@mcpspec/core 1.0.0

package/dist/index.js

@@ -0,0 +1,3305 @@
+// src/errors/error-codes.ts
+import { EXIT_CODES } from "@mcpspec/shared";
+var ERROR_CODE_MAP = {
+  CONNECTION_TIMEOUT: EXIT_CODES.CONNECTION_ERROR,
+  CONNECTION_REFUSED: EXIT_CODES.CONNECTION_ERROR,
+  CONNECTION_LOST: EXIT_CODES.CONNECTION_ERROR,
+  PROCESS_SPAWN_FAILED: EXIT_CODES.ERROR,
+  PROCESS_CRASHED: EXIT_CODES.ERROR,
+  PROCESS_TIMEOUT: EXIT_CODES.TIMEOUT,
+  TOOL_NOT_FOUND: EXIT_CODES.ERROR,
+  TOOL_CALL_FAILED: EXIT_CODES.ERROR,
+  INVALID_RESPONSE: EXIT_CODES.ERROR,
+  SCHEMA_VALIDATION_FAILED: EXIT_CODES.VALIDATION_ERROR,
+  ASSERTION_FAILED: EXIT_CODES.TEST_FAILURE,
+  COLLECTION_PARSE_ERROR: EXIT_CODES.CONFIG_ERROR,
+  COLLECTION_VALIDATION_ERROR: EXIT_CODES.CONFIG_ERROR,
+  YAML_PARSE_ERROR: EXIT_CODES.CONFIG_ERROR,
+  YAML_TOO_LARGE: EXIT_CODES.CONFIG_ERROR,
+  YAML_TOO_DEEP: EXIT_CODES.CONFIG_ERROR,
+  TIMEOUT: EXIT_CODES.TIMEOUT,
+  RATE_LIMITED: EXIT_CODES.ERROR,
+  CONFIG_ERROR: EXIT_CODES.CONFIG_ERROR,
+  SECURITY_SCAN_ERROR: EXIT_CODES.SECURITY_FINDINGS,
+  NOT_IMPLEMENTED: EXIT_CODES.ERROR,
+  UNKNOWN_ERROR: EXIT_CODES.ERROR
+};
+
+// src/errors/mcpspec-error.ts
+var MCPSpecError = class extends Error {
+  code;
+  exitCode;
+  context;
+  constructor(code, message, context = {}) {
+    super(message);
+    this.name = "MCPSpecError";
+    this.code = code;
+    this.exitCode = ERROR_CODE_MAP[code];
+    this.context = context;
+  }
+};
+var NotImplementedError = class extends MCPSpecError {
+  constructor(feature) {
+    super("NOT_IMPLEMENTED", `${feature} is not yet implemented. Coming in a future release.`, {
+      feature
+    });
+    this.name = "NotImplementedError";
+  }
+};
+
+// src/errors/error-messages.ts
+var ERROR_TEMPLATES = {
+  CONNECTION_TIMEOUT: {
+    title: "Connection Timed Out",
+    description: "Could not connect to the MCP server within {{timeout}}ms.",
+    suggestions: [
+      "Verify the server is running",
+      "Check the command/URL is correct",
+      "Increase timeout with --timeout flag"
+    ],
+    docs: "https://mcpspec.dev/docs/troubleshooting#connection-timeout"
+  },
+  CONNECTION_REFUSED: {
+    title: "Connection Refused",
+    description: "The MCP server at {{target}} refused the connection.",
+    suggestions: [
+      "Verify the server is running and accepting connections",
+      "Check the port number is correct",
+      "Ensure no firewall is blocking the connection"
+    ],
+    docs: "https://mcpspec.dev/docs/troubleshooting#connection-refused"
+  },
+  PROCESS_SPAWN_FAILED: {
+    title: "Failed to Start Server",
+    description: "Could not spawn process: {{command}}",
+    suggestions: [
+      "Verify the command exists and is in PATH",
+      "Check that all required dependencies are installed",
+      "Try running the command directly in your terminal"
+    ]
+  },
+  PROCESS_CRASHED: {
+    title: "Server Process Crashed",
+    description: "The MCP server process exited unexpectedly with code {{exitCode}}.",
+    suggestions: [
+      "Check the server logs for errors",
+      "Ensure the server has the required environment variables",
+      "Try running the server command directly to see errors"
+    ]
+  },
+  TOOL_NOT_FOUND: {
+    title: "Tool Not Found",
+    description: 'The tool "{{toolName}}" does not exist on this server.',
+    suggestions: [
+      "Available tools: {{availableTools}}",
+      "Run `mcpspec inspect` to see all available tools",
+      "Check for typos in the tool name"
+    ]
+  },
+  COLLECTION_PARSE_ERROR: {
+    title: "Collection Parse Error",
+    description: "Failed to parse collection file: {{filePath}}",
+    suggestions: [
+      "Check YAML syntax is valid",
+      "Ensure the file is UTF-8 encoded",
+      "Validate against the collection schema"
+    ]
+  },
+  COLLECTION_VALIDATION_ERROR: {
+    title: "Collection Validation Error",
+    description: "Collection file has invalid structure: {{details}}",
+    suggestions: [
+      "Check required fields: name, server, tests",
+      "Ensure each test has a name and a tool/call",
+      "See collection docs for the correct format"
+    ],
+    docs: "https://mcpspec.dev/docs/collections"
+  },
+  YAML_TOO_LARGE: {
+    title: "YAML File Too Large",
+    description: "The YAML file exceeds the maximum size of {{maxSize}} bytes.",
+    suggestions: [
+      "Split large collections into multiple files",
+      "Remove unused tests or data"
+    ]
+  },
+  TIMEOUT: {
+    title: "Operation Timed Out",
+    description: "The operation did not complete within {{timeout}}ms.",
+    suggestions: [
+      "Increase the timeout in your collection or CLI flags",
+      "Check if the server is responding slowly",
+      "Reduce the complexity of the test"
+    ]
+  }
+};
+
+// src/errors/error-formatter.ts
+function formatError(error) {
+  if (error instanceof MCPSpecError) {
+    const template = ERROR_TEMPLATES[error.code];
+    if (template) {
+      return {
+        title: interpolate(template.title, error.context),
+        description: interpolate(template.description, error.context),
+        suggestions: template.suggestions.map((s) => interpolate(s, error.context)),
+        docs: template.docs,
+        code: error.code,
+        exitCode: error.exitCode
+      };
+    }
+    return {
+      title: error.code,
+      description: error.message,
+      suggestions: [],
+      code: error.code,
+      exitCode: error.exitCode
+    };
+  }
+  if (error instanceof Error) {
+    return {
+      title: "Unexpected Error",
+      description: error.message,
+      suggestions: ["This may be a bug. Please report it at https://github.com/mcpspec/mcpspec/issues"],
+      code: "UNKNOWN_ERROR",
+      exitCode: 2
+    };
+  }
+  return {
+    title: "Unknown Error",
+    description: String(error),
+    suggestions: [],
+    code: "UNKNOWN_ERROR",
+    exitCode: 2
+  };
+}
+function interpolate(template, context) {
+  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => {
+    const value = context[key];
+    if (value === void 0) return `{{${key}}}`;
+    return String(value);
+  });
+}
+
+// src/utils/yaml-loader.ts
+import yaml from "js-yaml";
+var YAML_LIMITS = {
+  maxFileSize: 1024 * 1024,
+  // 1MB
+  maxNestingDepth: 10,
+  maxTests: 1e3
+};
+function loadYamlSafely(content) {
+  if (content.length > YAML_LIMITS.maxFileSize) {
+    throw new MCPSpecError("YAML_TOO_LARGE", `YAML content exceeds maximum size of ${YAML_LIMITS.maxFileSize} bytes`, {
+      maxSize: YAML_LIMITS.maxFileSize,
+      actualSize: content.length
+    });
+  }
+  let parsed;
+  try {
+    parsed = yaml.load(content, {
+      schema: yaml.FAILSAFE_SCHEMA
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    throw new MCPSpecError("YAML_PARSE_ERROR", `Failed to parse YAML: ${message}`, {
+      parseError: message
+    });
+  }
+  validateNestingDepth(parsed, 0);
+  return parsed;
+}
+function validateNestingDepth(value, depth) {
+  if (depth > YAML_LIMITS.maxNestingDepth) {
+    throw new MCPSpecError("YAML_TOO_DEEP", `YAML nesting exceeds maximum depth of ${YAML_LIMITS.maxNestingDepth}`, {
+      maxDepth: YAML_LIMITS.maxNestingDepth
+    });
+  }
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      validateNestingDepth(item, depth + 1);
+    }
+  } else if (value !== null && typeof value === "object") {
+    for (const val of Object.values(value)) {
+      validateNestingDepth(val, depth + 1);
+    }
+  }
+}
+
+// src/utils/secret-masker.ts
+var SecretMasker = class _SecretMasker {
+  secrets = /* @__PURE__ */ new Set();
+  static REDACTED = "***REDACTED***";
+  static SECRET_PATTERNS = [
+    /api[_-]?key/i,
+    /password/i,
+    /secret/i,
+    /token/i,
+    /credential/i,
+    /auth/i,
+    /private[_-]?key/i
+  ];
+  static MIN_SECRET_LENGTH = 4;
+  register(secret) {
+    if (secret.length >= _SecretMasker.MIN_SECRET_LENGTH) {
+      this.secrets.add(secret);
+    }
+  }
+  registerFromEnv(env) {
+    for (const [key, value] of Object.entries(env)) {
+      if (_SecretMasker.SECRET_PATTERNS.some((p) => p.test(key)) && value.length >= _SecretMasker.MIN_SECRET_LENGTH) {
+        this.secrets.add(value);
+      }
+    }
+  }
+  mask(text) {
+    let masked = text;
+    for (const secret of this.secrets) {
+      masked = masked.replaceAll(secret, _SecretMasker.REDACTED);
+    }
+    return masked;
+  }
+  clear() {
+    this.secrets.clear();
+  }
+  get size() {
+    return this.secrets.size;
+  }
+};
+
+// src/utils/variable-resolver.ts
+var VARIABLE_PATTERN = /\{\{(\w+(?:\.\w+)*)\}\}/g;
+function resolveVariables(template, variables) {
+  return template.replace(VARIABLE_PATTERN, (match, path) => {
+    const value = getNestedValue(variables, path);
+    if (value === void 0) {
+      return match;
+    }
+    return String(value);
+  });
+}
+function resolveObjectVariables(obj, variables) {
+  if (typeof obj === "string") {
+    return resolveVariables(obj, variables);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => resolveObjectVariables(item, variables));
+  }
+  if (obj !== null && typeof obj === "object") {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = resolveObjectVariables(value, variables);
+    }
+    return result;
+  }
+  return obj;
+}
+function getNestedValue(obj, path) {
+  const parts = path.split(".");
+  let current = obj;
+  for (const part of parts) {
+    if (current === null || current === void 0 || typeof current !== "object") {
+      return void 0;
+    }
+    current = current[part];
+  }
+  return current;
+}
+
+// src/utils/jsonpath.ts
+function queryJsonPath(data, path) {
+  if (!path.startsWith("$")) {
+    throw new Error(`Invalid JSONPath: must start with $. Got: ${path}`);
+  }
+  const remaining = path.slice(1);
+  if (remaining === "" || remaining === ".") {
+    return data;
+  }
+  const normalizedPath = remaining.startsWith(".") ? remaining.slice(1) : remaining;
+  const segments = parseSegments(normalizedPath);
+  let current = data;
+  for (const segment of segments) {
+    if (current === null || current === void 0) {
+      return void 0;
+    }
+    if (segment.type === "property") {
+      if (typeof current !== "object") {
+        return void 0;
+      }
+      current = current[segment.key];
+    } else if (segment.type === "index") {
+      if (!Array.isArray(current)) {
+        return void 0;
+      }
+      current = current[segment.index];
+    }
+  }
+  return current;
+}
+function parseSegments(path) {
+  const segments = [];
+  let i = 0;
+  while (i < path.length) {
+    if (path[i] === "[") {
+      const end = path.indexOf("]", i);
+      if (end === -1) {
+        throw new Error(`Invalid JSONPath: unclosed bracket at position ${i}`);
+      }
+      const indexStr = path.slice(i + 1, end);
+      const index = parseInt(indexStr, 10);
+      if (isNaN(index)) {
+        throw new Error(`Invalid JSONPath: non-numeric array index "${indexStr}"`);
+      }
+      segments.push({ type: "index", index });
+      i = end + 1;
+      if (i < path.length && path[i] === ".") {
+        i++;
+      }
+    } else {
+      let end = i;
+      while (end < path.length && path[end] !== "." && path[end] !== "[") {
+        end++;
+      }
+      const key = path.slice(i, end);
+      if (key.length > 0) {
+        segments.push({ type: "property", key });
+      }
+      i = end;
+      if (i < path.length && path[i] === ".") {
+        i++;
+      }
+    }
+  }
+  return segments;
+}
+function jsonPathExists(data, path) {
+  return queryJsonPath(data, path) !== void 0;
+}
+
+// src/utils/platform.ts
+import { platform, arch, release, tmpdir, homedir } from "os";
+import { join } from "path";
+function getPlatformInfo() {
+  const os = platform();
+  return {
+    os,
+    arch: arch(),
+    release: release(),
+    nodeVersion: process.version,
+    isWindows: os === "win32",
+    isMacOS: os === "darwin",
+    isLinux: os === "linux",
+    tmpDir: tmpdir(),
+    homeDir: homedir(),
+    dataDir: getDataDir(os)
+  };
+}
+function getDataDir(os) {
+  if (os === "win32") {
+    return join(process.env["APPDATA"] ?? join(homedir(), "AppData", "Roaming"), "mcpspec");
+  }
+  if (os === "darwin") {
+    return join(homedir(), "Library", "Application Support", "mcpspec");
+  }
+  return join(process.env["XDG_DATA_HOME"] ?? join(homedir(), ".local", "share"), "mcpspec");
+}
+
+// src/process/process-manager.ts
+import { execaCommand } from "execa";
+import { randomUUID } from "crypto";
+
+// src/process/process-registry.ts
+var ProcessRegistry = class {
+  processes = /* @__PURE__ */ new Map();
+  register(process2) {
+    this.processes.set(process2.id, process2);
+  }
+  unregister(id) {
+    this.processes.delete(id);
+  }
+  get(id) {
+    return this.processes.get(id);
+  }
+  getAll() {
+    return Array.from(this.processes.values());
+  }
+  has(id) {
+    return this.processes.has(id);
+  }
+  get size() {
+    return this.processes.size;
+  }
+  clear() {
+    this.processes.clear();
+  }
+};
+
+// src/process/process-manager.ts
+var ProcessManagerImpl = class {
+  registry;
+  defaultGracePeriod = 5e3;
+  constructor(registry) {
+    this.registry = registry ?? new ProcessRegistry();
+  }
+  async spawn(config) {
+    const id = randomUUID();
+    const fullCommand = [config.command, ...config.args].join(" ");
+    try {
+      const child = execaCommand(fullCommand, {
+        cwd: config.cwd,
+        env: { ...process.env, ...config.env },
+        stdin: "pipe",
+        stdout: "pipe",
+        stderr: "pipe",
+        buffer: false,
+        timeout: config.timeout
+      });
+      if (!child.pid || !child.stdin || !child.stdout || !child.stderr) {
+        throw new MCPSpecError("PROCESS_SPAWN_FAILED", `Failed to spawn process: ${fullCommand}`, {
+          command: fullCommand
+        });
+      }
+      const managed = {
+        id,
+        pid: child.pid,
+        command: config.command,
+        args: config.args,
+        startedAt: /* @__PURE__ */ new Date(),
+        stdin: child.stdin,
+        stdout: child.stdout,
+        stderr: child.stderr,
+        childProcess: child
+      };
+      this.registry.register(managed);
+      child.then(() => {
+        this.registry.unregister(id);
+      }).catch(() => {
+        this.registry.unregister(id);
+      });
+      return managed;
+    } catch (err) {
+      if (err instanceof MCPSpecError) throw err;
+      const message = err instanceof Error ? err.message : String(err);
+      throw new MCPSpecError("PROCESS_SPAWN_FAILED", `Failed to spawn process: ${message}`, {
+        command: fullCommand,
+        error: message
+      });
+    }
+  }
+  async shutdown(processId, gracePeriodMs) {
+    const managed = this.registry.get(processId);
+    if (!managed) return;
+    const grace = gracePeriodMs ?? this.defaultGracePeriod;
+    try {
+      managed.childProcess.kill("SIGTERM");
+      await Promise.race([
+        new Promise((resolve) => {
+          managed.childProcess.on("exit", () => resolve());
+        }),
+        new Promise(
+          (_, reject) => setTimeout(() => reject(new Error("Grace period exceeded")), grace)
+        )
+      ]);
+    } catch {
+      try {
+        managed.childProcess.kill("SIGKILL");
+      } catch {
+      }
+    } finally {
+      this.registry.unregister(processId);
+    }
+  }
+  async shutdownAll() {
+    const processes = this.registry.getAll();
+    await Promise.allSettled(processes.map((p) => this.shutdown(p.id)));
+  }
+  isAlive(processId) {
+    const managed = this.registry.get(processId);
+    if (!managed) return false;
+    try {
+      process.kill(managed.pid, 0);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  getRegistry() {
+    return this.registry;
+  }
+};
+
+// src/process/cleanup-handler.ts
+var registered = false;
+function registerCleanupHandlers(manager) {
+  if (registered) return;
+  registered = true;
+  const cleanup = async (signal) => {
+    process.stderr.write(`
+Received ${signal}, cleaning up processes...
