@kryptosai/mcp-observatory 0.22.0 → 0.24.0

package/dist/src/validate.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/validate.ts"],"names":[],"mappings":"AAEA,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,aAAa,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC/E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,IAAI,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC9E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,wBAAwB,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,KAAa;IAClD,MAAM,KAAK,GACT,KAAK,CAAC,KAAK,CAAC,kCAAkC,CAAC;QAC/C,KAAK,CAAC,KAAK,CAAC,8BAA8B,CAAC;QAC3C,KAAK,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IACvB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,6CAA6C,IAAI,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc,EAAE,KAAa,EAAE,MAAM,GAAG,KAAK;IACzE,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,wCAAwC,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,GAAG,oBAAoB,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACtE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc,EAAE,KAAa;IACxD,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAEhE,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;QACxD,OAAO;YACL,QAAQ;YACR,OAAO,EAAE,MAAM;YACf,GAAG;YACH,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,yBAAyB,CAAC,CAAC,CAAC,CAAC,SAAS;YAC3H,OAAO,EAAE,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,uBAAuB,EAAE,IAAI,CAAC;YAC7E,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;YAChF,QAAQ,EAAE,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,wBAAwB,CAAC;YAC1E,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,oCAAoC,CAAC;YAC7G,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SAC3D,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,KAAK,eAAe,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,0CAA0C,OAAO,wCAAwC,CAAC,CAAC;IAC7G,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAClC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,OAAO;QACP,OAAO;QACP,IAAI;QACJ,GAAG,EAAE,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QAC9D,GAAG,EAAE,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,mBAAmB,EAAE,IAAI,CAAC;QACjE,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;QAChF,QAAQ,EAAE,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,wBAAwB,CAAC;QAC1E,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,oCAAoC,CAAC;QAC7G,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;KAC3D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,IAAa;IAC/C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,KAAK,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,iDAAiD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC;IACrG,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IAC7C,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IACjD,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;IACrD,aAAa,CAAC,IAAI,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IACnD,YAAY,CAAC,IAAI,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAE7C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,+EAA+E;IAC/E,2EAA2E;IAC3E,OAAO,IAA8B,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,kDAAkD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC;IACtG,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;IAEtD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,IAA+B,CAAC;AACzC,CAAC"}
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/validate.ts"],"names":[],"mappings":"AAEA,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,aAAa,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC/E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,IAAI,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC9E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,wBAAwB,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAChF,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,KAAK,2BAA2B,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,GAA4B,EAAE,KAAa,EAAE,KAAa;IAC/E,MAAM,KAAK,GAAG,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IAChD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,KAAK,IAAI,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,KAAc,EAAE,KAAa;IAClD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;IACzF,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,wBAAwB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAc,EAAE,KAAa;IACnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,cAAc,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,gBAAgB,CAAC,CAAC,CAAC;IACrI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,0BAA0B,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAc;IACxC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,MAAM,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;QAC5F,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,sBAAsB,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,KAAc,EAAE,KAAa;IAClD,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,uBAAuB,KAAK,sBAAsB,CAAC,CAAC;IACtE,CAAC;IACD,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,uBAAuB,KAAK,GAAG,CAAC,CAAC;IAC7D,cAAc,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,uBAAuB,KAAK,cAAc,CAAC,CAAC;IAChF,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,uBAAuB,KAAK,GAAG,CAAC,CAAC;IAChE,aAAa,CAAC,KAAK,EAAE,YAAY,EAAE,uBAAuB,KAAK,GAAG,CAAC,CAAC;IACpE,aAAa,CAAC,KAAK,EAAE,SAAS,EAAE,uBAAuB,KAAK,GAAG,CAAC,CAAC;IACjE,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,uBAAuB,KAAK,GAAG,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,KAAa;IAClD,MAAM,KAAK,GACT,KAAK,CAAC,KAAK,CAAC,kCAAkC,CAAC;QAC/C,KAAK,CAAC,KAAK,CAAC,8BAA8B,CAAC;QAC3C,KAAK,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IACvB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,6CAA6C,IAAI,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc,EAAE,KAAa,EAAE,MAAM,GAAG,KAAK;IACzE,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,wCAAwC,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,GAAG,oBAAoB,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACtE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc,EAAE,KAAa;IACxD,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,+BAA+B,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAEhE,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;QACxD,OAAO;YACL,QAAQ;YACR,OAAO,EAAE,MAAM;YACf,GAAG;YACH,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,yBAAyB,CAAC,CAAC,CAAC,CAAC,SAAS;YAC3H,OAAO,EAAE,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,uBAAuB,EAAE,IAAI,CAAC;YAC7E,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;YAChF,QAAQ,EAAE,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,wBAAwB,CAAC;YAC1E,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,oCAAoC,CAAC;YAC7G,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SAC3D,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,KAAK,eAAe,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,0CAA0C,OAAO,wCAAwC,CAAC,CAAC;IAC7G,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAClC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,OAAO;QACP,OAAO;QACP,IAAI;QACJ,GAAG,EAAE,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QAC9D,GAAG,EAAE,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,mBAAmB,EAAE,IAAI,CAAC;QACjE,SAAS,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;QAChF,QAAQ,EAAE,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,wBAAwB,CAAC;QAC1E,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,oCAAoC,CAAC;QAC7G,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;KAC3D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,IAAa;IAC/C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,KAAK,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,iDAAiD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC;IACrG,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IAC7C,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IACjD,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;IACrD,aAAa,CAAC,IAAI,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAE5D,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,UAAU,EAAE,qBAAqB,CAAC,CAAC;IACjE,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,UAAU,EAAE,0BAA0B,CAAC,CAAC;IAC3E,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,aAAa,EAAE,0BAA0B,CAAC,CAAC;IAC9E,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;IACpC,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;QAC9C,aAAa,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,+EAA+E;IAC/E,2EAA2E;IAC3E,OAAO,IAA8B,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAa;IAChD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,CAAC,KAAK,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,kDAAkD,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC;IACtG,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;IAEtD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,IAA+B,CAAC;AACzC,CAAC"}

