@mcpspec/server 1.0.0

package/dist/index.js

@@ -0,0 +1,1312 @@
+// src/index.ts
+import { dirname as dirname2, join as join3 } from "path";
+import { fileURLToPath } from "url";
+
+// src/app.ts
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+
+// src/middleware/localhost-only.ts
+var LOCALHOST_ADDRS = /* @__PURE__ */ new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1", "localhost"]);
+function localhostOnly() {
+  return async (c, next) => {
+    const remoteAccess = process.env["MCPSPEC_REMOTE_ACCESS"] === "true";
+    if (remoteAccess) {
+      const token = process.env["MCPSPEC_TOKEN"];
+      if (token) {
+        const authHeader = c.req.header("Authorization");
+        if (authHeader !== `Bearer ${token}`) {
+          return c.json({ error: "unauthorized", message: "Invalid or missing token" }, 401);
+        }
+      }
+      return next();
+    }
+    const remoteAddr = c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip");
+    if (remoteAddr && !LOCALHOST_ADDRS.has(remoteAddr)) {
+      return c.json(
+        { error: "forbidden", message: "Remote access is disabled. Set MCPSPEC_REMOTE_ACCESS=true to enable." },
+        403
+      );
+    }
+    return next();
+  };
+}
+
+// src/middleware/auth.ts
+function authMiddleware() {
+  return async (_c, next) => {
+    return next();
+  };
+}
+
+// src/routes/servers.ts
+import { createServerSchema, updateServerSchema } from "@mcpspec/shared";
+import { MCPClient, ProcessManagerImpl } from "@mcpspec/core";
+function serversRoutes(app, db) {
+  app.get("/api/servers", (c) => {
+    const servers = db.listServers();
+    return c.json({ data: servers, total: servers.length });
+  });
+  app.post("/api/servers", async (c) => {
+    const body = await c.req.json();
+    const parsed = createServerSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const server = db.createServer(parsed.data);
+    return c.json({ data: server }, 201);
+  });
+  app.get("/api/servers/:id", (c) => {
+    const server = db.getServer(c.req.param("id"));
+    if (!server) return c.json({ error: "not_found", message: "Server not found" }, 404);
+    return c.json({ data: server });
+  });
+  app.put("/api/servers/:id", async (c) => {
+    const body = await c.req.json();
+    const parsed = updateServerSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const server = db.updateServer(c.req.param("id"), parsed.data);
+    if (!server) return c.json({ error: "not_found", message: "Server not found" }, 404);
+    return c.json({ data: server });
+  });
+  app.delete("/api/servers/:id", (c) => {
+    const deleted = db.deleteServer(c.req.param("id"));
+    if (!deleted) return c.json({ error: "not_found", message: "Server not found" }, 404);
+    return c.json({ data: { deleted: true } });
+  });
+  app.post("/api/servers/:id/test", async (c) => {
+    const server = db.getServer(c.req.param("id"));
+    if (!server) return c.json({ error: "not_found", message: "Server not found" }, 404);
+    const processManager = new ProcessManagerImpl();
+    const config = {
+      name: server.name,
+      transport: server.transport,
+      command: server.command,
+      args: server.args,
+      url: server.url,
+      env: server.env
+    };
+    const client = new MCPClient({ serverConfig: config, processManager });
+    try {
+      await client.connect();
+      const tools = await client.listTools();
+      await client.disconnect();
+      await processManager.shutdownAll();
+      return c.json({ data: { connected: true, toolCount: tools.length } });
+    } catch (err) {
+      await processManager.shutdownAll();
+      const message = err instanceof Error ? err.message : "Connection failed";
+      return c.json({ data: { connected: false, error: message } });
+    }
+  });
+}
+
+// src/routes/collections.ts
+import { createCollectionSchema, updateCollectionSchema, collectionSchema } from "@mcpspec/shared";
+import { loadYamlSafely } from "@mcpspec/core";
+function collectionsRoutes(app, db) {
+  app.get("/api/collections", (c) => {
+    const collections = db.listCollections();
+    return c.json({ data: collections, total: collections.length });
+  });
+  app.post("/api/collections", async (c) => {
+    const body = await c.req.json();
+    const parsed = createCollectionSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const collection = db.createCollection(parsed.data);
+    return c.json({ data: collection }, 201);
+  });
+  app.get("/api/collections/:id", (c) => {
+    const collection = db.getCollection(c.req.param("id"));
+    if (!collection) return c.json({ error: "not_found", message: "Collection not found" }, 404);
+    return c.json({ data: collection });
+  });
+  app.put("/api/collections/:id", async (c) => {
+    const body = await c.req.json();
+    const parsed = updateCollectionSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const collection = db.updateCollection(c.req.param("id"), parsed.data);
+    if (!collection) return c.json({ error: "not_found", message: "Collection not found" }, 404);
+    return c.json({ data: collection });
+  });
+  app.delete("/api/collections/:id", (c) => {
+    const deleted = db.deleteCollection(c.req.param("id"));
+    if (!deleted) return c.json({ error: "not_found", message: "Collection not found" }, 404);
+    return c.json({ data: { deleted: true } });
+  });
+  app.post("/api/collections/:id/validate", (c) => {
+    const collection = db.getCollection(c.req.param("id"));
