@gleanwork/mcp-server-tester 0.12.0 → 1.0.0-beta.1

package/dist/cli/index.js

@@ -13,11 +13,14 @@ import { jsxs, jsx, Fragment } from 'react/jsx-runtime';
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
 import { z } from 'zod';
 import createDebug from 'debug';
+import { ProxyAgent, Agent } from 'undici';
+import { readFileSync } from 'fs';
+import * as oauth from 'oauth4webapi';
 import { homedir } from 'os';
 import * as http from 'http';
-import * as oauth from 'oauth4webapi';
 
 function Spinner({ label }) {
   return /* @__PURE__ */ jsxs(Box, { children: [
@@ -75,6 +78,10 @@ function JsonPreview({ data, maxLines = 15 }) {
   );
 }
 
+// package.json
+var package_default = {
+  version: "1.0.0-beta.1"};
+
 // src/cli/templates/index.ts
 function getPlaywrightConfigTemplate(answers) {
   const mcpConfig = answers.transport === "stdio" ? `{
@@ -110,7 +117,6 @@ export default defineConfig({
     ['html'],
     ['@gleanwork/mcp-server-tester/reporters/mcpReporter', {
       outputDir: '.mcp-test-results',
-      autoOpen: true,
       historyLimit: 10
     }]
   ],
@@ -251,7 +257,7 @@ function getPackageJsonTemplate(projectName) {
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.4",
     "@playwright/test": "^1.49.0",
-    "@gleanwork/mcp-server-tester": "^0.9.0",
+    "@gleanwork/mcp-server-tester": "^${package_default.version}",
     "zod": "^3.24.1"
   },
   "devDependencies": {
@@ -539,9 +545,16 @@ var MCPOAuthConfigSchema = z.object({
   clientSecret: z.string().optional(),
   redirectUri: z.string().url().optional()
 });
+var MCPClientCredentialsConfigSchema = z.object({
+  clientId: z.string().optional(),
+  clientSecret: z.string().optional(),
+  tokenEndpoint: z.string().url("tokenEndpoint must be a valid URL").optional(),
+  scopes: z.array(z.string()).optional()
+});
 var MCPAuthConfigSchema = z.object({
   accessToken: z.string().optional(),
-  oauth: MCPOAuthConfigSchema.optional()
+  oauth: MCPOAuthConfigSchema.optional(),
+  clientCredentials: MCPClientCredentialsConfigSchema.optional()
 }).refine(
   (data) => !(data.accessToken && data.oauth),
   "Cannot specify both accessToken and oauth configuration"
@@ -551,19 +564,48 @@ var StdioConfigSchema = z.object({
   command: z.string().min(1, "command is required for stdio transport"),
   args: z.array(z.string()).optional(),
   cwd: z.string().optional(),
+  env: z.record(z.string(), z.string()).optional(),
   capabilities: MCPHostCapabilitiesSchema.optional(),
   connectTimeoutMs: z.number().positive().optional(),
   requestTimeoutMs: z.number().positive().optional(),
+  callTimeoutMs: z.number().positive().optional(),
   quiet: z.boolean().optional()
 });
+function isLocalhost(hostname) {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+}
 var HttpConfigSchema = z.object({
   transport: z.literal("http"),
-  serverUrl: z.string().url("serverUrl must be a valid URL"),
+  serverUrl: z.string().url("serverUrl must be a valid URL").refine((url) => {
+    let parsed;
+    try {
+      parsed = new URL(url);
+    } catch {
+      return true;
+    }
+    if (parsed.protocol === "http:" && !isLocalhost(parsed.hostname)) {
+      console.warn(
+        `[mcp-server-tester] serverUrl uses http:// for non-localhost address "${parsed.hostname}". This transmits tokens unencrypted. Use https:// for remote servers.`
+      );
+    }
+    return true;
+  }),
   headers: z.record(z.string()).optional(),
   capabilities: MCPHostCapabilitiesSchema.optional(),
   connectTimeoutMs: z.number().positive().optional(),
   requestTimeoutMs: z.number().positive().optional(),
-  auth: MCPAuthConfigSchema.optional()
+  callTimeoutMs: z.number().positive().optional(),
+  auth: MCPAuthConfigSchema.optional(),
+  proxy: z.object({
+    url: z.string().url("proxy.url must be a valid URL")
+  }).optional(),
+  retryAttempts: z.number().int().min(0).optional(),
+  tls: z.object({
+    ca: z.string().optional(),
+    cert: z.string().optional(),
+    key: z.string().optional(),
+    rejectUnauthorized: z.boolean().optional()
+  }).optional()
 });
 var MCPConfigSchema = z.discriminatedUnion("transport", [
   StdioConfigSchema,
@@ -573,26 +615,241 @@ function validateMCPConfig(config) {
   return MCPConfigSchema.parse(config);
 }
 function isStdioConfig(config) {
-  return config.transport === "stdio" && typeof config.command === "string";
+  return config.transport === "stdio";
 }
 function isHttpConfig(config) {
-  return config.transport === "http" && typeof config.serverUrl === "string";
