@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/helpers/analyzer.js

@@ -1,10 +1,14 @@
 import { lstatSync, readdirSync, readFileSync } from "node:fs";
 import { basename, isAbsolute, join, relative, resolve } from "node:path";
 import process from "node:process";
+import { URL } from "node:url";
 
 import { parse } from "@babel/parser";
 import traverse from "@babel/traverse";
 
+import { classifyMcpReference } from "./mcp.js";
+import { isLocalHost, sanitizeMcpRefToken } from "./mcpDiscovery.js";
+
 const IGNORE_DIRS = process.env.ASTGEN_IGNORE_DIRS
   ? process.env.ASTGEN_IGNORE_DIRS.split(",")
   : [
@@ -1355,3 +1359,1768 @@ export const detectExtensionCapabilities = (src, deep = false) => {
   }
   return { capabilities: capabilityList, indicators: indicatorMap };
 };
+
+const MCP_STDIO_TRANSPORT_NAMES = new Set(["StdioServerTransport"]);
+const MCP_HTTP_TRANSPORT_NAMES = new Set([
+  "NodeStreamableHTTPServerTransport",
+  "StreamableHTTPServerTransport",
+]);
+const MCP_STDIO_CLIENT_TRANSPORT_NAMES = new Set(["StdioClientTransport"]);
+const MCP_HTTP_CLIENT_TRANSPORT_NAMES = new Set([
+  "NodeStreamableHTTPClientTransport",
+  "StreamableHTTPClientTransport",
+  "SSEClientTransport",
+]);
+const MCP_AUTH_HELPERS = new Set([
+  "requireBearerAuth",
+  "mcpAuthMetadataRouter",
+  "createProtectedResourceMetadataRouter",
+  "setupAuthServer",
+]);
+const MCP_APP_FACTORIES = new Set(["createMcpExpressApp"]);
+const MCP_CLIENT_CONSTRUCTOR_NAMES = new Set([
+  "Client",
+  "MCPClient",
+  "McpClient",
+]);
+const MCP_ROUTE_METHODS = new Set([
+  "all",
+  "delete",
+  "get",
+  "patch",
+  "post",
+  "put",
+  "use",
+]);
+const MCP_CAPABILITY_FLAGS = new Set(["listChanged", "subscribe"]);
+const MCP_CLIENT_USAGE_METHODS = new Set([
+  "callTool",
+  "complete",
+  "connect",
+  "getPrompt",
+  "listPrompts",
+  "listResources",
+  "listTools",
+  "readResource",
+  "subscribe",
+]);
+const MCP_NETWORK_METHODS = new Set([
+  "fetch",
+  "get",
+  "patch",
+  "post",
+  "put",
+  "request",
+]);
+const MCP_PROVIDER_IMPORT_PATTERNS = [
+  ["anthropic", /^(?:@anthropic-ai\/sdk|anthropic)$/i],
+  ["openai", /^(?:openai|@openai\/agents)$/i],
+  [
+    "google",
+    /^(?:@google\/genai|@google\/generative-ai|google-generativeai)$/i,
+  ],
+  ["mistral", /^@mistralai\/mistralai$/i],
+  ["deepseek", /^deepseek$/i],
+  ["ollama", /^ollama$/i],
+  ["groq", /^groq-sdk$/i],
+];
+const MCP_PROVIDER_HOST_PATTERNS = [
+  ["anthropic", /(?:^|\.)anthropic\.com$/i],
+  ["openai", /(?:^|\.)openai\.com$/i],
+  ["google", /(?:^|\.)googleapis\.com$/i],
+  ["google", /(?:^|\.)generativelanguage\.googleapis\.com$/i],
+  ["mistral", /(?:^|\.)mistral\.ai$/i],
+  ["deepseek", /(?:^|\.)deepseek\.com$/i],
+  ["ollama", /(?:^|\.)ollama\.com$/i],
+  ["groq", /(?:^|\.)groq\.com$/i],
+];
+
+const providerFamilyFromImportSource = (sourceValue) => {
+  if (!sourceValue) {
+    return undefined;
+  }
+  return MCP_PROVIDER_IMPORT_PATTERNS.find(([, pattern]) =>
+    pattern.test(sourceValue),
+  )?.[0];
+};
+
+const providerFamilyFromHost = (hostname) => {
+  if (!hostname) {
+    return undefined;
+  }
+  return MCP_PROVIDER_HOST_PATTERNS.find(([, pattern]) =>
+    pattern.test(hostname),
+  )?.[0];
+};
+
+const modelFamilyFromModelName = (modelName) => {
+  const normalized = String(modelName || "").toLowerCase();
+  if (!normalized) {
+    return undefined;
+  }
+  if (normalized.includes("claude")) {
+    return "claude";
+  }
+  if (normalized.includes("gpt") || /^o[13](?:$|[-:])/u.test(normalized)) {
+    return "gpt";
+  }
+  if (normalized.includes("gemini")) {
+    return "gemini";
+  }
+  if (normalized.includes("llama")) {
+    return "llama";
+  }
+  if (normalized.includes("mistral")) {
+    return "mistral";
+  }
+  if (normalized.includes("command")) {
+    return "command";
+  }
+  if (normalized.includes("deepseek")) {
+    return "deepseek";
+  }
+  if (normalized.includes("qwen")) {
+    return "qwen";
+  }
+  return normalized.split(/[:/,-]/u)[0] || undefined;
+};
+
+const providerFamilyFromModelName = (modelName) => {
+  const normalized = String(modelName || "").toLowerCase();
+  if (normalized.includes("claude")) {
+    return "anthropic";
+  }
+  if (normalized.includes("gpt") || /^o[13](?:$|[-:])/u.test(normalized)) {
+    return "openai";
+  }
+  if (normalized.includes("gemini")) {
+    return "google";
+  }
+  if (normalized.includes("mistral")) {
+    return "mistral";
+  }
+  if (normalized.includes("deepseek")) {
+    return "deepseek";
+  }
+  if (normalized.includes("llama")) {
+    return "meta";
+  }
+  return undefined;
+};
+
+const addUniqueProperty = (properties, name, value) => {
+  if (value === undefined || value === null || value === "") {
+    return;
+  }
+  if (properties.some((prop) => prop.name === name && prop.value === value)) {
+    return;
+  }
+  properties.push({ name, value });
+};
+
+const rootMemberName = (value) => String(value || "").split(".")[0];
+
+const classifyUrlValue = (urlValue) => {
+  if (!urlValue || typeof urlValue !== "string") {
+    return undefined;
+  }
+  if (urlValue.startsWith("/")) {
+    return {
+      exposureType: "local-only",
+      hostname: undefined,
+      isMcpEndpoint: urlValue.toLowerCase().includes("/mcp"),
+      isPublic: false,
+      normalized: urlValue,
+      providerFamily: undefined,
+    };
+  }
+  try {
+    const parsed = new URL(urlValue);
+    const hostname = parsed.hostname.toLowerCase();
+    const isPublic = !isLocalHost(hostname);
+    return {
+      exposureType: isPublic ? "networked-public" : "local-only",
+      hostname,
+      isMcpEndpoint:
+        parsed.pathname.toLowerCase().includes("/mcp") ||
+        hostname.includes("modelcontextprotocol"),
+      isPublic,
+      normalized: parsed.toString(),
+      providerFamily: providerFamilyFromHost(hostname),
+    };
+  } catch {
+    return undefined;
+  }
+};
+
+const getUrlStringValue = (node, urlLiteralByAlias) => {
+  const literalValue = getLiteralStringValue(node);
+  if (literalValue) {
+    return literalValue;
+  }
+  if (node?.type === "Identifier") {
+    return urlLiteralByAlias.get(node.name);
+  }
+  if (
+    node?.type === "NewExpression" &&
+    node.callee?.type === "Identifier" &&
+    node.callee.name === "URL"
+  ) {
+    return getLiteralStringValue(node.arguments?.[0]);
+  }
+  return undefined;
+};
+
+const recordMcpProvider = (serviceInfo, providerName) => {
+  if (!providerName) {
+    return;
+  }
+  serviceInfo.providerNames.add(providerName);
+  serviceInfo.providerFamilies.add(providerName);
+};
+
+const recordMcpModel = (serviceInfo, modelName) => {
+  if (!modelName) {
+    return;
+  }
+  serviceInfo.modelNames.add(modelName);
+  const modelFamily = modelFamilyFromModelName(modelName);
+  if (modelFamily) {
+    serviceInfo.modelFamilies.add(modelFamily);
+  }
+  const providerFamily = providerFamilyFromModelName(modelName);
+  if (providerFamily) {
+    serviceInfo.providerFamilies.add(providerFamily);