+    if (!collection) return c.json({ error: "not_found", message: "Collection not found" }, 404);
+    try {
+      const yamlContent = loadYamlSafely(collection.yaml);
+      const result = collectionSchema.safeParse(yamlContent);
+      if (!result.success) {
+        return c.json({ data: { valid: false, errors: result.error.issues } });
+      }
+      return c.json({ data: { valid: true } });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "YAML parse error";
+      return c.json({ data: { valid: false, errors: [{ message }] } });
+    }
+  });
+}
+
+// src/routes/runs.ts
+import { triggerRunSchema, collectionSchema as collectionSchema2 } from "@mcpspec/shared";
+import { loadYamlSafely as loadYamlSafely2, TestRunner } from "@mcpspec/core";
+function runsRoutes(app, db) {
+  app.get("/api/runs", (c) => {
+    const limit = Number(c.req.query("limit") ?? "50");
+    const runs = db.listRuns(limit);
+    return c.json({ data: runs, total: runs.length });
+  });
+  app.post("/api/runs", async (c) => {
+    const body = await c.req.json();
+    const parsed = triggerRunSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const collection = db.getCollection(parsed.data.collectionId);
+    if (!collection) {
+      return c.json({ error: "not_found", message: "Collection not found" }, 404);
+    }
+    let collectionDef;
+    try {
+      const raw = loadYamlSafely2(collection.yaml);
+      const validated = collectionSchema2.parse(raw);
+      collectionDef = coerceCollection(validated);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid collection YAML";
+      return c.json({ error: "validation_error", message }, 400);
+    }
+    const run = db.createRun({
+      collectionId: collection.id,
+      collectionName: collectionDef.name,
+      serverId: parsed.data.serverId
+    });
+    executeRunInBackground(db, run.id, collectionDef, {
+      environment: parsed.data.environment,
+      tags: parsed.data.tags,
+      parallelism: parsed.data.parallelism
+    });
+    return c.json({ data: run }, 202);
+  });
+  app.get("/api/runs/:id", (c) => {
+    const run = db.getRun(c.req.param("id"));
+    if (!run) return c.json({ error: "not_found", message: "Run not found" }, 404);
+    return c.json({ data: run });
+  });
+  app.delete("/api/runs/:id", (c) => {
+    const deleted = db.deleteRun(c.req.param("id"));
+    if (!deleted) return c.json({ error: "not_found", message: "Run not found" }, 404);
+    return c.json({ data: { deleted: true } });
+  });
+}
+function executeRunInBackground(db, runId, collection, options) {
+  const runner = new TestRunner();
+  const results = [];
+  const reporter = {
+    onRunStart() {
+    },
+    onTestStart() {
+    },
+    onTestComplete(result) {
+      results.push(result);
+    },
+    onRunComplete(runResult) {
+      db.updateRun(runId, {
+        status: "completed",
+        summary: runResult.summary,
+        results: runResult.results,
+        completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        duration: runResult.duration
+      });
+    }
+  };
+  runner.run(collection, {
+    reporter,
+    environment: options.environment,
+    tags: options.tags,
+    parallelism: options.parallelism
+  }).catch((err) => {
+    db.updateRun(runId, {
+      status: "failed",
+      results,
+      completedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    console.error(`Run ${runId} failed:`, err instanceof Error ? err.message : err);
+  });
+}
+function coerceCollection(raw) {
+  const tests = raw["tests"];
+  return {
+    ...raw,
+    tests: tests.map((t) => ({
+      ...t,
+      timeout: t["timeout"] !== void 0 ? Number(t["timeout"]) : void 0,
+      retries: t["retries"] !== void 0 ? Number(t["retries"]) : void 0,
+      expectError: t["expectError"] !== void 0 ? t["expectError"] === "true" || t["expectError"] === true : void 0
+    }))
+  };
+}
+
+// src/routes/inspect.ts
+import { inspectConnectSchema, inspectCallSchema } from "@mcpspec/shared";
+import { MCPClient as MCPClient2, ProcessManagerImpl as ProcessManagerImpl2 } from "@mcpspec/core";
+import { randomUUID } from "crypto";
+var MAX_LOG_ENTRIES = 1e4;
+var sessions = /* @__PURE__ */ new Map();
+var SESSION_TIMEOUT_MS = 5 * 60 * 1e3;
+setInterval(() => {
+  const now = Date.now();
+  for (const [id, session] of sessions) {
+    if (now - session.lastUsed > SESSION_TIMEOUT_MS) {
+      session.client.disconnect().catch(() => {
+      });
+      session.processManager.shutdownAll().catch(() => {
+      });
+      sessions.delete(id);
+    }
+  }
+}, 6e4);
+function inspectRoutes(app, wsHandler) {
+  app.post("/api/inspect/connect", async (c) => {
+    const body = await c.req.json();
+    const parsed = inspectConnectSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const sessionId = randomUUID();
+    const processManager = new ProcessManagerImpl2();
+    const config = {
+      transport: parsed.data.transport,
+      command: parsed.data.command,
+      args: parsed.data.args,
+      url: parsed.data.url,
+      env: parsed.data.env
+    };
+    const session = {
+      client: null,
+      processManager,
+      lastUsed: Date.now(),
+      protocolLog: [],
+      pendingRequests: /* @__PURE__ */ new Map()
+    };
+    const onProtocolMessage = (direction, message) => {
+      const jsonrpcId = message.id;
+      const method = message.method;
+      const isError = message.error !== void 0;
+      const now = Date.now();
+      const entry = {
+        id: randomUUID(),
+        timestamp: now,
+        direction,
+        message,