package/docs/certification-campaign-template.md

@@ -35,32 +35,32 @@ Skip:
 
 | Priority | Repo | Package/Command | Category | Stars/Downloads/Listing Signal | Activity Signal | Risk Notes | Status | PR URL | Accepted/Badge/Proof |
 | ---: | --- | --- | --- | --- | --- | --- | --- | --- | --- |
-| 1 | `modelcontextprotocol/servers` | `npx -y @modelcontextprotocol/server-everything` | Reference | Official/reference signal | verify active package path | Safe reference target; PR may need package-specific scope | researched | | |
+| 1 | `modelcontextprotocol/servers` | `npx -y @modelcontextprotocol/server-sequential-thinking@latest` | Reference | Official/reference signal | GitHub check passing on PR; local validation passed: 1 tool | Fork PR token is read-only, so workflow disables PR comment/status writes | pr-opened | https://github.com/modelcontextprotocol/servers/pull/4392 | Waiting for maintainer review |
 | 2 | `modelcontextprotocol/servers` | `npx -y @modelcontextprotocol/server-filesystem .` | Filesystem | Official/reference signal | verify package location | Needs harmless temp directory target | researched | | |
-| 3 | `upstash/context7` | `npx -y @upstash/context7-mcp` | Developer Tools | Directory/listing signal | verify current package name | Network behavior should be reviewed before fail gate | researched | | |
-| 4 | `executeautomation/mcp-playwright` | `npx -y @executeautomation/playwright-mcp-server` | Browser Automation | High-interest browser MCP category | verify current package name | Browser install may be slow; start workflow-only | researched | | |
+| 3 | `upstash/context7` | `npx -y @upstash/context7-mcp@latest` | Developer Tools | 57k+ stars / major MCP docs server | Local validation passed: 2 tools | `@latest` required for npx bin resolution | pr-opened | https://github.com/upstash/context7/pull/2800 | Waiting for maintainer review |
+| 4 | `executeautomation/mcp-playwright` | `npx -y @executeautomation/playwright-mcp-server@latest` | Browser Automation | 5k+ stars / high-interest browser MCP category | Local validation passed: 33 tools, 1 resource | Requires Chromium install; suppressed intentional `playwright_evaluate:shell-injection` finding | pr-opened | https://github.com/executeautomation/mcp-playwright/pull/225 | Waiting for maintainer review |
 | 5 | `browserbase/mcp-server-browserbase` | `npx -y @browserbasehq/mcp-server-browserbase` | Browser Automation | Hosted browser MCP category | verify auth-free startup | May require API key; issue-only if startup requires credentials | researched | | |
 | 6 | `smithery-ai/server-sequential-thinking` | `npx -y @smithery-ai/server-sequential-thinking` | Developer Tools | MCP directory ecosystem | verify package/repo naming | Good low-risk simple server if public package starts cleanly | researched | | |
-| 7 | `kazuph/mcp-taskmanager` | `npx -y mcp-taskmanager` | Developer Tools | Task/project MCP category | verify package | Confirm no destructive default actions | researched | | |
-| 8 | `cyanheads/filesystem-mcp-server` | `npx -y filesystem-mcp-server .` | Filesystem | Popular category | verify command | Needs harmless temp directory target | researched | | |
+| 7 | `kazuph/mcp-taskmanager` | `npx -y @kazuph/mcp-taskmanager@latest` | Developer Tools | 200+ stars / task/project MCP category | Local validation passed: 10 tools | Scoped package name corrected from tracker | pr-opened | https://github.com/kazuph/mcp-taskmanager/pull/11 | Waiting for maintainer review |
+| 8 | `cyanheads/filesystem-mcp-server` | `node dist/index.js` | Filesystem | Filesystem MCP category | Local validation passed after fix: 10 tools | Fixed real conformance bug: advertised resources without `resources/list`; workflow uses temp sandbox | closed-unmerged | https://github.com/cyanheads/filesystem-mcp-server/pull/19 | Closed by maintainer without merge |
 | 9 | `redis/mcp-redis` | `uvx mcp-redis` | Database | Enterprise database category | verify auth-free startup | Database target may require service; issue-only if credentials needed | researched | | |
 | 10 | `mongodb-js/mongodb-mcp-server` | `npx -y mongodb-mcp-server` | Database | Enterprise database category | verify auth-free startup | Likely needs connection string; issue-only first | researched | | |
 | 11 | `supabase-community/supabase-mcp` | `npx -y supabase-mcp` | Database | Enterprise/SaaS category | verify current package | Likely requires token; issue-only first | researched | | |
 | 12 | `cloudflare/mcp-server-cloudflare` | `npx -y @cloudflare/mcp-server-cloudflare` | Cloud | Enterprise cloud category | verify package | Likely requires auth; issue-only first | researched | | |
 | 13 | `stripe/agent-toolkit` | `npx -y @stripe/agent-toolkit` | Payments | Enterprise payments category | verify MCP mode | Likely requires API key; issue-only first | researched | | |
 | 14 | `github/github-mcp-server` | `docker run ghcr.io/github/github-mcp-server` | Developer Tools | Major platform category | verify image/startup | Auth required for useful checks; issue-only first | researched | | |