+`);
+    await manager.shutdownAll();
+    process.exit(signal === "SIGINT" ? 130 : 0);
+  };
+  process.on("SIGINT", () => {
+    void cleanup("SIGINT");
+  });
+  process.on("SIGTERM", () => {
+    void cleanup("SIGTERM");
+  });
+  process.on("uncaughtException", (err) => {
+    process.stderr.write(`Uncaught exception: ${err.message}
+`);
+    void manager.shutdownAll().finally(() => process.exit(1));
+  });
+  process.on("unhandledRejection", (reason) => {
+    const message = reason instanceof Error ? reason.message : String(reason);
+    process.stderr.write(`Unhandled rejection: ${message}
+`);
+  });
+  process.on("exit", () => {
+    void manager.shutdownAll();
+  });
+}
+
+// src/client/mcp-client.ts
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+
+// src/client/connection-manager.ts
+var VALID_TRANSITIONS = {
+  disconnected: ["connecting"],
+  connecting: ["connected", "error", "disconnected"],
+  connected: ["disconnecting", "reconnecting", "error"],
+  reconnecting: ["connected", "error", "disconnected"],
+  disconnecting: ["disconnected"],
+  error: ["connecting", "disconnected"]
+};
+var DEFAULT_CONNECTION_CONFIG = {
+  maxReconnectAttempts: 3,
+  reconnectBackoff: "exponential",
+  initialReconnectDelay: 1e3,
+  maxReconnectDelay: 3e4
+};
+var ConnectionManager = class {
+  state = "disconnected";
+  reconnectAttempts = 0;
+  config;
+  listeners = [];
+  constructor(config) {
+    this.config = { ...DEFAULT_CONNECTION_CONFIG, ...config };
+  }
+  getState() {
+    return this.state;
+  }
+  canTransition(to) {
+    const allowed = VALID_TRANSITIONS[this.state];
+    return allowed !== void 0 && allowed.includes(to);
+  }
+  transition(to) {
+    if (!this.canTransition(to)) {
+      throw new MCPSpecError(
+        "CONNECTION_LOST",
+        `Invalid state transition: ${this.state} -> ${to}`,
+        { from: this.state, to }
+      );
+    }
+    const from = this.state;
+    this.state = to;
+    if (to === "connected") {
+      this.reconnectAttempts = 0;
+    }
+    for (const listener of this.listeners) {
+      listener(from, to);
+    }
+  }
+  onTransition(listener) {
+    this.listeners.push(listener);
+    return () => {
+      this.listeners = this.listeners.filter((l) => l !== listener);
+    };
+  }
+  shouldReconnect() {
+    return this.reconnectAttempts < this.config.maxReconnectAttempts;
+  }
+  getReconnectDelay() {
+    const delay = this.config.initialReconnectDelay * Math.pow(2, this.reconnectAttempts);
+    this.reconnectAttempts++;
+    return Math.min(delay, this.config.maxReconnectDelay);
+  }
+  resetReconnectAttempts() {
+    this.reconnectAttempts = 0;
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+};
+
+// src/rate-limiting/backoff.ts
+var DEFAULT_BACKOFF = {
+  initial: 1e3,
+  multiplier: 2,
+  max: 3e4
+};
+function calculateBackoff(attempt, config = DEFAULT_BACKOFF) {
+  const delay = config.initial * Math.pow(config.multiplier, attempt);
+  return Math.min(delay, config.max);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/client/logging-transport.ts
+var LoggingTransport = class {
+  inner;
+  callback;
+  constructor(inner, callback) {
+    this.inner = inner;
+    this.callback = callback;
+  }
+  async start() {
+    return this.inner.start();
+  }
+  async send(message, options) {
+    this.callback("outgoing", message);
+    return this.inner.send(message, options);
+  }
+  async close() {
+    return this.inner.close();
+  }
+  get onclose() {
+    return this.inner.onclose;
+  }
+  set onclose(handler) {
+    this.inner.onclose = handler;
+  }
+  get onerror() {
+    return this.inner.onerror;
+  }
+  set onerror(handler) {
+    this.inner.onerror = handler;
+  }
+  get onmessage() {
+    return this.inner.onmessage;
+  }
+  set onmessage(handler) {
+    if (!handler) {
+      this.inner.onmessage = void 0;
+      return;
+    }
+    const cb = this.callback;
+    this.inner.onmessage = (message, extra) => {
+      cb("incoming", message);
+      handler(message, extra);
+    };
+  }
+  get sessionId() {
+    return this.inner.sessionId;
+  }
+  set sessionId(value) {
+    this.inner.sessionId = value;
+  }
+  get setProtocolVersion() {
+    return this.inner.setProtocolVersion;
+  }
+  set setProtocolVersion(handler) {
+    this.inner.setProtocolVersion = handler;
+  }
+};
+
+// src/client/mcp-client.ts
+var MCPClient = class {
+  client = null;
+  transport = null;
+  connectionManager;
+  processManager;
+  serverConfig;
+  serverInfo;
+  onProtocolMessage;
+  constructor(options) {
+    this.connectionManager = new ConnectionManager();
+    this.processManager = options.processManager ?? new ProcessManagerImpl();
+    this.serverConfig = this.normalizeConfig(options.serverConfig);
+    this.onProtocolMessage = options.onProtocolMessage;
+  }
+  normalizeConfig(config) {
+    if (typeof config === "string") {
+      const parts = config.split(/\s+/);
+      const command = parts[0];
+      const args = parts.slice(1);
+      if (!command) {
+        throw new MCPSpecError("CONFIG_ERROR", "Empty server command", { config });
+      }
+      return {
+        transport: "stdio",
+        command,
+        args
+      };
+    }
+    return config;
+  }
+  async connect() {
+    if (this.connectionManager.getState() === "connected") return;
+    this.connectionManager.transition("connecting");
+    try {
+      let transport = await this.createTransport();
+      if (this.onProtocolMessage) {
+        transport = new LoggingTransport(transport, this.onProtocolMessage);
+      }
+      this.transport = transport;
+      this.client = new Client(
+        { name: "mcpspec", version: "0.2.0" },
+        { capabilities: {} }
+      );
+      await this.client.connect(this.transport);
+      this.serverInfo = this.client.getServerVersion();
+      this.connectionManager.transition("connected");
+    } catch (err) {
+      this.connectionManager.transition("error");
+      if (this.connectionManager.shouldReconnect()) {
+        return this.reconnect();
+      }
+      if (err instanceof MCPSpecError) throw err;
+      const message = err instanceof Error ? err.message : String(err);
+      throw new MCPSpecError("CONNECTION_TIMEOUT", `Failed to connect to MCP server: ${message}`, {
+        command: this.serverConfig.command,
+        url: this.serverConfig.url,
+        error: message
+      });
+    }
+  }
+  async reconnect() {
+    this.connectionManager.transition("connecting");
+    const delay = this.connectionManager.getReconnectDelay();
+    await sleep(delay);
+    return this.connect();
+  }
+  async createTransport() {
+    const transport = this.serverConfig.transport ?? "stdio";
+    switch (transport) {
+      case "stdio": {
+        const { command, args } = this.serverConfig;
+        if (!command) {
+          throw new MCPSpecError("CONFIG_ERROR", "Server command is required for stdio transport", {
+            config: this.serverConfig
+          });
+        }
+        return new StdioClientTransport({
+          command,
+          args: args ?? [],
+          env: this.serverConfig.env
+        });
+      }
+      case "sse": {
+        const { url } = this.serverConfig;
+        if (!url) {
+          throw new MCPSpecError("CONFIG_ERROR", "Server URL is required for SSE transport", {
+            config: this.serverConfig
+          });
+        }
+        const { createSSETransport } = await import("./sse-NXEF5JDZ.js");
+        return createSSETransport(url);
+      }
+      case "streamable-http": {
+        const { url } = this.serverConfig;
+        if (!url) {
+          throw new MCPSpecError("CONFIG_ERROR", "Server URL is required for streamable-http transport", {
+            config: this.serverConfig
+          });
+        }
+        const { createStreamableHTTPTransport } = await import("./http-XUWKDMSR.js");
+        return createStreamableHTTPTransport(url);
+      }
+      default:
+        throw new MCPSpecError("CONFIG_ERROR", `Unknown transport type: ${transport}`, {
+          transport
+        });
+    }
+  }
+  async disconnect() {
+    if (this.connectionManager.getState() === "disconnected") return;
+    if (this.connectionManager.canTransition("disconnecting")) {
+      this.connectionManager.transition("disconnecting");
+    }
+    try {
+      if (this.transport) {
+        await this.transport.close();
+      }
+    } catch {
+    } finally {
+      this.client = null;
+      this.transport = null;
+      if (this.connectionManager.canTransition("disconnected")) {
+        this.connectionManager.transition("disconnected");
+      }
+    }
+  }
+  isConnected() {
+    return this.connectionManager.getState() === "connected";
+  }
+  async listTools() {
+    this.ensureConnected();
+    try {
+      const result = await this.client.listTools();
+      return (result.tools ?? []).map((t) => ({
+        name: t.name,
+        description: t.description,
+        inputSchema: t.inputSchema
+      }));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new MCPSpecError("TOOL_CALL_FAILED", `Failed to list tools: ${message}`, {
+        error: message
+      });
+    }
+  }
+  async listResources() {
+    this.ensureConnected();
+    try {
+      const result = await this.client.listResources();
+      return (result.resources ?? []).map((r) => ({
+        uri: r.uri,
+        name: r.name,
+        description: r.description,
+        mimeType: r.mimeType
+      }));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new MCPSpecError("TOOL_CALL_FAILED", `Failed to list resources: ${message}`, {
+        error: message
+      });
+    }
+  }
+  async callTool(name, args) {
+    this.ensureConnected();
+    try {
+      const result = await this.client.callTool({ name, arguments: args });
+      return {
+        content: result.content,
+        isError: result.isError === true ? true : void 0
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new MCPSpecError("TOOL_CALL_FAILED", `Tool call "${name}" failed: ${message}`, {
+        toolName: name,
+        error: message
+      });
+    }
+  }
+  async readResource(uri) {
+    this.ensureConnected();
+    try {
+      const result = await this.client.readResource({ uri });
+      return { contents: result.contents };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new MCPSpecError("TOOL_CALL_FAILED", `Failed to read resource "${uri}": ${message}`, {
+        uri,
+        error: message
+      });
+    }
+  }
+  getServerInfo() {
+    return this.serverInfo;
+  }
+  getConnectionState() {
+    return this.connectionManager.getState();
+  }
+  ensureConnected() {
+    if (!this.isConnected() || !this.client) {
+      throw new MCPSpecError("CONNECTION_LOST", "Not connected to MCP server. Call connect() first.", {});
+    }
+  }
+};
+
+// src/testing/test-executor.ts
+import { DEFAULT_TIMEOUTS } from "@mcpspec/shared";
+
+// src/testing/assertions/schema-assertion.ts
+function assertSchema(response, inputSchema) {
+  if (response === void 0 || response === null) {
+    return {
+      type: "schema",
+      passed: false,
+      message: "Response is null or undefined",
+      actual: typeof response
+    };
+  }
+  if (typeof response !== "object") {
+    return {
+      type: "schema",
+      passed: false,
+      message: `Response is not an object or array, got ${typeof response}`,
+      actual: typeof response
+    };
+  }
+  if (inputSchema && typeof inputSchema["properties"] === "object" && inputSchema["properties"] !== null) {
+    const properties = inputSchema["properties"];
+    const required = Array.isArray(inputSchema["required"]) ? inputSchema["required"] : [];
+    const missingFields = [];
+    for (const field of required) {
+      if (!jsonPathExists(response, `$.${field}`)) {
+        missingFields.push(field);
+      }
+    }
+    if (missingFields.length > 0) {
+      return {
+        type: "schema",
+        passed: false,
+        message: `Missing required fields: ${missingFields.join(", ")}`,
+        expected: Object.keys(properties),
+        actual: Object.keys(response)
+      };
+    }
+  }
+  return {
+    type: "schema",
+    passed: true,
+    message: "Response has valid structure",
+    actual: typeof response
+  };
+}
+
+// src/testing/assertions/equals-assertion.ts
+function assertEqual(response, path, expected) {
+  const actual = queryJsonPath(response, path);
+  const passed = JSON.stringify(actual) === JSON.stringify(expected);
+  return {
+    type: "equals",
+    passed,
+    message: passed ? `${path} equals expected value` : `${path} expected ${JSON.stringify(expected)}, got ${JSON.stringify(actual)}`,
+    expected,
+    actual
+  };
+}
+
+// src/testing/assertions/contains-assertion.ts
+function assertContains(response, path, value) {
+  const actual = queryJsonPath(response, path);
+  let passed = false;
+  if (Array.isArray(actual)) {
+    passed = actual.some((item) => JSON.stringify(item) === JSON.stringify(value));
+  } else if (typeof actual === "string" && typeof value === "string") {
+    passed = actual.includes(value);
+  }
+  return {
+    type: "contains",
+    passed,
+    message: passed ? `${path} contains ${JSON.stringify(value)}` : `${path} does not contain ${JSON.stringify(value)}`,
+    expected: value,
+    actual
+  };
+}
+
+// src/testing/assertions/exists-assertion.ts
+function assertExists(response, path) {
+  const passed = jsonPathExists(response, path);
+  return {
+    type: "exists",
+    passed,
+    message: passed ? `${path} exists` : `${path} does not exist`
+  };
+}
+
+// src/testing/assertions/regex-assertion.ts
+function assertMatches(response, path, pattern) {
+  const actual = queryJsonPath(response, path);
+  const actualStr = typeof actual === "string" ? actual : JSON.stringify(actual);
+  let passed = false;
+  try {
+    const regex = new RegExp(pattern);
+    passed = regex.test(actualStr ?? "");
+  } catch {
+    return {
+      type: "matches",
+      passed: false,
+      message: `Invalid regex pattern: ${pattern}`,
+      expected: pattern,
+      actual: actualStr
+    };
+  }
+  return {
+    type: "matches",
+    passed,