+  return config.transport === "http";
 }
 var NAMESPACE = "mcp-server-tester";
 var debugClient = createDebug(`${NAMESPACE}:client`);
 createDebug(`${NAMESPACE}:oauth`);
 createDebug(`${NAMESPACE}:eval`);
+var debugHttp = createDebug(`${NAMESPACE}:http`);
+var debug = createDebug("mcp-server-tester:oauth-flow");
+async function generatePKCE() {
+  const codeVerifier = oauth.generateRandomCodeVerifier();
+  const codeChallenge = await oauth.calculatePKCECodeChallenge(codeVerifier);
+  return {
+    codeVerifier,
+    codeChallenge
+  };
+}
+function generateState() {
+  return oauth.generateRandomState();
+}
+function buildAuthorizationUrl(config) {
+  const authorizationEndpoint = config.authServer.server.authorization_endpoint;
+  if (!authorizationEndpoint) {
+    throw new Error(
+      "Authorization server does not have an authorization_endpoint"
+    );
+  }
+  const authorizationUrl = new URL(authorizationEndpoint);
+  authorizationUrl.searchParams.set("client_id", config.clientId);
+  authorizationUrl.searchParams.set("redirect_uri", config.redirectUri);
+  authorizationUrl.searchParams.set("response_type", "code");
+  authorizationUrl.searchParams.set("scope", config.scopes.join(" "));
+  authorizationUrl.searchParams.set("code_challenge", config.codeChallenge);
+  authorizationUrl.searchParams.set("code_challenge_method", "S256");
+  authorizationUrl.searchParams.set("state", config.state);
+  if (config.resource) {
+    authorizationUrl.searchParams.set("resource", config.resource);
+  }
+  return authorizationUrl;
+}
+async function exchangeCodeForTokens(config) {
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
+  };
+  const clientAuth = config.clientSecret ? oauth.ClientSecretBasic(config.clientSecret) : oauth.None();
+  const callbackUrl = new URL(config.redirectUri);
+  callbackUrl.searchParams.set("code", config.code);
+  callbackUrl.searchParams.set("state", config.state);
+  const validatedParams = oauth.validateAuthResponse(
+    config.authServer.server,
+    client,
+    callbackUrl,
+    config.state
+  );
+  const response = await oauth.authorizationCodeGrantRequest(
+    config.authServer.server,
+    client,
+    clientAuth,
+    validatedParams,
+    config.redirectUri,
+    config.codeVerifier
+  );
+  const result = await oauth.processAuthorizationCodeResponse(
+    config.authServer.server,
+    client,
+    response
+  );
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    refreshToken: result.refresh_token,
+    scope: result.scope
+  };
+}
+async function refreshAccessToken(config) {
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
+  };
+  const clientAuth = config.clientSecret ? oauth.ClientSecretBasic(config.clientSecret) : oauth.None();
+  const response = await oauth.refreshTokenGrantRequest(
+    config.authServer.server,
+    client,
+    clientAuth,
+    config.refreshToken
+  );
+  if (!response.ok) {
+    const contentType = response.headers.get("content-type") ?? "";
+    let errorMessage = `Token refresh failed: ${response.status} ${response.statusText}`;
+    try {
+      if (contentType.includes("application/json")) {
+        const errorBody = await response.clone().json();
+        if (errorBody.error) {
+          errorMessage = `Token refresh failed: ${errorBody.error}`;
+          if (errorBody.error_description) {
+            errorMessage += ` - ${errorBody.error_description}`;
+          }
+        }
+      } else {
+        const textBody = await response.clone().text();
+        if (textBody) {
+          errorMessage = `Token refresh failed: ${response.status} - ${textBody}`;
+        }
+      }
+    } catch {
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await oauth.processRefreshTokenResponse(
+    config.authServer.server,
+    client,
+    response
+  );
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    refreshToken: result.refresh_token,
+    scope: result.scope
+  };
+}
+async function performClientCredentialsFlow(config) {
+  const tokenEndpointUrl = new URL(config.tokenEndpoint);
+  const authServer = {
+    issuer: tokenEndpointUrl.origin,
+    token_endpoint: config.tokenEndpoint
+  };
+  const client = {
+    client_id: config.clientId
+  };
+  const clientAuth = oauth.ClientSecretBasic(config.clientSecret);
+  const parameters = {};
+  if (config.scopes && config.scopes.length > 0) {
+    parameters["scope"] = config.scopes.join(" ");
+  }
+  const response = await oauth.clientCredentialsGrantRequest(
+    authServer,
+    client,
+    clientAuth,
+    parameters
