@yawlabs/mcp-compliance 0.1.1 → 0.1.2

package/README.md

@@ -27,8 +27,23 @@ mcp-compliance test https://my-server.com/mcp --format json
 
 # Strict mode — exits with code 1 on required test failure (for CI)
 mcp-compliance test https://my-server.com/mcp --strict
+
+# With authentication
+mcp-compliance test https://my-server.com/mcp --auth "Bearer tok123"
+
+# Custom headers (repeatable)
+mcp-compliance test https://my-server.com/mcp -H "Authorization: Bearer tok123" -H "X-Api-Key: abc"
 ```
 
+### Options
+
+| Option | Description |
+|--------|-------------|
+| `--format <format>` | Output format: `terminal` or `json` (default: `terminal`) |
+| `--strict` | Exit with code 1 on any required test failure (for CI) |
+| `-H, --header <header>` | Add header to all requests, format `"Key: Value"` (repeatable) |
+| `--auth <token>` | Shorthand for `-H "Authorization: <token>"` |
+
 ### Get badge markdown
 
 ```bash
@@ -119,13 +134,15 @@ Add to your Claude Code MCP config:
   "mcpServers": {
     "mcp-compliance": {
       "command": "npx",
-      "args": ["@yawlabs/mcp-compliance-server"]
+      "args": ["-y", "@yawlabs/mcp-compliance"],
+      "env": {},
+      "args_extra": ["mcp"]
     }
   }
 }
 ```
 
-Or if installed globally:
+Or run the MCP server directly:
 
