@baichen_yu/mcp-guard 0.3.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,129 @@
+# mcp-guard
+
+[![CI](https://img.shields.io/github/actions/workflow/status/TomAs-1226/MCP-shariff/ci.yml?label=CI)](./.github/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/%40baichen_yu%2Fmcp-guard)](https://www.npmjs.com/package/@baichen_yu/mcp-guard)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](./LICENSE)
+
+Security auditing and policy gating for MCP servers (local + CI), with deterministic tests and Markdown/SARIF outputs.
+
+> Formerly **mcp-doctor**.
+
+> [!IMPORTANT]
+> Remote mode supports **HTTP JSON-RPC only** (`--http`). SSE is not implemented.
+
+## Package name
+
+- npm package: `@baichen_yu/mcp-guard` (scoped to avoid name collisions)
+- CLI command after install: `mcp-guard`
+- first scoped publish: `npm publish --access public`
+
+## 30-second quickstart
+
+### A) No install (npx)
+
+```bash
+npx @baichen_yu/mcp-guard audit --stdio "node fixtures/servers/hello-mcp-server/server.cjs" --out reports --fail-on off
+```
+
+### B) Global install
+
+```bash
+npm i -g @baichen_yu/mcp-guard
+mcp-guard --help
+```
+
+### C) GitHub Action (paste into workflow)
+
+```yaml
+jobs:
+  mcp-audit:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - uses: ./.github/actions/mcp-guard
+        with:
+          stdio_command: node fixtures/servers/hello-mcp-server/server.cjs
+          fail_on: high
+```
+
+## Report preview
+
+```text
+# MCP Guard Report
+- Risk score: 100/100
+- Key findings: 0
+- Contract tests: 6/6
+- Target: node fixtures/servers/hello-mcp-server/server.cjs (stdio)
+```
+
+## Architecture
+
+```mermaid
+graph LR
+  CLI[mcp-guard CLI] --> T[Transports: stdio/http]
+  T --> RPC[JSON-RPC]
+  RPC --> RULES[Rules + Profiles]
+  RULES --> REP[Reports: md/json/sarif]
+  REP --> GATE[Policy Gate (--fail-on)]
+  GATE --> CI[CI / Code Scanning]
+```
+
+## Commands
+
+```bash
+mcp-guard validate --stdio "node server.cjs" --profile default --out reports
+mcp-guard test --stdio "node server.cjs" --out reports
+mcp-guard audit --stdio "node server.cjs" --profile strict --fail-on medium --sarif reports/report.sarif
+mcp-guard audit --http "http://127.0.0.1:4010" --timeout-ms 30000 --fail-on off
+mcp-guard scan --repo . --format md --out reports
+mcp-guard registry lint registry/servers.yaml
+mcp-guard registry verify registry/servers.yaml --sample 5
+mcp-guard registry score registry/servers.yaml
+```
+
+## Docs site (GitHub Pages)
+
+- Docs URL pattern: `https://<owner>.github.io/MCP-shariff/`
+- One-time setup: GitHub repo **Settings → Pages → Source → GitHub Actions**
+- Deploy workflow: `.github/workflows/deploy-pages.yml`
+
+## Links
+
+- Docs: https://tomas-1226.github.io/MCP-shariff/
+- GitHub: https://github.com/TomAs-1226/MCP-shariff
+- npm: https://www.npmjs.com/package/@baichen_yu/mcp-guard
+
+## Troubleshooting
+
+- Node `>=20` required
+- On Windows, wrap `--stdio` command in double quotes
+- If startup is slow, increase `--timeout-ms`
+- HTTP target must accept JSON-RPC over POST
+
+## Releasing
+
+See [`docs/releasing.md`](docs/releasing.md) and [`RELEASE.md`](RELEASE.md).
+
+### Local release bundle script
+
+Use this helper to generate a release-ready tarball locally:
+
+```bash
+./scripts/build-release-local.sh
+```
+
+### Publishing troubleshooting
+
+Run `npm publish` from the project root that contains `package.json`.
+If you hit `ENOENT` for `package.json`, you are publishing from the wrong directory.
+
+## License
+
+MIT. See [`LICENSE`](LICENSE).