+  );
+  const result = await oauth.processClientCredentialsResponse(
+    authServer,
+    client,
+    response
+  );
+  const requestedScopes = new Set(
+    config.scopes && config.scopes.length > 0 ? config.scopes : []
+  );
+  const grantedScopes = new Set(
+    (result.scope ?? "").split(" ").filter(Boolean)
+  );
+  const missingScopes = [...requestedScopes].filter(
+    (s) => !grantedScopes.has(s)
+  );
+  if (missingScopes.length > 0 && requestedScopes.size > 0 && grantedScopes.size > 0) {
+    debug(
+      "[oauth] Warning: Token server granted fewer scopes than requested. Missing: %s",
+      missingScopes.join(", ")
+    );
+  }
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    scope: result.scope
+  };
+}
 
 // src/mcp/clientFactory.ts
+function getRetryAfterDelayMs(err) {
+  const response = err?.response;
+  const retryAfter = response?.headers?.get?.("Retry-After");
+  if (retryAfter) {
+    const seconds = parseInt(retryAfter, 10);
+    if (!isNaN(seconds)) return seconds * 1e3;
+  }
+  return null;
+}
+function isRateLimitError(err) {
+  const response = err?.response;
+  return response?.status === 429;
+}
+function isTransientNetworkError(err) {
+  if (!(err instanceof Error)) return false;
+  const msg = err.message.toLowerCase();
+  return msg.includes("econnreset") || msg.includes("econnrefused") || msg.includes("etimedout") || msg.includes("enotfound") || msg.includes("network") || msg.includes("socket hang up") || msg.includes("fetch failed");
+}
+function isRetryableError(err) {
+  return isTransientNetworkError(err) || isRateLimitError(err);
+}
+async function retryWithBackoff(fn, maxAttempts) {
+  let lastErr;
+  for (let attempt = 0; attempt <= maxAttempts; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastErr = err;
+      if (attempt < maxAttempts && isRetryableError(err)) {
+        const retryAfterMs = getRetryAfterDelayMs(err);
+        const delayMs = retryAfterMs !== null ? retryAfterMs : Math.min(1e3 * 2 ** attempt, 3e4);
+        debugClient(
+          "Retryable error on attempt %d/%d, retrying in %dms: %s",
+          attempt + 1,
+          maxAttempts + 1,
+          delayMs,
+          err.message
+        );
+        await new Promise((resolve3) => setTimeout(resolve3, delayMs));
+      } else {
+        throw err;
+      }
+    }
+  }
+  throw lastErr;
+}
+var agentRegistry = /* @__PURE__ */ new WeakMap();
 async function createMCPClientForConfig(config, options) {
   const validatedConfig = validateMCPConfig(config);
   const client = new Client(
     {
       name: "@gleanwork/mcp-server-tester",
-      version: "0.1.0"
+      version: package_default.version
     },
     {
-      capabilities: validatedConfig.capabilities ?? {}
+      capabilities: {
+        ...validatedConfig.capabilities ?? {},
+        // Only advertise sampling if a handler has been registered;
+        // declaring sampling capability without a handler violates the MCP spec
+        sampling: void 0
+      }
     }
   );
   if (isStdioConfig(validatedConfig)) {
@@ -601,33 +858,140 @@ async function createMCPClientForConfig(config, options) {
       args: validatedConfig.args ?? [],
       ...validatedConfig.cwd && { cwd: validatedConfig.cwd },
       // Suppress server stderr when quiet mode is enabled
-      ...validatedConfig.quiet && { stderr: "ignore" }
+      ...validatedConfig.quiet && { stderr: "ignore" },
+      ...validatedConfig.env && {
+        env: Object.fromEntries(
+          Object.entries({ ...process.env, ...validatedConfig.env }).filter(
+            (entry) => entry[1] !== void 0
+          )
+        )
+      }
     });
     debugClient("Connecting via stdio: %O", {
       command: validatedConfig.command,
       args: validatedConfig.args,
       cwd: validatedConfig.cwd
     });
-    await client.connect(transport);
+    await client.connect(
+      transport,
+      validatedConfig.connectTimeoutMs !== void 0 ? { timeout: validatedConfig.connectTimeoutMs } : void 0
+    );
   } else if (isHttpConfig(validatedConfig)) {
     const headers = { ...validatedConfig.headers };
+    if (validatedConfig.auth?.clientCredentials && true) {
+      const ccConfig = validatedConfig.auth.clientCredentials;
+      const clientId = ccConfig.clientId ?? process.env["MCP_CLIENT_ID"];
+      const clientSecret = ccConfig.clientSecret ?? process.env["MCP_CLIENT_SECRET"];
+      if (!clientId || !clientSecret) {
+        throw new Error(
+          "Client credentials require clientId/clientSecret in config or MCP_CLIENT_ID/MCP_CLIENT_SECRET env vars"