+        jsonrpcId: jsonrpcId ?? void 0,
+        method,
+        isError: isError || void 0
+      };
+      if (direction === "outgoing" && jsonrpcId != null && method) {
+        session.pendingRequests.set(jsonrpcId, now);
+      } else if (direction === "incoming" && jsonrpcId != null) {
+        const sentAt = session.pendingRequests.get(jsonrpcId);
+        if (sentAt !== void 0) {
+          entry.roundTripMs = now - sentAt;
+          session.pendingRequests.delete(jsonrpcId);
+        }
+      }
+      if (session.protocolLog.length >= MAX_LOG_ENTRIES) {
+        session.protocolLog.shift();
+      }
+      session.protocolLog.push(entry);
+      if (wsHandler) {
+        wsHandler.broadcast(`inspect:${sessionId}`, "protocol-message", entry);
+      }
+    };
+    const client = new MCPClient2({ serverConfig: config, processManager, onProtocolMessage });
+    session.client = client;
+    try {
+      await client.connect();
+      sessions.set(sessionId, session);
+      return c.json({ data: { sessionId, connected: true } });
+    } catch (err) {
+      await processManager.shutdownAll();
+      const message = err instanceof Error ? err.message : "Connection failed";
+      return c.json({ error: "connection_error", message }, 500);
+    }
+  });
+  app.post("/api/inspect/tools", async (c) => {
+    const body = await c.req.json();
+    const sessionId = body?.sessionId;
+    if (!sessionId) {
+      return c.json({ error: "validation_error", message: "sessionId is required" }, 400);
+    }
+    const session = sessions.get(sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    session.lastUsed = Date.now();
+    try {
+      const tools = await session.client.listTools();
+      return c.json({ data: tools });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to list tools";
+      return c.json({ error: "tool_error", message }, 500);
+    }
+  });
+  app.post("/api/inspect/call", async (c) => {
+    const body = await c.req.json();
+    const parsed = inspectCallSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const session = sessions.get(parsed.data.sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    session.lastUsed = Date.now();
+    try {
+      const result = await session.client.callTool(parsed.data.tool, parsed.data.input ?? {});
+      return c.json({ data: result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Tool call failed";
+      return c.json({ error: "tool_error", message }, 500);
+    }
+  });
+  app.post("/api/inspect/resources", async (c) => {
+    const body = await c.req.json();
+    const sessionId = body?.sessionId;
+    if (!sessionId) {
+      return c.json({ error: "validation_error", message: "sessionId is required" }, 400);
+    }
+    const session = sessions.get(sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    session.lastUsed = Date.now();
+    try {
+      const resources = await session.client.listResources();
+      return c.json({ data: resources });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to list resources";
+      return c.json({ error: "resource_error", message }, 500);
+    }
+  });
+  app.post("/api/inspect/messages", async (c) => {
+    const body = await c.req.json();
+    const sessionId = body?.sessionId;
+    if (!sessionId) {
+      return c.json({ error: "validation_error", message: "sessionId is required" }, 400);
+    }
+    const session = sessions.get(sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    session.lastUsed = Date.now();
+    const after = typeof body.after === "number" ? body.after : void 0;
+    let entries = session.protocolLog;
+    if (after !== void 0) {
+      entries = entries.filter((e) => e.timestamp > after);
+    }
+    return c.json({ data: entries, total: session.protocolLog.length });
+  });
+  app.post("/api/inspect/disconnect", async (c) => {
+    const body = await c.req.json();
+    const sessionId = body?.sessionId;
+    if (!sessionId) {
+      return c.json({ error: "validation_error", message: "sessionId is required" }, 400);
+    }
+    const session = sessions.get(sessionId);
+    if (!session) {
+      return c.json({ data: { disconnected: true } });
+    }
+    try {
+      await session.client.disconnect();
+      await session.processManager.shutdownAll();
+    } catch {
+    }
+    sessions.delete(sessionId);
+    return c.json({ data: { disconnected: true } });
+  });
+}
+
+// src/routes/audit.ts
+import { auditStartSchema } from "@mcpspec/shared";
+import { MCPClient as MCPClient3, ProcessManagerImpl as ProcessManagerImpl3, SecurityScanner, ScanConfig } from "@mcpspec/core";
+import { randomUUID as randomUUID2 } from "crypto";
+var sessions2 = /* @__PURE__ */ new Map();
+var SESSION_TIMEOUT_MS2 = 10 * 60 * 1e3;
+setInterval(() => {
+  const now = Date.now();
+  for (const [id, session] of sessions2) {
+    if (now - session.lastUsed > SESSION_TIMEOUT_MS2) {
+      session.client.disconnect().catch(() => {
+      });
+      session.processManager.shutdownAll().catch(() => {
+      });
+      sessions2.delete(id);
+    }
+  }
+}, 6e4);
+function auditRoutes(app, wsHandler) {
+  app.post("/api/audit/start", async (c) => {
+    const body = await c.req.json();
+    const parsed = auditStartSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const sessionId = randomUUID2();
+    const processManager = new ProcessManagerImpl3();
+    const config = {
+      transport: parsed.data.transport,
+      command: parsed.data.command,
+      args: parsed.data.args,