+  }
+};
+
+const recordUrlUsage = (
+  serviceInfo,
+  urlValue,
+  usageSignal,
+  trackEndpoint = false,
+) => {
+  const classified = classifyUrlValue(urlValue);
+  if (!classified) {
+    return;
+  }
+  if (trackEndpoint || classified.isMcpEndpoint) {
+    serviceInfo.endpoints.add(classified.normalized);
+  }
+  if (classified.hostname) {
+    serviceInfo.outboundHosts.add(classified.hostname);
+    if (classified.providerFamily) {
+      serviceInfo.providerFamilies.add(classified.providerFamily);
+    }
+  }
+  if (classified.isMcpEndpoint) {
+    serviceInfo.serviceKinds.add("client");
+  }
+  if (classified.isPublic) {
+    serviceInfo.publicNetwork = true;
+  }
+  if (classified.exposureType === "local-only") {
+    serviceInfo.localOnlySignals += 1;
+  }
+  if (usageSignal) {
+    serviceInfo.usageSignals.add(usageSignal);
+  }
+};
+
+const mcpFileBaseName = (fileRelativeLoc) =>
+  basename(fileRelativeLoc).replace(
+    /\.(js|jsx|cjs|mjs|ts|tsx|vue|svelte)$/i,
+    "",
+  );
+
+const objectExpressionProperty = (astNode, propertyName) => {
+  if (!astNode || astNode.type !== "ObjectExpression") {
+    return undefined;
+  }
+  return (astNode.properties || []).find((prop) => {
+    if (prop.type !== "ObjectProperty") {
+      return false;
+    }
+    return getMemberExpressionPropertyName(prop.key) === propertyName;
+  });
+};
+
+const objectExpressionStringValue = (astNode, propertyName) =>
+  getLiteralStringValue(objectExpressionProperty(astNode, propertyName)?.value);
+
+const ensureMcpService = (servicesByKey, file, fileRelativeLoc) => {
+  if (!servicesByKey.has(fileRelativeLoc)) {
+    servicesByKey.set(fileRelativeLoc, {
+      file,
+      fileRelativeLoc,
+      name: `${mcpFileBaseName(fileRelativeLoc)}-mcp-server`,
+      version: "latest",
+      description: undefined,
+      endpoints: new Set(),
+      transports: new Set(),
+      capabilities: new Set(),
+      capabilityFlags: new Map(),
+      sdkImports: new Set(),
+      officialSdk: undefined,
+      authenticated: undefined,
+      xTrustBoundary: undefined,
+      modelNames: new Set(),
+      modelFamilies: new Set(),
+      providerNames: new Set(),
+      providerFamilies: new Set(),
+      outboundHosts: new Set(),
+      usageSignals: new Set(),
+      serviceKinds: new Set(),
+      authModes: new Set(),
+      publicNetwork: false,
+      localOnlySignals: 0,
+      authMetadata: new Map(),
+      primitives: [],
+      sourceLine: undefined,
+    });
+  }
+  return servicesByKey.get(fileRelativeLoc);
+};
+
+const registerCapabilityObject = (serviceInfo, capabilitiesNode) => {
+  if (!capabilitiesNode || capabilitiesNode.type !== "ObjectExpression") {
+    return;
+  }
+  for (const prop of capabilitiesNode.properties || []) {
+    if (prop.type !== "ObjectProperty") {
+      continue;
+    }
+    const capabilityName = getMemberExpressionPropertyName(prop.key);
+    if (!capabilityName) {
+      continue;
+    }
+    serviceInfo.capabilities.add(capabilityName);
+    if (prop.value?.type !== "ObjectExpression") {
+      continue;
+    }
+    for (const nestedProp of prop.value.properties || []) {
+      if (nestedProp.type !== "ObjectProperty") {
+        continue;
+      }
+      const nestedName = getMemberExpressionPropertyName(nestedProp.key);
+      if (!nestedName || !MCP_CAPABILITY_FLAGS.has(nestedName)) {
+        continue;
+      }
+      if (nestedProp.value?.type === "BooleanLiteral") {
+        serviceInfo.capabilityFlags.set(
+          `${capabilityName}.${nestedName}`,
+          String(nestedProp.value.value),
+        );
+      }
+    }
+  }
+};
+
+const recordMcpSdkImport = (serviceInfo, sourceValue) => {
+  const classification = classifyMcpReference(sourceValue);
+  if (!classification.isMcp) {
+    return;
+  }
+  serviceInfo.sdkImports.add(sourceValue);
+  serviceInfo.usageSignals.add("mcp-sdk-import");
+  if (classification.isOfficial) {
+    serviceInfo.officialSdk = true;
+  } else if (typeof serviceInfo.officialSdk === "undefined") {
+    serviceInfo.officialSdk = false;
+  }
+};
+
+const recordMcpModelProperty = (serviceInfo, propertyNode) => {
+  const propertyName = getMemberExpressionPropertyName(propertyNode?.key);
+  if (!propertyName) {
+    return;
+  }
+  if (["model", "modelName"].includes(propertyName)) {
+    const modelValue = getLiteralStringValue(propertyNode.value);
+    recordMcpModel(serviceInfo, modelValue);
+  }
+  if (["provider", "providerName"].includes(propertyName)) {
+    const providerValue = getLiteralStringValue(propertyNode.value);
+    recordMcpProvider(serviceInfo, providerValue);
+  }
+  if (
+    ["endpoint", "baseUrl", "baseURL", "resourceServerUrl", "url"].includes(
+      propertyName,
+    )
+  ) {
+    const urlValue = getLiteralStringValue(propertyNode.value);
+    if (urlValue) {
+      recordUrlUsage(serviceInfo, urlValue, "configured-url");
+    }
+  }
+};
+
+const extractAuthMetadata = (astNode) => {
+  if (!astNode || astNode.type !== "ObjectExpression") {
+    return {};
+  }
+  return {
+    authorizationEndpoint: objectExpressionStringValue(
+      astNode,
+      "authorization_endpoint",
+    ),
+    issuer: objectExpressionStringValue(astNode, "issuer"),
+    tokenEndpoint: objectExpressionStringValue(astNode, "token_endpoint"),
+  };
+};
+
+const extractServerDefinition = (astNode) => {
+  const name = objectExpressionStringValue(astNode, "name");
+  const version = objectExpressionStringValue(astNode, "version");
+  const description =
+    objectExpressionStringValue(astNode, "instructions") ||
+    objectExpressionStringValue(astNode, "description");
+  return { description, name, version };
+};
+
+const recordAuthMetadata = (serviceInfo, metadata) => {
+  if (!metadata || typeof metadata !== "object") {
+    return;
+  }
+  if (metadata.authorizationEndpoint) {
+    serviceInfo.authMetadata.set(
+      "authorization_endpoint",
+      metadata.authorizationEndpoint,
+    );
+  }
+  if (metadata.issuer) {
+    serviceInfo.authMetadata.set("issuer", metadata.issuer);
+  }
+  if (metadata.tokenEndpoint) {
+    serviceInfo.authMetadata.set("token_endpoint", metadata.tokenEndpoint);
+  }
+};
+
+const primitiveComponentForMcp = (serviceInfo, primitive) => {
+  const primitiveName = primitive.name || primitive.uri || primitive.role;
+  const serviceToken = sanitizeMcpRefToken(serviceInfo.name);
+  const primitiveToken = sanitizeMcpRefToken(primitiveName);
+  const primitiveRef = `urn:mcp:${primitive.role}:${serviceToken}:${primitiveToken}`;
+  const properties = [
+    { name: "SrcFile", value: serviceInfo.file },
+    { name: "cdx:mcp:role", value: primitive.role },
+    { name: "cdx:mcp:serviceRef", value: serviceInfo["bom-ref"] },
+  ];
+  if (primitive.description) {
+    addUniqueProperty(properties, "cdx:mcp:description", primitive.description);
+  }
+  if (primitive.uri) {
+    addUniqueProperty(properties, "cdx:mcp:resourceUri", primitive.uri);
+  }
