@gleanwork/mcp-server-tester 0.12.0

package/dist/fixtures/mcp.js

@@ -0,0 +1,2378 @@
+import { expect as expect$1, test as test$1 } from '@playwright/test';
+import { query } from '@anthropic-ai/claude-agent-sdk';
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { z } from 'zod';
+import createDebug from 'debug';
+import * as fs2 from 'fs/promises';
+import * as path2 from 'path';
+import * as http from 'http';
+import * as oauth from 'oauth4webapi';
+import { homedir } from 'os';
+
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/mcp/response.ts
+function normalizeToolResponse(result) {
+  const isError = result.isError ?? false;
+  const contentBlocks = [];
+  const textParts = [];
+  if (Array.isArray(result.content)) {
+    for (const block of result.content) {
+      if (block == null || typeof block !== "object") {
+        continue;
+      }
+      const b = block;
+      const contentBlock = {
+        type: typeof b.type === "string" ? b.type : "unknown"
+      };
+      if (typeof b.text === "string") {
+        contentBlock.text = b.text;
+        textParts.push(b.text);
+      }
+      if (b.data !== void 0) {
+        contentBlock.data = b.data;
+      }
+      if (typeof b.mimeType === "string") {
+        contentBlock.mimeType = b.mimeType;
+      }
+      contentBlocks.push(contentBlock);
+    }
+  }
+  let structuredContent = null;
+  if (result.structuredContent !== void 0) {
+    structuredContent = result.structuredContent;
+    if (textParts.length === 0) {
+      if (typeof result.structuredContent === "string") {
+        textParts.push(result.structuredContent);
+      } else if (result.structuredContent != null) {
+        textParts.push(JSON.stringify(result.structuredContent));
+      }
+    }
+  }
+  const text = textParts.join("\n");
+  return {
+    text,
+    raw: result,
+    isError,
+    contentBlocks,
+    structuredContent
+  };
+}
+function extractText(response) {
+  if (response == null) {
+    return "";
+  }
+  if (typeof response === "string") {
+    return response;
+  }
+  if (isNormalizedResponse(response)) {
+    return response.text;
+  }
+  if (isCallToolResult(response)) {
+    return normalizeToolResponse(response).text;
+  }
+  if (Array.isArray(response)) {
+    return extractTextFromContentArray(response);
+  }
+  if (typeof response === "object") {
+    const r = response;
+    if (Array.isArray(r.content)) {
+      return extractTextFromContentArray(r.content);
+    }
+    if (typeof r.content === "string") {
+      return r.content;
+    }
+    if (r.structuredContent !== void 0) {
+      if (typeof r.structuredContent === "string") {
+        return r.structuredContent;
+      }
+      return JSON.stringify(r.structuredContent);
+    }
+    if (typeof r.text === "string") {
+      return r.text;
+    }
+    return JSON.stringify(r);
+  }
+  if (typeof response === "number" || typeof response === "boolean" || typeof response === "bigint") {
+    return String(response);
+  }
+  return "";
+}
+function isNormalizedResponse(value) {
+  if (value == null || typeof value !== "object") {
+    return false;
+  }
+  const v = value;
+  return typeof v.text === "string" && typeof v.isError === "boolean" && Array.isArray(v.contentBlocks) && v.raw !== void 0;
+}
+function isCallToolResult(value) {
+  if (value == null || typeof value !== "object") {
+    return false;
+  }
+  const v = value;
+  return Array.isArray(v.content) || typeof v.isError === "boolean";
+}
+function extractTextFromContentArray(content) {
+  const textParts = [];
+  for (const block of content) {
+    if (block == null || typeof block !== "object") {
+      continue;
+    }
+    const b = block;
+    if (b.type === "text" && typeof b.text === "string") {
+      textParts.push(b.text);
+    }
+  }
+  if (textParts.length > 0) {
+    return textParts.join("\n");
+  }
+  return JSON.stringify(content);
+}
+
+// src/assertions/validators/utils.ts
+var extractText2 = extractText;
+function getResponseSizeBytes(response) {
+  if (response === null || response === void 0) {
+    return 0;
+  }
+  if (typeof response === "string") {
+    return Buffer.byteLength(response, "utf8");
+  }
+  const serialized = JSON.stringify(response, null, 2);
+  return Buffer.byteLength(serialized, "utf8");
+}
+function stringifyResponse(response) {
+  if (response === null || response === void 0) {
+    return "";
+  }
+  if (typeof response === "string") {
+    return response;
+  }
+  return JSON.stringify(response, null, 2);
+}
+function isErrorResponse(response) {
+  if (response === null || response === void 0) {
+    return false;
+  }
+  if (typeof response !== "object") {
+    return false;
+  }
+  const r = response;
+  if (r.isError === true) {
+    return true;
+  }
+  if ("raw" in r && typeof r.raw === "object" && r.raw !== null) {
+    const raw = r.raw;
+    return raw.isError === true;
+  }
+  return false;
+}
+function extractErrorMessage(response) {
+  if (!isErrorResponse(response)) {
+    return "";
+  }
+  return extractText2(response);
+}
+
+// src/assertions/validators/response.ts
+function validateResponse(actual, expected) {
+  const actualStr = stringifyResponse(actual);
+  const expectedStr = stringifyResponse(expected);
+  if (actualStr === expectedStr) {
+    return {
+      pass: true,
+      message: "Response matches expected value"
+    };
+  }
+  return {
+    pass: false,
+    message: `Response does not match expected value`,
+    details: {
+      actual: truncateForDisplay(actualStr),
+      expected: truncateForDisplay(expectedStr)
+    }
+  };
+}
+function truncateForDisplay(str, maxLength = 500) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/matchers/toMatchToolResponse.ts
+function toMatchToolResponse(received, expected) {
+  const result = validateResponse(received, expected);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match, but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/validators/schema.ts
+function validateSchema(response, schema, options = {}) {
+  const valueToValidate = getValidatableValue(response);
+  if (options.strict && valueToValidate !== null) ;
+  try {
+    schema.parse(valueToValidate);
+    return {
+      pass: true,
+      message: "Response matches schema"
+    };
+  } catch (error) {
+    const zodError = error;
+    const issues = formatZodIssues(zodError);
+    return {
+      pass: false,
+      message: `Response does not match schema: ${issues}`,
+      details: {
+        issues: zodError.issues
+      }
+    };
+  }
+}
+function getValidatableValue(response) {
+  if (response === null || response === void 0) {
+    return null;
+  }
+  if (typeof response === "object" && !Array.isArray(response)) {
+    const r = response;
+    if ("structuredContent" in r && r.structuredContent !== void 0) {
+      return r.structuredContent;
+    }
+    if ("raw" in r && "text" in r && "isError" in r && "contentBlocks" in r) {
+      if (r.structuredContent !== void 0) {
+        return r.structuredContent;
+      }
+      const text = r.text;
+      return tryParseJson(text) ?? response;
+    }
+    if ("content" in r && Array.isArray(r.content)) {
+      const text = extractText2(response);
+      return tryParseJson(text) ?? response;
+    }
+    return response;
+  }
+  if (typeof response === "string") {
+    return tryParseJson(response) ?? response;
+  }
+  return response;
+}
+function tryParseJson(text) {
+  if (!text || typeof text !== "string") {
+    return null;
+  }
+  const trimmed = text.trim();
+  if (!(trimmed.startsWith("{") || trimmed.startsWith("[")) || !(trimmed.endsWith("}") || trimmed.endsWith("]"))) {
+    return null;
+  }
+  try {
+    return JSON.parse(trimmed);
+  } catch {
+    return null;
+  }
+}
+function formatZodIssues(error) {
+  const issues = error.issues.map((issue) => {
+    const path3 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `${path3}: ${issue.message}`;
+  });
+  return issues.join("; ");
+}
+
+// src/assertions/matchers/toMatchToolSchema.ts
+function toMatchToolSchema(received, schema, options = {}) {
+  const result = validateSchema(received, schema, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match schema, but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/validators/text.ts
+function validateText(response, expected, options = {}) {
+  const { caseSensitive = true } = options;
+  const expectedStrings = Array.isArray(expected) ? expected : [expected];
+  const text = extractText2(response);
+  const compareText = caseSensitive ? text : text.toLowerCase();
+  const missing = [];
+  for (const substring of expectedStrings) {
+    const compareSubstring = caseSensitive ? substring : substring.toLowerCase();
+    if (!compareText.includes(compareSubstring)) {
+      missing.push(substring);
+    }
+  }
+  if (missing.length === 0) {
+    return {
+      pass: true,
+      message: expectedStrings.length === 1 ? `Response contains expected text` : `Response contains all ${expectedStrings.length} expected substrings`
+    };
+  }
+  return {
+    pass: false,
+    message: missing.length === 1 ? `Response does not contain expected text: "${missing[0]}"` : `Response is missing ${missing.length} expected substrings: ${missing.map((s) => `"${s}"`).join(", ")}`,
+    details: {
+      missing,
+      textLength: text.length,
+      textPreview: truncateForDisplay2(text)
+    }
+  };
+}
+function truncateForDisplay2(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/matchers/toContainToolText.ts
+function toContainToolText(received, expected, options = {}) {
+  const result = validateText(received, expected, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        const expectedStr = Array.isArray(expected) ? expected.map((s) => `"${s}"`).join(", ") : `"${expected}"`;
