@gleanwork/mcp-server-tester 0.12.0

package/dist/index.cjs

@@ -0,0 +1,3658 @@
+'use strict';
+
+var fs = require('fs/promises');
+var path2 = require('path');
+var zod = require('zod');
+var test$1 = require('@playwright/test');
+var auth_js = require('@modelcontextprotocol/sdk/client/auth.js');
+var createDebug = require('debug');
+var oauth2 = require('oauth4webapi');
+var os = require('os');
+var http = require('http');
+var index_js = require('@modelcontextprotocol/sdk/client/index.js');
+var stdio_js = require('@modelcontextprotocol/sdk/client/stdio.js');
+var streamableHttp_js = require('@modelcontextprotocol/sdk/client/streamableHttp.js');
+var claudeAgentSdk = require('@anthropic-ai/claude-agent-sdk');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
+var path2__namespace = /*#__PURE__*/_interopNamespace(path2);
+var createDebug__default = /*#__PURE__*/_interopDefault(createDebug);
+var oauth2__namespace = /*#__PURE__*/_interopNamespace(oauth2);
+var http__namespace = /*#__PURE__*/_interopNamespace(http);
+
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/auth/oauthClientProvider.ts
+var oauthClientProvider_exports = {};
+__export(oauthClientProvider_exports, {
+  PlaywrightOAuthClientProvider: () => exports.PlaywrightOAuthClientProvider,
+  loadOAuthState: () => loadOAuthState,
+  saveOAuthState: () => saveOAuthState
+});
+async function loadOAuthState(storagePath) {
+  try {
+    const content = await fs__namespace.readFile(storagePath, "utf-8");
+    return JSON.parse(content);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+async function saveOAuthState(storagePath, state) {
+  state.savedAt = Date.now();
+  const dir = path2__namespace.dirname(storagePath);
+  await fs__namespace.mkdir(dir, { recursive: true });
+  await fs__namespace.writeFile(storagePath, JSON.stringify(state, null, 2), "utf-8");
+}
+exports.PlaywrightOAuthClientProvider = void 0;
+var init_oauthClientProvider = __esm({
+  "src/auth/oauthClientProvider.ts"() {
+    exports.PlaywrightOAuthClientProvider = class {
+      config;
+      cachedState = null;
+      stateParam = null;
+      constructor(config) {
+        this.config = config;
+      }
+      /**
+       * The URL to redirect the user agent to after authorization
+       */
+      get redirectUrl() {
+        return this.config.redirectUri;
+      }
+      /**
+       * Metadata about this OAuth client
+       */
+      get clientMetadata() {
+        return {
+          redirect_uris: [this.config.redirectUri],
+          token_endpoint_auth_method: this.config.clientSecret ? "client_secret_basic" : "none",
+          grant_types: ["authorization_code", "refresh_token"],
+          response_types: ["code"],
+          client_name: "@gleanwork/mcp-server-tester",
+          ...this.config.clientMetadata
+        };
+      }
+      /**
+       * Returns an OAuth2 state parameter
+       */
+      state() {
+        if (!this.stateParam) {
+          this.stateParam = this.generateRandomString(32);
+        }
+        return this.stateParam;
+      }
+      /**
+       * Loads information about this OAuth client
+       */
+      async clientInformation() {
+        if (this.config.clientId) {
+          return {
+            client_id: this.config.clientId,
+            client_secret: this.config.clientSecret,
+            redirect_uris: [this.config.redirectUri]
+          };
+        }
+        const state = await this.loadState();
+        if (state?.clientInfo) {
+          return {
+            client_id: state.clientInfo.clientId,
+            client_secret: state.clientInfo.clientSecret,
+            client_id_issued_at: state.clientInfo.clientIdIssuedAt,
+            client_secret_expires_at: state.clientInfo.clientSecretExpiresAt,
+            redirect_uris: [this.config.redirectUri]
+          };
+        }
+        return void 0;
+      }
+      /**
+       * Saves client information from Dynamic Client Registration
+       */
+      async saveClientInformation(clientInformation) {
+        const state = await this.loadState() ?? this.createEmptyState();
+        state.clientInfo = {
+          clientId: clientInformation.client_id,
+          clientSecret: clientInformation.client_secret,
+          clientIdIssuedAt: clientInformation.client_id_issued_at,
+          clientSecretExpiresAt: clientInformation.client_secret_expires_at
+        };
+        await this.saveState(state);
+      }
+      /**
+       * Loads any existing OAuth tokens for the current session
+       */
+      async tokens() {
+        const state = await this.loadState();
+        if (state?.tokens) {
+          return {
+            access_token: state.tokens.accessToken,
+            token_type: state.tokens.tokenType,
+            refresh_token: state.tokens.refreshToken,
+            expires_in: state.tokens.expiresAt ? Math.floor((state.tokens.expiresAt - Date.now()) / 1e3) : void 0
+          };
+        }
+        return void 0;
+      }
+      /**
+       * Stores new OAuth tokens for the current session
+       */
+      async saveTokens(tokens) {
+        const state = await this.loadState() ?? this.createEmptyState();
+        state.tokens = {
+          accessToken: tokens.access_token,
+          tokenType: tokens.token_type,
+          refreshToken: tokens.refresh_token,
+          expiresAt: tokens.expires_in ? Date.now() + tokens.expires_in * 1e3 : void 0
+        };
+        await this.saveState(state);
+      }
+      /**
+       * Invoked to redirect the user agent to the given URL
+       *
+       * In a testing context, this is typically handled by Playwright automation.
+       * This implementation throws an error to signal that the caller needs to
+       * handle the redirect externally.
+       */
+      async redirectToAuthorization(authorizationUrl) {
+        throw new Error(
+          `OAuth authorization required. Redirect to: ${authorizationUrl.toString()}
+In a testing context, use performOAuthSetup() in your Playwright globalSetup to complete the OAuth flow before running tests.`
+        );
+      }
+      /**
+       * Saves a PKCE code verifier for the current session
+       */
+      async saveCodeVerifier(codeVerifier) {
+        const state = await this.loadState() ?? this.createEmptyState();
+        state.codeVerifier = codeVerifier;
+        await this.saveState(state);
+      }
+      /**
+       * Loads the PKCE code verifier for the current session
+       */
+      async codeVerifier() {
+        const state = await this.loadState();
+        if (!state?.codeVerifier) {
+          throw new Error("No code verifier found in auth state");
+        }
+        return state.codeVerifier;
+      }
+      /**
+       * Invalidates the specified credentials
+       */
+      async invalidateCredentials(scope) {
+        const state = await this.loadState();
+        if (!state) {
+          return;
+        }
+        switch (scope) {
+          case "all":
+            await this.deleteState();
+            break;
+          case "client":
+            delete state.clientInfo;
+            await this.saveState(state);
+            break;
+          case "tokens":
+            delete state.tokens;
+            await this.saveState(state);
+            break;
+          case "verifier":
+            delete state.codeVerifier;
+            await this.saveState(state);
+            break;
+        }
+      }
+      // ---- Private helper methods ----
+      async loadState() {
+        if (this.cachedState) {
+          return this.cachedState;
+        }
+        try {
+          const content = await fs__namespace.readFile(this.config.storagePath, "utf-8");
+          this.cachedState = JSON.parse(content);
+          return this.cachedState;
+        } catch (error) {
+          if (error.code === "ENOENT") {
+            return null;
+          }
+          throw error;
+        }
+      }
+      async saveState(state) {
+        state.savedAt = Date.now();
+        this.cachedState = state;
+        const dir = path2__namespace.dirname(this.config.storagePath);
+        await fs__namespace.mkdir(dir, { recursive: true });
+        await fs__namespace.writeFile(
+          this.config.storagePath,
+          JSON.stringify(state, null, 2),
+          "utf-8"
+        );
+      }
+      async deleteState() {
+        this.cachedState = null;
+        try {
+          await fs__namespace.unlink(this.config.storagePath);
+        } catch (error) {
+          if (error.code !== "ENOENT") {
+            throw error;
+          }
+        }
+      }
+      createEmptyState() {
+        return {
+          savedAt: Date.now()
+        };
+      }
+      generateRandomString(length) {
+        const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+        let result = "";
+        const randomValues = new Uint8Array(length);
+        crypto.getRandomValues(randomValues);
+        for (let i = 0; i < length; i++) {
+          const randomValue = randomValues[i] ?? 0;
+          result += chars[randomValue % chars.length];
+        }
+        return result;
+      }
+    };
+  }
+});
+var MCPHostCapabilitiesSchema = zod.z.object({
+  sampling: zod.z.record(zod.z.unknown()).optional(),
+  roots: zod.z.object({
+    listChanged: zod.z.boolean()
+  }).optional()
+});
+var MCPOAuthConfigSchema = zod.z.object({
+  serverUrl: zod.z.string().url("serverUrl must be a valid URL"),
+  scopes: zod.z.array(zod.z.string()).optional(),
+  resource: zod.z.string().url().optional(),
+  authStatePath: zod.z.string().optional(),
+  clientId: zod.z.string().optional(),
+  clientSecret: zod.z.string().optional(),
+  redirectUri: zod.z.string().url().optional()
+});
+var MCPAuthConfigSchema = zod.z.object({
+  accessToken: zod.z.string().optional(),
+  oauth: MCPOAuthConfigSchema.optional()
+}).refine(
+  (data) => !(data.accessToken && data.oauth),
+  "Cannot specify both accessToken and oauth configuration"
+);
+var StdioConfigSchema = zod.z.object({
+  transport: zod.z.literal("stdio"),
+  command: zod.z.string().min(1, "command is required for stdio transport"),
+  args: zod.z.array(zod.z.string()).optional(),
+  cwd: zod.z.string().optional(),
+  capabilities: MCPHostCapabilitiesSchema.optional(),
+  connectTimeoutMs: zod.z.number().positive().optional(),
+  requestTimeoutMs: zod.z.number().positive().optional(),
+  quiet: zod.z.boolean().optional()
+});
+var HttpConfigSchema = zod.z.object({
+  transport: zod.z.literal("http"),
+  serverUrl: zod.z.string().url("serverUrl must be a valid URL"),
+  headers: zod.z.record(zod.z.string()).optional(),
+  capabilities: MCPHostCapabilitiesSchema.optional(),
+  connectTimeoutMs: zod.z.number().positive().optional(),
+  requestTimeoutMs: zod.z.number().positive().optional(),
+  auth: MCPAuthConfigSchema.optional()
+});
+var MCPConfigSchema = zod.z.discriminatedUnion("transport", [
+  StdioConfigSchema,
+  HttpConfigSchema
+]);
+function validateMCPConfig(config) {
+  return MCPConfigSchema.parse(config);
+}
+function isStdioConfig(config) {
+  return config.transport === "stdio" && typeof config.command === "string";
+}
+function isHttpConfig(config) {
+  return config.transport === "http" && typeof config.serverUrl === "string";
+}
+
+// src/index.ts
+init_oauthClientProvider();
+
+// src/auth/tokenAuth.ts
+function createTokenAuthHeaders(accessToken, tokenType = "Bearer") {
+  return {
+    Authorization: `${tokenType} ${accessToken}`
+  };
+}
+function validateAccessToken(accessToken) {
+  if (!accessToken) {
+    throw new Error("Access token is required but was not provided");
+  }
+  if (accessToken.trim().length === 0) {
+    throw new Error("Access token cannot be empty");
+  }
+}
+function isTokenExpired(accessToken) {
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) {
+      return false;
+    }
+    const payloadPart = parts[1];
+    if (!payloadPart) {
+      return false;
+    }
+    const payload = JSON.parse(
+      Buffer.from(payloadPart, "base64url").toString("utf-8")
+    );
+    if (typeof payload.exp === "number") {
+      return payload.exp * 1e3 < Date.now();
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+function isTokenExpiringSoon(expiresAt, bufferMs = 6e4) {
+  if (expiresAt === void 0) {
+    return false;
+  }
+  return expiresAt - bufferMs < Date.now();
+}
+
+// src/auth/setupOAuth.ts
+init_oauthClientProvider();
+var NAMESPACE = "mcp-server-tester";
+var debugClient = createDebug__default.default(`${NAMESPACE}:client`);
+var debugOAuth = createDebug__default.default(`${NAMESPACE}:oauth`);
+createDebug__default.default(`${NAMESPACE}:eval`);
+
+// src/auth/setupOAuth.ts
+var DEFAULT_TIMEOUT_MS = 3e4;
+var DEFAULT_REDIRECT_URI = "http://localhost:3000/oauth/callback";
+async function performOAuthSetup(config) {
+  const timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const redirectUri = config.redirectUri ?? DEFAULT_REDIRECT_URI;
+  const metadata = await auth_js.discoverAuthorizationServerMetadata(
+    config.authServerUrl
+  );
+  if (!metadata) {
+    throw new Error(
+      `Could not discover OAuth metadata at ${config.authServerUrl}`
+    );
+  }
+  const clientInformation = {
+    client_id: config.clientId ?? "mcp-server-tester-client",
+    client_secret: config.clientSecret
+  };
+  const { authorizationUrl, codeVerifier } = await auth_js.startAuthorization(
+    config.authServerUrl,
+    {
+      metadata,
+      clientInformation,
+      redirectUrl: redirectUri,
+      scope: config.scopes.join(" "),
+      resource: config.resource ? new URL(config.resource) : void 0
+    }
+  );
+  const browser = await test$1.chromium.launch({
+    headless: process.env.OAUTH_DEBUG !== "true"
+  });
+  try {
+    const context = await browser.newContext();
+    const page = await context.newPage();
+    page.setDefaultTimeout(timeoutMs);
+    await page.goto(authorizationUrl.toString());
+    await completeLoginForm(page, config);
+    await page.waitForURL(
+      (url) => url.href.startsWith(redirectUri) && url.searchParams.has("code"),
+      { timeout: timeoutMs }
+    );
+    const callbackUrl = new URL(page.url());
+    const code = callbackUrl.searchParams.get("code");
+    const error = callbackUrl.searchParams.get("error");
+    if (error) {
+      const errorDescription = callbackUrl.searchParams.get("error_description");
+      throw new Error(
+        `OAuth authorization failed: ${error}${errorDescription ? ` - ${errorDescription}` : ""}`
+      );
+    }
+    if (!code) {
+      throw new Error("No authorization code in callback URL");
+    }
+    const tokens = await auth_js.exchangeAuthorization(config.authServerUrl, {
+      metadata,
+      clientInformation,
+      authorizationCode: code,
+      codeVerifier,
+      redirectUri,
+      resource: config.resource ? new URL(config.resource) : void 0
+    });
+    const state = {
+      tokens: {
+        accessToken: tokens.access_token,
+        tokenType: tokens.token_type,
+        refreshToken: tokens.refresh_token,
+        expiresAt: tokens.expires_in ? Date.now() + tokens.expires_in * 1e3 : void 0
+      },
+      clientInfo: config.clientId ? {
+        clientId: config.clientId,
+        clientSecret: config.clientSecret
+      } : void 0,
+      codeVerifier,
+      savedAt: Date.now()
+    };
