@gleanwork/mcp-server-tester 0.12.0

package/dist/index.js

@@ -0,0 +1,3582 @@
+import * as fs from 'fs/promises';
+import { readFile } from 'fs/promises';
+import * as path2 from 'path';
+import { z } from 'zod';
+import { expect as expect$1, test as test$1, chromium } from '@playwright/test';
+import { discoverAuthorizationServerMetadata, startAuthorization, exchangeAuthorization } from '@modelcontextprotocol/sdk/client/auth.js';
+import createDebug from 'debug';
+import * as oauth2 from 'oauth4webapi';
+import { homedir } from 'os';
+import * as http from 'http';
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { query } from '@anthropic-ai/claude-agent-sdk';
+
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/auth/oauthClientProvider.ts
+var oauthClientProvider_exports = {};
+__export(oauthClientProvider_exports, {
+  PlaywrightOAuthClientProvider: () => PlaywrightOAuthClientProvider,
+  loadOAuthState: () => loadOAuthState,
+  saveOAuthState: () => saveOAuthState
+});
+async function loadOAuthState(storagePath) {
+  try {
+    const content = await fs.readFile(storagePath, "utf-8");
+    return JSON.parse(content);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+async function saveOAuthState(storagePath, state) {
+  state.savedAt = Date.now();
+  const dir = path2.dirname(storagePath);
+  await fs.mkdir(dir, { recursive: true });
+  await fs.writeFile(storagePath, JSON.stringify(state, null, 2), "utf-8");
+}
+var PlaywrightOAuthClientProvider;
+var init_oauthClientProvider = __esm({
+  "src/auth/oauthClientProvider.ts"() {
+    PlaywrightOAuthClientProvider = class {
+      config;
+      cachedState = null;
+      stateParam = null;
+      constructor(config) {
+        this.config = config;
+      }
+      /**
+       * The URL to redirect the user agent to after authorization
+       */
+      get redirectUrl() {
+        return this.config.redirectUri;
+      }
+      /**
+       * Metadata about this OAuth client
+       */
+      get clientMetadata() {
+        return {
+          redirect_uris: [this.config.redirectUri],
+          token_endpoint_auth_method: this.config.clientSecret ? "client_secret_basic" : "none",
+          grant_types: ["authorization_code", "refresh_token"],
+          response_types: ["code"],
+          client_name: "@gleanwork/mcp-server-tester",
+          ...this.config.clientMetadata
+        };
+      }
+      /**
+       * Returns an OAuth2 state parameter
+       */
+      state() {
+        if (!this.stateParam) {
+          this.stateParam = this.generateRandomString(32);
+        }
+        return this.stateParam;
+      }
+      /**
+       * Loads information about this OAuth client
+       */
+      async clientInformation() {
+        if (this.config.clientId) {
+          return {
+            client_id: this.config.clientId,
+            client_secret: this.config.clientSecret,
+            redirect_uris: [this.config.redirectUri]
+          };
+        }
+        const state = await this.loadState();
+        if (state?.clientInfo) {
+          return {
+            client_id: state.clientInfo.clientId,
+            client_secret: state.clientInfo.clientSecret,
+            client_id_issued_at: state.clientInfo.clientIdIssuedAt,
+            client_secret_expires_at: state.clientInfo.clientSecretExpiresAt,
+            redirect_uris: [this.config.redirectUri]
+          };
+        }
+        return void 0;
+      }
+      /**
+       * Saves client information from Dynamic Client Registration
+       */
+      async saveClientInformation(clientInformation) {
+        const state = await this.loadState() ?? this.createEmptyState();
+        state.clientInfo = {
+          clientId: clientInformation.client_id,
+          clientSecret: clientInformation.client_secret,
+          clientIdIssuedAt: clientInformation.client_id_issued_at,
+          clientSecretExpiresAt: clientInformation.client_secret_expires_at
+        };
+        await this.saveState(state);
+      }
+      /**
+       * Loads any existing OAuth tokens for the current session
+       */
+      async tokens() {
+        const state = await this.loadState();
+        if (state?.tokens) {
+          return {
+            access_token: state.tokens.accessToken,
+            token_type: state.tokens.tokenType,
+            refresh_token: state.tokens.refreshToken,
+            expires_in: state.tokens.expiresAt ? Math.floor((state.tokens.expiresAt - Date.now()) / 1e3) : void 0
+          };
+        }
+        return void 0;
+      }
+      /**
+       * Stores new OAuth tokens for the current session
+       */
+      async saveTokens(tokens) {
+        const state = await this.loadState() ?? this.createEmptyState();
+        state.tokens = {
+          accessToken: tokens.access_token,
+          tokenType: tokens.token_type,
+          refreshToken: tokens.refresh_token,
+          expiresAt: tokens.expires_in ? Date.now() + tokens.expires_in * 1e3 : void 0
+        };
+        await this.saveState(state);
+      }
+      /**
+       * Invoked to redirect the user agent to the given URL
+       *
+       * In a testing context, this is typically handled by Playwright automation.
+       * This implementation throws an error to signal that the caller needs to
+       * handle the redirect externally.
+       */
+      async redirectToAuthorization(authorizationUrl) {
+        throw new Error(
+          `OAuth authorization required. Redirect to: ${authorizationUrl.toString()}
+In a testing context, use performOAuthSetup() in your Playwright globalSetup to complete the OAuth flow before running tests.`
+        );
+      }
+      /**
+       * Saves a PKCE code verifier for the current session
+       */
+      async saveCodeVerifier(codeVerifier) {
+        const state = await this.loadState() ?? this.createEmptyState();
+        state.codeVerifier = codeVerifier;
+        await this.saveState(state);
+      }
+      /**
+       * Loads the PKCE code verifier for the current session
+       */
+      async codeVerifier() {
+        const state = await this.loadState();
+        if (!state?.codeVerifier) {
+          throw new Error("No code verifier found in auth state");
+        }
+        return state.codeVerifier;
+      }
+      /**
+       * Invalidates the specified credentials
+       */
+      async invalidateCredentials(scope) {
+        const state = await this.loadState();
+        if (!state) {
+          return;
+        }
+        switch (scope) {
+          case "all":
+            await this.deleteState();
+            break;
+          case "client":
+            delete state.clientInfo;
+            await this.saveState(state);
+            break;
+          case "tokens":
+            delete state.tokens;
+            await this.saveState(state);
+            break;
+          case "verifier":
+            delete state.codeVerifier;
+            await this.saveState(state);
+            break;
+        }
+      }
+      // ---- Private helper methods ----
+      async loadState() {
+        if (this.cachedState) {
+          return this.cachedState;
+        }
+        try {
+          const content = await fs.readFile(this.config.storagePath, "utf-8");
+          this.cachedState = JSON.parse(content);
+          return this.cachedState;
+        } catch (error) {
+          if (error.code === "ENOENT") {
+            return null;
+          }
+          throw error;
+        }
+      }
+      async saveState(state) {
+        state.savedAt = Date.now();
+        this.cachedState = state;
+        const dir = path2.dirname(this.config.storagePath);
+        await fs.mkdir(dir, { recursive: true });
+        await fs.writeFile(
+          this.config.storagePath,
+          JSON.stringify(state, null, 2),
+          "utf-8"
+        );
+      }
+      async deleteState() {
+        this.cachedState = null;
+        try {
+          await fs.unlink(this.config.storagePath);
+        } catch (error) {
+          if (error.code !== "ENOENT") {
+            throw error;
+          }
+        }
+      }
+      createEmptyState() {
+        return {
+          savedAt: Date.now()
+        };
+      }
+      generateRandomString(length) {
+        const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+        let result = "";
+        const randomValues = new Uint8Array(length);
+        crypto.getRandomValues(randomValues);
+        for (let i = 0; i < length; i++) {
+          const randomValue = randomValues[i] ?? 0;
+          result += chars[randomValue % chars.length];
+        }
+        return result;
+      }
+    };
+  }
+});
+var MCPHostCapabilitiesSchema = z.object({
+  sampling: z.record(z.unknown()).optional(),
+  roots: z.object({
+    listChanged: z.boolean()
+  }).optional()
+});
+var MCPOAuthConfigSchema = z.object({
+  serverUrl: z.string().url("serverUrl must be a valid URL"),
+  scopes: z.array(z.string()).optional(),
+  resource: z.string().url().optional(),
+  authStatePath: z.string().optional(),
+  clientId: z.string().optional(),
+  clientSecret: z.string().optional(),
+  redirectUri: z.string().url().optional()
+});
+var MCPAuthConfigSchema = z.object({
+  accessToken: z.string().optional(),
+  oauth: MCPOAuthConfigSchema.optional()
+}).refine(
+  (data) => !(data.accessToken && data.oauth),
+  "Cannot specify both accessToken and oauth configuration"
+);
+var StdioConfigSchema = z.object({
+  transport: z.literal("stdio"),
+  command: z.string().min(1, "command is required for stdio transport"),
+  args: z.array(z.string()).optional(),
+  cwd: z.string().optional(),
+  capabilities: MCPHostCapabilitiesSchema.optional(),
+  connectTimeoutMs: z.number().positive().optional(),
+  requestTimeoutMs: z.number().positive().optional(),
+  quiet: z.boolean().optional()
+});
+var HttpConfigSchema = z.object({
+  transport: z.literal("http"),
+  serverUrl: z.string().url("serverUrl must be a valid URL"),
+  headers: z.record(z.string()).optional(),
+  capabilities: MCPHostCapabilitiesSchema.optional(),
+  connectTimeoutMs: z.number().positive().optional(),
+  requestTimeoutMs: z.number().positive().optional(),
+  auth: MCPAuthConfigSchema.optional()
+});
+var MCPConfigSchema = z.discriminatedUnion("transport", [
+  StdioConfigSchema,
+  HttpConfigSchema
+]);
+function validateMCPConfig(config) {
+  return MCPConfigSchema.parse(config);
+}
+function isStdioConfig(config) {
+  return config.transport === "stdio" && typeof config.command === "string";
+}
+function isHttpConfig(config) {
+  return config.transport === "http" && typeof config.serverUrl === "string";
+}
+
+// src/index.ts
+init_oauthClientProvider();
+
+// src/auth/tokenAuth.ts
+function createTokenAuthHeaders(accessToken, tokenType = "Bearer") {
+  return {
+    Authorization: `${tokenType} ${accessToken}`
+  };
+}
+function validateAccessToken(accessToken) {
+  if (!accessToken) {
+    throw new Error("Access token is required but was not provided");
+  }
+  if (accessToken.trim().length === 0) {
+    throw new Error("Access token cannot be empty");
+  }
+}
+function isTokenExpired(accessToken) {
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) {
+      return false;
+    }
+    const payloadPart = parts[1];
+    if (!payloadPart) {
+      return false;
+    }
+    const payload = JSON.parse(
+      Buffer.from(payloadPart, "base64url").toString("utf-8")
+    );
+    if (typeof payload.exp === "number") {
+      return payload.exp * 1e3 < Date.now();
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+function isTokenExpiringSoon(expiresAt, bufferMs = 6e4) {
+  if (expiresAt === void 0) {
+    return false;
+  }
+  return expiresAt - bufferMs < Date.now();
+}
+
+// src/auth/setupOAuth.ts
+init_oauthClientProvider();
+var NAMESPACE = "mcp-server-tester";
+var debugClient = createDebug(`${NAMESPACE}:client`);
+var debugOAuth = createDebug(`${NAMESPACE}:oauth`);
+createDebug(`${NAMESPACE}:eval`);
+
+// src/auth/setupOAuth.ts
+var DEFAULT_TIMEOUT_MS = 3e4;
+var DEFAULT_REDIRECT_URI = "http://localhost:3000/oauth/callback";
+async function performOAuthSetup(config) {
+  const timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const redirectUri = config.redirectUri ?? DEFAULT_REDIRECT_URI;
+  const metadata = await discoverAuthorizationServerMetadata(
+    config.authServerUrl
+  );
+  if (!metadata) {
+    throw new Error(
+      `Could not discover OAuth metadata at ${config.authServerUrl}`
+    );
+  }
+  const clientInformation = {
+    client_id: config.clientId ?? "mcp-server-tester-client",
+    client_secret: config.clientSecret
+  };
+  const { authorizationUrl, codeVerifier } = await startAuthorization(
+    config.authServerUrl,
+    {
+      metadata,
+      clientInformation,
+      redirectUrl: redirectUri,
+      scope: config.scopes.join(" "),
+      resource: config.resource ? new URL(config.resource) : void 0
+    }
+  );
+  const browser = await chromium.launch({
+    headless: process.env.OAUTH_DEBUG !== "true"
+  });
+  try {
+    const context = await browser.newContext();
+    const page = await context.newPage();
+    page.setDefaultTimeout(timeoutMs);
+    await page.goto(authorizationUrl.toString());
+    await completeLoginForm(page, config);
+    await page.waitForURL(
+      (url) => url.href.startsWith(redirectUri) && url.searchParams.has("code"),
+      { timeout: timeoutMs }
+    );
+    const callbackUrl = new URL(page.url());
+    const code = callbackUrl.searchParams.get("code");
+    const error = callbackUrl.searchParams.get("error");
+    if (error) {
+      const errorDescription = callbackUrl.searchParams.get("error_description");
+      throw new Error(
+        `OAuth authorization failed: ${error}${errorDescription ? ` - ${errorDescription}` : ""}`
+      );
+    }
+    if (!code) {
+      throw new Error("No authorization code in callback URL");
+    }
+    const tokens = await exchangeAuthorization(config.authServerUrl, {
+      metadata,
+      clientInformation,
+      authorizationCode: code,
+      codeVerifier,
+      redirectUri,
+      resource: config.resource ? new URL(config.resource) : void 0
+    });
+    const state = {
+      tokens: {
+        accessToken: tokens.access_token,
+        tokenType: tokens.token_type,
+        refreshToken: tokens.refresh_token,
+        expiresAt: tokens.expires_in ? Date.now() + tokens.expires_in * 1e3 : void 0
+      },
+      clientInfo: config.clientId ? {
+        clientId: config.clientId,
+        clientSecret: config.clientSecret
+      } : void 0,
+      codeVerifier,
+      savedAt: Date.now()
+    };
+    await saveOAuthState(config.outputPath, state);
+    debugOAuth("Auth state saved to %s", config.outputPath);
+  } finally {