+        return result.pass ? `Expected response NOT to contain ${expectedStr}, but it did` : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/validators/pattern.ts
+function validatePattern(response, patterns, options = {}) {
+  const { caseSensitive = true } = options;
+  const caseInsensitive = !caseSensitive;
+  const patternList = Array.isArray(patterns) ? patterns : [patterns];
+  const text = extractText2(response);
+  const unmatched = [];
+  for (const pattern of patternList) {
+    const regex = toRegExp(pattern, caseInsensitive);
+    if (!regex.test(text)) {
+      unmatched.push(patternToString(pattern));
+    }
+  }
+  if (unmatched.length === 0) {
+    return {
+      pass: true,
+      message: patternList.length === 1 ? `Response matches pattern` : `Response matches all ${patternList.length} patterns`
+    };
+  }
+  return {
+    pass: false,
+    message: unmatched.length === 1 ? `Response does not match pattern: ${unmatched[0]}` : `Response does not match ${unmatched.length} patterns: ${unmatched.join(", ")}`,
+    details: {
+      unmatched,
+      textLength: text.length,
+      textPreview: truncateForDisplay3(text)
+    }
+  };
+}
+function toRegExp(pattern, caseInsensitive) {
+  if (pattern instanceof RegExp) {
+    if (caseInsensitive && !pattern.flags.includes("i")) {
+      return new RegExp(pattern.source, pattern.flags + "i");
+    }
+    return pattern;
+  }
+  const flags = caseInsensitive ? "i" : "";
+  return new RegExp(pattern, flags);
+}
+function patternToString(pattern) {
+  if (pattern instanceof RegExp) {
+    return pattern.toString();
+  }
+  return `/${pattern}/`;
+}
+function truncateForDisplay3(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/matchers/toMatchToolPattern.ts
+function toMatchToolPattern(received, patterns, options = {}) {
+  const result = validatePattern(received, patterns, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match pattern(s), but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+var BUILT_IN_PATTERNS = {
+  timestamp: {
+    pattern: /\b\d{10,13}\b/g,
+    replacement: "[TIMESTAMP]"
+  },
+  uuid: {
+    pattern: /\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi,
+    replacement: "[UUID]"
+  },
+  "iso-date": {
+    pattern: /\b\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d{1,3})?(Z|[+-]\d{2}:?\d{2})?)?\b/g,
+    replacement: "[ISO_DATE]"
+  },
+  objectId: {
+    pattern: /\b[0-9a-f]{24}\b/gi,
+    replacement: "[OBJECT_ID]"
+  },
+  jwt: {
+    pattern: /\beyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\b/g,
+    replacement: "[JWT]"
+  }
+};
+function isRegexSanitizer(sanitizer) {
+  return typeof sanitizer === "object" && sanitizer !== null && "pattern" in sanitizer;
+}
+function isFieldRemovalSanitizer(sanitizer) {
+  return typeof sanitizer === "object" && sanitizer !== null && "remove" in sanitizer;
+}
+function applySanitizers(value, sanitizers) {
+  let result = value;
+  for (const sanitizer of sanitizers) {
+    if (typeof sanitizer === "string") {
+      const builtIn = BUILT_IN_PATTERNS[sanitizer];
+      if (builtIn) {
+        result = result.replace(builtIn.pattern, builtIn.replacement);
+      }
+      continue;
+    }
+    if (isRegexSanitizer(sanitizer)) {
+      const pattern = sanitizer.pattern instanceof RegExp ? sanitizer.pattern : new RegExp(sanitizer.pattern, "g");
+      const replacement = sanitizer.replacement ?? "[SANITIZED]";
+      result = result.replace(pattern, replacement);
+      continue;
+    }
+    if (isFieldRemovalSanitizer(sanitizer)) {
+      try {
+        const parsed = JSON.parse(result);
+        removeFields(parsed, sanitizer.remove);
+        result = JSON.stringify(parsed, null, 2);
+      } catch {
+      }
+    }
+  }
+  return result;
+}
+function removeFields(obj, paths) {
+  if (typeof obj !== "object" || obj === null) {
+    return;
+  }
+  for (const path3 of paths) {
+    const parts = path3.split(".");
+    if (parts.length === 0) {
+      continue;
+    }
+    let current = obj;
+    for (let i = 0; i < parts.length - 1; i++) {
+      if (typeof current !== "object" || current === null) {
+        break;
+      }
+      const key = parts[i];
+      if (key !== void 0) {
+        current = current[key];
+      }
+    }
+    if (typeof current === "object" && current !== null) {
+      const lastKey = parts[parts.length - 1];
+      if (lastKey !== void 0) {
+        delete current[lastKey];
+      }
+    }
+  }
+}
+async function toMatchToolSnapshot(received, name, sanitizers = []) {
+  let content = extractText2(received);
+  if (sanitizers.length > 0) {
+    content = applySanitizers(content, sanitizers);
+  }
+  if (this.isNot) {
+    try {
+      await expect$1(content).toMatchSnapshot(name);
+      return {
+        pass: false,
+        message: () => `Expected response NOT to match snapshot "${name}", but it did`
+      };
+    } catch {
+      return {
+        pass: true,
+        message: () => `Response does not match snapshot "${name}" as expected`
+      };
+    }
+  }
+  try {
+    await expect$1(content).toMatchSnapshot(name);
+    return {
+      pass: true,
+      message: () => `Response matches snapshot "${name}"`
+    };
+  } catch (error) {
+    return {
+      pass: false,
+      message: () => error instanceof Error ? error.message : `Response does not match snapshot "${name}"`
+    };
+  }
+}
+
+// src/assertions/validators/error.ts
+function validateError(response, expected = true) {
+  const actualIsError = isErrorResponse(response);
+  const errorMessage = actualIsError ? extractErrorMessage(response) : "";
+  if (typeof expected === "boolean") {
+    if (expected) {
+      if (actualIsError) {
+        return {
+          pass: true,
+          message: "Response is an error as expected"
+        };
+      }
+      return {
+        pass: false,
+        message: "Expected an error response but got success",
+        details: {
+          textPreview: truncateForDisplay4(extractText2(response))
+        }
+      };
+    } else {
+      if (!actualIsError) {
+        return {
+          pass: true,
+          message: "Response is not an error as expected"
+        };
+      }
+      return {
+        pass: false,
+        message: `Expected a success response but got error: "${truncateForDisplay4(errorMessage)}"`,
+        details: {
+          errorMessage
+        }
+      };
+    }
+  }
+  const expectedMessages = Array.isArray(expected) ? expected : [expected];
+  if (!actualIsError) {
+    return {
+      pass: false,
+      message: `Expected an error containing "${expectedMessages[0]}" but got success`,
+      details: {
+        textPreview: truncateForDisplay4(extractText2(response))
+      }
+    };
+  }
+  const matched = expectedMessages.some(
+    (msg) => errorMessage.toLowerCase().includes(msg.toLowerCase())
+  );
+  if (matched) {
+    return {
+      pass: true,
+      message: "Error message contains expected text"
+    };
+  }
+  return {
+    pass: false,
+    message: expectedMessages.length === 1 ? `Error message does not contain "${expectedMessages[0]}"` : `Error message does not contain any of: ${expectedMessages.map((m) => `"${m}"`).join(", ")}`,
+    details: {
+      actualErrorMessage: errorMessage,
+      expectedToContain: expectedMessages
+    }
+  };
+}
+function truncateForDisplay4(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/matchers/toBeToolError.ts
+function toBeToolError(received, expected = true) {
+  const effectiveExpected = this.isNot ? typeof expected === "boolean" ? !expected : false : expected;
+  const result = validateError(received, effectiveExpected);
+  return {
+    pass: this.isNot ? !result.pass : result.pass,
+    message: () => {
+      if (this.isNot) {
+        if (typeof expected === "boolean") {
+          return result.pass ? "Expected response NOT to be an error, but it was" : "Response is not an error as expected";
+        }
+        const expectedStr = Array.isArray(expected) ? expected.join(", ") : expected;
+        return result.pass ? `Expected response NOT to be an error with "${expectedStr}", but it was` : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+function createClaudeAgentJudge(config) {
+  const model = config.model ?? "claude-sonnet-4-20250514";
+  const maxBudgetUsd = config.maxBudgetUsd ?? 0.1;
+  const maxToolOutputSize = config.maxToolOutputSize;
+  return {
+    async evaluate(candidate, reference, rubric) {
+      const candidateStr = typeof candidate === "string" ? candidate : JSON.stringify(candidate, null, 2);
+      const candidateSizeBytes = Buffer.byteLength(candidateStr, "utf8");
+      if (maxToolOutputSize !== void 0 && candidateSizeBytes > maxToolOutputSize) {
+        return {
+          pass: false,
+          score: 0,
+          reasoning: `Tool output size (${candidateSizeBytes} bytes) exceeds maximum allowed size (${maxToolOutputSize} bytes)`,
+          candidateSizeBytes,
+          exceedsMaxToolOutputSize: true
+        };
+      }
+      const prompt = buildJudgePrompt(candidate, reference, rubric);
+      try {
+        let resultMessage;
+        for await (const message of query({
+          prompt,
+          options: {
+            model,
+            maxBudgetUsd,
+            // Use empty tools array for response-only mode
+            tools: [],
+            // Bypass permissions since we're not using any tools
+            permissionMode: "bypassPermissions",
+            allowDangerouslySkipPermissions: true,
+            // Use a custom system prompt for JSON output
