@kryptosai/mcp-observatory 0.20.3 → 0.22.0

package/dist/src/telemetry.js

@@ -11,6 +11,7 @@ const execFileAsync = promisify(execFile);
 const CONFIG_DIR = path.join(os.homedir(), ".mcp-observatory");
 const CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
 const DEFAULT_ENDPOINT = "https://mcp-observatory-telemetry.kryptosai.workers.dev/v1/events";
+const FIRST_PARTY_GITHUB_REPOSITORY = "kryptosai/mcp-observatory";
 // ── Config cache ─────────────────────────────────────────────────────────────
 let _cachedConfig = null;
 export function configDir() {
@@ -71,9 +72,11 @@ export async function showFirstRunNotice() {
     const notice = [
         "",
         "  ┌─────────────────────────────────────────────────────────────┐",
-        "  │  MCP Observatory collects anonymous usage telemetry.       │",
+        "  │  MCP Observatory collects product usage telemetry.         │",
         "  │                                                            │",
-        "  │  No personal data, file paths, or server content is sent.  │",
+        "  │  It may include command names, server IDs/commands, CI     │",
+        "  │  info, git email/remote, hostname, and scan outcomes.      │",
+        "  │  Set MCP_OBSERVATORY_ORG / CONTACT for account reports.    │",
         "  │  To opt out: mcp-observatory telemetry disable             │",
         "  │  Or set:     DO_NOT_TRACK=1                                │",
         "  └─────────────────────────────────────────────────────────────┘",
@@ -134,6 +137,36 @@ export function detectCiProvider() {
         return "azure-pipelines";
     return undefined;
 }
+function envValue(name) {
+    const value = process.env[name]?.trim();
+    return value || undefined;
+}
+export function collectGitHubActionsMetadata() {
+    return {
+        githubRepository: envValue("GITHUB_REPOSITORY"),
+        githubWorkflow: envValue("GITHUB_WORKFLOW"),
+        githubRunId: envValue("GITHUB_RUN_ID"),
+        githubRunNumber: envValue("GITHUB_RUN_NUMBER"),
+        githubEventName: envValue("GITHUB_EVENT_NAME"),
+        githubRef: envValue("GITHUB_REF"),
+        githubActor: envValue("GITHUB_ACTOR"),
+    };
+}
+export function isFirstPartyGitHubRepository(repository) {
+    return repository?.trim().toLowerCase() === FIRST_PARTY_GITHUB_REPOSITORY;
+}
+export function classifyTelemetrySource(options) {
+    const isFirstParty = options.ciProvider === "github-actions" && isFirstPartyGitHubRepository(options.githubRepository);
+    if (isFirstParty)
+        return { isFirstParty, telemetrySource: "first_party_ci" };
+    if (options.isCI || options.ciProvider)
+        return { isFirstParty, telemetrySource: "external_ci" };
+    if (options.transport === "mcp")
+        return { isFirstParty, telemetrySource: "mcp" };
+    if (options.transport === "cli")
+        return { isFirstParty, telemetrySource: "local" };
+    return { isFirstParty, telemetrySource: "unknown" };
+}
 let _cachedIdentity = null;
 let _identityPromise = null;
 export function collectUserIdentity() {
@@ -143,6 +176,12 @@ export function collectUserIdentity() {
         return _identityPromise;
     _identityPromise = (async () => {
         const identity = { hostname: os.hostname() };
+        const org = process.env["MCP_OBSERVATORY_ORG"]?.trim();
+        const contact = process.env["MCP_OBSERVATORY_CONTACT"]?.trim();
+        if (org)
+            identity.org = org;
+        if (contact)
+            identity.contact = contact;
         try {
             const { stdout } = await execFileAsync("git", ["config", "user.email"], { timeout: 2000 });
             identity.gitEmail = stdout.trim() || undefined;
@@ -167,6 +206,15 @@ export function _resetIdentityCache() {
 export function buildEvent(event, command, transport, enrichment) {
     const ci = detectCI();
     const identity = _cachedIdentity;
+    const ciProvider = enrichment?.ciProvider ?? detectCiProvider();
+    const github = ciProvider === "github-actions" ? collectGitHubActionsMetadata() : {};
+    const githubRepository = enrichment?.githubRepository ?? github.githubRepository;
+    const classification = classifyTelemetrySource({
+        transport,
+        isCI: ci.isCI,
+        ciProvider,
+        githubRepository,
+    });
     return {
         event,
         version: TOOL_VERSION,
@@ -177,10 +225,16 @@ export function buildEvent(event, command, transport, enrichment) {
         isCI: ci.isCI,
         ciName: ci.ciName,
         transport,
-        ciProvider: enrichment?.ciProvider ?? detectCiProvider(),
+        ciProvider,
+        org: enrichment?.org ?? identity?.org,
+        contact: enrichment?.contact ?? identity?.contact,
         gitEmail: identity?.gitEmail,
         gitRemoteUrl: identity?.gitRemoteUrl,
         hostname: identity?.hostname,
+        ...github,
+        githubRepository,
+        isFirstParty: enrichment?.isFirstParty ?? classification.isFirstParty,
+        telemetrySource: enrichment?.telemetrySource ?? classification.telemetrySource,
         ...enrichment,
     };
 }