-| 15 | `microsoft/playwright-mcp` | `npx -y @playwright/mcp` | Browser Automation | Major platform category | verify package | Browser dependencies may be slow; workflow-only first | researched | | |
+| 15 | `microsoft/playwright-mcp` | `npx -y @playwright/mcp@latest` | Browser Automation | 34k+ stars / major platform category | Local validation passed: 23 tools | Uses `skipInvoke` and explicit suppressions for intentional browser-code tools | pr-opened | https://github.com/microsoft/playwright-mcp/pull/1657 | Waiting for maintainer review |
 | 16 | `jetbrains/mcpProxy` | `npx -y @jetbrains/mcp-proxy` | Developer Tools | IDE platform category | verify package | May depend on IDE process; issue-only first | researched | | |
-| 17 | `pydantic/pydantic-ai` | `uvx pydantic-ai-mcp` | AI Framework | Framework ecosystem | verify MCP server package | May be docs/example rather than standalone server | researched | | |
-| 18 | `langchain-ai/langchain-mcp-adapters` | `npx -y <example-server>` | AI Framework | Framework ecosystem | choose example server | Adapter repo may not expose standalone server | researched | | |
+| 17 | `BrowserMCP/mcp` | `npx -y @browsermcp/mcp` | Browser Automation | 6k+ stars / browser-control MCP category | Local validation passed: 12 tools | Browser automation trust boundary; workflow is inventory/security only | pr-opened | https://github.com/BrowserMCP/mcp/pull/189 | Waiting for maintainer review |
+| 18 | `UI5/mcp-server` | `npx -y @ui5/mcp-server` | Developer Tools | SAP/UI5 ecosystem MCP package | Local validation passed: 10 tools | Developer tooling surface; no credentials required for inventory | pr-opened | https://github.com/UI5/mcp-server/pull/348 | Waiting for maintainer review |
 | 19 | `apify/actors-mcp-server` | `npx -y @apify/actors-mcp-server` | SaaS/API | Automation platform category | verify auth-free startup | Likely requires token; issue-only first | researched | | |
-| 20 | `notionhq/notion-mcp-server` | `npx -y @notionhq/notion-mcp-server` | SaaS/API | Major SaaS category | verify package | Likely requires token; issue-only first | researched | | |
+| 20 | `makenotion/notion-mcp-server` | `npx -y @notionhq/notion-mcp-server` | SaaS/API | Major SaaS category | Local validation passed: 24 tools | Workspace-data MCP; PR is compatibility/schema/security inventory only | pr-opened | https://github.com/makenotion/notion-mcp-server/pull/324 | Waiting for maintainer review; external Semgrep check failing |
 | 21 | `linear/linear-mcp` | `npx -y @linear/mcp-server` | SaaS/API | Developer SaaS category | verify package | Likely requires token; issue-only first | researched | | |
 | 22 | `sentry/sentry-mcp` | `npx -y @sentry/mcp-server` | Observability | Developer SaaS category | verify package | Likely requires token; issue-only first | researched | | |
 | 23 | `elastic/mcp-server-elasticsearch` | `npx -y @elastic/mcp-server-elasticsearch` | Search | Enterprise search category | verify package | Likely requires service; issue-only first | researched | | |
 | 24 | `qdrant/mcp-server-qdrant` | `uvx mcp-server-qdrant` | Vector Database | AI infra category | verify package | May require service URL; issue-only first | researched | | |
 | 25 | `weaviate/mcp-server-weaviate` | `uvx mcp-server-weaviate` | Vector Database | AI infra category | verify package | May require service URL; issue-only first | researched | | |
-| 26 | `owner/repo` | `npx -y package` | Browser Automation | | | | researched | | |
+| 26 | `antvis/mcp-server-chart` | `npx -y @antv/mcp-server-chart` | Visualization/Data | 4k+ stars / chart-generation MCP category | Local validation passed: 27 tools | Generated chart artifacts; no credentials required for inventory | pr-opened | https://github.com/antvis/mcp-server-chart/pull/312 | Waiting for maintainer review |
 | 27 | `owner/repo` | `uvx package` | API | | | | researched | | |
 | 28 | `owner/repo` | `npx -y package` | Database | | | | researched | | |
 | 29 | `owner/repo` | `npx -y package` | Search | | | | researched | | |

package/docs/certification-distribution.md

@@ -57,6 +57,11 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+  pull-requests: write
+  statuses: write
+
 jobs:
   mcp-observatory:
     runs-on: ubuntu-latest
@@ -70,6 +75,17 @@ jobs:
           comment-on-pr: true
 ```
 
+For production CI, pin the package version:
+
+```yaml
+- uses: KryptosAI/mcp-observatory/action@main
+  with:
+    command: npx -y <server-package>
+    package-version: 0.23.0
+    deep: true
+    security: true
+```
+
 For repos with a local target config:
 
 ```yaml

package/docs/directory-listing-copy.md

@@ -2,22 +2,24 @@
 
 ## Standard Positioning
 
-MCP Observatory helps teams test, secure, and monitor MCP servers before agents depend on them.
+MCP Observatory is the CI and security gate for MCP servers before agents depend on them.
 