+            systemPrompt: buildSystemPrompt(),
+            // Limit to 1 turn since this is a simple evaluation
+            maxTurns: 1
+          }
+        })) {
+          if (message.type === "result") {
+            resultMessage = message;
+          }
+        }
+        if (!resultMessage) {
+          throw new Error("No result message received from Claude Agent SDK");
+        }
+        if (resultMessage.subtype !== "success" && resultMessage.errors?.length) {
+          throw new Error(
+            `Claude Agent SDK error: ${resultMessage.errors.join(", ")}`
+          );
+        }
+        const responseText = resultMessage.result ?? "";
+        const parsed = parseJudgeResponse(responseText);
+        const usage = {
+          inputTokens: resultMessage.usage?.input_tokens ?? 0,
+          outputTokens: resultMessage.usage?.output_tokens ?? 0,
+          totalCostUsd: resultMessage.total_cost_usd ?? 0,
+          durationMs: resultMessage.duration_ms ?? 0,
+          durationApiMs: resultMessage.duration_api_ms,
+          cacheReadInputTokens: resultMessage.usage?.cache_read_input_tokens,
+          cacheCreationInputTokens: resultMessage.usage?.cache_creation_input_tokens
+        };
+        return {
+          pass: parsed.pass ?? false,
+          score: parsed.score,
+          reasoning: parsed.reasoning,
+          usage,
+          candidateSizeBytes,
+          exceedsMaxToolOutputSize: false
+        };
+      } catch (error) {
+        throw new Error(
+          `Claude Agent judge evaluation failed: ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
+    }
+  };
+}
+function buildSystemPrompt() {
+  return 'You are an expert evaluator. Evaluate the candidate response based on the rubric provided. Respond ONLY with valid JSON in this exact format: {"pass": boolean, "score": number (0-1), "reasoning": string}. Do not include any other text, markdown formatting, or code blocks.';
+}
+function buildJudgePrompt(candidate, reference, rubric) {
+  const parts = [];
+  parts.push("# Evaluation Task\n");
+  parts.push(rubric);
+  parts.push("\n\n# Candidate Response\n");
+  parts.push(
+    typeof candidate === "string" ? candidate : JSON.stringify(candidate, null, 2)
+  );
+  if (reference !== null && reference !== void 0) {
+    parts.push("\n\n# Reference Response\n");
+    parts.push(
+      typeof reference === "string" ? reference : JSON.stringify(reference, null, 2)
+    );
+  }
+  parts.push(
+    "\n\n# Instructions\nEvaluate the candidate response based on the rubric. " + (reference !== null && reference !== void 0 ? "Compare it against the reference response if helpful. " : "") + 'Respond with JSON containing "pass" (boolean), "score" (0-1), and "reasoning" (string).'
+  );
+  return parts.join("");
+}
+function parseJudgeResponse(text) {
+  let jsonText = text.trim();
+  if (jsonText.startsWith("```json")) {
+    jsonText = jsonText.slice(7);
+  }
+  if (jsonText.startsWith("```")) {
+    jsonText = jsonText.slice(3);
+  }
+  if (jsonText.endsWith("```")) {
+    jsonText = jsonText.slice(0, -3);
+  }
+  jsonText = jsonText.trim();
+  try {
+    return JSON.parse(jsonText);
+  } catch {
+    const jsonMatch = jsonText.match(/\{[\s\S]*"pass"[\s\S]*\}/);
+    if (jsonMatch) {
+      return JSON.parse(jsonMatch[0]);
+    }
+    throw new Error(`Failed to parse judge response as JSON: ${text}`);
+  }
+}
+
+// src/judge/judgeClient.ts
+function createJudge(config = {}) {
+  const provider = config.provider ?? "claude";
+  switch (provider) {
+    case "claude":
+    case "anthropic":
+      return createClaudeAgentJudge(config);
+    case "openai":
+      throw new Error(
+        'OpenAI provider is no longer supported. Please use createJudge() without specifying provider, or use provider: "claude". See migration guide at https://github.com/gleanwork/mcp-server-tester/blob/main/docs/migration-v0.11.md'
+      );
+    case "custom-http":
+      throw new Error(
+        "custom-http provider is no longer supported. Please use createJudge() without specifying provider."
+      );
+    default:
+      throw new Error(`Unsupported LLM provider: ${String(provider)}`);
+  }
+}
+
+// src/assertions/matchers/toPassToolJudge.ts
+var DEFAULT_PASSING_THRESHOLD = 0.7;
+var DEFAULT_JUDGE_CONFIG = {};
+async function toPassToolJudge(received, rubric, options = {}) {
+  const {
+    reference = null,
+    passingThreshold = DEFAULT_PASSING_THRESHOLD,
+    judgeConfig = DEFAULT_JUDGE_CONFIG
+  } = options;
+  const judge = createJudge(judgeConfig);
+  try {
+    const result = await judge.evaluate(received, reference, rubric);
+    const score = result.score ?? (result.pass ? 1 : 0);
+    const passes = score >= passingThreshold;
+    if (this.isNot) {
+      return {
+        pass: !passes,
+        message: () => passes ? `Expected judge evaluation to fail, but it passed with score ${score.toFixed(2)}` : `Judge evaluation failed as expected with score ${score.toFixed(2)}`
+      };
+    }
+    if (passes) {
+      return {
+        pass: true,
+        message: () => `Judge evaluation passed with score ${score.toFixed(2)} (threshold: ${passingThreshold})`
+      };
+    }
+    return {
+      pass: false,
+      message: () => `Judge evaluation failed with score ${score.toFixed(2)} (threshold: ${passingThreshold}). Reasoning: ${result.reasoning ?? "No reasoning provided"}`
+    };
+  } catch (error) {
+    return {
+      pass: false,
+      message: () => `Judge evaluation failed with error: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
+
+// src/assertions/validators/size.ts
+function validateSize(response, options) {
+  const { maxBytes, minBytes } = options;
+  if (maxBytes === void 0 && minBytes === void 0) {
+    return {
+      pass: false,
+      message: "Size validation requires at least one of maxBytes or minBytes"
+    };
+  }
+  const actualSize = getResponseSizeBytes(response);
+  const issues = [];
+  if (minBytes !== void 0 && actualSize < minBytes) {
+    issues.push(
+      `Response size (${formatBytes(actualSize)}) is below minimum (${formatBytes(minBytes)})`
+    );
+  }
+  if (maxBytes !== void 0 && actualSize > maxBytes) {
+    issues.push(
+      `Response size (${formatBytes(actualSize)}) exceeds maximum (${formatBytes(maxBytes)})`
+    );
+  }
+  if (issues.length === 0) {
+    return {
+      pass: true,
+      message: `Response size (${formatBytes(actualSize)}) is within bounds`,
+      details: {
+        actualBytes: actualSize
+      }
+    };
+  }
+  return {
+    pass: false,
+    message: issues.join("; "),
+    details: {
+      actualBytes: actualSize,
+      minBytes,
+      maxBytes
+    }
+  };
+}
+function formatBytes(bytes) {
+  if (bytes < 1024) {
+    return `${bytes} bytes`;
+  }
+  if (bytes < 1024 * 1024) {
+    return `${(bytes / 1024).toFixed(1)} KB`;
+  }
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
+// src/assertions/matchers/toHaveToolResponseSize.ts
+function toHaveToolResponseSize(received, options) {
+  const result = validateSize(received, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response size NOT to be within bounds, but it was" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toSatisfyToolPredicate.ts
+function normalizeResult(result) {
+  if (typeof result === "boolean") {
+    return {
+      pass: result,
+      message: result ? "Predicate passed" : "Predicate returned false"
+    };
+  }
+  return result;
+}
+async function toSatisfyToolPredicate(received, predicate, description) {
+  const predicateDescription = description ?? "custom predicate";
+  try {
+    const text = extractText2(received);
+    const rawResult = await predicate(received, text);
+    const result = normalizeResult(rawResult);
+    if (this.isNot) {
+      return {
+        pass: !result.pass,
+        message: () => result.pass ? `Expected response NOT to satisfy ${predicateDescription}` : `Response does not satisfy ${predicateDescription} as expected`
+      };
+    }
+    return {
+      pass: result.pass,
+      message: () => result.pass ? result.message ?? `Response satisfies ${predicateDescription}` : result.message ?? `Expected response to satisfy ${predicateDescription}`
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    return {
+      pass: this.isNot,
+      // If using .not, an error means the predicate didn't pass
+      message: () => `Predicate threw error: ${errorMessage}`
+    };
+  }
+}
+
+// src/assertions/matchers/index.ts
+var expect = expect$1.extend({
+  toMatchToolResponse,
+  toMatchToolSchema,
+  toContainToolText,
+  toMatchToolPattern,
+  toMatchToolSnapshot,
+  toBeToolError,
+  toPassToolJudge,
+  toHaveToolResponseSize,
+  toSatisfyToolPredicate
+});
+var MCPHostCapabilitiesSchema = z.object({
+  sampling: z.record(z.unknown()).optional(),
+  roots: z.object({
+    listChanged: z.boolean()
+  }).optional()
+});
+var MCPOAuthConfigSchema = z.object({
+  serverUrl: z.string().url("serverUrl must be a valid URL"),
+  scopes: z.array(z.string()).optional(),
+  resource: z.string().url().optional(),
+  authStatePath: z.string().optional(),
+  clientId: z.string().optional(),
+  clientSecret: z.string().optional(),
+  redirectUri: z.string().url().optional()
+});
+var MCPAuthConfigSchema = z.object({
+  accessToken: z.string().optional(),
+  oauth: MCPOAuthConfigSchema.optional()
+}).refine(
+  (data) => !(data.accessToken && data.oauth),
+  "Cannot specify both accessToken and oauth configuration"
+);
+var StdioConfigSchema = z.object({
+  transport: z.literal("stdio"),
+  command: z.string().min(1, "command is required for stdio transport"),
+  args: z.array(z.string()).optional(),
+  cwd: z.string().optional(),
