@mcpspec/core 1.0.2 → 1.0.3

package/dist/index.d.ts

@@ -352,6 +352,7 @@ declare class ResultDiffer {
     diff(baseline: TestRunResult, current: TestRunResult, baselineName?: string): RunDiff;
 }
 
+declare const DANGEROUS_TOOL_PATTERNS: RegExp;
 declare class ScanConfig {
     readonly mode: SecurityScanMode;
     readonly rules: string[];
@@ -359,9 +360,12 @@ declare class ScanConfig {
     readonly acknowledgeRisk: boolean;
     readonly timeout: number;
     readonly maxProbesPerTool: number;
+    readonly excludeTools: string[];
+    readonly dryRun: boolean;
     constructor(config?: Partial<SecurityScanConfig>);
     requiresConfirmation(): boolean;
     meetsThreshold(severity: SeverityLevel): boolean;
+    isToolExcluded(toolName: string): boolean;
     private getRulesForMode;
 }
 
@@ -377,10 +381,27 @@ interface ScanProgress {
     onRuleComplete?: (ruleId: string, findingCount: number) => void;
     onFinding?: (finding: SecurityFinding) => void;
 }
+interface DryRunResult {
+    tools: Array<{
+        name: string;
+        included: boolean;
+        reason?: string;
+    }>;
+    rules: string[];
+    mode: string;
+}
 declare class SecurityScanner {
     private readonly rules;
     constructor();
     registerRule(rule: SecurityRule): void;
+    /**
+     * Preview which tools will be scanned without actually running payloads.
+     */
+    dryRun(client: MCPClientInterface, config: ScanConfig): Promise<DryRunResult>;
+    /**
+     * Filter tools based on config exclusions.
+     */
+    filterTools(tools: ToolInfo[], config: ScanConfig): ToolInfo[];
     scan(client: MCPClientInterface, config: ScanConfig, progress?: ScanProgress): Promise<SecurityScanResult>;
     private buildSummary;
     private registerBuiltinRules;
@@ -514,7 +535,7 @@ declare class MCPScoreCalculator {
     private scoreDocumentation;
     private scoreSchemaQuality;
     private scoreErrorHandling;
-    private scorePerformance;
+    private scoreResponsiveness;
     private scoreSecurity;
 }
 
@@ -523,4 +544,4 @@ declare class BadgeGenerator {
     getColor(score: number): string;
 }
 
-export { AuthBypassRule, BadgeGenerator, BaselineStore, type BenchmarkProgress, BenchmarkRunner, ConnectionManager, ConsoleReporter, DocGenerator, type DocGeneratorOptions, ERROR_CODE_MAP, ERROR_TEMPLATES, type ErrorCode, HtmlDocGenerator, HtmlReporter, InformationDisclosureRule, InjectionRule, InputValidationRule, JsonReporter, JunitReporter, LoggingTransport, MCPClient, type MCPClientInterface, MCPScoreCalculator, MCPSpecError, MarkdownGenerator, NotImplementedError, type OnProtocolMessage, PathTraversalRule, type PayloadSet, type PlatformPayload, ProcessManagerImpl, ProcessRegistry, Profiler, RateLimiter, ResourceExhaustionRule, ResultDiffer, type RunDiff, ScanConfig, type ScanProgress, type ScoreProgress, SecretMasker, type SecurityRule, SecurityScanner, type ServerDocData, TapReporter, type TestDiff, TestExecutor, type TestRunReporter, TestRunner, TestScheduler, WaterfallGenerator, YAML_LIMITS, computeStats, formatError, getPayloadsForMode, getPlatformInfo, getPlatformPayloads, getSafePayloads, loadYamlSafely, queryJsonPath, registerCleanupHandlers, resolveVariables };
+export { AuthBypassRule, BadgeGenerator, BaselineStore, type BenchmarkProgress, BenchmarkRunner, ConnectionManager, ConsoleReporter, DANGEROUS_TOOL_PATTERNS, DocGenerator, type DocGeneratorOptions, type DryRunResult, ERROR_CODE_MAP, ERROR_TEMPLATES, type ErrorCode, HtmlDocGenerator, HtmlReporter, InformationDisclosureRule, InjectionRule, InputValidationRule, JsonReporter, JunitReporter, LoggingTransport, MCPClient, type MCPClientInterface, MCPScoreCalculator, MCPSpecError, MarkdownGenerator, NotImplementedError, type OnProtocolMessage, PathTraversalRule, type PayloadSet, type PlatformPayload, ProcessManagerImpl, ProcessRegistry, Profiler, RateLimiter, ResourceExhaustionRule, ResultDiffer, type RunDiff, ScanConfig, type ScanProgress, type ScoreProgress, SecretMasker, type SecurityRule, SecurityScanner, type ServerDocData, TapReporter, type TestDiff, TestExecutor, type TestRunReporter, TestRunner, TestScheduler, WaterfallGenerator, YAML_LIMITS, computeStats, formatError, getPayloadsForMode, getPlatformInfo, getPlatformPayloads, getSafePayloads, loadYamlSafely, queryJsonPath, registerCleanupHandlers, resolveVariables };