 ## Short Description
 
-CI, security checks, schema drift detection, reports, and badges for MCP servers.
+CI, security checks, schema drift detection, lock files, reports, and badges for MCP servers.
 
 ## Medium Description
 
-MCP Observatory is a CLI, GitHub Action, and MCP server for testing MCP servers before agents depend on them. It checks tools, prompts, resources, schema quality, security footguns, regressions, and drift, then generates reports and badges maintainers can share.
+MCP Observatory is a CLI, GitHub Action, and MCP server for testing MCP servers before agents depend on them. It checks tools, prompts, resources, schema quality, security footguns, regressions, and drift, then generates lock files, reports, and badges maintainers can share.
 
 ## Long Description
 
-MCP Observatory gives MCP servers production safety rails: one-command CI setup, compatibility checks, security analysis, schema drift detection, record/replay/verify workflows, PR comments, health score badges, and static enterprise reports. It can run as a CLI, inside GitHub Actions, or as an MCP server that lets agents inspect other MCP servers.
+MCP Observatory gives MCP servers production safety rails: one-command CI setup, compatibility checks, security analysis, schema drift detection, lock-file verification, record/replay/verify workflows, PR comments, health score badges, and static enterprise reports. It can run as a CLI, inside GitHub Actions, or as an MCP server that lets agents inspect other MCP servers.
 
 Free for local OSS use. Paid pilots are available for hosted reporting, private repo CI history, recurring security reports, certification, support, and fleet visibility.
 
+For security and platform teams, see the MCP Server Security Field Guide and MCP Server Safety Index for agent security, AI supply chain security, and production MCP server review guidance.
+
 ## Primary CTA
 
 Add MCP CI in one command:
@@ -49,7 +51,6 @@ npx @kryptosai/mcp-observatory init-ci --all --command "npx -y my-mcp-server"
 - Developer Tools
 - Testing
 - CI/CD
-- Observability
 - Schema Drift
 - Regression Testing
 - AI Agents
@@ -66,6 +67,8 @@ npx @kryptosai/mcp-observatory init-ci --all --command "npx -y my-mcp-server"
 - `github-action`
 - `developer-tools`
 - `security`
+- `agent-security`
+- `ai-supply-chain`
 - `production-monitoring`
 - `enterprise-report`
 
@@ -73,6 +76,10 @@ npx @kryptosai/mcp-observatory init-ci --all --command "npx -y my-mcp-server"
 
 - README: `https://github.com/KryptosAI/mcp-observatory#readme`
 - GitHub Action: `https://github.com/KryptosAI/mcp-observatory/tree/main/action`
+- Security field guide: `https://github.com/KryptosAI/mcp-observatory/blob/main/docs/mcp-security-field-guide.md`
+- Reference evaluations: `https://github.com/KryptosAI/mcp-observatory/blob/main/docs/reference-evaluations.md`
+- Safety index: `https://github.com/KryptosAI/mcp-observatory/blob/main/docs/mcp-server-safety-index.md`
+- Lock files: `https://github.com/KryptosAI/mcp-observatory/blob/main/docs/mcp-lock-files.md`
 - Certification guide: `https://github.com/KryptosAI/mcp-observatory/blob/main/docs/certification-distribution.md`
 - Proof: `https://github.com/KryptosAI/mcp-observatory/blob/main/docs/proof.md`
 - Commercial pilots: `https://github.com/KryptosAI/mcp-observatory/blob/main/COMMERCIAL.md`

package/docs/distribution-launch.md

@@ -8,7 +8,7 @@ For public proof, use [MCP Observatory Proof](./proof.md).
 
 ## Positioning
 
-MCP Observatory helps teams test, secure, and monitor MCP servers before agents depend on them.
+MCP Observatory is the CI and security gate for MCP servers before agents depend on them.
 
 ## Public Surface Checklist
 
@@ -22,11 +22,11 @@ MCP Observatory helps teams test, secure, and monitor MCP servers before agents
 
 ## Launch Post Draft
 
-MCP servers are becoming production dependencies. If an agent depends on a server, that server needs regression tests, security checks, and monitoring before it breaks workflows.
+MCP servers are becoming production dependencies. If an agent depends on a server, that server needs regression tests, security checks, and drift gates before it breaks workflows.
 
 MCP Observatory scans MCP servers, verifies capabilities, detects schema drift, records/replays sessions, and can run in CI or as an MCP server itself.
 
-Free for local OSS use. Paid pilots are available for hosted reporting, private repo CI, security reports, production monitoring, certification, support, and fleet visibility.
+Free for local OSS use. Paid pilots are available for hosted reporting, private repo CI, recurring security reports, certification, support, and fleet visibility.
 
 Production MCP usage? Contact william@banksey.com.
 
@@ -36,9 +36,9 @@ Subject: MCP production testing and security checks
 
 Hi,
 
-I noticed signals that your team may be evaluating or using MCP servers. MCP Observatory helps teams test, secure, and monitor MCP servers before agents depend on them.
+I noticed signals that your team may be evaluating or using MCP servers. MCP Observatory is the CI and security gate for MCP servers before agents depend on them.
 