+    message: passed ? `${path} matches pattern /${pattern}/` : `${path} does not match pattern /${pattern}/`,
+    expected: pattern,
+    actual: actualStr
+  };
+}
+
+// src/testing/assertions/type-assertion.ts
+function assertType(response, path, expected) {
+  const value = queryJsonPath(response, path);
+  let actualType;
+  if (value === null) {
+    actualType = "null";
+  } else if (Array.isArray(value)) {
+    actualType = "array";
+  } else {
+    actualType = typeof value;
+  }
+  if (value === void 0) {
+    return {
+      type: "type",
+      passed: false,
+      message: `Path "${path}" does not exist`,
+      expected,
+      actual: "undefined"
+    };
+  }
+  const passed = actualType === expected;
+  return {
+    type: "type",
+    passed,
+    message: passed ? `Value at "${path}" is type "${expected}"` : `Expected type "${expected}" at "${path}", got "${actualType}"`,
+    expected,
+    actual: actualType
+  };
+}
+
+// src/testing/assertions/expression-assertion.ts
+import { Parser } from "expr-eval";
+function assertExpression(response, expr) {
+  try {
+    const parser = new Parser();
+    const result = parser.evaluate(expr, { response });
+    const passed = Boolean(result);
+    return {
+      type: "expression",
+      passed,
+      message: passed ? `Expression "${expr}" evaluated to true` : `Expression "${expr}" evaluated to false`,
+      expected: true,
+      actual: result
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      type: "expression",
+      passed: false,
+      message: `Expression evaluation error: ${message}`,
+      expected: true,
+      actual: message
+    };
+  }
+}
+
+// src/testing/assertions/binary-assertion.ts
+function assertBinary(response, expected) {
+  let actual;
+  if (response && typeof response === "object") {
+    const obj = response;
+    if (typeof obj["mimeType"] === "string") {
+      actual = obj["mimeType"];
+    } else if (Array.isArray(obj["content"])) {
+      for (const item of obj["content"]) {
+        if (item && typeof item === "object" && typeof item["mimeType"] === "string") {
+          actual = item["mimeType"];
+          break;
+        }
+      }
+    }
+  }
+  if (actual === void 0) {
+    return {
+      type: "mimeType",
+      passed: false,
+      message: "No mimeType found in response",
+      expected,
+      actual: "undefined"
+    };
+  }
+  const passed = actual === expected;
+  return {
+    type: "mimeType",
+    passed,
+    message: passed ? `MIME type matches "${expected}"` : `Expected MIME type "${expected}", got "${actual}"`,
+    expected,
+    actual
+  };
+}
+
+// src/testing/test-executor.ts
+var TestExecutor = class {
+  variables = {};
+  rateLimiter;
+  constructor(initialVariables, rateLimiter) {
+    if (initialVariables) {
+      this.variables = { ...initialVariables };
+    }
+    this.rateLimiter = rateLimiter;
+  }
+  async execute(test, client) {
+    const timeout = test.timeout ?? DEFAULT_TIMEOUTS.test;
+    const retries = test.retries ?? 0;
+    let lastError;
+    for (let attempt = 0; attempt <= retries; attempt++) {
+      if (attempt > 0) {
+        const delay = calculateBackoff(attempt - 1);
+        await sleep(delay);
+      }
+      try {
+        return await this.executeWithTimeout(test, client, timeout);
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt < retries) {
+          continue;
+        }
+      }
+    }
+    return {
+      testId: test.id ?? test.name,
+      testName: test.name,
+      status: "error",
+      duration: 0,
+      assertions: [],
+      error: lastError?.message ?? "Unknown error"
+    };
+  }
+  executeWithTimeout(test, client, timeoutMs) {
+    return Promise.race([
+      this.executeInternal(test, client),
+      new Promise(
+        (_, reject) => setTimeout(() => reject(new MCPSpecError("TIMEOUT", `Test "${test.name}" timed out after ${timeoutMs}ms`, {
+          testName: test.name,
+          timeout: timeoutMs
+        })), timeoutMs)
+      )
+    ]);
+  }
+  async executeInternal(test, client) {
+    const startTime = Date.now();
+    const testId = test.id ?? test.name;
+    const assertionResults = [];
+    try {
+      const toolName = test.call ?? test.tool;
+      if (!toolName) {
+        throw new MCPSpecError("CONFIG_ERROR", `Test "${test.name}" has no tool/call defined`, {
+          testName: test.name
+        });
+      }
+      const input = test.with ?? test.input ?? {};
+      const resolvedInput = resolveObjectVariables(input, this.variables);
+      let result;
+      try {
+        const callFn = () => client.callTool(toolName, resolvedInput);
+        result = this.rateLimiter ? await this.rateLimiter.schedule(callFn) : await callFn();
+      } catch (err) {
+        if (test.expectError) {
+          return {
+            testId,
+            testName: test.name,
+            status: "passed",
+            duration: Date.now() - startTime,
+            assertions: [
+              {
+                type: "schema",
+                passed: true,
+                message: "Expected error occurred"
+              }
+            ]
+          };
+        }
+        throw err;
+      }
+      if (test.expectError) {
+        if (result.isError) {
+          return {
+            testId,
+            testName: test.name,
+            status: "passed",
+            duration: Date.now() - startTime,
+            assertions: [
+              {
+                type: "schema",
+                passed: true,
+                message: "Expected error response received"
+              }
+            ]
+          };
+        }
+        assertionResults.push({
+          type: "schema",
+          passed: false,
+          message: "Expected error but got success"
+        });
+        return {
+          testId,
+          testName: test.name,
+          status: "failed",
+          duration: Date.now() - startTime,
+          assertions: assertionResults
+        };
+      }
+      const response = this.buildResponse(result);
+      if (test.assertions) {
+        for (const assertion of test.assertions) {
+          assertionResults.push(this.runAssertion(assertion, response, Date.now() - startTime));
+        }
+      }
+      if (test.expect) {
+        for (const expectation of test.expect) {
+          assertionResults.push(this.runSimpleExpectation(expectation, response));
+        }
+      }
+      if (!test.assertions && !test.expect) {
+        assertionResults.push(assertSchema(response));
+      }
+      const extractedVariables = {};
+      if (test.extract) {
+        for (const extraction of test.extract) {
+          const value = queryJsonPath(response, extraction.path);
+          extractedVariables[extraction.name] = value;
+          this.variables[extraction.name] = value;
+        }
+      }
+      const allPassed = assertionResults.every((r) => r.passed);
+      return {
+        testId,
+        testName: test.name,
+        status: allPassed ? "passed" : "failed",
+        duration: Date.now() - startTime,
+        assertions: assertionResults,
+        extractedVariables: Object.keys(extractedVariables).length > 0 ? extractedVariables : void 0
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        testId,
+        testName: test.name,
+        status: "error",
+        duration: Date.now() - startTime,
+        assertions: assertionResults,
+        error: message
+      };
+    }
+  }
+  buildResponse(result) {
+    const contents = result.content;
+    if (!Array.isArray(contents) || contents.length === 0) {
+      return {};
+    }
+    if (contents.length === 1) {
+      const item = contents[0];
+      if (item["type"] === "text" && typeof item["text"] === "string") {
+        try {
+          return JSON.parse(item["text"]);
+        } catch {
+          return { content: item["text"], text: item["text"] };
+        }
+      }
+      return item;
+    }
+    return { content: contents };
+  }
+  runAssertion(assertion, response, durationMs) {
+    switch (assertion.type) {
+      case "schema":
+        return assertSchema(response);
+      case "equals":
+        return assertEqual(response, assertion.path ?? "$", assertion.value);
+      case "contains":
+        return assertContains(response, assertion.path ?? "$", assertion.value);
+      case "exists":
+        return assertExists(response, assertion.path ?? "$");
+      case "matches":
+        return assertMatches(response, assertion.path ?? "$", assertion.pattern ?? "");
+      case "type":
+        return assertType(response, assertion.path ?? "$", assertion.expected ?? "object");
+      case "expression":
+        return assertExpression(response, assertion.expr ?? "");
+      case "mimeType":
+        return assertBinary(response, assertion.expected ?? "");
+      case "length": {
+        const value = queryJsonPath(response, assertion.path ?? "$");
+        const len = Array.isArray(value) ? value.length : typeof value === "string" ? value.length : -1;
+        if (len === -1) {
+          return {
+            type: "length",
+            passed: false,
+            message: `Value at "${assertion.path}" is not an array or string`,
+            actual: typeof value
+          };
+        }
+        const op = assertion.operator ?? "eq";
+        const target = typeof assertion.value === "number" ? assertion.value : Number(assertion.value);
+        let passed = false;
+        switch (op) {
+          case "eq":
+            passed = len === target;
+            break;
+          case "gt":
+            passed = len > target;
+            break;
+          case "gte":
+            passed = len >= target;
+            break;
+          case "lt":
+            passed = len < target;
+            break;
+          case "lte":
+            passed = len <= target;
+            break;
+          default:
+            passed = len === target;
+        }
+        return {
+          type: "length",
+          passed,
+          message: passed ? `Length ${len} satisfies ${op} ${target}` : `Length ${len} does not satisfy ${op} ${target}`,
+          expected: target,
+          actual: len
+        };
+      }
+      case "latency":
+        return {
+          type: "latency",
+          passed: durationMs <= (assertion.maxMs ?? 1e3),
+          message: durationMs <= (assertion.maxMs ?? 1e3) ? `Response time ${durationMs}ms within ${assertion.maxMs ?? 1e3}ms limit` : `Response time ${durationMs}ms exceeds ${assertion.maxMs ?? 1e3}ms limit`,
+          expected: assertion.maxMs,
+          actual: durationMs
+        };
+      default:
+        return {
+          type: assertion.type,
+          passed: false,
+          message: `Assertion type "${assertion.type}" not yet implemented`
+        };
+    }
+  }
+  runSimpleExpectation(expectation, response) {
+    if ("exists" in expectation) {
+      return assertExists(response, expectation.exists);
+    }
+    if ("equals" in expectation) {
+      const [path, value] = expectation.equals;
+      return assertEqual(response, path, value);
+    }
+    if ("contains" in expectation) {
+      const [path, value] = expectation.contains;
+      return assertContains(response, path, value);
+    }
+    if ("matches" in expectation) {
+      const [path, pattern] = expectation.matches;
+      return assertMatches(response, path, pattern);
+    }
+    return {
+      type: "schema",
+      passed: false,
+      message: "Unknown expectation type"
+    };
+  }
+  getVariables() {
+    return { ...this.variables };
+  }
+};
+
+// src/testing/test-scheduler.ts
+function normalizeTags(tags) {
+  return tags.map((t) => t.startsWith("@") ? t.slice(1) : t);
+}
+function matchesTags(test, filterTags) {
+  if (filterTags.length === 0) return true;
+  if (!test.tags || test.tags.length === 0) return false;
+  const normalized = normalizeTags(test.tags);
+  const normalizedFilter = normalizeTags(filterTags);
+  return normalizedFilter.some((ft) => normalized.includes(ft));
+}
+var TestScheduler = class {
+  async schedule(tests, client, options) {
+    const { parallelism, tags, reporter, rateLimiter, initialVariables } = options;
+    const filteredTests = tags && tags.length > 0 ? tests.filter((t) => matchesTags(t, tags)) : tests;
+    const skippedTests = tags && tags.length > 0 ? tests.filter((t) => !matchesTags(t, tags)) : [];
+    const skippedResults = skippedTests.map((t) => ({
+      testId: t.id ?? t.name,
+      testName: t.name,
+      status: "skipped",
+      duration: 0,
+      assertions: []
+    }));
+    if (filteredTests.length === 0) {
+      return skippedResults;
+    }
+    if (parallelism <= 1) {
+      const executor2 = new TestExecutor(initialVariables, rateLimiter);
+      const results2 = [];
+      for (const test of filteredTests) {
+        reporter?.onTestStart(test.name);
+        const result = await executor2.execute(test, client);
+        results2.push(result);
+        reporter?.onTestComplete(result);
+      }
+      return [...results2, ...skippedResults];
+    }
+    const executor = new TestExecutor(initialVariables, rateLimiter);
+    let running = 0;
+    const results = new Array(filteredTests.length);
+    const waitQueue = [];
+    function acquire() {
+      if (running < parallelism) {
+        running++;
+        return Promise.resolve();
+      }
+      return new Promise((resolve) => {
+        waitQueue.push(resolve);
+      });
+    }
+    function release2() {
+      running--;
+      const next = waitQueue.shift();
+      if (next) {
+        running++;
+        next();
+      }
+    }
+    const tasks = filteredTests.map((test, i) => {
+      return (async () => {
+        await acquire();
+        try {
+          reporter?.onTestStart(test.name);
+          const result = await executor.execute(test, client);
+          results[i] = result;
+          reporter?.onTestComplete(result);
+        } finally {
+          release2();
+        }
+      })();
+    });
+    await Promise.allSettled(tasks);
+    for (let i = 0; i < results.length; i++) {
+      if (!results[i]) {
+        results[i] = {