+    await browser.close();
+  }
+}
+async function completeLoginForm(page, config) {
+  const { loginSelectors, credentials } = config;
+  await page.waitForSelector(loginSelectors.usernameInput, {
+    state: "visible"
+  });
+  await page.fill(loginSelectors.usernameInput, credentials.username);
+  await page.waitForSelector(loginSelectors.passwordInput, {
+    state: "visible"
+  });
+  await page.fill(loginSelectors.passwordInput, credentials.password);
+  await page.waitForSelector(loginSelectors.submitButton, {
+    state: "visible"
+  });
+  await page.click(loginSelectors.submitButton);
+  if (loginSelectors.consentButton) {
+    try {
+      await page.waitForSelector(loginSelectors.consentButton, {
+        state: "visible",
+        timeout: 5e3
+      });
+      await page.click(loginSelectors.consentButton);
+    } catch {
+    }
+  }
+}
+async function hasValidOAuthState(storagePath) {
+  try {
+    const { loadOAuthState: loadOAuthState2 } = await Promise.resolve().then(() => (init_oauthClientProvider(), oauthClientProvider_exports));
+    const state = await loadOAuthState2(storagePath);
+    if (!state?.tokens?.accessToken) {
+      return false;
+    }
+    if (state.tokens.expiresAt) {
+      const bufferMs = 6e4;
+      if (state.tokens.expiresAt - bufferMs < Date.now()) {
+        return false;
+      }
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function performOAuthSetupIfNeeded(config) {
+  const hasValid = await hasValidOAuthState(config.outputPath);
+  if (hasValid) {
+    debugOAuth("Using existing auth state from %s", config.outputPath);
+    return;
+  }
+  debugOAuth("No valid auth state found, performing OAuth flow...");
+  await performOAuthSetup(config);
+}
+var MCP_PROTOCOL_VERSION = "2025-06-18";
+async function discoverProtectedResource(mcpServerUrl) {
+  const url = new URL(mcpServerUrl);
+  const origin = url.origin;
+  const pathname = url.pathname;
+  const pathAwareUrl = `${origin}/.well-known/oauth-protected-resource${pathname}`;
+  try {
+    const metadata = await fetchProtectedResourceMetadata(pathAwareUrl);
+    return {
+      metadata,
+      discoveryUrl: pathAwareUrl,
+      usedPathAwareDiscovery: true
+    };
+  } catch (error) {
+    if (error instanceof DiscoveryError && error.status === 404) {
+      const baseUrl = `${origin}/.well-known/oauth-protected-resource`;
+      const metadata = await fetchProtectedResourceMetadata(baseUrl);
+      return {
+        metadata,
+        discoveryUrl: baseUrl,
+        usedPathAwareDiscovery: false
+      };
+    }
+    throw error;
+  }
+}
+var DiscoveryError = class extends Error {
+  constructor(message, status, url) {
+    super(message);
+    this.status = status;
+    this.url = url;
+    this.name = "DiscoveryError";
+  }
+};
+async function fetchProtectedResourceMetadata(discoveryUrl) {
+  const response = await fetch(discoveryUrl, {
+    method: "GET",
+    headers: {
+      Accept: "application/json",
+      "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+    }
+  });
+  if (!response.ok) {
+    throw new DiscoveryError(
+      `Protected resource discovery failed: ${response.status} ${response.statusText}`,
+      response.status,
+      discoveryUrl
+    );
+  }
+  const metadata = await response.json();
+  if (!metadata.resource) {
+    throw new DiscoveryError(
+      'Invalid protected resource metadata: missing required "resource" field',
+      void 0,
+      discoveryUrl
+    );
+  }
+  return metadata;
+}
+async function discoverAuthorizationServer(authServerUrl) {
+  const issuer = new URL(authServerUrl);
+  const response = await oauth2.discoveryRequest(issuer, {
+    algorithm: "oauth2",
+    headers: new Headers({
+      "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+    })
+  });
+  const metadata = await oauth2.processDiscoveryResponse(issuer, response);
+  return {
+    server: metadata,
+    issuer: authServerUrl
+  };
+}
+var ENV_VAR_NAMES = {
+  accessToken: "MCP_ACCESS_TOKEN",
+  refreshToken: "MCP_REFRESH_TOKEN",
+  tokenType: "MCP_TOKEN_TYPE",
+  expiresAt: "MCP_TOKEN_EXPIRES_AT"
+};
+var DEFAULT_EXPIRY_BUFFER_MS = 6e4;
+function generateServerKey(serverUrl) {
+  const url = new URL(serverUrl);
+  let key = url.hostname;
+  if (url.port) {
+    key += `_${url.port}`;
+  }
+  if (url.pathname && url.pathname !== "/") {
+    const cleanPath = url.pathname.replace(/^\/+|\/+$/g, "").replace(/\//g, "_");
+    if (cleanPath) {
+      key += `_${cleanPath}`;
+    }
+  }
+  return key.replace(/[^a-zA-Z0-9_.-]/g, "_");
+}
+function getStateDir(serverUrl, customDir) {
+  const serverKey = generateServerKey(serverUrl);
+  if (customDir) {
+    return path2.join(customDir, serverKey);
+  }
+  if (process.platform === "win32") {
+    const localAppData = process.env.LOCALAPPDATA;
+    if (localAppData) {
+      return path2.join(localAppData, "mcp-tests", serverKey);
+    }
+    return path2.join(homedir(), "AppData", "Local", "mcp-tests", serverKey);
+  }
+  if (process.platform === "linux" && process.env.XDG_STATE_HOME) {
+    return path2.join(process.env.XDG_STATE_HOME, "mcp-tests", serverKey);
+  }
+  return path2.join(homedir(), ".local", "state", "mcp-tests", serverKey);
+}
+function loadTokensFromEnv() {
+  const accessToken = process.env[ENV_VAR_NAMES.accessToken];
+  if (!accessToken) {
+    return null;
+  }
+  const expiresAtStr = process.env[ENV_VAR_NAMES.expiresAt];
+  const expiresAt = expiresAtStr ? parseInt(expiresAtStr, 10) : void 0;
+  return {
+    accessToken,
+    refreshToken: process.env[ENV_VAR_NAMES.refreshToken],
+    tokenType: process.env[ENV_VAR_NAMES.tokenType] ?? "Bearer",
+    expiresAt: expiresAt && !isNaN(expiresAt) ? expiresAt : void 0
+  };
+}
+async function injectTokens(serverUrl, tokens, stateDir) {
+  const storage = createFileOAuthStorage({ serverUrl, stateDir });
+  await storage.saveTokens(tokens);
+}
+async function loadTokens(serverUrl, stateDir) {
+  const storage = createFileOAuthStorage({ serverUrl, stateDir });
+  return storage.loadTokens();
+}
+async function hasValidTokens(serverUrl, options) {
+  const storage = createFileOAuthStorage({
+    serverUrl,
+    stateDir: options?.stateDir
+  });
+  return storage.hasValidToken(options?.bufferMs);
+}
+function createFileOAuthStorage(config) {
+  return new FileOAuthStorage(config);
+}
+var FileOAuthStorage = class {
+  stateDir;
+  constructor(config) {
+    this.stateDir = getStateDir(config.serverUrl, config.stateDir);
+  }
+  get serverMetadataPath() {
+    return path2.join(this.stateDir, "server.json");
+  }
+  get clientPath() {
+    return path2.join(this.stateDir, "client.json");
+  }
+  get tokensPath() {
+    return path2.join(this.stateDir, "tokens.json");
+  }
+  async loadServerMetadata() {
+    return this.loadFile(this.serverMetadataPath);
+  }
+  async saveServerMetadata(metadata) {
+    await this.atomicWrite(this.serverMetadataPath, metadata);
+  }
+  async loadClient() {
+    return this.loadFile(this.clientPath);
+  }
+  async saveClient(client) {
+    await this.atomicWrite(this.clientPath, client);
+  }
+  async loadTokens() {
+    return this.loadFile(this.tokensPath);
+  }
+  async saveTokens(tokens) {
+    await this.atomicWrite(this.tokensPath, tokens);
+  }
+  async deleteTokens() {
+    await this.deleteFile(this.tokensPath);
+  }
+  async hasValidToken(bufferMs = DEFAULT_EXPIRY_BUFFER_MS) {
+    const tokens = await this.loadTokens();
+    if (!tokens?.accessToken) {
+      return false;
+    }
+    if (!tokens.expiresAt) {
+      return true;
+    }
+    return tokens.expiresAt > Date.now() + bufferMs;
+  }
+  /**
+   * Load a JSON file, returning null if not found
+   */
+  async loadFile(filePath) {
+    try {
+      const content = await fs.readFile(filePath, "utf-8");
+      return JSON.parse(content);
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Write data atomically: write to .tmp file, then rename
+   * Files are created with 0o600 permissions (user read/write only)
+   */
+  async atomicWrite(filePath, data) {
+    await fs.mkdir(this.stateDir, { recursive: true, mode: 448 });
+    const tmpPath = `${filePath}.tmp`;
+    const content = JSON.stringify(data, null, 2);
+    await fs.writeFile(tmpPath, content, { encoding: "utf-8", mode: 384 });
+    await fs.rename(tmpPath, filePath);
+  }
+  /**
+   * Delete a file, ignoring errors if the file doesn't exist
+   */
+  async deleteFile(filePath) {
+    try {
+      await fs.unlink(filePath);
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        throw error;
+      }
+    }
+  }
+};
+async function generatePKCE() {
+  const codeVerifier = oauth2.generateRandomCodeVerifier();
+  const codeChallenge = await oauth2.calculatePKCECodeChallenge(codeVerifier);
+  return {
+    codeVerifier,
+    codeChallenge
+  };
+}
+function generateState() {
+  return oauth2.generateRandomState();
+}
+function buildAuthorizationUrl(config) {
+  const authorizationEndpoint = config.authServer.server.authorization_endpoint;
+  if (!authorizationEndpoint) {
+    throw new Error(
+      "Authorization server does not have an authorization_endpoint"
+    );
+  }
+  const authorizationUrl = new URL(authorizationEndpoint);
+  authorizationUrl.searchParams.set("client_id", config.clientId);
+  authorizationUrl.searchParams.set("redirect_uri", config.redirectUri);
+  authorizationUrl.searchParams.set("response_type", "code");
+  authorizationUrl.searchParams.set("scope", config.scopes.join(" "));
+  authorizationUrl.searchParams.set("code_challenge", config.codeChallenge);
+  authorizationUrl.searchParams.set("code_challenge_method", "S256");
+  authorizationUrl.searchParams.set("state", config.state);
+  if (config.resource) {
+    authorizationUrl.searchParams.set("resource", config.resource);
+  }
+  return authorizationUrl;
+}
+async function exchangeCodeForTokens(config) {
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
+  };
+  const clientAuth = config.clientSecret ? oauth2.ClientSecretBasic(config.clientSecret) : oauth2.None();
+  const callbackUrl = new URL(config.redirectUri);
+  callbackUrl.searchParams.set("code", config.code);
+  callbackUrl.searchParams.set("state", config.state);
+  const validatedParams = oauth2.validateAuthResponse(
+    config.authServer.server,
+    client,
+    callbackUrl,
+    config.state
+  );
+  const response = await oauth2.authorizationCodeGrantRequest(
+    config.authServer.server,
+    client,
+    clientAuth,
+    validatedParams,
+    config.redirectUri,
+    config.codeVerifier
+  );
+  const result = await oauth2.processAuthorizationCodeResponse(
+    config.authServer.server,
+    client,
+    response
+  );
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    refreshToken: result.refresh_token,
+    scope: result.scope
+  };
+}
+async function refreshAccessToken(config) {
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
+  };
+  const clientAuth = config.clientSecret ? oauth2.ClientSecretBasic(config.clientSecret) : oauth2.None();
+  const response = await oauth2.refreshTokenGrantRequest(
+    config.authServer.server,
+    client,
+    clientAuth,
+    config.refreshToken
+  );
+  if (!response.ok) {
+    const contentType = response.headers.get("content-type") ?? "";
+    let errorMessage = `Token refresh failed: ${response.status} ${response.statusText}`;
+    try {
+      if (contentType.includes("application/json")) {
+        const errorBody = await response.clone().json();
+        if (errorBody.error) {
+          errorMessage = `Token refresh failed: ${errorBody.error}`;
+          if (errorBody.error_description) {
+            errorMessage += ` - ${errorBody.error_description}`;
+          }
+        }
+      } else {
+        const textBody = await response.clone().text();
+        if (textBody) {
+          errorMessage = `Token refresh failed: ${response.status} - ${textBody}`;
+        }
+      }
+    } catch {
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await oauth2.processRefreshTokenResponse(
+    config.authServer.server,
+    client,
+    response
+  );
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    refreshToken: result.refresh_token,
+    scope: result.scope
+  };
+}
+
+// src/auth/cli.ts
+var debug = createDebug("mcp-server-tester:cli-oauth");
+var DEFAULT_TIMEOUT_MS2 = 3e5;
+var DEFAULT_CLIENT_NAME = "@gleanwork/mcp-server-tester";
+var DEFAULT_METADATA_TTL_MS = 24 * 60 * 60 * 1e3;
+var CLIOAuthClient = class {
+  config;
+  storage;
+  constructor(config) {
+    this.config = config;
+    this.storage = createFileOAuthStorage({
+      serverUrl: config.mcpServerUrl,
+      stateDir: config.stateDir
+    });
+  }
+  /**
+   * Get a valid access token, authenticating if necessary
+   *
+   * Token resolution priority:
+   * 1. Check environment variables (for CI/CD)
+   * 2. Check file storage for cached tokens
+   * 3. Try to refresh if expired but refresh token exists
+   * 4. Run full OAuth flow if needed
+   */
+  async getAccessToken() {
+    const envTokens = loadTokensFromEnv();
+    if (envTokens) {
+      debug("Using tokens from environment variables");
+      return {
+        accessToken: envTokens.accessToken,
+        tokenType: envTokens.tokenType,
+        expiresAt: envTokens.expiresAt,
+        refreshed: false,
+        fromEnv: true
+      };
+    }
+    const storedTokens = await this.storage.loadTokens();
+    if (storedTokens?.accessToken) {
+      const isValid = await this.storage.hasValidToken();
+      if (isValid) {
+        debug("Using cached tokens from storage");
+        return {
+          accessToken: storedTokens.accessToken,
+          tokenType: storedTokens.tokenType,
+          expiresAt: storedTokens.expiresAt,
+          refreshed: false,
+          fromEnv: false
+        };
+      }
+      if (storedTokens.refreshToken) {
+        debug("Token expired, attempting refresh");
+        try {
+          const refreshedTokens = await this.refreshStoredToken(storedTokens);
+          return {
+            accessToken: refreshedTokens.accessToken,
+            tokenType: refreshedTokens.tokenType,
+            expiresAt: refreshedTokens.expiresAt,
+            refreshed: true,
+            fromEnv: false
+          };
+        } catch (error) {
+          debug("Token refresh failed, will re-authenticate:", error);
+        }
+      }
+    }
+    debug("Performing full OAuth authentication");
+    return this.authenticate();
+  }
+  /**
+   * Try to get a valid access token without triggering browser auth
+   *
+   * Returns null if no valid token is available (no stored tokens,
+   * expired without refresh token, or refresh failed). Unlike getAccessToken(),
+   * this will NOT open a browser for authentication.