package/RELEASE.md

@@ -0,0 +1,21 @@
+# Release Checklist
+
+1. Freeze CLI/API flags for the target release.
+2. Set npm scope in `package.json` (`@<scope>/mcp-guard`) and verify package metadata.
+3. Run full checks:
+   - `npm run fixtures:gen`
+   - `npm run lint`
+   - `npm test`
+   - `npm run build`
+   - `npm run docs:build`
+   - `npm pack --dry-run`
+4. First scoped publish:
+   - `npm publish --access public`
+5. Tag + release:
+   - `git tag v0.3.0`
+   - `git push origin v0.3.0`
+6. Create GitHub Release notes with:
+   - highlights
+   - migration note (“formerly mcp-doctor”)
+   - limitation note (HTTP JSON-RPC only; no SSE)
+7. Confirm docs site is live on GitHub Pages.

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,257 @@
+#!/usr/bin/env node
+import { mkdir, readFile } from 'node:fs/promises';
+import { basename } from 'node:path';
+import { Command } from 'commander';
+import { HttpJsonRpcClient, StdioJsonRpcClient } from './mcp/jsonrpc.js';
+import { StdioTransport } from './mcp/transport_stdio.js';
+import { writeJsonReport } from './report/json.js';
+import { writeMarkdownReport } from './report/markdown.js';
+import { writeSarif } from './report/sarif.js';
+import { verifyRegistry, lintRegistry, parseRegistry } from './registry/validator.js';
+import { tuneFindingsForProfile } from './security/profiles.js';
+import { pathTraversalRule } from './security/rules/path_traversal.js';
+import { rawArgsRule } from './security/rules/raw_args.js';
+import { shellInjectionRule } from './security/rules/shell_injection.js';
+import { computeRiskScore } from './security/scorer.js';
+import { scanConfigs } from './scan/scanner.js';
+import { runCallToolTest } from './tests/contract/call_tool.js';
+import { runCancellationTest } from './tests/contract/cancellation.js';
+import { runErrorShapesTest } from './tests/contract/error_shapes.js';
+import { runLargePayloadTest } from './tests/contract/large_payload.js';
+import { runListToolsTest } from './tests/contract/list_tools.js';
+import { runTimeoutTest } from './tests/contract/timeout.js';
+import { runSchemaLints } from './validate/schema_lints.js';
+const program = new Command();
+function parseProfile(value) {
+    if (value === 'default' || value === 'strict' || value === 'paranoid')
+        return value;
+    throw new Error(`Invalid profile: ${value}`);
+}
+function parseFailOn(value) {
+    if (value === 'off' || value === 'low' || value === 'medium' || value === 'high')
+        return value;
+    throw new Error(`Invalid fail_on value: ${value}`);
+}
+function shouldFailByPolicy(findings, failOn) {
+    if (failOn === 'off')
+        return false;
+    const rank = { off: 99, low: 0, medium: 1, high: 2 };
+    const severityRank = { low: 0, medium: 1, high: 2 };
+    return findings.some((finding) => severityRank[finding.severity] >= rank[failOn]);
+}
+async function buildClient(options) {
+    if (!options.stdio && !options.http)
+        throw new Error('One of --stdio or --http is required.');
+    if (options.stdio && options.http)
+        throw new Error('Use only one transport: --stdio or --http.');
+    if (options.stdio) {
+        const transport = new StdioTransport();
+        await transport.start({ stdioCommand: options.stdio, silent: options.silent });
+        return { client: new StdioJsonRpcClient(transport, options.timeoutMs), target: options.stdio, transport: 'stdio' };
+    }
+    return { client: new HttpJsonRpcClient(options.http, options.timeoutMs), target: options.http, transport: 'http' };
+}
+async function executeSuite(params) {
+    const { client, target, transport } = await buildClient({ stdio: params.stdio, http: params.http, timeoutMs: params.timeoutMs, silent: false });
+    const findings = [];
+    let tools = [];
+    const tests = [];
+    let protocolVersion = 'unknown';
+    try {
+        const init = await client.request('initialize', {
+            clientInfo: { name: 'mcp-guard', version: '0.3.0' }
+        });
+        protocolVersion = init.protocolVersion ?? 'unknown';
+        const listResult = await runListToolsTest(client);
+        tools = listResult.tools;
+        if (params.runTests)
+            tests.push(listResult.result);