+    await saveOAuthState(config.outputPath, state);
+    debugOAuth("Auth state saved to %s", config.outputPath);
+  } finally {
+    await browser.close();
+  }
+}
+async function completeLoginForm(page, config) {
+  const { loginSelectors, credentials } = config;
+  await page.waitForSelector(loginSelectors.usernameInput, {
+    state: "visible"
+  });
+  await page.fill(loginSelectors.usernameInput, credentials.username);
+  await page.waitForSelector(loginSelectors.passwordInput, {
+    state: "visible"
+  });
+  await page.fill(loginSelectors.passwordInput, credentials.password);
+  await page.waitForSelector(loginSelectors.submitButton, {
+    state: "visible"
+  });
+  await page.click(loginSelectors.submitButton);
+  if (loginSelectors.consentButton) {
+    try {
+      await page.waitForSelector(loginSelectors.consentButton, {
+        state: "visible",
+        timeout: 5e3
+      });
+      await page.click(loginSelectors.consentButton);
+    } catch {
+    }
+  }
+}
+async function hasValidOAuthState(storagePath) {
+  try {
+    const { loadOAuthState: loadOAuthState2 } = await Promise.resolve().then(() => (init_oauthClientProvider(), oauthClientProvider_exports));
+    const state = await loadOAuthState2(storagePath);
+    if (!state?.tokens?.accessToken) {
+      return false;
+    }
+    if (state.tokens.expiresAt) {
+      const bufferMs = 6e4;
+      if (state.tokens.expiresAt - bufferMs < Date.now()) {
+        return false;
+      }
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function performOAuthSetupIfNeeded(config) {
+  const hasValid = await hasValidOAuthState(config.outputPath);
+  if (hasValid) {
+    debugOAuth("Using existing auth state from %s", config.outputPath);
+    return;
+  }
+  debugOAuth("No valid auth state found, performing OAuth flow...");
+  await performOAuthSetup(config);
+}
+var MCP_PROTOCOL_VERSION = "2025-06-18";
+async function discoverProtectedResource(mcpServerUrl) {
+  const url = new URL(mcpServerUrl);
+  const origin = url.origin;
+  const pathname = url.pathname;
+  const pathAwareUrl = `${origin}/.well-known/oauth-protected-resource${pathname}`;
+  try {
+    const metadata = await fetchProtectedResourceMetadata(pathAwareUrl);
+    return {
+      metadata,
+      discoveryUrl: pathAwareUrl,
+      usedPathAwareDiscovery: true
+    };
+  } catch (error) {
+    if (error instanceof DiscoveryError && error.status === 404) {
+      const baseUrl = `${origin}/.well-known/oauth-protected-resource`;
+      const metadata = await fetchProtectedResourceMetadata(baseUrl);
+      return {
+        metadata,
+        discoveryUrl: baseUrl,
+        usedPathAwareDiscovery: false
+      };
+    }
+    throw error;
+  }
+}
+var DiscoveryError = class extends Error {
+  constructor(message, status, url) {
+    super(message);
+    this.status = status;
+    this.url = url;
+    this.name = "DiscoveryError";
+  }
+};
+async function fetchProtectedResourceMetadata(discoveryUrl) {
+  const response = await fetch(discoveryUrl, {
+    method: "GET",
+    headers: {
+      Accept: "application/json",
+      "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+    }
+  });
+  if (!response.ok) {
+    throw new DiscoveryError(
+      `Protected resource discovery failed: ${response.status} ${response.statusText}`,
+      response.status,
+      discoveryUrl
+    );
+  }
+  const metadata = await response.json();
+  if (!metadata.resource) {
+    throw new DiscoveryError(
+      'Invalid protected resource metadata: missing required "resource" field',
+      void 0,
+      discoveryUrl
+    );
+  }
+  return metadata;
+}
+async function discoverAuthorizationServer(authServerUrl) {
+  const issuer = new URL(authServerUrl);
+  const response = await oauth2__namespace.discoveryRequest(issuer, {
+    algorithm: "oauth2",
+    headers: new Headers({
+      "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+    })
+  });
+  const metadata = await oauth2__namespace.processDiscoveryResponse(issuer, response);
+  return {
+    server: metadata,
+    issuer: authServerUrl
+  };
+}
+var ENV_VAR_NAMES = {
+  accessToken: "MCP_ACCESS_TOKEN",
+  refreshToken: "MCP_REFRESH_TOKEN",
+  tokenType: "MCP_TOKEN_TYPE",
+  expiresAt: "MCP_TOKEN_EXPIRES_AT"
+};
+var DEFAULT_EXPIRY_BUFFER_MS = 6e4;
+function generateServerKey(serverUrl) {
+  const url = new URL(serverUrl);
+  let key = url.hostname;
+  if (url.port) {
+    key += `_${url.port}`;
+  }
+  if (url.pathname && url.pathname !== "/") {
+    const cleanPath = url.pathname.replace(/^\/+|\/+$/g, "").replace(/\//g, "_");
+    if (cleanPath) {
+      key += `_${cleanPath}`;
+    }
+  }
+  return key.replace(/[^a-zA-Z0-9_.-]/g, "_");
+}
+function getStateDir(serverUrl, customDir) {
+  const serverKey = generateServerKey(serverUrl);
+  if (customDir) {
+    return path2__namespace.join(customDir, serverKey);
+  }
+  if (process.platform === "win32") {
+    const localAppData = process.env.LOCALAPPDATA;
+    if (localAppData) {
+      return path2__namespace.join(localAppData, "mcp-tests", serverKey);
+    }
+    return path2__namespace.join(os.homedir(), "AppData", "Local", "mcp-tests", serverKey);
+  }
+  if (process.platform === "linux" && process.env.XDG_STATE_HOME) {
+    return path2__namespace.join(process.env.XDG_STATE_HOME, "mcp-tests", serverKey);
+  }
+  return path2__namespace.join(os.homedir(), ".local", "state", "mcp-tests", serverKey);
+}
+function loadTokensFromEnv() {
+  const accessToken = process.env[ENV_VAR_NAMES.accessToken];
+  if (!accessToken) {
+    return null;
+  }
+  const expiresAtStr = process.env[ENV_VAR_NAMES.expiresAt];
+  const expiresAt = expiresAtStr ? parseInt(expiresAtStr, 10) : void 0;
+  return {
+    accessToken,
+    refreshToken: process.env[ENV_VAR_NAMES.refreshToken],
+    tokenType: process.env[ENV_VAR_NAMES.tokenType] ?? "Bearer",
+    expiresAt: expiresAt && !isNaN(expiresAt) ? expiresAt : void 0
+  };
+}
+async function injectTokens(serverUrl, tokens, stateDir) {
+  const storage = createFileOAuthStorage({ serverUrl, stateDir });
+  await storage.saveTokens(tokens);
+}
+async function loadTokens(serverUrl, stateDir) {
+  const storage = createFileOAuthStorage({ serverUrl, stateDir });
+  return storage.loadTokens();
+}
+async function hasValidTokens(serverUrl, options) {
+  const storage = createFileOAuthStorage({
+    serverUrl,
+    stateDir: options?.stateDir
+  });
+  return storage.hasValidToken(options?.bufferMs);
+}
+function createFileOAuthStorage(config) {
+  return new FileOAuthStorage(config);
+}
+var FileOAuthStorage = class {
+  stateDir;
+  constructor(config) {
+    this.stateDir = getStateDir(config.serverUrl, config.stateDir);
+  }
+  get serverMetadataPath() {
+    return path2__namespace.join(this.stateDir, "server.json");
+  }
+  get clientPath() {
+    return path2__namespace.join(this.stateDir, "client.json");
+  }
+  get tokensPath() {
+    return path2__namespace.join(this.stateDir, "tokens.json");
+  }
+  async loadServerMetadata() {
+    return this.loadFile(this.serverMetadataPath);
+  }
+  async saveServerMetadata(metadata) {
+    await this.atomicWrite(this.serverMetadataPath, metadata);
+  }
+  async loadClient() {
+    return this.loadFile(this.clientPath);
+  }
+  async saveClient(client) {
+    await this.atomicWrite(this.clientPath, client);
+  }
+  async loadTokens() {
+    return this.loadFile(this.tokensPath);
+  }
+  async saveTokens(tokens) {
+    await this.atomicWrite(this.tokensPath, tokens);
+  }
+  async deleteTokens() {
+    await this.deleteFile(this.tokensPath);
+  }
+  async hasValidToken(bufferMs = DEFAULT_EXPIRY_BUFFER_MS) {
+    const tokens = await this.loadTokens();
+    if (!tokens?.accessToken) {
+      return false;
+    }
+    if (!tokens.expiresAt) {
+      return true;
+    }
+    return tokens.expiresAt > Date.now() + bufferMs;
+  }
+  /**
+   * Load a JSON file, returning null if not found
+   */
+  async loadFile(filePath) {
+    try {
+      const content = await fs__namespace.readFile(filePath, "utf-8");
+      return JSON.parse(content);
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Write data atomically: write to .tmp file, then rename
+   * Files are created with 0o600 permissions (user read/write only)
+   */
+  async atomicWrite(filePath, data) {
+    await fs__namespace.mkdir(this.stateDir, { recursive: true, mode: 448 });
+    const tmpPath = `${filePath}.tmp`;
+    const content = JSON.stringify(data, null, 2);
+    await fs__namespace.writeFile(tmpPath, content, { encoding: "utf-8", mode: 384 });
+    await fs__namespace.rename(tmpPath, filePath);
+  }
+  /**
+   * Delete a file, ignoring errors if the file doesn't exist
+   */
+  async deleteFile(filePath) {
+    try {
+      await fs__namespace.unlink(filePath);
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        throw error;
+      }
+    }
+  }
+};
+async function generatePKCE() {
+  const codeVerifier = oauth2__namespace.generateRandomCodeVerifier();
+  const codeChallenge = await oauth2__namespace.calculatePKCECodeChallenge(codeVerifier);
+  return {
+    codeVerifier,
+    codeChallenge
+  };
+}
+function generateState() {
+  return oauth2__namespace.generateRandomState();
+}
+function buildAuthorizationUrl(config) {
+  const authorizationEndpoint = config.authServer.server.authorization_endpoint;
+  if (!authorizationEndpoint) {
+    throw new Error(
+      "Authorization server does not have an authorization_endpoint"
+    );
+  }
+  const authorizationUrl = new URL(authorizationEndpoint);
+  authorizationUrl.searchParams.set("client_id", config.clientId);
+  authorizationUrl.searchParams.set("redirect_uri", config.redirectUri);
+  authorizationUrl.searchParams.set("response_type", "code");
+  authorizationUrl.searchParams.set("scope", config.scopes.join(" "));
+  authorizationUrl.searchParams.set("code_challenge", config.codeChallenge);
+  authorizationUrl.searchParams.set("code_challenge_method", "S256");
+  authorizationUrl.searchParams.set("state", config.state);
+  if (config.resource) {
+    authorizationUrl.searchParams.set("resource", config.resource);
+  }
+  return authorizationUrl;
+}
+async function exchangeCodeForTokens(config) {
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
+  };
+  const clientAuth = config.clientSecret ? oauth2__namespace.ClientSecretBasic(config.clientSecret) : oauth2__namespace.None();
+  const callbackUrl = new URL(config.redirectUri);
+  callbackUrl.searchParams.set("code", config.code);
+  callbackUrl.searchParams.set("state", config.state);
+  const validatedParams = oauth2__namespace.validateAuthResponse(
+    config.authServer.server,
+    client,
+    callbackUrl,
+    config.state
+  );
+  const response = await oauth2__namespace.authorizationCodeGrantRequest(
+    config.authServer.server,
+    client,
+    clientAuth,
+    validatedParams,
+    config.redirectUri,
+    config.codeVerifier
+  );
+  const result = await oauth2__namespace.processAuthorizationCodeResponse(
+    config.authServer.server,
+    client,
+    response
+  );
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    refreshToken: result.refresh_token,
+    scope: result.scope
+  };
+}
+async function refreshAccessToken(config) {
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: config.clientSecret ? "client_secret_basic" : "none"
+  };
+  const clientAuth = config.clientSecret ? oauth2__namespace.ClientSecretBasic(config.clientSecret) : oauth2__namespace.None();
+  const response = await oauth2__namespace.refreshTokenGrantRequest(
+    config.authServer.server,
+    client,
+    clientAuth,
+    config.refreshToken
+  );
+  if (!response.ok) {
+    const contentType = response.headers.get("content-type") ?? "";
+    let errorMessage = `Token refresh failed: ${response.status} ${response.statusText}`;
+    try {
+      if (contentType.includes("application/json")) {
+        const errorBody = await response.clone().json();
+        if (errorBody.error) {
+          errorMessage = `Token refresh failed: ${errorBody.error}`;
+          if (errorBody.error_description) {
+            errorMessage += ` - ${errorBody.error_description}`;
+          }
+        }
+      } else {
+        const textBody = await response.clone().text();
+        if (textBody) {
+          errorMessage = `Token refresh failed: ${response.status} - ${textBody}`;
+        }
+      }
+    } catch {
+    }
+    throw new Error(errorMessage);
+  }
+  const result = await oauth2__namespace.processRefreshTokenResponse(
+    config.authServer.server,
+    client,
+    response
+  );
+  return {
+    accessToken: result.access_token,
+    tokenType: result.token_type,
+    expiresIn: result.expires_in,
+    refreshToken: result.refresh_token,
+    scope: result.scope
+  };
+}
+
+// src/auth/cli.ts
+var debug = createDebug__default.default("mcp-server-tester:cli-oauth");
+var DEFAULT_TIMEOUT_MS2 = 3e5;
+var DEFAULT_CLIENT_NAME = "@gleanwork/mcp-server-tester";
+var DEFAULT_METADATA_TTL_MS = 24 * 60 * 60 * 1e3;
+var CLIOAuthClient = class {
+  config;
+  storage;
+  constructor(config) {
+    this.config = config;
+    this.storage = createFileOAuthStorage({
+      serverUrl: config.mcpServerUrl,
+      stateDir: config.stateDir
+    });
+  }
+  /**
+   * Get a valid access token, authenticating if necessary
+   *
+   * Token resolution priority:
+   * 1. Check environment variables (for CI/CD)
+   * 2. Check file storage for cached tokens
+   * 3. Try to refresh if expired but refresh token exists
+   * 4. Run full OAuth flow if needed
+   */
+  async getAccessToken() {
+    const envTokens = loadTokensFromEnv();
+    if (envTokens) {
+      debug("Using tokens from environment variables");
+      return {
+        accessToken: envTokens.accessToken,
+        tokenType: envTokens.tokenType,
+        expiresAt: envTokens.expiresAt,
+        refreshed: false,
+        fromEnv: true
+      };
+    }
+    const storedTokens = await this.storage.loadTokens();
+    if (storedTokens?.accessToken) {
+      const isValid = await this.storage.hasValidToken();
+      if (isValid) {
+        debug("Using cached tokens from storage");
+        return {
+          accessToken: storedTokens.accessToken,
+          tokenType: storedTokens.tokenType,
+          expiresAt: storedTokens.expiresAt,
+          refreshed: false,
+          fromEnv: false
+        };
+      }
+      if (storedTokens.refreshToken) {
+        debug("Token expired, attempting refresh");
+        try {
+          const refreshedTokens = await this.refreshStoredToken(storedTokens);
+          return {
+            accessToken: refreshedTokens.accessToken,
+            tokenType: refreshedTokens.tokenType,
+            expiresAt: refreshedTokens.expiresAt,
+            refreshed: true,
+            fromEnv: false
+          };
+        } catch (error) {
+          debug("Token refresh failed, will re-authenticate:", error);
+        }
+      }
+    }
+    debug("Performing full OAuth authentication");
+    return this.authenticate();
+  }
+  /**
+   * Try to get a valid access token without triggering browser auth
+   *
+   * Returns null if no valid token is available (no stored tokens,
+   * expired without refresh token, or refresh failed). Unlike getAccessToken(),
+   * this will NOT open a browser for authentication.