+   *
+   * Use this for CLI commands that should prompt the user to run `login`
+   * instead of automatically starting the OAuth flow.
+   */
+  async tryGetAccessToken() {
+    const envTokens = loadTokensFromEnv();
+    if (envTokens) {
+      debug("Using tokens from environment variables");
+      return {
+        accessToken: envTokens.accessToken,
+        tokenType: envTokens.tokenType,
+        expiresAt: envTokens.expiresAt,
+        refreshed: false,
+        fromEnv: true
+      };
+    }
+    const storedTokens = await this.storage.loadTokens();
+    if (storedTokens?.accessToken) {
+      const isValid = await this.storage.hasValidToken();
+      if (isValid) {
+        debug("Using cached tokens from storage");
+        return {
+          accessToken: storedTokens.accessToken,
+          tokenType: storedTokens.tokenType,
+          expiresAt: storedTokens.expiresAt,
+          refreshed: false,
+          fromEnv: false
+        };
+      }
+      if (storedTokens.refreshToken) {
+        debug("Token expired, attempting refresh");
+        try {
+          const refreshedTokens = await this.refreshStoredToken(storedTokens);
+          return {
+            accessToken: refreshedTokens.accessToken,
+            tokenType: refreshedTokens.tokenType,
+            expiresAt: refreshedTokens.expiresAt,
+            refreshed: true,
+            fromEnv: false
+          };
+        } catch (error) {
+          debug("Token refresh failed:", error);
+          return null;
+        }
+      }
+    }
+    debug("No valid token available");
+    return null;
+  }
+  /**
+   * Force a new authentication flow
+   */
+  async authenticate() {
+    const { protectedResource, authServer } = await this.discoverServers();
+    const client = await this.getOrRegisterClient(authServer);
+    const { tokens, requestedScopes } = await this.performOAuthFlow(
+      authServer,
+      client,
+      protectedResource
+    );
+    return {
+      accessToken: tokens.accessToken,
+      tokenType: tokens.tokenType,
+      expiresAt: tokens.expiresAt,
+      refreshed: false,
+      fromEnv: false,
+      requestedScopes
+    };
+  }
+  /**
+   * Check if stored credentials exist (may be expired)
+   */
+  async hasStoredCredentials() {
+    const tokens = await this.storage.loadTokens();
+    return tokens?.accessToken !== void 0;
+  }
+  /**
+   * Clear stored credentials
+   */
+  async clearCredentials() {
+    await this.storage.deleteTokens();
+    debug("Cleared stored credentials");
+  }
+  /**
+   * Discover protected resource and authorization server
+   */
+  async discoverServers() {
+    const cachedMetadata = await this.storage.loadServerMetadata();
+    if (cachedMetadata) {
+      const age = Date.now() - cachedMetadata.discoveredAt;
+      if (age < DEFAULT_METADATA_TTL_MS) {
+        debug("Using cached server metadata (age: %dms)", age);
+        debug(
+          "Cached protected resource scopes: %O",
+          cachedMetadata.protectedResource.scopes_supported
+        );
+        debug(
+          "Cached auth server scopes: %O",
+          cachedMetadata.authServer.server.scopes_supported
+        );
+        return {
+          protectedResource: cachedMetadata.protectedResource,
+          authServer: cachedMetadata.authServer
+        };
+      }
+      debug("Cached server metadata is stale (age: %dms), re-discovering", age);
+    }
+    debug("Discovering protected resource:", this.config.mcpServerUrl);
+    const prResult = await discoverProtectedResource(this.config.mcpServerUrl);
+    debug("Found protected resource:", prResult.metadata.resource);
+    debug(
+      "Protected resource scopes_supported: %O",
+      prResult.metadata.scopes_supported
+    );
+    const authServerUrl = prResult.metadata.authorization_servers?.[0];
+    if (!authServerUrl) {
+      throw new Error(
+        "No authorization servers found in protected resource metadata"
+      );
+    }
+    debug("Discovering authorization server:", authServerUrl);
+    const authServer = await discoverAuthorizationServer(authServerUrl);
+    debug("Found authorization server:", authServer.issuer);
+    debug(
+      "Auth server scopes_supported: %O",
+      authServer.server.scopes_supported
+    );
+    const metadata = {
+      authServer,
+      protectedResource: prResult.metadata,
+      discoveredAt: Date.now()
+    };
+    await this.storage.saveServerMetadata(metadata);
+    return {
+      protectedResource: prResult.metadata,
+      authServer
+    };
+  }
+  /**
+   * Get existing client or register new one via DCR
+   */
+  async getOrRegisterClient(authServer) {
+    if (this.config.clientId) {
+      debug("Using pre-configured client ID");
+      return {
+        clientId: this.config.clientId,
+        clientSecret: this.config.clientSecret
+      };
+    }
+    const cachedClient = await this.storage.loadClient();
+    if (cachedClient?.clientId) {
+      debug("Using cached client registration");
+      return cachedClient;
+    }
+    debug("Registering new client via DCR");
+    const client = await this.registerClient(authServer);
+    await this.storage.saveClient(client);
+    return client;
+  }
+  /**
+   * Register a new client via Dynamic Client Registration
+   */
+  async registerClient(authServer) {
+    const registrationEndpoint = authServer.server.registration_endpoint;
+    if (!registrationEndpoint) {
+      throw new Error(
+        "Authorization server does not support Dynamic Client Registration. Please provide a clientId in the configuration."
+      );
+    }
+    const redirectUri = "http://127.0.0.1:0/callback";
+    const response = await fetch(registrationEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+      },
+      body: JSON.stringify({
+        redirect_uris: [redirectUri],
+        token_endpoint_auth_method: "none",
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        client_name: this.config.clientName ?? DEFAULT_CLIENT_NAME
+      })
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(
+        `Dynamic Client Registration failed: ${response.status} ${response.statusText}
+${errorText}`
+      );
+    }
+    const data = await response.json();
+    debug("Client registered:", data.client_id);
+    return {
+      clientId: data.client_id,
+      clientSecret: data.client_secret,
+      clientIdIssuedAt: data.client_id_issued_at,
+      clientSecretExpiresAt: data.client_secret_expires_at
+    };
+  }
+  /**
+   * Perform the full OAuth authorization flow
+   */
+  async performOAuthFlow(authServer, client, protectedResource) {
+    const pkce = await generatePKCE();
+    const state = generateState();
+    const { port, codePromise, close } = await this.startCallbackServer(state);
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+    try {
+      const requestedScopes = this.config.scopes ?? protectedResource.scopes_supported ?? authServer.server.scopes_supported ?? ["openid"];
+      debug("Scope resolution:");
+      debug("  - User config scopes: %O", this.config.scopes);
+      debug(
+        "  - Protected resource scopes_supported: %O",
+        protectedResource.scopes_supported
+      );
+      debug(
+        "  - Auth server scopes_supported: %O",
+        authServer.server.scopes_supported
+      );
+      debug("  - Final requested scopes: %O", requestedScopes);
+      const authUrl = buildAuthorizationUrl({
+        authServer,
+        clientId: client.clientId,
+        redirectUri,
+        scopes: requestedScopes,
+        codeChallenge: pkce.codeChallenge,
+        state,
+        resource: protectedResource.resource
+      });
+      debug("Authorization URL: %s", authUrl.toString());
+      debug("Authorization URL params:");
+      debug("  - client_id: %s", authUrl.searchParams.get("client_id"));
+      debug("  - redirect_uri: %s", authUrl.searchParams.get("redirect_uri"));
+      debug("  - scope: %s", authUrl.searchParams.get("scope"));
+      debug("  - resource: %s", authUrl.searchParams.get("resource"));
+      await this.openBrowserOrPrintUrl(authUrl);
+      debug("Waiting for OAuth callback...");
+      const code = await codePromise;
+      debug("Received authorization code");
+      const tokenResult = await exchangeCodeForTokens({
+        authServer,
+        clientId: client.clientId,
+        clientSecret: client.clientSecret,
+        code,
+        state,
+        codeVerifier: pkce.codeVerifier,
+        redirectUri
+      });
+      const tokens = this.tokenResultToStoredTokens(
+        tokenResult,
+        client.clientId
+      );
+      await this.storage.saveTokens(tokens);
+      return { tokens, requestedScopes };
+    } finally {
+      close();
+    }
+  }
+  /**
+   * Refresh an expired token
+   *
+   * Uses the clientId stored with the tokens (if available) to ensure
+   * the refresh request uses the same client that obtained the original tokens.
+   * This is important because refresh tokens are bound to the client_id.