+  if (primitive.sourceLine) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:sourceLine",
+      String(primitive.sourceLine),
+    );
+  }
+  if (primitive.annotations) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:toolAnnotations",
+      JSON.stringify(primitive.annotations),
+    );
+  }
+  return {
+    "bom-ref": primitiveRef,
+    description:
+      primitive.description ||
+      `${primitive.role} exposed by ${serviceInfo.name || "mcp-server"}`,
+    name: primitiveName,
+    properties,
+    scope: "required",
+    tags: ["mcp", `mcp-${primitive.role}`],
+    type: "application",
+    version: serviceInfo.version || "latest",
+  };
+};
+
+const inferMcpServiceType = (serviceInfo) => {
+  const hasServerSignals =
+    serviceInfo.serviceKinds.has("server") ||
+    serviceInfo.primitives.length > 0 ||
+    serviceInfo.capabilities.size > 0;
+  const hasClientSignals =
+    serviceInfo.serviceKinds.has("client") ||
+    serviceInfo.outboundHosts.size > 0 ||
+    serviceInfo.usageSignals.has("client-constructor");
+  if (hasServerSignals && hasClientSignals) {
+    return "gateway";
+  }
+  if (hasServerSignals) {
+    return "server";
+  }
+  if (hasClientSignals) {
+    return "client";
+  }
+  return "endpoint";
+};
+
+const inferMcpUsageConfidence = (serviceInfo) => {
+  if (
+    serviceInfo.usageSignals.has("server-constructor") ||
+    serviceInfo.usageSignals.has("client-constructor") ||
+    serviceInfo.usageSignals.has("registered-tool") ||
+    serviceInfo.usageSignals.has("registered-resource")
+  ) {
+    return "high";
+  }
+  if (
+    serviceInfo.outboundHosts.size ||
+    serviceInfo.providerFamilies.size ||
+    serviceInfo.modelNames.size
+  ) {
+    return "medium";
+  }
+  return "low";
+};
+
+const inferMcpExposureType = (serviceInfo) => {
+  if (serviceInfo.publicNetwork) {
+    return "networked-public";
+  }
+  if (serviceInfo.endpoints.size) {
+    return "local-only";
+  }
+  if (serviceInfo.outboundHosts.size) {
+    return "outbound-only";
+  }
+  return "code-only";
+};
+
+const inferMcpAuthMode = (serviceInfo) => {
+  const authModes = new Set(serviceInfo.authModes);
+  if (serviceInfo.authMetadata.size) {
+    authModes.add("oauth-metadata");
+  }
+  if (serviceInfo.authenticated === true && !authModes.size) {
+    authModes.add("authenticated");
+  }
+  if (
+    serviceInfo.authenticated === false &&
+    serviceInfo.transports.has("streamable-http")
+  ) {
+    authModes.add("none");
+  }
+  return Array.from(authModes).sort().join(",");
+};
+
+const inferMcpReviewNeeded = (serviceInfo, serviceType, exposureType) =>
+  serviceInfo.officialSdk === false ||
+  exposureType === "networked-public" ||
+  serviceType === "gateway" ||
+  (serviceType === "client" && serviceInfo.outboundHosts.size > 0);
+
+const serviceObjectForMcp = (serviceInfo) => {
+  const serviceName = serviceInfo.name || "mcp-server";
+  const serviceVersion = serviceInfo.version || "latest";
+  const serviceRef = `urn:service:mcp:${sanitizeMcpRefToken(serviceName)}:${sanitizeMcpRefToken(serviceVersion)}`;
+  const properties = [{ name: "SrcFile", value: serviceInfo.file }];
+  const serviceType = inferMcpServiceType(serviceInfo);
+  const usageConfidence = inferMcpUsageConfidence(serviceInfo);
+  const exposureType = inferMcpExposureType(serviceInfo);
+  const authMode = inferMcpAuthMode(serviceInfo);
+  const reviewNeeded = inferMcpReviewNeeded(
+    serviceInfo,
+    serviceType,
+    exposureType,
+  );
+  addUniqueProperty(properties, "cdx:mcp:serviceType", serviceType);
+  addUniqueProperty(
+    properties,
+    "cdx:mcp:inventorySource",
+    "source-code-analysis",
+  );
+  addUniqueProperty(properties, "cdx:mcp:usageConfidence", usageConfidence);
+  addUniqueProperty(properties, "cdx:mcp:exposureType", exposureType);
+  if (serviceInfo.transports.size) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:transport",
+      Array.from(serviceInfo.transports).sort().join(","),
+    );
+  }
+  addUniqueProperty(
+    properties,
+    "cdx:mcp:officialSdk",
+    serviceInfo.officialSdk === true ? "true" : "false",
+  );
+  for (const capability of Array.from(serviceInfo.capabilities).sort()) {
+    addUniqueProperty(properties, `cdx:mcp:capabilities:${capability}`, "true");
+  }
+  for (const [flagName, flagValue] of Array.from(
+    serviceInfo.capabilityFlags.entries(),
+  ).sort((a, b) => a[0].localeCompare(b[0]))) {
+    addUniqueProperty(
+      properties,
+      `cdx:mcp:capabilities:${flagName}`,
+      flagValue,
+    );
+  }
+  if (serviceInfo.sdkImports.size) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:sdkImports",
+      Array.from(serviceInfo.sdkImports).sort().join(","),
+    );
+  }
+  if (serviceInfo.modelNames.size) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:modelNames",
+      Array.from(serviceInfo.modelNames).sort().join(","),
+    );
+  }
+  if (serviceInfo.modelFamilies.size) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:modelFamilies",
+      Array.from(serviceInfo.modelFamilies).sort().join(","),
+    );
+  }
+  if (serviceInfo.providerNames.size) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:providerNames",
+      Array.from(serviceInfo.providerNames).sort().join(","),
+    );
+  }
+  if (serviceInfo.providerFamilies.size) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:providerFamilies",
+      Array.from(serviceInfo.providerFamilies).sort().join(","),
+    );
+  }
+  if (serviceInfo.outboundHosts.size) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:outboundHosts",
+      Array.from(serviceInfo.outboundHosts).sort().join(","),
+    );
+  }
+  if (serviceInfo.usageSignals.size) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:usageSignals",
+      Array.from(serviceInfo.usageSignals).sort().join(","),
+    );
+  }
+  if (authMode) {
+    addUniqueProperty(properties, "cdx:mcp:authMode", authMode);
+  }
+  if (reviewNeeded) {
+    addUniqueProperty(properties, "cdx:mcp:reviewNeeded", "true");
+  }
+  for (const [metadataKey, metadataValue] of Array.from(
+    serviceInfo.authMetadata.entries(),
+  ).sort((a, b) => a[0].localeCompare(b[0]))) {
+    addUniqueProperty(properties, `cdx:mcp:auth:${metadataKey}`, metadataValue);
+  }
+  addUniqueProperty(
+    properties,
+    "cdx:mcp:toolCount",
+    String(
+      serviceInfo.primitives.filter((item) => item.role === "tool").length,
+    ),
+  );
+  addUniqueProperty(
+    properties,
+    "cdx:mcp:promptCount",
+    String(
+      serviceInfo.primitives.filter((item) => item.role === "prompt").length,
+    ),
+  );
+  addUniqueProperty(
+    properties,
+    "cdx:mcp:resourceCount",
+    String(
+      serviceInfo.primitives.filter((item) =>
+        ["resource", "resource-template"].includes(item.role),
+      ).length,
+    ),
+  );
+  if (serviceInfo.sourceLine) {
+    addUniqueProperty(
+      properties,
+      "cdx:mcp:sourceLine",
+      String(serviceInfo.sourceLine),
+    );
+  }
+  serviceInfo["bom-ref"] = serviceRef;
+  return {