+          testId: filteredTests[i].id ?? filteredTests[i].name,
+          testName: filteredTests[i].name,
+          status: "error",
+          duration: 0,
+          assertions: [],
+          error: "Test execution failed unexpectedly"
+        };
+      }
+    }
+    return [...results, ...skippedResults];
+  }
+};
+
+// src/rate-limiting/rate-limiter.ts
+import Bottleneck from "bottleneck";
+import { DEFAULT_RATE_LIMIT } from "@mcpspec/shared";
+var RateLimiter = class {
+  limiter;
+  config;
+  constructor(config) {
+    this.config = { ...DEFAULT_RATE_LIMIT, ...config };
+    this.limiter = new Bottleneck({
+      maxConcurrent: this.config.maxConcurrent,
+      minTime: Math.ceil(1e3 / this.config.maxCallsPerSecond)
+    });
+  }
+  async schedule(fn) {
+    return this.limiter.schedule(fn);
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+  async stop() {
+    await this.limiter.stop();
+  }
+};
+
+// src/testing/test-runner.ts
+import { randomUUID as randomUUID2 } from "crypto";
+var TestRunner = class {
+  processManager;
+  constructor() {
+    this.processManager = new ProcessManagerImpl();
+    registerCleanupHandlers(this.processManager);
+  }
+  async run(collection, options) {
+    const runId = randomUUID2();
+    const startedAt = /* @__PURE__ */ new Date();
+    const reporter = options?.reporter;
+    const parallelism = options?.parallelism ?? 1;
+    const tags = options?.tags;
+    const secretMasker = new SecretMasker();
+    const serverConfig = this.resolveServerConfig(collection.server);
+    if (serverConfig.env) {
+      secretMasker.registerFromEnv(serverConfig.env);
+    }
+    if (reporter && typeof reporter.setSecretMasker === "function") {
+      reporter.setSecretMasker(secretMasker);
+    }
+    reporter?.onRunStart(collection.name, collection.tests.length);
+    let envVariables = {};
+    if (options?.environment && collection.environments) {
+      const env = collection.environments[options.environment];
+      if (!env) {
+        throw new MCPSpecError("CONFIG_ERROR", `Environment "${options.environment}" not found`, {
+          available: Object.keys(collection.environments)
+        });
+      }
+      envVariables = env.variables;
+    } else if (collection.defaultEnvironment && collection.environments) {
+      const env = collection.environments[collection.defaultEnvironment];
+      if (env) {
+        envVariables = env.variables;
+      }
+    }
+    const client = new MCPClient({
+      serverConfig,
+      processManager: this.processManager
+    });
+    let results;
+    try {
+      await client.connect();
+      const rateLimiter = options?.rateLimitConfig ? new RateLimiter(options.rateLimitConfig) : void 0;
+      const scheduler = new TestScheduler();
+      results = await scheduler.schedule(collection.tests, client, {
+        parallelism,
+        tags,
+        reporter,
+        rateLimiter,
+        initialVariables: envVariables
+      });
+      if (rateLimiter) {
+        await rateLimiter.stop();
+      }
+    } finally {
+      await client.disconnect();
+    }
+    const completedAt = /* @__PURE__ */ new Date();
+    const summary = this.computeSummary(results, completedAt.getTime() - startedAt.getTime());
+    const runResult = {
+      id: runId,
+      collectionName: collection.name,
+      startedAt,
+      completedAt,
+      duration: completedAt.getTime() - startedAt.getTime(),
+      results,
+      summary
+    };
+    reporter?.onRunComplete(runResult);
+    return runResult;
+  }
+  resolveServerConfig(server) {
+    if (typeof server === "string") {
+      const parts = server.split(/\s+/);
+      const command = parts[0];
+      if (!command) {
+        throw new MCPSpecError("CONFIG_ERROR", "Empty server command", {});
+      }
+      return {
+        transport: "stdio",
+        command,
+        args: parts.slice(1)
+      };
+    }
+    return server;
+  }
+  computeSummary(results, duration) {
+    return {
+      total: results.length,
+      passed: results.filter((r) => r.status === "passed").length,
+      failed: results.filter((r) => r.status === "failed").length,
+      skipped: results.filter((r) => r.status === "skipped").length,
+      errors: results.filter((r) => r.status === "error").length,
+      duration
+    };
+  }
+  async cleanup() {
+    await this.processManager.shutdownAll();
+  }
+};
+
+// src/testing/reporters/console-reporter.ts
+var COLORS = {
+  reset: "\x1B[0m",
+  green: "\x1B[32m",
+  red: "\x1B[31m",
+  yellow: "\x1B[33m",
+  gray: "\x1B[90m",
+  bold: "\x1B[1m",
+  cyan: "\x1B[36m"
+};
+var ICONS = {
+  pass: `${COLORS.green}\u2713${COLORS.reset}`,
+  fail: `${COLORS.red}\u2717${COLORS.reset}`,
+  error: `${COLORS.red}!${COLORS.reset}`,
+  skip: `${COLORS.yellow}-${COLORS.reset}`
+};
+var ConsoleReporter = class {
+  ci;
+  constructor(options) {
+    this.ci = options?.ci ?? false;
+  }
+  onRunStart(collectionName, testCount) {
+    if (!this.ci) {
+      console.log(
+        `
+${COLORS.bold}${COLORS.cyan}MCPSpec${COLORS.reset} running ${COLORS.bold}${collectionName}${COLORS.reset} (${testCount} tests)
+`
+      );
+    }
+  }
+  onTestStart(_testName) {
+  }
+  onTestComplete(result) {
+    const icon = this.getIcon(result.status);
+    const duration = `${COLORS.gray}(${result.duration}ms)${COLORS.reset}`;
+    console.log(`  ${icon} ${result.testName} ${duration}`);
+    if (result.status === "failed") {
+      for (const assertion of result.assertions) {
+        if (!assertion.passed) {
+          console.log(`    ${COLORS.red}${assertion.message}${COLORS.reset}`);
+        }
+      }
+    }
+    if (result.status === "error" && result.error) {
+      console.log(`    ${COLORS.red}${result.error}${COLORS.reset}`);
+    }
+  }
+  onRunComplete(result) {
+    const { summary } = result;
+    console.log("");
+    const parts = [];
+    if (summary.passed > 0) parts.push(`${COLORS.green}${summary.passed} passed${COLORS.reset}`);
+    if (summary.failed > 0) parts.push(`${COLORS.red}${summary.failed} failed${COLORS.reset}`);
+    if (summary.errors > 0) parts.push(`${COLORS.red}${summary.errors} errors${COLORS.reset}`);
+    if (summary.skipped > 0) parts.push(`${COLORS.yellow}${summary.skipped} skipped${COLORS.reset}`);
+    console.log(
+      `  ${COLORS.bold}Tests:${COLORS.reset}  ${parts.join(", ")} (${summary.total} total)`
+    );
+    console.log(
+      `  ${COLORS.bold}Time:${COLORS.reset}   ${(summary.duration / 1e3).toFixed(2)}s`
+    );
+    console.log("");
+  }
+  getIcon(status) {
+    switch (status) {
+      case "passed":
+        return ICONS.pass;
+      case "failed":
+        return ICONS.fail;
+      case "error":
+        return ICONS.error;
+      case "skipped":
+        return ICONS.skip;
+      default:
+        return " ";
+    }
+  }
+};
+
+// src/testing/reporters/json-reporter.ts
+var JsonReporter = class {
+  constructor(outputPath) {
+    this.outputPath = outputPath;
+  }
+  output;
+  onRunStart(_collectionName, _testCount) {
+  }
+  onTestStart(_testName) {
+  }
+  onTestComplete(_result) {
+  }
+  onRunComplete(result) {
+    const json = JSON.stringify(
+      {
+        id: result.id,
+        collectionName: result.collectionName,
+        startedAt: result.startedAt.toISOString(),
+        completedAt: result.completedAt.toISOString(),
+        duration: result.duration,
+        summary: result.summary,
+        results: result.results
+      },
+      null,
+      2
+    );
+    if (this.outputPath) {
+      this.output = json;
+    } else {
+      console.log(json);
+    }
+  }
+  getOutput() {
+    return this.output;
+  }
+};
+
+// src/testing/reporters/junit-reporter.ts
+function escapeXml(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+var JunitReporter = class {
+  constructor(outputPath) {
+    this.outputPath = outputPath;
+  }
+  output;
+  secretMasker;
+  setSecretMasker(masker) {
+    this.secretMasker = masker;
+  }
+  onRunStart(_collectionName, _testCount) {
+  }
+  onTestStart(_testName) {
+  }
+  onTestComplete(_result) {
+  }
+  onRunComplete(result) {
+    const { summary, results, collectionName, duration } = result;
+    const lines = [];
+    lines.push('<?xml version="1.0" encoding="UTF-8"?>');
+    lines.push(
+      `<testsuites tests="${summary.total}" failures="${summary.failed}" errors="${summary.errors}" time="${(duration / 1e3).toFixed(3)}">`
+    );
+    lines.push(
+      `  <testsuite name="${escapeXml(collectionName)}" tests="${summary.total}" failures="${summary.failed}" errors="${summary.errors}" skipped="${summary.skipped}" time="${(duration / 1e3).toFixed(3)}">`
+    );
+    for (const test of results) {
+      const testTime = (test.duration / 1e3).toFixed(3);
+      lines.push(
+        `    <testcase name="${escapeXml(test.testName)}" classname="${escapeXml(collectionName)}" time="${testTime}">`
+      );
+      if (test.status === "failed") {
+        const failedAssertions = test.assertions.filter((a) => !a.passed);
+        const message = failedAssertions.map((a) => a.message).join("; ");
+        lines.push(
+          `      <failure message="${escapeXml(this.mask(message))}">${escapeXml(this.mask(message))}</failure>`
+        );
+      }
+      if (test.status === "error") {
+        const errorMessage = test.error ?? "Unknown error";
+        lines.push(
+          `      <error message="${escapeXml(this.mask(errorMessage))}">${escapeXml(this.mask(errorMessage))}</error>`
+        );
+      }
+      if (test.status === "skipped") {
+        lines.push("      <skipped/>");
+      }
+      lines.push("    </testcase>");
+    }
+    lines.push("  </testsuite>");
+    lines.push("</testsuites>");
+    const xml = lines.join("\n");
+    if (this.outputPath) {
+      this.output = xml;
+    } else {
+      console.log(xml);
+    }
+  }
+  getOutput() {
+    return this.output;
+  }
+  mask(text) {
+    return this.secretMasker ? this.secretMasker.mask(text) : text;
+  }
+};
+
+// src/testing/reporters/html-reporter.ts
+import Handlebars from "handlebars";
+var HTML_TEMPLATE = `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>MCPSpec Test Report - {{collectionName}}</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: #f5f5f5; color: #333; padding: 24px; }
+  .container { max-width: 960px; margin: 0 auto; }
+  h1 { font-size: 24px; margin-bottom: 16px; }
+  .summary { display: flex; gap: 16px; margin-bottom: 24px; flex-wrap: wrap; }
+  .card { background: #fff; border-radius: 8px; padding: 16px 24px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+  .card .label { font-size: 12px; color: #888; text-transform: uppercase; }
+  .card .value { font-size: 28px; font-weight: 700; }
+  .passed .value { color: #22c55e; }
+  .failed .value { color: #ef4444; }
+  .errors .value { color: #f97316; }
+  .duration .value { color: #3b82f6; }
+  table { width: 100%; border-collapse: collapse; background: #fff; border-radius: 8px; overflow: hidden; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+  th { background: #f9fafb; text-align: left; padding: 12px 16px; font-size: 12px; text-transform: uppercase; color: #888; border-bottom: 1px solid #e5e7eb; }
+  td { padding: 12px 16px; border-bottom: 1px solid #f3f4f6; vertical-align: top; }
+  tr:last-child td { border-bottom: none; }
+  .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 12px; font-weight: 600; }
+  .badge-passed { background: #dcfce7; color: #166534; }
+  .badge-failed { background: #fee2e2; color: #991b1b; }
+  .badge-error { background: #ffedd5; color: #9a3412; }
+  .badge-skipped { background: #fef9c3; color: #854d0e; }
+  .assertions { font-size: 13px; color: #666; margin-top: 4px; }
+  .assertion-fail { color: #ef4444; }
+  .footer { margin-top: 24px; font-size: 12px; color: #aaa; text-align: center; }
+</style>
+</head>
+<body>
+<div class="container">
+  <h1>MCPSpec: {{collectionName}}</h1>
+  <div class="summary">
+    <div class="card passed"><div class="label">Passed</div><div class="value">{{summary.passed}}</div></div>
+    <div class="card failed"><div class="label">Failed</div><div class="value">{{summary.failed}}</div></div>
+    <div class="card errors"><div class="label">Errors</div><div class="value">{{summary.errors}}</div></div>
+    <div class="card duration"><div class="label">Duration</div><div class="value">{{durationFormatted}}</div></div>
+  </div>
+  <table>
+    <thead><tr><th>Test</th><th>Status</th><th>Duration</th><th>Details</th></tr></thead>
+    <tbody>
+      {{#each results}}
+      <tr>
+        <td>{{this.testName}}</td>
+        <td><span class="badge badge-{{this.status}}">{{this.status}}</span></td>
+        <td>{{this.duration}}ms</td>
+        <td>
+          {{#if this.error}}<div class="assertion-fail">{{this.error}}</div>{{/if}}
+          {{#each this.assertions}}
+            {{#unless this.passed}}<div class="assertion-fail">{{this.message}}</div>{{/unless}}
+          {{/each}}
+          {{#if this.allPassed}}<span style="color:#22c55e">All assertions passed</span>{{/if}}
+        </td>
+      </tr>
+      {{/each}}
+    </tbody>
+  </table>
+  <div class="footer">Generated by MCPSpec at {{timestamp}}</div>
+</div>
+</body>
+</html>`;
+var HtmlReporter = class {
+  constructor(outputPath) {
+    this.outputPath = outputPath;
+  }
+  output;
+  secretMasker;
+  setSecretMasker(masker) {
+    this.secretMasker = masker;
+  }
+  onRunStart(_collectionName, _testCount) {
+  }
+  onTestStart(_testName) {
+  }
+  onTestComplete(_result) {
+  }
+  onRunComplete(result) {
+    const template = Handlebars.compile(HTML_TEMPLATE);
+    const data = {
+      collectionName: result.collectionName,
+      summary: result.summary,
+      durationFormatted: `${(result.duration / 1e3).toFixed(2)}s`,
+      timestamp: result.completedAt.toISOString(),
+      results: result.results.map((r) => ({
+        testName: r.testName,
+        status: r.status,
+        duration: r.duration,
+        error: r.error ? this.mask(r.error) : void 0,
+        assertions: r.assertions.map((a) => ({
+          passed: a.passed,
+          message: this.mask(a.message)
+        })),