+        if (params.runTests) {
+            tests.push(await runCallToolTest(client));
+            tests.push(await runErrorShapesTest(client));
+            tests.push(await runCancellationTest(client));
+            tests.push(await runLargePayloadTest(client));
+            tests.push(await runTimeoutTest(client));
+        }
+        if (params.runAudit) {
+            findings.push(...runSchemaLints(tools, params.profile));
+            findings.push(...pathTraversalRule(tools));
+            findings.push(...shellInjectionRule(tools));
+            findings.push(...rawArgsRule(tools));
+        }
+    }
+    finally {
+        await client.close();
+    }
+    const tunedFindings = tuneFindingsForProfile(findings, params.profile);
+    const { score, breakdown } = computeRiskScore(tunedFindings, params.profile);
+    const report = {
+        server: { target, transport, protocolVersion },
+        tools,
+        findings: tunedFindings,
+        tests,
+        score,
+        scoreBreakdown: breakdown,
+        generatedAt: new Date().toISOString()
+    };
+    await mkdir(params.outDir, { recursive: true });
+    await writeJsonReport(report, params.outDir);
+    await writeMarkdownReport(report, params.outDir);
+    if (params.sarif) {
+        await writeSarif(tunedFindings, params.sarif);
+    }
+    if (tests.some((t) => !t.passed))
+        return 2;
+    if (shouldFailByPolicy(tunedFindings, params.failOn))
+        return 2;
+    if (tunedFindings.length > 0)
+        return 1;
+    return 0;
+}
+program
+    .name('mcp-guard')
+    .description('Validate, test, and security-audit MCP servers over STDIO or HTTP JSON-RPC')
+    .showHelpAfterError();
+for (const commandName of ['validate', 'test', 'audit']) {
+    program.command(commandName)
+        .description(`${commandName} an MCP server`)
+        .option('--stdio <cmd>', 'Command used to launch MCP server over stdio')
+        .option('--http <url>', 'HTTP JSON-RPC endpoint URL')
+        .option('--out <dir>', 'Output directory', 'reports')
+        .option('--sarif <file>', 'SARIF output file (mainly for audit)', 'reports/report.sarif')
+        .option('--profile <profile>', 'Rule profile: default|strict|paranoid', parseProfile, 'default')
+        .option('--timeout-ms <n>', 'Request timeout in milliseconds', (value) => Number(value), 30000)
+        .option('--fail-on <level>', 'Policy threshold: off|low|medium|high', parseFailOn, 'high')
+        .action(async (options) => {
+        const doTests = commandName === 'test' || commandName === 'audit';
+        const doAudit = commandName === 'audit' || commandName === 'validate';
+        const code = await executeSuite({
+            stdio: options.stdio,
+            http: options.http,
+            outDir: options.out,
+            runTests: doTests,
+            runAudit: doAudit,
+            sarif: options.sarif,
+            profile: options.profile,
+            timeoutMs: options.timeoutMs,
+            failOn: options.failOn
+        });
+        process.exit(code);
+    });
+}
+program.command('scan')
+    .description('Discover MCP server configs in local files and repositories')
+    .option('--repo <path>', 'Repository path to scan for known config files')
+    .option('--path <file>', 'Direct config file to parse')
+    .option('--format <format>', 'Output format: md|json|sarif', 'md')
+    .option('--out <dir>', 'Output directory', 'reports')
+    .action(async (options) => {
+    const result = await scanConfigs(options.repo, options.path);
+    for (const server of result.servers) {
+        if (server.transport !== 'stdio' || !server.rawCommand)
+            continue;
+        try {
+            const { client } = await buildClient({ stdio: server.rawCommand, timeoutMs: 1000, silent: true });
+            await client.request('initialize', { clientInfo: { name: 'mcp-guard-scan', version: '0.3.0' } }, 1000);
+            const listed = (await client.request('tools/list', undefined, 1000)).tools;
+            const localFindings = [
+                ...runSchemaLints(listed, 'default'),
+                ...pathTraversalRule(listed),
+                ...shellInjectionRule(listed),
+                ...rawArgsRule(listed)
+            ];