+        );
+      }
+      if (!ccConfig.tokenEndpoint) {
+        throw new Error(
+          "Client credentials require tokenEndpoint in auth.clientCredentials config"
+        );
+      }
+      debugClient("Fetching token via client credentials grant");
+      const tokenResult = await performClientCredentialsFlow({
+        tokenEndpoint: ccConfig.tokenEndpoint,
+        clientId,
+        clientSecret,
+        scopes: ccConfig.scopes
+      });
+      headers.Authorization = `Bearer ${tokenResult.accessToken}`;
+    }
     if (validatedConfig.auth?.accessToken && true) {
       headers.Authorization = `Bearer ${validatedConfig.auth.accessToken}`;
     }
-    const transport = new StreamableHTTPClientTransport(
-      new URL(validatedConfig.serverUrl),
-      {
-        requestInit: Object.keys(headers).length > 0 ? { headers } : void 0,
-        // Pass auth provider for OAuth flow - MCP SDK handles it automatically
-        authProvider: options?.authProvider
+    const url = new URL(validatedConfig.serverUrl);
+    let requestInit = Object.keys(headers).length > 0 ? { headers } : void 0;
+    const proxyUrl = validatedConfig.proxy?.url ?? process.env["HTTPS_PROXY"] ?? process.env["HTTP_PROXY"];
+    if (proxyUrl) {
+      const proxyAgent = new ProxyAgent(proxyUrl);
+      try {
+        const sanitized = new URL(proxyUrl);
+        debugClient(
+          "Using proxy: %s://%s:%s",
+          sanitized.protocol.slice(0, -1),
+          sanitized.hostname,
+          sanitized.port
+        );
+      } catch {
+        debugClient("Using proxy (unparseable URL)");
+      }
+      requestInit = {
+        ...requestInit,
+        dispatcher: proxyAgent
+      };
+    }
+    if (validatedConfig.tls) {
+      const tlsCfg = validatedConfig.tls;
+      try {
+        const dispatcher = new Agent({
+          connect: {
+            ...tlsCfg.ca && { ca: readFileSync(tlsCfg.ca) },
+            ...tlsCfg.cert && { cert: readFileSync(tlsCfg.cert) },
+            ...tlsCfg.key && { key: readFileSync(tlsCfg.key) },
+            rejectUnauthorized: tlsCfg.rejectUnauthorized ?? true
+          }
+        });
+        agentRegistry.set(client, dispatcher);
+        requestInit = {
+          ...requestInit,
+          dispatcher
+        };
+        debugClient("TLS configuration applied");
+      } catch (error) {
+        const filePath = tlsCfg.ca ?? tlsCfg.cert ?? tlsCfg.key;
+        const fileType = tlsCfg.ca ? "CA certificate" : tlsCfg.cert ? "client certificate" : "client key";
+        throw new Error(
+          `Failed to load TLS ${fileType} from ${filePath}: ${error instanceof Error ? error.message : String(error)}`
+        );
       }
-    );
+    } else if (proxyUrl) {
+      const existingDispatcher = requestInit?.dispatcher;
+      if (existingDispatcher) {
+        agentRegistry.set(client, existingDispatcher);
+      }
+    }
     debugClient("Connecting via HTTP: %O", {
       serverUrl: validatedConfig.serverUrl,
       headers: Object.keys(headers).length > 0 ? Object.keys(headers) : void 0,
       hasAuthProvider: false
     });
-    await client.connect(transport);
+    debugHttp("Connecting to %s", validatedConfig.serverUrl);
+    if (Object.keys(headers).length > 0) {
+      debugHttp("Request header names: %O", Object.keys(headers));
+    }
+    const retryAttempts = validatedConfig.retryAttempts ?? 0;
+    const connectOptions = validatedConfig.connectTimeoutMs !== void 0 ? { timeout: validatedConfig.connectTimeoutMs } : void 0;
+    await retryWithBackoff(async () => {
+      try {
+        debugHttp("Attempting transport: streamableHttp");
+        const streamableTransport = new StreamableHTTPClientTransport(url, {
+          requestInit,
+          authProvider: options?.authProvider
+        });
+        await client.connect(streamableTransport, connectOptions);
+        debugClient("Connected via Streamable HTTP");
+        debugHttp("Connection established via streamableHttp");
+      } catch (err) {
+        debugHttp(
+          "streamableHttp failed (%s), falling back to SSE",
+          err.message
+        );
+        debugClient("Streamable HTTP failed, falling back to SSE transport");
+        debugHttp("Attempting transport: sse");
+        const sseTransport = new SSEClientTransport(url, {
+          requestInit,
+          authProvider: options?.authProvider
+        });
+        await client.connect(sseTransport, connectOptions);
+        debugClient("Connected via SSE");