-We are running a small number of production pilots for hosted reports, private repo CI, security monitoring, certification, support, and fleet visibility.
+We are running a small number of production pilots for hosted reports, private repo CI, recurring security reviews, certification, support, and fleet visibility.
 
 Would it be useful to compare what your MCP servers look like today and where regressions or production risk could show up?
 

package/docs/enterprise-outreach-playbook.md

@@ -8,7 +8,7 @@ npm run telemetry:intelligence -- --input telemetry-exports/events-flat-full.jso
 
 Start from `reports/telemetry-usage-summary.html` to confirm external usage before reading account rankings. Do not treat first-party CI, release workflows, or internal/personal sessions as market traction.
 
-Do not include raw personal emails in public issues, posts, or docs. Use account domains, GitHub orgs, and aggregate telemetry evidence.
+Raw telemetry is allowed for internal account intelligence and may include git email, git remote URL, hostname, target command or URL, CI metadata, target IDs, and command outcomes. Do not include raw personal emails, hostnames, private URLs, target commands, tokens, or private telemetry exports in public issues, posts, docs, or customer-facing outreach. Use account domains, GitHub orgs, and aggregate telemetry evidence.
 
 ## Priority Accounts
 
@@ -35,7 +35,7 @@ If your team is running MCP servers in production, I can prepare a short evidenc
 - Feishu/Lark MCP compatibility
 - private HTTP MCP health checks
 - security findings and schema drift
-- CI history and production monitoring
+- CI history and controlled drift review
 - MCP fleet visibility across teams
 
 Would it be useful to compare notes this week?

package/docs/mcp-lock-files.md

@@ -0,0 +1,63 @@
+# MCP Lock Files
+
+MCP lock files are the package-lock for AI tools.
+
+They capture the MCP contract a server exposes to agents: tools, prompts, resources, and tool input schemas. Once committed, CI can verify that future changes are intentional before agents depend on a changed surface.
+
+## Core Flow
+
+Create the lock:
+
+```bash
+npx @kryptosai/mcp-observatory lock
+```
+
+Verify the live server still matches:
+
+```bash
+npx @kryptosai/mcp-observatory lock verify
+```
+
+Add CI:
+
+```bash
+npx @kryptosai/mcp-observatory init-ci --all --command "npx -y my-mcp-server"
+```
+
+## Why It Matters
+
+Agents call tools based on schemas and descriptions. If a tool is added, removed, renamed, or made more permissive, the agent-facing contract changed.
+
+Lock verification turns that into a reviewable event:
+
+- what changed
+- whether a tool, prompt, or resource was added or removed
+- whether a tool schema changed
+- whether the changed MCP surface should be accepted before release
+
+## Production Positioning
+
+For maintainers, lock files catch accidental breakage.
+
+For security and platform teams, lock files create an approval point for AI supply chain changes. A production MCP server can treat new tools, broader schemas, and high-risk capabilities like dependency changes that deserve review.
+
+## Recommended CI Policy
+
+- Commit `.mcp-observatory/lock.json` for production MCP servers.
+- Run `mcp-observatory lock verify` on pull requests.
+- Treat drift as blocking unless the PR intentionally updates the MCP surface.
+- Pair lock verification with `--security` checks before major releases.
+- Record suppressions with an owner, reason, and expiration when accepted risk is intentional.
+
+## Commercial Pilot Use
+
+Paid pilots can turn lock verification into a recurring MCP readiness report:
+
+- current MCP surface
+- drift since last approved lock
+- new or removed tools
+- schema changes
+- security findings
+- recommended review actions
+
+This is the simplest enterprise story: commit your MCP contract, then make drift visible before agents depend on it.

package/docs/mcp-safety-report-latest.md

@@ -1,9 +1,11 @@
 # MCP Safety Report
 
-Latest generated baseline: June 19, 2026.
+Latest generated baseline: June 20, 2026.
 
 MCP servers are becoming production dependencies. When agents depend on a server, that server needs repeatable compatibility checks, security review, schema drift detection, and visible trust signals.
 
+For a broader security framing, see the [MCP Server Security Field Guide](./mcp-security-field-guide.md). For public examples, see [Reference Evaluations](./reference-evaluations.md).
+
 ## What Observatory Checks
 
 MCP Observatory checks:
@@ -22,11 +24,18 @@ Safe aggregate telemetry from the latest local export:
 
 | Metric | Value |
 | --- | ---: |
-| Total telemetry events | 10,278 |
-| Unique sessions | 7,211 |
-| External sessions | 5,368 |
-| External CI sessions | 2,434 |
-| Attributed company/org sessions | 128 |
+| Total telemetry events | 11,481 |
+| Total sessions | 7,571 |
+| External sessions | 5,389 |
+| External CI sessions | 2,446 |
+| Attributed company/org sessions | 148 |
+| Attributed company/org candidates | 12 |
+| Latest external activity | June 21, 2026 |
+| npm downloads snapshot | 511 downloads, June 11-20, 2026 |
+| GitHub clones in visible traffic window | 745 |
+| Unique cloners in visible traffic window | 232 |
+| GitHub page views in visible traffic window | 12 |
+| Unique GitHub viewers in visible traffic window | 9 |
 
 Top external commands:
 
@@ -70,7 +79,7 @@ Production teams can use MCP Observatory for:
 - support and rollout review
 - fleet visibility across teams and repos
 
-Contact `william@banksey.com` for pilots.
+See [Commercial Pilots](../COMMERCIAL.md) for production/private MCP usage.
 
