
feat: Audit mode with FP reduction for automated MCP auditing #215

Open
bryan-anthropic wants to merge 3 commits into main from feat/audit-mode-fp-reduction

Conversation

@bryan-anthropic
Collaborator

Summary

  • --audit-mode CLI flag — runs only high-value modules (Functionality, Security, ErrorHandling, MCPSpecCompliance, ToolAnnotations), skips low-signal modules
  • Calculator injection scoping — skip calculator injection tests on non-math tools (major FP reduction for data-in/data-out servers like game-dev-mcp)
  • Transport-aware testing — skip path traversal on HTTP/SSE servers (no filesystem to traverse)
  • Audit-friendly output — vulnerableHighConfidence, toolCategory, auditAnalysis with pre-computed FP likelihood and response uniformity per tool
  • auditSummary in JSON output with recommendedAction (APPROVE/REVIEW/REJECT) for automation
  • Documentation drift fixes — pattern counts 17/18→13, test counts 464→696, archived 6 orphan docs
  • MCP spec updated — replaced 2025-06-18 spec with 2025-11-25 (Tasks, Extensions, Icons, enhanced auth)

Context

The mcp-auditor's Layer 1.5 (--with-audit) runs this inspector as Stage A against plugin MCP servers. E2E testing showed significant false positives (game-dev-mcp: 28 FPs, neural-memory: ~50% FPs). These changes reduce noise at the source.

Test plan

  • TypeScript type-check passes (npx tsc --noEmit -p client/tsconfig.json)
  • Prettier passes (npm run prettier-fix)
  • Rebase onto current main and resolve conflicts
  • Run against broken-mcp testbed — verify 0 FP on safe tools
  • Run mcp-assess-full --audit-mode against a test server
  • Verify version bump aligns with current main version

Note

This branch is based on v1.7.1. Main has advanced to v1.43.2 — rebase needed before merge.

Generated with Claude Code
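The scoping and summary logic this PR describes (category-gated calculator injection tests, transport-aware path traversal skipping, a per-tool FP estimate from response uniformity, and an APPROVE/REVIEW/REJECT summary) can be sketched as follows. This is an added illustration, not code from the PR or the inspector project: the type and field names echo the description above, but `classifyTool`, `skipReason`, the keyword regexes, the uniformity thresholds and `evaluateTest`/`summarize` are assumptions, and the `moduleVerdict` parameter stands in for whatever a real security module would decide.

```typescript
// Added example (not the inspector's own code): tool-category and transport
// scoping, a response-uniformity FP estimate, and an audit summary with a
// recommended action. Heuristics, thresholds and helper names are assumptions.

export type TransportType = "stdio" | "http" | "sse";
export type ToolCategory = "math" | "filesystem" | "other";
export type FpLikelihood = "low" | "medium" | "high";
export type RecommendedAction = "APPROVE" | "REVIEW" | "REJECT";

export interface ToolInfo { name: string; description: string; }
export interface AssessmentContext { transportType: TransportType; }

export interface AuditAnalysis {
  toolName: string;
  responseUniformity: number; // share of probes that produced the most common reply
  fpLikelihood: FpLikelihood;
}

export interface SecurityTestResult {
  toolName: string;
  testName: string;
  toolCategory: ToolCategory;
  vulnerable: boolean;
  vulnerableHighConfidence: boolean;
  skippedReason?: string;
  auditAnalysis?: AuditAnalysis;
}

export interface AuditSummary {
  vulnerableTools: string[];
  highConfidenceVulnerableTools: string[];
  skippedTests: number;
  recommendedAction: RecommendedAction;
}

// Assumed keyword hints; underscores become spaces so snake_case names like read_file match.
const MATH_HINT = /\b(calc\w*|math\w*|arithmetic|evaluate|expression|sum|multiply)\b/i;
const FS_HINT = /\b(file\w*|path\w*|director\w*|read|write)\b/i;

export function classifyTool(tool: ToolInfo): ToolCategory {
  const text = `${tool.name} ${tool.description}`.replace(/_/g, " ");
  if (MATH_HINT.test(text)) return "math";
  if (FS_HINT.test(text)) return "filesystem";
  return "other";
}

// Returns a reason to skip the test, or undefined when it should run.
export function skipReason(testName: string, category: ToolCategory, ctx: AssessmentContext): string | undefined {
  if (testName === "calculator-injection" && category !== "math") return "not a math/calculator tool";
  if (testName === "path-traversal" && ctx.transportType !== "stdio") {
    return `no local filesystem to traverse over ${ctx.transportType}`;
  }
  return undefined;
}

export function responseUniformity(responses: string[]): number {
  if (responses.length === 0) return 1;
  const counts = new Map<string, number>();
  let best = 0;
  for (const r of responses) {
    const n = (counts.get(r) ?? 0) + 1;
    counts.set(r, n);
    if (n > best) best = n;
  }
  return best / responses.length;
}

export function analyzeTool(toolName: string, responses: string[]): AuditAnalysis {
  const u = responseUniformity(responses);
  // A tool that answers every probe identically (e.g. the same validation error)
  // is almost certainly rejecting input rather than executing the payloads.
  const fpLikelihood: FpLikelihood = u >= 0.9 ? "high" : u >= 0.5 ? "medium" : "low";
  return { toolName, responseUniformity: u, fpLikelihood };
}

// moduleVerdict stands in for the security module's own pattern match.
export function evaluateTest(tool: ToolInfo, testName: string, ctx: AssessmentContext,
                             responses: string[], moduleVerdict: boolean): SecurityTestResult {
  const toolCategory = classifyTool(tool);
  const reason = skipReason(testName, toolCategory, ctx);
  if (reason) {
    return { toolName: tool.name, testName, toolCategory, vulnerable: false,
             vulnerableHighConfidence: false, skippedReason: reason };
  }
  const auditAnalysis = analyzeTool(tool.name, responses);
  return { toolName: tool.name, testName, toolCategory, auditAnalysis, vulnerable: moduleVerdict,
           vulnerableHighConfidence: moduleVerdict && auditAnalysis.fpLikelihood === "low" };
}

export function summarize(results: SecurityTestResult[]): AuditSummary {
  const vulnerable = new Set<string>();
  const high = new Set<string>();
  let skippedTests = 0;
  for (const r of results) {
    if (r.skippedReason) { skippedTests++; continue; }
    if (r.vulnerable) vulnerable.add(r.toolName);
    if (r.vulnerableHighConfidence) high.add(r.toolName);
  }
  const recommendedAction: RecommendedAction =
    high.size > 0 ? "REJECT" : vulnerable.size > 0 ? "REVIEW" : "APPROVE";
  return { vulnerableTools: Array.from(vulnerable), highConfidenceVulnerableTools: Array.from(high),
           skippedTests, recommendedAction };
}

// Constructed sample: an HTTP server with a data-in/data-out tool (both tests skipped)
// and a calculator tool whose probe replies vary, a genuine execution signal.
export const SAMPLE_CTX: AssessmentContext = { transportType: "http" };
const getEntity: ToolInfo = { name: "get_entity", description: "Return a game entity by id" };
const calculate: ToolInfo = { name: "calculate", description: "Evaluate an arithmetic expression" };
export const SAMPLE_RESULTS: SecurityTestResult[] = [
  evaluateTest(getEntity, "calculator-injection", SAMPLE_CTX, [], false),
  evaluateTest(getEntity, "path-traversal", SAMPLE_CTX, [], false),
  evaluateTest(calculate, "calculator-injection", SAMPLE_CTX, ["4", "8", "Error: unexpected token"], true),
];
export const SAMPLE_SUMMARY = summarize(SAMPLE_RESULTS);
```

With the sample input the two tests on `get_entity` are skipped (non-math tool, HTTP transport), the calculator tool is flagged with low FP likelihood because its replies differ per probe, and the summary lands on REJECT; had the calculator returned the same error for every probe, the verdict would stay `vulnerable` but drop to `REVIEW`.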

bryan-anthropic and others added 3 commits March 5, 2026 09:52
…uditing

- Skip calculator injection tests on non-calculator tools (major FP reduction)
- Skip path traversal tests on HTTP/SSE transport (no filesystem to traverse)
- Add transportType to AssessmentContext for transport-aware security testing
- Add vulnerableHighConfidence and toolCategory fields to SecurityTestResult
- Add auditAnalysis to SecurityAssessment with pre-computed FP likelihood
- Add --audit-mode flag to CLI (runs only high-value modules)
- Add auditSummary to JSON output with recommendedAction for automation
- Fix stale pattern counts: 17/18 -> 13 in CLI help text and configs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Fix CLAUDE.md test counts (464 -> 696 total, 669 passing, 27 timeouts)
- Fix security pattern counts across docs: 17/18 -> 13 patterns
- Archive 6 orphan implementation plan docs to docs/archive/
- Replace mcp_spec_06-2025.md with mcp_spec_11-2025.md (latest spec)
- Add MCP spec reference link to CLAUDE.md Feature Documentation
- Fix pattern count in REVIEWER_QUICK_START.md (18 -> 13)
- Fix comment in securityPatternFactory.ts (17 -> 13)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>