+  capabilities: MCPHostCapabilitiesSchema.optional(),
+  connectTimeoutMs: z.number().positive().optional(),
+  requestTimeoutMs: z.number().positive().optional(),
+  quiet: z.boolean().optional()
+});
+var HttpConfigSchema = z.object({
+  transport: z.literal("http"),
+  serverUrl: z.string().url("serverUrl must be a valid URL"),
+  headers: z.record(z.string()).optional(),
+  capabilities: MCPHostCapabilitiesSchema.optional(),
+  connectTimeoutMs: z.number().positive().optional(),
+  requestTimeoutMs: z.number().positive().optional(),
+  auth: MCPAuthConfigSchema.optional()
+});
+var MCPConfigSchema = z.discriminatedUnion("transport", [
+  StdioConfigSchema,
+  HttpConfigSchema
+]);
+function validateMCPConfig(config) {
+  return MCPConfigSchema.parse(config);
+}
+function isStdioConfig(config) {
+  return config.transport === "stdio" && typeof config.command === "string";
+}
+function isHttpConfig(config) {
+  return config.transport === "http" && typeof config.serverUrl === "string";
+}
+var NAMESPACE = "mcp-server-tester";
+var debugClient = createDebug(`${NAMESPACE}:client`);
+createDebug(`${NAMESPACE}:oauth`);
+createDebug(`${NAMESPACE}:eval`);
+
+// src/mcp/clientFactory.ts
+async function createMCPClientForConfig(config, options) {
+  const validatedConfig = validateMCPConfig(config);
+  const client = new Client(
+    {
+      name: options?.clientInfo?.name ?? "@gleanwork/mcp-server-tester",
+      version: options?.clientInfo?.version ?? "0.1.0"
+    },
+    {
+      capabilities: validatedConfig.capabilities ?? {}
+    }
+  );
+  if (isStdioConfig(validatedConfig)) {
+    const transport = new StdioClientTransport({
+      command: validatedConfig.command,
+      args: validatedConfig.args ?? [],
+      ...validatedConfig.cwd && { cwd: validatedConfig.cwd },
+      // Suppress server stderr when quiet mode is enabled
+      ...validatedConfig.quiet && { stderr: "ignore" }
+    });
+    debugClient("Connecting via stdio: %O", {
+      command: validatedConfig.command,
+      args: validatedConfig.args,
+      cwd: validatedConfig.cwd
+    });
+    await client.connect(transport);
+  } else if (isHttpConfig(validatedConfig)) {
+    const headers = { ...validatedConfig.headers };
+    if (validatedConfig.auth?.accessToken && !options?.authProvider) {
+      headers.Authorization = `Bearer ${validatedConfig.auth.accessToken}`;
+    }
+    const transport = new StreamableHTTPClientTransport(
+      new URL(validatedConfig.serverUrl),
+      {
+        requestInit: Object.keys(headers).length > 0 ? { headers } : void 0,
+        // Pass auth provider for OAuth flow - MCP SDK handles it automatically
+        authProvider: options?.authProvider
+      }
+    );
+    debugClient("Connecting via HTTP: %O", {
+      serverUrl: validatedConfig.serverUrl,
+      headers: Object.keys(headers).length > 0 ? Object.keys(headers) : void 0,
+      hasAuthProvider: !!options?.authProvider
+    });
+    await client.connect(transport);
+  }
+  debugClient("Connected successfully");
+  const serverInfo = client.getServerVersion();
+  if (serverInfo) {
+    debugClient("Server info: %O", serverInfo);
+  }
+  return client;
+}
+async function closeMCPClient(client) {
+  try {
+    await client.close();
+  } catch (error) {
+    console.error("[MCP] Error closing client:", error);
+    throw error;
+  }
+}
+
+// src/mcp/fixtures/mcpFixture.ts
+var testStep = null;
+try {
+  const playwright = __require("@playwright/test");
+  if (playwright && playwright.test && playwright.test.step) {
+    testStep = playwright.test.step.bind(playwright.test);
+  }
+} catch {
+}
+function createMCPFixture(client, testInfo, options) {
+  const authType = options?.authType ?? "none";
+  const project = options?.project;
+  if (!testInfo) {
+    return {
+      client,
+      authType,
+      project,
+      async listTools() {
+        const result = await client.listTools();
+        return result.tools;
+      },
+      async callTool(name, args) {
+        const result = await client.callTool({
+          name,
+          arguments: args
+        });
+        return result;
+      },
+      getServerInfo() {
+        const serverVersion = client.getServerVersion();
+        if (!serverVersion) {
+          return null;
+        }
+        return {
+          name: serverVersion.name,
+          version: serverVersion.version
+        };
+      }
+    };
+  }
+  return {
+    client,
+    authType,
+    project,
+    async listTools() {
+      const execute = async () => {
+        const result = await client.listTools();
+        const tools = result.tools;
+        await testInfo.attach("mcp-list-tools", {
+          contentType: "application/json",
+          body: JSON.stringify(
+            {
+              operation: "listTools",
+              toolCount: tools.length,
+              tools: tools.map((t) => ({
+                name: t.name,
+                description: t.description
+              }))
+            },
+            null,
+            2
+          )
+        });
+        return tools;
+      };
+      return testStep ? testStep("MCP: listTools()", execute) : execute();
+    },
+    async callTool(name, args) {
+      const execute = async () => {
+        const startTime = Date.now();
+        const result = await client.callTool({
+          name,
+          arguments: args
+        });
+        const durationMs = Date.now() - startTime;
+        await testInfo.attach(`mcp-call-${name}`, {
+          contentType: "application/json",
+          body: JSON.stringify(
+            {
+              operation: "callTool",
+              toolName: name,
+              args,
+              result,
+              durationMs,
+              isError: result.isError || false,
+              authType,
+              project
+            },
+            null,
+            2
+          )
+        });
+        return result;
+      };
+      return testStep ? testStep(`MCP: callTool("${name}")`, execute) : execute();
+    },
+    getServerInfo() {
+      const serverVersion = client.getServerVersion();
+      const result = serverVersion ? {
+        name: serverVersion.name,
+        version: serverVersion.version
+      } : null;
+      testInfo.attach("mcp-server-info", {
+        contentType: "application/json",
+        body: JSON.stringify(
+          {
+            operation: "getServerInfo",
+            serverInfo: result
+          },
+          null,
+          2
+        )
+      }).catch(() => {
+      });
+      return result;
+    }
+  };
+}
+var PlaywrightOAuthClientProvider = class {
+  config;
+  cachedState = null;
+  stateParam = null;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * The URL to redirect the user agent to after authorization
+   */
+  get redirectUrl() {
+    return this.config.redirectUri;
+  }
+  /**
+   * Metadata about this OAuth client
+   */
+  get clientMetadata() {
+    return {
+      redirect_uris: [this.config.redirectUri],
+      token_endpoint_auth_method: this.config.clientSecret ? "client_secret_basic" : "none",
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      client_name: "@gleanwork/mcp-server-tester",
+      ...this.config.clientMetadata
+    };
+  }
+  /**
+   * Returns an OAuth2 state parameter
+   */
+  state() {
+    if (!this.stateParam) {
+      this.stateParam = this.generateRandomString(32);
+    }
+    return this.stateParam;
+  }
+  /**
+   * Loads information about this OAuth client
+   */
+  async clientInformation() {
+    if (this.config.clientId) {
+      return {
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        redirect_uris: [this.config.redirectUri]
+      };
+    }
+    const state = await this.loadState();
+    if (state?.clientInfo) {
+      return {
+        client_id: state.clientInfo.clientId,
+        client_secret: state.clientInfo.clientSecret,
+        client_id_issued_at: state.clientInfo.clientIdIssuedAt,
+        client_secret_expires_at: state.clientInfo.clientSecretExpiresAt,
+        redirect_uris: [this.config.redirectUri]
+      };
+    }
+    return void 0;
+  }
+  /**
+   * Saves client information from Dynamic Client Registration
+   */
+  async saveClientInformation(clientInformation) {
+    const state = await this.loadState() ?? this.createEmptyState();
+    state.clientInfo = {
+      clientId: clientInformation.client_id,
+      clientSecret: clientInformation.client_secret,
+      clientIdIssuedAt: clientInformation.client_id_issued_at,
+      clientSecretExpiresAt: clientInformation.client_secret_expires_at
+    };
+    await this.saveState(state);
+  }
+  /**
+   * Loads any existing OAuth tokens for the current session
+   */
+  async tokens() {
+    const state = await this.loadState();
+    if (state?.tokens) {
+      return {
+        access_token: state.tokens.accessToken,
+        token_type: state.tokens.tokenType,
+        refresh_token: state.tokens.refreshToken,
+        expires_in: state.tokens.expiresAt ? Math.floor((state.tokens.expiresAt - Date.now()) / 1e3) : void 0
+      };
+    }
+    return void 0;
+  }
+  /**
+   * Stores new OAuth tokens for the current session
+   */
+  async saveTokens(tokens) {
+    const state = await this.loadState() ?? this.createEmptyState();
+    state.tokens = {
+      accessToken: tokens.access_token,
+      tokenType: tokens.token_type,
+      refreshToken: tokens.refresh_token,
+      expiresAt: tokens.expires_in ? Date.now() + tokens.expires_in * 1e3 : void 0
+    };
+    await this.saveState(state);
+  }
+  /**
+   * Invoked to redirect the user agent to the given URL
+   *
+   * In a testing context, this is typically handled by Playwright automation.