 ```json
 {

package/dist/{chunk-4AQGMM2X.js → chunk-OOJ4PMF7.js}

@@ -44,8 +44,7 @@ function generateBadge(url) {
   } catch {
     parsed = new URL("https://unknown");
   }
-  const hostname = parsed.hostname;
-  const encoded = encodeURIComponent(hostname);
+  const encoded = encodeURIComponent(parsed.href);
   const imageUrl = `https://mcp.hosting/api/compliance/${encoded}/badge`;
   const reportUrl = `https://mcp.hosting/compliance/${encoded}`;
   return {
@@ -91,8 +90,26 @@ function createIdCounter() {
   let id = 0;
   return () => ++id;
 }
+function parseSSEResponse(text) {
+  const lines = text.split("\n");
+  let lastJsonRpcResponse = null;
+  for (const line of lines) {
+    if (line.startsWith("data: ")) {
+      const data = line.slice(6).trim();
+      if (!data) continue;
+      try {
+        const parsed = JSON.parse(data);
+        if (parsed.jsonrpc === "2.0" && parsed.id !== void 0) {
+          lastJsonRpcResponse = parsed;
+        }
+      } catch {
+      }
+    }
+  }
+  return lastJsonRpcResponse;
+}
 var _defaultNextId = createIdCounter();
-async function mcpRequest(backendUrl, method, params, nextId = _defaultNextId) {
+async function mcpRequest(backendUrl, method, params, nextId = _defaultNextId, extraHeaders) {
   const id = nextId();
   const body = JSON.stringify({
     jsonrpc: "2.0",
@@ -100,12 +117,14 @@ async function mcpRequest(backendUrl, method, params, nextId = _defaultNextId) {
     method,
     params: params || {}
   });
+  const headers = {
+    "Content-Type": "application/json",
+    "Accept": "application/json, text/event-stream",
+    ...extraHeaders
+  };
   const res = await request(backendUrl, {
     method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "Accept": "application/json, text/event-stream"
-    },
+    headers,
     body,
     signal: AbortSignal.timeout(15e3)
   });
@@ -114,16 +133,32 @@ async function mcpRequest(backendUrl, method, params, nextId = _defaultNextId) {
   for (const [k, v] of Object.entries(res.headers)) {
     if (typeof v === "string") responseHeaders[k] = v;
   }
+  const contentType = (responseHeaders["content-type"] || "").toLowerCase();
+  if (contentType.includes("text/event-stream")) {
+    const parsed = parseSSEResponse(text);
+    if (parsed) {
+      return { statusCode: res.statusCode, body: parsed, headers: responseHeaders };
+    }
+    try {
+      return { statusCode: res.statusCode, body: JSON.parse(text), headers: responseHeaders };
+    } catch {
+      return { statusCode: res.statusCode, body: { _raw: text }, headers: responseHeaders };
+    }
+  }
   try {
     return { statusCode: res.statusCode, body: JSON.parse(text), headers: responseHeaders };
   } catch {
     return { statusCode: res.statusCode, body: { _raw: text }, headers: responseHeaders };
   }
 }
-async function mcpNotification(backendUrl, method, params) {
+async function mcpNotification(backendUrl, method, params, extraHeaders) {
+  const headers = {
+    "Content-Type": "application/json",
+    ...extraHeaders
+  };
   await request(backendUrl, {
     method: "POST",
-    headers: { "Content-Type": "application/json" },
+    headers,
     body: JSON.stringify({ jsonrpc: "2.0", method, ...params ? { params } : {} }),
     signal: AbortSignal.timeout(5e3)
   }).then((r) => r.body.text()).catch(() => {
@@ -143,7 +178,16 @@ async function runComplianceSuite(url, options = {}) {
   const backendUrl = url;
   const tests = [];
   const nextId = createIdCounter();
-  const rpc = (method, params) => mcpRequest(backendUrl, method, params, nextId);
+  let sessionId = null;
+  let negotiatedProtocolVersion = null;
+  const userHeaders = options.headers || {};
+  function buildHeaders() {
+    const h = { ...userHeaders };
+    if (sessionId) h["mcp-session-id"] = sessionId;
+    if (negotiatedProtocolVersion) h["mcp-protocol-version"] = negotiatedProtocolVersion;
+    return h;
+  }
+  const rpc = (method, params) => mcpRequest(backendUrl, method, params, nextId, buildHeaders());
   let serverInfo = {
     protocolVersion: null,
     name: null,
@@ -186,7 +230,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("transport-post", "HTTP POST accepted", "transport", true, "basic/transports#streamable-http", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream" },
+      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...userHeaders },
       body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "ping" }),
       signal: AbortSignal.timeout(1e4)
     });
@@ -198,7 +242,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("transport-content-type", "Responds with JSON or SSE", "transport", true, "basic/transports#streamable-http", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream" },
+      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...userHeaders },
       body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "ping" }),
       signal: AbortSignal.timeout(1e4)
     });
@@ -221,6 +265,9 @@ async function runComplianceSuite(url, options = {}) {
     serverInfo.name = result.serverInfo?.name || null;
     serverInfo.version = result.serverInfo?.version || null;
     serverInfo.capabilities = result.capabilities || {};
+    const sid = initRes.headers["mcp-session-id"];