+   *
+   * Use this for CLI commands that should prompt the user to run `login`
+   * instead of automatically starting the OAuth flow.
+   */
+  async tryGetAccessToken() {
+    const envTokens = loadTokensFromEnv();
+    if (envTokens) {
+      debug("Using tokens from environment variables");
+      return {
+        accessToken: envTokens.accessToken,
+        tokenType: envTokens.tokenType,
+        expiresAt: envTokens.expiresAt,
+        refreshed: false,
+        fromEnv: true
+      };
+    }
+    const storedTokens = await this.storage.loadTokens();
+    if (storedTokens?.accessToken) {
+      const isValid = await this.storage.hasValidToken();
+      if (isValid) {
+        debug("Using cached tokens from storage");
+        return {
+          accessToken: storedTokens.accessToken,
+          tokenType: storedTokens.tokenType,
+          expiresAt: storedTokens.expiresAt,
+          refreshed: false,
+          fromEnv: false
+        };
+      }
+      if (storedTokens.refreshToken) {
+        debug("Token expired, attempting refresh");
+        try {
+          const refreshedTokens = await this.refreshStoredToken(storedTokens);
+          return {
+            accessToken: refreshedTokens.accessToken,
+            tokenType: refreshedTokens.tokenType,
+            expiresAt: refreshedTokens.expiresAt,
+            refreshed: true,
+            fromEnv: false
+          };
+        } catch (error) {
+          debug("Token refresh failed:", error);
+          return null;
+        }
+      }
+    }
+    debug("No valid token available");
+    return null;
+  }
+  /**
+   * Force a new authentication flow
+   */
+  async authenticate() {
+    const { protectedResource, authServer } = await this.discoverServers();
+    const client = await this.getOrRegisterClient(authServer);
+    const { tokens, requestedScopes } = await this.performOAuthFlow(
+      authServer,
+      client,
+      protectedResource
+    );
+    return {
+      accessToken: tokens.accessToken,
+      tokenType: tokens.tokenType,
+      expiresAt: tokens.expiresAt,
+      refreshed: false,
+      fromEnv: false,
+      requestedScopes
+    };
+  }
+  /**
+   * Check if stored credentials exist (may be expired)
+   */
+  async hasStoredCredentials() {
+    const tokens = await this.storage.loadTokens();
+    return tokens?.accessToken !== void 0;
+  }
+  /**
+   * Clear stored credentials
+   */
+  async clearCredentials() {
+    await this.storage.deleteTokens();
+    debug("Cleared stored credentials");
+  }
+  /**
+   * Discover protected resource and authorization server
+   */
+  async discoverServers() {
+    const cachedMetadata = await this.storage.loadServerMetadata();
+    if (cachedMetadata) {
+      const age = Date.now() - cachedMetadata.discoveredAt;
+      if (age < DEFAULT_METADATA_TTL_MS) {
+        debug("Using cached server metadata (age: %dms)", age);
+        debug(
+          "Cached protected resource scopes: %O",
+          cachedMetadata.protectedResource.scopes_supported
+        );
+        debug(
+          "Cached auth server scopes: %O",
+          cachedMetadata.authServer.server.scopes_supported
+        );
+        return {
+          protectedResource: cachedMetadata.protectedResource,
+          authServer: cachedMetadata.authServer
+        };
+      }
+      debug("Cached server metadata is stale (age: %dms), re-discovering", age);
+    }
+    debug("Discovering protected resource:", this.config.mcpServerUrl);
+    const prResult = await discoverProtectedResource(this.config.mcpServerUrl);
+    debug("Found protected resource:", prResult.metadata.resource);
+    debug(
+      "Protected resource scopes_supported: %O",
+      prResult.metadata.scopes_supported
+    );
+    const authServerUrl = prResult.metadata.authorization_servers?.[0];
+    if (!authServerUrl) {
+      throw new Error(
+        "No authorization servers found in protected resource metadata"
+      );
+    }
+    debug("Discovering authorization server:", authServerUrl);
+    const authServer = await discoverAuthorizationServer(authServerUrl);
+    debug("Found authorization server:", authServer.issuer);
+    debug(
+      "Auth server scopes_supported: %O",
+      authServer.server.scopes_supported
+    );
+    const metadata = {
+      authServer,
+      protectedResource: prResult.metadata,
+      discoveredAt: Date.now()
+    };
+    await this.storage.saveServerMetadata(metadata);
+    return {
+      protectedResource: prResult.metadata,
+      authServer
+    };
+  }
+  /**
+   * Get existing client or register new one via DCR
+   */
+  async getOrRegisterClient(authServer) {
+    if (this.config.clientId) {
+      debug("Using pre-configured client ID");
+      return {
+        clientId: this.config.clientId,
+        clientSecret: this.config.clientSecret
+      };
+    }
+    const cachedClient = await this.storage.loadClient();
+    if (cachedClient?.clientId) {
+      debug("Using cached client registration");
+      return cachedClient;
+    }
+    debug("Registering new client via DCR");
+    const client = await this.registerClient(authServer);
+    await this.storage.saveClient(client);
+    return client;
+  }
+  /**
+   * Register a new client via Dynamic Client Registration
+   */
+  async registerClient(authServer) {
+    const registrationEndpoint = authServer.server.registration_endpoint;
+    if (!registrationEndpoint) {
+      throw new Error(
+        "Authorization server does not support Dynamic Client Registration. Please provide a clientId in the configuration."
+      );
+    }
+    const redirectUri = "http://127.0.0.1:0/callback";
+    const response = await fetch(registrationEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "MCP-Protocol-Version": MCP_PROTOCOL_VERSION
+      },
+      body: JSON.stringify({
+        redirect_uris: [redirectUri],
+        token_endpoint_auth_method: "none",
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        client_name: this.config.clientName ?? DEFAULT_CLIENT_NAME
+      })
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(
+        `Dynamic Client Registration failed: ${response.status} ${response.statusText}
+${errorText}`
+      );
+    }
+    const data = await response.json();
+    debug("Client registered:", data.client_id);
+    return {
+      clientId: data.client_id,
+      clientSecret: data.client_secret,
+      clientIdIssuedAt: data.client_id_issued_at,
+      clientSecretExpiresAt: data.client_secret_expires_at
+    };
+  }
+  /**
+   * Perform the full OAuth authorization flow
+   */
+  async performOAuthFlow(authServer, client, protectedResource) {
+    const pkce = await generatePKCE();
+    const state = generateState();
+    const { port, codePromise, close } = await this.startCallbackServer(state);
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+    try {
+      const requestedScopes = this.config.scopes ?? protectedResource.scopes_supported ?? authServer.server.scopes_supported ?? ["openid"];
+      debug("Scope resolution:");
+      debug("  - User config scopes: %O", this.config.scopes);
+      debug(
+        "  - Protected resource scopes_supported: %O",
+        protectedResource.scopes_supported
+      );
+      debug(
+        "  - Auth server scopes_supported: %O",
+        authServer.server.scopes_supported
+      );
+      debug("  - Final requested scopes: %O", requestedScopes);
+      const authUrl = buildAuthorizationUrl({
+        authServer,
+        clientId: client.clientId,
+        redirectUri,
+        scopes: requestedScopes,
+        codeChallenge: pkce.codeChallenge,
+        state,
+        resource: protectedResource.resource
+      });
+      debug("Authorization URL: %s", authUrl.toString());
+      debug("Authorization URL params:");
+      debug("  - client_id: %s", authUrl.searchParams.get("client_id"));
+      debug("  - redirect_uri: %s", authUrl.searchParams.get("redirect_uri"));
+      debug("  - scope: %s", authUrl.searchParams.get("scope"));
+      debug("  - resource: %s", authUrl.searchParams.get("resource"));
+      await this.openBrowserOrPrintUrl(authUrl);
+      debug("Waiting for OAuth callback...");
+      const code = await codePromise;
+      debug("Received authorization code");
+      const tokenResult = await exchangeCodeForTokens({
+        authServer,
+        clientId: client.clientId,
+        clientSecret: client.clientSecret,
+        code,
+        state,
+        codeVerifier: pkce.codeVerifier,
+        redirectUri
+      });
+      const tokens = this.tokenResultToStoredTokens(
+        tokenResult,
+        client.clientId
+      );
+      await this.storage.saveTokens(tokens);
+      return { tokens, requestedScopes };
+    } finally {
+      close();
+    }
+  }
+  /**
+   * Refresh an expired token
+   *
+   * Uses the clientId stored with the tokens (if available) to ensure
+   * the refresh request uses the same client that obtained the original tokens.
+   * This is important because refresh tokens are bound to the client_id.