+            server.reachable = true;
+            server.findingsCount = localFindings.length;
+            await client.close();
+        }
+        catch {
+            server.reachable = false;
+        }
+    }
+    const output = {
+        generatedAt: new Date().toISOString(),
+        scannedPaths: result.scannedPaths,
+        servers: result.servers
+    };
+    await mkdir(options.out, { recursive: true });
+    if (options.format === 'json') {
+        await writeJsonReport(output, options.out, 'scan_report.json');
+    }
+    else if (options.format === 'sarif') {
+        await writeSarif([], `${options.out}/scan_report.sarif`);
+    }
+    else {
+        const pseudoReport = {
+            server: { target: options.repo ?? options.path ?? '.', transport: 'stdio' },
+            tools: [],
+            findings: [],
+            tests: [],
+            score: 100,
+            scoreBreakdown: [],
+            generatedAt: new Date().toISOString()
+        };
+        await writeMarkdownReport(pseudoReport, options.out, 'scan_report.md');
+        const lines = ['# Scan Report', '', '| Source | Name | Transport | Reachable | Findings | Command |', '| --- | --- | --- | --- | --- | --- |'];
+        for (const server of result.servers) {
+            lines.push(`| ${server.source} | ${server.name} | ${server.transport} | ${server.reachable ?? false} | ${server.findingsCount ?? '-'} | ${server.command ?? ''} |`);
+        }
+        await import('node:fs/promises').then((fs) => fs.writeFile(`${options.out}/scan_report.md`, `${lines.join('\n')}\n`, 'utf8'));
+    }
+    // eslint-disable-next-line no-console
+    console.log(`Discovered ${result.servers.length} server definitions`);
+    process.exit(0);
+});
+const registry = program.command('registry').description('Registry utilities');
+registry.command('lint')
+    .description('Validate registry schema and metadata')
+    .argument('<file>', 'Registry yaml file')
+    .action(async (file) => {
+    const raw = await readFile(file, 'utf8');
+    const issues = lintRegistry(raw);
+    if (issues.length === 0) {
+        // eslint-disable-next-line no-console
+        console.log(`Registry lint ok: ${parseRegistry(raw).length} entries`);
+        process.exit(0);
+    }
+    for (const issue of issues) {
+        // eslint-disable-next-line no-console
+        console.log(`${issue.severity.toUpperCase()} L${issue.line}: ${issue.message}`);
+    }
+    process.exit(issues.some((issue) => issue.severity === 'error') ? 2 : 1);
+});
+registry.command('score')
+    .description('Write local registry scoreboard')
+    .argument('<file>', 'Registry yaml file')
+    .action(async (file) => {
+    const raw = await readFile(file, 'utf8');
+    const entries = parseRegistry(raw);
+    const rows = ['# Registry Scoreboard', '', '| Server | Score |', '| --- | --- |'];
+    for (const entry of entries) {
+        const score = entry.permissions && entry.permissions.length > 0 ? 90 : 70;
+        rows.push(`| ${String(entry.name ?? basename(file))} | ${score} |`);
+    }
+    await mkdir('results', { recursive: true });
+    await import('node:fs/promises').then((fs) => fs.writeFile('results/scoreboard.md', `${rows.join('\n')}\n`, 'utf8'));
+    // eslint-disable-next-line no-console
+    console.log('Wrote results/scoreboard.md');
+    process.exit(0);
+});
+registry.command('verify')
+    .description('Offline validation for completeness and unsafe command patterns')
+    .argument('<file>', 'Registry yaml file')
+    .option('--sample <n>', 'Number of entries to verify', (value) => Number(value), 5)
+    .action(async (file, options) => {
+    const raw = await readFile(file, 'utf8');
+    const issues = verifyRegistry(raw, options.sample);
+    if (issues.length === 0) {
+        // eslint-disable-next-line no-console
+        console.log('Registry verify passed with no issues');
+        process.exit(0);
+    }
+    for (const issue of issues) {
+        // eslint-disable-next-line no-console
+        console.log(`${issue.severity.toUpperCase()} L${issue.line}: ${issue.message}`);
+    }
+    process.exit(issues.some((issue) => issue.severity === 'error') ? 2 : 1);
+});
+program.parseAsync(process.argv);