+   */
+  async refreshStoredToken(storedTokens) {
+    if (!storedTokens.refreshToken) {
+      throw new Error("No refresh token available");
+    }
+    const metadata = await this.storage.loadServerMetadata();
+    if (!metadata) {
+      throw new Error("No cached server metadata for refresh");
+    }
+    let clientId;
+    let clientSecret;
+    if (storedTokens.clientId) {
+      debug("Using clientId from stored tokens for refresh");
+      clientId = storedTokens.clientId;
+      const storedClient = await this.storage.loadClient();
+      if (storedClient?.clientId === clientId) {
+        clientSecret = storedClient.clientSecret;
+      }
+    } else {
+      debug(
+        "No clientId in stored tokens, falling back to stored client (legacy behavior)"
+      );
+      const client = await this.getOrRegisterClient(metadata.authServer);
+      clientId = client.clientId;
+      clientSecret = client.clientSecret;
+    }
+    const tokenResult = await refreshAccessToken({
+      authServer: metadata.authServer,
+      clientId,
+      clientSecret,
+      refreshToken: storedTokens.refreshToken
+    });
+    const tokens = this.tokenResultToStoredTokens(tokenResult, clientId);
+    await this.storage.saveTokens(tokens);
+    return tokens;
+  }
+  /**
+   * Start local callback server
+   */
+  async startCallbackServer(expectedState) {
+    const timeoutMs = this.config.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
+    return new Promise((resolve, reject) => {
+      const server = http.createServer();
+      const connections = /* @__PURE__ */ new Set();
+      server.on("connection", (socket) => {
+        connections.add(socket);
+        socket.on("close", () => connections.delete(socket));
+      });
+      const forceClose = () => {
+        for (const socket of connections) {
+          socket.destroy();
+        }
+        server.close();
+      };
+      let codeResolve;
+      let codeReject;
+      const codePromise = new Promise((res, rej) => {
+        codeResolve = res;
+        codeReject = rej;
+      });
+      const timeout = setTimeout(() => {
+        forceClose();
+        codeReject(new Error(`OAuth flow timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+      server.on("request", (req, res) => {
+        const url = new URL(
+          req.url ?? "/",
+          `http://127.0.0.1:${server.address().port}`
+        );
+        if (url.pathname !== "/callback") {
+          res.writeHead(404);
+          res.end("Not Found");
+          return;
+        }
+        const error = url.searchParams.get("error");
+        if (error) {
+          const errorDescription = url.searchParams.get("error_description");
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(this.errorHtml(error, errorDescription ?? void 0));
+          codeReject(
+            new Error(
+              `OAuth error: ${error}${errorDescription ? ` - ${errorDescription}` : ""}`
+            )
+          );
+          return;
+        }
+        const state = url.searchParams.get("state");
+        if (state !== expectedState) {
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(this.errorHtml("invalid_state", "State parameter mismatch"));
+          codeReject(new Error("OAuth state mismatch - possible CSRF attack"));
+          return;
+        }
+        const code = url.searchParams.get("code");
+        if (!code) {
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(
+            this.errorHtml("missing_code", "No authorization code received")
+          );
+          codeReject(new Error("No authorization code in callback"));
+          return;
+        }
+        clearTimeout(timeout);
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(this.successHtml());
+        codeResolve(code);
+      });
+      const preferredPort = this.config.callbackPort ?? 0;
+      server.listen(preferredPort, "127.0.0.1", () => {
+        const address = server.address();
+        debug("Callback server listening on port", address.port);
+        resolve({ port: address.port, codePromise, close: forceClose });
+      });
+      server.on("error", (err) => {
+        reject(err);
+      });
+    });
+  }
+  /**
+   * Open browser or print URL for headless environments
+   */
+  async openBrowserOrPrintUrl(url) {
+    if (isHeadless()) {
+      console.log("\n" + "=".repeat(60));
+      console.log(
+        "Please open the following URL in your browser to authenticate:"
+      );
+      console.log("\n" + url.toString() + "\n");
+      console.log("=".repeat(60) + "\n");
+      return;
+    }
+    try {
+      const open = await import('open');
+      await open.default(url.toString());
+      debug("Opened browser for authentication");
+    } catch (error) {
+      debug("Failed to open browser:", error);
+      console.log("\nFailed to open browser automatically.");
+      console.log("Please open the following URL manually:\n");
+      console.log(url.toString() + "\n");
+    }
+  }
+  /**
+   * Convert TokenResult to StoredTokens
+   *
+   * @param result - Token result from exchange or refresh
+   * @param clientId - Client ID that was used to obtain these tokens
+   */
+  tokenResultToStoredTokens(result, clientId) {
+    return {
+      accessToken: result.accessToken,
+      tokenType: result.tokenType,
+      refreshToken: result.refreshToken,
+      expiresAt: result.expiresIn ? Date.now() + result.expiresIn * 1e3 : void 0,
+      clientId
+    };
+  }
+  /**
+   * HTML page for successful authentication
+   */
+  successHtml() {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Authentication Successful</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+           display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0;
+           background: #f8fafc; }
+    .container { text-align: center; background: white; padding: 48px 64px; border-radius: 8px;
+                 border: 1px solid #e2e8f0; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+    .icon { width: 48px; height: 48px; margin: 0 auto 24px; background: #dcfce7; border-radius: 50%;
+            display: flex; align-items: center; justify-content: center; }
+    .icon svg { width: 24px; height: 24px; color: #16a34a; }
+    h1 { color: #0f172a; margin: 0 0 8px 0; font-size: 20px; font-weight: 600; }
+    p { color: #64748b; margin: 0; font-size: 14px; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">
+      <svg fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+      </svg>
+    </div>
+    <h1>Authentication Successful</h1>
+    <p>You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>`;
+  }
+  /**
+   * HTML page for authentication error
+   */
+  errorHtml(error, description) {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Authentication Failed</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+           display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0;
+           background: #f8fafc; }
+    .container { text-align: center; background: white; padding: 48px 64px; border-radius: 8px;
+                 border: 1px solid #e2e8f0; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+    .icon { width: 48px; height: 48px; margin: 0 auto 24px; background: #fee2e2; border-radius: 50%;
+            display: flex; align-items: center; justify-content: center; }
+    .icon svg { width: 24px; height: 24px; color: #dc2626; }
+    h1 { color: #0f172a; margin: 0 0 8px 0; font-size: 20px; font-weight: 600; }
+    p { color: #64748b; margin: 0 0 8px 0; font-size: 14px; }
+    code { background: #f1f5f9; padding: 2px 8px; border-radius: 4px; color: #dc2626; font-size: 13px; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">
+      <svg fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"/>
+      </svg>
+    </div>
+    <h1>Authentication Failed</h1>
+    <p>Error: <code>${escapeHtml(error)}</code></p>
+    ${description ? `<p>${escapeHtml(description)}</p>` : ""}
+  </div>
+</body>
+</html>`;
+  }
+};
+function isHeadless() {
+  if (process.env.CI) {
+    return true;
+  }
+  if (!process.stdin.isTTY) {
+    return true;
+  }
+  if (process.platform === "linux" && !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY) {
+    return true;
+  }
+  return false;
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+async function createMCPClientForConfig(config, options) {
+  const validatedConfig = validateMCPConfig(config);
+  const client = new Client(
+    {
+      name: options?.clientInfo?.name ?? "@gleanwork/mcp-server-tester",
+      version: options?.clientInfo?.version ?? "0.1.0"
+    },
+    {
+      capabilities: validatedConfig.capabilities ?? {}
+    }
+  );
+  if (isStdioConfig(validatedConfig)) {
+    const transport = new StdioClientTransport({
+      command: validatedConfig.command,
+      args: validatedConfig.args ?? [],
+      ...validatedConfig.cwd && { cwd: validatedConfig.cwd },
+      // Suppress server stderr when quiet mode is enabled
+      ...validatedConfig.quiet && { stderr: "ignore" }
+    });
+    debugClient("Connecting via stdio: %O", {
+      command: validatedConfig.command,
+      args: validatedConfig.args,
+      cwd: validatedConfig.cwd
+    });
+    await client.connect(transport);
+  } else if (isHttpConfig(validatedConfig)) {
+    const headers = { ...validatedConfig.headers };
+    if (validatedConfig.auth?.accessToken && !options?.authProvider) {
+      headers.Authorization = `Bearer ${validatedConfig.auth.accessToken}`;
+    }
+    const transport = new StreamableHTTPClientTransport(
+      new URL(validatedConfig.serverUrl),
+      {
+        requestInit: Object.keys(headers).length > 0 ? { headers } : void 0,
+        // Pass auth provider for OAuth flow - MCP SDK handles it automatically
+        authProvider: options?.authProvider
+      }
+    );
+    debugClient("Connecting via HTTP: %O", {
+      serverUrl: validatedConfig.serverUrl,
+      headers: Object.keys(headers).length > 0 ? Object.keys(headers) : void 0,
+      hasAuthProvider: !!options?.authProvider
+    });
+    await client.connect(transport);
+  }
+  debugClient("Connected successfully");
+  const serverInfo = client.getServerVersion();
+  if (serverInfo) {
+    debugClient("Server info: %O", serverInfo);
+  }
+  return client;
+}
+async function closeMCPClient(client) {
+  try {
+    await client.close();
+  } catch (error) {
+    console.error("[MCP] Error closing client:", error);
+    throw error;
+  }
+}
+
+// src/mcp/response.ts
+function normalizeToolResponse(result) {
+  const isError = result.isError ?? false;
+  const contentBlocks = [];
+  const textParts = [];
+  if (Array.isArray(result.content)) {
+    for (const block of result.content) {
+      if (block == null || typeof block !== "object") {
+        continue;
+      }
+      const b = block;
+      const contentBlock = {
+        type: typeof b.type === "string" ? b.type : "unknown"
+      };
+      if (typeof b.text === "string") {
+        contentBlock.text = b.text;
+        textParts.push(b.text);
+      }
+      if (b.data !== void 0) {
+        contentBlock.data = b.data;
+      }
+      if (typeof b.mimeType === "string") {
+        contentBlock.mimeType = b.mimeType;
+      }
+      contentBlocks.push(contentBlock);
+    }
+  }
+  let structuredContent = null;
+  if (result.structuredContent !== void 0) {
+    structuredContent = result.structuredContent;
+    if (textParts.length === 0) {
+      if (typeof result.structuredContent === "string") {
+        textParts.push(result.structuredContent);
+      } else if (result.structuredContent != null) {
+        textParts.push(JSON.stringify(result.structuredContent));
+      }
+    }
+  }
+  const text = textParts.join("\n");
+  return {
+    text,
+    raw: result,
+    isError,
+    contentBlocks,
+    structuredContent
+  };
+}
+function extractText(response) {
+  if (response == null) {
+    return "";
+  }
+  if (typeof response === "string") {
+    return response;
+  }
+  if (isNormalizedResponse(response)) {
+    return response.text;
+  }
+  if (isCallToolResult(response)) {
+    return normalizeToolResponse(response).text;
+  }
+  if (Array.isArray(response)) {
+    return extractTextFromContentArray(response);
+  }
+  if (typeof response === "object") {
+    const r = response;
+    if (Array.isArray(r.content)) {
+      return extractTextFromContentArray(r.content);
+    }
+    if (typeof r.content === "string") {
+      return r.content;
+    }
+    if (r.structuredContent !== void 0) {
+      if (typeof r.structuredContent === "string") {
+        return r.structuredContent;
+      }
+      return JSON.stringify(r.structuredContent);
+    }
+    if (typeof r.text === "string") {
+      return r.text;
+    }
+    return JSON.stringify(r);
+  }
+  if (typeof response === "number" || typeof response === "boolean" || typeof response === "bigint") {
+    return String(response);
+  }
+  return "";
+}
+function isNormalizedResponse(value) {
+  if (value == null || typeof value !== "object") {
+    return false;
+  }
+  const v = value;
+  return typeof v.text === "string" && typeof v.isError === "boolean" && Array.isArray(v.contentBlocks) && v.raw !== void 0;
+}
+function isCallToolResult(value) {
+  if (value == null || typeof value !== "object") {
+    return false;
+  }
+  const v = value;
+  return Array.isArray(v.content) || typeof v.isError === "boolean";
+}
+function extractTextFromContentArray(content) {
+  const textParts = [];
+  for (const block of content) {
+    if (block == null || typeof block !== "object") {
+      continue;
+    }
+    const b = block;
+    if (b.type === "text" && typeof b.text === "string") {
+      textParts.push(b.text);
+    }
+  }
+  if (textParts.length > 0) {
+    return textParts.join("\n");
+  }
+  return JSON.stringify(content);
+}
+
+// src/assertions/validators/utils.ts
+var extractText2 = extractText;
+function getResponseSizeBytes(response) {
+  if (response === null || response === void 0) {
+    return 0;
+  }
+  if (typeof response === "string") {
+    return Buffer.byteLength(response, "utf8");
+  }
+  const serialized = JSON.stringify(response, null, 2);
+  return Buffer.byteLength(serialized, "utf8");
+}
+function stringifyResponse(response) {
+  if (response === null || response === void 0) {
+    return "";
+  }
+  if (typeof response === "string") {
+    return response;
+  }
+  return JSON.stringify(response, null, 2);
+}
+function isErrorResponse(response) {
+  if (response === null || response === void 0) {
+    return false;
+  }
+  if (typeof response !== "object") {
+    return false;
+  }
+  const r = response;
+  if (r.isError === true) {
+    return true;
+  }
+  if ("raw" in r && typeof r.raw === "object" && r.raw !== null) {
+    const raw = r.raw;
+    return raw.isError === true;
+  }
+  return false;
+}
+function extractErrorMessage(response) {
+  if (!isErrorResponse(response)) {
+    return "";
+  }
+  return extractText2(response);
+}
+function normalizeWhitespace(text) {
+  return text.replace(/\s+/g, " ").trim();
+}
+
+// src/assertions/validators/response.ts
+function validateResponse(actual, expected) {
+  const actualStr = stringifyResponse(actual);
+  const expectedStr = stringifyResponse(expected);
+  if (actualStr === expectedStr) {
+    return {
+      pass: true,
+      message: "Response matches expected value"
+    };
+  }
+  return {
+    pass: false,
+    message: `Response does not match expected value`,
+    details: {
+      actual: truncateForDisplay(actualStr),
+      expected: truncateForDisplay(expectedStr)
+    }
+  };
+}
+function truncateForDisplay(str, maxLength = 500) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/validators/schema.ts
+function validateSchema(response, schema, options = {}) {
+  const valueToValidate = getValidatableValue(response);
+  if (options.strict && valueToValidate !== null) ;
+  try {
+    schema.parse(valueToValidate);
+    return {
+      pass: true,
+      message: "Response matches schema"
+    };
+  } catch (error) {
+    const zodError = error;
+    const issues = formatZodIssues(zodError);
+    return {
+      pass: false,
+      message: `Response does not match schema: ${issues}`,
+      details: {
+        issues: zodError.issues
+      }
+    };
+  }
+}
+function getValidatableValue(response) {
+  if (response === null || response === void 0) {
+    return null;
+  }
+  if (typeof response === "object" && !Array.isArray(response)) {
+    const r = response;
+    if ("structuredContent" in r && r.structuredContent !== void 0) {
+      return r.structuredContent;
+    }
+    if ("raw" in r && "text" in r && "isError" in r && "contentBlocks" in r) {
+      if (r.structuredContent !== void 0) {
+        return r.structuredContent;
+      }
+      const text = r.text;
+      return tryParseJson(text) ?? response;
+    }
+    if ("content" in r && Array.isArray(r.content)) {
+      const text = extractText2(response);
+      return tryParseJson(text) ?? response;
+    }
+    return response;
+  }
+  if (typeof response === "string") {
+    return tryParseJson(response) ?? response;
+  }
+  return response;
+}
+function tryParseJson(text) {
+  if (!text || typeof text !== "string") {
+    return null;
+  }
+  const trimmed = text.trim();
+  if (!(trimmed.startsWith("{") || trimmed.startsWith("[")) || !(trimmed.endsWith("}") || trimmed.endsWith("]"))) {
+    return null;
+  }
+  try {
+    return JSON.parse(trimmed);
+  } catch {
+    return null;
+  }
+}
+function formatZodIssues(error) {
+  const issues = error.issues.map((issue) => {
+    const path3 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `${path3}: ${issue.message}`;
+  });
+  return issues.join("; ");
+}
+
+// src/assertions/validators/text.ts
+function validateText(response, expected, options = {}) {
+  const { caseSensitive = true } = options;
+  const expectedStrings = Array.isArray(expected) ? expected : [expected];
+  const text = extractText2(response);
+  const compareText = caseSensitive ? text : text.toLowerCase();
+  const missing = [];
+  for (const substring of expectedStrings) {
+    const compareSubstring = caseSensitive ? substring : substring.toLowerCase();
+    if (!compareText.includes(compareSubstring)) {
+      missing.push(substring);
+    }
+  }
+  if (missing.length === 0) {