+    if (sid) sessionId = sid;
+    if (result.protocolVersion) negotiatedProtocolVersion = result.protocolVersion;
     return { passed: !!result.protocolVersion, details: `Protocol: ${result.protocolVersion || "missing"}` };
   });
   await test("lifecycle-proto-version", "Returns valid protocol version", "lifecycle", true, "basic/lifecycle#version-negotiation", async () => {
@@ -244,7 +291,7 @@ async function runComplianceSuite(url, options = {}) {
     const valid = body?.jsonrpc === "2.0" && body?.id !== void 0 && (body?.result !== void 0 || body?.error !== void 0);
     return { passed: valid, details: valid ? "Valid JSON-RPC 2.0 response" : `Missing fields: jsonrpc=${body?.jsonrpc}, id=${body?.id}` };
   });
-  await mcpNotification(backendUrl, "notifications/initialized");
+  await mcpNotification(backendUrl, "notifications/initialized", void 0, buildHeaders());
   await test("lifecycle-ping", "Responds to ping", "lifecycle", true, "basic/utilities#ping", async () => {
     const res = await rpc("ping");
     const body = res.body;
@@ -253,17 +300,18 @@ async function runComplianceSuite(url, options = {}) {
     return { passed: false, details: "No result in ping response" };
   });
   const hasTools = !!serverInfo.capabilities.tools;
+  let cachedToolsList = null;
   await test("tools-list", "tools/list returns valid response", "tools", hasTools, "server/tools#listing-tools", async () => {
     const res = await rpc("tools/list");
     const tools = res.body?.result?.tools;
     if (!Array.isArray(tools)) return { passed: false, details: "No tools array in result" };
+    cachedToolsList = tools;
     toolCount = tools.length;
     toolNames = tools.map((t) => t.name).filter(Boolean);
     return { passed: true, details: `${toolCount} tool(s): ${toolNames.slice(0, 5).join(", ")}${toolCount > 5 ? "..." : ""}` };
   });
   await test("tools-schema", "All tools have name and inputSchema", "schema", hasTools, "server/tools#data-types", async () => {
-    const res = await rpc("tools/list");
-    const tools = res.body?.result?.tools || [];
+    const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
     const issues = [];
     const warnings = [];
     for (const tool of tools) {
@@ -319,16 +367,17 @@ async function runComplianceSuite(url, options = {}) {
   }
   const hasResources = !!serverInfo.capabilities.resources;
   if (hasResources) {
+    let cachedResourcesList = null;
     await test("resources-list", "resources/list returns valid response", "resources", true, "server/resources#listing-resources", async () => {
       const res = await rpc("resources/list");
       const resources = res.body?.result?.resources;
       if (!Array.isArray(resources)) return { passed: false, details: "No resources array" };
+      cachedResourcesList = resources;
       resourceCount = resources.length;
       return { passed: true, details: `${resourceCount} resource(s)` };
     });
     await test("resources-schema", "Resources have uri and name", "schema", true, "server/resources#data-types", async () => {
-      const res = await rpc("resources/list");
-      const resources = res.body?.result?.resources || [];
+      const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
       const issues = [];
       for (const r of resources) {
         if (!r.uri) issues.push("Resource missing uri");
@@ -381,17 +430,18 @@ async function runComplianceSuite(url, options = {}) {
   const hasPrompts = !!serverInfo.capabilities.prompts;
   if (hasPrompts) {
     let promptNames = [];
+    let cachedPromptsList = null;
     await test("prompts-list", "prompts/list returns valid response", "prompts", true, "server/prompts#listing-prompts", async () => {
       const res = await rpc("prompts/list");
       const prompts = res.body?.result?.prompts;
       if (!Array.isArray(prompts)) return { passed: false, details: "No prompts array" };
+      cachedPromptsList = prompts;
       promptCount = prompts.length;
       promptNames = prompts.map((p) => p.name).filter(Boolean);
       return { passed: true, details: `${promptCount} prompt(s): ${promptNames.slice(0, 5).join(", ")}${promptCount > 5 ? "..." : ""}` };
     });
     await test("prompts-schema", "Prompts have name field", "schema", true, "server/prompts#data-types", async () => {
-      const res = await rpc("prompts/list");
-      const prompts = res.body?.result?.prompts || [];
+      const prompts = cachedPromptsList ?? (await rpc("prompts/list")).body?.result?.prompts ?? [];
       const issues = [];
       for (const p of prompts) {
         if (!p.name) issues.push("Prompt missing name");
@@ -440,7 +490,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("error-invalid-jsonrpc", "Handles malformed JSON-RPC", "errors", true, "basic", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", ...buildHeaders() },
       body: JSON.stringify({ not: "a valid jsonrpc message" }),
       signal: AbortSignal.timeout(1e4)
     });
@@ -459,7 +509,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("error-invalid-json", "Handles invalid JSON body", "errors", false, "basic", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", ...buildHeaders() },
       body: "{this is not valid json!!!",
       signal: AbortSignal.timeout(1e4)
     });