+   */
+  async refreshStoredToken(storedTokens) {
+    if (!storedTokens.refreshToken) {
+      throw new Error("No refresh token available");
+    }
+    const metadata = await this.storage.loadServerMetadata();
+    if (!metadata) {
+      throw new Error("No cached server metadata for refresh");
+    }
+    let clientId;
+    let clientSecret;
+    if (storedTokens.clientId) {
+      debug("Using clientId from stored tokens for refresh");
+      clientId = storedTokens.clientId;
+      const storedClient = await this.storage.loadClient();
+      if (storedClient?.clientId === clientId) {
+        clientSecret = storedClient.clientSecret;
+      }
+    } else {
+      debug(
+        "No clientId in stored tokens, falling back to stored client (legacy behavior)"
+      );
+      const client = await this.getOrRegisterClient(metadata.authServer);
+      clientId = client.clientId;
+      clientSecret = client.clientSecret;
+    }
+    const tokenResult = await refreshAccessToken({
+      authServer: metadata.authServer,
+      clientId,
+      clientSecret,
+      refreshToken: storedTokens.refreshToken
+    });
+    const tokens = this.tokenResultToStoredTokens(tokenResult, clientId);
+    await this.storage.saveTokens(tokens);
+    return tokens;
+  }
+  /**
+   * Start local callback server
+   */
+  async startCallbackServer(expectedState) {
+    const timeoutMs = this.config.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
+    return new Promise((resolve, reject) => {
+      const server = http__namespace.createServer();
+      const connections = /* @__PURE__ */ new Set();
+      server.on("connection", (socket) => {
+        connections.add(socket);
+        socket.on("close", () => connections.delete(socket));
+      });
+      const forceClose = () => {
+        for (const socket of connections) {
+          socket.destroy();
+        }
+        server.close();
+      };
+      let codeResolve;
+      let codeReject;
+      const codePromise = new Promise((res, rej) => {
+        codeResolve = res;
+        codeReject = rej;
+      });
+      const timeout = setTimeout(() => {
+        forceClose();
+        codeReject(new Error(`OAuth flow timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+      server.on("request", (req, res) => {
+        const url = new URL(
+          req.url ?? "/",
+          `http://127.0.0.1:${server.address().port}`
+        );
+        if (url.pathname !== "/callback") {
+          res.writeHead(404);
+          res.end("Not Found");
+          return;
+        }
+        const error = url.searchParams.get("error");
+        if (error) {
+          const errorDescription = url.searchParams.get("error_description");
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(this.errorHtml(error, errorDescription ?? void 0));
+          codeReject(
+            new Error(
+              `OAuth error: ${error}${errorDescription ? ` - ${errorDescription}` : ""}`
+            )
+          );
+          return;
+        }
+        const state = url.searchParams.get("state");
+        if (state !== expectedState) {
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(this.errorHtml("invalid_state", "State parameter mismatch"));
+          codeReject(new Error("OAuth state mismatch - possible CSRF attack"));
+          return;
+        }
+        const code = url.searchParams.get("code");
+        if (!code) {
+          clearTimeout(timeout);
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(
+            this.errorHtml("missing_code", "No authorization code received")
+          );
+          codeReject(new Error("No authorization code in callback"));
+          return;
+        }
+        clearTimeout(timeout);
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(this.successHtml());
+        codeResolve(code);
+      });
+      const preferredPort = this.config.callbackPort ?? 0;
+      server.listen(preferredPort, "127.0.0.1", () => {
+        const address = server.address();
+        debug("Callback server listening on port", address.port);
+        resolve({ port: address.port, codePromise, close: forceClose });
+      });
+      server.on("error", (err) => {
+        reject(err);
+      });
+    });
+  }
+  /**
+   * Open browser or print URL for headless environments
+   */
+  async openBrowserOrPrintUrl(url) {
+    if (isHeadless()) {
+      console.log("\n" + "=".repeat(60));
+      console.log(
+        "Please open the following URL in your browser to authenticate:"
+      );
+      console.log("\n" + url.toString() + "\n");
+      console.log("=".repeat(60) + "\n");
+      return;
+    }
+    try {
+      const open = await import('open');
+      await open.default(url.toString());
+      debug("Opened browser for authentication");
+    } catch (error) {
+      debug("Failed to open browser:", error);
+      console.log("\nFailed to open browser automatically.");
+      console.log("Please open the following URL manually:\n");
+      console.log(url.toString() + "\n");
+    }
+  }
+  /**
+   * Convert TokenResult to StoredTokens
+   *
+   * @param result - Token result from exchange or refresh
+   * @param clientId - Client ID that was used to obtain these tokens
+   */
+  tokenResultToStoredTokens(result, clientId) {
+    return {
+      accessToken: result.accessToken,
+      tokenType: result.tokenType,
+      refreshToken: result.refreshToken,
+      expiresAt: result.expiresIn ? Date.now() + result.expiresIn * 1e3 : void 0,
+      clientId
+    };
+  }
+  /**
+   * HTML page for successful authentication
+   */
+  successHtml() {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Authentication Successful</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+           display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0;
+           background: #f8fafc; }
+    .container { text-align: center; background: white; padding: 48px 64px; border-radius: 8px;
+                 border: 1px solid #e2e8f0; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+    .icon { width: 48px; height: 48px; margin: 0 auto 24px; background: #dcfce7; border-radius: 50%;
+            display: flex; align-items: center; justify-content: center; }
+    .icon svg { width: 24px; height: 24px; color: #16a34a; }
+    h1 { color: #0f172a; margin: 0 0 8px 0; font-size: 20px; font-weight: 600; }
+    p { color: #64748b; margin: 0; font-size: 14px; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">
+      <svg fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+      </svg>
+    </div>
+    <h1>Authentication Successful</h1>
+    <p>You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>`;
+  }
+  /**
+   * HTML page for authentication error
+   */
+  errorHtml(error, description) {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Authentication Failed</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+           display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0;
+           background: #f8fafc; }
+    .container { text-align: center; background: white; padding: 48px 64px; border-radius: 8px;
+                 border: 1px solid #e2e8f0; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+    .icon { width: 48px; height: 48px; margin: 0 auto 24px; background: #fee2e2; border-radius: 50%;
+            display: flex; align-items: center; justify-content: center; }
+    .icon svg { width: 24px; height: 24px; color: #dc2626; }
+    h1 { color: #0f172a; margin: 0 0 8px 0; font-size: 20px; font-weight: 600; }
+    p { color: #64748b; margin: 0 0 8px 0; font-size: 14px; }
+    code { background: #f1f5f9; padding: 2px 8px; border-radius: 4px; color: #dc2626; font-size: 13px; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">
+      <svg fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"/>
+      </svg>
+    </div>
+    <h1>Authentication Failed</h1>
+    <p>Error: <code>${escapeHtml(error)}</code></p>
+    ${description ? `<p>${escapeHtml(description)}</p>` : ""}
+  </div>
+</body>
+</html>`;
+  }
+};
+function isHeadless() {
+  if (process.env.CI) {
+    return true;
+  }
+  if (!process.stdin.isTTY) {
+    return true;
+  }
+  if (process.platform === "linux" && !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY) {
+    return true;
+  }
+  return false;
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+async function createMCPClientForConfig(config, options) {
+  const validatedConfig = validateMCPConfig(config);
+  const client = new index_js.Client(
+    {
+      name: options?.clientInfo?.name ?? "@gleanwork/mcp-server-tester",
+      version: options?.clientInfo?.version ?? "0.1.0"
+    },
+    {
+      capabilities: validatedConfig.capabilities ?? {}
+    }
+  );
+  if (isStdioConfig(validatedConfig)) {
+    const transport = new stdio_js.StdioClientTransport({
+      command: validatedConfig.command,
+      args: validatedConfig.args ?? [],
+      ...validatedConfig.cwd && { cwd: validatedConfig.cwd },
+      // Suppress server stderr when quiet mode is enabled
+      ...validatedConfig.quiet && { stderr: "ignore" }
+    });
+    debugClient("Connecting via stdio: %O", {
+      command: validatedConfig.command,
+      args: validatedConfig.args,
+      cwd: validatedConfig.cwd
+    });
+    await client.connect(transport);
+  } else if (isHttpConfig(validatedConfig)) {
+    const headers = { ...validatedConfig.headers };
+    if (validatedConfig.auth?.accessToken && !options?.authProvider) {
+      headers.Authorization = `Bearer ${validatedConfig.auth.accessToken}`;
+    }
+    const transport = new streamableHttp_js.StreamableHTTPClientTransport(
+      new URL(validatedConfig.serverUrl),
+      {
+        requestInit: Object.keys(headers).length > 0 ? { headers } : void 0,
+        // Pass auth provider for OAuth flow - MCP SDK handles it automatically
+        authProvider: options?.authProvider
+      }
+    );
+    debugClient("Connecting via HTTP: %O", {
+      serverUrl: validatedConfig.serverUrl,
+      headers: Object.keys(headers).length > 0 ? Object.keys(headers) : void 0,
+      hasAuthProvider: !!options?.authProvider
+    });
+    await client.connect(transport);
+  }
+  debugClient("Connected successfully");
+  const serverInfo = client.getServerVersion();
+  if (serverInfo) {
+    debugClient("Server info: %O", serverInfo);
+  }
+  return client;
+}
+async function closeMCPClient(client) {
+  try {
+    await client.close();
+  } catch (error) {
+    console.error("[MCP] Error closing client:", error);
+    throw error;
+  }
+}
+
+// src/mcp/response.ts
+function normalizeToolResponse(result) {
+  const isError = result.isError ?? false;
+  const contentBlocks = [];
+  const textParts = [];
+  if (Array.isArray(result.content)) {
+    for (const block of result.content) {
+      if (block == null || typeof block !== "object") {
+        continue;
+      }
+      const b = block;
+      const contentBlock = {
+        type: typeof b.type === "string" ? b.type : "unknown"
+      };
+      if (typeof b.text === "string") {
+        contentBlock.text = b.text;
+        textParts.push(b.text);
+      }
+      if (b.data !== void 0) {
+        contentBlock.data = b.data;
+      }
+      if (typeof b.mimeType === "string") {
+        contentBlock.mimeType = b.mimeType;
+      }
+      contentBlocks.push(contentBlock);
+    }
+  }
+  let structuredContent = null;
+  if (result.structuredContent !== void 0) {
+    structuredContent = result.structuredContent;
+    if (textParts.length === 0) {
+      if (typeof result.structuredContent === "string") {
+        textParts.push(result.structuredContent);
+      } else if (result.structuredContent != null) {
+        textParts.push(JSON.stringify(result.structuredContent));
+      }
+    }
+  }
+  const text = textParts.join("\n");
+  return {
+    text,
+    raw: result,
+    isError,
+    contentBlocks,
+    structuredContent
+  };
+}
+function extractText(response) {
+  if (response == null) {
+    return "";
+  }
+  if (typeof response === "string") {
+    return response;
+  }
+  if (isNormalizedResponse(response)) {
+    return response.text;
+  }
+  if (isCallToolResult(response)) {
+    return normalizeToolResponse(response).text;
+  }
+  if (Array.isArray(response)) {
+    return extractTextFromContentArray(response);
+  }
+  if (typeof response === "object") {
+    const r = response;
+    if (Array.isArray(r.content)) {
+      return extractTextFromContentArray(r.content);
+    }
+    if (typeof r.content === "string") {
+      return r.content;
+    }
+    if (r.structuredContent !== void 0) {
+      if (typeof r.structuredContent === "string") {
+        return r.structuredContent;
+      }
+      return JSON.stringify(r.structuredContent);
+    }
+    if (typeof r.text === "string") {
+      return r.text;
+    }
+    return JSON.stringify(r);
+  }
+  if (typeof response === "number" || typeof response === "boolean" || typeof response === "bigint") {
+    return String(response);
+  }
+  return "";
+}
+function isNormalizedResponse(value) {
+  if (value == null || typeof value !== "object") {
+    return false;
+  }
+  const v = value;
+  return typeof v.text === "string" && typeof v.isError === "boolean" && Array.isArray(v.contentBlocks) && v.raw !== void 0;
+}
+function isCallToolResult(value) {
+  if (value == null || typeof value !== "object") {
+    return false;
+  }
+  const v = value;
+  return Array.isArray(v.content) || typeof v.isError === "boolean";
+}
+function extractTextFromContentArray(content) {
+  const textParts = [];
+  for (const block of content) {
+    if (block == null || typeof block !== "object") {
+      continue;
+    }
+    const b = block;
+    if (b.type === "text" && typeof b.text === "string") {
+      textParts.push(b.text);
+    }
+  }
+  if (textParts.length > 0) {
+    return textParts.join("\n");
+  }
+  return JSON.stringify(content);
+}
+
+// src/assertions/validators/utils.ts
+var extractText2 = extractText;
+function getResponseSizeBytes(response) {
+  if (response === null || response === void 0) {
+    return 0;
+  }
+  if (typeof response === "string") {
+    return Buffer.byteLength(response, "utf8");
+  }
+  const serialized = JSON.stringify(response, null, 2);
+  return Buffer.byteLength(serialized, "utf8");
+}
+function stringifyResponse(response) {
+  if (response === null || response === void 0) {
+    return "";
+  }
+  if (typeof response === "string") {
+    return response;
+  }
+  return JSON.stringify(response, null, 2);
+}
+function isErrorResponse(response) {
+  if (response === null || response === void 0) {
+    return false;
+  }
+  if (typeof response !== "object") {
+    return false;
+  }
+  const r = response;
+  if (r.isError === true) {
+    return true;
+  }
+  if ("raw" in r && typeof r.raw === "object" && r.raw !== null) {
+    const raw = r.raw;
+    return raw.isError === true;
+  }
+  return false;
+}
+function extractErrorMessage(response) {
+  if (!isErrorResponse(response)) {
+    return "";
+  }
+  return extractText2(response);
+}
+function normalizeWhitespace(text) {
+  return text.replace(/\s+/g, " ").trim();
+}
+
+// src/assertions/validators/response.ts
+function validateResponse(actual, expected) {
+  const actualStr = stringifyResponse(actual);
+  const expectedStr = stringifyResponse(expected);
+  if (actualStr === expectedStr) {
+    return {
+      pass: true,
+      message: "Response matches expected value"
+    };
+  }
+  return {
+    pass: false,
+    message: `Response does not match expected value`,
+    details: {
+      actual: truncateForDisplay(actualStr),
+      expected: truncateForDisplay(expectedStr)
+    }
+  };
+}
+function truncateForDisplay(str, maxLength = 500) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/validators/schema.ts
+function validateSchema(response, schema, options = {}) {
+  const valueToValidate = getValidatableValue(response);
+  if (options.strict && valueToValidate !== null) ;
+  try {
+    schema.parse(valueToValidate);
+    return {
+      pass: true,
+      message: "Response matches schema"
+    };
+  } catch (error) {
+    const zodError = error;
+    const issues = formatZodIssues(zodError);
+    return {
+      pass: false,
+      message: `Response does not match schema: ${issues}`,
+      details: {
+        issues: zodError.issues
+      }
+    };
+  }
+}
+function getValidatableValue(response) {
+  if (response === null || response === void 0) {
+    return null;
+  }
+  if (typeof response === "object" && !Array.isArray(response)) {
+    const r = response;
+    if ("structuredContent" in r && r.structuredContent !== void 0) {
+      return r.structuredContent;
+    }
+    if ("raw" in r && "text" in r && "isError" in r && "contentBlocks" in r) {
+      if (r.structuredContent !== void 0) {
+        return r.structuredContent;
+      }
+      const text = r.text;
+      return tryParseJson(text) ?? response;
+    }
+    if ("content" in r && Array.isArray(r.content)) {
+      const text = extractText2(response);
+      return tryParseJson(text) ?? response;
+    }
+    return response;
+  }
+  if (typeof response === "string") {
+    return tryParseJson(response) ?? response;
+  }
+  return response;
+}
+function tryParseJson(text) {
+  if (!text || typeof text !== "string") {
+    return null;
+  }
+  const trimmed = text.trim();
+  if (!(trimmed.startsWith("{") || trimmed.startsWith("[")) || !(trimmed.endsWith("}") || trimmed.endsWith("]"))) {
+    return null;
+  }
+  try {
+    return JSON.parse(trimmed);
+  } catch {
+    return null;
+  }
+}
+function formatZodIssues(error) {
+  const issues = error.issues.map((issue) => {
+    const path3 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `${path3}: ${issue.message}`;
+  });
+  return issues.join("; ");
+}
+
+// src/assertions/validators/text.ts
+function validateText(response, expected, options = {}) {
+  const { caseSensitive = true } = options;
+  const expectedStrings = Array.isArray(expected) ? expected : [expected];
+  const text = extractText2(response);
+  const compareText = caseSensitive ? text : text.toLowerCase();
+  const missing = [];
+  for (const substring of expectedStrings) {
+    const compareSubstring = caseSensitive ? substring : substring.toLowerCase();
+    if (!compareText.includes(compareSubstring)) {
+      missing.push(substring);
+    }
+  }
+  if (missing.length === 0) {
+    return {
+      pass: true,