+      url: parsed.data.url,
+      env: parsed.data.env
+    };
+    const scanConfig = new ScanConfig({
+      mode: parsed.data.mode,
+      rules: parsed.data.rules,
+      acknowledgeRisk: true
+      // UI handles confirmation client-side
+    });
+    const session = {
+      client: null,
+      processManager,
+      status: "connecting",
+      progress: { completedRules: 0, totalRules: scanConfig.rules.length, findingsCount: 0 },
+      lastUsed: Date.now()
+    };
+    const client = new MCPClient3({ serverConfig: config, processManager });
+    session.client = client;
+    sessions2.set(sessionId, session);
+    (async () => {
+      try {
+        await client.connect();
+        session.status = "scanning";
+        const scanner = new SecurityScanner();
+        const result = await scanner.scan(client, scanConfig, {
+          onRuleStart: (ruleId, ruleName) => {
+            session.progress.currentRule = ruleName;
+            session.lastUsed = Date.now();
+            wsHandler?.broadcast(`scan:${sessionId}`, "rule-start", { ruleId, ruleName });
+          },
+          onRuleComplete: (ruleId, findingsCount) => {
+            session.progress.completedRules++;
+            session.lastUsed = Date.now();
+            wsHandler?.broadcast(`scan:${sessionId}`, "rule-complete", { ruleId, findingsCount });
+          },
+          onFinding: (finding) => {
+            session.progress.findingsCount++;
+            session.lastUsed = Date.now();
+            wsHandler?.broadcast(`scan:${sessionId}`, "finding", { finding });
+          }
+        });
+        session.result = result;
+        session.status = "completed";
+        session.lastUsed = Date.now();
+        wsHandler?.broadcast(`scan:${sessionId}`, "completed", { summary: result.summary });
+      } catch (err) {
+        session.status = "error";
+        session.error = err instanceof Error ? err.message : "Scan failed";
+        session.lastUsed = Date.now();
+        wsHandler?.broadcast(`scan:${sessionId}`, "error", { message: session.error });
+      }
+    })();
+    return c.json({ data: { sessionId } });
+  });
+  app.get("/api/audit/status/:sessionId", (c) => {
+    const sessionId = c.req.param("sessionId");
+    const session = sessions2.get(sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    session.lastUsed = Date.now();
+    return c.json({
+      data: {
+        status: session.status,
+        progress: session.progress,
+        error: session.error,
+        result: session.status === "completed" ? session.result : void 0
+      }
+    });
+  });
+  app.get("/api/audit/result/:sessionId", (c) => {
+    const sessionId = c.req.param("sessionId");
+    const session = sessions2.get(sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    if (session.status !== "completed" || !session.result) {
+      return c.json({ error: "not_ready", message: "Scan not completed yet" }, 404);
+    }
+    session.lastUsed = Date.now();
+    return c.json({ data: session.result });
+  });
+  app.post("/api/audit/stop/:sessionId", async (c) => {
+    const sessionId = c.req.param("sessionId");
+    const session = sessions2.get(sessionId);
+    if (!session) {
+      return c.json({ data: { stopped: true } });
+    }
+    try {
+      await session.client.disconnect();
+      await session.processManager.shutdownAll();
+    } catch {
+    }
+    sessions2.delete(sessionId);
+    return c.json({ data: { stopped: true } });
+  });
+}
+
+// src/routes/benchmark.ts
+import { benchmarkStartSchema } from "@mcpspec/shared";
+import { MCPClient as MCPClient4, ProcessManagerImpl as ProcessManagerImpl4, BenchmarkRunner } from "@mcpspec/core";
+import { randomUUID as randomUUID3 } from "crypto";
+var sessions3 = /* @__PURE__ */ new Map();
+var SESSION_TIMEOUT_MS3 = 10 * 60 * 1e3;
+setInterval(() => {
+  const now = Date.now();
+  for (const [id, session] of sessions3) {
+    if (now - session.lastUsed > SESSION_TIMEOUT_MS3) {
+      session.client.disconnect().catch(() => {
+      });
+      session.processManager.shutdownAll().catch(() => {
+      });
+      sessions3.delete(id);
+    }
+  }
+}, 6e4);
+function benchmarkRoutes(app, wsHandler) {
+  app.post("/api/benchmark/start", async (c) => {
+    const body = await c.req.json();
+    const parsed = benchmarkStartSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const sessionId = randomUUID3();
+    const processManager = new ProcessManagerImpl4();
+    const config = {
+      transport: parsed.data.transport,
+      command: parsed.data.command,
+      args: parsed.data.args,
+      url: parsed.data.url,
+      env: parsed.data.env
+    };
+    const session = {
+      client: null,
+      processManager,
+      status: "connecting",
+      progress: { completedIterations: 0, totalIterations: parsed.data.iterations, phase: "warmup" },
+      lastUsed: Date.now()
+    };
+    const client = new MCPClient4({ serverConfig: config, processManager });
+    session.client = client;
+    sessions3.set(sessionId, session);
+    (async () => {
+      try {
+        await client.connect();
+        session.status = "running";
+        const runner = new BenchmarkRunner();
+        const result = await runner.run(
+          client,
+          parsed.data.tool,
+          parsed.data.toolArgs,
+          {
+            iterations: parsed.data.iterations,
+            warmupIterations: parsed.data.warmup,
+            timeout: parsed.data.timeout
+          },
+          {
+            onWarmupStart: () => {