+    "bom-ref": serviceRef,
+    authenticated: serviceInfo.authenticated,
+    description: serviceInfo.description,
+    endpoints: Array.from(serviceInfo.endpoints).sort(),
+    group: "mcp",
+    name: serviceName,
+    properties,
+    version: serviceVersion,
+    "x-trust-boundary": serviceInfo.xTrustBoundary,
+  };
+};
+
+const buildMcpInventoryFromServices = (servicesByKey) => {
+  const services = [];
+  const components = [];
+  const dependencies = [];
+  for (const serviceInfo of servicesByKey.values()) {
+    if (
+      !serviceInfo.primitives.length &&
+      !serviceInfo.transports.size &&
+      !serviceInfo.endpoints.size &&
+      !serviceInfo.capabilities.size &&
+      !serviceInfo.sourceLine &&
+      !serviceInfo.outboundHosts.size &&
+      !serviceInfo.usageSignals.size
+    ) {
+      continue;
+    }
+    if (
+      serviceInfo.endpoints.size &&
+      !serviceInfo.transports.has("stdio") &&
+      !serviceInfo.transports.size
+    ) {
+      serviceInfo.transports.add("streamable-http");
+    }
+    if (
+      serviceInfo.transports.has("streamable-http") &&
+      typeof serviceInfo.authenticated === "undefined"
+    ) {
+      serviceInfo.authenticated = false;
+    }
+    const service = serviceObjectForMcp(serviceInfo);
+    services.push(service);
+    const providedRefs = [];
+    for (const primitive of serviceInfo.primitives) {
+      const component = primitiveComponentForMcp(serviceInfo, primitive);
+      components.push(component);
+      providedRefs.push(component["bom-ref"]);
+    }
+    if (providedRefs.length) {
+      dependencies.push({
+        ref: service["bom-ref"],
+        dependsOn: [],
+        provides: providedRefs.sort(),
+      });
+    }
+  }
+  return { components, dependencies, services };
+};
+
+// Capture groups:
+// 1 = module path in `from x import y`
+// 2 = imported symbols in `from x import y`
+// 3 = imported modules in `import x, y`
+const PYTHON_IMPORT_PATTERN =
+  /^\s*(?:from\s+([a-zA-Z0-9_.]+)\s+import\s+([^\n#]+)|import\s+([^\n#]+))/gmu;
+const PYTHON_DECORATOR_PATTERN = /@([a-zA-Z_][a-zA-Z0-9_]*)\.(\w+)\s*\(/gmu;
+const PYTHON_STDIO_PATTERN = /\bstdio_server\s*\(/u;
+const PYTHON_HTTP_TRANSPORT_PATTERN = /\b(streamable|sse|http)\b/iu;
+
+const PYTHON_DECORATOR_ROLE_MAP = new Map([
+  ["call_tool", "tool"],
+  ["get_prompt", "prompt"],
+  ["list_prompts", "prompt"],
+  ["list_resources", "resource"],
+  ["list_tools", "tool"],
+  ["prompt", "prompt"],
+  ["read_resource", "resource"],
+  ["resource", "resource"],
+  ["resource_template", "resource-template"],
+  ["tool", "tool"],
+]);
+
+const lineNumberForIndex = (text, index) =>
+  text.slice(0, index).split("\n").length || 1;
+
+const extractPythonNamedString = (argumentText, key) => {
+  const directPattern = new RegExp(`${key}\\s*=\\s*["']([^"'\\n]+)["']`, "u");
+  const directMatch = argumentText.match(directPattern);
+  if (directMatch?.[1]) {
+    return directMatch[1];
+  }
+  const wrappedPattern = new RegExp(
+    `${key}\\s*=\\s*[a-zA-Z_][a-zA-Z0-9_.]*\\(\\s*["']([^"'\\n]+)["']`,
+    "u",
+  );
+  return argumentText.match(wrappedPattern)?.[1];
+};
+
+const extractFirstPythonString = (argumentText) =>
+  argumentText.match(/^\s*["']([^"'\n]+)["']/u)?.[1];
+
+const extractPythonCallArguments = (raw, alias) => {
+  const aliasPattern = new RegExp(
+    `(\\w+)\\s*=\\s*${alias.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*\\(`,
+    "gmu",
+  );
+  const calls = [];
+  for (const match of raw.matchAll(aliasPattern)) {
+    let callStart = -1;
+    for (let index = match.index; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        callStart = index;
+        break;
+      }
+    }
+    if (callStart === -1) {
+      continue;
+    }
+    let depth = 0;
+    let callEnd = -1;
+    for (let index = callStart; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        depth += 1;
+      } else if (raw[index] === ")") {
+        depth -= 1;
+        if (depth === 0) {
+          callEnd = index;
+          break;
+        }
+      }
+    }
+    if (callEnd === -1) {
+      continue;
+    }
+    calls.push({
+      argumentText: raw.slice(callStart + 1, callEnd),
+      index: match.index,
+      serviceVarName: match[1],
+    });
+  }
+  return calls;
+};
+
+const extractPythonFunctionCalls = (raw, callName) => {
+  const callPattern = new RegExp(
+    `${callName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*\\(`,
+    "gmu",
+  );
+  const calls = [];
+  for (const match of raw.matchAll(callPattern)) {
+    const callStart = match.index + match[0].lastIndexOf("(");
+    let depth = 0;
+    let callEnd = -1;
+    for (let index = callStart; index < raw.length; index++) {
+      if (raw[index] === "(") {
+        depth += 1;
+      } else if (raw[index] === ")") {
+        depth -= 1;
+        if (depth === 0) {
+          callEnd = index;
+          break;
+        }
+      }
+    }
+    if (callEnd === -1) {
+      continue;
+    }
+    calls.push({
+      argumentText: raw.slice(callStart + 1, callEnd),
+      index: match.index,
+    });
+  }
+  return calls;
+};
+
+const parsePythonImports = (raw) => {
+  const imports = [];
+  for (const match of raw.matchAll(PYTHON_IMPORT_PATTERN)) {
+    const fromSource = match[1];
+    const fromImports = match[2];
+    const directImports = match[3];
+    if (fromSource && fromImports) {
+      for (const importEntry of fromImports.split(",")) {
+        const [importedName, localName] = importEntry
+          .trim()
+          .split(/\s+as\s+/u)
+          .map((value) => value?.trim());
+        if (importedName) {
+          imports.push({
+            importedName,
+            localName: localName || importedName,
+            sourceValue: fromSource,
+          });
+        }
+      }
+      continue;
+    }
+    for (const importEntry of (directImports || "").split(",")) {
+      const [sourceValue, localName] = importEntry
+        .trim()
+        .split(/\s+as\s+/u)
+        .map((value) => value?.trim());
+      if (sourceValue) {
+        imports.push({
+          importedName: sourceValue.split(".").pop(),
+          localName: localName || sourceValue.split(".").pop(),
+          sourceValue,
+        });
+      }
+    }
+  }
+  return imports;
+};
+
+const registerPythonPrimitive = (
+  serviceInfo,
+  role,
+  name,
+  description,
+  uri,
+  sourceLine,
+) => {
+  if (!role) {
+    return;
+  }
+  const primitiveName =
+    name ||
+    uri ||
+    `${role}-${serviceInfo.primitives.filter((item) => item.role === role).length + 1}`;
+  serviceInfo.primitives.push({
+    description,
+    name: primitiveName,
+    role,
+    sourceLine,
+    uri,
+  });
+  if (role === "tool") {
+    serviceInfo.usageSignals.add("registered-tool");
+  }
+  if (["resource", "resource-template"].includes(role)) {
+    serviceInfo.usageSignals.add("registered-resource");
+  }
+};
+
+/**
+ * Detect MCP server inventory from Python source using import and decorator heuristics.
