10 -0
package/dist/docs/index.js +11 -0
package/dist/docs/junit-reporter.d.ts +18 -0
package/dist/docs/junit-reporter.js +210 -0
package/dist/docs/report.d.ts +14 -0
package/dist/docs/report.js +44 -0
package/dist/docs/sarif-reporter.d.ts +19 -0
package/dist/docs/sarif-reporter.js +335 -0
package/dist/docs/shared.d.ts +35 -0
package/dist/docs/shared.js +162 -0
package/dist/docs/templates.d.ts +12 -0
package/dist/docs/templates.js +76 -0
package/dist/errors/index.d.ts +6 -0
package/dist/errors/index.js +6 -0
package/dist/errors/retry.d.ts +92 -0
package/dist/errors/retry.js +323 -0
package/dist/errors/types.d.ts +321 -0
package/dist/errors/types.js +584 -0
package/dist/index.d.ts +32 -0
package/dist/index.js +32 -0
package/dist/interview/dependency-resolver.d.ts +11 -0
package/dist/interview/dependency-resolver.js +32 -0
package/dist/interview/interviewer.d.ts +232 -0
package/dist/interview/interviewer.js +1939 -0
package/dist/interview/mock-response-generator.d.ts +7 -0
package/dist/interview/mock-response-generator.js +102 -0
package/dist/interview/orchestrator.d.ts +237 -0
package/dist/interview/orchestrator.js +1296 -0
package/dist/interview/rate-limiter.d.ts +15 -0
package/dist/interview/rate-limiter.js +55 -0
package/dist/interview/response-validator.d.ts +10 -0
package/dist/interview/response-validator.js +132 -0
package/dist/interview/schema-inferrer.d.ts +8 -0
package/dist/interview/schema-inferrer.js +71 -0
package/dist/interview/schema-test-generator.d.ts +71 -0
package/dist/interview/schema-test-generator.js +834 -0
package/dist/interview/smart-value-generator.d.ts +155 -0
package/dist/interview/smart-value-generator.js +554 -0
package/dist/interview/stateful-test-runner.d.ts +19 -0
package/dist/interview/stateful-test-runner.js +106 -0
package/dist/interview/types.d.ts +561 -0
package/dist/interview/types.js +2 -0
package/dist/llm/anthropic.d.ts +41 -0
package/dist/llm/anthropic.js +355 -0
package/dist/llm/client.d.ts +123 -0
package/dist/llm/client.js +42 -0
package/dist/llm/factory.d.ts +38 -0
package/dist/llm/factory.js +145 -0
package/dist/llm/fallback.d.ts +140 -0
package/dist/llm/fallback.js +379 -0
package/dist/llm/index.d.ts +18 -0
package/dist/llm/index.js +15 -0
package/dist/llm/ollama.d.ts +37 -0
package/dist/llm/ollama.js +330 -0
package/dist/llm/openai.d.ts +25 -0
package/dist/llm/openai.js +320 -0
package/dist/llm/token-budget.d.ts +161 -0
package/dist/llm/token-budget.js +395 -0
package/dist/logging/logger.d.ts +70 -0
package/dist/logging/logger.js +130 -0
package/dist/metrics/collector.d.ts +106 -0
package/dist/metrics/collector.js +547 -0
package/dist/metrics/index.d.ts +7 -0
package/dist/metrics/index.js +7 -0
package/dist/metrics/prometheus.d.ts +20 -0
package/dist/metrics/prometheus.js +241 -0
package/dist/metrics/types.d.ts +209 -0
package/dist/metrics/types.js +5 -0
package/dist/persona/builtins.d.ts +54 -0
package/dist/persona/builtins.js +219 -0
package/dist/persona/index.d.ts +8 -0
package/dist/persona/index.js +8 -0
package/dist/persona/loader.d.ts +30 -0
package/dist/persona/loader.js +190 -0
package/dist/persona/types.d.ts +144 -0
package/dist/persona/types.js +5 -0
package/dist/persona/validation.d.ts +94 -0
package/dist/persona/validation.js +332 -0
package/dist/prompts/index.d.ts +5 -0
package/dist/prompts/index.js +5 -0
package/dist/prompts/templates.d.ts +180 -0
package/dist/prompts/templates.js +431 -0
package/dist/registry/client.d.ts +49 -0
package/dist/registry/client.js +191 -0
package/dist/registry/index.d.ts +7 -0
package/dist/registry/index.js +6 -0
package/dist/registry/types.d.ts +140 -0
package/dist/registry/types.js +6 -0