+              session.progress.phase = "warmup";
+              session.lastUsed = Date.now();
+              wsHandler?.broadcast(`benchmark:${sessionId}`, "warmup-start", {});
+            },
+            onIterationComplete: (iteration, total, durationMs) => {
+              session.progress.phase = "measuring";
+              session.progress.completedIterations = iteration;
+              session.progress.totalIterations = total;
+              session.lastUsed = Date.now();
+              wsHandler?.broadcast(`benchmark:${sessionId}`, "iteration", {
+                iteration,
+                duration: durationMs,
+                success: true
+              });
+            },
+            onComplete: (benchResult) => {
+              session.result = benchResult;
+              session.status = "completed";
+              session.lastUsed = Date.now();
+              wsHandler?.broadcast(`benchmark:${sessionId}`, "completed", { result: benchResult });
+            }
+          }
+        );
+        if (session.status !== "completed") {
+          session.result = result;
+          session.status = "completed";
+          session.lastUsed = Date.now();
+        }
+      } catch (err) {
+        session.status = "error";
+        session.error = err instanceof Error ? err.message : "Benchmark failed";
+        session.lastUsed = Date.now();
+        wsHandler?.broadcast(`benchmark:${sessionId}`, "error", { message: session.error });
+      }
+    })();
+    return c.json({ data: { sessionId } });
+  });
+  app.get("/api/benchmark/status/:sessionId", (c) => {
+    const sessionId = c.req.param("sessionId");
+    const session = sessions3.get(sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    session.lastUsed = Date.now();
+    return c.json({
+      data: {
+        status: session.status,
+        progress: session.progress,
+        error: session.error,
+        result: session.status === "completed" ? session.result : void 0
+      }
+    });
+  });
+  app.get("/api/benchmark/result/:sessionId", (c) => {
+    const sessionId = c.req.param("sessionId");
+    const session = sessions3.get(sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    if (session.status !== "completed" || !session.result) {
+      return c.json({ error: "not_ready", message: "Benchmark not completed yet" }, 404);
+    }
+    session.lastUsed = Date.now();
+    return c.json({ data: session.result });
+  });
+  app.get("/api/benchmark/tools/:sessionId", async (c) => {
+    const sessionId = c.req.param("sessionId");
+    const session = sessions3.get(sessionId);
+    if (!session) {
+      return c.json({ error: "not_found", message: "Session not found or expired" }, 404);
+    }
+    session.lastUsed = Date.now();
+    try {
+      const tools = await session.client.listTools();
+      return c.json({ data: tools });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to list tools";
+      return c.json({ error: "tool_error", message }, 500);
+    }
+  });
+  app.post("/api/benchmark/stop/:sessionId", async (c) => {
+    const sessionId = c.req.param("sessionId");
+    const session = sessions3.get(sessionId);
+    if (!session) {
+      return c.json({ data: { stopped: true } });
+    }
+    try {
+      await session.client.disconnect();
+      await session.processManager.shutdownAll();
+    } catch {
+    }
+    sessions3.delete(sessionId);
+    return c.json({ data: { stopped: true } });
+  });
+}
+
+// src/routes/docs.ts
+import { docsGenerateSchema } from "@mcpspec/shared";
+import { MCPClient as MCPClient5, ProcessManagerImpl as ProcessManagerImpl5, DocGenerator } from "@mcpspec/core";
+function docsRoutes(app) {
+  app.post("/api/docs/generate", async (c) => {
+    const body = await c.req.json();
+    const parsed = docsGenerateSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const processManager = new ProcessManagerImpl5();
+    const config = {
+      transport: parsed.data.transport,
+      command: parsed.data.command,
+      args: parsed.data.args,
+      url: parsed.data.url,
+      env: parsed.data.env
+    };
+    const client = new MCPClient5({ serverConfig: config, processManager });
+    try {
+      await client.connect();
+      const generator = new DocGenerator();
+      const content = await generator.generate(client, {
+        format: parsed.data.format
+      });
+      await client.disconnect();
+      await processManager.shutdownAll();
+      return c.json({ data: { content, format: parsed.data.format } });
+    } catch (err) {
+      await client.disconnect().catch(() => {
+      });
+      await processManager.shutdownAll().catch(() => {
+      });
+      return c.json(
+        { error: "generation_error", message: err instanceof Error ? err.message : "Failed to generate docs" },
+        500
+      );
+    }
+  });
+}
+
+// src/routes/score.ts
+import { scoreCalculateSchema } from "@mcpspec/shared";
+import { MCPClient as MCPClient6, ProcessManagerImpl as ProcessManagerImpl6, MCPScoreCalculator, BadgeGenerator } from "@mcpspec/core";
+import { randomUUID as randomUUID4 } from "crypto";
+function scoreRoutes(app, wsHandler) {
+  app.post("/api/score/calculate", async (c) => {
+    const body = await c.req.json();
+    const parsed = scoreCalculateSchema.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "validation_error", message: parsed.error.message }, 400);
+    }
+    const sessionId = randomUUID4();
+    const processManager = new ProcessManagerImpl6();
+    const config = {