+      message: expectedStrings.length === 1 ? `Response contains expected text` : `Response contains all ${expectedStrings.length} expected substrings`
+    };
+  }
+  return {
+    pass: false,
+    message: missing.length === 1 ? `Response does not contain expected text: "${missing[0]}"` : `Response is missing ${missing.length} expected substrings: ${missing.map((s) => `"${s}"`).join(", ")}`,
+    details: {
+      missing,
+      textLength: text.length,
+      textPreview: truncateForDisplay2(text)
+    }
+  };
+}
+function truncateForDisplay2(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/validators/pattern.ts
+function validatePattern(response, patterns, options = {}) {
+  const { caseSensitive = true } = options;
+  const caseInsensitive = !caseSensitive;
+  const patternList = Array.isArray(patterns) ? patterns : [patterns];
+  const text = extractText2(response);
+  const unmatched = [];
+  for (const pattern of patternList) {
+    const regex = toRegExp(pattern, caseInsensitive);
+    if (!regex.test(text)) {
+      unmatched.push(patternToString(pattern));
+    }
+  }
+  if (unmatched.length === 0) {
+    return {
+      pass: true,
+      message: patternList.length === 1 ? `Response matches pattern` : `Response matches all ${patternList.length} patterns`
+    };
+  }
+  return {
+    pass: false,
+    message: unmatched.length === 1 ? `Response does not match pattern: ${unmatched[0]}` : `Response does not match ${unmatched.length} patterns: ${unmatched.join(", ")}`,
+    details: {
+      unmatched,
+      textLength: text.length,
+      textPreview: truncateForDisplay3(text)
+    }
+  };
+}
+function toRegExp(pattern, caseInsensitive) {
+  if (pattern instanceof RegExp) {
+    if (caseInsensitive && !pattern.flags.includes("i")) {
+      return new RegExp(pattern.source, pattern.flags + "i");
+    }
+    return pattern;
+  }
+  const flags = caseInsensitive ? "i" : "";
+  return new RegExp(pattern, flags);
+}
+function patternToString(pattern) {
+  if (pattern instanceof RegExp) {
+    return pattern.toString();
+  }
+  return `/${pattern}/`;
+}
+function truncateForDisplay3(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/validators/error.ts
+function validateError(response, expected = true) {
+  const actualIsError = isErrorResponse(response);
+  const errorMessage = actualIsError ? extractErrorMessage(response) : "";
+  if (typeof expected === "boolean") {
+    if (expected) {
+      if (actualIsError) {
+        return {
+          pass: true,
+          message: "Response is an error as expected"
+        };
+      }
+      return {
+        pass: false,
+        message: "Expected an error response but got success",
+        details: {
+          textPreview: truncateForDisplay4(extractText2(response))
+        }
+      };
+    } else {
+      if (!actualIsError) {
+        return {
+          pass: true,
+          message: "Response is not an error as expected"
+        };
+      }
+      return {
+        pass: false,
+        message: `Expected a success response but got error: "${truncateForDisplay4(errorMessage)}"`,
+        details: {
+          errorMessage
+        }
+      };
+    }
+  }
+  const expectedMessages = Array.isArray(expected) ? expected : [expected];
+  if (!actualIsError) {
+    return {
+      pass: false,
+      message: `Expected an error containing "${expectedMessages[0]}" but got success`,
+      details: {
+        textPreview: truncateForDisplay4(extractText2(response))
+      }
+    };
+  }
+  const matched = expectedMessages.some(
+    (msg) => errorMessage.toLowerCase().includes(msg.toLowerCase())
+  );
+  if (matched) {
+    return {
+      pass: true,
+      message: "Error message contains expected text"
+    };
+  }
+  return {
+    pass: false,
+    message: expectedMessages.length === 1 ? `Error message does not contain "${expectedMessages[0]}"` : `Error message does not contain any of: ${expectedMessages.map((m) => `"${m}"`).join(", ")}`,
+    details: {
+      actualErrorMessage: errorMessage,
+      expectedToContain: expectedMessages
+    }
+  };
+}
+function truncateForDisplay4(str, maxLength = 200) {
+  if (str.length <= maxLength) {
+    return str;
+  }
+  return str.slice(0, maxLength) + "... (truncated)";
+}
+
+// src/assertions/validators/size.ts
+function validateSize(response, options) {
+  const { maxBytes, minBytes } = options;
+  if (maxBytes === void 0 && minBytes === void 0) {
+    return {
+      pass: false,
+      message: "Size validation requires at least one of maxBytes or minBytes"
+    };
+  }
+  const actualSize = getResponseSizeBytes(response);
+  const issues = [];
+  if (minBytes !== void 0 && actualSize < minBytes) {
+    issues.push(
+      `Response size (${formatBytes(actualSize)}) is below minimum (${formatBytes(minBytes)})`
+    );
+  }
+  if (maxBytes !== void 0 && actualSize > maxBytes) {
+    issues.push(
+      `Response size (${formatBytes(actualSize)}) exceeds maximum (${formatBytes(maxBytes)})`
+    );
+  }
+  if (issues.length === 0) {
+    return {
+      pass: true,
+      message: `Response size (${formatBytes(actualSize)}) is within bounds`,
+      details: {
+        actualBytes: actualSize
+      }
+    };
+  }
+  return {
+    pass: false,
+    message: issues.join("; "),
+    details: {
+      actualBytes: actualSize,
+      minBytes,
+      maxBytes
+    }
+  };
+}
+function formatBytes(bytes) {
+  if (bytes < 1024) {
+    return `${bytes} bytes`;
+  }
+  if (bytes < 1024 * 1024) {
+    return `${(bytes / 1024).toFixed(1)} KB`;
+  }
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
+// src/mcp/fixtures/mcpFixture.ts
+var testStep = null;
+try {
+  const playwright = __require("@playwright/test");
+  if (playwright && playwright.test && playwright.test.step) {
+    testStep = playwright.test.step.bind(playwright.test);
+  }
+} catch {
+}
+function createMCPFixture(client, testInfo, options) {
+  const authType = options?.authType ?? "none";
+  const project = options?.project;
+  if (!testInfo) {
+    return {
+      client,
+      authType,
+      project,
+      async listTools() {
+        const result = await client.listTools();
+        return result.tools;
+      },
+      async callTool(name, args) {
+        const result = await client.callTool({
+          name,
+          arguments: args
+        });
+        return result;
+      },
+      getServerInfo() {
+        const serverVersion = client.getServerVersion();
+        if (!serverVersion) {
+          return null;
+        }
+        return {
+          name: serverVersion.name,
+          version: serverVersion.version
+        };
+      }
+    };
+  }
+  return {
+    client,
+    authType,
+    project,
+    async listTools() {
+      const execute = async () => {
+        const result = await client.listTools();
+        const tools = result.tools;
+        await testInfo.attach("mcp-list-tools", {
+          contentType: "application/json",
+          body: JSON.stringify(
+            {
+              operation: "listTools",
+              toolCount: tools.length,
+              tools: tools.map((t) => ({
+                name: t.name,
+                description: t.description
+              }))
+            },
+            null,
+            2
+          )
+        });
+        return tools;
+      };
+      return testStep ? testStep("MCP: listTools()", execute) : execute();
+    },
+    async callTool(name, args) {
+      const execute = async () => {
+        const startTime = Date.now();
+        const result = await client.callTool({
+          name,
+          arguments: args
+        });
+        const durationMs = Date.now() - startTime;
+        await testInfo.attach(`mcp-call-${name}`, {
+          contentType: "application/json",
+          body: JSON.stringify(
+            {
+              operation: "callTool",
+              toolName: name,
+              args,
+              result,
+              durationMs,
+              isError: result.isError || false,
+              authType,
+              project
+            },
+            null,
+            2
+          )
+        });
+        return result;
+      };
+      return testStep ? testStep(`MCP: callTool("${name}")`, execute) : execute();
+    },
+    getServerInfo() {
+      const serverVersion = client.getServerVersion();
+      const result = serverVersion ? {
+        name: serverVersion.name,
+        version: serverVersion.version
+      } : null;
+      testInfo.attach("mcp-server-info", {
+        contentType: "application/json",
+        body: JSON.stringify(
+          {
+            operation: "getServerInfo",
+            serverInfo: result
+          },
+          null,
+          2
+        )
+      }).catch(() => {
+      });
+      return result;
+    }
+  };
+}
+
+// src/assertions/matchers/toMatchToolResponse.ts
+function toMatchToolResponse(received, expected) {
+  const result = validateResponse(received, expected);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match, but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toMatchToolSchema.ts
+function toMatchToolSchema(received, schema, options = {}) {
+  const result = validateSchema(received, schema, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match schema, but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toContainToolText.ts
+function toContainToolText(received, expected, options = {}) {
+  const result = validateText(received, expected, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        const expectedStr = Array.isArray(expected) ? expected.map((s) => `"${s}"`).join(", ") : `"${expected}"`;
+        return result.pass ? `Expected response NOT to contain ${expectedStr}, but it did` : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toMatchToolPattern.ts
+function toMatchToolPattern(received, patterns, options = {}) {
+  const result = validatePattern(received, patterns, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response NOT to match pattern(s), but it did" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+var BUILT_IN_PATTERNS = {
+  timestamp: {
+    pattern: /\b\d{10,13}\b/g,
+    replacement: "[TIMESTAMP]"
+  },
+  uuid: {
+    pattern: /\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi,
+    replacement: "[UUID]"
+  },
+  "iso-date": {
+    pattern: /\b\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d{1,3})?(Z|[+-]\d{2}:?\d{2})?)?\b/g,
+    replacement: "[ISO_DATE]"
+  },
+  objectId: {
+    pattern: /\b[0-9a-f]{24}\b/gi,
+    replacement: "[OBJECT_ID]"
+  },
+  jwt: {
+    pattern: /\beyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\b/g,
+    replacement: "[JWT]"
+  }
+};
+function isRegexSanitizer(sanitizer) {
+  return typeof sanitizer === "object" && sanitizer !== null && "pattern" in sanitizer;
+}
+function isFieldRemovalSanitizer(sanitizer) {
+  return typeof sanitizer === "object" && sanitizer !== null && "remove" in sanitizer;
+}
+function applySanitizers(value, sanitizers) {
+  let result = value;
+  for (const sanitizer of sanitizers) {
+    if (typeof sanitizer === "string") {
+      const builtIn = BUILT_IN_PATTERNS[sanitizer];
+      if (builtIn) {
+        result = result.replace(builtIn.pattern, builtIn.replacement);
+      }
+      continue;
+    }
+    if (isRegexSanitizer(sanitizer)) {
+      const pattern = sanitizer.pattern instanceof RegExp ? sanitizer.pattern : new RegExp(sanitizer.pattern, "g");
+      const replacement = sanitizer.replacement ?? "[SANITIZED]";
+      result = result.replace(pattern, replacement);
+      continue;
+    }
+    if (isFieldRemovalSanitizer(sanitizer)) {
+      try {
+        const parsed = JSON.parse(result);
+        removeFields(parsed, sanitizer.remove);
+        result = JSON.stringify(parsed, null, 2);
+      } catch {
+      }
+    }
+  }
+  return result;
+}
+function removeFields(obj, paths) {
+  if (typeof obj !== "object" || obj === null) {
+    return;
+  }
+  for (const path3 of paths) {
+    const parts = path3.split(".");
+    if (parts.length === 0) {
+      continue;
+    }
+    let current = obj;
+    for (let i = 0; i < parts.length - 1; i++) {
+      if (typeof current !== "object" || current === null) {
+        break;
+      }
+      const key = parts[i];
+      if (key !== void 0) {
+        current = current[key];
+      }
+    }
+    if (typeof current === "object" && current !== null) {
+      const lastKey = parts[parts.length - 1];
+      if (lastKey !== void 0) {
+        delete current[lastKey];
+      }
+    }
+  }
+}
+async function toMatchToolSnapshot(received, name, sanitizers = []) {
+  let content = extractText2(received);
+  if (sanitizers.length > 0) {
+    content = applySanitizers(content, sanitizers);
+  }
+  if (this.isNot) {
+    try {
+      await test$1.expect(content).toMatchSnapshot(name);
+      return {
+        pass: false,
+        message: () => `Expected response NOT to match snapshot "${name}", but it did`
+      };
+    } catch {
+      return {
+        pass: true,
+        message: () => `Response does not match snapshot "${name}" as expected`
+      };
+    }
+  }
+  try {
+    await test$1.expect(content).toMatchSnapshot(name);
+    return {
+      pass: true,
+      message: () => `Response matches snapshot "${name}"`
+    };
+  } catch (error) {
+    return {
+      pass: false,
+      message: () => error instanceof Error ? error.message : `Response does not match snapshot "${name}"`
+    };
+  }
+}
+
+// src/assertions/matchers/toBeToolError.ts
+function toBeToolError(received, expected = true) {
+  const effectiveExpected = this.isNot ? typeof expected === "boolean" ? !expected : false : expected;
+  const result = validateError(received, effectiveExpected);
+  return {
+    pass: this.isNot ? !result.pass : result.pass,
+    message: () => {
+      if (this.isNot) {
+        if (typeof expected === "boolean") {
+          return result.pass ? "Expected response NOT to be an error, but it was" : "Response is not an error as expected";
+        }
+        const expectedStr = Array.isArray(expected) ? expected.join(", ") : expected;
+        return result.pass ? `Expected response NOT to be an error with "${expectedStr}", but it was` : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+function createClaudeAgentJudge(config) {
+  const model = config.model ?? "claude-sonnet-4-20250514";
+  const maxBudgetUsd = config.maxBudgetUsd ?? 0.1;
+  const maxToolOutputSize = config.maxToolOutputSize;
+  return {
+    async evaluate(candidate, reference, rubric) {
+      const candidateStr = typeof candidate === "string" ? candidate : JSON.stringify(candidate, null, 2);
+      const candidateSizeBytes = Buffer.byteLength(candidateStr, "utf8");
+      if (maxToolOutputSize !== void 0 && candidateSizeBytes > maxToolOutputSize) {
+        return {
+          pass: false,
+          score: 0,
+          reasoning: `Tool output size (${candidateSizeBytes} bytes) exceeds maximum allowed size (${maxToolOutputSize} bytes)`,
+          candidateSizeBytes,
+          exceedsMaxToolOutputSize: true
+        };
+      }
+      const prompt = buildJudgePrompt(candidate, reference, rubric);
+      try {
+        let resultMessage;
+        for await (const message of claudeAgentSdk.query({
+          prompt,
+          options: {
+            model,
+            maxBudgetUsd,
+            // Use empty tools array for response-only mode
+            tools: [],
+            // Bypass permissions since we're not using any tools
+            permissionMode: "bypassPermissions",
+            allowDangerouslySkipPermissions: true,
+            // Use a custom system prompt for JSON output
+            systemPrompt: buildSystemPrompt(),
+            // Limit to 1 turn since this is a simple evaluation
+            maxTurns: 1
+          }
+        })) {
+          if (message.type === "result") {
+            resultMessage = message;
+          }
+        }
+        if (!resultMessage) {
+          throw new Error("No result message received from Claude Agent SDK");
+        }
+        if (resultMessage.subtype !== "success" && resultMessage.errors?.length) {
+          throw new Error(
+            `Claude Agent SDK error: ${resultMessage.errors.join(", ")}`
+          );
+        }
+        const responseText = resultMessage.result ?? "";
+        const parsed = parseJudgeResponse(responseText);
+        const usage = {
+          inputTokens: resultMessage.usage?.input_tokens ?? 0,
+          outputTokens: resultMessage.usage?.output_tokens ?? 0,
+          totalCostUsd: resultMessage.total_cost_usd ?? 0,
+          durationMs: resultMessage.duration_ms ?? 0,
+          durationApiMs: resultMessage.duration_api_ms,
+          cacheReadInputTokens: resultMessage.usage?.cache_read_input_tokens,
+          cacheCreationInputTokens: resultMessage.usage?.cache_creation_input_tokens
+        };
+        return {
+          pass: parsed.pass ?? false,
+          score: parsed.score,
+          reasoning: parsed.reasoning,
+          usage,
+          candidateSizeBytes,
+          exceedsMaxToolOutputSize: false
+        };
+      } catch (error) {
+        throw new Error(
+          `Claude Agent judge evaluation failed: ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
+    }
+  };
+}
+function buildSystemPrompt() {
+  return 'You are an expert evaluator. Evaluate the candidate response based on the rubric provided. Respond ONLY with valid JSON in this exact format: {"pass": boolean, "score": number (0-1), "reasoning": string}. Do not include any other text, markdown formatting, or code blocks.';
+}
+function buildJudgePrompt(candidate, reference, rubric) {
+  const parts = [];
+  parts.push("# Evaluation Task\n");
+  parts.push(rubric);
+  parts.push("\n\n# Candidate Response\n");
+  parts.push(
+    typeof candidate === "string" ? candidate : JSON.stringify(candidate, null, 2)
+  );
+  if (reference !== null && reference !== void 0) {
+    parts.push("\n\n# Reference Response\n");
+    parts.push(
+      typeof reference === "string" ? reference : JSON.stringify(reference, null, 2)
+    );
+  }
+  parts.push(
+    "\n\n# Instructions\nEvaluate the candidate response based on the rubric. " + (reference !== null && reference !== void 0 ? "Compare it against the reference response if helpful. " : "") + 'Respond with JSON containing "pass" (boolean), "score" (0-1), and "reasoning" (string).'