package/dist/index.js

@@ -1230,7 +1230,7 @@ var TestExecutor = class {
           assertions: assertionResults
         };
       }
-      const response = this.buildResponse(result);
+      const response = this.buildResponse(result, test.rawResponse);
       if (test.assertions) {
         for (const assertion of test.assertions) {
           assertionResults.push(this.runAssertion(assertion, response, Date.now() - startTime));
@@ -1273,7 +1273,7 @@ var TestExecutor = class {
       };
     }
   }
-  buildResponse(result) {
+  buildResponse(result, rawResponse) {
     const contents = result.content;
     if (!Array.isArray(contents) || contents.length === 0) {
       return {};
@@ -1281,6 +1281,9 @@ var TestExecutor = class {
     if (contents.length === 1) {
       const item = contents[0];
       if (item["type"] === "text" && typeof item["text"] === "string") {
+        if (rawResponse) {
+          return { content: item["text"], text: item["text"] };
+        }
         try {
           return JSON.parse(item["text"]);
         } catch {
@@ -1420,17 +1423,16 @@ var TestScheduler = class {
       return skippedResults;
     }
     if (parallelism <= 1) {
-      const executor2 = new TestExecutor(initialVariables, rateLimiter);
+      const executor = new TestExecutor(initialVariables, rateLimiter);
       const results2 = [];
       for (const test of filteredTests) {
         reporter?.onTestStart(test.name);
-        const result = await executor2.execute(test, client);
+        const result = await executor.execute(test, client);
         results2.push(result);
         reporter?.onTestComplete(result);
       }
       return [...results2, ...skippedResults];
     }
-    const executor = new TestExecutor(initialVariables, rateLimiter);
     let running = 0;
     const results = new Array(filteredTests.length);
     const waitQueue = [];
@@ -1455,6 +1457,7 @@ var TestScheduler = class {
       return (async () => {
         await acquire();
         try {
+          const executor = new TestExecutor(initialVariables, rateLimiter);
           reporter?.onTestStart(test.name);
           const result = await executor.execute(test, client);
           results[i] = result;
@@ -2086,6 +2089,7 @@ var ACTIVE_RULES = [
 var AGGRESSIVE_RULES = [...ACTIVE_RULES];
 var DEFAULT_TIMEOUT = 1e4;
 var DEFAULT_MAX_PROBES = 50;
+var DANGEROUS_TOOL_PATTERNS = /^(delete|drop|remove|destroy|kill|purge|truncate|wipe|reset|erase)[_-]|[_-](delete|drop|remove|destroy|kill|purge|truncate|wipe|reset|erase)$/i;
 var ScanConfig = class {
   mode;
   rules;
@@ -2093,12 +2097,16 @@ var ScanConfig = class {
   acknowledgeRisk;
   timeout;
   maxProbesPerTool;
+  excludeTools;
+  dryRun;
   constructor(config = {}) {
     this.mode = config.mode ?? "passive";
     this.severityThreshold = config.severityThreshold ?? "info";
     this.acknowledgeRisk = config.acknowledgeRisk ?? false;
     this.timeout = config.timeout ?? DEFAULT_TIMEOUT;
     this.maxProbesPerTool = config.maxProbesPerTool ?? DEFAULT_MAX_PROBES;
+    this.excludeTools = config.excludeTools ?? [];
+    this.dryRun = config.dryRun ?? false;
     const allRulesForMode = this.getRulesForMode(this.mode);
     if (config.rules && config.rules.length > 0) {
       this.rules = config.rules.filter((r) => allRulesForMode.includes(r));
@@ -2114,6 +2122,11 @@ var ScanConfig = class {
     const severityIdx = SEVERITY_ORDER.indexOf(severity);
     return severityIdx >= thresholdIdx;
   }
+  isToolExcluded(toolName) {
+    if (this.excludeTools.includes(toolName)) return true;
+    if (this.mode !== "passive" && DANGEROUS_TOOL_PATTERNS.test(toolName)) return true;
+    return false;
+  }
   getRulesForMode(mode) {
     switch (mode) {
       case "passive":
@@ -2690,10 +2703,47 @@ var SecurityScanner = class {
   registerRule(rule) {
     this.rules.set(rule.id, rule);
   }
+  /**
+   * Preview which tools will be scanned without actually running payloads.
+   */
+  async dryRun(client, config) {
+    const allTools = await client.listTools();
+    const toolResults = allTools.map((tool) => {
+      if (config.excludeTools.includes(tool.name)) {
+        return { name: tool.name, included: false, reason: "excluded by --exclude-tools" };
+      }
+      if (config.isToolExcluded(tool.name)) {
+        return { name: tool.name, included: false, reason: "auto-skipped (destructive name)" };
+      }