+ *
+ * @param {string} src Absolute or relative path to the project source directory
+ * @param {boolean} deep When true, also scans nested paths more aggressively
+ * @returns {{components: Object[], dependencies: Object[], services: Object[]}}
+ */
+export const detectPythonMcpInventory = (src, deep = false) => {
+  const servicesByKey = new Map();
+  let srcFiles = [];
+  try {
+    srcFiles = getAllFiles(deep, src, ".py");
+  } catch {
+    return { components: [], dependencies: [], services: [] };
+  }
+  for (const file of srcFiles) {
+    let raw;
+    try {
+      raw = readFileSync(file, "utf-8");
+    } catch {
+      continue;
+    }
+    const fileRelativeLoc = relative(src, file);
+    const serverConstructorAliases = new Set(["Server", "FastMCP"]);
+    const importEntries = parsePythonImports(raw);
+    let fileHasMcpImports = false;
+    for (const importEntry of importEntries) {
+      const sourceValue = importEntry.sourceValue;
+      const classification = classifyMcpReference(sourceValue);
+      if (!classification.isMcp && !sourceValue.startsWith("mcp")) {
+        continue;
+      }
+      fileHasMcpImports = true;
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      if (sourceValue.startsWith("mcp")) {
+        serviceInfo.sdkImports.add(sourceValue);
+        serviceInfo.usageSignals.add("mcp-sdk-import");
+        serviceInfo.officialSdk = true;
+      } else {
+        recordMcpSdkImport(serviceInfo, sourceValue);
+      }
+      if (
+        sourceValue.startsWith("mcp.server") ||
+        sourceValue === "fastmcp" ||
+        /server/i.test(importEntry.importedName || "") ||
+        /server/i.test(importEntry.localName || "")
+      ) {
+        serverConstructorAliases.add(importEntry.localName);
+      }
+    }
+    for (const alias of serverConstructorAliases) {
+      for (const match of extractPythonCallArguments(raw, alias)) {
+        const serviceVarName = match.serviceVarName;
+        const argumentText = match.argumentText || "";
+        const serviceInfo = ensureMcpService(
+          servicesByKey,
+          file,
+          fileRelativeLoc,
+        );
+        serviceInfo.name =
+          extractPythonNamedString(argumentText, "name") ||
+          extractFirstPythonString(argumentText) ||
+          serviceInfo.name;
+        serviceInfo.version =
+          extractPythonNamedString(argumentText, "version") ||
+          serviceInfo.version;
+        serviceInfo.description =
+          extractPythonNamedString(argumentText, "instructions") ||
+          extractPythonNamedString(argumentText, "description") ||
+          serviceInfo.description;
+        serviceInfo.serviceKinds.add("server");
+        serviceInfo.usageSignals.add("server-constructor");
+        serviceInfo.sourceLine = lineNumberForIndex(raw, match.index);
+        for (const decoratorMatch of raw.matchAll(PYTHON_DECORATOR_PATTERN)) {
+          if (decoratorMatch[1] !== serviceVarName) {
+            continue;
+          }
+          const primitiveRole = PYTHON_DECORATOR_ROLE_MAP.get(
+            decoratorMatch[2],
+          );
+          if (!primitiveRole) {
+            continue;
+          }
+          if (primitiveRole === "tool") {
+            serviceInfo.capabilities.add("tools");
+          } else if (primitiveRole === "prompt") {
+            serviceInfo.capabilities.add("prompts");
+          } else {
+            serviceInfo.capabilities.add("resources");
+          }
+        }
+      }
+    }
+    if (PYTHON_STDIO_PATTERN.test(raw)) {
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      serviceInfo.transports.add("stdio");
+    } else if (fileHasMcpImports && PYTHON_HTTP_TRANSPORT_PATTERN.test(raw)) {
+      const serviceInfo = ensureMcpService(
+        servicesByKey,
+        file,
+        fileRelativeLoc,
+      );
+      serviceInfo.transports.add("streamable-http");
+    }
+    const primitivePatterns = [
+      ["mtypes.Tool", "tool"],
+      ["mtypes.Prompt", "prompt"],
+      ["mtypes.Resource", "resource"],
+    ];
+    for (const [callName, role] of primitivePatterns) {
+      for (const match of extractPythonFunctionCalls(raw, callName)) {
+        const serviceInfo = ensureMcpService(
+          servicesByKey,
+          file,
+          fileRelativeLoc,
+        );
+        registerPythonPrimitive(
+          serviceInfo,
+          role,
+          extractPythonNamedString(match.argumentText || "", "name"),
+          extractPythonNamedString(match.argumentText || "", "description"),
+          extractPythonNamedString(match.argumentText || "", "uri"),
+          lineNumberForIndex(raw, match.index),
+        );
+      }
+    }
+    if (fileHasMcpImports) {
+      ensureMcpService(servicesByKey, file, fileRelativeLoc);
+    }
+  }
+  return buildMcpInventoryFromServices(servicesByKey);
+};
+
+/**
+ * Detect MCP server inventory from JavaScript/TypeScript source using AST analysis.