+        allPassed: r.assertions.every((a) => a.passed) && !r.error
+      }))
+    };
+    const html = template(data);
+    if (this.outputPath) {
+      this.output = html;
+    } else {
+      console.log(html);
+    }
+  }
+  getOutput() {
+    return this.output;
+  }
+  mask(text) {
+    return this.secretMasker ? this.secretMasker.mask(text) : text;
+  }
+};
+
+// src/testing/reporters/tap-reporter.ts
+var TapReporter = class {
+  testIndex = 0;
+  secretMasker;
+  setSecretMasker(masker) {
+    this.secretMasker = masker;
+  }
+  onRunStart(_collectionName, testCount) {
+    console.log("TAP version 14");
+    console.log(`1..${testCount}`);
+  }
+  onTestStart(_testName) {
+  }
+  onTestComplete(result) {
+    this.testIndex++;
+    const status = result.status === "passed" ? "ok" : "not ok";
+    const directive = result.status === "skipped" ? " # SKIP" : "";
+    console.log(`${status} ${this.testIndex} - ${result.testName}${directive}`);
+    if (result.status === "failed") {
+      console.log("  ---");
+      console.log("  severity: fail");
+      const failedAssertions = result.assertions.filter((a) => !a.passed);
+      if (failedAssertions.length > 0) {
+        console.log("  failures:");
+        for (const a of failedAssertions) {
+          console.log(`    - message: "${this.mask(a.message)}"`);
+          if (a.expected !== void 0) console.log(`      expected: ${JSON.stringify(a.expected)}`);
+          if (a.actual !== void 0) console.log(`      actual: ${JSON.stringify(a.actual)}`);
+        }
+      }
+      console.log(`  duration_ms: ${result.duration}`);
+      console.log("  ...");
+    }
+    if (result.status === "error") {
+      console.log("  ---");
+      console.log("  severity: error");
+      console.log(`  message: "${this.mask(result.error ?? "Unknown error")}"`);
+      console.log(`  duration_ms: ${result.duration}`);
+      console.log("  ...");
+    }
+  }
+  onRunComplete(_result) {
+  }
+  mask(text) {
+    return this.secretMasker ? this.secretMasker.mask(text) : text;
+  }
+};
+
+// src/testing/comparison/baseline-store.ts
+import { readFileSync, writeFileSync, mkdirSync, readdirSync, existsSync } from "fs";
+import { join as join2 } from "path";
+var BaselineStore = class {
+  basePath;
+  constructor(basePath) {
+    this.basePath = basePath ?? join2(getPlatformInfo().dataDir, "baselines");
+  }
+  save(name, result) {
+    this.ensureDir();
+    const filePath = this.getFilePath(name);
+    const serialized = JSON.stringify(
+      {
+        id: result.id,
+        collectionName: result.collectionName,
+        startedAt: result.startedAt.toISOString(),
+        completedAt: result.completedAt.toISOString(),
+        duration: result.duration,
+        results: result.results,
+        summary: result.summary
+      },
+      null,
+      2
+    );
+    writeFileSync(filePath, serialized, "utf-8");
+    return filePath;
+  }
+  load(name) {
+    const filePath = this.getFilePath(name);
+    if (!existsSync(filePath)) {
+      return null;
+    }
+    const content = readFileSync(filePath, "utf-8");
+    const raw = JSON.parse(content);
+    return {
+      ...raw,
+      startedAt: new Date(raw.startedAt),
+      completedAt: new Date(raw.completedAt)
+    };
+  }
+  list() {
+    this.ensureDir();
+    return readdirSync(this.basePath).filter((f) => f.endsWith(".json")).map((f) => f.replace(/\.json$/, ""));
+  }
+  getFilePath(name) {
+    const safeName = name.replace(/[^a-zA-Z0-9_-]/g, "_");
+    return join2(this.basePath, `${safeName}.json`);
+  }
+  ensureDir() {
+    if (!existsSync(this.basePath)) {
+      mkdirSync(this.basePath, { recursive: true });
+    }
+  }
+};
+
+// src/testing/comparison/result-differ.ts
+var ResultDiffer = class {
+  diff(baseline, current, baselineName = "baseline") {
+    const baselineMap = /* @__PURE__ */ new Map();
+    for (const r of baseline.results) {
+      baselineMap.set(r.testName, r);
+    }
+    const currentMap = /* @__PURE__ */ new Map();
+    for (const r of current.results) {
+      currentMap.set(r.testName, r);
+    }
+    const regressions = [];
+    const fixes = [];
+    const newTests = [];
+    const removedTests = [];
+    const unchanged = [];
+    for (const [name, currentResult] of currentMap) {
+      const baselineResult = baselineMap.get(name);
+      if (!baselineResult) {
+        newTests.push({ testName: name, type: "new", after: currentResult });
+        continue;
+      }
+      const wasPassing = baselineResult.status === "passed";
+      const isPassing = currentResult.status === "passed";
+      if (wasPassing && !isPassing) {
+        regressions.push({ testName: name, type: "regression", before: baselineResult, after: currentResult });
+      } else if (!wasPassing && isPassing) {
+        fixes.push({ testName: name, type: "fix", before: baselineResult, after: currentResult });
+      } else {
+        unchanged.push({ testName: name, type: "unchanged", before: baselineResult, after: currentResult });
+      }
+    }
+    for (const [name, baselineResult] of baselineMap) {
+      if (!currentMap.has(name)) {
+        removedTests.push({ testName: name, type: "removed", before: baselineResult });
+      }
+    }
+    return {
+      baselineName,
+      currentRunId: current.id,
+      regressions,
+      fixes,
+      newTests,
+      removedTests,
+      unchanged,
+      summary: {
+        totalBefore: baseline.results.length,
+        totalAfter: current.results.length,
+        regressions: regressions.length,
+        fixes: fixes.length,
+        newTests: newTests.length,
+        removedTests: removedTests.length
+      }
+    };
+  }
+};
+
+// src/security/scan-config.ts
+var SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"];
+var PASSIVE_RULES = [
+  "path-traversal",
+  "input-validation",
+  "information-disclosure"
+];
+var ACTIVE_RULES = [
+  ...PASSIVE_RULES,
+  "resource-exhaustion",
+  "auth-bypass",
+  "injection"
+];
+var AGGRESSIVE_RULES = [...ACTIVE_RULES];
+var DEFAULT_TIMEOUT = 1e4;
+var DEFAULT_MAX_PROBES = 50;
+var ScanConfig = class {
+  mode;
+  rules;
+  severityThreshold;
+  acknowledgeRisk;
+  timeout;
+  maxProbesPerTool;
+  constructor(config = {}) {
+    this.mode = config.mode ?? "passive";
+    this.severityThreshold = config.severityThreshold ?? "info";
+    this.acknowledgeRisk = config.acknowledgeRisk ?? false;
+    this.timeout = config.timeout ?? DEFAULT_TIMEOUT;
+    this.maxProbesPerTool = config.maxProbesPerTool ?? DEFAULT_MAX_PROBES;
+    const allRulesForMode = this.getRulesForMode(this.mode);
+    if (config.rules && config.rules.length > 0) {
+      this.rules = config.rules.filter((r) => allRulesForMode.includes(r));
+    } else {
+      this.rules = allRulesForMode;
+    }
+  }
+  requiresConfirmation() {
+    return this.mode !== "passive" && !this.acknowledgeRisk;
+  }
+  meetsThreshold(severity) {
+    const thresholdIdx = SEVERITY_ORDER.indexOf(this.severityThreshold);
+    const severityIdx = SEVERITY_ORDER.indexOf(severity);
+    return severityIdx >= thresholdIdx;
+  }
+  getRulesForMode(mode) {
+    switch (mode) {
+      case "passive":
+        return PASSIVE_RULES;
+      case "active":
+        return ACTIVE_RULES;
+      case "aggressive":
+        return AGGRESSIVE_RULES;
+    }
+  }
+};
+
+// src/security/security-scanner.ts
+import { randomUUID as randomUUID9 } from "crypto";
+
+// src/security/rules/path-traversal.ts
+import { randomUUID as randomUUID3 } from "crypto";
+
+// src/security/payloads/platform-payloads.ts
+function getPlatformPayloads() {
+  const info = getPlatformInfo();
+  const all = getAllPayloads();
+  return all.filter((p) => p.platforms.includes(info.os) || p.platforms.length === 0);
+}
+function getPayloadsForMode(mode) {
+  const modeOrder = ["passive", "active", "aggressive"];
+  const modeIdx = modeOrder.indexOf(mode);
+  return getPlatformPayloads().filter((p) => {
+    const payloadModeIdx = modeOrder.indexOf(p.minMode);
+    return payloadModeIdx <= modeIdx;
+  });
+}
+function getAllPayloads() {
+  return [
+    // Path traversal - active
+    { category: "path-traversal", label: "unix-parent", value: "../../../etc/passwd", description: "Unix parent directory traversal", minMode: "active", platforms: ["linux", "darwin"] },
+    { category: "path-traversal", label: "unix-absolute", value: "/etc/passwd", description: "Unix absolute path", minMode: "active", platforms: ["linux", "darwin"] },
+    { category: "path-traversal", label: "unix-home", value: "~/.ssh/id_rsa", description: "Unix home directory access", minMode: "active", platforms: ["linux", "darwin"] },
+    { category: "path-traversal", label: "win-parent", value: "..\\..\\..\\windows\\system32\\config\\sam", description: "Windows parent directory traversal", minMode: "active", platforms: ["win32"] },
+    { category: "path-traversal", label: "win-absolute", value: "C:\\Windows\\System32\\config\\sam", description: "Windows absolute path", minMode: "active", platforms: ["win32"] },
+    { category: "path-traversal", label: "encoded-traversal", value: "..%2F..%2F..%2Fetc%2Fpasswd", description: "URL-encoded traversal", minMode: "active", platforms: [] },
+    { category: "path-traversal", label: "null-byte", value: "../../etc/passwd\0.txt", description: "Null byte injection in path", minMode: "active", platforms: [] },
+    // Command injection - active
+    { category: "command-injection", label: "semicolon", value: "; echo vulnerable", description: "Semicolon command injection", minMode: "active", platforms: ["linux", "darwin"] },
+    { category: "command-injection", label: "pipe", value: "| echo vulnerable", description: "Pipe command injection", minMode: "active", platforms: [] },
+    { category: "command-injection", label: "backtick", value: "`echo vulnerable`", description: "Backtick command injection", minMode: "active", platforms: ["linux", "darwin"] },
+    { category: "command-injection", label: "dollar-paren", value: "$(echo vulnerable)", description: "Dollar-paren command injection", minMode: "active", platforms: ["linux", "darwin"] },
+    { category: "command-injection", label: "and-chain", value: "&& echo vulnerable", description: "AND chain command injection", minMode: "active", platforms: [] },
+    // SQL injection - active
+    { category: "sql-injection", label: "single-quote", value: "' OR '1'='1", description: "Classic SQL injection", minMode: "active", platforms: [] },
+    { category: "sql-injection", label: "union-select", value: "' UNION SELECT * FROM users --", description: "UNION SELECT injection", minMode: "active", platforms: [] },
+    { category: "sql-injection", label: "drop-table", value: "'; DROP TABLE users; --", description: "DROP TABLE injection", minMode: "active", platforms: [] },
+    { category: "sql-injection", label: "comment", value: "admin'--", description: "Comment-based SQL injection", minMode: "active", platforms: [] },
+    // Template injection - active
+    { category: "template-injection", label: "jinja", value: "{{7*7}}", description: "Jinja/Handlebars template injection", minMode: "active", platforms: [] },
+    { category: "template-injection", label: "erb", value: "<%= 7*7 %>", description: "ERB template injection", minMode: "active", platforms: [] },
+    { category: "template-injection", label: "expression", value: "${7*7}", description: "Expression language injection", minMode: "active", platforms: [] },
+    // Resource exhaustion - aggressive only
+    { category: "resource-exhaustion", label: "huge-string", value: "X".repeat(1e4), description: "Very long input string", minMode: "aggressive", platforms: [] },
+    { category: "resource-exhaustion", label: "deep-nesting", value: JSON.stringify(createDeepObject(20)), description: "Deeply nested object", minMode: "aggressive", platforms: [] },
+    { category: "resource-exhaustion", label: "many-keys", value: JSON.stringify(createManyKeys(100)), description: "Object with many keys", minMode: "aggressive", platforms: [] }
+  ];
+}
+function createDeepObject(depth) {
+  let obj = { value: "leaf" };
+  for (let i = 0; i < depth; i++) {
+    obj = { nested: obj };
+  }
+  return obj;
+}
+function createManyKeys(count) {
+  const obj = {};
+  for (let i = 0; i < count; i++) {
+    obj[`key_${i}`] = `value_${i}`;
+  }
+  return obj;
+}
+
+// src/security/rules/utils.ts
+async function callWithTimeout(client, toolName, args, timeout) {
+  try {
+    const result = await Promise.race([
+      client.callTool(toolName, args),
+      new Promise((resolve) => setTimeout(() => resolve(null), timeout))
+    ]);
+    return result;
+  } catch {
+    return null;
+  }
+}
+
+// src/security/rules/path-traversal.ts
+var PATH_PARAM_PATTERNS = /^(path|file|filename|filepath|dir|directory|folder|uri|url|location|src|dest|source|destination|target)$/i;
+var PathTraversalRule = class {
+  id = "path-traversal";
+  name = "Path Traversal";
+  description = "Tests for directory traversal vulnerabilities in path-based parameters";
+  async scan(client, tools, config) {
+    const findings = [];
+    const payloads = getPayloadsForMode(config.mode).filter((p) => p.category === "path-traversal");
+    for (const tool of tools) {
+      const pathParams = this.findPathParams(tool);
+      if (pathParams.length === 0) continue;
+      for (const param of pathParams) {
+        const passiveResult = await callWithTimeout(
+          client,
+          tool.name,
+          { [param]: "../test" },
+          config.timeout
+        );
+        if (passiveResult && !passiveResult.isError) {
+          findings.push({
+            id: randomUUID3(),
+            rule: this.id,
+            severity: "medium",
+            title: `Path traversal possible on ${tool.name}.${param}`,
+            description: `The tool "${tool.name}" accepted a relative path "../test" on parameter "${param}" without rejection.`,
+            evidence: JSON.stringify(passiveResult.content).slice(0, 200),
+            remediation: 'Validate and sanitize path inputs. Reject paths containing ".." and resolve to absolute paths within an allowed directory.'