+      transport: parsed.data.transport,
+      command: parsed.data.command,
+      args: parsed.data.args,
+      url: parsed.data.url,
+      env: parsed.data.env
+    };
+    const client = new MCPClient6({ serverConfig: config, processManager });
+    try {
+      await client.connect();
+      const calculator = new MCPScoreCalculator();
+      const score = await calculator.calculate(client, {
+        onCategoryStart: (category) => {
+          wsHandler?.broadcast(`score:${sessionId}`, "category-start", { category });
+        },
+        onCategoryComplete: (category, categoryScore) => {
+          wsHandler?.broadcast(`score:${sessionId}`, "category-complete", { category, score: categoryScore });
+        }
+      });
+      await client.disconnect();
+      await processManager.shutdownAll();
+      return c.json({ data: { sessionId, score } });
+    } catch (err) {
+      await client.disconnect().catch(() => {
+      });
+      await processManager.shutdownAll().catch(() => {
+      });
+      return c.json(
+        { error: "score_error", message: err instanceof Error ? err.message : "Failed to calculate score" },
+        500
+      );
+    }
+  });
+  app.post("/api/score/badge", async (c) => {
+    const body = await c.req.json();
+    const score = body.score;
+    if (!score || typeof score.overall !== "number") {
+      return c.json({ error: "validation_error", message: "Invalid score object" }, 400);
+    }
+    const generator = new BadgeGenerator();
+    const svg = generator.generate(score);
+    return c.json({ data: { svg } });
+  });
+}
+
+// src/routes/index.ts
+function registerRoutes(app, db, wsHandler) {
+  serversRoutes(app, db);
+  collectionsRoutes(app, db);
+  runsRoutes(app, db);
+  inspectRoutes(app, wsHandler);
+  auditRoutes(app, wsHandler);
+  benchmarkRoutes(app, wsHandler);
+  docsRoutes(app);
+  scoreRoutes(app, wsHandler);
+}
+
+// src/app.ts
+import { readFileSync, existsSync } from "fs";
+import { join, extname } from "path";
+var MIME_TYPES = {
+  ".html": "text/html",
+  ".js": "application/javascript",
+  ".css": "text/css",
+  ".json": "application/json",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".svg": "image/svg+xml",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2"
+};
+function createApp(options) {
+  const app = new Hono();
+  app.use("*", localhostOnly());
+  app.use("*", cors({ origin: "*" }));
+  app.use("/api/*", authMiddleware());
+  registerRoutes(app, options.db, options.wsHandler);
+  if (options.uiDistPath) {
+    app.get("*", (c) => {
+      const urlPath = new URL(c.req.url).pathname;
+      const filePath = join(options.uiDistPath, urlPath === "/" ? "index.html" : urlPath);
+      if (existsSync(filePath) && !filePath.endsWith("/")) {
+        const ext = extname(filePath);
+        const mime = MIME_TYPES[ext] ?? "application/octet-stream";
+        const content = readFileSync(filePath);
+        return c.body(content, 200, { "Content-Type": mime });
+      }
+      const indexPath = join(options.uiDistPath, "index.html");
+      if (existsSync(indexPath)) {
+        const content = readFileSync(indexPath, "utf-8");
+        return c.html(content);
+      }
+      return c.json({ error: "not_found", message: "UI not found" }, 404);
+    });
+  }
+  return app;
+}
+
+// src/start.ts
+import { serve } from "@hono/node-server";
+
+// src/websocket.ts
+import { WebSocketServer, WebSocket } from "ws";
+var WebSocketHandler = class {
+  wss;
+  subscriptions = /* @__PURE__ */ new Map();
+  constructor() {
+    this.wss = new WebSocketServer({ noServer: true });
+    this.wss.on("connection", (ws) => this.onConnection(ws));
+  }
+  handleUpgrade(req, socket, head) {
+    this.wss.handleUpgrade(req, socket, head, (ws) => {
+      this.wss.emit("connection", ws, req);
+    });
+  }
+  onConnection(ws) {
+    this.subscriptions.set(ws, /* @__PURE__ */ new Set());
+    ws.on("message", (raw) => {
+      try {
+        const msg = JSON.parse(raw.toString());
+        this.handleMessage(ws, msg);
+      } catch {
+      }
+    });
+    ws.on("close", () => {
+      this.subscriptions.delete(ws);
+    });
+    ws.on("error", () => {
+      this.subscriptions.delete(ws);
+    });
+  }
+  handleMessage(ws, msg) {
+    switch (msg.type) {
+      case "subscribe": {
+        const channels = this.subscriptions.get(ws);
+        if (channels) {
+          channels.add(msg.channel);
+          this.send(ws, { type: "subscribed", channel: msg.channel });
+        }
+        break;
+      }
+      case "unsubscribe": {
+        const channels = this.subscriptions.get(ws);
+        if (channels) {
+          channels.delete(msg.channel);
+        }
+        break;
+      }
+      case "ping": {
+        this.send(ws, { type: "pong" });
+        break;
+      }
+    }
+  }
+  broadcast(channel, event, data) {
+    const message = { type: "event", channel, event, data };
+    const payload = JSON.stringify(message);
+    for (const [ws, channels] of this.subscriptions) {
+      if (channels.has(channel) && ws.readyState === WebSocket.OPEN) {
+        ws.send(payload);
+      }
+    }
+  }
+  send(ws, msg) {
+    if (ws.readyState === WebSocket.OPEN) {
+      ws.send(JSON.stringify(msg));
+    }
+  }
+  closeAll() {
+    for (const ws of this.subscriptions.keys()) {
+      ws.close();
+    }
+    this.subscriptions.clear();
+    this.wss.close();
+  }
+  get clientCount() {
+    return this.subscriptions.size;
+  }
+};
+
+// src/db/database.ts
+import initSqlJs from "sql.js";