package/dist/index.js

@@ -3,6 +3,7 @@
 // src/index.ts
 import { Command } from "commander";
 import chalk2 from "chalk";
+import { createRequire } from "module";
 
 // src/runner.ts
 import { request } from "undici";
@@ -50,8 +51,7 @@ function generateBadge(url) {
   } catch {
     parsed = new URL("https://unknown");
   }
-  const hostname = parsed.hostname;
-  const encoded = encodeURIComponent(hostname);
+  const encoded = encodeURIComponent(parsed.href);
   const imageUrl = `https://mcp.hosting/api/compliance/${encoded}/badge`;
   const reportUrl = `https://mcp.hosting/compliance/${encoded}`;
   return {
@@ -69,8 +69,26 @@ function createIdCounter() {
   let id = 0;
   return () => ++id;
 }
+function parseSSEResponse(text) {
+  const lines = text.split("\n");
+  let lastJsonRpcResponse = null;
+  for (const line of lines) {
+    if (line.startsWith("data: ")) {
+      const data = line.slice(6).trim();
+      if (!data) continue;
+      try {
+        const parsed = JSON.parse(data);
+        if (parsed.jsonrpc === "2.0" && parsed.id !== void 0) {
+          lastJsonRpcResponse = parsed;
+        }
+      } catch {
+      }
+    }
+  }
+  return lastJsonRpcResponse;
+}
 var _defaultNextId = createIdCounter();
-async function mcpRequest(backendUrl, method, params, nextId = _defaultNextId) {
+async function mcpRequest(backendUrl, method, params, nextId = _defaultNextId, extraHeaders) {
   const id = nextId();
   const body = JSON.stringify({
     jsonrpc: "2.0",
@@ -78,12 +96,14 @@ async function mcpRequest(backendUrl, method, params, nextId = _defaultNextId) {
     method,
     params: params || {}
   });
+  const headers = {
+    "Content-Type": "application/json",
+    "Accept": "application/json, text/event-stream",
+    ...extraHeaders
+  };
   const res = await request(backendUrl, {
     method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "Accept": "application/json, text/event-stream"
-    },
+    headers,
     body,
     signal: AbortSignal.timeout(15e3)
   });
@@ -92,16 +112,32 @@ async function mcpRequest(backendUrl, method, params, nextId = _defaultNextId) {
   for (const [k, v] of Object.entries(res.headers)) {
     if (typeof v === "string") responseHeaders[k] = v;
   }
+  const contentType = (responseHeaders["content-type"] || "").toLowerCase();
+  if (contentType.includes("text/event-stream")) {
+    const parsed = parseSSEResponse(text);
+    if (parsed) {
+      return { statusCode: res.statusCode, body: parsed, headers: responseHeaders };
+    }
+    try {
+      return { statusCode: res.statusCode, body: JSON.parse(text), headers: responseHeaders };
+    } catch {
+      return { statusCode: res.statusCode, body: { _raw: text }, headers: responseHeaders };
+    }
+  }
   try {
     return { statusCode: res.statusCode, body: JSON.parse(text), headers: responseHeaders };
   } catch {
     return { statusCode: res.statusCode, body: { _raw: text }, headers: responseHeaders };
   }
 }
-async function mcpNotification(backendUrl, method, params) {
+async function mcpNotification(backendUrl, method, params, extraHeaders) {
+  const headers = {
+    "Content-Type": "application/json",
+    ...extraHeaders
+  };
   await request(backendUrl, {
     method: "POST",
-    headers: { "Content-Type": "application/json" },
+    headers,
     body: JSON.stringify({ jsonrpc: "2.0", method, ...params ? { params } : {} }),
     signal: AbortSignal.timeout(5e3)
   }).then((r) => r.body.text()).catch(() => {
@@ -121,7 +157,16 @@ async function runComplianceSuite(url, options = {}) {
   const backendUrl = url;
   const tests = [];
   const nextId = createIdCounter();
-  const rpc = (method, params) => mcpRequest(backendUrl, method, params, nextId);
+  let sessionId = null;
+  let negotiatedProtocolVersion = null;
+  const userHeaders = options.headers || {};
+  function buildHeaders() {
+    const h = { ...userHeaders };
+    if (sessionId) h["mcp-session-id"] = sessionId;
+    if (negotiatedProtocolVersion) h["mcp-protocol-version"] = negotiatedProtocolVersion;
+    return h;
+  }
+  const rpc = (method, params) => mcpRequest(backendUrl, method, params, nextId, buildHeaders());
   let serverInfo = {
     protocolVersion: null,
     name: null,
@@ -164,7 +209,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("transport-post", "HTTP POST accepted", "transport", true, "basic/transports#streamable-http", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream" },
+      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...userHeaders },
       body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "ping" }),
       signal: AbortSignal.timeout(1e4)
     });
@@ -176,7 +221,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("transport-content-type", "Responds with JSON or SSE", "transport", true, "basic/transports#streamable-http", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream" },
+      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...userHeaders },
       body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "ping" }),
       signal: AbortSignal.timeout(1e4)
     });
@@ -199,13 +244,16 @@ async function runComplianceSuite(url, options = {}) {
     serverInfo.name = result.serverInfo?.name || null;
     serverInfo.version = result.serverInfo?.version || null;
     serverInfo.capabilities = result.capabilities || {};
+    const sid = initRes.headers["mcp-session-id"];
+    if (sid) sessionId = sid;
+    if (result.protocolVersion) negotiatedProtocolVersion = result.protocolVersion;
     return { passed: !!result.protocolVersion, details: `Protocol: ${result.protocolVersion || "missing"}` };
   });
   await test("lifecycle-proto-version", "Returns valid protocol version", "lifecycle", true, "basic/lifecycle#version-negotiation", async () => {