+      return { name: tool.name, included: true };
+    });
+    return {
+      tools: toolResults,
+      rules: [...config.rules],
+      mode: config.mode
+    };
+  }
+  /**
+   * Filter tools based on config exclusions.
+   */
+  filterTools(tools, config) {
+    return tools.filter((tool) => !config.isToolExcluded(tool.name));
+  }
   async scan(client, config, progress) {
     const startedAt = /* @__PURE__ */ new Date();
     const findings = [];
-    const tools = await client.listTools();
+    const allTools = await client.listTools();
+    const tools = this.filterTools(allTools, config);
+    const skippedCount = allTools.length - tools.length;
+    if (skippedCount > 0) {
+      findings.push({
+        id: randomUUID9(),
+        rule: "safety-filter",
+        severity: "info",
+        title: `${skippedCount} tool(s) excluded from scan`,
+        description: `${skippedCount} tool(s) were excluded from scanning due to safety filters or --exclude-tools.`
+      });
+    }
     for (const ruleId of config.rules) {
       const rule = this.rules.get(ruleId);
       if (!rule) continue;
@@ -3121,14 +3171,14 @@ var MCPScoreCalculator = class {
     progress?.onCategoryStart?.("errorHandling");
     const errorHandling = await this.scoreErrorHandling(client, tools);
     progress?.onCategoryComplete?.("errorHandling", errorHandling);
-    progress?.onCategoryStart?.("performance");
-    const performance4 = await this.scorePerformance(client, tools);
-    progress?.onCategoryComplete?.("performance", performance4);
+    progress?.onCategoryStart?.("responsiveness");
+    const responsiveness = await this.scoreResponsiveness(client, tools);
+    progress?.onCategoryComplete?.("responsiveness", responsiveness);
     progress?.onCategoryStart?.("security");
     const security = await this.scoreSecurity(client);
     progress?.onCategoryComplete?.("security", security);
     const overall = Math.round(
-      documentation * 0.25 + schemaQuality * 0.25 + errorHandling * 0.2 + performance4 * 0.15 + security * 0.15
+      documentation * 0.25 + schemaQuality * 0.25 + errorHandling * 0.2 + responsiveness * 0.15 + security * 0.15
     );
     return {
       overall,
@@ -3136,7 +3186,7 @@ var MCPScoreCalculator = class {
         documentation,
         schemaQuality,
         errorHandling,
-        performance: performance4,
+        responsiveness,
         security
       }
     };
@@ -3172,9 +3222,26 @@ var MCPScoreCalculator = class {
       try {
         const result = await client.callTool(tool.name, {});
         if (result.isError) {
-          totalScore += 100;
+          const content = result.content;
+          let isStructured = false;
+          if (Array.isArray(content) && content.length > 0) {
+            isStructured = content.some((c) => {
+              const item = c;
+              const text = item["text"];
+              if (typeof text !== "string") return false;
+              try {
+                const parsed = JSON.parse(text);
+                return typeof parsed === "object" && parsed !== null && ("code" in parsed || "message" in parsed || "error" in parsed);
+              } catch {
+                return false;
+              }
+            });
+          }
+          totalScore += isStructured ? 100 : 80;
         } else {
-          totalScore += 50;
+          const schema = tool.inputSchema;
+          const hasRequired = schema && Array.isArray(schema.required) && schema.required.length > 0;
+          totalScore += hasRequired ? 30 : 50;
         }
       } catch {
         totalScore += 0;
@@ -3182,7 +3249,7 @@ var MCPScoreCalculator = class {
     }
     return Math.round(totalScore / testTools.length);
   }
-  async scorePerformance(client, tools) {
+  async scoreResponsiveness(client, tools) {
     if (tools.length === 0) return 20;
     const tool = tools[0];
     const latencies = [];
@@ -3260,6 +3327,7 @@ export {
   BenchmarkRunner,
   ConnectionManager,
   ConsoleReporter,
+  DANGEROUS_TOOL_PATTERNS,
   DocGenerator,
   ERROR_CODE_MAP,
   ERROR_TEMPLATES,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcpspec/core",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -31,7 +31,7 @@
     "expr-eval": "^2.0.2",
     "handlebars": "^4.7.8",
     "zod": "^3.22.0",
-    "@mcpspec/shared": "1.0.2"
+    "@mcpspec/shared": "1.0.3"
   },
   "devDependencies": {
     "@types/js-yaml": "^4.0.9",