package/dist/src/telemetry.js.map

@@ -1 +1 @@
-{"version":3,"file":"telemetry.js","sourceRoot":"","sources":["../../src/telemetry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,IAAI,IAAI,KAAK,EAAE,MAAM,IAAI,OAAO,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAqE1C,gFAAgF;AAEhF,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;AACzD,MAAM,gBAAgB,GAAG,mEAAmE,CAAC;AAE7F,gFAAgF;AAEhF,IAAI,aAAa,GAA2B,IAAI,CAAC;AAEjD,MAAM,UAAU,SAAS;IACvB,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;QAC3D,aAAa,GAAG;YACd,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,KAAK,KAAK;YACnD,SAAS,EAAE,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,EAAE;YACjF,WAAW,EAAE,MAAM,CAAC,WAAW,KAAK,IAAI;YACxC,UAAU,EAAE,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;SAClF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,kDAAkD;QAClD,aAAa,GAAG;YACd,gBAAgB,EAAE,IAAI;YACtB,SAAS,EAAE,UAAU,EAAE;YACvB,WAAW,EAAE,KAAK;SACnB,CAAC;IACJ,CAAC;IAED,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,MAAuB;IAC/D,MAAM,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IAC7E,aAAa,GAAG,MAAM,CAAC;AACzB,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,iBAAiB;IAC/B,aAAa,GAAG,IAAI,CAAC;AACvB,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,kBAAkB;IAChC,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC5E,IAAI,aAAa,IAAI,CAAC,aAAa,CAAC,gBAAgB;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,QAAQ;IACtB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC1C,CAAC;AAED,gFAAgF;AAEhF,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,MAAM,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC3C,IAAI,MAAM,CAAC,WAAW;QAAE,OAAO;IAE/B,+EAA+E;IAC/E,MAAM,MAAM,GAAG;QACb,EAAE;QACF,mEAAmE;QACnE,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,mEAAmE;QACnE,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEpC,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,WAAW,CAAC,KAAqB;IAC/C,IAAI,CAAC,kBAAkB,EAAE;QAAE,OAAO;IAElC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,KAAK,GAAG,CAAC;IACrE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,IAAI,gBAAgB,CAAC;IAElF,MAAM,MAAM,GAAG,aAAa,CAAC;IAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;QAC1B,GAAG,KAAK;QACR,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,SAAS;QACzC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,IAAI,IAAI,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,KAAK,CAAC,QAAQ,EAAE;QACd,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI;QACJ,6EAA6E;QAC7E,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;KACnC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QACZ,+DAA+D;IACjE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,gBAAgB;IAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAC3D,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,UAAU,CAAC;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;QAAE,OAAO,SAAS,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;QAAE,OAAO,eAAe,CAAC;IAC9D,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,iBAAiB,CAAC;IACtD,OAAO,SAAS,CAAC;AACnB,CAAC;AAUD,IAAI,eAAe,GAAwB,IAAI,CAAC;AAChD,IAAI,gBAAgB,GAAiC,IAAI,CAAC;AAE1D,MAAM,UAAU,mBAAmB;IACjC,IAAI,eAAe;QAAE,OAAO,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC7D,IAAI,gBAAgB;QAAE,OAAO,gBAAgB,CAAC;IAE9C,gBAAgB,GAAG,CAAC,KAAK,IAAI,EAAE;QAC7B,MAAM,QAAQ,GAAiB,EAAE,QAAQ,EAAE,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;QAE3D,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3F,QAAQ,CAAC,QAAQ,GAAG,MAAM,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC,CAAC,4CAA4C,CAAC,CAAC;QAExD,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YAClG,QAAQ,CAAC,YAAY,GAAG,MAAM,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC,CAAC,0BAA0B,CAAC,CAAC;QAEtC,eAAe,GAAG,QAAQ,CAAC;QAC3B,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,mBAAmB;IACjC,eAAe,GAAG,IAAI,CAAC;IACvB,gBAAgB,GAAG,IAAI,CAAC;AAC1B,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,UAAU,CACxB,KAAa,EACb,OAAe,EACf,SAAwB,EACxB,UAAgC;IAEhC,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC;IACtB,MAAM,QAAQ,GAAG,eAAe,CAAC;IACjC,OAAO;QACL,KAAK;QACL,OAAO,EAAE,YAAY;QACrB,OAAO;QACP,EAAE,EAAE,OAAO,CAAC,QAAQ;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,WAAW,EAAE,OAAO,CAAC,OAAO;QAC5B,IAAI,EAAE,EAAE,CAAC,IAAI;QACb,MAAM,EAAE,EAAE,CAAC,MAAM;QACjB,SAAS;QACT,UAAU,EAAE,UAAU,EAAE,UAAU,IAAI,gBAAgB,EAAE;QACxD,QAAQ,EAAE,QAAQ,EAAE,QAAQ;QAC5B,YAAY,EAAE,QAAQ,EAAE,YAAY;QACpC,QAAQ,EAAE,QAAQ,EAAE,QAAQ;QAC5B,GAAG,UAAU;KACd,CAAC;AACJ,CAAC"}
+{"version":3,"file":"telemetry.js","sourceRoot":"","sources":["../../src/telemetry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,IAAI,IAAI,KAAK,EAAE,MAAM,IAAI,OAAO,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAqF1C,gFAAgF;AAEhF,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,kBAAkB,CAAC,CAAC;AAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;AACzD,MAAM,gBAAgB,GAAG,mEAAmE,CAAC;AAC7F,MAAM,6BAA6B,GAAG,2BAA2B,CAAC;AAElE,gFAAgF;AAEhF,IAAI,aAAa,GAA2B,IAAI,CAAC;AAEjD,MAAM,UAAU,SAAS;IACvB,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;QAC3D,aAAa,GAAG;YACd,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,KAAK,KAAK;YACnD,SAAS,EAAE,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,EAAE;YACjF,WAAW,EAAE,MAAM,CAAC,WAAW,KAAK,IAAI;YACxC,UAAU,EAAE,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;SAClF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,kDAAkD;QAClD,aAAa,GAAG;YACd,gBAAgB,EAAE,IAAI;YACtB,SAAS,EAAE,UAAU,EAAE;YACvB,WAAW,EAAE,KAAK;SACnB,CAAC;IACJ,CAAC;IAED,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,MAAuB;IAC/D,MAAM,