+ *
+ * @param {string} src Absolute or relative path to the project source directory
+ * @param {boolean} deep When true, also scans nested paths more aggressively
+ * @returns {{components: Object[], dependencies: Object[], services: Object[]}}
+ */
+export const detectMcpInventory = (src, deep = false) => {
+  const servicesByKey = new Map();
+  let srcFiles = [];
+  try {
+    srcFiles = [
+      ...getAllFiles(deep, src, ".js"),
+      ...getAllFiles(deep, src, ".jsx"),
+      ...getAllFiles(deep, src, ".cjs"),
+      ...getAllFiles(deep, src, ".mjs"),
+      ...getAllFiles(deep, src, ".ts"),
+      ...getAllFiles(deep, src, ".tsx"),
+      ...getAllFiles(deep, src, ".vue"),
+      ...getAllFiles(deep, src, ".svelte"),
+    ];
+  } catch {
+    return { components: [], dependencies: [], services: [] };
+  }
+  for (const file of srcFiles) {
+    const fileRelativeLoc = relative(src, file);
+    const serverConstructorAliases = new Set(["McpServer", "MCPServer"]);
+    const clientConstructorAliases = new Set(MCP_CLIENT_CONSTRUCTOR_NAMES);
+    const authHelperAliases = new Set(MCP_AUTH_HELPERS);
+    const httpTransportAliases = new Set(MCP_HTTP_TRANSPORT_NAMES);
+    const stdioTransportAliases = new Set(MCP_STDIO_TRANSPORT_NAMES);
+    const httpClientTransportAliases = new Set(MCP_HTTP_CLIENT_TRANSPORT_NAMES);
+    const stdioClientTransportAliases = new Set(
+      MCP_STDIO_CLIENT_TRANSPORT_NAMES,
+    );
+    const appFactoryAliases = new Set(MCP_APP_FACTORIES);
+    const appAliases = new Set();
+    const clientAliases = new Set();
+    const providerAliases = new Map();
+    const transportAliasKinds = new Map();
+    const urlLiteralByAlias = new Map();
+    const authMetadataByAlias = new Map();
+    let fileHasMcpImports = false;
+    try {
+      const ast = parse(fileToParseableCode(file), babelParserOptions);
+      traverse.default(ast, {
+        ImportDeclaration: (path) => {
+          const sourceValue = getLiteralStringValue(path?.node?.source);
+          const classification = classifyMcpReference(sourceValue);
+          const providerFamily = providerFamilyFromImportSource(sourceValue);
+          if (classification.isMcp) {
+            fileHasMcpImports = true;
+            const serviceInfo = ensureMcpService(
+              servicesByKey,
+              file,
+              fileRelativeLoc,
+            );
+            recordMcpSdkImport(serviceInfo, sourceValue);
+          }
+          for (const specifier of path.node.specifiers || []) {
+            const localName = specifier.local?.name;
+            if (!localName) {
+              continue;
+            }
+            const importedName =
+              specifier.type === "ImportSpecifier"
+                ? specifier.imported?.name
+                : localName;
+            if (
+              classification.isMcp &&
+              (sourceValue?.includes("/server") ||
+                /server/i.test(localName) ||
+                importedName === "McpServer" ||
+                importedName === "Server")
+            ) {
+              serverConstructorAliases.add(localName);
+            }
+            if (
+              classification.isMcp &&
+              (sourceValue?.includes("/client") ||
+                /client/i.test(localName) ||
+                importedName === "Client")
+            ) {
+              clientConstructorAliases.add(localName);
+            }
+            if (MCP_AUTH_HELPERS.has(importedName)) {
+              authHelperAliases.add(localName);
+            }
+            if (MCP_HTTP_TRANSPORT_NAMES.has(importedName)) {
+              httpTransportAliases.add(localName);
+            }
+            if (MCP_STDIO_TRANSPORT_NAMES.has(importedName)) {
+              stdioTransportAliases.add(localName);
+            }
+            if (MCP_HTTP_CLIENT_TRANSPORT_NAMES.has(importedName)) {
+              httpClientTransportAliases.add(localName);
+            }
+            if (MCP_STDIO_CLIENT_TRANSPORT_NAMES.has(importedName)) {
+              stdioClientTransportAliases.add(localName);
+            }
+            if (MCP_APP_FACTORIES.has(importedName)) {
+              appFactoryAliases.add(localName);
+            }
+            if (sourceValue === "express") {
+              appFactoryAliases.add(localName);
+            }
+            if (providerFamily) {
+              providerAliases.set(localName, providerFamily);
+              const serviceInfo = servicesByKey.get(fileRelativeLoc);
+              if (serviceInfo) {
+                recordMcpProvider(serviceInfo, providerFamily);
+                serviceInfo.usageSignals.add("provider-sdk-import");
+              }
+            }
+          }
+        },
+        VariableDeclarator: (path) => {
+          const idNode = path?.node?.id;
+          const initNode = unwrapAwait(path?.node?.init);
+          if (!idNode || !initNode) {
+            return;
+          }
+          if (
+            initNode.type === "CallExpression" &&
+            initNode.callee?.type === "Identifier" &&
+            initNode.callee.name === "require"
+          ) {
+            const sourceValue = getLiteralStringValue(initNode.arguments?.[0]);
+            const classification = classifyMcpReference(sourceValue);
+            const providerFamily = providerFamilyFromImportSource(sourceValue);
+            if (classification.isMcp) {
+              fileHasMcpImports = true;
+              const serviceInfo = ensureMcpService(
+                servicesByKey,
+                file,
+                fileRelativeLoc,
+              );
+              recordMcpSdkImport(serviceInfo, sourceValue);
+              if (idNode.type === "Identifier") {
+                if (
+                  sourceValue?.includes("/server") ||
+                  /server/i.test(idNode.name)
+                ) {
+                  serverConstructorAliases.add(idNode.name);
+                }
+                if (
+                  sourceValue?.includes("/client") ||
+                  /client/i.test(idNode.name)
+                ) {
+                  clientConstructorAliases.add(idNode.name);
+                }
+              }
+              for (const moduleName of getNamedImportsFromObjectPattern(
+                idNode,
+              )) {
+                if (MCP_AUTH_HELPERS.has(moduleName)) {
+                  authHelperAliases.add(moduleName);
+                }
+                if (MCP_HTTP_TRANSPORT_NAMES.has(moduleName)) {
+                  httpTransportAliases.add(moduleName);
+                }
+                if (MCP_STDIO_TRANSPORT_NAMES.has(moduleName)) {
+                  stdioTransportAliases.add(moduleName);
+                }
+                if (MCP_HTTP_CLIENT_TRANSPORT_NAMES.has(moduleName)) {
+                  httpClientTransportAliases.add(moduleName);
+                }
+                if (MCP_STDIO_CLIENT_TRANSPORT_NAMES.has(moduleName)) {
+                  stdioClientTransportAliases.add(moduleName);
+                }
+                if (MCP_APP_FACTORIES.has(moduleName)) {
+                  appFactoryAliases.add(moduleName);
+                }
+                if (sourceValue === "express") {
+                  appFactoryAliases.add(moduleName);
+                }
+                if (
+                  sourceValue?.includes("/server") ||
+                  /server/i.test(moduleName) ||
+                  moduleName === "McpServer"
+                ) {
+                  serverConstructorAliases.add(moduleName);
+                }
+                if (
+                  sourceValue?.includes("/client") ||
+                  /client/i.test(moduleName) ||
+                  moduleName === "Client"
+                ) {
+                  clientConstructorAliases.add(moduleName);
+                }
+              }
+            }
+            if (providerFamily && idNode.type === "Identifier") {
+              providerAliases.set(idNode.name, providerFamily);
+              const serviceInfo = servicesByKey.get(fileRelativeLoc);
+              if (serviceInfo) {
+                recordMcpProvider(serviceInfo, providerFamily);
+                serviceInfo.usageSignals.add("provider-sdk-import");
+              }
+            }
+          }
+          if (
+            idNode.type === "Identifier" &&
+            initNode.type === "NewExpression" &&
+            initNode.callee?.type === "Identifier" &&
+            serverConstructorAliases.has(initNode.callee.name)
+          ) {
+            const serviceInfo = ensureMcpService(
+              servicesByKey,
+              file,
+              fileRelativeLoc,
+            );
+            const serverDefinition = extractServerDefinition(
+              initNode.arguments?.[0],
+            );
+            serviceInfo.name = serverDefinition.name || serviceInfo.name;
+            serviceInfo.version =
+              serverDefinition.version || serviceInfo.version;
+            serviceInfo.description =
+              serverDefinition.description || serviceInfo.description;
+            serviceInfo.sourceLine =
+              serviceInfo.sourceLine || path.node.loc?.start?.line;
+            serviceInfo.serviceKinds.add("server");
+            serviceInfo.usageSignals.add("server-constructor");
+            const capabilityNode =