package/dist/mcp/jsonrpc.d.ts

@@ -0,0 +1,23 @@
+import { StdioTransport } from './transport_stdio.js';
+import { NormalizedError, RpcClient } from './types.js';
+export declare class StdioJsonRpcClient implements RpcClient {
+    private readonly transport;
+    private readonly timeoutMs;
+    private nextId;
+    private pending;
+    constructor(transport: StdioTransport, timeoutMs?: number);
+    request<T>(method: string, params?: unknown, timeoutOverrideMs?: number): Promise<T>;
+    normalizeError(error: unknown): NormalizedError;
+    close(): Promise<void>;
+    private handleLine;
+}
+export declare class HttpJsonRpcClient implements RpcClient {
+    private readonly url;
+    private readonly timeoutMs;
+    private nextId;
+    constructor(url: string, timeoutMs?: number);
+    request<T>(method: string, params?: unknown, timeoutOverrideMs?: number): Promise<T>;
+    normalizeError(error: unknown): NormalizedError;
+    close(): Promise<void>;
+}
+export declare function normalizeError(error: unknown): NormalizedError;

package/dist/mcp/jsonrpc.js

@@ -0,0 +1,124 @@
+export class StdioJsonRpcClient {
+    transport;
+    timeoutMs;
+    nextId = 1;
+    pending = new Map();
+    constructor(transport, timeoutMs = 5000) {
+        this.transport = transport;
+        this.timeoutMs = timeoutMs;
+        this.transport.onLine((line) => this.handleLine(line));
+    }
+    async request(method, params, timeoutOverrideMs) {
+        const id = this.nextId++;
+        const payload = {
+            jsonrpc: '2.0',
+            id,
+            method,
+            params
+        };
+        return new Promise((resolve, reject) => {
+            const timer = setTimeout(() => {
+                this.pending.delete(id);
+                reject(new Error(`Request timed out: ${method}`));
+            }, timeoutOverrideMs ?? this.timeoutMs);
+            this.pending.set(id, { resolve: resolve, reject, timer });
+            this.transport.send(JSON.stringify(payload));
+        });
+    }
+    normalizeError(error) {
+        return normalizeError(error);
+    }
+    async close() {
+        await this.transport.stop();
+    }
+    handleLine(line) {
+        let parsed;
+        try {
+            parsed = JSON.parse(line);
+        }
+        catch {
+            return;
+        }
+        const pending = this.pending.get(parsed.id);
+        if (!pending) {
+            return;
+        }
+        clearTimeout(pending.timer);
+        this.pending.delete(parsed.id);
+        if ('error' in parsed) {
+            const err = parsed.error;
+            pending.reject(err);
+            return;
+        }
+        pending.resolve(parsed.result);
+    }
+}
+export class HttpJsonRpcClient {
+    url;
+    timeoutMs;
+    nextId = 1;
+    constructor(url, timeoutMs = 5000) {
+        this.url = url;
+        this.timeoutMs = timeoutMs;
+    }
+    async request(method, params, timeoutOverrideMs) {
+        const id = this.nextId++;
+        const payload = { jsonrpc: '2.0', id, method, params };
+        const maxAttempts = 3;
+        for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), timeoutOverrideMs ?? this.timeoutMs);
+            try {
+                const response = await fetch(this.url, {
+                    method: 'POST',
+                    headers: { 'content-type': 'application/json' },
+                    body: JSON.stringify(payload),
+                    signal: controller.signal
+                });
+                const parsed = (await response.json());
+                if ('error' in parsed) {
+                    throw parsed.error;
+                }
+                return parsed.result;
+            }
+            catch (error) {
+                if (attempt === maxAttempts || !(error instanceof Error) || !error.message.includes('fetch')) {
+                    throw error;
+                }
+                const backoff = 50 * 2 ** (attempt - 1);
+                await new Promise((resolve) => setTimeout(resolve, backoff));
+            }
+            finally {
+                clearTimeout(timeout);
+            }
+        }
+        throw new Error('Unreachable retry state');
+    }
+    normalizeError(error) {
+        return normalizeError(error);
+    }
+    async close() {
+        await Promise.resolve();
+    }
+}
+export function normalizeError(error) {
+    if (typeof error === 'object' && error !== null && 'code' in error && 'message' in error) {
+        const err = error;
+        return {
+            code: Number(err.code),
+            message: String(err.message),
+            data: err.data
+        };
+    }
+    if (error instanceof Error) {
+        return {
+            code: -32000,
+            message: error.message
+        };
+    }
+    return {
+        code: -32001,
+        message: 'Unknown error',
+        data: error
+    };
+}