+    return {
+      pass: true,
+      message: expectedStrings.length === 1 ? `Response contains expected text` : `Response contains all ${expectedStrings.length} expected substrings`
+    };
+  }
+  return {
+    pass: false,
+    message: missing.length === 1 ? `Response does not contain expected text: "${missing[0]}"` : `Response is missing ${missing.length} expected substrings: ${missing.map((s) => `"${s}"`).join(", ")}`,
+    details: {
+      missing,
+      textLength: text.length,
+      textPreview: truncateForDisplay2(text)
+    }
+  };
+}
+function truncateForDisplay2(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/validators/pattern.ts
+function validatePattern(response, patterns, options = {}) {
+  const { caseSensitive = true } = options;
+  const caseInsensitive = !caseSensitive;
+  const patternList = Array.isArray(patterns) ? patterns : [patterns];
+  const text = extractText2(response);
+  const unmatched = [];
+  for (const pattern of patternList) {
+    const regex = toRegExp(pattern, caseInsensitive);
+    if (!regex.test(text)) {
+      unmatched.push(patternToString(pattern));
+    }
+  }
+  if (unmatched.length === 0) {
+    return {
+      pass: true,
+      message: patternList.length === 1 ? `Response matches pattern` : `Response matches all ${patternList.length} patterns`
+    };
+  }
+  return {
+    pass: false,
+    message: unmatched.length === 1 ? `Response does not match pattern: ${unmatched[0]}` : `Response does not match ${unmatched.length} patterns: ${unmatched.join(", ")}`,
+    details: {
+      unmatched,
+      textLength: text.length,
+      textPreview: truncateForDisplay3(text)
+    }
+  };
+}
+function toRegExp(pattern, caseInsensitive) {
+  if (pattern instanceof RegExp) {
+    if (caseInsensitive && !pattern.flags.includes("i")) {
+      return new RegExp(pattern.source, pattern.flags + "i");
+    }
+    return pattern;
+  }
+  const flags = caseInsensitive ? "i" : "";
+  return new RegExp(pattern, flags);
+}
+function patternToString(pattern) {
+  if (pattern instanceof RegExp) {
+    return pattern.toString();
+  }
+  return `/${pattern}/`;
+}
+function truncateForDisplay3(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/validators/error.ts
+function validateError(response, expected = true) {
+  const actualIsError = isErrorResponse(response);
+  const errorMessage = actualIsError ? extractErrorMessage(response) : "";
+  if (typeof expected === "boolean") {
+    if (expected) {
+      if (actualIsError) {
+        return {
+          pass: true,
+          message: "Response is an error as expected"
+        };
+      }
+      return {
+        pass: false,
+        message: "Expected an error response but got success",
+        details: {
+          textPreview: truncateForDisplay4(extractText2(response))
+        }
+      };
+    } else {
+      if (!actualIsError) {
+        return {
+          pass: true,
+          message: "Response is not an error as expected"
+        };
+      }
+      return {
+        pass: false,
+        message: `Expected a success response but got error: "${truncateForDisplay4(errorMessage)}"`,
+        details: {
+          errorMessage
+        }
+      };
+    }
+  }
+  const expectedMessages = Array.isArray(expected) ? expected : [expected];
+  if (!actualIsError) {
+    return {
+      pass: false,
+      message: `Expected an error containing "${expectedMessages[0]}" but got success`,
+      details: {
+        textPreview: truncateForDisplay4(extractText2(response))
+      }
+    };
+  }
+  const matched = expectedMessages.some(
+    (msg) => errorMessage.toLowerCase().includes(msg.toLowerCase())
+  );
+  if (matched) {
+    return {
+      pass: true,
+      message: "Error message contains expected text"
+    };
+  }
+  return {
+    pass: false,
+    message: expectedMessages.length === 1 ? `Error message does not contain "${expectedMessages[0]}"` : `Error message does not contain any of: ${expectedMessages.map((m) => `"${m}"`).join(", ")}`,
+    details: {
+      actualErrorMessage: errorMessage,
+      expectedToContain: expectedMessages
+    }
+  };
+}
+function truncateForDisplay4(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/validators/size.ts
+function validateSize(response, options) {
+  const { maxBytes, minBytes } = options;
+  if (maxBytes === void 0 && minBytes === void 0) {
+    return {
+      pass: false,
+      message: "Size validation requires at least one of maxBytes or minBytes"
+    };
+  }
+  const actualSize = getResponseSizeBytes(response);
+  const issues = [];
+  if (minBytes !== void 0 && actualSize < minBytes) {
+    issues.push(
+      `Response size (${formatBytes(actualSize)}) is below minimum (${formatBytes(minBytes)})`
+    );
+  }
+  if (maxBytes !== void 0 && actualSize > maxBytes) {
+    issues.push(
+      `Response size (${formatBytes(actualSize)}) exceeds maximum (${formatBytes(maxBytes)})`
+    );
+  }
+  if (issues.length === 0) {
+    return {
+      pass: true,
+      message: `Response size (${formatBytes(actualSize)}) is within bounds`,
+      details: {
+        actualBytes: actualSize
+      }
+    };
+  }
+  return {
+    pass: false,
+    message: issues.join("; "),
+    details: {
+      actualBytes: actualSize,
+      minBytes,
+      maxBytes
+    }
+  };
+}
+function formatBytes(bytes) {
+  if (bytes < 1024) {
+    return `${bytes} bytes`;
+  }
+  if (bytes < 1024 * 1024) {
+    return `${(bytes / 1024).toFixed(1)} KB`;
+  }
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
+// src/mcp/fixtures/mcpFixture.ts
+var testStep = null;
+try {
+  const playwright = __require("@playwright/test");
+  if (playwright && playwright.test && playwright.test.step) {
+    testStep = playwright.test.step.bind(playwright.test);
+  }
+} catch {
+}
+function createMCPFixture(client, testInfo, options) {
+  const authType = options?.authType ?? "none";
+  const project = options?.project;
+  if (!testInfo) {
+    return {
+      client,
+      authType,
+      project,
+      async listTools() {
+        const result = await client.listTools();
+        return result.tools;
+      },
+      async callTool(name, args) {
+        const result = await client.callTool({
+          name,
+          arguments: args
+        });
+        return result;
+      },
+      getServerInfo() {
+        const serverVersion = client.getServerVersion();
+        if (!serverVersion) {
+          return null;
+        }
+        return {
+          name: serverVersion.name,
+          version: serverVersion.version
+        };
+      }
+    };
+  }
+  return {
+    client,
+    authType,
+    project,
+    async listTools() {
+      const execute = async () => {
+        const result = await client.listTools();
+        const tools = result.tools;
+        await testInfo.attach("mcp-list-tools", {
+          contentType: "application/json",
+          body: JSON.stringify(
+            {
+              operation: "listTools",
+              toolCount: tools.length,
+              tools: tools.map((t) => ({
+                name: t.name,
+                description: t.description
+              }))
+            },
+            null,
+            2
+          )
+        });
+        return tools;
+      };
+      return testStep ? testStep("MCP: listTools()", execute) : execute();
+    },
+    async callTool(name, args) {
+      const execute = async () => {
+        const startTime = Date.now();
+        const result = await client.callTool({
+          name,
+          arguments: args
+        });
+        const durationMs = Date.now() - startTime;
+        await testInfo.attach(`mcp-call-${name}`, {
+          contentType: "application/json",
+          body: JSON.stringify(
+            {
+              operation: "callTool",
+              toolName: name,
+              args,
+              result,
+              durationMs,
+              isError: result.isError || false,
+              authType,
+              project
+            },
+            null,
+            2
+          )
+        });
+        return result;
+      };
+      return testStep ? testStep(`MCP: callTool("${name}")`, execute) : execute();
+    },
+    getServerInfo() {
+      const serverVersion = client.getServerVersion();
+      const result = serverVersion ? {
+        name: serverVersion.name,
+        version: serverVersion.version
+      } : null;
+      testInfo.attach("mcp-server-info", {
+        contentType: "application/json",
+        body: JSON.stringify(
+          {
+            operation: "getServerInfo",
+            serverInfo: result
+          },
+          null,
+          2
+        )
+      }).catch(() => {
+      });
+      return result;
+    }
+  };
+}
+
+// src/assertions/matchers/toMatchToolResponse.ts
+function toMatchToolResponse(received, expected) {
+  const result = validateResponse(received, expected);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match, but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toMatchToolSchema.ts
+function toMatchToolSchema(received, schema, options = {}) {
+  const result = validateSchema(received, schema, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match schema, but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toContainToolText.ts
+function toContainToolText(received, expected, options = {}) {
+  const result = validateText(received, expected, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        const expectedStr = Array.isArray(expected) ? expected.map((s) => `"${s}"`).join(", ") : `"${expected}"`;
+        return result.pass ? `Expected response NOT to contain ${expectedStr}, but it did` : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toMatchToolPattern.ts
+function toMatchToolPattern(received, patterns, options = {}) {
+  const result = validatePattern(received, patterns, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match pattern(s), but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+var BUILT_IN_PATTERNS = {
+  timestamp: {
+    pattern: /\b\d{10,13}\b/g,
+    replacement: "[TIMESTAMP]"
+  },
+  uuid: {
+    pattern: /\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi,
+    replacement: "[UUID]"
+  },
+  "iso-date": {
+    pattern: /\b\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d{1,3})?(Z|[+-]\d{2}:?\d{2})?)?\b/g,
+    replacement: "[ISO_DATE]"
+  },
+  objectId: {
+    pattern: /\b[0-9a-f]{24}\b/gi,
+    replacement: "[OBJECT_ID]"
+  },
+  jwt: {
+    pattern: /\beyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\b/g,
+    replacement: "[JWT]"
+  }
+};
+function isRegexSanitizer(sanitizer) {
+  return typeof sanitizer === "object" && sanitizer !== null && "pattern" in sanitizer;
+}
+function isFieldRemovalSanitizer(sanitizer) {
+  return typeof sanitizer === "object" && sanitizer !== null && "remove" in sanitizer;
+}
+function applySanitizers(value, sanitizers) {
+  let result = value;
+  for (const sanitizer of sanitizers) {
+    if (typeof sanitizer === "string") {
+      const builtIn = BUILT_IN_PATTERNS[sanitizer];
+      if (builtIn) {
+        result = result.replace(builtIn.pattern, builtIn.replacement);
+      }
+      continue;
+    }
+    if (isRegexSanitizer(sanitizer)) {
+      const pattern = sanitizer.pattern instanceof RegExp ? sanitizer.pattern : new RegExp(sanitizer.pattern, "g");
+      const replacement = sanitizer.replacement ?? "[SANITIZED]";
+      result = result.replace(pattern, replacement);
+      continue;
+    }
+    if (isFieldRemovalSanitizer(sanitizer)) {
+      try {
+        const parsed = JSON.parse(result);
+        removeFields(parsed, sanitizer.remove);
+        result = JSON.stringify(parsed, null, 2);
+      } catch {
+      }
+    }
+  }
+  return result;
+}
+function removeFields(obj, paths) {
+  if (typeof obj !== "object" || obj === null) {
+    return;
+  }
+  for (const path3 of paths) {
+    const parts = path3.split(".");
+    if (parts.length === 0) {
+      continue;
+    }
+    let current = obj;
+    for (let i = 0; i < parts.length - 1; i++) {
+      if (typeof current !== "object" || current === null) {
+        break;
+      }
+      const key = parts[i];
+      if (key !== void 0) {
+        current = current[key];
+      }
+    }
+    if (typeof current === "object" && current !== null) {
+      const lastKey = parts[parts.length - 1];
+      if (lastKey !== void 0) {
+        delete current[lastKey];
+      }
+    }
+  }
+}
+async function toMatchToolSnapshot(received, name, sanitizers = []) {
+  let content = extractText2(received);
+  if (sanitizers.length > 0) {
+    content = applySanitizers(content, sanitizers);
+  }
+  if (this.isNot) {
+    try {
+      await expect$1(content).toMatchSnapshot(name);
+      return {
+        pass: false,
+        message: () => `Expected response NOT to match snapshot "${name}", but it did`
+      };
+    } catch {
+      return {
+        pass: true,
+        message: () => `Response does not match snapshot "${name}" as expected`
+      };
+    }
+  }
+  try {
+    await expect$1(content).toMatchSnapshot(name);
+    return {
+      pass: true,
+      message: () => `Response matches snapshot "${name}"`
+    };
+  } catch (error) {
+    return {
+      pass: false,
+      message: () => error instanceof Error ? error.message : `Response does not match snapshot "${name}"`
+    };
+  }
+}
+
+// src/assertions/matchers/toBeToolError.ts
+function toBeToolError(received, expected = true) {
+  const effectiveExpected = this.isNot ? typeof expected === "boolean" ? !expected : false : expected;
+  const result = validateError(received, effectiveExpected);
+  return {
+    pass: this.isNot ? !result.pass : result.pass,
+    message: () => {
+      if (this.isNot) {
+        if (typeof expected === "boolean") {
+          return result.pass ? "Expected response NOT to be an error, but it was" : "Response is not an error as expected";
+        }
+        const expectedStr = Array.isArray(expected) ? expected.join(", ") : expected;
+        return result.pass ? `Expected response NOT to be an error with "${expectedStr}", but it was` : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+function createClaudeAgentJudge(config) {
+  const model = config.model ?? "claude-sonnet-4-20250514";
+  const maxBudgetUsd = config.maxBudgetUsd ?? 0.1;
+  const maxToolOutputSize = config.maxToolOutputSize;
+  return {
+    async evaluate(candidate, reference, rubric) {
+      const candidateStr = typeof candidate === "string" ? candidate : JSON.stringify(candidate, null, 2);
+      const candidateSizeBytes = Buffer.byteLength(candidateStr, "utf8");
+      if (maxToolOutputSize !== void 0 && candidateSizeBytes > maxToolOutputSize) {
+        return {
+          pass: false,
+          score: 0,
+          reasoning: `Tool output size (${candidateSizeBytes} bytes) exceeds maximum allowed size (${maxToolOutputSize} bytes)`,
+          candidateSizeBytes,
+          exceedsMaxToolOutputSize: true
+        };
+      }
+      const prompt = buildJudgePrompt(candidate, reference, rubric);
+      try {
+        let resultMessage;
+        for await (const message of query({
+          prompt,
+          options: {
+            model,
+            maxBudgetUsd,
+            // Use empty tools array for response-only mode
+            tools: [],
+            // Bypass permissions since we're not using any tools
+            permissionMode: "bypassPermissions",
+            allowDangerouslySkipPermissions: true,
+            // Use a custom system prompt for JSON output
+            systemPrompt: buildSystemPrompt(),
+            // Limit to 1 turn since this is a simple evaluation
+            maxTurns: 1
+          }
+        })) {
+          if (message.type === "result") {
+            resultMessage = message;
+          }
+        }
+        if (!resultMessage) {
+          throw new Error("No result message received from Claude Agent SDK");
+        }
+        if (resultMessage.subtype !== "success" && resultMessage.errors?.length) {
+          throw new Error(
+            `Claude Agent SDK error: ${resultMessage.errors.join(", ")}`
+          );
+        }
+        const responseText = resultMessage.result ?? "";
+        const parsed = parseJudgeResponse(responseText);
+        const usage = {
+          inputTokens: resultMessage.usage?.input_tokens ?? 0,
+          outputTokens: resultMessage.usage?.output_tokens ?? 0,
+          totalCostUsd: resultMessage.total_cost_usd ?? 0,
+          durationMs: resultMessage.duration_ms ?? 0,
+          durationApiMs: resultMessage.duration_api_ms,
+          cacheReadInputTokens: resultMessage.usage?.cache_read_input_tokens,
+          cacheCreationInputTokens: resultMessage.usage?.cache_creation_input_tokens
+        };
+        return {
+          pass: parsed.pass ?? false,
+          score: parsed.score,
+          reasoning: parsed.reasoning,
+          usage,
+          candidateSizeBytes,
+          exceedsMaxToolOutputSize: false
+        };
+      } catch (error) {
+        throw new Error(
+          `Claude Agent judge evaluation failed: ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
+    }
+  };
+}
+function buildSystemPrompt() {
+  return 'You are an expert evaluator. Evaluate the candidate response based on the rubric provided. Respond ONLY with valid JSON in this exact format: {"pass": boolean, "score": number (0-1), "reasoning": string}. Do not include any other text, markdown formatting, or code blocks.';
+}
+function buildJudgePrompt(candidate, reference, rubric) {
+  const parts = [];
+  parts.push("# Evaluation Task\n");
+  parts.push(rubric);
+  parts.push("\n\n# Candidate Response\n");
+  parts.push(
+    typeof candidate === "string" ? candidate : JSON.stringify(candidate, null, 2)
+  );
+  if (reference !== null && reference !== void 0) {
+    parts.push("\n\n# Reference Response\n");
+    parts.push(
+      typeof reference === "string" ? reference : JSON.stringify(reference, null, 2)
+    );
+  }
+  parts.push(
+    "\n\n# Instructions\nEvaluate the candidate response based on the rubric. " + (reference !== null && reference !== void 0 ? "Compare it against the reference response if helpful. " : "") + 'Respond with JSON containing "pass" (boolean), "score" (0-1), and "reasoning" (string).'