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IAC7E,aAAa,GAAG,MAAM,CAAC;AACzB,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,iBAAiB;IAC/B,aAAa,GAAG,IAAI,CAAC;AACvB,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,kBAAkB;IAChC,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC5E,IAAI,aAAa,IAAI,CAAC,aAAa,CAAC,gBAAgB;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,QAAQ;IACtB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC1C,CAAC;AAED,gFAAgF;AAEhF,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,MAAM,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC3C,IAAI,MAAM,CAAC,WAAW;QAAE,OAAO;IAE/B,+EAA+E;IAC/E,MAAM,MAAM,GAAG;QACb,EAAE;QACF,mEAAmE;QACnE,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,mEAAmE;QACnE,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEpC,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,WAAW,CAAC,KAAqB;IAC/C,IAAI,CAAC,kBAAkB,EAAE;QAAE,OAAO;IAElC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,KAAK,GAAG,CAAC;IACrE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,IAAI,gBAAgB,CAAC;IAElF,MAAM,MAAM,GAAG,aAAa,CAAC;IAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;QAC1B,GAAG,KAAK;QACR,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,SAAS;QACzC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,IAAI,IAAI,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,KAAK,CAAC,QAAQ,EAAE;QACd,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI;QACJ,6EAA6E;QAC7E,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;KACnC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QACZ,+DAA+D;IACjE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,gBAAgB;IAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAC3D,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,UAAU,CAAC;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;QAAE,OAAO,SAAS,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IACjD,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;QAAE,OAAO,eAAe,CAAC;IAC9D,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,iBAAiB,CAAC;IACtD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY;IAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC;IACxC,OAAO,KAAK,IAAI,SAAS,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,4BAA4B;IAI1C,OAAO;QACL,gBAAgB,EAAE,QAAQ,CAAC,mBAAmB,CAAC;QAC/C,cAAc,EAAE,QAAQ,CAAC,iBAAiB,CAAC;QAC3C,WAAW,EAAE,QAAQ,CAAC,eAAe,CAAC;QACtC,eAAe,EAAE,QAAQ,CAAC,mBAAmB,CAAC;QAC9C,eAAe,EAAE,QAAQ,CAAC,mBAAmB,CAAC;QAC9C,SAAS,EAAE,QAAQ,CAAC,YAAY,CAAC;QACjC,WAAW,EAAE,QAAQ,CAAC,cAAc,CAAC;KACtC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,UAA8B;IACzE,OAAO,UAAU,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,6BAA6B,CAAC;AAC5E,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,OAKvC;IACC,MAAM,YAAY,GAAG,OAAO,CAAC,UAAU,KAAK,gBAAgB,IAAI,4BAA4B,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACvH,IAAI,YAAY;QAAE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,CAAC;IAC7E,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,UAAU;QAAE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC;IAChG,IAAI,OAAO,CAAC,SAAS,KAAK,KAAK;QAAE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;IACjF,IAAI,OAAO,CAAC,SAAS,KAAK,KAAK;QAAE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC;IACnF,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,SAAS,EAAE,CAAC;AACtD,CAAC;AAYD,IAAI,eAAe,GAAwB,IAAI,CAAC;AAChD,IAAI,gBAAgB,GAAiC,IAAI,CAAC;AAE1D,MAAM,UAAU,mBAAmB;IACjC,IAAI,eAAe;QAAE,OAAO,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC7D,IAAI,gBAAgB;QAAE,OAAO,gBAAgB,CAAC;IAE9C,gBAAgB,GAAG,CAAC,KAAK,IAAI,EAAE;QAC7B,MAAM,QAAQ,GAAiB,EAAE,QAAQ,EAAE,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;QAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,EAAE,IAAI,EAAE,CAAC;QACvD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,EAAE,IAAI,EAAE,CAAC;QAC/D,IAAI,GAAG;YAAE,QAAQ,CAAC,GAAG,GAAG,GAAG,CAAC;QAC5B,IAAI,OAAO;YAAE,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;QAExC,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3F,QAAQ,CAAC,QAAQ,GAAG,MAAM,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC,CAAC,4CAA4C,CAAC,CAAC;QAExD,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YAClG,QAAQ,CAAC,YAAY,GAAG,MAAM,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC,CAAC,0BAA0B,CAAC,CAAC;QAEtC,eAAe,GAAG,QAAQ,CAAC;QAC3B,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,mBAAmB;IACjC,eAAe,GAAG,IAAI,CAAC;IACvB,gBAAgB,GAAG,IAAI,CAAC;AAC1B,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,UAAU,CACxB,KAAa,EACb,OAAe,EACf,SAAwB,EACxB,UAAgC;IAEhC,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC;IACtB,MAAM,QAAQ,GAAG,eAAe,CAAC;IACjC,MAAM,UAAU,GAAG,UAAU,EAAE,UAAU,IAAI,gBAAgB,EAAE,CAAC;IAChE,MAAM,MAAM,GAAG,UAAU,KAAK,gBAAgB,CAAC,CAAC,CAAC,4BAA4B,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACrF,MAAM,gBAAgB,GAAG,UAAU,EAAE,gBAAgB,IAAI,MAAM,CAAC,gBAAgB,CAAC;IACjF,MAAM,cAAc,GAAG,uBAAuB,CAAC;QAC7C,SAAS;QACT,IAAI,EAAE,EAAE,CAAC,IAAI;QACb,UAAU;QACV,gBAAgB;KACjB,CAAC,CAAC;IACH,OAAO;QACL,KAAK;QACL,OAAO,EAAE,YAAY;QACrB,OAAO;QACP,EAAE,EAAE,OAAO,CAAC,QAAQ;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,WAAW,EAAE,OAAO,CAAC,OAAO;QAC5B,IAAI,EAAE,EAAE,CAAC,IAAI;QACb,MAAM,EAAE,EAAE,CAAC,MAAM;QACjB,SAAS;QACT,UAAU;QACV,GAAG,EAAE,UAAU,EAAE,GAAG,IAAI,QAAQ,EAAE,GAAG;QACrC,OAAO,EAAE,UAAU,EAAE,OAAO,IAAI,QAAQ,EAAE,OAAO;QACjD,QAAQ,EAAE,QAAQ,EAAE,QAAQ;QAC5B,YAAY,EAAE,QAAQ,EAAE,YAAY;QACpC,QAAQ,EAAE,QAAQ,EAAE,QAAQ;QAC5B,GAAG,MAAM;QACT,gBAAgB;QAChB,YAAY,EAAE,UAAU,EAAE,YAAY,IAAI,cAAc,CAAC,YAAY;QACrE,eAAe,EAAE,UAAU,EAAE,eAAe,IAAI,cAAc,CAAC,eAAe;QAC9E,GAAG,UAAU;KACd,CAAC;AACJ,CAAC"}