package/dist/scenarios/evaluator.d.ts +43 -0
package/dist/scenarios/evaluator.js +206 -0
package/dist/scenarios/index.d.ts +10 -0
package/dist/scenarios/index.js +9 -0
package/dist/scenarios/loader.d.ts +20 -0
package/dist/scenarios/loader.js +285 -0
package/dist/scenarios/types.d.ts +153 -0
package/dist/scenarios/types.js +8 -0
package/dist/security/index.d.ts +17 -0
package/dist/security/index.js +18 -0
package/dist/security/payloads.d.ts +61 -0
package/dist/security/payloads.js +268 -0
package/dist/security/security-tester.d.ts +42 -0
package/dist/security/security-tester.js +582 -0
package/dist/security/types.d.ts +166 -0
package/dist/security/types.js +8 -0
package/dist/transport/base-transport.d.ts +59 -0
package/dist/transport/base-transport.js +38 -0
package/dist/transport/http-transport.d.ts +67 -0
package/dist/transport/http-transport.js +238 -0
package/dist/transport/mcp-client.d.ts +141 -0
package/dist/transport/mcp-client.js +496 -0
package/dist/transport/sse-transport.d.ts +88 -0
package/dist/transport/sse-transport.js +316 -0
package/dist/transport/stdio-transport.d.ts +43 -0
package/dist/transport/stdio-transport.js +238 -0
package/dist/transport/types.d.ts +125 -0
package/dist/transport/types.js +16 -0
package/dist/utils/concurrency.d.ts +123 -0
package/dist/utils/concurrency.js +213 -0
package/dist/utils/formatters.d.ts +16 -0
package/dist/utils/formatters.js +37 -0
package/dist/utils/index.d.ts +8 -0
package/dist/utils/index.js +8 -0
package/dist/utils/jsonpath.d.ts +87 -0
package/dist/utils/jsonpath.js +326 -0
package/dist/utils/markdown.d.ts +113 -0
package/dist/utils/markdown.js +265 -0
package/dist/utils/network.d.ts +14 -0
package/dist/utils/network.js +17 -0
package/dist/utils/sanitize.d.ts +92 -0
package/dist/utils/sanitize.js +191 -0
package/dist/utils/semantic.d.ts +194 -0
package/dist/utils/semantic.js +1051 -0
package/dist/utils/smart-truncate.d.ts +94 -0
package/dist/utils/smart-truncate.js +361 -0
package/dist/utils/timeout.d.ts +153 -0
package/dist/utils/timeout.js +205 -0
package/dist/utils/yaml-parser.d.ts +58 -0
package/dist/utils/yaml-parser.js +86 -0
package/dist/validation/index.d.ts +32 -0
package/dist/validation/index.js +32 -0
package/dist/validation/semantic-test-generator.d.ts +50 -0
package/dist/validation/semantic-test-generator.js +176 -0
package/dist/validation/semantic-types.d.ts +66 -0
package/dist/validation/semantic-types.js +94 -0
package/dist/validation/semantic-validator.d.ts +38 -0
package/dist/validation/semantic-validator.js +340 -0
package/dist/verification/index.d.ts +6 -0
package/dist/verification/index.js +5 -0
package/dist/verification/types.d.ts +133 -0
package/dist/verification/types.js +5 -0
package/dist/verification/verifier.d.ts +30 -0
package/dist/verification/verifier.js +309 -0
package/dist/version.d.ts +19 -0
package/dist/version.js +48 -0
package/dist/workflow/auto-generator.d.ts +27 -0
package/dist/workflow/auto-generator.js +513 -0
package/dist/workflow/discovery.d.ts +40 -0
package/dist/workflow/discovery.js +195 -0
package/dist/workflow/executor.d.ts +82 -0
package/dist/workflow/executor.js +611 -0
package/dist/workflow/index.d.ts +10 -0
package/dist/workflow/index.js +10 -0
package/dist/workflow/loader.d.ts +24 -0
package/dist/workflow/loader.js +194 -0
package/dist/workflow/state-tracker.d.ts +98 -0
package/dist/workflow/state-tracker.js +424 -0
package/dist/workflow/types.d.ts +337 -0
package/dist/workflow/types.js +5 -0
package/package.json +94 -0
package/schemas/bellwether-check.schema.json +651 -0

package/dist/security/payloads.js ADDED Viewed

@@ -0,0 +1,268 @@
+/**
+ * Deterministic security test payloads.