+        debugHttp("Connection established via sse");
+      }
+    }, retryAttempts);
   }
   debugClient("Connected successfully");
   const serverInfo = client.getServerVersion();
@@ -640,8 +1004,24 @@ async function closeMCPClient(client) {
   try {
     await client.close();
   } catch (error) {
-    console.error("[MCP] Error closing client:", error);
+    debugClient(
+      "Error closing client: %s",
+      error instanceof Error ? error.message : String(error)
+    );
     throw error;
+  } finally {
+    const agent = agentRegistry.get(client);
+    if (agent) {
+      agentRegistry.delete(client);
+      try {
+        await agent.close();
+      } catch (agentError) {
+        debugClient(
+          "Error closing undici agent: %s",
+          agentError.message
+        );
+      }
+    }
   }
 }
 var ENV_VAR_NAMES = {
@@ -820,119 +1200,27 @@ var FileOAuthStorage = class {
     }
   }
 };
-async function generatePKCE() {
-  const codeVerifier = oauth.generateRandomCodeVerifier();
-  const codeChallenge = await oauth.calculatePKCECodeChallenge(codeVerifier);
-  return {
-    codeVerifier,
-    codeChallenge
-  };
-}
-function generateState() {
-  return oauth.generateRandomState();
-}
-function buildAuthorizationUrl(config) {
-  const authorizationEndpoint = config.authServer.server.authorization_endpoint;
-  if (!authorizationEndpoint) {
-    throw new Error(
-      "Authorization server does not have an authorization_endpoint"
-    );
-  }
-  const authorizationUrl = new URL(authorizationEndpoint);
-  authorizationUrl.searchParams.set("client_id", config.clientId);
-  authorizationUrl.searchParams.set("redirect_uri", config.redirectUri);
-  authorizationUrl.searchParams.set("response_type", "code");
-  authorizationUrl.searchParams.set("scope", config.scopes.join(" "));
-  authorizationUrl.searchParams.set("code_challenge", config.codeChallenge);
-  authorizationUrl.searchParams.set("code_challenge_method", "S256");
-  authorizationUrl.searchParams.set("state", config.state);
-  if (config.resource) {
-    authorizationUrl.searchParams.set("resource", config.resource);
+function isLocalhostUrl(url) {
+  try {
+    const parsed = new URL(url);
+    const h = parsed.hostname;
+    return h === "localhost" || h === "127.0.0.1" || h === "::1";
+  } catch {
+    return false;
   }
-  return authorizationUrl;
-}
-async function exchangeCodeForTokens(config) {
-  const client = {
-    client_id: config.clientId,
-    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
-  };
-  const clientAuth = config.clientSecret ? oauth.ClientSecretBasic(config.clientSecret) : oauth.None();
-  const callbackUrl = new URL(config.redirectUri);
-  callbackUrl.searchParams.set("code", config.code);
-  callbackUrl.searchParams.set("state", config.state);
-  const validatedParams = oauth.validateAuthResponse(
-    config.authServer.server,
-    client,
-    callbackUrl,
-    config.state
-  );
-  const response = await oauth.authorizationCodeGrantRequest(
-    config.authServer.server,
-    client,
-    clientAuth,
-    validatedParams,
-    config.redirectUri,
-    config.codeVerifier
-  );
-  const result = await oauth.processAuthorizationCodeResponse(
-    config.authServer.server,
-    client,
-    response
-  );
-  return {
-    accessToken: result.access_token,
-    tokenType: result.token_type,
-    expiresIn: result.expires_in,
-    refreshToken: result.refresh_token,
-    scope: result.scope
-  };
 }
-async function refreshAccessToken(config) {
-  const client = {
-    client_id: config.clientId,
-    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
-  };
-  const clientAuth = config.clientSecret ? oauth.ClientSecretBasic(config.clientSecret) : oauth.None();
-  const response = await oauth.refreshTokenGrantRequest(
-    config.authServer.server,
-    client,
-    clientAuth,
-    config.refreshToken
-  );
-  if (!response.ok) {
-    const contentType = response.headers.get("content-type") ?? "";
-    let errorMessage = `Token refresh failed: ${response.status} ${response.statusText}`;
-    try {
-      if (contentType.includes("application/json")) {
-        const errorBody = await response.clone().json();
-        if (errorBody.error) {
-          errorMessage = `Token refresh failed: ${errorBody.error}`;
-          if (errorBody.error_description) {
-            errorMessage += ` - ${errorBody.error_description}`;
-          }
-        }
-      } else {
-        const textBody = await response.clone().text();