package/dist/src/types.d.ts

@@ -13,6 +13,8 @@ export interface LocalProcessTargetConfig {
     env?: Record<string, string>;
     timeoutMs?: number;
     metadata?: Record<string, string>;
+    /** Suppress known security findings by rule id, tool name, or toolName:ruleId. */
+    securitySuppressions?: string[];
     /** Skip tool invocation checks for this target even with `scan deep`. */
     skipInvoke?: boolean;
 }
@@ -24,6 +26,8 @@ export interface HttpTargetConfig {
     headers?: Record<string, string>;
     timeoutMs?: number;
     metadata?: Record<string, string>;
+    /** Suppress known security findings by rule id, tool name, or toolName:ruleId. */
+    securitySuppressions?: string[];
     /** Skip tool invocation checks for this target even with `scan deep`. */
     skipInvoke?: boolean;
 }
@@ -53,6 +57,7 @@ export interface EvidenceSummary {
     diagnostics?: string[];
     schemas?: Record<string, object>;
     responseSnapshots?: Record<string, unknown>;
+    findings?: Array<Record<string, unknown>>;
 }
 export interface CheckResult {
     id: CheckId;

package/dist/src/validate.js

@@ -15,6 +15,47 @@ function requireArray(obj, field, label) {
     }
     return value;
 }
+function expandEnvValue(value, label) {
+    const match = value.match(/^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/) ??
+        value.match(/^\$([A-Za-z_][A-Za-z0-9_]*)$/) ??
+        value.match(/^env:([A-Za-z_][A-Za-z0-9_]*)$/);
+    if (!match)
+        return value;
+    const name = match[1];
+    const envValue = process.env[name];
+    if (envValue === undefined) {
+        throw new Error(`${label} references missing environment variable '${name}'.`);
+    }
+    return envValue;
+}
+function optionalStringRecord(value, label, expand = false) {
+    if (value === undefined)
+        return undefined;
+    if (!isObject(value)) {
+        throw new Error(`${label} must be an object with string values.`);
+    }
+    const result = {};
+    for (const [key, raw] of Object.entries(value)) {
+        if (typeof raw !== "string") {
+            throw new Error(`${label}.${key} must be a string.`);
+        }
+        result[key] = expand ? expandEnvValue(raw, `${label}.${key}`) : raw;
+    }
+    return result;
+}
+function optionalStringArray(value, label) {
+    if (value === undefined)
+        return undefined;
+    if (!Array.isArray(value)) {
+        throw new Error(`${label} must be an array of strings.`);
+    }
+    return value.map((entry, i) => {
+        if (typeof entry !== "string" || entry.length === 0) {
+            throw new Error(`${label}[${i}] must be a non-empty string.`);
+        }
+        return entry;
+    });
+}
 export function validateTargetConfig(data) {
     if (!isObject(data)) {
         throw new Error("Target config must be a JSON object.");
@@ -27,10 +68,11 @@ export function validateTargetConfig(data) {
             targetId,
             adapter: "http",
             url,
-            authToken: typeof data["authToken"] === "string" ? data["authToken"] : undefined,
-            headers: isObject(data["headers"]) ? data["headers"] : undefined,
+            authToken: typeof data["authToken"] === "string" ? expandEnvValue(data["authToken"], "Target config authToken") : undefined,
+            headers: optionalStringRecord(data["headers"], "Target config headers", true),
             timeoutMs: typeof data["timeoutMs"] === "number" ? data["timeoutMs"] : undefined,
-            metadata: isObject(data["metadata"]) ? data["metadata"] : undefined,
+            metadata: optionalStringRecord(data["metadata"], "Target config metadata"),
+            securitySuppressions: optionalStringArray(data["securitySuppressions"], "Target config securitySuppressions"),
             skipInvoke: data["skipInvoke"] === true ? true : undefined,
         };
     }
@@ -51,9 +93,10 @@ export function validateTargetConfig(data) {
         command,
         args,
         cwd: typeof data["cwd"] === "string" ? data["cwd"] : undefined,
-        env: isObject(data["env"]) ? data["env"] : undefined,
+        env: optionalStringRecord(data["env"], "Target config env", true),
         timeoutMs: typeof data["timeoutMs"] === "number" ? data["timeoutMs"] : undefined,
-        metadata: isObject(data["metadata"]) ? data["metadata"] : undefined,
+        metadata: optionalStringRecord(data["metadata"], "Target config metadata"),
+        securitySuppressions: optionalStringArray(data["securitySuppressions"], "Target config securitySuppressions"),
         skipInvoke: data["skipInvoke"] === true ? true : undefined,
     };
 }