+  );
+  return parts.join("");
+}
+function parseJudgeResponse(text) {
+  let jsonText = text.trim();
+  if (jsonText.startsWith("```json")) {
+    jsonText = jsonText.slice(7);
+  }
+  if (jsonText.startsWith("```")) {
+    jsonText = jsonText.slice(3);
+  }
+  if (jsonText.endsWith("```")) {
+    jsonText = jsonText.slice(0, -3);
+  }
+  jsonText = jsonText.trim();
+  try {
+    return JSON.parse(jsonText);
+  } catch {
+    const jsonMatch = jsonText.match(/\{[\s\S]*"pass"[\s\S]*\}/);
+    if (jsonMatch) {
+      return JSON.parse(jsonMatch[0]);
+    }
+    throw new Error(`Failed to parse judge response as JSON: ${text}`);
+  }
+}
+
+// src/judge/judgeClient.ts
+function createJudge(config = {}) {
+  const provider = config.provider ?? "claude";
+  switch (provider) {
+    case "claude":
+    case "anthropic":
+      return createClaudeAgentJudge(config);
+    case "openai":
+      throw new Error(
+        'OpenAI provider is no longer supported. Please use createJudge() without specifying provider, or use provider: "claude". See migration guide at https://github.com/gleanwork/mcp-server-tester/blob/main/docs/migration-v0.11.md'
+      );
+    case "custom-http":
+      throw new Error(
+        "custom-http provider is no longer supported. Please use createJudge() without specifying provider."
+      );
+    default:
+      throw new Error(`Unsupported LLM provider: ${String(provider)}`);
+  }
+}
+
+// src/assertions/matchers/toPassToolJudge.ts
+var DEFAULT_PASSING_THRESHOLD = 0.7;
+var DEFAULT_JUDGE_CONFIG = {};
+async function toPassToolJudge(received, rubric, options = {}) {
+  const {
+    reference = null,
+    passingThreshold = DEFAULT_PASSING_THRESHOLD,
+    judgeConfig = DEFAULT_JUDGE_CONFIG
+  } = options;
+  const judge = createJudge(judgeConfig);
+  try {
+    const result = await judge.evaluate(received, reference, rubric);
+    const score = result.score ?? (result.pass ? 1 : 0);
+    const passes = score >= passingThreshold;
+    if (this.isNot) {
+      return {
+        pass: !passes,
+        message: () => passes ? `Expected judge evaluation to fail, but it passed with score ${score.toFixed(2)}` : `Judge evaluation failed as expected with score ${score.toFixed(2)}`
+      };
+    }
+    if (passes) {
+      return {
+        pass: true,
+        message: () => `Judge evaluation passed with score ${score.toFixed(2)} (threshold: ${passingThreshold})`
+      };
+    }
+    return {
+      pass: false,
+      message: () => `Judge evaluation failed with score ${score.toFixed(2)} (threshold: ${passingThreshold}). Reasoning: ${result.reasoning ?? "No reasoning provided"}`
+    };
+  } catch (error) {
+    return {
+      pass: false,
+      message: () => `Judge evaluation failed with error: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
+
+// src/assertions/matchers/toHaveToolResponseSize.ts
+function toHaveToolResponseSize(received, options) {
+  const result = validateSize(received, options);
+  return {
+    pass: result.pass,
+    message: () => {
+      if (this.isNot) {
+        return result.pass ? "Expected response size NOT to be within bounds, but it was" : result.message;
+      }
+      return result.message;
+    }
+  };
+}
+
+// src/assertions/matchers/toSatisfyToolPredicate.ts
+function normalizeResult(result) {
+  if (typeof result === "boolean") {
+    return {
+      pass: result,
+      message: result ? "Predicate passed" : "Predicate returned false"
+    };
+  }
+  return result;
+}
+async function toSatisfyToolPredicate(received, predicate, description) {
+  const predicateDescription = description ?? "custom predicate";
+  try {
+    const text = extractText2(received);
+    const rawResult = await predicate(received, text);
+    const result = normalizeResult(rawResult);
+    if (this.isNot) {
+      return {
+        pass: !result.pass,
+        message: () => result.pass ? `Expected response NOT to satisfy ${predicateDescription}` : `Response does not satisfy ${predicateDescription} as expected`
+      };
+    }
+    return {
+      pass: result.pass,
+      message: () => result.pass ? result.message ?? `Response satisfies ${predicateDescription}` : result.message ?? `Expected response to satisfy ${predicateDescription}`
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    return {
+      pass: this.isNot,
+      // If using .not, an error means the predicate didn't pass
+      message: () => `Predicate threw error: ${errorMessage}`
+    };
+  }
+}
+
+// src/assertions/matchers/index.ts
+var expect = test$1.expect.extend({
+  toMatchToolResponse,
+  toMatchToolSchema,
+  toContainToolText,
+  toMatchToolPattern,
+  toMatchToolSnapshot,
+  toBeToolError,
+  toPassToolJudge,
+  toHaveToolResponseSize,
+  toSatisfyToolPredicate
+});
+
+// src/fixtures/mcp.ts
+init_oauthClientProvider();
+var test = test$1.test.extend({
+  /**
+   * Internal fixture state - tracks resolved auth type between fixtures
+   */
+  _mcpFixtureState: [
+    // eslint-disable-next-line no-empty-pattern
+    async ({}, use) => {
+      const state = { resolvedAuthType: "none" };
+      await use(state);
+    },
+    { scope: "test" }
+  ],
+  /**
+   * mcpClient fixture: Creates and connects an MCP client
+   *
+   * The client configuration is read from the project's `use.mcpConfig`
+   * setting in playwright.config.ts
+   *
+   * Authentication resolution order:
+   * 1. Explicit authStatePath → uses PlaywrightOAuthClientProvider
+   * 2. Explicit accessToken → uses static Bearer token
+   * 3. HTTP transport with no auth → tries CLI-stored tokens (from `mcp-server-tester login`)
+   *    with automatic token refresh
+   */
+  mcpClient: async ({ _mcpFixtureState }, use, testInfo) => {
+    const useConfig = testInfo.project.use;
+    const mcpConfig = useConfig.mcpConfig;
+    if (!mcpConfig) {
+      throw new Error(
+        `Missing mcpConfig in project.use for project "${testInfo.project.name}". Please add mcpConfig to your project configuration in playwright.config.ts`
+      );
+    }
+    let resolvedAuthType = "none";
+    let authProvider;
+    if (mcpConfig.auth?.oauth?.authStatePath) {
+      authProvider = new exports.PlaywrightOAuthClientProvider({
+        storagePath: mcpConfig.auth.oauth.authStatePath,
+        redirectUri: mcpConfig.auth.oauth.redirectUri ?? "http://localhost:3000/oauth/callback",
+        clientId: mcpConfig.auth.oauth.clientId,
+        clientSecret: mcpConfig.auth.oauth.clientSecret
+      });
+      resolvedAuthType = "oauth";
+    }
+    let effectiveConfig = mcpConfig;
+    if (mcpConfig.auth?.accessToken) {
+      resolvedAuthType = "api-token";
+    }
+    if (isHttpConfig(mcpConfig) && !mcpConfig.auth?.accessToken && !mcpConfig.auth?.oauth?.authStatePath) {
+      const cliClient = new CLIOAuthClient({
+        mcpServerUrl: mcpConfig.serverUrl
+      });
+      const tokenResult = await cliClient.tryGetAccessToken();
+      if (tokenResult) {
+        effectiveConfig = {
+          ...mcpConfig,
+          auth: {
+            ...mcpConfig.auth,
+            accessToken: tokenResult.accessToken
+          }
+        };
+        resolvedAuthType = "oauth";
+      }
+    }
+    _mcpFixtureState.resolvedAuthType = resolvedAuthType;
+    const client = await createMCPClientForConfig(effectiveConfig, {
+      clientInfo: {
+        name: "@gleanwork/mcp-server-tester",
+        version: "0.1.0"
+      },
+      authProvider
+    });
+    try {
+      await use(client);
+    } finally {
+      await closeMCPClient(client);
+    }
+  },
+  /**
+   * mcp fixture: High-level test API built on mcpClient
+   *
+   * Depends on mcpClient fixture
+   * Automatically tracks all MCP operations for the reporter
+   */
+  mcp: async ({ mcpClient, _mcpFixtureState }, use, testInfo) => {
+    const api = createMCPFixture(mcpClient, testInfo, {
+      authType: _mcpFixtureState.resolvedAuthType,
+      project: testInfo.project.name
+    });
+    await use(api);
+  }
+});
+var LLMHostConfigSchema = zod.z.object({
+  provider: zod.z.enum(["openai", "anthropic"]),
+  apiKeyEnvVar: zod.z.string().optional(),
+  model: zod.z.string().optional(),
+  maxTokens: zod.z.number().optional(),
+  temperature: zod.z.number().optional(),
+  maxToolCalls: zod.z.number().optional()
+});
+var SnapshotSanitizerSchema = zod.z.union([
+  // Built-in sanitizers
+  zod.z.enum(["timestamp", "uuid", "iso-date", "objectId", "jwt"]),
+  // Custom regex sanitizer
+  zod.z.object({
+    pattern: zod.z.string(),
+    replacement: zod.z.string().optional()
+  }),
+  // Field removal sanitizer
+  zod.z.object({
+    remove: zod.z.array(zod.z.string())
+  })
+]);
+var EvalExpectBlockSchema = zod.z.object({
+  response: zod.z.unknown().optional(),
+  schema: zod.z.string().optional(),
+  containsText: zod.z.union([zod.z.string(), zod.z.array(zod.z.string())]).optional(),
+  matchesPattern: zod.z.union([zod.z.string(), zod.z.array(zod.z.string())]).optional(),
+  snapshot: zod.z.string().optional(),
+  snapshotSanitizers: zod.z.array(SnapshotSanitizerSchema).optional(),
+  isError: zod.z.union([zod.z.boolean(), zod.z.string(), zod.z.array(zod.z.string())]).optional(),
+  passesJudge: zod.z.object({
+    rubric: zod.z.string(),
+    reference: zod.z.unknown().optional(),
+    threshold: zod.z.number().min(0).max(1).optional(),
+    configId: zod.z.string().optional()
+  }).optional(),
+  responseSize: zod.z.object({
+    maxBytes: zod.z.number().optional(),
+    minBytes: zod.z.number().optional()
+  }).optional()
+});
+var EvalCaseSchema = zod.z.object({
+  id: zod.z.string().min(1, "id must not be empty"),
+  description: zod.z.string().optional(),
+  mode: zod.z.enum(["direct", "llm_host"]).optional(),
+  toolName: zod.z.string().min(1, "toolName must not be empty").optional(),
+  args: zod.z.record(zod.z.unknown()).optional(),
+  scenario: zod.z.string().optional(),
+  llmHostConfig: LLMHostConfigSchema.optional(),
+  metadata: zod.z.record(zod.z.unknown()).optional(),
+  expect: EvalExpectBlockSchema.optional()
+});
+var EvalDatasetSchema = zod.z.object({
+  name: zod.z.string().min(1, "name must not be empty"),
+  description: zod.z.string().optional(),
+  cases: zod.z.array(EvalCaseSchema).min(1, "dataset must have at least one case"),
+  metadata: zod.z.record(zod.z.unknown()).optional()
+});
+function validateEvalCase(evalCase) {
+  return EvalCaseSchema.parse(evalCase);
+}
+function validateEvalDataset(dataset) {
+  return EvalDatasetSchema.parse(dataset);
+}
+async function loadEvalDataset(filePath, options = {}) {
+  const { schemas, validate = true } = options;
+  try {
+    const fileContents = await fs.readFile(filePath, "utf-8");
+    const rawData = JSON.parse(fileContents);
+    const serializedDataset = validate ? validateEvalDataset(rawData) : rawData;
+    const dataset = {
+      ...serializedDataset,
+      schemas: schemas ?? {}
+    };
+    return dataset;
+  } catch (error) {
+    if (error instanceof SyntaxError) {
+      throw new Error(
+        `Failed to parse JSON from ${filePath}: ${error.message}`
+      );
+    }
+    throw error;
+  }
+}
+function loadEvalDatasetFromObject(data, options = {}) {
+  const { schemas, validate = true } = options;
+  const serializedDataset = validate ? validateEvalDataset(data) : data;
+  const dataset = {
+    ...serializedDataset,
+    schemas: schemas ?? {}
+  };
+  return dataset;
+}
+
+// src/evals/llmHost/adapter.ts
+var adapters = /* @__PURE__ */ new Map();
+function registerAdapter(provider, factory) {
+  adapters.set(provider, factory);
+}
+function getAdapter(provider) {
+  const factory = adapters.get(provider);
+  if (!factory) {
+    throw new Error(
+      `No adapter registered for provider: ${provider}. Available: ${Array.from(adapters.keys()).join(", ")}`
+    );
+  }
+  return factory();
+}
+function hasAdapter(provider) {
+  return adapters.has(provider);
+}
+
+// src/evals/llmHost/retry.ts
+var DEFAULT_OPTIONS = {
+  maxAttempts: 3,
+  baseDelayMs: 1e3,
+  maxDelayMs: 3e4,
+  isRetryable: isRetryableError
+};
+async function withRetry(fn, options = {}) {
+  const {
+    maxAttempts = DEFAULT_OPTIONS.maxAttempts,
+    baseDelayMs = DEFAULT_OPTIONS.baseDelayMs,
+    maxDelayMs = DEFAULT_OPTIONS.maxDelayMs,
+    isRetryable = DEFAULT_OPTIONS.isRetryable,
+    onRetry
+  } = options;
+  let lastError;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      return await fn();
+    } catch (error) {
+      lastError = error;
+      if (attempt >= maxAttempts || !isRetryable(error)) {
+        throw error;
+      }
+      const exponentialDelay = baseDelayMs * Math.pow(2, attempt - 1);
+      const jitter = Math.random() * 0.1 * exponentialDelay;
+      const delayMs = Math.min(exponentialDelay + jitter, maxDelayMs);
+      if (onRetry) {
+        onRetry(error, attempt, delayMs);
+      }
+      await sleep(delayMs);
+    }
+  }
+  throw lastError;
+}
+function isRetryableError(error) {
+  const statusCode = extractStatusCode(error);
+  if (statusCode !== null) {
+    return [429, 500, 502, 503, 504].includes(statusCode);
+  }
+  const message = extractErrorMessage2(error).toLowerCase();
+  return message.includes("rate limit") || message.includes("429") || message.includes("too many requests") || message.includes("timeout") || message.includes("temporarily unavailable") || message.includes("service unavailable") || message.includes("internal server error");
+}