+          });
+        }
+        for (const payload of payloads) {
+          const result = await callWithTimeout(
+            client,
+            tool.name,
+            { [param]: payload.value },
+            config.timeout
+          );
+          if (!result) continue;
+          const contentStr = JSON.stringify(result.content);
+          const hasSensitiveContent = /root:|admin:|password|shadow|id_rsa|PRIVATE KEY|sam|SYSTEM/i.test(contentStr);
+          const hasPathDisclosure = /\/etc\/|\/home\/|C:\\Users|C:\\Windows/i.test(contentStr);
+          if (!result.isError && (hasSensitiveContent || hasPathDisclosure)) {
+            findings.push({
+              id: randomUUID3(),
+              rule: this.id,
+              severity: hasSensitiveContent ? "critical" : "high",
+              title: `Path traversal: ${payload.label} on ${tool.name}.${param}`,
+              description: `The tool "${tool.name}" returned sensitive content when given "${payload.label}" payload on parameter "${param}".`,
+              evidence: contentStr.slice(0, 500),
+              remediation: "Restrict file access to a specific directory. Validate paths against an allow-list. Use chroot or similar sandboxing."
+            });
+          }
+        }
+      }
+    }
+    return findings;
+  }
+  findPathParams(tool) {
+    const schema = tool.inputSchema;
+    if (!schema || typeof schema !== "object") return [];
+    const properties = schema["properties"];
+    if (!properties || typeof properties !== "object") return [];
+    return Object.keys(properties).filter(
+      (key) => PATH_PARAM_PATTERNS.test(key)
+    );
+  }
+};
+
+// src/security/rules/input-validation.ts
+import { randomUUID as randomUUID4 } from "crypto";
+
+// src/security/payloads/safe-payloads.ts
+function getSafePayloads() {
+  return [
+    // Empty values
+    { category: "empty", label: "empty-string", value: "", description: "Empty string input" },
+    { category: "empty", label: "null-value", value: null, description: "Null value input" },
+    { category: "empty", label: "undefined-value", value: void 0, description: "Undefined value input" },
+    // Boundary values
+    { category: "boundary", label: "zero", value: 0, description: "Zero numeric input" },
+    { category: "boundary", label: "negative", value: -1, description: "Negative numeric input" },
+    { category: "boundary", label: "max-int", value: Number.MAX_SAFE_INTEGER, description: "Maximum safe integer" },
+    { category: "boundary", label: "min-int", value: Number.MIN_SAFE_INTEGER, description: "Minimum safe integer" },
+    { category: "boundary", label: "float", value: 1.5, description: "Float value where int expected" },
+    // Long strings
+    { category: "long-string", label: "long-256", value: "A".repeat(256), description: "256-char string" },
+    { category: "long-string", label: "long-1024", value: "B".repeat(1024), description: "1024-char string" },
+    // Special characters
+    { category: "special-chars", label: "unicode", value: "\0\uFFFF", description: "Unicode control characters" },
+    { category: "special-chars", label: "newlines", value: "line1\nline2\rline3", description: "Newline characters" },
+    { category: "special-chars", label: "tabs", value: "			", description: "Tab characters" },
+    { category: "special-chars", label: "quotes", value: "\"'`", description: "Quote characters" },
+    { category: "special-chars", label: "backslash", value: "\\\\\\", description: "Backslash characters" },
+    // Type confusion
+    { category: "type-confusion", label: "string-number", value: "123", description: "Numeric string where number expected" },
+    { category: "type-confusion", label: "string-boolean", value: "true", description: "Boolean string where boolean expected" },
+    { category: "type-confusion", label: "array-value", value: [1, 2, 3], description: "Array where scalar expected" },
+    { category: "type-confusion", label: "object-value", value: { key: "value" }, description: "Object where scalar expected" },
+    { category: "type-confusion", label: "boolean-value", value: true, description: "Boolean where string expected" }
+  ];
+}
+
+// src/security/rules/input-validation.ts
+var InputValidationRule = class {
+  id = "input-validation";
+  name = "Input Validation";
+  description = "Tests for missing or inadequate input validation";
+  async scan(client, tools, config) {
+    const findings = [];
+    const payloads = getSafePayloads();
+    for (const tool of tools) {
+      const emptyResult = await callWithTimeout(client, tool.name, {}, config.timeout);
+      if (emptyResult && !emptyResult.isError) {
+        const required = this.getRequiredFields(tool);
+        if (required.length > 0) {
+          findings.push({
+            id: randomUUID4(),
+            rule: this.id,
+            severity: "medium",
+            title: `Missing required field validation on ${tool.name}`,
+            description: `The tool "${tool.name}" accepted a call with no arguments despite having required fields: ${required.join(", ")}.`,
+            evidence: JSON.stringify(emptyResult.content).slice(0, 200),
+            remediation: "Validate that all required parameters are present before processing the request."
+          });
+        }
+      }
+      const properties = this.getProperties(tool);
+      for (const [param, schema] of Object.entries(properties)) {
+        const expectedType = schema["type"];
+        if (!expectedType) continue;
+        const wrongTypePayloads = payloads.filter((p) => p.category === "type-confusion");
+        for (const payload of wrongTypePayloads) {
+          const result = await callWithTimeout(
+            client,
+            tool.name,
+            { [param]: payload.value },
+            config.timeout
+          );
+          if (result && !result.isError) {
+            const actualType = typeof payload.value;
+            const isArray = Array.isArray(payload.value);
+            const payloadType = isArray ? "array" : actualType;
+            if (payloadType !== expectedType && expectedType !== "any") {
+              findings.push({
+                id: randomUUID4(),
+                rule: this.id,
+                severity: "low",
+                title: `Type confusion accepted on ${tool.name}.${param}`,
+                description: `The tool "${tool.name}" accepted ${payloadType} for parameter "${param}" which expects ${expectedType}.`,
+                evidence: `Input: ${JSON.stringify(payload.value)}, Response: ${JSON.stringify(result.content).slice(0, 200)}`,
+                remediation: "Validate parameter types match the declared schema before processing."
+              });
+              break;
+            }
+          }
+        }
+      }
+    }
+    return findings;
+  }
+  getRequiredFields(tool) {
+    const schema = tool.inputSchema;
+    if (!schema || typeof schema !== "object") return [];
+    const required = schema["required"];
+    if (!Array.isArray(required)) return [];
+    return required;
+  }
+  getProperties(tool) {
+    const schema = tool.inputSchema;
+    if (!schema || typeof schema !== "object") return {};
+    const properties = schema["properties"];
+    if (!properties || typeof properties !== "object") return {};
+    return properties;
+  }
+};
+
+// src/security/rules/resource-exhaustion.ts
+import { randomUUID as randomUUID5 } from "crypto";
+var LARGE_STRING = "X".repeat(1e4);
+var VERY_LARGE_STRING = "Y".repeat(1e5);
+var SLOW_THRESHOLD_MS = 5e3;
+var ResourceExhaustionRule = class {
+  id = "resource-exhaustion";
+  name = "Resource Exhaustion";
+  description = "Tests for resource exhaustion vulnerabilities (DoS potential)";
+  async scan(client, tools, config) {
+    const findings = [];
+    for (const tool of tools) {
+      const params = this.getStringParams(tool);
+      const firstParam = params[0];
+      if (!firstParam) continue;
+      const param = firstParam;
+      const largeStr = config.mode === "aggressive" ? VERY_LARGE_STRING : LARGE_STRING;
+      const start = Date.now();
+      const result = await callWithTimeout(client, tool.name, { [param]: largeStr }, config.timeout);
+      const elapsed = Date.now() - start;
+      if (result === null) {
+        findings.push({
+          id: randomUUID5(),
+          rule: this.id,
+          severity: "high",
+          title: `Timeout with large input on ${tool.name}`,
+          description: `The tool "${tool.name}" timed out when given a ${largeStr.length}-character string for parameter "${param}". This could indicate a resource exhaustion vulnerability.`,
+          remediation: "Implement input size limits. Add timeouts to processing. Validate input length before processing."
+        });
+      } else if (elapsed > SLOW_THRESHOLD_MS) {
+        findings.push({
+          id: randomUUID5(),
+          rule: this.id,
+          severity: "medium",
+          title: `Slow response with large input on ${tool.name}`,
+          description: `The tool "${tool.name}" took ${elapsed}ms to process a ${largeStr.length}-character string for parameter "${param}".`,
+          evidence: `Response time: ${elapsed}ms`,
+          remediation: "Implement input size limits and processing timeouts to prevent slow responses."
+        });
+      }
+      if (config.mode === "aggressive") {
+        const deepObj = this.createDeepObject(50);
+        const deepStart = Date.now();
+        const deepResult = await callWithTimeout(client, tool.name, { [param]: deepObj }, config.timeout);
+        const deepElapsed = Date.now() - deepStart;
+        if (deepResult === null) {
+          findings.push({
+            id: randomUUID5(),
+            rule: this.id,
+            severity: "high",
+            title: `Timeout with deeply nested input on ${tool.name}`,
+            description: `The tool "${tool.name}" timed out when given a deeply nested object (50 levels) for parameter "${param}".`,
+            remediation: "Implement nesting depth limits on JSON input parsing."
+          });
+        } else if (deepElapsed > SLOW_THRESHOLD_MS) {
+          findings.push({
+            id: randomUUID5(),
+            rule: this.id,
+            severity: "medium",
+            title: `Slow response with nested input on ${tool.name}`,
+            description: `The tool "${tool.name}" took ${deepElapsed}ms to process a deeply nested object for parameter "${param}".`,
+            evidence: `Response time: ${deepElapsed}ms`,
+            remediation: "Implement nesting depth limits on JSON input parsing."
+          });
+        }
+      }
+    }
+    return findings;
+  }
+  getStringParams(tool) {
+    const schema = tool.inputSchema;
+    if (!schema || typeof schema !== "object") return [];
+    const properties = schema["properties"];
+    if (!properties || typeof properties !== "object") return [];
+    return Object.entries(properties).filter(([, v]) => v["type"] === "string").map(([k]) => k);
+  }
+  createDeepObject(depth) {
+    let obj = { value: "leaf" };
+    for (let i = 0; i < depth; i++) {
+      obj = { nested: obj };
+    }
+    return obj;
+  }
+};
+
+// src/security/rules/auth-bypass.ts
+import { randomUUID as randomUUID6 } from "crypto";
+var ADMIN_PATTERNS = /^(admin|delete|remove|drop|create|update|write|modify|set|config|configure|manage|grant|revoke|reset|destroy|purge|execute|exec|run|deploy|install|uninstall)_?/i;
+var AuthBypassRule = class {
+  id = "auth-bypass";
+  name = "Auth Bypass";
+  description = "Tests for unrestricted access to administrative or privileged tools";
+  async scan(client, tools, config) {
+    const findings = [];
+    const adminTools = tools.filter((t) => ADMIN_PATTERNS.test(t.name));
+    for (const tool of adminTools) {
+      const result = await callWithTimeout(client, tool.name, {}, config.timeout);
+      if (result && !result.isError) {
+        findings.push({
+          id: randomUUID6(),
+          rule: this.id,
+          severity: "high",
+          title: `Unrestricted access to ${tool.name}`,
+          description: `The administrative tool "${tool.name}" was callable with empty arguments without any authentication or authorization check.`,
+          evidence: JSON.stringify(result.content).slice(0, 200),
+          remediation: "Implement authentication and authorization checks for administrative tools. Require valid credentials or tokens."
+        });
+      }
+      const required = this.getRequiredFields(tool);
+      if (required.length > 0) {
+        const minimalArgs = {};
+        for (const field of required) {
+          minimalArgs[field] = "test";
+        }
+        const minResult = await callWithTimeout(client, tool.name, minimalArgs, config.timeout);
+        if (minResult && !minResult.isError) {
+          findings.push({
+            id: randomUUID6(),
+            rule: this.id,
+            severity: "high",
+            title: `Admin tool ${tool.name} accessible without auth`,
+            description: `The administrative tool "${tool.name}" accepted minimal arguments without authentication verification.`,
+            evidence: JSON.stringify(minResult.content).slice(0, 200),
+            remediation: "Implement proper authentication and authorization before allowing access to administrative operations."