package/dist/src/validate.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/validate.ts"],"names":[],"mappings":"AAEA,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,aAAa,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC/E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,IAAI,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC9E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,wBAAwB,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAEhE,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;QACxD,OAAO;YACL,QAAQ;YACR,OAAO,EAAE,MAAM;YACf,GAAG;YACH,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;YAChF,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAA2B,CAAC,CAAC,CAAC,SAAS;YAC1F,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;YAChF,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAA2B,CAAC,CAAC,CAAC,SAAS;YAC7F,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SAC3D,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,KAAK,eAAe,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,0CAA0C,OAAO,wCAAwC,CAAC,CAAC;IAC7G,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAClC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,OAAO;QACP,OAAO;QACP,IAAI;QACJ,GAAG,EAAE,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QAC9D,GAAG,EAAE,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAA2B,CAAC,CAAC,CAAC,SAAS;QAC9E,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;QAChF,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAA2B,CAAC,CAAC,CAAC,SAAS;QAC7F,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;KAC3D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,IAAa;IAC/C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,KAAK,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,iDAAiD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC;IACrG,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IAC7C,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IACjD,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;IACrD,aAAa,CAAC,IAAI,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IACnD,YAAY,CAAC,IAAI,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAE7C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,+EAA+E;IAC/E,2EAA2E;IAC3E,OAAO,IAA8B,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,kDAAkD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC;IACtG,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;IAEtD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,IAA+B,CAAC;AACzC,CAAC"}
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/validate.ts"],"names":[],"mappings":"AAEA,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,aAAa,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC/E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,IAAI,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC9E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,wBAAwB,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,KAAa;IAClD,MAAM,KAAK,GACT,KAAK,CAAC,KAAK,CAAC,kCAAkC,CAAC;QAC/C,KAAK,CAAC,KAAK,CAAC,8BAA8B,CAAC;QAC3C,KAAK,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IACvB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,6CAA6C,IAAI,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc,EAAE,KAAa,EAAE,MAAM,GAAG,KAAK;IACzE,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,wCAAwC,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,GAAG,oBAAoB,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACtE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc,EAAE,KAAa;IACxD,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAEhE,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;QACxD,OAAO;YACL,QAAQ;YACR,OAAO,EAAE,MAAM;YACf,GAAG;YACH,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,yBAAyB,CAAC,CAAC,CAAC,CAAC,SAAS;YAC3H,OAAO,EAAE,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,uBAAuB,EAAE,IAAI,CAAC;YAC7E,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;YAChF,QAAQ,EAAE,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,wBAAwB,CAAC;YAC1E,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,oCAAoC,CAAC;YAC7G,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SAC3D,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,KAAK,eAAe,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,0CAA0C,OAAO,wCAAwC,CAAC,CAAC;IAC7G,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAClC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,OAAO;QACP,OAAO;QACP,IAAI;QACJ,GAAG,EAAE,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QAC9D,GAAG,EAAE,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,mBAAmB,EAAE,IAAI,CAAC;QACjE,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;QAChF,QAAQ,EAAE,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,wBAAwB,CAAC;QAC1E,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,oCAAoC,CAAC;QAC7G,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;KAC3D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,IAAa;IAC/C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,KAAK,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,iDAAiD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC;IACrG,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IAC7C,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IACjD,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;IACrD,aAAa,CAAC,IAAI,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IACnD,YAAY,CAAC,IAAI,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAE7C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,+EAA+E;IAC/E,2EAA2E;IAC3E,OAAO,IAA8B,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,kDAAkD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC;IACtG,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;IAEtD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,IAA+B,CAAC;AACzC,CAAC"}