 ## Launch Post
 

package/docs/mcp-security-field-guide.md

@@ -0,0 +1,97 @@
+# MCP Server Security Field Guide
+
+MCP servers are becoming part of AI agent infrastructure. They expose tools that agents can call, often with access to files, browsers, cloud APIs, databases, documents, and internal systems. That makes MCP security a practical engineering problem: teams need to know which tools exist, what they can touch, how their schemas change, and whether they are safe enough for production agent workflows.
+
+MCP Observatory is built around that control point. It gives maintainers and platform teams a repeatable way to test production MCP servers, add MCP server CI, detect schema drift, and surface agent security risk before agents depend on a tool.
+
+## Why MCP Servers Are An Agent-Facing Attack Surface
+
+Traditional libraries run inside an application boundary. MCP servers sit beside an agent and expose capabilities the model may choose to call. A small schema mistake, broad tool surface, or unreliable startup path can become an operational risk when the server is wired into an autonomous workflow.
+
+Important MCP risk patterns include:
+
+- **Tool overreach:** tools that expose shell, browser, filesystem, network, or data-write behavior with weak constraints.
+- **Schema ambiguity:** vague names, missing parameter descriptions, permissive object schemas, or unclear required fields that make agent calls less predictable.
+- **Prompt injection paths:** tools that retrieve untrusted content and return it directly to an agent context.
+- **Secret exposure:** responses, logs, headers, or environment-backed tools that can leak credentials or internal details.
+- **Schema drift:** changed tool names, parameters, or capabilities that break dependent agents without warning.
+- **Unreliable startup:** packages that work locally but hang, exit early, or fail under CI and production runners.
+- **Capability mismatch:** servers that advertise tools, prompts, or resources but do not return valid MCP responses.
+
+## What Can Go Wrong When Agents Depend On Tools
+
+An MCP server can look harmless during manual evaluation and still fail in production agent infrastructure. The most common failure modes are not exotic. They are basic integration risks amplified by agent autonomy:
+
+- a tool disappears or changes shape after an upgrade
+- a server starts on a laptop but fails in GitHub Actions
+- a broad filesystem or browser automation tool is exposed without a clear trust boundary
+- a tool returns untrusted text that gets treated as instruction-like context
+- a schema is technically valid but too vague for reliable model use
+- a private or credential-backed tool is added without audit visibility
+
+For security and platform teams, the goal is not to block every MCP server. The goal is to make tool invocation observable, testable, auditable, and safe enough for the workflow that depends on it.
+
+## What MCP Observatory Checks Today
+
+MCP Observatory focuses on model context protocol testing that can run locally, in CI, or through its own MCP server mode. It checks:
+
+- tools, prompts, and resources list/respond correctly
+- advertised capabilities match observed behavior
+- safe read-only tools can be invoked
+- schemas have enough structure for agents to call them reliably
+- risky schema patterns are surfaced before production use
+- runs can be compared for regressions and schema drift detection
+- artifacts can be rendered as JSON, Markdown, HTML, JUnit, SARIF, or PR comments
+- health scores and badges can create visible trust signals for MCP maintainers
+
+This is intentionally practical. It is not a formal proof of semantic safety. It is a CI-friendly control that helps teams find obvious compatibility, drift, and security issues before they become agent failures.
+
+## What CI Should Catch Before Deployment
+
+A useful MCP server CI gate should answer a few operational questions:
+
+- Does the server start reliably in a clean environment?
+- Do tools, prompts, and resources respond with valid MCP shapes?
+- Did any tool, parameter, prompt, or resource drift from the previous known-good run?
+- Are there broad filesystem, shell, browser, network, or credential-sensitive tools?
+- Are generated reports readable by maintainers and security reviewers?
+- Can the run produce artifacts for later audit, diffing, or enterprise review?
+
+MCP Observatory is designed to make that a one-command adoption path:
+
+```bash
+npx @kryptosai/mcp-observatory init-ci --all --command "npx -y my-mcp-server"
+```
+
+For a direct check:
+
+```bash
+npx @kryptosai/mcp-observatory test --security npx -y my-mcp-server
+```
+
+## How Security And Platform Teams Can Adopt MCP Checks
+
+For open source maintainers, start with the generated GitHub Action and a public badge. This creates a visible compatibility/security signal without requiring an account.
+
+For private teams, start with static artifacts:
+
+- run MCP checks in CI
+- store JSON and Markdown artifacts
+- compare releases with `diff`
+- use SARIF where security review tools expect it
+- generate a static enterprise report for owner review
+
+For production MCP fleets, the next layer is hosted history, recurring security reports, certification review, support, and fleet visibility across repositories and agent environments.
+
+## Future Direction
+
+The next generation of secure agentic systems will need more than ad hoc tool installs. Useful controls will include:
+
+- policy for which tools agents may call
+- provenance for MCP packages and server configurations
+- schema locks and controlled drift review
+- runtime monitoring for production agent tool use
+- certification signals for high-trust MCP servers
+- fleet inventory across teams, repositories, and hosts
+
+MCP Observatory starts with the smallest durable wedge: make MCP servers testable, visible, and auditable before agents depend on them.