+          });
+        }
+      }
+    }
+    return findings;
+  }
+  getRequiredFields(tool) {
+    const schema = tool.inputSchema;
+    if (!schema || typeof schema !== "object") return [];
+    const required = schema["required"];
+    if (!Array.isArray(required)) return [];
+    return required;
+  }
+};
+
+// src/security/rules/injection.ts
+import { randomUUID as randomUUID7 } from "crypto";
+var SQL_ERROR_PATTERNS = /sql|syntax error|sqlite|mysql|postgresql|ora-\d|unterminated|unexpected token/i;
+var INJECTION_ECHO_PATTERNS = /vulnerable|<script>|alert\(|onerror=/i;
+var InjectionRule = class {
+  id = "injection";
+  name = "Injection";
+  description = "Tests for SQL injection, command injection, and template injection vulnerabilities";
+  async scan(client, tools, config) {
+    const findings = [];
+    const categories = ["sql-injection", "command-injection", "template-injection"];
+    const payloads = getPayloadsForMode(config.mode).filter((p) => categories.includes(p.category));
+    for (const tool of tools) {
+      const stringParams = this.getStringParams(tool);
+      if (stringParams.length === 0) continue;
+      for (const param of stringParams) {
+        for (const payload of payloads) {
+          const result = await callWithTimeout(
+            client,
+            tool.name,
+            { [param]: payload.value },
+            config.timeout
+          );
+          if (!result) continue;
+          const contentStr = JSON.stringify(result.content);
+          if (payload.category === "sql-injection" && SQL_ERROR_PATTERNS.test(contentStr)) {
+            findings.push({
+              id: randomUUID7(),
+              rule: this.id,
+              severity: "critical",
+              title: `SQL injection on ${tool.name}.${param}`,
+              description: `The tool "${tool.name}" returned SQL error messages when given SQL injection payload "${payload.label}" on parameter "${param}".`,
+              evidence: contentStr.slice(0, 500),
+              remediation: "Use parameterized queries or prepared statements. Never concatenate user input into SQL queries."
+            });
+            break;
+          }
+          if (payload.category === "command-injection" && INJECTION_ECHO_PATTERNS.test(contentStr)) {
+            findings.push({
+              id: randomUUID7(),
+              rule: this.id,
+              severity: "critical",
+              title: `Command injection on ${tool.name}.${param}`,
+              description: `The tool "${tool.name}" appears to execute injected commands via parameter "${param}" using payload "${payload.label}".`,
+              evidence: contentStr.slice(0, 500),
+              remediation: "Never pass user input directly to shell commands. Use parameterized APIs or allow-lists for commands."
+            });
+            break;
+          }
+          if (payload.category === "template-injection" && /49/.test(contentStr) && !result.isError) {
+            findings.push({
+              id: randomUUID7(),
+              rule: this.id,
+              severity: "high",
+              title: `Template injection on ${tool.name}.${param}`,
+              description: `The tool "${tool.name}" evaluated a template expression via parameter "${param}" using payload "${payload.label}".`,
+              evidence: contentStr.slice(0, 500),
+              remediation: "Sanitize user input before passing to template engines. Use sandboxed template rendering."
+            });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  }
+  getStringParams(tool) {
+    const schema = tool.inputSchema;
+    if (!schema || typeof schema !== "object") return [];
+    const properties = schema["properties"];
+    if (!properties || typeof properties !== "object") return [];
+    return Object.entries(properties).filter(([, v]) => v["type"] === "string").map(([k]) => k);
+  }
+};
+
+// src/security/rules/information-disclosure.ts
+import { randomUUID as randomUUID8 } from "crypto";
+var STACK_TRACE_PATTERNS = /at\s+\w+\s+\(|Error:\s+|Traceback\s+\(|stack.*trace|\.js:\d+:\d+|\.ts:\d+:\d+|\.py", line \d+/i;
+var INTERNAL_PATH_PATTERNS = /\/home\/\w+|\/Users\/\w+|C:\\Users\\\w+|\/var\/|\/opt\/|\/srv\//;
+var CONFIG_PATTERNS = /DATABASE_URL|DB_PASSWORD|API_KEY|SECRET_KEY|PRIVATE_KEY|ACCESS_TOKEN|AWS_SECRET/i;
+var VERSION_PATTERNS = /node\/\d+\.\d+|express\/\d+|nginx\/\d+|apache\/\d+|python\/\d+/i;
+var InformationDisclosureRule = class {
+  id = "information-disclosure";
+  name = "Information Disclosure";
+  description = "Tests for unintended information disclosure in error messages and responses";
+  async scan(client, tools, config) {
+    const findings = [];
+    for (const tool of tools) {
+      const errorTriggers = [
+        {},
+        { nonexistent_param: "test" },
+        { [this.getFirstParam(tool) ?? "id"]: null },
+        { [this.getFirstParam(tool) ?? "id"]: "" }
+      ];
+      for (const args of errorTriggers) {
+        const result = await callWithTimeout(client, tool.name, args, config.timeout);
+        if (!result) continue;
+        const contentStr = JSON.stringify(result.content);
+        if (STACK_TRACE_PATTERNS.test(contentStr)) {
+          findings.push({
+            id: randomUUID8(),
+            rule: this.id,
+            severity: "medium",
+            title: `Stack trace disclosed by ${tool.name}`,
+            description: `The tool "${tool.name}" exposed a stack trace in its error response, potentially revealing internal implementation details.`,
+            evidence: contentStr.slice(0, 500),
+            remediation: "Return generic error messages to clients. Log detailed errors server-side only."
+          });
+          break;
+        }
+        if (INTERNAL_PATH_PATTERNS.test(contentStr)) {
+          findings.push({
+            id: randomUUID8(),
+            rule: this.id,
+            severity: "low",
+            title: `Internal path disclosed by ${tool.name}`,
+            description: `The tool "${tool.name}" exposed internal file system paths in its response.`,
+            evidence: contentStr.slice(0, 500),
+            remediation: "Sanitize error messages to remove internal file paths before returning to clients."
+          });
+          break;
+        }
+        if (CONFIG_PATTERNS.test(contentStr)) {
+          findings.push({
+            id: randomUUID8(),
+            rule: this.id,
+            severity: "high",
+            title: `Configuration data disclosed by ${tool.name}`,
+            description: `The tool "${tool.name}" exposed configuration values or secrets in its response.`,
+            evidence: contentStr.slice(0, 500),
+            remediation: "Never include configuration values, secrets, or environment variables in error responses."
+          });
+          break;
+        }
+        if (VERSION_PATTERNS.test(contentStr)) {
+          findings.push({
+            id: randomUUID8(),
+            rule: this.id,
+            severity: "info",
+            title: `Version information disclosed by ${tool.name}`,
+            description: `The tool "${tool.name}" exposed server/runtime version information in its response.`,
+            evidence: contentStr.slice(0, 500),
+            remediation: "Remove version headers and version information from error responses."
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+  getFirstParam(tool) {
+    const schema = tool.inputSchema;
+    if (!schema || typeof schema !== "object") return void 0;
+    const properties = schema["properties"];
+    if (!properties || typeof properties !== "object") return void 0;
+    const keys = Object.keys(properties);
+    return keys[0];
+  }
+};
+
+// src/security/security-scanner.ts
+var SEVERITY_ORDER2 = ["info", "low", "medium", "high", "critical"];
+var SecurityScanner = class {
+  rules = /* @__PURE__ */ new Map();
+  constructor() {
+    this.registerBuiltinRules();
+  }
+  registerRule(rule) {
+    this.rules.set(rule.id, rule);
+  }
+  async scan(client, config, progress) {
+    const startedAt = /* @__PURE__ */ new Date();
+    const findings = [];
+    const tools = await client.listTools();
+    for (const ruleId of config.rules) {
+      const rule = this.rules.get(ruleId);
+      if (!rule) continue;
+      progress?.onRuleStart?.(rule.id, rule.name);
+      try {
+        const ruleFindings = await rule.scan(client, tools, config);
+        for (const finding of ruleFindings) {
+          findings.push(finding);
+          progress?.onFinding?.(finding);
+        }
+        progress?.onRuleComplete?.(rule.id, ruleFindings.length);
+      } catch (err) {
+        const errorFinding = {
+          id: randomUUID9(),
+          rule: ruleId,
+          severity: "info",
+          title: `Rule "${ruleId}" failed to complete`,
+          description: `The security rule "${ruleId}" encountered an error during scanning: ${err instanceof Error ? err.message : String(err)}`
+        };
+        findings.push(errorFinding);
+        progress?.onFinding?.(errorFinding);
+        progress?.onRuleComplete?.(ruleId, 0);
+      }
+    }
+    findings.sort((a, b) => {
+      return SEVERITY_ORDER2.indexOf(b.severity) - SEVERITY_ORDER2.indexOf(a.severity);
+    });
+    const completedAt = /* @__PURE__ */ new Date();
+    const serverInfo = client.getServerInfo();
+    return {
+      id: randomUUID9(),
+      serverName: serverInfo?.name ?? "unknown",
+      mode: config.mode,
+      startedAt,
+      completedAt,
+      findings,
+      summary: this.buildSummary(findings)
+    };
+  }
+  buildSummary(findings) {
+    const bySeverity = {
+      info: 0,
+      low: 0,
+      medium: 0,
+      high: 0,
+      critical: 0
+    };
+    const byRule = {};
+    for (const finding of findings) {
+      bySeverity[finding.severity]++;
+      byRule[finding.rule] = (byRule[finding.rule] ?? 0) + 1;
+    }
+    return {
+      totalFindings: findings.length,
+      bySeverity,
+      byRule
+    };
+  }
+  registerBuiltinRules() {
+    this.registerRule(new PathTraversalRule());
+    this.registerRule(new InputValidationRule());
+    this.registerRule(new ResourceExhaustionRule());
+    this.registerRule(new AuthBypassRule());
+    this.registerRule(new InjectionRule());
+    this.registerRule(new InformationDisclosureRule());
+  }
+};
+
+// src/performance/profiler.ts
+import { performance as performance2 } from "perf_hooks";
+function computeStats(sortedDurations) {
+  if (sortedDurations.length === 0) {
+    return { min: 0, max: 0, mean: 0, median: 0, p95: 0, p99: 0, stddev: 0 };
+  }
+  const n = sortedDurations.length;
+  const min = sortedDurations[0];
+  const max = sortedDurations[n - 1];
+  const sum = sortedDurations.reduce((a, b) => a + b, 0);
+  const mean = sum / n;
+  const median = n % 2 === 0 ? (sortedDurations[n / 2 - 1] + sortedDurations[n / 2]) / 2 : sortedDurations[Math.floor(n / 2)];
+  const p95 = sortedDurations[Math.ceil(n * 0.95) - 1];
+  const p99 = sortedDurations[Math.ceil(n * 0.99) - 1];
+  const variance = sortedDurations.reduce((acc, val) => acc + (val - mean) ** 2, 0) / n;
+  const stddev = Math.sqrt(variance);
+  return { min, max, mean, median, p95, p99, stddev };
+}
+var Profiler = class {
+  entries = [];
+  async profileCall(client, toolName, args) {
+    const startMs = performance2.now();
+    let success = true;
+    let error;
+    try {
+      const result = await client.callTool(toolName, args);
+      if (result.isError) {
+        success = false;
+        error = JSON.stringify(result.content).slice(0, 200);
+      }
+    } catch (err) {
+      success = false;
+      error = err instanceof Error ? err.message : String(err);
+    }
+    const durationMs = performance2.now() - startMs;
+    const entry = {
+      toolName,
+      startMs,
+      durationMs,
+      success,
+      error
+    };
+    this.entries.push(entry);
+    return entry;
+  }
+  getEntries() {
+    return [...this.entries];
+  }
+  getStats(toolName) {
+    const filtered = toolName ? this.entries.filter((e) => e.toolName === toolName && e.success) : this.entries.filter((e) => e.success);
+    const durations = filtered.map((e) => e.durationMs).sort((a, b) => a - b);
+    return computeStats(durations);
+  }
+  clear() {
+    this.entries = [];
+  }
+};
+
+// src/performance/benchmark-runner.ts
+import { performance as performance3 } from "perf_hooks";
+var DEFAULT_CONFIG = {
+  iterations: 100,
+  warmupIterations: 5,
+  concurrency: 1,
+  timeout: 3e4
+};
+var BenchmarkRunner = class {
+  async run(client, toolName, args, config = {}, progress) {
+    const cfg = { ...DEFAULT_CONFIG, ...config };
+    const startedAt = /* @__PURE__ */ new Date();
+    if (cfg.warmupIterations > 0) {
+      progress?.onWarmupStart?.(cfg.warmupIterations);
+      for (let i = 0; i < cfg.warmupIterations; i++) {
+        await this.runSingleIteration(client, toolName, args, cfg.timeout);
+      }
+    }
+    const durations = [];
+    let errors = 0;
+    for (let i = 0; i < cfg.iterations; i++) {
+      const result = await this.runSingleIteration(client, toolName, args, cfg.timeout);
+      if (result.success) {
+        durations.push(result.durationMs);
+      } else {
+        errors++;
+      }
+      progress?.onIterationComplete?.(i + 1, cfg.iterations, result.durationMs);
+    }
+    durations.sort((a, b) => a - b);
+    const stats = computeStats(durations);
+    const completedAt = /* @__PURE__ */ new Date();
+    const benchResult = {
+      toolName,
+      iterations: cfg.iterations,
+      stats,
+      errors,
+      startedAt,
+      completedAt
+    };
+    progress?.onComplete?.(benchResult);
+    return benchResult;
+  }
+  async runSingleIteration(client, toolName, args, timeout) {
+    const start = performance3.now();
+    try {
+      const result = await Promise.race([
+        client.callTool(toolName, args),
+        new Promise((resolve) => setTimeout(() => resolve(null), timeout))
+      ]);
+      const durationMs = performance3.now() - start;