package/docs/architecture.md

@@ -0,0 +1,32 @@
+# Architecture
+
+MCP Observatory is intentionally small. The core data flow is:
+
+1. **Target config**
+   A JSON description of how to start a target via the local-process adapter.
+2. **Adapter**
+   The adapter starts an MCP server over stdio and establishes a client session.
+3. **Checks**
+   The runner executes `tools`, `prompts`, `resources`, and `semantics`.
+4. **Run artifact**
+   Results are normalized into a stable, versioned JSON artifact with a top-level `gate`.
+5. **Diff**
+   Two run artifacts can be compared to classify regressions and recoveries.
+6. **Report**
+   Run or diff artifacts render as terminal output, JSON, or Markdown.
+
+## Design Intent
+
+- keep the adapter boundary obvious so more target types can be added later
+- keep checks isolated and typed
+- treat artifacts as product surfaces, not incidental output
+- keep the Markdown report strong enough to stand on its own in issues, PRs, and CI
+
+## Stability Surfaces
+
+These are the most important surfaces to preserve carefully:
+
+- artifact schema
+- diff semantics
+- `unsupported` vs `failed` interpretation
+- Markdown report structure and usefulness

package/docs/certification-campaign-template.md

@@ -0,0 +1,181 @@
+# MCP Observatory Certification Campaign
+
+Use this tracker for outbound PR waves against MCP server repositories.
+
+## Campaign Goal
+
+Open helpful PRs that add MCP Observatory CI checks and a public compatibility/security badge to popular MCP server projects.
+
+One-shot campaign target:
+
+- 50 researched repos
+- 25 PRs opened
+- 10 accepted checks or badges
+- 5 public proof points added to launch materials
+- 3 production/security pilot conversations started
+
+## Qualification Rules
+
+Prioritize:
+
+- active MCP server repos
+- clear install/run command
+- recent commit or release in the last 90 days
+- 100+ stars, meaningful npm downloads, directory popularity, or enterprise category
+- developer tools, security, CI/CD, database, browser automation, SaaS, cloud, or finance servers
+
+Skip:
+
+- servers that require private credentials to start
+- repos with destructive default tools
+- abandoned repos unless they have major download volume
+- projects that already have equivalent MCP compatibility/security CI
+
+## Tracker
+
+| Priority | Repo | Package/Command | Category | Stars/Downloads/Listing Signal | Activity Signal | Risk Notes | Status | PR URL | Accepted/Badge/Proof |
+| ---: | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 | `modelcontextprotocol/servers` | `npx -y @modelcontextprotocol/server-everything` | Reference | Official/reference signal | verify active package path | Safe reference target; PR may need package-specific scope | researched | | |
+| 2 | `modelcontextprotocol/servers` | `npx -y @modelcontextprotocol/server-filesystem .` | Filesystem | Official/reference signal | verify package location | Needs harmless temp directory target | researched | | |
+| 3 | `upstash/context7` | `npx -y @upstash/context7-mcp` | Developer Tools | Directory/listing signal | verify current package name | Network behavior should be reviewed before fail gate | researched | | |
+| 4 | `executeautomation/mcp-playwright` | `npx -y @executeautomation/playwright-mcp-server` | Browser Automation | High-interest browser MCP category | verify current package name | Browser install may be slow; start workflow-only | researched | | |
+| 5 | `browserbase/mcp-server-browserbase` | `npx -y @browserbasehq/mcp-server-browserbase` | Browser Automation | Hosted browser MCP category | verify auth-free startup | May require API key; issue-only if startup requires credentials | researched | | |
+| 6 | `smithery-ai/server-sequential-thinking` | `npx -y @smithery-ai/server-sequential-thinking` | Developer Tools | MCP directory ecosystem | verify package/repo naming | Good low-risk simple server if public package starts cleanly | researched | | |
+| 7 | `kazuph/mcp-taskmanager` | `npx -y mcp-taskmanager` | Developer Tools | Task/project MCP category | verify package | Confirm no destructive default actions | researched | | |
+| 8 | `cyanheads/filesystem-mcp-server` | `npx -y filesystem-mcp-server .` | Filesystem | Popular category | verify command | Needs harmless temp directory target | researched | | |
+| 9 | `redis/mcp-redis` | `uvx mcp-redis` | Database | Enterprise database category | verify auth-free startup | Database target may require service; issue-only if credentials needed | researched | | |
+| 10 | `mongodb-js/mongodb-mcp-server` | `npx -y mongodb-mcp-server` | Database | Enterprise database category | verify auth-free startup | Likely needs connection string; issue-only first | researched | | |
+| 11 | `supabase-community/supabase-mcp` | `npx -y supabase-mcp` | Database | Enterprise/SaaS category | verify current package | Likely requires token; issue-only first | researched | | |
+| 12 | `cloudflare/mcp-server-cloudflare` | `npx -y @cloudflare/mcp-server-cloudflare` | Cloud | Enterprise cloud category | verify package | Likely requires auth; issue-only first | researched | | |
+| 13 | `stripe/agent-toolkit` | `npx -y @stripe/agent-toolkit` | Payments | Enterprise payments category | verify MCP mode | Likely requires API key; issue-only first | researched | | |
+| 14 | `github/github-mcp-server` | `docker run ghcr.io/github/github-mcp-server` | Developer Tools | Major platform category | verify image/startup | Auth required for useful checks; issue-only first | researched | | |
+| 15 | `microsoft/playwright-mcp` | `npx -y @playwright/mcp` | Browser Automation | Major platform category | verify package | Browser dependencies may be slow; workflow-only first | researched | | |
+| 16 | `jetbrains/mcpProxy` | `npx -y @jetbrains/mcp-proxy` | Developer Tools | IDE platform category | verify package | May depend on IDE process; issue-only first | researched | | |
+| 17 | `pydantic/pydantic-ai` | `uvx pydantic-ai-mcp` | AI Framework | Framework ecosystem | verify MCP server package | May be docs/example rather than standalone server | researched | | |
+| 18 | `langchain-ai/langchain-mcp-adapters` | `npx -y <example-server>` | AI Framework | Framework ecosystem | choose example server | Adapter repo may not expose standalone server | researched | | |