+   * This implementation throws an error to signal that the caller needs to
+   * handle the redirect externally.
+   */
+  async redirectToAuthorization(authorizationUrl) {
+    throw new Error(
+      `OAuth authorization required. Redirect to: ${authorizationUrl.toString()}
+In a testing context, use performOAuthSetup() in your Playwright globalSetup to complete the OAuth flow before running tests.`
+    );
+  }
+  /**
+   * Saves a PKCE code verifier for the current session
+   */
+  async saveCodeVerifier(codeVerifier) {
+    const state = await this.loadState() ?? this.createEmptyState();
+    state.codeVerifier = codeVerifier;
+    await this.saveState(state);
+  }
+  /**
+   * Loads the PKCE code verifier for the current session
+   */
+  async codeVerifier() {
+    const state = await this.loadState();
+    if (!state?.codeVerifier) {
+      throw new Error("No code verifier found in auth state");
+    }
+    return state.codeVerifier;
+  }
+  /**
+   * Invalidates the specified credentials
+   */
+  async invalidateCredentials(scope) {
+    const state = await this.loadState();
+    if (!state) {
+      return;
+    }
+    switch (scope) {
+      case "all":
+        await this.deleteState();
+        break;
+      case "client":
+        delete state.clientInfo;
+        await this.saveState(state);
+        break;
+      case "tokens":
+        delete state.tokens;
+        await this.saveState(state);
+        break;
+      case "verifier":
+        delete state.codeVerifier;
+        await this.saveState(state);
+        break;
+    }
+  }
+  // ---- Private helper methods ----
+  async loadState() {
+    if (this.cachedState) {
+      return this.cachedState;
+    }
+    try {
+      const content = await fs2.readFile(this.config.storagePath, "utf-8");
+      this.cachedState = JSON.parse(content);
+      return this.cachedState;
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async saveState(state) {
+    state.savedAt = Date.now();
+    this.cachedState = state;
+    const dir = path2.dirname(this.config.storagePath);
+    await fs2.mkdir(dir, { recursive: true });
+    await fs2.writeFile(
+      this.config.storagePath,
+      JSON.stringify(state, null, 2),
+      "utf-8"
+    );
+  }
+  async deleteState() {
+    this.cachedState = null;
+    try {
+      await fs2.unlink(this.config.storagePath);
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        throw error;
+      }
+    }
+  }
+  createEmptyState() {
+    return {
+      savedAt: Date.now()
+    };
+  }
+  generateRandomString(length) {
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+    let result = "";
+    const randomValues = new Uint8Array(length);
+    crypto.getRandomValues(randomValues);
+    for (let i = 0; i < length; i++) {
+      const randomValue = randomValues[i] ?? 0;
+      result += chars[randomValue % chars.length];
+    }
+    return result;
+  }
+};
+async function generatePKCE() {
+  const codeVerifier = oauth.generateRandomCodeVerifier();
+  const codeChallenge = await oauth.calculatePKCECodeChallenge(codeVerifier);
+  return {
+    codeVerifier,
+    codeChallenge
+  };
+}
+function generateState() {
+  return oauth.generateRandomState();
+}
+function buildAuthorizationUrl(config) {
+  const authorizationEndpoint = config.authServer.server.authorization_endpoint;
+  if (!authorizationEndpoint) {
+    throw new Error(
+      "Authorization server does not have an authorization_endpoint"
+    );
+  }
+  const authorizationUrl = new URL(authorizationEndpoint);
+  authorizationUrl.searchParams.set("client_id", config.clientId);
+  authorizationUrl.searchParams.set("redirect_uri", config.redirectUri);
+  authorizationUrl.searchParams.set("response_type", "code");
+  authorizationUrl.searchParams.set("scope", config.scopes.join(" "));
+  authorizationUrl.searchParams.set("code_challenge", config.codeChallenge);
+  authorizationUrl.searchParams.set("code_challenge_method", "S256");
+  authorizationUrl.searchParams.set("state", config.state);
+  if (config.resource) {
+    authorizationUrl.searchParams.set("resource", config.resource);
+  }
+  return authorizationUrl;
+}
+async function exchangeCodeForTokens(config) {
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
+  };
+  const clientAuth = config.clientSecret ? oauth.ClientSecretBasic(config.clientSecret) : oauth.None();
+  const callbackUrl = new URL(config.redirectUri);
+  callbackUrl.searchParams.set("code", config.code);
+  callbackUrl.searchParams.set("state", config.state);
+  const validatedParams = oauth.validateAuthResponse(
+    config.authServer.server,
+    client,
+    callbackUrl,
+    config.state
+  );
+  const response = await oauth.authorizationCodeGrantRequest(
+    config.authServer.server,
+    client,
+    clientAuth,
+    validatedParams,
+    config.redirectUri,
+    config.codeVerifier
+  );
+  const result = await oauth.processAuthorizationCodeResponse(
+    config.authServer.server,
+    client,
+    response
+  );
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    refreshToken: result.refresh_token,
+    scope: result.scope
+  };
+}
+async function refreshAccessToken(config) {
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
+  };
+  const clientAuth = config.clientSecret ? oauth.ClientSecretBasic(config.clientSecret) : oauth.None();
+  const response = await oauth.refreshTokenGrantRequest(
+    config.authServer.server,
+    client,
+    clientAuth,
+    config.refreshToken
+  );
+  if (!response.ok) {
+    const contentType = response.headers.get("content-type") ?? "";
+    let errorMessage = `Token refresh failed: ${response.status} ${response.statusText}`;
+    try {
+      if (contentType.includes("application/json")) {
+        const errorBody = await response.clone().json();
+        if (errorBody.error) {
+          errorMessage = `Token refresh failed: ${errorBody.error}`;
+          if (errorBody.error_description) {
+            errorMessage += ` - ${errorBody.error_description}`;
+          }
+        }
+      } else {
+        const textBody = await response.clone().text();
+        if (textBody) {
+          errorMessage = `Token refresh failed: ${response.status} - ${textBody}`;
+        }
+      }
+    } catch {
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await oauth.processRefreshTokenResponse(
+    config.authServer.server,
+    client,
+    response
+  );
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    refreshToken: result.refresh_token,
+    scope: result.scope
+  };
+}
+var MCP_PROTOCOL_VERSION = "2025-06-18";
+async function discoverProtectedResource(mcpServerUrl) {
+  const url = new URL(mcpServerUrl);
+  const origin = url.origin;
+  const pathname = url.pathname;
+  const pathAwareUrl = `${origin}/.well-known/oauth-protected-resource${pathname}`;
+  try {
+    const metadata = await fetchProtectedResourceMetadata(pathAwareUrl);
+    return {
+      metadata,
+      discoveryUrl: pathAwareUrl,
+      usedPathAwareDiscovery: true
+    };
+  } catch (error) {
+    if (error instanceof DiscoveryError && error.status === 404) {
+      const baseUrl = `${origin}/.well-known/oauth-protected-resource`;
+      const metadata = await fetchProtectedResourceMetadata(baseUrl);
+      return {
+        metadata,
+        discoveryUrl: baseUrl,
+        usedPathAwareDiscovery: false
+      };
+    }
+    throw error;
+  }
+}
+var DiscoveryError = class extends Error {
+  constructor(message, status, url) {
+    super(message);
+    this.status = status;
+    this.url = url;
+    this.name = "DiscoveryError";
+  }
+};
+async function fetchProtectedResourceMetadata(discoveryUrl) {
+  const response = await fetch(discoveryUrl, {
+    method: "GET",
+    headers: {
+      Accept: "application/json",