package/docs/mcp-server-safety-index.md

@@ -0,0 +1,61 @@
+# MCP Server Safety Index v1
+
+The MCP Server Safety Index is an evidence standard for MCP readiness. It is not a leaderboard and does not rank maintainers.
+
+Each row links to a reproducible command, a JSON run artifact, and a Markdown report generated by MCP Observatory. The goal is to show which failure classes matter before teams let agents depend on MCP servers.
+
+For the rules behind this page, see the [Safety Methodology](./methodology.md).
+
+## Snapshot
+
+- Evaluated servers: 13
+- Ready for CI: 10
+- Needs review before production: 1
+- Unsafe default posture: 2
+- Not reproducible: 0
+- Latest run: 2026-06-24T02:07:44.894Z
+
+## Evaluations
+
+| # | Server | Category | Verdict | Failure Class | Reproduce | Evidence | Notes |
+| ---: | --- | --- | --- | --- | --- | --- | --- |
+| 1 | [Official everything server](https://github.com/modelcontextprotocol/servers) | Reference | **Ready for CI** | Broad protocol surface | `npx -y @modelcontextprotocol/server-everything` | [JSON](./safety-index/artifacts/everything-server.json) / [report](./safety-index/artifacts/everything-server.md) | Zero-config official package; useful as a broad protocol baseline. [public proof](https://github.com/modelcontextprotocol/servers/pull/4392) |
+| 2 | [Official sequential thinking server](https://github.com/modelcontextprotocol/servers) | Reference | **Ready for CI** | Tool schema clarity | `npx -y @modelcontextprotocol/server-sequential-thinking` | [JSON](./safety-index/artifacts/sequential-thinking-server.json) / [report](./safety-index/artifacts/sequential-thinking-server.md) | Zero-config official package. |
+| 3 | [Official memory server](https://github.com/modelcontextprotocol/servers) | Reference / Memory | **Ready for CI** | Persistent state tools | `npx -y @modelcontextprotocol/server-memory` | [JSON](./safety-index/artifacts/memory-server.json) / [report](./safety-index/artifacts/memory-server.md) | Zero-config official package. |
+| 4 | [Official filesystem server](https://github.com/modelcontextprotocol/servers) | Filesystem | **Needs review before production** | Sandboxed filesystem access | `npx -y @modelcontextprotocol/server-filesystem examples/filesystem-fixture` | [JSON](./safety-index/artifacts/filesystem-server.json) / [report](./safety-index/artifacts/filesystem-server.md) | Runs against the checked-in harmless fixture directory. |
+| 5 | [Context7](https://github.com/upstash/context7) | Documentation / Search | **Ready for CI** | Prompt-injection-sensitive retrieval | `npx -y @upstash/context7-mcp` | [JSON](./safety-index/artifacts/context7-server.json) / [report](./safety-index/artifacts/context7-server.md) | Zero-config public package. |
+| 6 | [Promptopia](https://www.npmjs.com/package/promptopia-mcp) | Prompts | **Ready for CI** | Prompt/resource contract | `npx -y promptopia-mcp` | [JSON](./safety-index/artifacts/promptopia-server.json) / [report](./safety-index/artifacts/promptopia-server.md) | Uses the checked-in prompt fixture through package defaults. |
+| 7 | [Ref tools](https://www.npmjs.com/package/ref-tools-mcp) | Developer Tools | **Ready for CI** | Prompt/tool inventory | `npx -y ref-tools-mcp` | [JSON](./safety-index/artifacts/ref-tools-server.json) / [report](./safety-index/artifacts/ref-tools-server.md) | Zero-config public package. |
+| 8 | [OpenTofu MCP server](https://github.com/opentofu/opentofu-mcp-server) | Infrastructure | **Ready for CI** | Infrastructure tool surface | `npx -y @opentofu/opentofu-mcp-server` | [JSON](./safety-index/artifacts/opentofu-server.json) / [report](./safety-index/artifacts/opentofu-server.md) | Zero-config public package. |
+| 9 | [Puppeteer MCP server](https://www.npmjs.com/package/puppeteer-mcp-server) | Browser Automation | **Ready for CI** | Browser/code execution boundary | `npx -y puppeteer-mcp-server` | [JSON](./safety-index/artifacts/puppeteer-server.json) / [report](./safety-index/artifacts/puppeteer-server.md) | Intentional browser evaluation is suppressed so remaining findings stay readable. |
+| 10 | [BrowserMCP](https://github.com/BrowserMCP/mcp) | Browser Automation | **Ready for CI** | Browser-control boundary | `npx -y @browsermcp/mcp` | [JSON](./safety-index/artifacts/browsermcp-server.json) / [report](./safety-index/artifacts/browsermcp-server.md) | Zero-config public package. [public proof](https://github.com/BrowserMCP/mcp/pull/189) |
+| 11 | [Microsoft Playwright MCP](https://github.com/microsoft/playwright-mcp) | Browser Automation | **Unsafe default posture** | Browser/code execution boundary | `npx -y @playwright/mcp` | [JSON](./safety-index/artifacts/playwright-mcp-server.json) / [report](./safety-index/artifacts/playwright-mcp-server.md) | Zero-config public package; security findings represent policy-review prompts, not a vulnerability claim. |
+| 12 | [AntV chart MCP server](https://github.com/antvis/mcp-server-chart) | Visualization | **Ready for CI** | Artifact-producing tools | `npx -y @antv/mcp-server-chart` | [JSON](./safety-index/artifacts/antv-chart-server.json) / [report](./safety-index/artifacts/antv-chart-server.md) | Zero-config public package. [public proof](https://github.com/antvis/mcp-server-chart/pull/312) |
+| 13 | [ExecuteAutomation Playwright MCP](https://github.com/executeautomation/mcp-playwright) | Browser Automation | **Unsafe default posture** | Startup/listing reproducibility | `npx -y @executeautomation/playwright-mcp-server` | [JSON](./safety-index/artifacts/executeautomation-playwright-server.json) / [report](./safety-index/artifacts/executeautomation-playwright-server.md) | Evaluated as a public package; current result should be treated as a maintainer conversation starter. [public proof](https://github.com/executeautomation/mcp-playwright/pull/225) |
+
+## Patterns Observed
+
+- Browser/code execution boundary: 2 server(s)
+- Artifact-producing tools: 1 server(s)
+- Broad protocol surface: 1 server(s)
+- Browser-control boundary: 1 server(s)
+- Infrastructure tool surface: 1 server(s)
+- Persistent state tools: 1 server(s)
+- Prompt-injection-sensitive retrieval: 1 server(s)
+- Prompt/resource contract: 1 server(s)
+- Prompt/tool inventory: 1 server(s)
+- Sandboxed filesystem access: 1 server(s)
+- Startup/listing reproducibility: 1 server(s)
+- Tool schema clarity: 1 server(s)
+
+## Publication Rules
+
+- Use only public repositories, public package commands, public PRs, and generated sanitized artifacts.
+- Treat findings as reproducible evidence, not public shaming.
+- Prefer “needs review” language unless there is clear artifact-backed proof of a dangerous default.
+- Keep raw telemetry, emails, hostnames, private URLs, tokens, and customer claims out of public materials.
+- Send maintainers the report first; open CI PRs only when the report is useful and the target can run safely.
+
+## Next Step
+
+Use this index to start maintainer conversations and private readiness reviews. The buyer-facing offer is a private MCP readiness review with CI rollout, drift/security reporting, and safe-for-agent-dependency verdicts.