+| 19 | `apify/actors-mcp-server` | `npx -y @apify/actors-mcp-server` | SaaS/API | Automation platform category | verify auth-free startup | Likely requires token; issue-only first | researched | | |
+| 20 | `notionhq/notion-mcp-server` | `npx -y @notionhq/notion-mcp-server` | SaaS/API | Major SaaS category | verify package | Likely requires token; issue-only first | researched | | |
+| 21 | `linear/linear-mcp` | `npx -y @linear/mcp-server` | SaaS/API | Developer SaaS category | verify package | Likely requires token; issue-only first | researched | | |
+| 22 | `sentry/sentry-mcp` | `npx -y @sentry/mcp-server` | Observability | Developer SaaS category | verify package | Likely requires token; issue-only first | researched | | |
+| 23 | `elastic/mcp-server-elasticsearch` | `npx -y @elastic/mcp-server-elasticsearch` | Search | Enterprise search category | verify package | Likely requires service; issue-only first | researched | | |
+| 24 | `qdrant/mcp-server-qdrant` | `uvx mcp-server-qdrant` | Vector Database | AI infra category | verify package | May require service URL; issue-only first | researched | | |
+| 25 | `weaviate/mcp-server-weaviate` | `uvx mcp-server-weaviate` | Vector Database | AI infra category | verify package | May require service URL; issue-only first | researched | | |
+| 26 | `owner/repo` | `npx -y package` | Browser Automation | | | | researched | | |
+| 27 | `owner/repo` | `uvx package` | API | | | | researched | | |
+| 28 | `owner/repo` | `npx -y package` | Database | | | | researched | | |
+| 29 | `owner/repo` | `npx -y package` | Search | | | | researched | | |
+| 30 | `owner/repo` | `docker run image` | Cloud | | | | researched | | |
+| 31 | `owner/repo` | `npx -y package` | Developer Tools | | | | researched | | |
+| 32 | `owner/repo` | `uvx package` | Security | | | | researched | | |
+| 33 | `owner/repo` | `npx -y package` | SaaS | | | | researched | | |
+| 34 | `owner/repo` | `npx -y package` | Data | | | | researched | | |
+| 35 | `owner/repo` | `docker run image` | Infrastructure | | | | researched | | |
+| 36 | `owner/repo` | `npx -y package` | Finance | | | | researched | | |
+| 37 | `owner/repo` | `uvx package` | Browser Automation | | | | researched | | |
+| 38 | `owner/repo` | `npx -y package` | API | | | | researched | | |
+| 39 | `owner/repo` | `npx -y package` | Database | | | | researched | | |
+| 40 | `owner/repo` | `docker run image` | Security | | | | researched | | |
+| 41 | `owner/repo` | `npx -y package` | Developer Tools | | | | researched | | |
+| 42 | `owner/repo` | `uvx package` | Data | | | | researched | | |
+| 43 | `owner/repo` | `npx -y package` | Search | | | | researched | | |
+| 44 | `owner/repo` | `npx -y package` | SaaS | | | | researched | | |
+| 45 | `owner/repo` | `docker run image` | Cloud | | | | researched | | |
+| 46 | `owner/repo` | `npx -y package` | Filesystem | | | | researched | | |
+| 47 | `owner/repo` | `uvx package` | Security | | | | researched | | |
+| 48 | `owner/repo` | `npx -y package` | Developer Tools | | | | researched | | |
+| 49 | `owner/repo` | `npx -y package` | Infrastructure | | | | researched | | |
+| 50 | `owner/repo` | `docker run image` | Browser Automation | | | | researched | | |
+
+Statuses:
+
+- `researched`
+- `branch-ready`
+- `pr-opened`
+- `accepted`
+- `declined`
+- `needs-maintainer-input`
+- `proof-captured`
+- `pilot-lead`
+
+## PR Checklist
+
+- Generate the local kit first:
+  `npx @kryptosai/mcp-observatory init-ci --all --command "<safe startup command>"`
+- Add `.github/workflows/mcp-observatory.yml`
+- Add `mcp-observatory.target.json` when the startup command needs args, cwd, or env placeholders
+- Use `deep: true` and `security: true`
+- Keep `fail-on-regression: true` unless the repo is noisy
+- Add README badge only when it fits the repo style
+- Include the generated maintainer PR body from `docs/mcp-observatory-pr-body.md`
+- Do not include raw telemetry, private evidence, or sales pricing
+- Prefer issue-only fallback when the server requires credentials, paid services, destructive tools, or unclear startup
+
+## PR Templates
+
+### Workflow-Only PR
+
+```md
+This adds a lightweight MCP Observatory check for this MCP server.
+
+Why it helps:
+
+- verifies MCP tools/prompts/resources still respond correctly
+- catches schema drift and common security footguns before release
+- posts a readable PR report for maintainers
+- gives users a compatibility signal when evaluating MCP servers
+
+It runs in GitHub Actions and does not require an account. If the check is too strict for this repo, `fail-on-regression: false` can be used while keeping the report visible.
+```
+
+### Workflow + Badge PR
+
+```md
+This adds MCP Observatory CI plus a small README badge so users can see this server is checked for MCP compatibility, schema drift, and common security issues.
+
+The workflow runs on PRs and pushes to `main`. The badge links back to MCP Observatory for context and can be removed if it does not fit the repo style.
+```
+
+### Issue-Only Fallback
+
+~~~md
+I tried preparing a small MCP Observatory CI check for this server, but did not want to open a PR without confirming the safest startup command.
+
+Would you accept a workflow that runs:
+
+```bash
+npx @kryptosai/mcp-observatory test <server command> --security --deep
+```
+
+The goal is to give users a visible compatibility/security signal and catch schema drift before releases.
+~~~
+
+## Generated PR Body Printer
+
+After running `init-ci --all`, print the generated maintainer copy with:
+
+```bash
+npm run certification:pr-body -- docs/mcp-observatory-pr-body.md
+```
+
+For a repo-specific body, run the command from the target branch after generating the local adoption kit.
+
+## Proof Capture
+
+For accepted PRs, record:
+
+- repo
+- PR URL
+- category
+- accepted date
+- badge added: yes/no
+- CI status
+- quote or maintainer reaction if public
+- whether the repo appears in Glama, PulseMCP, Smithery, or awesome-MCP lists
+
+Use accepted PRs as proof for:
+
+- README traction section
+- launch posts
+- enterprise outreach
+- directory listing copy
+- weekly MCP safety report