-    const version = initRes?.body?.result?.protocolVersion;
-    if (!version) return { passed: false, details: "No protocolVersion" };
-    const valid = /^\d{4}-\d{2}-\d{2}$/.test(version);
-    return { passed: valid, details: `Version: ${version}` };
+    const version2 = initRes?.body?.result?.protocolVersion;
+    if (!version2) return { passed: false, details: "No protocolVersion" };
+    const valid = /^\d{4}-\d{2}-\d{2}$/.test(version2);
+    return { passed: valid, details: `Version: ${version2}` };
   });
   await test("lifecycle-server-info", "Includes serverInfo", "lifecycle", false, "basic/lifecycle#initialization", async () => {
     const info = initRes?.body?.result?.serverInfo;
@@ -222,7 +270,7 @@ async function runComplianceSuite(url, options = {}) {
     const valid = body?.jsonrpc === "2.0" && body?.id !== void 0 && (body?.result !== void 0 || body?.error !== void 0);
     return { passed: valid, details: valid ? "Valid JSON-RPC 2.0 response" : `Missing fields: jsonrpc=${body?.jsonrpc}, id=${body?.id}` };
   });
-  await mcpNotification(backendUrl, "notifications/initialized");
+  await mcpNotification(backendUrl, "notifications/initialized", void 0, buildHeaders());
   await test("lifecycle-ping", "Responds to ping", "lifecycle", true, "basic/utilities#ping", async () => {
     const res = await rpc("ping");
     const body = res.body;
@@ -231,17 +279,18 @@ async function runComplianceSuite(url, options = {}) {
     return { passed: false, details: "No result in ping response" };
   });
   const hasTools = !!serverInfo.capabilities.tools;
+  let cachedToolsList = null;
   await test("tools-list", "tools/list returns valid response", "tools", hasTools, "server/tools#listing-tools", async () => {
     const res = await rpc("tools/list");
     const tools = res.body?.result?.tools;
     if (!Array.isArray(tools)) return { passed: false, details: "No tools array in result" };
+    cachedToolsList = tools;
     toolCount = tools.length;
     toolNames = tools.map((t) => t.name).filter(Boolean);
     return { passed: true, details: `${toolCount} tool(s): ${toolNames.slice(0, 5).join(", ")}${toolCount > 5 ? "..." : ""}` };
   });
   await test("tools-schema", "All tools have name and inputSchema", "schema", hasTools, "server/tools#data-types", async () => {
-    const res = await rpc("tools/list");
-    const tools = res.body?.result?.tools || [];
+    const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
     const issues = [];
     const warnings = [];
     for (const tool of tools) {
@@ -297,16 +346,17 @@ async function runComplianceSuite(url, options = {}) {
   }
   const hasResources = !!serverInfo.capabilities.resources;
   if (hasResources) {
+    let cachedResourcesList = null;
     await test("resources-list", "resources/list returns valid response", "resources", true, "server/resources#listing-resources", async () => {
       const res = await rpc("resources/list");
       const resources = res.body?.result?.resources;
       if (!Array.isArray(resources)) return { passed: false, details: "No resources array" };
+      cachedResourcesList = resources;
       resourceCount = resources.length;
       return { passed: true, details: `${resourceCount} resource(s)` };
     });
     await test("resources-schema", "Resources have uri and name", "schema", true, "server/resources#data-types", async () => {
-      const res = await rpc("resources/list");
-      const resources = res.body?.result?.resources || [];
+      const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
       const issues = [];
       for (const r of resources) {
         if (!r.uri) issues.push("Resource missing uri");
@@ -359,17 +409,18 @@ async function runComplianceSuite(url, options = {}) {
   const hasPrompts = !!serverInfo.capabilities.prompts;
   if (hasPrompts) {
     let promptNames = [];
+    let cachedPromptsList = null;
     await test("prompts-list", "prompts/list returns valid response", "prompts", true, "server/prompts#listing-prompts", async () => {
       const res = await rpc("prompts/list");
       const prompts = res.body?.result?.prompts;
       if (!Array.isArray(prompts)) return { passed: false, details: "No prompts array" };
+      cachedPromptsList = prompts;
       promptCount = prompts.length;
       promptNames = prompts.map((p) => p.name).filter(Boolean);
       return { passed: true, details: `${promptCount} prompt(s): ${promptNames.slice(0, 5).join(", ")}${promptCount > 5 ? "..." : ""}` };
     });
     await test("prompts-schema", "Prompts have name field", "schema", true, "server/prompts#data-types", async () => {
-      const res = await rpc("prompts/list");
-      const prompts = res.body?.result?.prompts || [];
+      const prompts = cachedPromptsList ?? (await rpc("prompts/list")).body?.result?.prompts ?? [];
       const issues = [];
       for (const p of prompts) {
         if (!p.name) issues.push("Prompt missing name");
@@ -418,7 +469,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("error-invalid-jsonrpc", "Handles malformed JSON-RPC", "errors", true, "basic", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", ...buildHeaders() },
       body: JSON.stringify({ not: "a valid jsonrpc message" }),
       signal: AbortSignal.timeout(1e4)
     });
@@ -437,7 +488,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("error-invalid-json", "Handles invalid JSON body", "errors", false, "basic", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", ...buildHeaders() },
       body: "{this is not valid json!!!",
       signal: AbortSignal.timeout(1e4)
     });
@@ -578,16 +629,30 @@ function formatJson(report) {
 }
 