+              objectExpressionProperty(initNode.arguments?.[1], "capabilities")
+                ?.value ||
+              (initNode.arguments?.[1]?.type === "ObjectExpression"
+                ? initNode.arguments[1]
+                : undefined);
+            registerCapabilityObject(serviceInfo, capabilityNode);
+          }
+          if (
+            idNode.type === "Identifier" &&
+            initNode.type === "CallExpression" &&
+            initNode.callee?.type === "Identifier" &&
+            appFactoryAliases.has(initNode.callee.name)
+          ) {
+            appAliases.add(idNode.name);
+          }
+          if (
+            idNode.type === "Identifier" &&
+            initNode.type === "NewExpression" &&
+            initNode.callee?.type === "Identifier" &&
+            clientConstructorAliases.has(initNode.callee.name)
+          ) {
+            const serviceInfo = ensureMcpService(
+              servicesByKey,
+              file,
+              fileRelativeLoc,
+            );
+            clientAliases.add(idNode.name);
+            serviceInfo.serviceKinds.add("client");
+            serviceInfo.sourceLine =
+              serviceInfo.sourceLine || path.node.loc?.start?.line;
+            serviceInfo.usageSignals.add("client-constructor");
+          }
+          if (
+            idNode.type === "Identifier" &&
+            initNode.type === "NewExpression" &&
+            initNode.callee?.type === "Identifier" &&
+            providerAliases.has(initNode.callee.name) &&
+            servicesByKey.has(fileRelativeLoc)
+          ) {
+            const serviceInfo = ensureMcpService(
+              servicesByKey,
+              file,
+              fileRelativeLoc,
+            );
+            recordMcpProvider(
+              serviceInfo,
+              providerAliases.get(initNode.callee.name),
+            );
+            serviceInfo.serviceKinds.add("client");
+            serviceInfo.usageSignals.add("provider-sdk-client");
+          }
+          if (
+            idNode.type === "Identifier" &&
+            initNode.type === "NewExpression" &&
+            initNode.callee?.type === "Identifier"
+          ) {
+            if (httpTransportAliases.has(initNode.callee.name)) {
+              transportAliasKinds.set(idNode.name, "streamable-http");
+            }
+            if (stdioTransportAliases.has(initNode.callee.name)) {
+              transportAliasKinds.set(idNode.name, "stdio");
+            }
+            if (httpClientTransportAliases.has(initNode.callee.name)) {
+              transportAliasKinds.set(idNode.name, "streamable-http");
+              const serviceInfo = ensureMcpService(
+                servicesByKey,
+                file,
+                fileRelativeLoc,
+              );
+              serviceInfo.serviceKinds.add("client");
+              serviceInfo.usageSignals.add("client-http-transport");
+              recordUrlUsage(
+                serviceInfo,
+                getUrlStringValue(initNode.arguments?.[0], urlLiteralByAlias),
+                "outbound-mcp-endpoint",
+              );
+            }
+            if (stdioClientTransportAliases.has(initNode.callee.name)) {
+              transportAliasKinds.set(idNode.name, "stdio");
+              const serviceInfo = ensureMcpService(
+                servicesByKey,
+                file,
+                fileRelativeLoc,
+              );
+              serviceInfo.serviceKinds.add("client");
+              serviceInfo.usageSignals.add("client-stdio-transport");
+            }
+            if (initNode.callee.name === "URL") {
+              const urlValue = getLiteralStringValue(initNode.arguments?.[0]);
+              if (urlValue) {
+                urlLiteralByAlias.set(idNode.name, urlValue);
+                const classifiedUrl = classifyUrlValue(urlValue);
+                if (
+                  servicesByKey.has(fileRelativeLoc) ||
+                  classifiedUrl?.isMcpEndpoint ||
+                  classifiedUrl?.providerFamily
+                ) {
+                  const serviceInfo = ensureMcpService(
+                    servicesByKey,
+                    file,
+                    fileRelativeLoc,
+                  );
+                  recordUrlUsage(serviceInfo, urlValue, "configured-url", true);
+                  if (urlValue.includes("/mcp")) {
+                    serviceInfo.transports.add("streamable-http");
+                  }
+                }
+              }
+            }
+          }
+          if (
+            idNode.type === "Identifier" &&
+            initNode.type === "ObjectExpression" &&
+            (objectExpressionProperty(initNode, "authorization_endpoint") ||
+              objectExpressionProperty(initNode, "token_endpoint") ||
+              objectExpressionProperty(initNode, "issuer"))
+          ) {
+            authMetadataByAlias.set(idNode.name, extractAuthMetadata(initNode));
+          }
+          if (idNode.type === "Identifier") {
+            const literalValue = getLiteralStringValue(initNode);
+            const serviceInfo = servicesByKey.get(fileRelativeLoc);
+            if (literalValue && serviceInfo) {
+              if (["model", "modelName"].includes(idNode.name)) {
+                recordMcpModel(serviceInfo, literalValue);
+              }
+              if (["provider", "providerName"].includes(idNode.name)) {
+                recordMcpProvider(serviceInfo, literalValue);
+              }
+              if (
+                [
+                  "endpoint",
+                  "mcpEndpoint",
+                  "resourceServerUrl",
+                  "url",
+                ].includes(idNode.name)
+              ) {
+                recordUrlUsage(serviceInfo, literalValue, "configured-url");
+              }
+            }
+            if (
+              providerAliases.has(idNode.name) &&
+              servicesByKey.has(fileRelativeLoc)
+            ) {
+              const serviceInfo = ensureMcpService(
+                servicesByKey,
+                file,
+                fileRelativeLoc,
+              );
+              recordMcpProvider(serviceInfo, providerAliases.get(idNode.name));
+            }
+          }
+        },
+        ObjectProperty: (path) => {
+          const serviceInfo = servicesByKey.get(fileRelativeLoc);
+          if (!serviceInfo) {
+            return;
+          }
+          recordMcpModelProperty(serviceInfo, path.node);
+        },
+        NewExpression: (path) => {
+          if (path?.node?.callee?.type !== "Identifier") {
+            return;
+          }
+          const serviceInfo = servicesByKey.get(fileRelativeLoc);
+          if (!serviceInfo) {
+            return;
+          }
+          if (httpTransportAliases.has(path.node.callee.name)) {
+            serviceInfo.transports.add("streamable-http");
+          }
+          if (stdioTransportAliases.has(path.node.callee.name)) {
+            serviceInfo.transports.add("stdio");
+          }
+          if (httpClientTransportAliases.has(path.node.callee.name)) {
+            serviceInfo.serviceKinds.add("client");
+            serviceInfo.usageSignals.add("client-http-transport");
+            recordUrlUsage(
+              serviceInfo,
+              getUrlStringValue(path.node.arguments?.[0], urlLiteralByAlias),
+              "outbound-mcp-endpoint",
+            );
+          }
+          if (stdioClientTransportAliases.has(path.node.callee.name)) {
+            serviceInfo.serviceKinds.add("client");
+            serviceInfo.usageSignals.add("client-stdio-transport");
+          }
+        },
+        CallExpression: (path) => {
+          const callNode = path?.node;
+          if (!callNode) {
+            return;
+          }
+          const serviceInfo = servicesByKey.get(fileRelativeLoc);
+          const callee = callNode.callee;
+          if (
+            callee.type === "Identifier" &&
+            authHelperAliases.has(callee.name)
+          ) {
+            const ensuredService = ensureMcpService(
+              servicesByKey,
+              file,
+              fileRelativeLoc,
+            );
+            ensuredService.authenticated = true;
+            ensuredService.xTrustBoundary = true;
+            ensuredService.usageSignals.add("auth-helper");
+            if (callee.name === "requireBearerAuth") {
+              ensuredService.authModes.add("bearer");
+            }
+            if (callee.name === "mcpAuthMetadataRouter") {
+              ensuredService.authModes.add("oauth-metadata");
+            }
+            if (callee.name === "createProtectedResourceMetadataRouter") {
+              ensuredService.authModes.add("protected-resource-metadata");
+            }
+            if (
+              callNode.arguments?.[0]?.type === "ObjectExpression" &&
+              callee.name === "mcpAuthMetadataRouter"
+            ) {
+              const authMetadataNode = objectExpressionProperty(
+                callNode.arguments[0],
+                "oauthMetadata",
+              )?.value;
+              if (authMetadataNode?.type === "Identifier") {
+                recordAuthMetadata(
+                  ensuredService,
+                  authMetadataByAlias.get(authMetadataNode.name),
+                );
+              } else {