+ *
+ * These are well-known test patterns used for security testing that don't
+ * require LLM generation. Each payload is designed to test a specific
+ * vulnerability class.
+ *
+ * IMPORTANT: These payloads are for defensive security testing only.
+ * They help developers identify input validation gaps in their MCP servers.
+ */
+/**
+ * SQL injection test payloads.
+ * Tests for improper handling of SQL metacharacters in user input.
+ * CWE-89: Improper Neutralization of Special Elements used in an SQL Command
+ */
+export const SQL_INJECTION_PAYLOADS = [
+    {
+        category: 'sql_injection',
+        payload: "'; DROP TABLE users; --",
+        description: 'Classic SQL injection with table drop attempt',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'sql_injection',
+        payload: "1' OR '1'='1",
+        description: 'Boolean-based SQL injection (tautology)',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'sql_injection',
+        payload: "1; SELECT * FROM users WHERE '1'='1",
+        description: 'Stacked query injection',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'sql_injection',
+        payload: "admin'--",
+        description: 'Comment-based authentication bypass',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'sql_injection',
+        payload: "1 UNION SELECT username, password FROM users--",
+        description: 'UNION-based data extraction',
+        expectedBehavior: 'reject',
+    },
+];
+/**
+ * Cross-Site Scripting (XSS) test payloads.
+ * Tests for improper handling of HTML/JavaScript in user input.
+ * CWE-79: Improper Neutralization of Input During Web Page Generation
+ */
+export const XSS_PAYLOADS = [
+    {
+        category: 'xss',
+        payload: '<script>alert("xss")</script>',
+        description: 'Basic script tag injection',
+        expectedBehavior: 'sanitize',
+    },
+    {
+        category: 'xss',
+        payload: '"><img src=x onerror=alert(1)>',
+        description: 'Event handler injection via img tag',
+        expectedBehavior: 'sanitize',
+    },
+    {
+        category: 'xss',
+        payload: "javascript:alert('xss')",
+        description: 'JavaScript protocol handler',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'xss',
+        payload: '<svg onload=alert(1)>',
+        description: 'SVG-based XSS with onload event',
+        expectedBehavior: 'sanitize',
+    },
+    {
+        category: 'xss',
+        payload: '<body onpageshow=alert(1)>',
+        description: 'Body tag event handler injection',
+        expectedBehavior: 'sanitize',
+    },
+];
+/**
+ * Path traversal test payloads.
+ * Tests for improper handling of file path inputs.
+ * CWE-22: Improper Limitation of a Pathname to a Restricted Directory
+ */
+export const PATH_TRAVERSAL_PAYLOADS = [
+    {
+        category: 'path_traversal',
+        payload: '../../../etc/passwd',
+        description: 'Unix path traversal to /etc/passwd',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'path_traversal',
+        payload: '..\\..\\..\\windows\\system32\\config\\sam',
+        description: 'Windows path traversal to SAM database',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'path_traversal',
+        payload: '/etc/passwd',
+        description: 'Absolute path to sensitive Unix file',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'path_traversal',
+        payload: '%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',
+        description: 'URL-encoded path traversal',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'path_traversal',
+        payload: '....//....//....//etc/passwd',
+        description: 'Double-dot bypass attempt',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'path_traversal',
+        payload: '/proc/self/environ',
+        description: 'Linux proc filesystem access',
+        expectedBehavior: 'reject',
+    },
+];
+/**
+ * Command injection test payloads.
+ * Tests for improper handling of shell metacharacters.
+ * CWE-78: Improper Neutralization of Special Elements used in an OS Command
+ */
+export const COMMAND_INJECTION_PAYLOADS = [
+    {
+        category: 'command_injection',
+        payload: '; ls -la',
+        description: 'Semicolon command chaining',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'command_injection',
+        payload: '| cat /etc/passwd',
+        description: 'Pipe command injection',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'command_injection',
+        payload: '$(whoami)',
+        description: 'Command substitution',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'command_injection',
+        payload: '`id`',
+        description: 'Backtick command execution',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'command_injection',
+        payload: '&& cat /etc/passwd',
+        description: 'AND operator command chaining',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'command_injection',
+        payload: '|| cat /etc/passwd',
+        description: 'OR operator command chaining',
+        expectedBehavior: 'reject',
+    },
+];
+/**
+ * Server-Side Request Forgery (SSRF) test payloads.
+ * Tests for improper URL validation allowing internal network access.