 // src/index.ts
+var require2 = createRequire(import.meta.url);
+var { version } = require2("../package.json");
+function parseHeaderArg(value, prev) {
+  const idx = value.indexOf(":");
+  if (idx === -1) {
+    throw new Error(`Invalid header format: "${value}" (expected "Key: Value")`);
+  }
+  const key = value.slice(0, idx).trim();
+  const val = value.slice(idx + 1).trim();
+  prev[key] = val;
+  return prev;
+}
 var program = new Command();
-program.name("mcp-compliance").description("Test MCP servers for spec compliance").version("0.1.0");
-program.command("test").description("Run the full compliance test suite against an MCP server").argument("<url>", "MCP server URL to test").option("--format <format>", "Output format: terminal or json", "terminal").option("--strict", "Exit with code 1 on any required test failure (for CI)").action(async (url, opts) => {
+program.name("mcp-compliance").description("Test MCP servers for spec compliance").version(version);
+program.command("test").description("Run the full compliance test suite against an MCP server").argument("<url>", "MCP server URL to test").option("--format <format>", "Output format: terminal or json", "terminal").option("--strict", "Exit with code 1 on any required test failure (for CI)").option("-H, --header <header>", 'Add header to all requests (format: "Key: Value", repeatable)', parseHeaderArg, {}).option("--auth <token>", 'Shorthand for -H "Authorization: <token>"').action(async (url, opts) => {
   try {
+    const headers = { ...opts.header };
+    if (opts.auth) headers["Authorization"] = opts.auth;
     if (opts.format === "terminal") {
       console.log(chalk2.dim(`
 Testing ${url}...
 `));
     }
-    const report = await runComplianceSuite(url);
+    const report = await runComplianceSuite(url, { headers });
     if (opts.format === "json") {
       console.log(formatJson(report));
     } else {
@@ -607,12 +672,14 @@ Error: ${err.message}
     process.exit(1);
   }
 });
-program.command("badge").description("Run tests and output just the badge markdown embed code").argument("<url>", "MCP server URL to test").action(async (url) => {
+program.command("badge").description("Run tests and output just the badge markdown embed code").argument("<url>", "MCP server URL to test").option("-H, --header <header>", 'Add header to all requests (format: "Key: Value", repeatable)', parseHeaderArg, {}).option("--auth <token>", 'Shorthand for -H "Authorization: <token>"').action(async (url, opts) => {
   try {
+    const headers = { ...opts.header };
+    if (opts.auth) headers["Authorization"] = opts.auth;
     console.log(chalk2.dim(`
 Testing ${url}...
 `));
-    const report = await runComplianceSuite(url);
+    const report = await runComplianceSuite(url, { headers });
     console.log(`Grade: ${report.grade} (${report.score}%)
 `);
     console.log(report.badge.markdown);