+      if (result === null) {
+        return { success: false, durationMs };
+      }
+      return { success: !result.isError, durationMs };
+    } catch {
+      const durationMs = performance3.now() - start;
+      return { success: false, durationMs };
+    }
+  }
+};
+
+// src/performance/waterfall-generator.ts
+var WaterfallGenerator = class {
+  generate(entries) {
+    if (entries.length === 0) return [];
+    const minStart = Math.min(...entries.map((e) => e.startMs));
+    return entries.map((entry) => ({
+      label: `${entry.toolName}${entry.success ? "" : " (ERR)"}`,
+      startMs: entry.startMs - minStart,
+      durationMs: entry.durationMs
+    }));
+  }
+  toAscii(entries, width = 60) {
+    if (entries.length === 0) return "";
+    const maxEnd = Math.max(...entries.map((e) => e.startMs + e.durationMs));
+    if (maxEnd === 0) return "";
+    const maxLabelLen = Math.max(...entries.map((e) => e.label.length));
+    const barWidth = width - maxLabelLen - 12;
+    const lines = [];
+    for (const entry of entries) {
+      const label = entry.label.padEnd(maxLabelLen);
+      const startCol = Math.floor(entry.startMs / maxEnd * barWidth);
+      const endCol = Math.max(startCol + 1, Math.floor((entry.startMs + entry.durationMs) / maxEnd * barWidth));
+      const prefix = " ".repeat(startCol);
+      const bar = "\u2588".repeat(endCol - startCol);
+      const suffix = ` ${entry.durationMs.toFixed(1)}ms`;
+      lines.push(`${label} |${prefix}${bar}${suffix}`);
+    }
+    return lines.join("\n");
+  }
+};
+
+// src/documentation/doc-generator.ts
+import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
+import { join as join3 } from "path";
+
+// src/documentation/markdown-generator.ts
+var MarkdownGenerator = class {
+  generate(data) {
+    const lines = [];
+    const version = data.serverVersion ? ` v${data.serverVersion}` : "";
+    lines.push(`# ${data.serverName}${version}`);
+    lines.push("");
+    if (data.tools.length > 0) {
+      lines.push("## Tools");
+      lines.push("");
+      lines.push("| Name | Description |");
+      lines.push("|------|-------------|");
+      for (const tool of data.tools) {
+        const desc = tool.description ?? "-";
+        lines.push(`| ${tool.name} | ${desc} |`);
+      }
+      lines.push("");
+      for (const tool of data.tools) {
+        lines.push(`### ${tool.name}`);
+        lines.push("");
+        if (tool.description) {
+          lines.push(tool.description);
+          lines.push("");
+        }
+        if (tool.inputSchema) {
+          lines.push("**Input Schema:**");
+          lines.push("");
+          lines.push("```json");
+          lines.push(JSON.stringify(tool.inputSchema, null, 2));
+          lines.push("```");
+          lines.push("");
+        }
+      }
+    } else {
+      lines.push("## Tools");
+      lines.push("");
+      lines.push("No tools available.");
+      lines.push("");
+    }
+    if (data.resources.length > 0) {
+      lines.push("## Resources");
+      lines.push("");
+      lines.push("| URI | Name | Description | MIME Type |");
+      lines.push("|-----|------|-------------|-----------|");
+      for (const res of data.resources) {
+        const name = res.name ?? "-";
+        const desc = res.description ?? "-";
+        const mime = res.mimeType ?? "-";
+        lines.push(`| ${res.uri} | ${name} | ${desc} | ${mime} |`);
+      }
+      lines.push("");
+    }
+    lines.push("---");
+    lines.push("");
+    lines.push(`*Generated by MCPSpec on ${data.generatedAt.toISOString()}*`);
+    lines.push("");
+    return lines.join("\n");
+  }
+};
+
+// src/documentation/html-generator.ts
+import Handlebars2 from "handlebars";
+var HTML_TEMPLATE2 = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>{{serverName}} Documentation</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; color: #1a1a2e; background: #f8f9fa; line-height: 1.6; }
+    .container { max-width: 960px; margin: 0 auto; padding: 2rem; }
+    h1 { font-size: 2rem; margin-bottom: 0.5rem; color: #2D5A27; }
+    h2 { font-size: 1.5rem; margin: 2rem 0 1rem; border-bottom: 2px solid #e0e0e0; padding-bottom: 0.5rem; }
+    h3 { font-size: 1.15rem; margin: 1.5rem 0 0.5rem; }
+    .version { color: #666; font-size: 1rem; font-weight: normal; }
+    .tool-card { background: #fff; border: 1px solid #e0e0e0; border-radius: 8px; padding: 1rem 1.25rem; margin-bottom: 1rem; }
+    .tool-card h3 { margin-top: 0; }
+    .tool-card p { color: #555; margin-bottom: 0.75rem; }
+    pre { background: #1e1e2e; color: #cdd6f4; padding: 1rem; border-radius: 6px; overflow-x: auto; font-size: 0.85rem; }
+    code { font-family: 'SF Mono', 'Fira Code', monospace; }
+    table { width: 100%; border-collapse: collapse; margin: 1rem 0; }
+    th, td { text-align: left; padding: 0.5rem 0.75rem; border: 1px solid #e0e0e0; }
+    th { background: #f1f3f5; font-weight: 600; }
+    .footer { margin-top: 3rem; padding-top: 1rem; border-top: 1px solid #e0e0e0; color: #888; font-size: 0.85rem; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>{{serverName}} {{#if serverVersion}}<span class="version">v{{serverVersion}}</span>{{/if}}</h1>
+
+    <h2>Tools</h2>
+    {{#if tools.length}}
+    {{#each tools}}
+    <div class="tool-card">
+      <h3>{{this.name}}</h3>
+      {{#if this.description}}<p>{{this.description}}</p>{{/if}}
+      {{#if this.inputSchema}}
+      <strong>Input Schema:</strong>
+      <pre><code>{{jsonPretty this.inputSchema}}</code></pre>
+      {{/if}}
+    </div>
+    {{/each}}
+    {{else}}
+    <p>No tools available.</p>
+    {{/if}}
+
+    {{#if resources.length}}
+    <h2>Resources</h2>
+    <table>
+      <thead>
+        <tr><th>URI</th><th>Name</th><th>Description</th><th>MIME Type</th></tr>
+      </thead>
+      <tbody>
+        {{#each resources}}
+        <tr>
+          <td>{{this.uri}}</td>
+          <td>{{or this.name "-"}}</td>
+          <td>{{or this.description "-"}}</td>
+          <td>{{or this.mimeType "-"}}</td>
+        </tr>
+        {{/each}}
+      </tbody>
+    </table>
+    {{/if}}
+
+    <div class="footer">
+      Generated by MCPSpec on {{generatedAt}}
+    </div>
+  </div>
+</body>
+</html>`;
+var HtmlDocGenerator = class {
+  template;
+  constructor() {
+    Handlebars2.registerHelper("jsonPretty", (obj) => {
+      return new Handlebars2.SafeString(JSON.stringify(obj, null, 2));
+    });
+    Handlebars2.registerHelper("or", (a, b) => a || b);
+    this.template = Handlebars2.compile(HTML_TEMPLATE2);
+  }
+  generate(data) {
+    return this.template({
+      ...data,
+      generatedAt: data.generatedAt.toISOString()
+    });
+  }
+};
+
+// src/documentation/doc-generator.ts
+var DocGenerator = class {
+  async introspect(client) {
+    const serverInfo = client.getServerInfo();
+    const tools = await client.listTools();
+    let resources = [];
+    try {
+      resources = await client.listResources();
+    } catch {
+    }
+    return {
+      serverName: serverInfo?.name ?? "Unknown Server",
+      serverVersion: serverInfo?.version,
+      tools,
+      resources,
+      generatedAt: /* @__PURE__ */ new Date()
+    };
+  }
+  async generate(client, options) {
+    const data = await this.introspect(client);
+    let content;
+    if (options.format === "html") {
+      const generator = new HtmlDocGenerator();
+      content = generator.generate(data);
+    } else {
+      const generator = new MarkdownGenerator();
+      content = generator.generate(data);
+    }
+    if (options.outputDir) {
+      mkdirSync2(options.outputDir, { recursive: true });
+      const filename = options.format === "html" ? "index.html" : "README.md";
+      writeFileSync2(join3(options.outputDir, filename), content, "utf-8");
+    }
+    return content;
+  }
+};
+
+// src/scoring/mcp-score.ts
+var MCPScoreCalculator = class {
+  async calculate(client, progress) {
+    const tools = await client.listTools();
+    let resources = [];
+    try {
+      resources = await client.listResources();
+    } catch {
+    }
+    progress?.onCategoryStart?.("documentation");
+    const documentation = this.scoreDocumentation(tools, resources);
+    progress?.onCategoryComplete?.("documentation", documentation);
+    progress?.onCategoryStart?.("schemaQuality");
+    const schemaQuality = this.scoreSchemaQuality(tools);
+    progress?.onCategoryComplete?.("schemaQuality", schemaQuality);
+    progress?.onCategoryStart?.("errorHandling");
+    const errorHandling = await this.scoreErrorHandling(client, tools);
+    progress?.onCategoryComplete?.("errorHandling", errorHandling);
+    progress?.onCategoryStart?.("performance");
+    const performance4 = await this.scorePerformance(client, tools);
+    progress?.onCategoryComplete?.("performance", performance4);
+    progress?.onCategoryStart?.("security");
+    const security = await this.scoreSecurity(client);
+    progress?.onCategoryComplete?.("security", security);
+    const overall = Math.round(
+      documentation * 0.25 + schemaQuality * 0.25 + errorHandling * 0.2 + performance4 * 0.15 + security * 0.15
+    );
+    return {
+      overall,
+      categories: {
+        documentation,
+        schemaQuality,
+        errorHandling,
+        performance: performance4,
+        security
+      }
+    };
+  }
+  scoreDocumentation(tools, resources) {
+    const items = [...tools, ...resources];
+    if (items.length === 0) return 0;
+    const withDescription = items.filter((item) => {
+      const desc = "description" in item ? item.description : void 0;
+      return desc && desc.trim().length > 0;
+    }).length;
+    return Math.round(withDescription / items.length * 100);
+  }
+  scoreSchemaQuality(tools) {
+    if (tools.length === 0) return 0;
+    let totalPoints = 0;
+    for (const tool of tools) {
+      const schema = tool.inputSchema;
+      if (!schema) continue;
+      let toolPoints = 0;
+      if (schema.type) toolPoints += 1 / 3;
+      if (schema.properties && typeof schema.properties === "object") toolPoints += 1 / 3;
+      if (schema.required && Array.isArray(schema.required)) toolPoints += 1 / 3;
+      totalPoints += toolPoints;
+    }
+    return Math.round(totalPoints / tools.length * 100);
+  }
+  async scoreErrorHandling(client, tools) {
+    if (tools.length === 0) return 0;
+    const testTools = tools.slice(0, 5);
+    let totalScore = 0;
+    for (const tool of testTools) {
+      try {
+        const result = await client.callTool(tool.name, {});
+        if (result.isError) {
+          totalScore += 100;
+        } else {
+          totalScore += 50;
+        }
+      } catch {
+        totalScore += 0;
+      }
+    }
+    return Math.round(totalScore / testTools.length);
+  }
+  async scorePerformance(client, tools) {
+    if (tools.length === 0) return 20;
+    const tool = tools[0];
+    const latencies = [];
+    for (let i = 0; i < 5; i++) {
+      const start = performance.now();
+      try {
+        await client.callTool(tool.name, {});
+      } catch {
+      }
+      latencies.push(performance.now() - start);
+    }
+    latencies.sort((a, b) => a - b);
+    const median = latencies[Math.floor(latencies.length / 2)];
+    if (median < 100) return 100;
+    if (median < 500) return 80;
+    if (median < 1e3) return 60;
+    if (median < 5e3) return 40;
+    return 20;
+  }
+  async scoreSecurity(client) {
+    try {
+      const scanner = new SecurityScanner();
+      const config = new ScanConfig({ mode: "passive" });
+      const result = await scanner.scan(client, config);
+      const findingCount = result.summary.totalFindings;
+      if (findingCount === 0) return 100;
+      if (findingCount <= 2) return 70;
+      if (findingCount <= 5) return 40;
+      return 20;
+    } catch {
+      return 50;
+    }
+  }
+};
+
+// src/scoring/badge-generator.ts
+var BadgeGenerator = class {
+  generate(score) {
+    const color = this.getColor(score.overall);
+    const label = "MCP Score";
+    const value = `${score.overall}/100`;
+    const labelWidth = 70;
+    const valueWidth = 50;
+    const totalWidth = labelWidth + valueWidth;
+    return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="20" role="img" aria-label="${label}: ${value}">
+  <title>${label}: ${value}</title>
+  <linearGradient id="s" x2="0" y2="100%">
+    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <clipPath id="r">
+    <rect width="${totalWidth}" height="20" rx="3" fill="#fff"/>
+  </clipPath>
+  <g clip-path="url(#r)">
+    <rect width="${labelWidth}" height="20" fill="#555"/>
+    <rect x="${labelWidth}" width="${valueWidth}" height="20" fill="${color}"/>
+    <rect width="${totalWidth}" height="20" fill="url(#s)"/>
+  </g>
+  <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="11">
+    <text x="${labelWidth / 2}" y="14">${label}</text>
+    <text x="${labelWidth + valueWidth / 2}" y="14">${value}</text>
+  </g>
+</svg>`;
+  }
+  getColor(score) {
+    if (score >= 80) return "#4c1";
+    if (score >= 60) return "#dfb317";
+    return "#e05d44";
+  }
+};
+export {
+  AuthBypassRule,
+  BadgeGenerator,
+  BaselineStore,
+  BenchmarkRunner,
+  ConnectionManager,
+  ConsoleReporter,
+  DocGenerator,
+  ERROR_CODE_MAP,
+  ERROR_TEMPLATES,
+  HtmlDocGenerator,
+  HtmlReporter,
+  InformationDisclosureRule,
+  InjectionRule,
+  InputValidationRule,
+  JsonReporter,
+  JunitReporter,
+  LoggingTransport,
+  MCPClient,
+  MCPScoreCalculator,
+  MCPSpecError,
+  MarkdownGenerator,
+  NotImplementedError,
+  PathTraversalRule,
+  ProcessManagerImpl,
+  ProcessRegistry,
+  Profiler,
+  RateLimiter,
+  ResourceExhaustionRule,
+  ResultDiffer,
+  ScanConfig,
+  SecretMasker,
+  SecurityScanner,
+  TapReporter,
+  TestExecutor,
+  TestRunner,
+  TestScheduler,
+  WaterfallGenerator,
+  YAML_LIMITS,
+  computeStats,
+  formatError,
+  getPayloadsForMode,
+  getPlatformInfo,
+  getPlatformPayloads,
+  getSafePayloads,
+  loadYamlSafely,
+  queryJsonPath,
+  registerCleanupHandlers,
+  resolveVariables
+};