-        if (textBody) {
-          errorMessage = `Token refresh failed: ${response.status} - ${textBody}`;
-        }
-      }
-    } catch {
+function validateAuthServerEndpoints(authServer) {
+  const endpoints = [
+    { name: "authorization_endpoint", url: authServer.authorization_endpoint },
+    { name: "token_endpoint", url: authServer.token_endpoint }
+  ];
+  for (const { name, url } of endpoints) {
+    if (url && !url.startsWith("https://") && !isLocalhostUrl(url)) {
+      throw new Error(
+        `OAuth discovery returned an insecure ${name}: "${url}". Only HTTPS endpoints are permitted for OAuth flows to prevent token interception.`
+      );
     }
-    throw new Error(errorMessage);
   }
-  const result = await oauth.processRefreshTokenResponse(
-    config.authServer.server,
-    client,
-    response
-  );
-  return {
-    accessToken: result.access_token,
-    tokenType: result.token_type,
-    expiresIn: result.expires_in,
-    refreshToken: result.refresh_token,
-    scope: result.scope
-  };
 }
 var MCP_PROTOCOL_VERSION = "2025-06-18";
 async function discoverProtectedResource(mcpServerUrl) {
@@ -1002,6 +1290,7 @@ async function discoverAuthorizationServer(authServerUrl) {
     })
   });
   const metadata = await oauth.processDiscoveryResponse(issuer, response);
+  validateAuthServerEndpoints(metadata);
   return {
     server: metadata,
     issuer: authServerUrl
@@ -1009,7 +1298,7 @@ async function discoverAuthorizationServer(authServerUrl) {
 }
 
 // src/auth/cli.ts
-var debug = createDebug("mcp-server-tester:cli-oauth");
+var debug2 = createDebug("mcp-server-tester:cli-oauth");
 var DEFAULT_TIMEOUT_MS = 3e5;
 var DEFAULT_CLIENT_NAME = "@gleanwork/mcp-server-tester";
 var DEFAULT_METADATA_TTL_MS = 24 * 60 * 60 * 1e3;
@@ -1035,7 +1324,7 @@ var CLIOAuthClient = class {
   async getAccessToken() {
     const envTokens = loadTokensFromEnv();
     if (envTokens) {
-      debug("Using tokens from environment variables");
+      debug2("Using tokens from environment variables");
       return {
         accessToken: envTokens.accessToken,
         tokenType: envTokens.tokenType,
@@ -1048,7 +1337,7 @@ var CLIOAuthClient = class {
     if (storedTokens?.accessToken) {
       const isValid = await this.storage.hasValidToken();
       if (isValid) {
-        debug("Using cached tokens from storage");
+        debug2("Using cached tokens from storage");
         return {
           accessToken: storedTokens.accessToken,
           tokenType: storedTokens.tokenType,
@@ -1058,7 +1347,7 @@ var CLIOAuthClient = class {
         };
       }
       if (storedTokens.refreshToken) {
-        debug("Token expired, attempting refresh");
+        debug2("Token expired, attempting refresh");
         try {
           const refreshedTokens = await this.refreshStoredToken(storedTokens);
           return {
@@ -1069,11 +1358,11 @@ var CLIOAuthClient = class {
             fromEnv: false
           };
         } catch (error) {
-          debug("Token refresh failed, will re-authenticate:", error);
+          debug2("Token refresh failed, will re-authenticate:", error);
         }
       }
     }
-    debug("Performing full OAuth authentication");
+    debug2("Performing full OAuth authentication");
     return this.authenticate();
   }
   /**
@@ -1089,7 +1378,7 @@ var CLIOAuthClient = class {
   async tryGetAccessToken() {
     const envTokens = loadTokensFromEnv();
     if (envTokens) {
-      debug("Using tokens from environment variables");
+      debug2("Using tokens from environment variables");
       return {
         accessToken: envTokens.accessToken,
         tokenType: envTokens.tokenType,
@@ -1102,7 +1391,7 @@ var CLIOAuthClient = class {
     if (storedTokens?.accessToken) {
       const isValid = await this.storage.hasValidToken();
       if (isValid) {
-        debug("Using cached tokens from storage");
+        debug2("Using cached tokens from storage");
         return {
           accessToken: storedTokens.accessToken,
           tokenType: storedTokens.tokenType,
@@ -1112,7 +1401,7 @@ var CLIOAuthClient = class {
         };
       }
       if (storedTokens.refreshToken) {
-        debug("Token expired, attempting refresh");
+        debug2("Token expired, attempting refresh");
         try {
           const refreshedTokens = await this.refreshStoredToken(storedTokens);
           return {
@@ -1123,12 +1412,12 @@ var CLIOAuthClient = class {
             fromEnv: false
           };
         } catch (error) {
-          debug("Token refresh failed:", error);