+function extractStatusCode(error) {
+  if (error == null || typeof error !== "object") {
+    return null;
+  }
+  const e = error;
+  if (typeof e.status === "number") {
+    return e.status;
+  }
+  if (typeof e.statusCode === "number") {
+    return e.statusCode;
+  }
+  if (e.response && typeof e.response === "object") {
+    const response = e.response;
+    if (typeof response.status === "number") {
+      return response.status;
+    }
+  }
+  if (typeof e.code === "number") {
+    return e.code;
+  }
+  return null;
+}
+function extractErrorMessage2(error) {
+  if (error == null) {
+    return "";
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === "object") {
+    const e = error;
+    if (typeof e.message === "string") {
+      return e.message;
+    }
+    if (typeof e.error === "string") {
+      return e.error;
+    }
+    return JSON.stringify(error);
+  }
+  if (typeof error === "number" || typeof error === "boolean") {
+    return String(error);
+  }
+  return "Unknown error";
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/evals/llmHost/orchestrator.ts
+async function runSimulation(adapter, mcp, scenario, config, options = {}) {
+  const maxIterations = config.maxToolCalls || 10;
+  const retryOptions = options.retry || {};
+  const allToolCalls = [];
+  const conversationHistory = [];
+  try {
+    const client = await adapter.createClient(config);
+    const mcpTools = await mcp.listTools();
+    const formattedTools = adapter.formatTools(mcpTools);
+    const messages = [adapter.createUserMessage(scenario)];
+    conversationHistory.push({ role: "user", content: scenario });
+    let finalResponse = "";
+    for (let iteration = 0; iteration < maxIterations; iteration++) {
+      const chatResult = await withRetry(
+        () => adapter.chat(client, messages, formattedTools, config),
+        retryOptions
+      );
+      if (chatResult.wantsToolCalls && chatResult.toolCalls.length > 0) {
+        messages.push(adapter.createAssistantMessage(chatResult));
+        const toolResultMessages = [];
+        for (const toolCall of chatResult.toolCalls) {
+          allToolCalls.push(toolCall);
+          const mcpResult = await mcp.callTool(
+            toolCall.name,
+            toolCall.arguments
+          );
+          const resultText = extractText(mcpResult);
+          const resultMessage = adapter.createToolResultMessage(
+            toolCall,
+            resultText
+          );
+          toolResultMessages.push(resultMessage);
+          conversationHistory.push({ role: "tool", content: resultText });
+        }
+        if (adapter.provider === "anthropic") {
+          messages.push({
+            role: "user",
+            content: toolResultMessages
+          });
+        } else {
+          for (const msg of toolResultMessages) {
+            messages.push(msg);
+          }
+        }
+      } else {
+        finalResponse = chatResult.textContent || "";
+        conversationHistory.push({ role: "assistant", content: finalResponse });
+        break;
+      }
+    }
+    return {
+      success: true,
+      toolCalls: allToolCalls,
+      response: finalResponse,
+      conversationHistory
+    };
+  } catch (error) {
+    return {
+      success: false,
+      toolCalls: allToolCalls,
+      error: error instanceof Error ? error.message : String(error),
+      conversationHistory
+    };
+  }
+}
+
+// src/evals/llmHost/adapters/openai.ts
+function createOpenAIAdapter() {
+  return {
+    provider: "openai",
+    async createClient(config) {
+      let OpenAI;
+      try {
+        const module = await import('openai');
+        OpenAI = module.OpenAI;
+      } catch {
+        throw new Error(
+          "OpenAI SDK is not installed. Install it with: npm install openai"
+        );
+      }
+      const apiKeyEnvVar = config.apiKeyEnvVar || "OPENAI_API_KEY";
+      const apiKey = process.env[apiKeyEnvVar];
+      if (!apiKey) {
+        throw new Error(
+          `OpenAI API key not found in environment variable ${apiKeyEnvVar}`
+        );
+      }
+      return new OpenAI({ apiKey });
+    },
+    formatTools(tools) {
+      return tools.map((tool) => ({
+        type: "function",
+        function: {
+          name: tool.name,
+          description: tool.description || "",
+          parameters: tool.inputSchema || {}
+        }
+      }));
+    },
+    async chat(client, messages, tools, config) {
+      const openai = client;
+      const response = await openai.chat.completions.create({
+        model: config.model || "gpt-4o",
+        messages,
+        tools,
+        temperature: config.temperature ?? 0,
+        max_tokens: config.maxTokens
+      });
+      const resp = response;
+      const message = resp.choices[0]?.message;
+      if (!message) {
+        throw new Error("No response from OpenAI");
+      }
+      if (message.tool_calls && message.tool_calls.length > 0) {
+        const toolCalls = message.tool_calls.map((tc) => ({
+          name: tc.function.name,
+          arguments: JSON.parse(tc.function.arguments),
+          id: tc.id
+        }));
+        return {
+          wantsToolCalls: true,
+          toolCalls,
+          textContent: message.content,
+          rawResponse: response
+        };
+      }
+      return {
+        wantsToolCalls: false,
+        toolCalls: [],
+        textContent: message.content,
+        rawResponse: response
+      };
+    },
+    createUserMessage(scenario) {
+      return {
+        role: "user",
+        content: scenario
+      };
+    },
+    createAssistantMessage(chatResult) {
+      const rawResponse = chatResult.rawResponse;
+      return {
+        role: "assistant",
+        content: chatResult.textContent,
+        tool_calls: rawResponse.choices[0]?.message?.tool_calls
+      };
+    },
+    createToolResultMessage(toolCall, result) {
+      return {
+        role: "tool",
+        tool_call_id: toolCall.id,
+        content: result
+      };
+    }
+  };
+}
+
+// src/evals/llmHost/adapters/anthropic.ts
+function createAnthropicAdapter() {
+  return {
+    provider: "anthropic",
+    async createClient(config) {
+      let Anthropic;
+      try {
+        const module = await import('@anthropic-ai/sdk');
+        Anthropic = module.default;
+      } catch {
+        throw new Error(
+          "Anthropic SDK is not installed. Install it with: npm install @anthropic-ai/sdk"
+        );
+      }
+      const apiKeyEnvVar = config.apiKeyEnvVar || "ANTHROPIC_API_KEY";
+      const apiKey = process.env[apiKeyEnvVar];
+      if (!apiKey) {
+        throw new Error(
+          `Anthropic API key not found in environment variable ${apiKeyEnvVar}`
+        );
+      }
+      return new Anthropic({ apiKey });
+    },
+    formatTools(tools) {
+      return tools.map((tool) => ({
+        name: tool.name,
+        description: tool.description || "",
+        input_schema: tool.inputSchema || {}
+      }));
+    },
+    async chat(client, messages, tools, config) {
+      const anthropic = client;
+      const response = await anthropic.messages.create({
+        model: config.model || "claude-3-5-sonnet-20241022",
+        max_tokens: config.maxTokens || 4096,
+        temperature: config.temperature ?? 0,
+        messages,
+        tools
+      });
+      const resp = response;
+      const textBlock = resp.content.find((c) => c.type === "text");
+      const textContent = textBlock?.text || null;
+      if (resp.stop_reason === "tool_use") {
+        const toolUses = resp.content.filter((c) => c.type === "tool_use");
+        const toolCalls = toolUses.map((tu) => ({
+          name: tu.name,
+          arguments: tu.input,
+          id: tu.id
+        }));
+        return {
+          wantsToolCalls: true,
+          toolCalls,
+          textContent,
+          rawResponse: response
+        };
+      }
+      if (resp.stop_reason === "max_tokens") {
+        throw new Error("Response exceeded max tokens");
+      }
+      return {
+        wantsToolCalls: false,
+        toolCalls: [],
+        textContent,
+        rawResponse: response
+      };
+    },
+    createUserMessage(scenario) {
+      return {
+        role: "user",
+        content: scenario
+      };
+    },
+    createAssistantMessage(chatResult) {
+      const rawResponse = chatResult.rawResponse;
+      return {
+        role: "assistant",
+        content: rawResponse.content
+      };
+    },
+    createToolResultMessage(toolCall, result) {
+      return {
+        type: "tool_result",
+        tool_use_id: toolCall.id,
+        content: result
+      };
+    }
+  };
+}
+
+// src/evals/llmHost/llmHostSimulation.ts
+registerAdapter("openai", createOpenAIAdapter);
+registerAdapter("anthropic", createAnthropicAdapter);
+async function simulateLLMHost(mcp, scenario, config) {
+  const adapter = getAdapter(config.provider);
+  return runSimulation(adapter, mcp, scenario, config, {
+    retry: {
+      maxAttempts: 3,
+      baseDelayMs: 1e3,
+      maxDelayMs: 3e4
+    }
+  });
+}
+function isProviderAvailable(provider) {
+  return hasAdapter(provider);
+}
+function getMissingDependencyMessage(provider) {
+  switch (provider) {
+    case "openai":
+      return "OpenAI SDK is not installed. Install it with: npm install openai";
+    case "anthropic":
+      return "Anthropic SDK is not installed. Install it with: npm install @anthropic-ai/sdk";
+    default:
+      return `Unknown provider: ${String(provider)}`;
+  }
+}
+
+// src/evals/evalRunner.ts
+async function executeToolCall(evalCase, mcp) {
+  const mode = evalCase.mode || "direct";
+  try {
+    if (mode === "llm_host") {
+      if (!evalCase.scenario) {
+        throw new Error(
+          `Eval case ${evalCase.id}: scenario is required for llm_host mode`
+        );
+      }
+      if (!evalCase.llmHostConfig) {
+        throw new Error(
+          `Eval case ${evalCase.id}: llmHostConfig is required for llm_host mode`
+        );
+      }
+      const simulationResult = await simulateLLMHost(
+        mcp,
+        evalCase.scenario,
+        evalCase.llmHostConfig
+      );
+      if (!simulationResult.success) {
+        throw new Error(simulationResult.error || "LLM host simulation failed");
+      }
+      return { response: simulationResult };
+    } else {
+      if (!evalCase.toolName) {
+        throw new Error(
+          `Eval case ${evalCase.id}: toolName is required for direct mode`
+        );
+      }
+      if (!evalCase.args) {
+        throw new Error(
+          `Eval case ${evalCase.id}: args is required for direct mode`
+        );
+      }
+      const result = await mcp.callTool(evalCase.toolName, evalCase.args);
+      if (evalCase.expect?.isError !== void 0) {
+        return { response: result };
+      }
+      return { response: result.structuredContent ?? result.content };
+    }
+  } catch (err) {
+    return {
+      response: void 0,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+function didCasePass(error, expectations) {
+  return !error && Object.values(expectations).every(
+    (result) => result === void 0 || result.pass
+  );
+}
+async function runExpectBlockValidations(expectBlock, response, config) {
+  const results = {};
+  if (expectBlock.response !== void 0) {
+    const validation = validateResponse(response, expectBlock.response);
+    results.exact = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.schema !== void 0) {
+    const schema = config.schemas?.[expectBlock.schema];
+    if (!schema) {
+      results.schema = {
+        pass: false,
+        details: `Schema "${expectBlock.schema}" not found in schemas registry`
+      };
+    } else {
+      const validation = validateSchema(response, schema);
+      results.schema = {
+        pass: validation.pass,
+        details: validation.message
+      };
+    }
+  }
+  if (expectBlock.containsText !== void 0) {
+    const validation = validateText(response, expectBlock.containsText);
+    results.textContains = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.matchesPattern !== void 0) {
+    const validation = validatePattern(response, expectBlock.matchesPattern);
+    results.regex = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.isError !== void 0) {
+    const validation = validateError(response, expectBlock.isError);
+    results.error = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.responseSize !== void 0) {
+    const validation = validateSize(response, expectBlock.responseSize);
+    results.size = {
+      pass: validation.pass,
+      details: validation.message
+    };
+  }
+  if (expectBlock.passesJudge !== void 0) {
+    const {
+      rubric,
+      reference,
+      threshold = 0.7,
+      configId
+    } = expectBlock.passesJudge;
+    const judgeConfig = configId ? config.judgeConfigs?.[configId] ?? {} : {};
+    try {
+      const judge = createJudge(judgeConfig);
+      const judgeResult = await judge.evaluate(
+        response,
+        reference ?? null,
+        rubric
+      );
+      const score = judgeResult.score ?? (judgeResult.pass ? 1 : 0);
+      const passed = score >= threshold;
+      results.judge = {
+        pass: passed,
+        details: passed ? `Judge passed with score ${score.toFixed(2)}` : `Judge failed with score ${score.toFixed(2)} (threshold: ${threshold}). ${judgeResult.reasoning ?? ""}`
+      };
+    } catch (err) {
+      results.judge = {
+        pass: false,