package/docs/methodology.md

@@ -0,0 +1,90 @@
+# MCP Observatory Safety Methodology
+
+MCP Observatory treats MCP servers as agent-facing dependencies. The Safety Index is designed to answer one practical question:
+
+> Is this server ready for agents and teams to depend on, and what evidence supports that answer?
+
+The index is not a leaderboard. It is a reproducible evidence standard for maintainers, security teams, platform teams, and buyers evaluating MCP servers.
+
+## What Gets Tested
+
+Each public evaluation runs MCP Observatory against a public repository or package command. A useful entry includes:
+
+- server name and public source
+- exact command and arguments
+- run date
+- MCP Observatory version
+- JSON run artifact
+- Markdown report
+- verdict
+- failure class
+- reproduction notes
+
+The default public check verifies startup, tools, prompts, resources, schema quality, and lightweight security findings. Some entries also include deeper security checks when the target can be evaluated without private credentials.
+
+## Verdicts
+
+- **Ready for CI:** the server starts, lists expected MCP surfaces, and has no high- or medium-severity security finding in the generated artifact.
+- **Needs review before production:** the server is reproducible but has findings or partial results a maintainer/security reviewer should inspect before production use.
+- **Not reproducible:** the server cannot complete a basic startup or listing check from the documented public command.
+- **Unsafe default posture:** the artifact contains high-severity security findings that deserve explicit policy review before agent dependency.
+- **Could not evaluate:** the public command cannot be evaluated without credentials, private infrastructure, or maintainer-provided safe configuration.
+
+These verdicts are intentionally operational. They are not formal vulnerability claims.
+
+## Scoring Inputs
+
+MCP Observatory uses the same run artifact model across CLI, CI, reports, and the Safety Index. The health score considers:
+
+- protocol compliance
+- schema quality
+- security and security-lite checks
+- reliability/startup behavior
+- performance where latency data is available
+
+The Safety Index does not rank by score. Scores are supporting evidence; failure classes are the story.
+
+## Failure Classes
+
+Common MCP readiness patterns include:
+
+- startup/listing reproducibility
+- browser/code execution boundary
+- filesystem boundary
+- prompt-injection-sensitive retrieval
+- persistent state tools
+- infrastructure or cloud control surfaces
+- artifact-producing tools
+- schema clarity and drift
+- token-safe configuration
+
+The first public index emphasizes these classes so maintainers can improve concrete surfaces rather than argue about a single trust score.
+
+## Reproducibility Rules
+
+An index row should be included only when it can be reproduced from public information:
+
+- public repo, package, or container reference
+- no private telemetry
+- no private customer evidence
+- no raw emails, hostnames, private URLs, tokens, or response bodies
+- a generated JSON artifact and Markdown report
+- clear notes when credentials or maintainer context are required
+
+If the safe public command is not known, the right next step is a maintainer note, not a drive-by CI PR.
+
+## Maintainer Posture
+
+The index is constructive by default:
+
+- send the report first
+- describe the failure class, not the maintainer
+- offer a CI PR only if the target can run safely and the maintainer wants it
+- prefer read-only workflows and pinned action refs for third-party repos
+- use issue-first outreach for token-backed SaaS, cloud, payments, database, and browser-control servers
+
+## Limitations
+
+MCP Observatory cannot prove semantic safety. A passing result does not mean a server is safe for every workflow. It means the server produced reproducible evidence for compatibility, schema quality, and common security footguns under the tested command.
+
+Production teams should pair these checks with their own threat model, policy, credential boundaries, sandboxing, approvals, and runtime monitoring.