+  );
+  return parts.join("");
+}
+function parseJudgeResponse(text) {
+  let jsonText = text.trim();
+  if (jsonText.startsWith("```json")) {
+    jsonText = jsonText.slice(7);
+  }
+  if (jsonText.startsWith("```")) {
+    jsonText = jsonText.slice(3);
+  }
+  if (jsonText.endsWith("```")) {
+    jsonText = jsonText.slice(0, -3);
+  }
+  jsonText = jsonText.trim();
+  try {
+    return JSON.parse(jsonText);
+  } catch {
+    const jsonMatch = jsonText.match(/\{[\s\S]*"pass"[\s\S]*\}/);
+    if (jsonMatch) {
+      return JSON.parse(jsonMatch[0]);
+    }
+    throw new Error(`Failed to parse judge response as JSON: ${text}`);
+  }
+}
+
+// src/judge/judgeClient.ts
+function createJudge(config = {}) {
+  const provider = config.provider ?? "claude";
+  switch (provider) {
+    case "claude":
+    case "anthropic":
+      return createClaudeAgentJudge(config);
+    case "openai":
+      throw new Error(
+        'OpenAI provider is no longer supported. Please use createJudge() without specifying provider, or use provider: "claude". See migration guide at https://github.com/gleanwork/mcp-server-tester/blob/main/docs/migration-v0.11.md'
+      );
+    case "custom-http":
+      throw new Error(
+        "custom-http provider is no longer supported. Please use createJudge() without specifying provider."
+      );
+    default:
+      throw new Error(`Unsupported LLM provider: ${String(provider)}`);
+  }
+}
+
+// src/assertions/matchers/toPassToolJudge.ts
+var DEFAULT_PASSING_THRESHOLD = 0.7;
+var DEFAULT_JUDGE_CONFIG = {};
+async function toPassToolJudge(received, rubric, options = {}) {
+  const {
+    reference = null,
+    passingThreshold = DEFAULT_PASSING_THRESHOLD,
+    judgeConfig = DEFAULT_JUDGE_CONFIG
+  } = options;
+  const judge = createJudge(judgeConfig);
+  try {
+    const result = await judge.evaluate(received, reference, rubric);
+    const score = result.score ?? (result.pass ? 1 : 0);
+    const passes = score >= passingThreshold;
+    if (this.isNot) {
+      return {
+        pass: !passes,
+        message: () => passes ? `Expected judge evaluation to fail, but it passed with score ${score.toFixed(2)}` : `Judge evaluation failed as expected with score ${score.toFixed(2)}`
+      };
+    }
+    if (passes) {
+      return {
+        pass: true,
+        message: () => `Judge evaluation passed with score ${score.toFixed(2)} (threshold: ${passingThreshold})`
+      };
+    }
+    return {
+      pass: false,
+      message: () => `Judge evaluation failed with score ${score.toFixed(2)} (threshold: ${passingThreshold}). Reasoning: ${result.reasoning ?? "No reasoning provided"}`
+    };
+  } catch (error) {
+    return {
+      pass: false,
+      message: () => `Judge evaluation failed with error: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
+
+// src/assertions/matchers/toHaveToolResponseSize.ts
+function toHaveToolResponseSize(received, options) {
+  const result = validateSize(received, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response size NOT to be within bounds, but it was" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toSatisfyToolPredicate.ts
+function normalizeResult(result) {
+  if (typeof result === "boolean") {
+    return {
+      pass: result,
+      message: result ? "Predicate passed" : "Predicate returned false"
+    };
+  }
+  return result;
+}
+async function toSatisfyToolPredicate(received, predicate, description) {
+  const predicateDescription = description ?? "custom predicate";
+  try {
+    const text = extractText2(received);
+    const rawResult = await predicate(received, text);
+    const result = normalizeResult(rawResult);
+    if (this.isNot) {
+      return {
+        pass: !result.pass,
+        message: () => result.pass ? `Expected response NOT to satisfy ${predicateDescription}` : `Response does not satisfy ${predicateDescription} as expected`
+      };
+    }
+    return {
+      pass: result.pass,
+      message: () => result.pass ? result.message ?? `Response satisfies ${predicateDescription}` : result.message ?? `Expected response to satisfy ${predicateDescription}`
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    return {
+      pass: this.isNot,
+      // If using .not, an error means the predicate didn't pass
+      message: () => `Predicate threw error: ${errorMessage}`
+    };
+  }
+}
+
+// src/assertions/matchers/index.ts
+var expect = expect$1.extend({
+  toMatchToolResponse,
+  toMatchToolSchema,
+  toContainToolText,
+  toMatchToolPattern,
+  toMatchToolSnapshot,
+  toBeToolError,
+  toPassToolJudge,
+  toHaveToolResponseSize,
+  toSatisfyToolPredicate
+});
+
+// src/fixtures/mcp.ts
+init_oauthClientProvider();
+var test = test$1.extend({
+  /**
+   * Internal fixture state - tracks resolved auth type between fixtures
+   */
+  _mcpFixtureState: [
+    // eslint-disable-next-line no-empty-pattern
+    async ({}, use) => {
+      const state = { resolvedAuthType: "none" };
+      await use(state);
+    },
+    { scope: "test" }
+  ],
+  /**
+   * mcpClient fixture: Creates and connects an MCP client
+   *
+   * The client configuration is read from the project's `use.mcpConfig`
+   * setting in playwright.config.ts
+   *
+   * Authentication resolution order:
+   * 1. Explicit authStatePath → uses PlaywrightOAuthClientProvider
+   * 2. Explicit accessToken → uses static Bearer token
+   * 3. HTTP transport with no auth → tries CLI-stored tokens (from `mcp-server-tester login`)
+   *    with automatic token refresh
+   */
+  mcpClient: async ({ _mcpFixtureState }, use, testInfo) => {
+    const useConfig = testInfo.project.use;
+    const mcpConfig = useConfig.mcpConfig;
+    if (!mcpConfig) {
+      throw new Error(
+        `Missing mcpConfig in project.use for project "${testInfo.project.name}". Please add mcpConfig to your project configuration in playwright.config.ts`
+      );
+    }
+    let resolvedAuthType = "none";
+    let authProvider;
+    if (mcpConfig.auth?.oauth?.authStatePath) {
+      authProvider = new PlaywrightOAuthClientProvider({
+        storagePath: mcpConfig.auth.oauth.authStatePath,
+        redirectUri: mcpConfig.auth.oauth.redirectUri ?? "http://localhost:3000/oauth/callback",
+        clientId: mcpConfig.auth.oauth.clientId,
+        clientSecret: mcpConfig.auth.oauth.clientSecret
+      });
+      resolvedAuthType = "oauth";
+    }
+    let effectiveConfig = mcpConfig;
+    if (mcpConfig.auth?.accessToken) {
+      resolvedAuthType = "api-token";
+    }
+    if (isHttpConfig(mcpConfig) && !mcpConfig.auth?.accessToken && !mcpConfig.auth?.oauth?.authStatePath) {
+      const cliClient = new CLIOAuthClient({
+        mcpServerUrl: mcpConfig.serverUrl
+      });
+      const tokenResult = await cliClient.tryGetAccessToken();
+      if (tokenResult) {
+        effectiveConfig = {
+          ...mcpConfig,
+          auth: {
+            ...mcpConfig.auth,
+            accessToken: tokenResult.accessToken
+          }
+        };
+        resolvedAuthType = "oauth";
+      }
+    }
+    _mcpFixtureState.resolvedAuthType = resolvedAuthType;
+    const client = await createMCPClientForConfig(effectiveConfig, {
+      clientInfo: {
+        name: "@gleanwork/mcp-server-tester",
+        version: "0.1.0"
+      },
+      authProvider
+    });
+    try {
+      await use(client);
+    } finally {
+      await closeMCPClient(client);
+    }
+  },
+  /**
+   * mcp fixture: High-level test API built on mcpClient
+   *
+   * Depends on mcpClient fixture
+   * Automatically tracks all MCP operations for the reporter
+   */
+  mcp: async ({ mcpClient, _mcpFixtureState }, use, testInfo) => {
+    const api = createMCPFixture(mcpClient, testInfo, {
+      authType: _mcpFixtureState.resolvedAuthType,
+      project: testInfo.project.name
+    });
+    await use(api);
+  }
+});
+var LLMHostConfigSchema = z.object({
+  provider: z.enum(["openai", "anthropic"]),
+  apiKeyEnvVar: z.string().optional(),
+  model: z.string().optional(),
+  maxTokens: z.number().optional(),
+  temperature: z.number().optional(),
+  maxToolCalls: z.number().optional()
+});
+var SnapshotSanitizerSchema = z.union([
+  // Built-in sanitizers
+  z.enum(["timestamp", "uuid", "iso-date", "objectId", "jwt"]),
+  // Custom regex sanitizer
+  z.object({
+    pattern: z.string(),
+    replacement: z.string().optional()
+  }),
+  // Field removal sanitizer
+  z.object({
+    remove: z.array(z.string())
+  })
+]);
+var EvalExpectBlockSchema = z.object({
+  response: z.unknown().optional(),
+  schema: z.string().optional(),
+  containsText: z.union([z.string(), z.array(z.string())]).optional(),
+  matchesPattern: z.union([z.string(), z.array(z.string())]).optional(),
+  snapshot: z.string().optional(),
+  snapshotSanitizers: z.array(SnapshotSanitizerSchema).optional(),
+  isError: z.union([z.boolean(), z.string(), z.array(z.string())]).optional(),
+  passesJudge: z.object({
+    rubric: z.string(),
+    reference: z.unknown().optional(),
+    threshold: z.number().min(0).max(1).optional(),
+    configId: z.string().optional()
+  }).optional(),
+  responseSize: z.object({
+    maxBytes: z.number().optional(),
+    minBytes: z.number().optional()
+  }).optional()
+});
+var EvalCaseSchema = z.object({
+  id: z.string().min(1, "id must not be empty"),
+  description: z.string().optional(),
+  mode: z.enum(["direct", "llm_host"]).optional(),
+  toolName: z.string().min(1, "toolName must not be empty").optional(),
+  args: z.record(z.unknown()).optional(),
+  scenario: z.string().optional(),
+  llmHostConfig: LLMHostConfigSchema.optional(),
+  metadata: z.record(z.unknown()).optional(),
+  expect: EvalExpectBlockSchema.optional()
+});
+var EvalDatasetSchema = z.object({
+  name: z.string().min(1, "name must not be empty"),
+  description: z.string().optional(),
+  cases: z.array(EvalCaseSchema).min(1, "dataset must have at least one case"),
+  metadata: z.record(z.unknown()).optional()
+});
+function validateEvalCase(evalCase) {
+  return EvalCaseSchema.parse(evalCase);
+}
+function validateEvalDataset(dataset) {
+  return EvalDatasetSchema.parse(dataset);
+}
+async function loadEvalDataset(filePath, options = {}) {
+  const { schemas, validate = true } = options;
+  try {
+    const fileContents = await readFile(filePath, "utf-8");
+    const rawData = JSON.parse(fileContents);
+    const serializedDataset = validate ? validateEvalDataset(rawData) : rawData;
+    const dataset = {
+      ...serializedDataset,
+      schemas: schemas ?? {}
+    };
+    return dataset;
+  } catch (error) {
+    if (error instanceof SyntaxError) {
+      throw new Error(
+        `Failed to parse JSON from ${filePath}: ${error.message}`
+      );
+    }
+    throw error;
+  }
+}
+function loadEvalDatasetFromObject(data, options = {}) {
+  const { schemas, validate = true } = options;
+  const serializedDataset = validate ? validateEvalDataset(data) : data;
+  const dataset = {
+    ...serializedDataset,
+    schemas: schemas ?? {}
+  };
+  return dataset;
+}
+
+// src/evals/llmHost/adapter.ts
+var adapters = /* @__PURE__ */ new Map();
+function registerAdapter(provider, factory) {
+  adapters.set(provider, factory);
+}
+function getAdapter(provider) {
+  const factory = adapters.get(provider);
+  if (!factory) {
+    throw new Error(
+      `No adapter registered for provider: ${provider}. Available: ${Array.from(adapters.keys()).join(", ")}`
+    );
+  }
+  return factory();
+}
+function hasAdapter(provider) {
+  return adapters.has(provider);
+}
+
+// src/evals/llmHost/retry.ts
+var DEFAULT_OPTIONS = {
+  maxAttempts: 3,
+  baseDelayMs: 1e3,
+  maxDelayMs: 3e4,
+  isRetryable: isRetryableError
+};
+async function withRetry(fn, options = {}) {
+  const {
+    maxAttempts = DEFAULT_OPTIONS.maxAttempts,
+    baseDelayMs = DEFAULT_OPTIONS.baseDelayMs,
+    maxDelayMs = DEFAULT_OPTIONS.maxDelayMs,
+    isRetryable = DEFAULT_OPTIONS.isRetryable,
+    onRetry
+  } = options;
+  let lastError;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      return await fn();
+    } catch (error) {
+      lastError = error;
+      if (attempt >= maxAttempts || !isRetryable(error)) {
+        throw error;
+      }
+      const exponentialDelay = baseDelayMs * Math.pow(2, attempt - 1);
+      const jitter = Math.random() * 0.1 * exponentialDelay;
+      const delayMs = Math.min(exponentialDelay + jitter, maxDelayMs);
+      if (onRetry) {
+        onRetry(error, attempt, delayMs);
+      }
+      await sleep(delayMs);
+    }
+  }
+  throw lastError;
+}
+function isRetryableError(error) {
+  const statusCode = extractStatusCode(error);
+  if (statusCode !== null) {
+    return [429, 500, 502, 503, 504].includes(statusCode);
+  }
+  const message = extractErrorMessage2(error).toLowerCase();