+ * CWE-918: Server-Side Request Forgery (SSRF)
+ */
+export const SSRF_PAYLOADS = [
+    {
+        category: 'ssrf',
+        payload: 'http://localhost:22',
+        description: 'Localhost SSH port access',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'ssrf',
+        payload: 'http://127.0.0.1:3306',
+        description: 'Loopback MySQL port access',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'ssrf',
+        payload: 'http://169.254.169.254/latest/meta-data/',
+        description: 'AWS metadata endpoint (IMDS)',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'ssrf',
+        payload: 'http://[::1]:80',
+        description: 'IPv6 localhost access',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'ssrf',
+        payload: 'file:///etc/passwd',
+        description: 'File protocol access',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'ssrf',
+        payload: 'http://0.0.0.0:80',
+        description: 'Null IP address access',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'ssrf',
+        payload: 'http://10.0.0.1/',
+        description: 'Private network (10.x.x.x) access',
+        expectedBehavior: 'reject',
+    },
+    {
+        category: 'ssrf',
+        payload: 'http://192.168.1.1/',
+        description: 'Private network (192.168.x.x) access',
+        expectedBehavior: 'reject',
+    },
+];
+/**
+ * Map of security categories to their payloads.
+ */
+const PAYLOAD_MAP = {
+    sql_injection: SQL_INJECTION_PAYLOADS,
+    xss: XSS_PAYLOADS,
+    path_traversal: PATH_TRAVERSAL_PAYLOADS,
+    command_injection: COMMAND_INJECTION_PAYLOADS,
+    ssrf: SSRF_PAYLOADS,
+    error_disclosure: [], // Error disclosure is tested differently
+};
+/**
+ * Get payloads for a specific security category.
+ *
+ * @param category - The security category to get payloads for
+ * @returns Array of payloads for that category
+ */
+export function getPayloadsForCategory(category) {
+    return PAYLOAD_MAP[category] ?? [];
+}
+/**
+ * Get all security payloads across all categories.
+ *
+ * @returns Array of all security payloads
+ */
+export function getAllSecurityPayloads() {
+    return [
+        ...SQL_INJECTION_PAYLOADS,
+        ...XSS_PAYLOADS,
+        ...PATH_TRAVERSAL_PAYLOADS,
+        ...COMMAND_INJECTION_PAYLOADS,
+        ...SSRF_PAYLOADS,
+    ];
+}
+/**
+ * Get all available security categories.
+ *
+ * @returns Array of all security category identifiers
+ */
+export function getAllSecurityCategories() {
+    return Object.keys(PAYLOAD_MAP);
+}
+//# sourceMappingURL=payloads.js.map

package/dist/security/security-tester.d.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * Deterministic security tester for check mode.
+ *
+ * Runs security payloads against MCP tools and analyzes responses to detect
+ * potential vulnerabilities. All testing is deterministic (no LLM required)
+ * and uses well-known security test patterns.
+ *
+ * This module is the core of the security baseline feature, enabling users
+ * to detect common vulnerability patterns in their MCP servers.
+ */
+import type { SecurityCategory, SecurityFingerprint, SecurityTestOptions, SecurityTestContext, SecurityDiff, RiskLevel } from './types.js';
+/**
+ * Run security tests for a single tool.
+ *
+ * @param context - The tool context including call function
+ * @param options - Security test configuration options
+ * @returns Security fingerprint with findings
+ */
+export declare function runSecurityTests(context: SecurityTestContext, options?: SecurityTestOptions): Promise<SecurityFingerprint>;
+/**
+ * Compare two security fingerprints to detect changes.
+ *
+ * @param previous - Previous security fingerprint (may be undefined)
+ * @param current - Current security fingerprint (may be undefined)
+ * @returns Security diff showing what changed
+ */
+export declare function compareSecurityFingerprints(previous: SecurityFingerprint | undefined, current: SecurityFingerprint | undefined): SecurityDiff;
+/**
+ * Get risk level classification from a risk score.
+ *
+ * @param score - Risk score (0-100)
+ * @returns Risk level
+ */
+export declare function getRiskLevelFromScore(score: number): RiskLevel;
+/**
+ * Parse security categories from a comma-separated string.
+ *
+ * @param categoriesString - Comma-separated category names
+ * @returns Array of valid security categories
+ */
+export declare function parseSecurityCategories(categoriesString: string): SecurityCategory[];
+//# sourceMappingURL=security-tester.d.ts.map