package/dist/mcp/transport_stdio.d.ts

@@ -0,0 +1,10 @@
+import { ServerConfig } from './types.js';
+export declare class StdioTransport {
+    private proc;
+    private buffer;
+    private listeners;
+    start(config: ServerConfig): Promise<void>;
+    onLine(cb: (line: string) => void): void;
+    send(line: string): void;
+    stop(): Promise<void>;
+}

package/dist/mcp/transport_stdio.js

@@ -0,0 +1,69 @@
+import { spawn } from 'node:child_process';
+import { once } from 'node:events';
+export class StdioTransport {
+    proc = null;
+    buffer = '';
+    listeners = [];
+    async start(config) {
+        if (this.proc) {
+            throw new Error('Transport already started');
+        }
+        if (!config.stdioCommand) {
+            throw new Error('stdioCommand is required for StdioTransport');
+        }
+        const env = { ...process.env, ...(config.env ?? {}) };
+        const proc = spawn(config.stdioCommand, {
+            cwd: config.cwd,
+            env,
+            shell: true,
+            stdio: ['pipe', 'pipe', 'pipe']
+        });
+        this.proc = proc;
+        proc.stdout.on('data', (chunk) => {
+            this.buffer += chunk.toString('utf8');
+            let idx = this.buffer.indexOf('\n');
+            while (idx >= 0) {
+                const line = this.buffer.slice(0, idx).trim();
+                this.buffer = this.buffer.slice(idx + 1);
+                if (line) {
+                    this.listeners.forEach((cb) => cb(line));
+                }
+                idx = this.buffer.indexOf('\n');
+            }
+        });
+        proc.stderr.on('data', (chunk) => {
+            const message = chunk.toString('utf8').trim();
+            if (!config.silent && message.length > 0) {
+                // eslint-disable-next-line no-console
+                console.error(`[server stderr] ${message}`);
+            }
+        });
+        proc.once('exit', (code, signal) => {
+            if (!config.silent && code !== 0 && signal !== 'SIGTERM') {
+                // eslint-disable-next-line no-console
+                console.error(`Server exited unexpectedly (code=${code}, signal=${signal})`);
+            }
+        });
+        await once(proc, 'spawn');
+    }
+    onLine(cb) {
+        this.listeners.push(cb);
+    }
+    send(line) {
+        if (!this.proc) {
+            throw new Error('Transport not started');
+        }
+        this.proc.stdin.write(`${line}\n`);
+    }
+    async stop() {
+        if (!this.proc) {
+            return;
+        }
+        const proc = this.proc;
+        this.proc = null;
+        proc.kill('SIGTERM');
+        const timeout = setTimeout(() => proc.kill('SIGKILL'), 1000);
+        await once(proc, 'exit').catch(() => undefined);
+        clearTimeout(timeout);
+    }
+}