+  return message.includes("rate limit") || message.includes("429") || message.includes("too many requests") || message.includes("timeout") || message.includes("temporarily unavailable") || message.includes("service unavailable") || message.includes("internal server error");
+}
+function extractStatusCode(error) {
+  if (error == null || typeof error !== "object") {
+    return null;
+  }
+  const e = error;
+  if (typeof e.status === "number") {
+    return e.status;
+  }
+  if (typeof e.statusCode === "number") {
+    return e.statusCode;
+  }
+  if (e.response && typeof e.response === "object") {
+    const response = e.response;
+    if (typeof response.status === "number") {
+      return response.status;
+    }
+  }
+  if (typeof e.code === "number") {
+    return e.code;
+  }
+  return null;
+}
+function extractErrorMessage2(error) {
+  if (error == null) {
+    return "";
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === "object") {
+    const e = error;
+    if (typeof e.message === "string") {
+      return e.message;
+    }
+    if (typeof e.error === "string") {
+      return e.error;
+    }
+    return JSON.stringify(error);
+  }
+  if (typeof error === "number" || typeof error === "boolean") {
+    return String(error);
+  }
+  return "Unknown error";
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/evals/llmHost/orchestrator.ts
+async function runSimulation(adapter, mcp, scenario, config, options = {}) {
+  const maxIterations = config.maxToolCalls || 10;
+  const retryOptions = options.retry || {};
+  const allToolCalls = [];
+  const conversationHistory = [];
+  try {
+    const client = await adapter.createClient(config);
+    const mcpTools = await mcp.listTools();
+    const formattedTools = adapter.formatTools(mcpTools);
+    const messages = [adapter.createUserMessage(scenario)];
+    conversationHistory.push({ role: "user", content: scenario });
+    let finalResponse = "";
+    for (let iteration = 0; iteration < maxIterations; iteration++) {
+      const chatResult = await withRetry(
+        () => adapter.chat(client, messages, formattedTools, config),
+        retryOptions
+      );
+      if (chatResult.wantsToolCalls && chatResult.toolCalls.length > 0) {
+        messages.push(adapter.createAssistantMessage(chatResult));
+        const toolResultMessages = [];
+        for (const toolCall of chatResult.toolCalls) {
+          allToolCalls.push(toolCall);
+          const mcpResult = await mcp.callTool(
+            toolCall.name,
+            toolCall.arguments
+          );
+          const resultText = extractText(mcpResult);
+          const resultMessage = adapter.createToolResultMessage(
+            toolCall,
+            resultText
+          );
+          toolResultMessages.push(resultMessage);
+          conversationHistory.push({ role: "tool", content: resultText });
+        }
+        if (adapter.provider === "anthropic") {
+          messages.push({
+            role: "user",
+            content: toolResultMessages
+          });
+        } else {
+          for (const msg of toolResultMessages) {
+            messages.push(msg);
+          }
+        }
+      } else {
+        finalResponse = chatResult.textContent || "";
+        conversationHistory.push({ role: "assistant", content: finalResponse });
+        break;
+      }
+    }
+    return {
+      success: true,
+      toolCalls: allToolCalls,
+      response: finalResponse,
+      conversationHistory
+    };
+  } catch (error) {
+    return {
+      success: false,
+      toolCalls: allToolCalls,
+      error: error instanceof Error ? error.message : String(error),
+      conversationHistory
+    };
+  }
+}
+
+// src/evals/llmHost/adapters/openai.ts
+function createOpenAIAdapter() {
+  return {
+    provider: "openai",
+    async createClient(config) {
+      let OpenAI;
+      try {
+        const module = await import('openai');
+        OpenAI = module.OpenAI;
+      } catch {
+        throw new Error(
+          "OpenAI SDK is not installed. Install it with: npm install openai"
+        );
+      }
+      const apiKeyEnvVar = config.apiKeyEnvVar || "OPENAI_API_KEY";
+      const apiKey = process.env[apiKeyEnvVar];
+      if (!apiKey) {
+        throw new Error(
+          `OpenAI API key not found in environment variable ${apiKeyEnvVar}`
+        );
+      }
+      return new OpenAI({ apiKey });
+    },
+    formatTools(tools) {
+      return tools.map((tool) => ({
+        type: "function",
+        function: {
+          name: tool.name,
+          description: tool.description || "",
+          parameters: tool.inputSchema || {}
+        }
+      }));
+    },
+    async chat(client, messages, tools, config) {
+      const openai = client;
+      const response = await openai.chat.completions.create({
+        model: config.model || "gpt-4o",
+        messages,
+        tools,
+        temperature: config.temperature ?? 0,
+        max_tokens: config.maxTokens
+      });
+      const resp = response;
+      const message = resp.choices[0]?.message;
+      if (!message) {
+        throw new Error("No response from OpenAI");
+      }
+      if (message.tool_calls && message.tool_calls.length > 0) {
+        const toolCalls = message.tool_calls.map((tc) => ({
+          name: tc.function.name,
+          arguments: JSON.parse(tc.function.arguments),
+          id: tc.id
+        }));
+        return {
+          wantsToolCalls: true,
+          toolCalls,
+          textContent: message.content,
+          rawResponse: response
+        };
+      }
+      return {
+        wantsToolCalls: false,
+        toolCalls: [],
+        textContent: message.content,
+        rawResponse: response
+      };
+    },
+    createUserMessage(scenario) {
+      return {
+        role: "user",
+        content: scenario
+      };
+    },
+    createAssistantMessage(chatResult) {
+      const rawResponse = chatResult.rawResponse;
+      return {
+        role: "assistant",
+        content: chatResult.textContent,
+        tool_calls: rawResponse.choices[0]?.message?.tool_calls
+      };
+    },
+    createToolResultMessage(toolCall, result) {
+      return {
+        role: "tool",
+        tool_call_id: toolCall.id,
+        content: result
+      };
+    }
+  };
+}
+
+// src/evals/llmHost/adapters/anthropic.ts
+function createAnthropicAdapter() {
+  return {
+    provider: "anthropic",
+    async createClient(config) {
+      let Anthropic;
+      try {
+        const module = await import('@anthropic-ai/sdk');
+        Anthropic = module.default;
+      } catch {
+        throw new Error(
+          "Anthropic SDK is not installed. Install it with: npm install @anthropic-ai/sdk"
+        );
+      }
+      const apiKeyEnvVar = config.apiKeyEnvVar || "ANTHROPIC_API_KEY";
+      const apiKey = process.env[apiKeyEnvVar];
+      if (!apiKey) {
+        throw new Error(
+          `Anthropic API key not found in environment variable ${apiKeyEnvVar}`
+        );
+      }
+      return new Anthropic({ apiKey });
+    },
+    formatTools(tools) {
+      return tools.map((tool) => ({
+        name: tool.name,
+        description: tool.description || "",
+        input_schema: tool.inputSchema || {}
+      }));
+    },
+    async chat(client, messages, tools, config) {
+      const anthropic = client;
+      const response = await anthropic.messages.create({
+        model: config.model || "claude-3-5-sonnet-20241022",
+        max_tokens: config.maxTokens || 4096,
+        temperature: config.temperature ?? 0,
+        messages,
+        tools
+      });
+      const resp = response;
+      const textBlock = resp.content.find((c) => c.type === "text");
+      const textContent = textBlock?.text || null;
+      if (resp.stop_reason === "tool_use") {
+        const toolUses = resp.content.filter((c) => c.type === "tool_use");
+        const toolCalls = toolUses.map((tu) => ({
+          name: tu.name,
+          arguments: tu.input,
+          id: tu.id
+        }));
+        return {
+          wantsToolCalls: true,
+          toolCalls,
+          textContent,
+          rawResponse: response
+        };
+      }
+      if (resp.stop_reason === "max_tokens") {
+        throw new Error("Response exceeded max tokens");
+      }
+      return {
+        wantsToolCalls: false,
+        toolCalls: [],
+        textContent,
+        rawResponse: response
+      };
+    },
+    createUserMessage(scenario) {
+      return {
+        role: "user",
+        content: scenario
+      };
+    },
+    createAssistantMessage(chatResult) {
+      const rawResponse = chatResult.rawResponse;
+      return {
+        role: "assistant",
+        content: rawResponse.content
+      };
+    },
+    createToolResultMessage(toolCall, result) {
+      return {
+        type: "tool_result",
+        tool_use_id: toolCall.id,
+        content: result
+      };
+    }
+  };
+}
+
+// src/evals/llmHost/llmHostSimulation.ts
+registerAdapter("openai", createOpenAIAdapter);
+registerAdapter("anthropic", createAnthropicAdapter);
+async function simulateLLMHost(mcp, scenario, config) {
+  const adapter = getAdapter(config.provider);
+  return runSimulation(adapter, mcp, scenario, config, {
+    retry: {
+      maxAttempts: 3,
+      baseDelayMs: 1e3,
+      maxDelayMs: 3e4
+    }
+  });
+}
+function isProviderAvailable(provider) {
+  return hasAdapter(provider);
+}
+function getMissingDependencyMessage(provider) {
+  switch (provider) {
+    case "openai":
+      return "OpenAI SDK is not installed. Install it with: npm install openai";
+    case "anthropic":
+      return "Anthropic SDK is not installed. Install it with: npm install @anthropic-ai/sdk";
+    default:
+      return `Unknown provider: ${String(provider)}`;
+  }
+}
+
+// src/evals/evalRunner.ts
+async function executeToolCall(evalCase, mcp) {
+  const mode = evalCase.mode || "direct";
+  try {
+    if (mode === "llm_host") {
+      if (!evalCase.scenario) {
+        throw new Error(
+          `Eval case ${evalCase.id}: scenario is required for llm_host mode`
+        );
+      }
+      if (!evalCase.llmHostConfig) {
+        throw new Error(
+          `Eval case ${evalCase.id}: llmHostConfig is required for llm_host mode`
+        );
+      }
+      const simulationResult = await simulateLLMHost(
+        mcp,
+        evalCase.scenario,
+        evalCase.llmHostConfig
+      );
+      if (!simulationResult.success) {
+        throw new Error(simulationResult.error || "LLM host simulation failed");
+      }
+      return { response: simulationResult };
+    } else {
+      if (!evalCase.toolName) {
+        throw new Error(
+          `Eval case ${evalCase.id}: toolName is required for direct mode`
+        );
+      }
+      if (!evalCase.args) {
+        throw new Error(
+          `Eval case ${evalCase.id}: args is required for direct mode`
+        );
+      }
+      const result = await mcp.callTool(evalCase.toolName, evalCase.args);
+      if (evalCase.expect?.isError !== void 0) {
+        return { response: result };
+      }
+      return { response: result.structuredContent ?? result.content };
+    }
+  } catch (err) {
+    return {
+      response: void 0,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+function didCasePass(error, expectations) {
+  return !error && Object.values(expectations).every(
+    (result) => result === void 0 || result.pass
+  );
+}
+async function runExpectBlockValidations(expectBlock, response, config) {
+  const results = {};
+  if (expectBlock.response !== void 0) {
+    const validation = validateResponse(response, expectBlock.response);
+    results.exact = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.schema !== void 0) {
+    const schema = config.schemas?.[expectBlock.schema];
+    if (!schema) {
+      results.schema = {
+        pass: false,
+        details: `Schema "${expectBlock.schema}" not found in schemas registry`
+      };
+    } else {
+      const validation = validateSchema(response, schema);
+      results.schema = {
+        pass: validation.pass,
+        details: validation.message
+      };
+    }
+  }
+  if (expectBlock.containsText !== void 0) {
+    const validation = validateText(response, expectBlock.containsText);
+    results.textContains = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.matchesPattern !== void 0) {
+    const validation = validatePattern(response, expectBlock.matchesPattern);
+    results.regex = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.isError !== void 0) {
+    const validation = validateError(response, expectBlock.isError);
+    results.error = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.responseSize !== void 0) {
+    const validation = validateSize(response, expectBlock.responseSize);
+    results.size = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.passesJudge !== void 0) {
+    const {
+      rubric,