package/dist/mcp/server.js

@@ -1,15 +1,18 @@
 import {
   TEST_DEFINITIONS,
   runComplianceSuite
-} from "../chunk-4AQGMM2X.js";
+} from "../chunk-OOJ4PMF7.js";
 
 // src/mcp/server.ts
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
+import { createRequire } from "module";
+var require2 = createRequire(import.meta.url);
+var { version } = require2("../../package.json");
 var server = new McpServer({
   name: "mcp-compliance",
-  version: "0.1.0"
+  version
 });
 server.tool(
   "mcp_compliance_test",

package/dist/runner.d.ts

@@ -90,6 +90,8 @@ declare function generateBadge(url: string): {
 interface RunOptions {
     /** Optional callback for progress updates */
     onProgress?: (testId: string, passed: boolean, details: string) => void;
+    /** Extra headers to include on all requests */
+    headers?: Record<string, string>;
 }
 /**
  * Run the full MCP compliance test suite against a URL.

package/dist/runner.js

@@ -4,7 +4,7 @@ import {
   computeScore,
   generateBadge,
   runComplianceSuite
-} from "./chunk-4AQGMM2X.js";
+} from "./chunk-OOJ4PMF7.js";
 export {
   TEST_DEFINITIONS,
   computeGrade,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
   "author": "Yaw Labs (https://yaw.sh)",