+          debug2("Token refresh failed:", error);
           return null;
         }
       }
     }
-    debug("No valid token available");
+    debug2("No valid token available");
     return null;
   }
   /**
@@ -1163,7 +1452,7 @@ var CLIOAuthClient = class {
    */
   async clearCredentials() {
     await this.storage.deleteTokens();
-    debug("Cleared stored credentials");
+    debug2("Cleared stored credentials");
   }
   /**
    * Discover protected resource and authorization server
@@ -1173,12 +1462,12 @@ var CLIOAuthClient = class {
     if (cachedMetadata) {
       const age = Date.now() - cachedMetadata.discoveredAt;
       if (age < DEFAULT_METADATA_TTL_MS) {
-        debug("Using cached server metadata (age: %dms)", age);
-        debug(
+        debug2("Using cached server metadata (age: %dms)", age);
+        debug2(
           "Cached protected resource scopes: %O",
           cachedMetadata.protectedResource.scopes_supported
         );
-        debug(
+        debug2(
           "Cached auth server scopes: %O",
           cachedMetadata.authServer.server.scopes_supported
         );
@@ -1187,12 +1476,12 @@ var CLIOAuthClient = class {
           authServer: cachedMetadata.authServer
         };
       }
-      debug("Cached server metadata is stale (age: %dms), re-discovering", age);
+      debug2("Cached server metadata is stale (age: %dms), re-discovering", age);
     }
-    debug("Discovering protected resource:", this.config.mcpServerUrl);
+    debug2("Discovering protected resource:", this.config.mcpServerUrl);
     const prResult = await discoverProtectedResource(this.config.mcpServerUrl);
-    debug("Found protected resource:", prResult.metadata.resource);
-    debug(
+    debug2("Found protected resource:", prResult.metadata.resource);
+    debug2(
       "Protected resource scopes_supported: %O",
       prResult.metadata.scopes_supported
     );
@@ -1202,10 +1491,10 @@ var CLIOAuthClient = class {
         "No authorization servers found in protected resource metadata"
       );
     }
-    debug("Discovering authorization server:", authServerUrl);
+    debug2("Discovering authorization server:", authServerUrl);
     const authServer = await discoverAuthorizationServer(authServerUrl);
-    debug("Found authorization server:", authServer.issuer);
-    debug(
+    debug2("Found authorization server:", authServer.issuer);
+    debug2(
       "Auth server scopes_supported: %O",
       authServer.server.scopes_supported
     );
@@ -1225,7 +1514,7 @@ var CLIOAuthClient = class {
    */
   async getOrRegisterClient(authServer) {
     if (this.config.clientId) {
-      debug("Using pre-configured client ID");
+      debug2("Using pre-configured client ID");
       return {
         clientId: this.config.clientId,
         clientSecret: this.config.clientSecret
@@ -1233,10 +1522,10 @@ var CLIOAuthClient = class {
     }
     const cachedClient = await this.storage.loadClient();
     if (cachedClient?.clientId) {
-      debug("Using cached client registration");
+      debug2("Using cached client registration");
       return cachedClient;
     }
-    debug("Registering new client via DCR");
+    debug2("Registering new client via DCR");
     const client = await this.registerClient(authServer);
     await this.storage.saveClient(client);
     return client;
@@ -1274,7 +1563,7 @@ ${errorText}`
       );
     }
     const data = await response.json();
-    debug("Client registered:", data.client_id);
+    debug2("Client registered:", data.client_id);
     return {
       clientId: data.client_id,
       clientSecret: data.client_secret,
@@ -1292,17 +1581,17 @@ ${errorText}`
     const redirectUri = `http://127.0.0.1:${port}/callback`;
     try {
       const requestedScopes = this.config.scopes ?? protectedResource.scopes_supported ?? authServer.server.scopes_supported ?? ["openid"];
-      debug("Scope resolution:");
-      debug("  - User config scopes: %O", this.config.scopes);
-      debug(
+      debug2("Scope resolution:");
+      debug2("  - User config scopes: %O", this.config.scopes);
+      debug2(
         "  - Protected resource scopes_supported: %O",
         protectedResource.scopes_supported
       );
-      debug(
+      debug2(
         "  - Auth server scopes_supported: %O",
         authServer.server.scopes_supported
       );
-      debug("  - Final requested scopes: %O", requestedScopes);
+      debug2("  - Final requested scopes: %O", requestedScopes);
       const authUrl = buildAuthorizationUrl({