+import { mkdirSync, readFileSync as readFileSync2, writeFileSync, existsSync as existsSync2 } from "fs";
+import { dirname } from "path";
+import { randomUUID as randomUUID5 } from "crypto";
+
+// src/db/migrations.ts
+var MIGRATIONS = [
+  {
+    version: 1,
+    up: [
+      `CREATE TABLE IF NOT EXISTS schema_version (
+        version INTEGER NOT NULL
+      )`,
+      `CREATE TABLE IF NOT EXISTS server_connections (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL,
+        transport TEXT NOT NULL DEFAULT 'stdio',
+        command TEXT,
+        args TEXT, -- JSON array
+        url TEXT,
+        env TEXT, -- JSON object
+        created_at TEXT NOT NULL DEFAULT (datetime('now')),
+        updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+      )`,
+      `CREATE TABLE IF NOT EXISTS collections (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL,
+        description TEXT,
+        yaml TEXT NOT NULL,
+        created_at TEXT NOT NULL DEFAULT (datetime('now')),
+        updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+      )`,
+      `CREATE TABLE IF NOT EXISTS test_runs (
+        id TEXT PRIMARY KEY,
+        collection_id TEXT,
+        collection_name TEXT NOT NULL,
+        server_id TEXT,
+        status TEXT NOT NULL DEFAULT 'running',
+        summary TEXT, -- JSON
+        results TEXT, -- JSON
+        started_at TEXT NOT NULL DEFAULT (datetime('now')),
+        completed_at TEXT,
+        duration INTEGER
+      )`,
+      `INSERT INTO schema_version (version) VALUES (1)`
+    ]
+  }
+];
+function getSchemaVersion(db) {
+  try {
+    const result = db.exec("SELECT version FROM schema_version ORDER BY version DESC LIMIT 1");
+    if (result.length > 0 && result[0].values.length > 0) {
+      return result[0].values[0][0];
+    }
+  } catch {
+  }
+  return 0;
+}
+function runMigrations(db) {
+  const currentVersion = getSchemaVersion(db);
+  for (const migration of MIGRATIONS) {
+    if (migration.version > currentVersion) {
+      for (const sql of migration.up) {
+        db.run(sql);
+      }
+    }
+  }
+}
+
+// src/db/database.ts
+var Database = class {
+  db;
+  dbPath;
+  constructor(dbPath) {
+    this.dbPath = dbPath ?? null;
+  }
+  async init() {
+    const SQL = await initSqlJs();
+    if (this.dbPath && existsSync2(this.dbPath)) {
+      const buffer = readFileSync2(this.dbPath);
+      this.db = new SQL.Database(buffer);
+    } else {
+      this.db = new SQL.Database();
+    }
+    this.db.run("PRAGMA journal_mode=WAL");
+    this.db.run("PRAGMA foreign_keys=ON");
+    runMigrations(this.db);
+    this.save();
+  }
+  save() {
+    if (!this.dbPath) return;
+    mkdirSync(dirname(this.dbPath), { recursive: true });
+    const data = this.db.export();
+    writeFileSync(this.dbPath, Buffer.from(data));
+  }
+  close() {
+    this.db.close();
+  }
+  // --- Server Connections ---
+  listServers() {
+    const stmt = this.db.prepare("SELECT * FROM server_connections ORDER BY updated_at DESC");
+    const rows = [];
+    while (stmt.step()) {
+      rows.push(this.rowToServer(stmt.getAsObject()));
+    }
+    stmt.free();
+    return rows;
+  }
+  getServer(id) {
+    const stmt = this.db.prepare("SELECT * FROM server_connections WHERE id = ?");
+    stmt.bind([id]);
+    if (!stmt.step()) {
+      stmt.free();
+      return null;
+    }
+    const row = this.rowToServer(stmt.getAsObject());
+    stmt.free();
+    return row;
+  }
+  createServer(data) {
+    const id = randomUUID5();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.run(
+      `INSERT INTO server_connections (id, name, transport, command, args, url, env, created_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+      [id, data.name, data.transport, data.command ?? null, data.args ? JSON.stringify(data.args) : null, data.url ?? null, data.env ? JSON.stringify(data.env) : null, now, now]
+    );
+    this.save();
+    return this.getServer(id);
+  }
+  updateServer(id, data) {
+    const existing = this.getServer(id);
+    if (!existing) return null;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.run(
+      `UPDATE server_connections SET name=?, transport=?, command=?, args=?, url=?, env=?, updated_at=? WHERE id=?`,
+      [
+        data.name ?? existing.name,
+        data.transport ?? existing.transport,
+        data.command !== void 0 ? data.command ?? null : existing.command ?? null,
+        data.args !== void 0 ? data.args ? JSON.stringify(data.args) : null : existing.args ? JSON.stringify(existing.args) : null,
+        data.url !== void 0 ? data.url ?? null : existing.url ?? null,
+        data.env !== void 0 ? data.env ? JSON.stringify(data.env) : null : existing.env ? JSON.stringify(existing.env) : null,
+        now,
+        id
+      ]
+    );
+    this.save();
+    return this.getServer(id);
+  }
+  deleteServer(id) {
+    const existing = this.getServer(id);
+    if (!existing) return false;
+    this.db.run("DELETE FROM server_connections WHERE id = ?", [id]);
+    this.save();
+    return true;
+  }
+  // --- Collections ---
+  listCollections() {
+    const stmt = this.db.prepare("SELECT * FROM collections ORDER BY updated_at DESC");
+    const rows = [];
+    while (stmt.step()) {
+      rows.push(this.rowToCollection(stmt.getAsObject()));
+    }
+    stmt.free();
+    return rows;
+  }
+  getCollection(id) {
+    const stmt = this.db.prepare("SELECT * FROM collections WHERE id = ?");
+    stmt.bind([id]);
+    if (!stmt.step()) {
+      stmt.free();
+      return null;
+    }