+        details: `Judge evaluation error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  if (expectBlock.snapshot !== void 0) {
+    if (!config.playwrightExpect) {
+      results.snapshot = {
+        pass: false,
+        details: "Snapshot testing requires expect in context"
+      };
+    } else {
+      try {
+        const sanitizers = expectBlock.snapshotSanitizers ?? [];
+        await config.playwrightExpect(response).toMatchToolSnapshot(
+          expectBlock.snapshot,
+          sanitizers
+        );
+        results.snapshot = {
+          pass: true,
+          details: `Matches snapshot "${expectBlock.snapshot}"`
+        };
+      } catch (err) {
+        results.snapshot = {
+          pass: false,
+          details: err instanceof Error ? err.message : String(err)
+        };
+      }
+    }
+  }
+  return results;
+}
+async function runEvalCase(evalCase, context, options = {}) {
+  const startTime = Date.now();
+  const mode = evalCase.mode || "direct";
+  const { response, error } = await executeToolCall(evalCase, context.mcp);
+  let expectationResults = {};
+  if (!error && evalCase.expect) {
+    expectationResults = await runExpectBlockValidations(
+      evalCase.expect,
+      response,
+      {
+        schemas: options.schemas,
+        judgeConfigs: options.judgeConfigs,
+        playwrightExpect: context.expect
+      }
+    );
+  }
+  return {
+    id: evalCase.id,
+    datasetName: options.datasetName ?? "single-case",
+    toolName: evalCase.toolName ?? evalCase.scenario ?? "unknown",
+    mode,
+    source: "eval",
+    pass: didCasePass(error, expectationResults),
+    response,
+    error,
+    expectations: expectationResults,
+    authType: context.mcp.authType,
+    project: context.mcp.project,
+    durationMs: Date.now() - startTime
+  };
+}
+async function runEvalDataset(options, context) {
+  const {
+    dataset,
+    schemas,
+    judgeConfigs,
+    stopOnFailure = false,
+    onCaseComplete
+  } = options;
+  const startTime = Date.now();
+  const caseResults = [];
+  const enrichedContext = context;
+  const allSchemas = {
+    ...dataset.schemas,
+    ...schemas
+  };
+  for (const evalCase of dataset.cases) {
+    const result2 = await runEvalCase(evalCase, enrichedContext, {
+      datasetName: dataset.name,
+      schemas: allSchemas,
+      judgeConfigs
+    });
+    caseResults.push(result2);
+    if (onCaseComplete) {
+      await onCaseComplete(result2);
+    }
+    if (stopOnFailure && !result2.pass) {
+      break;
+    }
+  }
+  const total = caseResults.length;
+  const passed = caseResults.filter((r) => r.pass).length;
+  const result = {
+    total,
+    passed,
+    failed: total - passed,
+    caseResults,
+    durationMs: Date.now() - startTime
+  };
+  if (context.testInfo) {
+    await context.testInfo.attach("mcp-test-results", {
+      contentType: "application/json",
+      body: Buffer.from(JSON.stringify({ caseResults }))
+    });
+  }
+  return result;
+}
+
+// src/evals/llmHost/toolCallExpectation.ts
+function argumentsMatch(actual, expected) {
+  for (const key of Object.keys(expected)) {
+    if (!(key in actual)) {
+      return false;
+    }
+    const actualValue = actual[key];
+    const expectedValue = expected[key];
+    if (JSON.stringify(actualValue) !== JSON.stringify(expectedValue)) {
+      return false;
+    }
+  }
+  return true;
+}
+function findMatchingCall(expected, actualCalls) {
+  for (const actualCall of actualCalls) {
+    if (actualCall.name !== expected.name) {
+      continue;
+    }
+    if (!expected.arguments) {
+      return actualCall;
+    }
+    if (argumentsMatch(actualCall.arguments, expected.arguments)) {
+      return actualCall;
+    }
+  }
+  return null;
+}
+function createToolCallValidator() {
+  return async (evalCase, response) => {
+    const expectedCalls = evalCase.metadata?.expectedToolCalls;
+    if (!expectedCalls || expectedCalls.length === 0) {
+      return {
+        pass: true,
+        details: "No expected tool calls specified"
+      };
+    }
+    const responseObj = response;
+    const actualCalls = responseObj?.toolCalls;
+    if (!actualCalls || actualCalls.length === 0) {
+      const requiredCalls = expectedCalls.filter(
+        (call) => call.required !== false
+      );
+      if (requiredCalls.length > 0) {
+        return {
+          pass: false,
+          details: `Expected ${requiredCalls.length} tool call(s), but LLM made no tool calls`
+        };
+      }
+      return {
+        pass: true,
+        details: "No tool calls expected or made"
+      };
+    }
+    const missingCalls = [];
+    for (const expectedCall of expectedCalls) {
+      const matchingCall = findMatchingCall(expectedCall, actualCalls);
+      if (!matchingCall) {
+        if (expectedCall.required !== false) {
+          missingCalls.push(expectedCall);
+        }
+      }
+    }
+    if (missingCalls.length > 0) {
+      const missingDetails = missingCalls.map((call) => `${call.name}(${JSON.stringify(call.arguments || {})})`).join(", ");
+      return {
+        pass: false,
+        details: `Missing required tool call(s): ${missingDetails}. Actual calls: ${actualCalls.map((c) => c.name).join(", ")}`
+      };
+    }
+    return {
+      pass: true,
+      details: `All ${expectedCalls.length} expected tool call(s) were made correctly`
+    };
+  };
+}
+
+// src/spec/conformanceChecks.ts
+async function runConformanceChecks(mcp, options = {}, testInfo) {
+  const {
+    requiredTools = [],
+    validateSchemas = true,
+    checkServerInfo = true,
+    checkResources = true,
+    checkPrompts = true
+  } = options;
+  const checks = [];
+  const raw = {
+    serverInfo: null,
+    capabilities: null,
+    tools: [],
+    resources: null,
+    prompts: null
+  };
+  const serverInfo = mcp.getServerInfo();
+  if (serverInfo) {
+    raw.serverInfo = serverInfo;
+  }
+  if (checkServerInfo) {
+    checks.push({
+      name: "server_info_present",
+      pass: serverInfo !== null,
+      message: serverInfo ? `Server info: ${serverInfo.name ?? "unknown"} v${serverInfo.version ?? "unknown"}` : "Server info is missing"
+    });
+  }
+  const capabilities = mcp.client.getServerCapabilities();
+  if (capabilities) {
+    raw.capabilities = capabilities;
+  }
+  checks.push({
+    name: "capabilities_valid",
+    pass: capabilities !== void 0,
+    message: capabilities ? `Server capabilities: ${formatCapabilities(capabilities)}` : "Server capabilities not available"
+  });
+  let tools = [];
+  try {
+    tools = await mcp.listTools();
+    raw.tools = tools;
+    checks.push({
+      name: "list_tools_succeeds",
+      pass: true,
+      message: `listTools returned ${tools.length} tools`
+    });
+  } catch (error) {
+    checks.push({
+      name: "list_tools_succeeds",
+      pass: false,
+      message: `listTools failed: ${error instanceof Error ? error.message : String(error)}`
+    });
+    const pass2 = checks.every((check) => check.pass);
+    return { pass: pass2, checks, raw };
+  }
+  if (requiredTools.length > 0) {
+    const toolNames = new Set(tools.map((t) => t.name));
+    const missingTools = requiredTools.filter((name) => !toolNames.has(name));
+    checks.push({
+      name: "required_tools_present",
+      pass: missingTools.length === 0,
+      message: missingTools.length === 0 ? `All ${requiredTools.length} required tools are present` : `Missing required tools: ${missingTools.join(", ")}`
+    });
+  }
+  if (validateSchemas && tools.length > 0) {
+    const invalidTools = [];
+    for (const tool of tools) {
+      if (!tool.name) {
+        invalidTools.push(`(unnamed tool): missing name`);
+        continue;
+      }
+      if (!tool.inputSchema) {
+        invalidTools.push(`${tool.name}: missing inputSchema`);
+        continue;
+      }
+      if (tool.inputSchema.type !== "object") {
+        invalidTools.push(
+          `${tool.name}: inputSchema.type must be "object", got "${String(tool.inputSchema.type)}"`
+        );
+      }
+    }
+    checks.push({
+      name: "tool_schemas_valid",
+      pass: invalidTools.length === 0,
+      message: invalidTools.length === 0 ? `All ${tools.length} tools have valid schemas` : `Invalid tool schemas:
+  ${invalidTools.join("\n  ")}`
+    });
+  }
+  if (checkResources && capabilities?.resources) {
+    try {
+      const resourcesResult = await mcp.client.listResources();
+      raw.resources = resourcesResult.resources;
+      checks.push({
+        name: "list_resources_succeeds",
+        pass: true,
+        message: `listResources returned ${resourcesResult.resources.length} resources`
+      });
+    } catch (error) {
+      checks.push({
+        name: "list_resources_succeeds",
+        pass: false,
+        message: `listResources failed: ${error instanceof Error ? error.message : String(error)}`
+      });
+    }
+  }
+  if (checkPrompts && capabilities?.prompts) {
+    try {
+      const promptsResult = await mcp.client.listPrompts();
+      raw.prompts = promptsResult.prompts;
+      checks.push({
+        name: "list_prompts_succeeds",
+        pass: true,
+        message: `listPrompts returned ${promptsResult.prompts.length} prompts`
+      });
+    } catch (error) {
+      checks.push({
+        name: "list_prompts_succeeds",
+        pass: false,
+        message: `listPrompts failed: ${error instanceof Error ? error.message : String(error)}`
+      });
+    }
+  }
+  try {
+    const result2 = await mcp.callTool("__nonexistent_tool__", {});
+    const hasError = result2.isError === true;
+    checks.push({
+      name: "invalid_tool_returns_error",
+      pass: hasError,
+      message: hasError ? "Nonexistent tool correctly returned an error" : "Calling nonexistent tool should have returned an error"
+    });
+  } catch {
+    checks.push({
+      name: "invalid_tool_returns_error",
+      pass: true,
+      message: "Nonexistent tool correctly threw an error"
+    });
+  }
+  const pass = checks.every((check) => check.pass);
+  const result = { pass, checks, raw };
+  if (testInfo) {
+    await testInfo.attach("mcp-conformance-checks", {
+      contentType: "application/json",
+      body: JSON.stringify(
+        {
+          operation: "conformanceChecks",
+          pass,
+          checks,
+          serverInfo: raw.serverInfo,
+          capabilities: raw.capabilities,
+          toolCount: raw.tools.length,
+          authType: mcp.authType,
+          project: mcp.project
+        },
+        null,
+        2
+      )
+    });
+  }
+  return result;
+}
+function formatCapabilities(capabilities) {
+  const parts = [];
+  if (capabilities.tools) parts.push("tools");
+  if (capabilities.resources) parts.push("resources");
+  if (capabilities.prompts) parts.push("prompts");
+  if (capabilities.logging) parts.push("logging");
+  if (capabilities.completions) parts.push("completions");
+  if (capabilities.experimental) parts.push("experimental");
+  return parts.length > 0 ? parts.join(", ") : "none declared";
+}
+
+exports.CLIOAuthClient = CLIOAuthClient;
+exports.DiscoveryError = DiscoveryError;
+exports.ENV_VAR_NAMES = ENV_VAR_NAMES;
+exports.EvalCaseSchema = EvalCaseSchema;
+exports.EvalDatasetSchema = EvalDatasetSchema;
+exports.MCPConfigSchema = MCPConfigSchema;
+exports.MCP_PROTOCOL_VERSION = MCP_PROTOCOL_VERSION;
+exports.closeMCPClient = closeMCPClient;
+exports.createJudge = createJudge;
+exports.createMCPClientForConfig = createMCPClientForConfig;
+exports.createMCPFixture = createMCPFixture;
+exports.createTokenAuthHeaders = createTokenAuthHeaders;
+exports.createToolCallValidator = createToolCallValidator;
+exports.discoverAuthorizationServer = discoverAuthorizationServer;
+exports.discoverProtectedResource = discoverProtectedResource;
+exports.expect = expect;
+exports.extractText = extractText;
+exports.extractTextFromResponse = extractText;
+exports.getMissingDependencyMessage = getMissingDependencyMessage;
+exports.getResponseSizeBytes = getResponseSizeBytes;
+exports.hasValidTokens = hasValidTokens;
+exports.injectTokens = injectTokens;
+exports.isHttpConfig = isHttpConfig;
+exports.isProviderAvailable = isProviderAvailable;
+exports.isStdioConfig = isStdioConfig;
+exports.isTokenExpired = isTokenExpired;
+exports.isTokenExpiringSoon = isTokenExpiringSoon;
+exports.loadEvalDataset = loadEvalDataset;
+exports.loadEvalDatasetFromObject = loadEvalDatasetFromObject;
+exports.loadTokens = loadTokens;
+exports.loadTokensFromEnv = loadTokensFromEnv;
+exports.normalizeToolResponse = normalizeToolResponse;
+exports.normalizeWhitespace = normalizeWhitespace;
+exports.performOAuthSetup = performOAuthSetup;
+exports.performOAuthSetupIfNeeded = performOAuthSetupIfNeeded;
+exports.runConformanceChecks = runConformanceChecks;
+exports.runEvalCase = runEvalCase;
+exports.runEvalDataset = runEvalDataset;
+exports.simulateLLMHost = simulateLLMHost;
+exports.test = test;
+exports.validateAccessToken = validateAccessToken;
+exports.validateError = validateError;
+exports.validateEvalCase = validateEvalCase;
+exports.validateEvalDataset = validateEvalDataset;
+exports.validateMCPConfig = validateMCPConfig;
+exports.validatePattern = validatePattern;
+exports.validateResponse = validateResponse;
+exports.validateSchema = validateSchema;
+exports.validateSize = validateSize;
+exports.validateText = validateText;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map