package/docs/certification-distribution.md

@@ -0,0 +1,129 @@
+# Certification Distribution Loop
+
+Use this when opening helpful PRs to MCP server projects. The motion is simple: run MCP Observatory, give the maintainer a useful security/compatibility check, and leave them with a badge/report they can keep.
+
+## Offer
+
+MCP Observatory gives MCP server maintainers:
+
+- CI coverage for tools, prompts, resources, schema quality, and security checks
+- A PR comment report on every change
+- A README badge they can show publicly
+- A local-first OSS path with no account required
+- A paid production path only if they need hosted history, private repo reporting, support, certification, or fleet visibility
+
+## Copy-Paste Badge
+
+For repos that add the GitHub Action, suggest this README badge:
+
+```md
+[![MCP Observatory](https://img.shields.io/badge/MCP%20Observatory-enabled-2563eb)](https://github.com/KryptosAI/mcp-observatory)
+```
+
+For repos that generate a score badge, suggest:
+
+```bash
+npx @kryptosai/mcp-observatory badge npx -y <server-package> --output docs/mcp-health.svg
+```
+
+```md
+[![MCP Health](./docs/mcp-health.svg)](https://github.com/KryptosAI/mcp-observatory)
+```
+
+## GitHub Action Template
+
+Fast path:
+
+```bash
+npx @kryptosai/mcp-observatory init-ci --all --command "npx -y <server-package>"
+```
+
+That creates:
+
+- `.github/workflows/mcp-observatory.yml`
+- `docs/mcp-observatory-badge.md`
+- `mcp-observatory.target.json`
+- `docs/mcp-observatory-pr-body.md`
+- `docs/mcp-observatory-issue.md`
+- `docs/mcp-observatory-score-badge.md`
+
+Manual template:
+
+```yaml
+name: MCP Observatory
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  mcp-observatory:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: KryptosAI/mcp-observatory/action@main
+        with:
+          command: npx -y <server-package>
+          deep: true
+          security: true
+          comment-on-pr: true
+```
+
+For repos with a local target config:
+
+```yaml
+- uses: KryptosAI/mcp-observatory/action@main
+  with:
+    target: ./observatory-target.json
+    deep: true
+    security: true
+```
+
+## Maintainer PR Body
+
+```md
+This adds a lightweight MCP Observatory check for this server.
+
+Why it helps:
+
+- verifies MCP tools/prompts/resources still respond correctly
+- catches schema drift and common security footguns before release
+- posts a readable PR report for maintainers
+- creates a public compatibility signal for users evaluating MCP servers
+
+It runs locally/inside GitHub Actions and does not require an account. If the check is too strict for this repo, `fail-on-regression: false` can be used while keeping the PR report visible.
+```
+
+## Comment For Passing Repos
+
+```md
+Nice, this server passes MCP Observatory checks. If you want the signal in the README, you can add:
+
+```md
+[![MCP Observatory](https://img.shields.io/badge/MCP%20Observatory-enabled-2563eb)](https://github.com/KryptosAI/mcp-observatory)
+```
+
+That gives users a quick compatibility/security signal when they are choosing MCP servers.
+```
+
+## Targeting Order
+
+Prioritize repos with:
+
+- 100+ GitHub stars or visible npm downloads
+- active releases in the last 90 days
+- MCP servers used by developer tools, security, CI/CD, databases, browser automation, or enterprise SaaS
+- no existing MCP compatibility/security CI
+- clear package command that can run in GitHub Actions
+
+Avoid drive-by PRs where the server requires private credentials, paid services, or destructive default actions.
+
+## Directory Follow-Through
+
+After a repo accepts the check or badge:
+
+- ask the maintainer to mention “tested with MCP Observatory” in their MCP directory listing
+- update the MCP Observatory launch/story docs with the accepted repo
+- use accepted PRs as proof in enterprise outreach
+- invite production users to hosted reporting or certification pilots