+    const row = this.rowToCollection(stmt.getAsObject());
+    stmt.free();
+    return row;
+  }
+  createCollection(data) {
+    const id = randomUUID5();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.run(
+      `INSERT INTO collections (id, name, description, yaml, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)`,
+      [id, data.name, data.description ?? null, data.yaml, now, now]
+    );
+    this.save();
+    return this.getCollection(id);
+  }
+  updateCollection(id, data) {
+    const existing = this.getCollection(id);
+    if (!existing) return null;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.run(
+      `UPDATE collections SET name=?, description=?, yaml=?, updated_at=? WHERE id=?`,
+      [
+        data.name ?? existing.name,
+        data.description !== void 0 ? data.description ?? null : existing.description ?? null,
+        data.yaml ?? existing.yaml,
+        now,
+        id
+      ]
+    );
+    this.save();
+    return this.getCollection(id);
+  }
+  deleteCollection(id) {
+    const existing = this.getCollection(id);
+    if (!existing) return false;
+    this.db.run("DELETE FROM collections WHERE id = ?", [id]);
+    this.save();
+    return true;
+  }
+  // --- Test Runs ---
+  listRuns(limit = 50) {
+    const stmt = this.db.prepare("SELECT * FROM test_runs ORDER BY started_at DESC LIMIT ?");
+    stmt.bind([limit]);
+    const rows = [];
+    while (stmt.step()) {
+      rows.push(this.rowToRun(stmt.getAsObject()));
+    }
+    stmt.free();
+    return rows;
+  }
+  getRun(id) {
+    const stmt = this.db.prepare("SELECT * FROM test_runs WHERE id = ?");
+    stmt.bind([id]);
+    if (!stmt.step()) {
+      stmt.free();
+      return null;
+    }
+    const row = this.rowToRun(stmt.getAsObject());
+    stmt.free();
+    return row;
+  }
+  createRun(data) {
+    const id = randomUUID5();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.run(
+      `INSERT INTO test_runs (id, collection_id, collection_name, server_id, status, started_at) VALUES (?, ?, ?, ?, 'running', ?)`,
+      [id, data.collectionId ?? null, data.collectionName, data.serverId ?? null, now]
+    );
+    this.save();
+    return this.getRun(id);
+  }
+  updateRun(id, data) {
+    const existing = this.getRun(id);
+    if (!existing) return null;
+    this.db.run(
+      `UPDATE test_runs SET status=?, summary=?, results=?, completed_at=?, duration=? WHERE id=?`,
+      [
+        data.status ?? existing.status,
+        data.summary ? JSON.stringify(data.summary) : existing.summary ? JSON.stringify(existing.summary) : null,
+        data.results ? JSON.stringify(data.results) : existing.results ? JSON.stringify(existing.results) : null,
+        data.completedAt ?? existing.completedAt ?? null,
+        data.duration ?? existing.duration ?? null,
+        id
+      ]
+    );
+    this.save();
+    return this.getRun(id);
+  }
+  deleteRun(id) {
+    const existing = this.getRun(id);
+    if (!existing) return false;
+    this.db.run("DELETE FROM test_runs WHERE id = ?", [id]);
+    this.save();
+    return true;
+  }
+  // --- Row mappers ---
+  rowToServer(row) {
+    return {
+      id: row["id"],
+      name: row["name"],
+      transport: row["transport"],
+      command: row["command"] || void 0,
+      args: row["args"] ? JSON.parse(row["args"]) : void 0,
+      url: row["url"] || void 0,
+      env: row["env"] ? JSON.parse(row["env"]) : void 0,
+      createdAt: row["created_at"],
+      updatedAt: row["updated_at"]
+    };
+  }
+  rowToCollection(row) {
+    return {
+      id: row["id"],
+      name: row["name"],
+      description: row["description"] || void 0,
+      yaml: row["yaml"],
+      createdAt: row["created_at"],
+      updatedAt: row["updated_at"]
+    };
+  }
+  rowToRun(row) {
+    return {
+      id: row["id"],
+      collectionId: row["collection_id"] || void 0,
+      collectionName: row["collection_name"],
+      serverId: row["server_id"] || void 0,
+      status: row["status"],
+      summary: row["summary"] ? JSON.parse(row["summary"]) : void 0,
+      results: row["results"] ? JSON.parse(row["results"]) : void 0,
+      startedAt: row["started_at"],
+      completedAt: row["completed_at"] || void 0,
+      duration: row["duration"] || void 0
+    };
+  }
+};
+
+// src/start.ts
+import { getPlatformInfo } from "@mcpspec/core";
+import { join as join2 } from "path";
+async function startServer(options = {}) {
+  const port = options.port ?? 6274;
+  const host = options.host ?? "127.0.0.1";
+  const dbPath = options.dbPath ?? join2(getPlatformInfo().dataDir, "mcpspec.db");
+  const db = new Database(dbPath);
+  await db.init();
+  const wsHandler = new WebSocketHandler();
+  const app = createApp({ db, uiDistPath: options.uiDistPath, wsHandler });
+  const server = serve({ fetch: app.fetch, port, hostname: host }, (info) => {
+    console.log(`MCPSpec server running at http://${host}:${info.port}`);
+  });
+  server.on("upgrade", (req, socket, head) => {
+    if (req.url === "/ws") {
+      wsHandler.handleUpgrade(req, socket, head);
+    } else {
+      socket.destroy();
+    }
+  });
+  return {
+    port,
+    host,
+    app,
+    db,
+    wsHandler,
+    close: () => {
+      wsHandler.closeAll();
+      db.close();
+      server.close();
+    }
+  };
+}
+
+// src/index.ts
+var __serverDir = dirname2(fileURLToPath(import.meta.url));
+var UI_DIST_PATH = join3(__serverDir, "..", "ui-dist");
+export {
+  Database,
+  UI_DIST_PATH,
+  WebSocketHandler,
+  createApp,
+  startServer
+};