+                recordAuthMetadata(
+                  ensuredService,
+                  extractAuthMetadata(authMetadataNode),
+                );
+              }
+              const resourceServerNode = objectExpressionProperty(
+                callNode.arguments[0],
+                "resourceServerUrl",
+              )?.value;
+              if (
+                resourceServerNode?.type === "Identifier" &&
+                urlLiteralByAlias.has(resourceServerNode.name)
+              ) {
+                recordUrlUsage(
+                  ensuredService,
+                  urlLiteralByAlias.get(resourceServerNode.name),
+                  "configured-url",
+                  true,
+                );
+              }
+            }
+            return;
+          }
+          if (callee.type === "Identifier") {
+            if (serviceInfo && MCP_NETWORK_METHODS.has(callee.name)) {
+              recordUrlUsage(
+                serviceInfo,
+                getUrlStringValue(callNode.arguments?.[0], urlLiteralByAlias),
+                "outbound-network",
+              );
+            }
+            return;
+          }
+          if (callee.type !== "MemberExpression") {
+            return;
+          }
+          const objectName = getMemberChainString(callee.object);
+          const methodName = getMemberExpressionPropertyName(callee.property);
+          if (!methodName) {
+            return;
+          }
+          if (methodName === "connect" && serviceInfo) {
+            const transportArg = callNode.arguments?.[0];
+            if (clientAliases.has(objectName)) {
+              serviceInfo.serviceKinds.add("client");
+              serviceInfo.usageSignals.add("client-connect");
+            }
+            if (transportArg?.type === "Identifier") {
+              const transportKind = transportAliasKinds.get(transportArg.name);
+              if (transportKind) {
+                serviceInfo.transports.add(transportKind);
+              }
+            } else if (
+              transportArg?.type === "NewExpression" &&
+              transportArg.callee?.type === "Identifier"
+            ) {
+              if (httpTransportAliases.has(transportArg.callee.name)) {
+                serviceInfo.transports.add("streamable-http");
+              }
+              if (stdioTransportAliases.has(transportArg.callee.name)) {
+                serviceInfo.transports.add("stdio");
+              }
+              if (httpClientTransportAliases.has(transportArg.callee.name)) {
+                serviceInfo.serviceKinds.add("client");
+                serviceInfo.usageSignals.add("client-connect");
+                recordUrlUsage(
+                  serviceInfo,
+                  getUrlStringValue(
+                    transportArg.arguments?.[0],
+                    urlLiteralByAlias,
+                  ),
+                  "outbound-mcp-endpoint",
+                );
+              }
+            }
+          }
+          if (
+            serviceInfo &&
+            ["registerPrompt", "registerResource", "registerTool"].includes(
+              methodName,
+            )
+          ) {
+            const primitive = {
+              annotations: undefined,
+              description: undefined,
+              name: undefined,
+              role:
+                methodName === "registerTool"
+                  ? "tool"
+                  : methodName === "registerPrompt"
+                    ? "prompt"
+                    : "resource",
+              sourceLine: callNode.loc?.start?.line,
+              uri: undefined,
+            };
+            primitive.name = getLiteralStringValue(callNode.arguments?.[0]);
+            if (methodName === "registerTool") {
+              primitive.description = objectExpressionStringValue(
+                callNode.arguments?.[1],
+                "description",
+              );
+              const annotationsNode = objectExpressionProperty(
+                callNode.arguments?.[1],
+                "annotations",
+              )?.value;
+              if (annotationsNode?.type === "ObjectExpression") {
+                const annotations = {};
+                for (const prop of annotationsNode.properties || []) {
+                  if (prop.type !== "ObjectProperty") {
+                    continue;
+                  }
+                  const keyName = getMemberExpressionPropertyName(prop.key);
+                  const boolValue =
+                    prop.value?.type === "BooleanLiteral"
+                      ? prop.value.value
+                      : undefined;
+                  const stringValue = getLiteralStringValue(prop.value);
+                  if (keyName && typeof boolValue === "boolean") {
+                    annotations[keyName] = boolValue;
+                  } else if (keyName && stringValue) {
+                    annotations[keyName] = stringValue;
+                  }
+                }
+                if (Object.keys(annotations).length) {
+                  primitive.annotations = annotations;
+                }
+              }
+              serviceInfo.capabilities.add("tools");
+            } else if (methodName === "registerPrompt") {
+              primitive.description = objectExpressionStringValue(
+                callNode.arguments?.[1],
+                "description",
+              );
+              serviceInfo.capabilities.add("prompts");
+            } else if (methodName === "registerResource") {
+              primitive.uri = getLiteralStringValue(callNode.arguments?.[1]);
+              primitive.description = objectExpressionStringValue(
+                callNode.arguments?.[2],
+                "description",
+              );
+              if (
+                primitive.uri?.includes("{") ||
+                primitive.uri?.includes("}")
+              ) {
+                primitive.role = "resource-template";
+              }
+              serviceInfo.capabilities.add("resources");
+            }
+            if (primitive.name || primitive.uri) {
+              serviceInfo.primitives.push(primitive);
+            }
+            serviceInfo.serviceKinds.add("server");
+            serviceInfo.usageSignals.add(`registered-${primitive.role}`);
+            return;
+          }
+          if (serviceInfo && MCP_CLIENT_USAGE_METHODS.has(methodName)) {
+            serviceInfo.serviceKinds.add("client");
+            serviceInfo.usageSignals.add(`client-${methodName}`);
+          }
+          if (
+            serviceInfo &&
+            appAliases.has(objectName) &&
+            MCP_ROUTE_METHODS.has(methodName)
+          ) {
+            const routePath = getLiteralStringValue(callNode.arguments?.[0]);
+            if (routePath?.includes("/mcp")) {
+              recordUrlUsage(serviceInfo, routePath, "route-endpoint", true);
+              serviceInfo.transports.add("streamable-http");
+              serviceInfo.serviceKinds.add("server");
+            }
+            if (
+              routePath?.includes("/.well-known/oauth-authorization-server") ||
+              routePath?.includes("/.well-known/oauth-protected-resource")
+            ) {
+              serviceInfo.authenticated = true;
+              serviceInfo.xTrustBoundary = true;
+              serviceInfo.authModes.add("oauth-metadata");
+              recordUrlUsage(serviceInfo, routePath, "auth-discovery", true);
+            }
+            for (const arg of callNode.arguments || []) {
+              if (
+                arg?.type === "Identifier" &&
+                authHelperAliases.has(arg.name)
+              ) {
+                serviceInfo.authenticated = true;
+                serviceInfo.xTrustBoundary = true;
+                serviceInfo.authModes.add("bearer");
+              }
+              if (
+                arg?.type === "CallExpression" &&
+                arg.callee?.type === "Identifier" &&
+                authHelperAliases.has(arg.callee.name)
+              ) {
+                serviceInfo.authenticated = true;
+                serviceInfo.xTrustBoundary = true;
+                serviceInfo.authModes.add("bearer");
+              }
+            }
+          }
+          if (!serviceInfo) {
+            return;
+          }
+          const outboundUrl = getUrlStringValue(
+            callNode.arguments?.[0],
+            urlLiteralByAlias,
+          );
+          const objectRootName = rootMemberName(objectName);
+          if (providerAliases.has(objectRootName)) {
+            recordMcpProvider(serviceInfo, providerAliases.get(objectRootName));
+            serviceInfo.serviceKinds.add("client");
+            serviceInfo.usageSignals.add("provider-sdk-call");
+          }
+          if (outboundUrl && MCP_NETWORK_METHODS.has(methodName)) {
+            recordUrlUsage(serviceInfo, outboundUrl, "outbound-network");
+          }
+          if (outboundUrl?.includes("/mcp")) {
+            recordUrlUsage(serviceInfo, outboundUrl, "outbound-mcp-endpoint");
+          }
+        },
+      });
+    } catch {
+      // Skip parse failures and continue scanning
+    }
+    if (fileHasMcpImports && !servicesByKey.has(fileRelativeLoc)) {
+      ensureMcpService(servicesByKey, file, fileRelativeLoc);
+    }
+  }
+  return buildMcpInventoryFromServices(servicesByKey);
+};