         authServer,
         clientId: client.clientId,
@@ -1312,16 +1601,19 @@ ${errorText}`
         state,
         resource: protectedResource.resource
       });
-      debug("Authorization URL: %s", authUrl.toString());
-      debug("Authorization URL params:");
-      debug("  - client_id: %s", authUrl.searchParams.get("client_id"));
-      debug("  - redirect_uri: %s", authUrl.searchParams.get("redirect_uri"));
-      debug("  - scope: %s", authUrl.searchParams.get("scope"));
-      debug("  - resource: %s", authUrl.searchParams.get("resource"));
+      debug2(
+        "Authorization URL (base): %s",
+        `${authUrl.origin}${authUrl.pathname}`
+      );
+      debug2("Authorization URL params:");
+      debug2("  - client_id: %s", authUrl.searchParams.get("client_id"));
+      debug2("  - redirect_uri: %s", authUrl.searchParams.get("redirect_uri"));
+      debug2("  - scope: %s", authUrl.searchParams.get("scope"));
+      debug2("  - resource: %s", authUrl.searchParams.get("resource"));
       await this.openBrowserOrPrintUrl(authUrl);
-      debug("Waiting for OAuth callback...");
+      debug2("Waiting for OAuth callback...");
       const code = await codePromise;
-      debug("Received authorization code");
+      debug2("Received authorization code");
       const tokenResult = await exchangeCodeForTokens({
         authServer,
         clientId: client.clientId,
@@ -1359,14 +1651,14 @@ ${errorText}`
     let clientId;
     let clientSecret;
     if (storedTokens.clientId) {
-      debug("Using clientId from stored tokens for refresh");
+      debug2("Using clientId from stored tokens for refresh");
       clientId = storedTokens.clientId;
       const storedClient = await this.storage.loadClient();
       if (storedClient?.clientId === clientId) {
         clientSecret = storedClient.clientSecret;
       }
     } else {
-      debug(
+      debug2(
         "No clientId in stored tokens, falling back to stored client (legacy behavior)"
       );
       const client = await this.getOrRegisterClient(metadata.authServer);
@@ -1460,7 +1752,7 @@ ${errorText}`
       const preferredPort = this.config.callbackPort ?? 0;
       server.listen(preferredPort, "127.0.0.1", () => {
         const address = server.address();
-        debug("Callback server listening on port", address.port);
+        debug2("Callback server listening on port", address.port);
         resolve3({ port: address.port, codePromise, close: forceClose });
       });
       server.on("error", (err) => {
@@ -1484,9 +1776,9 @@ ${errorText}`
     try {
       const open = await import('open');
       await open.default(url.toString());
-      debug("Opened browser for authentication");
+      debug2("Opened browser for authentication");
     } catch (error) {
-      debug("Failed to open browser:", error);
+      debug2("Failed to open browser:", error);
       console.log("\nFailed to open browser automatically.");
       console.log("Please open the following URL manually:\n");
       console.log(url.toString() + "\n");
@@ -1697,7 +1989,7 @@ function isCallToolResult(value) {
     return false;
   }
   const v = value;
-  return Array.isArray(v.content) || typeof v.isError === "boolean";
+  return Array.isArray(v.content);
 }
 function extractTextFromContentArray(content) {
   const textParts = [];
@@ -2770,7 +3062,7 @@ async function token(serverUrl, options) {
 
 // src/cli/index.ts
 var program = new Command();
-program.name("mcp-server-tester").description("CLI tools for MCP server evaluation and testing").version("0.1.0");
+program.name("mcp-server-tester").description("CLI tools for MCP server evaluation and testing").version(package_default.version);
 program.command("init").description("Initialize a new MCP evaluation project").option("-n, --name <name>", "Project name").option("-d, --dir <directory>", "Target directory", ".").action(init);
 program.command("generate").alias("gen").description("Generate eval dataset by interacting with MCP server").option("-c, --config <path>", "Path to MCP config").option("-o, --output <path>", "Output dataset path", "data/dataset.json").option("-s, --snapshot", "Use Playwright snapshot testing for all cases").action(generate);
 program.command("login").description("Authenticate with an MCP server via OAuth").argument("<server-url>", "MCP server URL to authenticate with").option("--force", "Force re-authentication even if valid token exists").option("--state-dir <dir>", "Custom directory for token storage").option(