+      "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+    }
+  });
+  if (!response.ok) {
+    throw new DiscoveryError(
+      `Protected resource discovery failed: ${response.status} ${response.statusText}`,
+      response.status,
+      discoveryUrl
+    );
+  }
+  const metadata = await response.json();
+  if (!metadata.resource) {
+    throw new DiscoveryError(
+      'Invalid protected resource metadata: missing required "resource" field',
+      void 0,
+      discoveryUrl
+    );
+  }
+  return metadata;
+}
+async function discoverAuthorizationServer(authServerUrl) {
+  const issuer = new URL(authServerUrl);
+  const response = await oauth.discoveryRequest(issuer, {
+    algorithm: "oauth2",
+    headers: new Headers({
+      "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+    })
+  });
+  const metadata = await oauth.processDiscoveryResponse(issuer, response);
+  return {
+    server: metadata,
+    issuer: authServerUrl
+  };
+}
+var ENV_VAR_NAMES = {
+  accessToken: "MCP_ACCESS_TOKEN",
+  refreshToken: "MCP_REFRESH_TOKEN",
+  tokenType: "MCP_TOKEN_TYPE",
+  expiresAt: "MCP_TOKEN_EXPIRES_AT"
+};
+var DEFAULT_EXPIRY_BUFFER_MS = 6e4;
+function generateServerKey(serverUrl) {
+  const url = new URL(serverUrl);
+  let key = url.hostname;
+  if (url.port) {
+    key += `_${url.port}`;
+  }
+  if (url.pathname && url.pathname !== "/") {
+    const cleanPath = url.pathname.replace(/^\/+|\/+$/g, "").replace(/\//g, "_");
+    if (cleanPath) {
+      key += `_${cleanPath}`;
+    }
+  }
+  return key.replace(/[^a-zA-Z0-9_.-]/g, "_");
+}
+function getStateDir(serverUrl, customDir) {
+  const serverKey = generateServerKey(serverUrl);
+  if (customDir) {
+    return path2.join(customDir, serverKey);
+  }
+  if (process.platform === "win32") {
+    const localAppData = process.env.LOCALAPPDATA;
+    if (localAppData) {
+      return path2.join(localAppData, "mcp-tests", serverKey);
+    }
+    return path2.join(homedir(), "AppData", "Local", "mcp-tests", serverKey);
+  }
+  if (process.platform === "linux" && process.env.XDG_STATE_HOME) {
+    return path2.join(process.env.XDG_STATE_HOME, "mcp-tests", serverKey);
+  }
+  return path2.join(homedir(), ".local", "state", "mcp-tests", serverKey);
+}
+function loadTokensFromEnv() {
+  const accessToken = process.env[ENV_VAR_NAMES.accessToken];
+  if (!accessToken) {
+    return null;
+  }
+  const expiresAtStr = process.env[ENV_VAR_NAMES.expiresAt];
+  const expiresAt = expiresAtStr ? parseInt(expiresAtStr, 10) : void 0;
+  return {
+    accessToken,
+    refreshToken: process.env[ENV_VAR_NAMES.refreshToken],
+    tokenType: process.env[ENV_VAR_NAMES.tokenType] ?? "Bearer",
+    expiresAt: expiresAt && !isNaN(expiresAt) ? expiresAt : void 0
+  };
+}
+function createFileOAuthStorage(config) {
+  return new FileOAuthStorage(config);
+}
+var FileOAuthStorage = class {
+  stateDir;
+  constructor(config) {
+    this.stateDir = getStateDir(config.serverUrl, config.stateDir);
+  }
+  get serverMetadataPath() {
+    return path2.join(this.stateDir, "server.json");
+  }
+  get clientPath() {
+    return path2.join(this.stateDir, "client.json");
+  }
+  get tokensPath() {
+    return path2.join(this.stateDir, "tokens.json");
+  }
+  async loadServerMetadata() {
+    return this.loadFile(this.serverMetadataPath);
+  }
+  async saveServerMetadata(metadata) {
+    await this.atomicWrite(this.serverMetadataPath, metadata);
+  }
+  async loadClient() {
+    return this.loadFile(this.clientPath);
+  }
+  async saveClient(client) {
+    await this.atomicWrite(this.clientPath, client);
+  }
+  async loadTokens() {
+    return this.loadFile(this.tokensPath);
+  }
+  async saveTokens(tokens) {
+    await this.atomicWrite(this.tokensPath, tokens);
+  }
+  async deleteTokens() {
+    await this.deleteFile(this.tokensPath);
+  }
+  async hasValidToken(bufferMs = DEFAULT_EXPIRY_BUFFER_MS) {
+    const tokens = await this.loadTokens();
+    if (!tokens?.accessToken) {
+      return false;
+    }
+    if (!tokens.expiresAt) {
+      return true;
+    }
+    return tokens.expiresAt > Date.now() + bufferMs;
+  }
+  /**
+   * Load a JSON file, returning null if not found
+   */
+  async loadFile(filePath) {
+    try {
+      const content = await fs2.readFile(filePath, "utf-8");
+      return JSON.parse(content);
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Write data atomically: write to .tmp file, then rename
+   * Files are created with 0o600 permissions (user read/write only)
+   */
+  async atomicWrite(filePath, data) {
+    await fs2.mkdir(this.stateDir, { recursive: true, mode: 448 });
+    const tmpPath = `${filePath}.tmp`;
+    const content = JSON.stringify(data, null, 2);
+    await fs2.writeFile(tmpPath, content, { encoding: "utf-8", mode: 384 });
+    await fs2.rename(tmpPath, filePath);
+  }
+  /**
+   * Delete a file, ignoring errors if the file doesn't exist
+   */
+  async deleteFile(filePath) {
+    try {
+      await fs2.unlink(filePath);
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        throw error;
+      }
+    }
+  }
+};
+
+// src/auth/cli.ts
+var debug = createDebug("mcp-server-tester:cli-oauth");
+var DEFAULT_TIMEOUT_MS = 3e5;
+var DEFAULT_CLIENT_NAME = "@gleanwork/mcp-server-tester";
+var DEFAULT_METADATA_TTL_MS = 24 * 60 * 60 * 1e3;
+var CLIOAuthClient = class {
+  config;
+  storage;
+  constructor(config) {
+    this.config = config;
+    this.storage = createFileOAuthStorage({
+      serverUrl: config.mcpServerUrl,
+      stateDir: config.stateDir
+    });
+  }
+  /**
+   * Get a valid access token, authenticating if necessary
+   *
+   * Token resolution priority:
+   * 1. Check environment variables (for CI/CD)
+   * 2. Check file storage for cached tokens
+   * 3. Try to refresh if expired but refresh token exists
+   * 4. Run full OAuth flow if needed
+   */
+  async getAccessToken() {
+    const envTokens = loadTokensFromEnv();
+    if (envTokens) {
+      debug("Using tokens from environment variables");
+      return {
+        accessToken: envTokens.accessToken,
+        tokenType: envTokens.tokenType,
+        expiresAt: envTokens.expiresAt,
+        refreshed: false,
+        fromEnv: true
+      };
+    }
+    const storedTokens = await this.storage.loadTokens();
+    if (storedTokens?.accessToken) {
+      const isValid = await this.storage.hasValidToken();
+      if (isValid) {
+        debug("Using cached tokens from storage");
+        return {
+          accessToken: storedTokens.accessToken,
+          tokenType: storedTokens.tokenType,
+          expiresAt: storedTokens.expiresAt,
+          refreshed: false,
+          fromEnv: false
+        };
+      }
+      if (storedTokens.refreshToken) {
+        debug("Token expired, attempting refresh");
+        try {
+          const refreshedTokens = await this.refreshStoredToken(storedTokens);
+          return {
+            accessToken: refreshedTokens.accessToken,
+            tokenType: refreshedTokens.tokenType,
+            expiresAt: refreshedTokens.expiresAt,
+            refreshed: true,
+            fromEnv: false
+          };
+        } catch (error) {
+          debug("Token refresh failed, will re-authenticate:", error);
+        }
+      }
+    }
+    debug("Performing full OAuth authentication");
+    return this.authenticate();
+  }
+  /**
+   * Try to get a valid access token without triggering browser auth
+   *
+   * Returns null if no valid token is available (no stored tokens,
+   * expired without refresh token, or refresh failed). Unlike getAccessToken(),
+   * this will NOT open a browser for authentication.
+   *
+   * Use this for CLI commands that should prompt the user to run `login`
+   * instead of automatically starting the OAuth flow.