+      reference,
+      threshold = 0.7,
+      configId
+    } = expectBlock.passesJudge;
+    const judgeConfig = configId ? config.judgeConfigs?.[configId] ?? {} : {};
+    try {
+      const judge = createJudge(judgeConfig);
+      const judgeResult = await judge.evaluate(
+        response,
+        reference ?? null,
+        rubric
+      );
+      const score = judgeResult.score ?? (judgeResult.pass ? 1 : 0);
+      const passed = score >= threshold;
+      results.judge = {
+        pass: passed,
+        details: passed ? `Judge passed with score ${score.toFixed(2)}` : `Judge failed with score ${score.toFixed(2)} (threshold: ${threshold}). ${judgeResult.reasoning ?? ""}`
+      };
+    } catch (err) {
+      results.judge = {
+        pass: false,
+        details: `Judge evaluation error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  if (expectBlock.snapshot !== void 0) {
+    if (!config.playwrightExpect) {
+      results.snapshot = {
+        pass: false,
+        details: "Snapshot testing requires expect in context"
+      };
+    } else {
+      try {
+        const sanitizers = expectBlock.snapshotSanitizers ?? [];
+        await config.playwrightExpect(response).toMatchToolSnapshot(
+          expectBlock.snapshot,
+          sanitizers
+        );
+        results.snapshot = {
+          pass: true,
+          details: `Matches snapshot "${expectBlock.snapshot}"`
+        };
+      } catch (err) {
+        results.snapshot = {
+          pass: false,
+          details: err instanceof Error ? err.message : String(err)
+        };
+      }
+    }
+  }
+  return results;
+}
+async function runEvalCase(evalCase, context, options = {}) {
+  const startTime = Date.now();
+  const mode = evalCase.mode || "direct";
+  const { response, error } = await executeToolCall(evalCase, context.mcp);
+  let expectationResults = {};
+  if (!error && evalCase.expect) {
+    expectationResults = await runExpectBlockValidations(
+      evalCase.expect,
+      response,
+      {
+        schemas: options.schemas,
+        judgeConfigs: options.judgeConfigs,
+        playwrightExpect: context.expect
+      }
+    );
+  }
+  return {
+    id: evalCase.id,
+    datasetName: options.datasetName ?? "single-case",
+    toolName: evalCase.toolName ?? evalCase.scenario ?? "unknown",
+    mode,
+    source: "eval",
+    pass: didCasePass(error, expectationResults),
+    response,
+    error,
+    expectations: expectationResults,
+    authType: context.mcp.authType,
+    project: context.mcp.project,
+    durationMs: Date.now() - startTime
+  };
+}
+async function runEvalDataset(options, context) {
+  const {
+    dataset,
+    schemas,
+    judgeConfigs,
+    stopOnFailure = false,
+    onCaseComplete
+  } = options;
+  const startTime = Date.now();
+  const caseResults = [];
+  const enrichedContext = context;
+  const allSchemas = {
+    ...dataset.schemas,
+    ...schemas
+  };
+  for (const evalCase of dataset.cases) {
+    const result2 = await runEvalCase(evalCase, enrichedContext, {
+      datasetName: dataset.name,
+      schemas: allSchemas,
+      judgeConfigs
+    });
+    caseResults.push(result2);
+    if (onCaseComplete) {
+      await onCaseComplete(result2);
+    }
+    if (stopOnFailure && !result2.pass) {
+      break;
+    }
+  }
+  const total = caseResults.length;
+  const passed = caseResults.filter((r) => r.pass).length;
+  const result = {
+    total,
+    passed,
+    failed: total - passed,
+    caseResults,
+    durationMs: Date.now() - startTime
+  };
+  if (context.testInfo) {
+    await context.testInfo.attach("mcp-test-results", {
+      contentType: "application/json",
+      body: Buffer.from(JSON.stringify({ caseResults }))
+    });
+  }
+  return result;
+}
+
+// src/evals/llmHost/toolCallExpectation.ts
+function argumentsMatch(actual, expected) {
+  for (const key of Object.keys(expected)) {
+    if (!(key in actual)) {
+      return false;
+    }
+    const actualValue = actual[key];
+    const expectedValue = expected[key];
+    if (JSON.stringify(actualValue) !== JSON.stringify(expectedValue)) {
+      return false;
+    }
+  }
+  return true;
+}
+function findMatchingCall(expected, actualCalls) {
+  for (const actualCall of actualCalls) {
+    if (actualCall.name !== expected.name) {
+      continue;
+    }
+    if (!expected.arguments) {
+      return actualCall;
+    }
+    if (argumentsMatch(actualCall.arguments, expected.arguments)) {
+      return actualCall;
+    }
+  }
+  return null;
+}
+function createToolCallValidator() {
+  return async (evalCase, response) => {
+    const expectedCalls = evalCase.metadata?.expectedToolCalls;
+    if (!expectedCalls || expectedCalls.length === 0) {
+      return {
+        pass: true,
+        details: "No expected tool calls specified"
+      };
+    }
+    const responseObj = response;
+    const actualCalls = responseObj?.toolCalls;
+    if (!actualCalls || actualCalls.length === 0) {
+      const requiredCalls = expectedCalls.filter(
+        (call) => call.required !== false
+      );
+      if (requiredCalls.length > 0) {
+        return {
+          pass: false,
+          details: `Expected ${requiredCalls.length} tool call(s), but LLM made no tool calls`
+        };
+      }
+      return {
+        pass: true,
+        details: "No tool calls expected or made"
+      };
+    }
+    const missingCalls = [];
+    for (const expectedCall of expectedCalls) {
+      const matchingCall = findMatchingCall(expectedCall, actualCalls);
+      if (!matchingCall) {
+        if (expectedCall.required !== false) {
+          missingCalls.push(expectedCall);
+        }
+      }
+    }
+    if (missingCalls.length > 0) {
+      const missingDetails = missingCalls.map((call) => `${call.name}(${JSON.stringify(call.arguments || {})})`).join(", ");
+      return {
+        pass: false,
+        details: `Missing required tool call(s): ${missingDetails}. Actual calls: ${actualCalls.map((c) => c.name).join(", ")}`
+      };
+    }
+    return {
+      pass: true,
+      details: `All ${expectedCalls.length} expected tool call(s) were made correctly`
+    };
+  };
+}
+
+// src/spec/conformanceChecks.ts
+async function runConformanceChecks(mcp, options = {}, testInfo) {
+  const {
+    requiredTools = [],
+    validateSchemas = true,
+    checkServerInfo = true,
+    checkResources = true,
+    checkPrompts = true
+  } = options;
+  const checks = [];
+  const raw = {
+    serverInfo: null,
+    capabilities: null,
+    tools: [],
+    resources: null,
+    prompts: null
+  };
+  const serverInfo = mcp.getServerInfo();
+  if (serverInfo) {
+    raw.serverInfo = serverInfo;
+  }
+  if (checkServerInfo) {
+    checks.push({
+      name: "server_info_present",
+      pass: serverInfo !== null,
+      message: serverInfo ? `Server info: ${serverInfo.name ?? "unknown"} v${serverInfo.version ?? "unknown"}` : "Server info is missing"
+    });
+  }
+  const capabilities = mcp.client.getServerCapabilities();
+  if (capabilities) {
+    raw.capabilities = capabilities;
+  }
+  checks.push({
+    name: "capabilities_valid",
+    pass: capabilities !== void 0,
+    message: capabilities ? `Server capabilities: ${formatCapabilities(capabilities)}` : "Server capabilities not available"
+  });
+  let tools = [];
+  try {
+    tools = await mcp.listTools();
+    raw.tools = tools;
+    checks.push({
+      name: "list_tools_succeeds",
+      pass: true,
+      message: `listTools returned ${tools.length} tools`
+    });
+  } catch (error) {
+    checks.push({
+      name: "list_tools_succeeds",
+      pass: false,
+      message: `listTools failed: ${error instanceof Error ? error.message : String(error)}`
+    });
+    const pass2 = checks.every((check) => check.pass);
+    return { pass: pass2, checks, raw };
+  }
+  if (requiredTools.length > 0) {
+    const toolNames = new Set(tools.map((t) => t.name));
+    const missingTools = requiredTools.filter((name) => !toolNames.has(name));
+    checks.push({
+      name: "required_tools_present",
+      pass: missingTools.length === 0,
+      message: missingTools.length === 0 ? `All ${requiredTools.length} required tools are present` : `Missing required tools: ${missingTools.join(", ")}`
+    });
+  }
+  if (validateSchemas && tools.length > 0) {
+    const invalidTools = [];
+    for (const tool of tools) {
+      if (!tool.name) {
+        invalidTools.push(`(unnamed tool): missing name`);
+        continue;
+      }
+      if (!tool.inputSchema) {
+        invalidTools.push(`${tool.name}: missing inputSchema`);
+        continue;
+      }
+      if (tool.inputSchema.type !== "object") {
+        invalidTools.push(
+          `${tool.name}: inputSchema.type must be "object", got "${String(tool.inputSchema.type)}"`
+        );
+      }
+    }
+    checks.push({
+      name: "tool_schemas_valid",
+      pass: invalidTools.length === 0,
+      message: invalidTools.length === 0 ? `All ${tools.length} tools have valid schemas` : `Invalid tool schemas:
+  ${invalidTools.join("\n  ")}`
+    });
+  }
+  if (checkResources && capabilities?.resources) {
+    try {
+      const resourcesResult = await mcp.client.listResources();
+      raw.resources = resourcesResult.resources;
+      checks.push({
+        name: "list_resources_succeeds",
+        pass: true,
+        message: `listResources returned ${resourcesResult.resources.length} resources`
+      });
+    } catch (error) {
+      checks.push({
+        name: "list_resources_succeeds",
+        pass: false,
+        message: `listResources failed: ${error instanceof Error ? error.message : String(error)}`
+      });
+    }
+  }
+  if (checkPrompts && capabilities?.prompts) {
+    try {
+      const promptsResult = await mcp.client.listPrompts();
+      raw.prompts = promptsResult.prompts;
+      checks.push({
+        name: "list_prompts_succeeds",
+        pass: true,
+        message: `listPrompts returned ${promptsResult.prompts.length} prompts`
+      });
+    } catch (error) {
+      checks.push({
+        name: "list_prompts_succeeds",
+        pass: false,
+        message: `listPrompts failed: ${error instanceof Error ? error.message : String(error)}`
+      });
+    }
+  }
+  try {
+    const result2 = await mcp.callTool("__nonexistent_tool__", {});
+    const hasError = result2.isError === true;
+    checks.push({
+      name: "invalid_tool_returns_error",
+      pass: hasError,
+      message: hasError ? "Nonexistent tool correctly returned an error" : "Calling nonexistent tool should have returned an error"
+    });
+  } catch {
+    checks.push({
+      name: "invalid_tool_returns_error",
+      pass: true,
+      message: "Nonexistent tool correctly threw an error"
+    });
+  }
+  const pass = checks.every((check) => check.pass);
+  const result = { pass, checks, raw };
+  if (testInfo) {
+    await testInfo.attach("mcp-conformance-checks", {
+      contentType: "application/json",
+      body: JSON.stringify(
+        {
+          operation: "conformanceChecks",
+          pass,
+          checks,
+          serverInfo: raw.serverInfo,
+          capabilities: raw.capabilities,
+          toolCount: raw.tools.length,
+          authType: mcp.authType,
+          project: mcp.project
+        },
+        null,
+        2
+      )
+    });
+  }
+  return result;
+}
+function formatCapabilities(capabilities) {
+  const parts = [];
+  if (capabilities.tools) parts.push("tools");
+  if (capabilities.resources) parts.push("resources");
+  if (capabilities.prompts) parts.push("prompts");
+  if (capabilities.logging) parts.push("logging");
+  if (capabilities.completions) parts.push("completions");
+  if (capabilities.experimental) parts.push("experimental");
+  return parts.length > 0 ? parts.join(", ") : "none declared";
+}
+
+export { CLIOAuthClient, DiscoveryError, ENV_VAR_NAMES, EvalCaseSchema, EvalDatasetSchema, MCPConfigSchema, MCP_PROTOCOL_VERSION, PlaywrightOAuthClientProvider, closeMCPClient, createJudge, createMCPClientForConfig, createMCPFixture, createTokenAuthHeaders, createToolCallValidator, discoverAuthorizationServer, discoverProtectedResource, expect, extractText, extractText as extractTextFromResponse, getMissingDependencyMessage, getResponseSizeBytes, hasValidTokens, injectTokens, isHttpConfig, isProviderAvailable, isStdioConfig, isTokenExpired, isTokenExpiringSoon, loadEvalDataset, loadEvalDatasetFromObject, loadTokens, loadTokensFromEnv, normalizeToolResponse, normalizeWhitespace, performOAuthSetup, performOAuthSetupIfNeeded, runConformanceChecks, runEvalCase, runEvalDataset, simulateLLMHost, test, validateAccessToken, validateError, validateEvalCase, validateEvalDataset, validateMCPConfig, validatePattern, validateResponse, validateSchema, validateSize, validateText };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map