+   */
+  async tryGetAccessToken() {
+    const envTokens = loadTokensFromEnv();
+    if (envTokens) {
+      debug("Using tokens from environment variables");
+      return {
+        accessToken: envTokens.accessToken,
+        tokenType: envTokens.tokenType,
+        expiresAt: envTokens.expiresAt,
+        refreshed: false,
+        fromEnv: true
+      };
+    }
+    const storedTokens = await this.storage.loadTokens();
+    if (storedTokens?.accessToken) {
+      const isValid = await this.storage.hasValidToken();
+      if (isValid) {
+        debug("Using cached tokens from storage");
+        return {
+          accessToken: storedTokens.accessToken,
+          tokenType: storedTokens.tokenType,
+          expiresAt: storedTokens.expiresAt,
+          refreshed: false,
+          fromEnv: false
+        };
+      }
+      if (storedTokens.refreshToken) {
+        debug("Token expired, attempting refresh");
+        try {
+          const refreshedTokens = await this.refreshStoredToken(storedTokens);
+          return {
+            accessToken: refreshedTokens.accessToken,
+            tokenType: refreshedTokens.tokenType,
+            expiresAt: refreshedTokens.expiresAt,
+            refreshed: true,
+            fromEnv: false
+          };
+        } catch (error) {
+          debug("Token refresh failed:", error);
+          return null;
+        }
+      }
+    }
+    debug("No valid token available");
+    return null;
+  }
+  /**
+   * Force a new authentication flow
+   */
+  async authenticate() {
+    const { protectedResource, authServer } = await this.discoverServers();
+    const client = await this.getOrRegisterClient(authServer);
+    const { tokens, requestedScopes } = await this.performOAuthFlow(
+      authServer,
+      client,
+      protectedResource
+    );
+    return {
+      accessToken: tokens.accessToken,
+      tokenType: tokens.tokenType,
+      expiresAt: tokens.expiresAt,
+      refreshed: false,
+      fromEnv: false,
+      requestedScopes
+    };
+  }
+  /**
+   * Check if stored credentials exist (may be expired)
+   */
+  async hasStoredCredentials() {
+    const tokens = await this.storage.loadTokens();
+    return tokens?.accessToken !== void 0;
+  }
+  /**
+   * Clear stored credentials
+   */
+  async clearCredentials() {
+    await this.storage.deleteTokens();
+    debug("Cleared stored credentials");
+  }
+  /**
+   * Discover protected resource and authorization server
+   */
+  async discoverServers() {
+    const cachedMetadata = await this.storage.loadServerMetadata();
+    if (cachedMetadata) {
+      const age = Date.now() - cachedMetadata.discoveredAt;
+      if (age < DEFAULT_METADATA_TTL_MS) {
+        debug("Using cached server metadata (age: %dms)", age);
+        debug(
+          "Cached protected resource scopes: %O",
+          cachedMetadata.protectedResource.scopes_supported
+        );
+        debug(
+          "Cached auth server scopes: %O",
+          cachedMetadata.authServer.server.scopes_supported
+        );
+        return {
+          protectedResource: cachedMetadata.protectedResource,
+          authServer: cachedMetadata.authServer
+        };
+      }
+      debug("Cached server metadata is stale (age: %dms), re-discovering", age);
+    }
+    debug("Discovering protected resource:", this.config.mcpServerUrl);
+    const prResult = await discoverProtectedResource(this.config.mcpServerUrl);
+    debug("Found protected resource:", prResult.metadata.resource);
+    debug(
+      "Protected resource scopes_supported: %O",
+      prResult.metadata.scopes_supported
+    );
+    const authServerUrl = prResult.metadata.authorization_servers?.[0];
+    if (!authServerUrl) {
+      throw new Error(
+        "No authorization servers found in protected resource metadata"
+      );
+    }
+    debug("Discovering authorization server:", authServerUrl);
+    const authServer = await discoverAuthorizationServer(authServerUrl);
+    debug("Found authorization server:", authServer.issuer);
+    debug(
+      "Auth server scopes_supported: %O",
+      authServer.server.scopes_supported
+    );
+    const metadata = {
+      authServer,
+      protectedResource: prResult.metadata,
+      discoveredAt: Date.now()
+    };
+    await this.storage.saveServerMetadata(metadata);
+    return {
+      protectedResource: prResult.metadata,
+      authServer
+    };
+  }
+  /**
+   * Get existing client or register new one via DCR
+   */
+  async getOrRegisterClient(authServer) {
+    if (this.config.clientId) {
+      debug("Using pre-configured client ID");
+      return {
+        clientId: this.config.clientId,
+        clientSecret: this.config.clientSecret
+      };
+    }
+    const cachedClient = await this.storage.loadClient();
+    if (cachedClient?.clientId) {
+      debug("Using cached client registration");
+      return cachedClient;
+    }
+    debug("Registering new client via DCR");
+    const client = await this.registerClient(authServer);
+    await this.storage.saveClient(client);
+    return client;
+  }
+  /**
+   * Register a new client via Dynamic Client Registration
+   */
+  async registerClient(authServer) {
+    const registrationEndpoint = authServer.server.registration_endpoint;
+    if (!registrationEndpoint) {
+      throw new Error(
+        "Authorization server does not support Dynamic Client Registration. Please provide a clientId in the configuration."
+      );
+    }
+    const redirectUri = "http://127.0.0.1:0/callback";
+    const response = await fetch(registrationEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+      },
+      body: JSON.stringify({
+        redirect_uris: [redirectUri],
+        token_endpoint_auth_method: "none",
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        client_name: this.config.clientName ?? DEFAULT_CLIENT_NAME
+      })
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(
+        `Dynamic Client Registration failed: ${response.status} ${response.statusText}
+${errorText}`
+      );
+    }
+    const data = await response.json();
+    debug("Client registered:", data.client_id);
+    return {
+      clientId: data.client_id,
+      clientSecret: data.client_secret,
+      clientIdIssuedAt: data.client_id_issued_at,
+      clientSecretExpiresAt: data.client_secret_expires_at
+    };
+  }
+  /**
+   * Perform the full OAuth authorization flow
+   */
+  async performOAuthFlow(authServer, client, protectedResource) {
+    const pkce = await generatePKCE();
+    const state = generateState();
+    const { port, codePromise, close } = await this.startCallbackServer(state);
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+    try {
+      const requestedScopes = this.config.scopes ?? protectedResource.scopes_supported ?? authServer.server.scopes_supported ?? ["openid"];
+      debug("Scope resolution:");
+      debug("  - User config scopes: %O", this.config.scopes);
+      debug(
+        "  - Protected resource scopes_supported: %O",
+        protectedResource.scopes_supported
+      );
+      debug(
+        "  - Auth server scopes_supported: %O",
+        authServer.server.scopes_supported
+      );
+      debug("  - Final requested scopes: %O", requestedScopes);
+      const authUrl = buildAuthorizationUrl({
+        authServer,
+        clientId: client.clientId,
+        redirectUri,
+        scopes: requestedScopes,
+        codeChallenge: pkce.codeChallenge,
+        state,
+        resource: protectedResource.resource
+      });
+      debug("Authorization URL: %s", authUrl.toString());
+      debug("Authorization URL params:");
+      debug("  - client_id: %s", authUrl.searchParams.get("client_id"));
+      debug("  - redirect_uri: %s", authUrl.searchParams.get("redirect_uri"));
+      debug("  - scope: %s", authUrl.searchParams.get("scope"));
+      debug("  - resource: %s", authUrl.searchParams.get("resource"));
+      await this.openBrowserOrPrintUrl(authUrl);
+      debug("Waiting for OAuth callback...");
+      const code = await codePromise;
+      debug("Received authorization code");
+      const tokenResult = await exchangeCodeForTokens({
+        authServer,
+        clientId: client.clientId,
+        clientSecret: client.clientSecret,
+        code,
+        state,
+        codeVerifier: pkce.codeVerifier,
+        redirectUri
+      });
+      const tokens = this.tokenResultToStoredTokens(
+        tokenResult,
+        client.clientId
+      );
+      await this.storage.saveTokens(tokens);
+      return { tokens, requestedScopes };
+    } finally {
+      close();
+    }
+  }
+  /**
+   * Refresh an expired token
+   *
+   * Uses the clientId stored with the tokens (if available) to ensure
+   * the refresh request uses the same client that obtained the original tokens.
+   * This is important because refresh tokens are bound to the client_id.
+   */
+  async refreshStoredToken(storedTokens) {
+    if (!storedTokens.refreshToken) {
+      throw new Error("No refresh token available");
+    }
+    const metadata = await this.storage.loadServerMetadata();
+    if (!metadata) {
+      throw new Error("No cached server metadata for refresh");
+    }
+    let clientId;
+    let clientSecret;
+    if (storedTokens.clientId) {
+      debug("Using clientId from stored tokens for refresh");
+      clientId = storedTokens.clientId;
+      const storedClient = await this.storage.loadClient();
+      if (storedClient?.clientId === clientId) {
+        clientSecret = storedClient.clientSecret;
+      }
+    } else {
+      debug(
+        "No clientId in stored tokens, falling back to stored client (legacy behavior)"
+      );
+      const client = await this.getOrRegisterClient(metadata.authServer);
+      clientId = client.clientId;
+      clientSecret = client.clientSecret;
+    }
+    const tokenResult = await refreshAccessToken({
+      authServer: metadata.authServer,
+      clientId,
+      clientSecret,
+      refreshToken: storedTokens.refreshToken
+    });
+    const tokens = this.tokenResultToStoredTokens(tokenResult, clientId);
+    await this.storage.saveTokens(tokens);
+    return tokens;
+  }
+  /**
+   * Start local callback server
+   */
+  async startCallbackServer(expectedState) {
+    const timeoutMs = this.config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    return new Promise((resolve, reject) => {
+      const server = http.createServer();
+      const connections = /* @__PURE__ */ new Set();
+      server.on("connection", (socket) => {
+        connections.add(socket);
+        socket.on("close", () => connections.delete(socket));
+      });
+      const forceClose = () => {
+        for (const socket of connections) {
+          socket.destroy();
+        }
+        server.close();
+      };
+      let codeResolve;
+      let codeReject;
+      const codePromise = new Promise((res, rej) => {
+        codeResolve = res;
+        codeReject = rej;
+      });
+      const timeout = setTimeout(() => {
+        forceClose();
+        codeReject(new Error(`OAuth flow timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+      server.on("request", (req, res) => {
+        const url = new URL(
+          req.url ?? "/",
+          `http://127.0.0.1:${server.address().port}`
+        );
+        if (url.pathname !== "/callback") {
+          res.writeHead(404);
+          res.end("Not Found");
+          return;
+        }
+        const error = url.searchParams.get("error");
+        if (error) {
+          const errorDescription = url.searchParams.get("error_description");
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(this.errorHtml(error, errorDescription ?? void 0));
+          codeReject(
+            new Error(
+              `OAuth error: ${error}${errorDescription ? ` - ${errorDescription}` : ""}`
+            )
+          );
+          return;
+        }
+        const state = url.searchParams.get("state");
+        if (state !== expectedState) {
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(this.errorHtml("invalid_state", "State parameter mismatch"));
+          codeReject(new Error("OAuth state mismatch - possible CSRF attack"));
+          return;
+        }
+        const code = url.searchParams.get("code");
+        if (!code) {
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(
+            this.errorHtml("missing_code", "No authorization code received")
+          );
+          codeReject(new Error("No authorization code in callback"));
+          return;
+        }
+        clearTimeout(timeout);
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(this.successHtml());
+        codeResolve(code);
+      });
+      const preferredPort = this.config.callbackPort ?? 0;
+      server.listen(preferredPort, "127.0.0.1", () => {
+        const address = server.address();
+        debug("Callback server listening on port", address.port);
+        resolve({ port: address.port, codePromise, close: forceClose });
+      });
+      server.on("error", (err) => {
+        reject(err);
+      });
+    });
+  }
+  /**
+   * Open browser or print URL for headless environments
+   */
+  async openBrowserOrPrintUrl(url) {
+    if (isHeadless()) {
+      console.log("\n" + "=".repeat(60));
+      console.log(
+        "Please open the following URL in your browser to authenticate:"
+      );
+      console.log("\n" + url.toString() + "\n");
+      console.log("=".repeat(60) + "\n");
+      return;
+    }
+    try {
+      const open = await import('open');
+      await open.default(url.toString());
+      debug("Opened browser for authentication");
+    } catch (error) {
+      debug("Failed to open browser:", error);
+      console.log("\nFailed to open browser automatically.");
+      console.log("Please open the following URL manually:\n");
+      console.log(url.toString() + "\n");
+    }
+  }
+  /**
+   * Convert TokenResult to StoredTokens
+   *
+   * @param result - Token result from exchange or refresh
+   * @param clientId - Client ID that was used to obtain these tokens
+   */
+  tokenResultToStoredTokens(result, clientId) {
+    return {
+      accessToken: result.accessToken,
+      tokenType: result.tokenType,
+      refreshToken: result.refreshToken,
+      expiresAt: result.expiresIn ? Date.now() + result.expiresIn * 1e3 : void 0,
+      clientId
+    };
+  }
+  /**
+   * HTML page for successful authentication
+   */
+  successHtml() {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Authentication Successful</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+           display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0;
+           background: #f8fafc; }
+    .container { text-align: center; background: white; padding: 48px 64px; border-radius: 8px;
+                 border: 1px solid #e2e8f0; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+    .icon { width: 48px; height: 48px; margin: 0 auto 24px; background: #dcfce7; border-radius: 50%;
+            display: flex; align-items: center; justify-content: center; }
+    .icon svg { width: 24px; height: 24px; color: #16a34a; }
+    h1 { color: #0f172a; margin: 0 0 8px 0; font-size: 20px; font-weight: 600; }
+    p { color: #64748b; margin: 0; font-size: 14px; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">
+      <svg fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+      </svg>
+    </div>
+    <h1>Authentication Successful</h1>
+    <p>You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>`;
+  }
+  /**
+   * HTML page for authentication error
+   */
+  errorHtml(error, description) {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Authentication Failed</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+           display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0;
+           background: #f8fafc; }
+    .container { text-align: center; background: white; padding: 48px 64px; border-radius: 8px;
+                 border: 1px solid #e2e8f0; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+    .icon { width: 48px; height: 48px; margin: 0 auto 24px; background: #fee2e2; border-radius: 50%;
+            display: flex; align-items: center; justify-content: center; }
+    .icon svg { width: 24px; height: 24px; color: #dc2626; }
+    h1 { color: #0f172a; margin: 0 0 8px 0; font-size: 20px; font-weight: 600; }
+    p { color: #64748b; margin: 0 0 8px 0; font-size: 14px; }
+    code { background: #f1f5f9; padding: 2px 8px; border-radius: 4px; color: #dc2626; font-size: 13px; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">
+      <svg fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"/>
+      </svg>
+    </div>
+    <h1>Authentication Failed</h1>
+    <p>Error: <code>${escapeHtml(error)}</code></p>
+    ${description ? `<p>${escapeHtml(description)}</p>` : ""}
+  </div>
+</body>
+</html>`;
+  }
+};
+function isHeadless() {
+  if (process.env.CI) {
+    return true;
+  }
+  if (!process.stdin.isTTY) {
+    return true;
+  }
+  if (process.platform === "linux" && !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY) {
+    return true;
+  }
+  return false;
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+
+// src/fixtures/mcp.ts
+var test = test$1.extend({
+  /**
+   * Internal fixture state - tracks resolved auth type between fixtures
+   */
+  _mcpFixtureState: [
+    // eslint-disable-next-line no-empty-pattern
+    async ({}, use) => {
+      const state = { resolvedAuthType: "none" };
+      await use(state);
+    },
+    { scope: "test" }
+  ],
+  /**
+   * mcpClient fixture: Creates and connects an MCP client
+   *
+   * The client configuration is read from the project's `use.mcpConfig`
+   * setting in playwright.config.ts
+   *
+   * Authentication resolution order:
+   * 1. Explicit authStatePath → uses PlaywrightOAuthClientProvider
+   * 2. Explicit accessToken → uses static Bearer token
+   * 3. HTTP transport with no auth → tries CLI-stored tokens (from `mcp-server-tester login`)
+   *    with automatic token refresh
+   */
+  mcpClient: async ({ _mcpFixtureState }, use, testInfo) => {
+    const useConfig = testInfo.project.use;
+    const mcpConfig = useConfig.mcpConfig;
+    if (!mcpConfig) {
+      throw new Error(
+        `Missing mcpConfig in project.use for project "${testInfo.project.name}". Please add mcpConfig to your project configuration in playwright.config.ts`
+      );
+    }
+    let resolvedAuthType = "none";
+    let authProvider;
+    if (mcpConfig.auth?.oauth?.authStatePath) {
+      authProvider = new PlaywrightOAuthClientProvider({
+        storagePath: mcpConfig.auth.oauth.authStatePath,
+        redirectUri: mcpConfig.auth.oauth.redirectUri ?? "http://localhost:3000/oauth/callback",
+        clientId: mcpConfig.auth.oauth.clientId,
+        clientSecret: mcpConfig.auth.oauth.clientSecret
+      });
+      resolvedAuthType = "oauth";
+    }
+    let effectiveConfig = mcpConfig;
+    if (mcpConfig.auth?.accessToken) {
+      resolvedAuthType = "api-token";
+    }
+    if (isHttpConfig(mcpConfig) && !mcpConfig.auth?.accessToken && !mcpConfig.auth?.oauth?.authStatePath) {
+      const cliClient = new CLIOAuthClient({
+        mcpServerUrl: mcpConfig.serverUrl
+      });
+      const tokenResult = await cliClient.tryGetAccessToken();
+      if (tokenResult) {
+        effectiveConfig = {
+          ...mcpConfig,
+          auth: {
+            ...mcpConfig.auth,
+            accessToken: tokenResult.accessToken
+          }
+        };
+        resolvedAuthType = "oauth";
+      }
+    }
+    _mcpFixtureState.resolvedAuthType = resolvedAuthType;
+    const client = await createMCPClientForConfig(effectiveConfig, {
+      clientInfo: {
+        name: "@gleanwork/mcp-server-tester",
+        version: "0.1.0"
+      },
+      authProvider
+    });
+    try {
+      await use(client);
+    } finally {
+      await closeMCPClient(client);
+    }
+  },
+  /**
+   * mcp fixture: High-level test API built on mcpClient
+   *
+   * Depends on mcpClient fixture
+   * Automatically tracks all MCP operations for the reporter
+   */
+  mcp: async ({ mcpClient, _mcpFixtureState }, use, testInfo) => {
+    const api = createMCPFixture(mcpClient, testInfo, {
+      authType: _mcpFixtureState.resolvedAuthType,
+      project: testInfo.project.name
+    });
+    await use(api);
+  }
+});
+
+export { expect, test };
+//# sourceMappingURL=mcp.js.map
+//# sourceMappingURL=mcp.js.map