@yawlabs/mcp-compliance 0.10.1 → 0.12.0

package/README.md

@@ -5,7 +5,7 @@
 [![GitHub stars](https://img.shields.io/github/stars/YawLabs/mcp-compliance)](https://github.com/YawLabs/mcp-compliance/stargazers)
 [![CI](https://github.com/YawLabs/mcp-compliance/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/mcp-compliance/actions/workflows/ci.yml)
 
-**Test any MCP server for spec compliance.** 85-test suite covering transport, lifecycle, tools, resources, prompts, error handling, schema validation, and security against the [MCP specification](https://modelcontextprotocol.io/specification/2025-11-25). Works against **HTTP endpoints** (`https://my-server.com/mcp`) and **stdio servers** (`npx @modelcontextprotocol/server-filesystem /tmp`) alike. CLI, MCP server, and programmatic API.
+**Test any MCP server for spec compliance.** 88-test suite covering transport, lifecycle, tools, resources, prompts, error handling, schema validation, and security against the [MCP specification](https://modelcontextprotocol.io/specification/2025-11-25). Works against **HTTP endpoints** (`https://my-server.com/mcp`) and **stdio servers** (`npx @modelcontextprotocol/server-filesystem /tmp`) alike. CLI, MCP server, and programmatic API.
 
 Built and maintained by [Yaw Labs](https://yaw.sh).
 
@@ -479,7 +479,7 @@ Restart your MCP client and approve the server when prompted.
 
 ### Tools
 
-- **mcp_compliance_test** — Run the full 85-test suite against a URL or stdio command. Supports auth, custom headers, env vars, timeout, retries, and category/test filtering. Returns grade, score, and detailed results.
+- **mcp_compliance_test** — Run the full 88-test suite against a URL or stdio command. Supports auth, custom headers, env vars, timeout, retries, and category/test filtering. Returns grade, score, and detailed results.
 - **mcp_compliance_badge** — Get the badge markdown/HTML for a server. Supports auth and custom headers.
 - **mcp_compliance_explain** — Explain what a specific test ID checks and why it matters.
 
@@ -540,8 +540,16 @@ Consumer guidance:
 
 The compliance testing methodology is published as an open specification:
 
-- **[MCP Compliance Testing Specification](./MCP_COMPLIANCE_SPEC.md)** — test execution model, scoring algorithm, all 84 test rules with pass/fail criteria (CC BY 4.0)
+- **[MCP Compliance Testing Specification](./MCP_COMPLIANCE_SPEC.md)** — test execution model, scoring algorithm, all 88 test rules with pass/fail criteria (CC BY 4.0)
 - **[Machine-readable rule catalog](./mcp-compliance-rules.json)** — JSON Schema-compliant catalog for programmatic consumption
+- **[Why `mcp-compliance`](./docs/WHY.md)** — the problem, existing alternatives, what this tool does differently
+- **[Fixing common failures](./docs/FIXES.md)** — recipes for the most frequent test failures with code snippets
+- **[Spec version migration policy](./docs/SPEC_VERSION_MIGRATION.md)** — how this tool evolves with MCP spec releases
+- **[mcp.hosting external API](./docs/EXT_API.md)** — public submit/retrieve/badge/delete endpoints used by `mcp-compliance badge` and any custom integrations
+- **[Enterprise tier (draft)](./docs/ENTERPRISE.md)** — paid tier structure for organizations with scheduled/private/audit-track compliance needs
+- **[Performance deep-dive](./docs/PERFORMANCE.md)** — why the suite is sequential and what parallel execution would cost
+- **[Spec PR drafts](./docs/spec-prs/)** — our proposed MCP spec clarifications for ambiguous cases we've hit
+- **[mcp.hosting integration spec](./docs/mcp-hosting-integration.md)** — the contract between this engine and the mcp.hosting platform: URL surfaces, data flow, storage model, badge API, leaderboard, router integration
 
 These are complementary to (not competing with) the [official MCP specification](https://modelcontextprotocol.io/specification/2025-11-25). The MCP spec defines what servers must do; this spec defines how to verify compliance.
 

package/dist/{chunk-7KISK3FS.js → chunk-M67VVIRO.js}

@@ -600,7 +600,8 @@ var TEST_DEFINITIONS = [
     required: true,
     specRef: "basic/utilities#ping",
     description: "Tests that the server responds to the ping method with an empty result object. This is a required utility method.",
-    recommendation: 'Implement a "ping" method handler that returns an empty result object {}. This is required by the MCP spec for keepalive and connectivity checking.'
+    recommendation: 'Implement a "ping" method handler that returns an empty result object {}. This is required by the MCP spec for keepalive and connectivity checking.',
+    parallelSafe: true
   },
   {
     id: "lifecycle-instructions",
@@ -609,7 +610,8 @@ var TEST_DEFINITIONS = [
     required: false,
     specRef: "basic/lifecycle#initialization",
     description: "If the server includes an instructions field in the initialize response, validates it is a string. Instructions provide guidance for how the client should interact with the server.",
-    recommendation: "If you include an instructions field in the initialize response, ensure it is a string. Remove the field or fix the type if it is not a string."
+    recommendation: "If you include an instructions field in the initialize response, ensure it is a string. Remove the field or fix the type if it is not a string.",
+    parallelSafe: true
   },
   {
     id: "lifecycle-id-match",
@@ -701,6 +703,36 @@ var TEST_DEFINITIONS = [
     description: "Sends a tools/call request with _meta.progressToken and checks if the server sends progress notifications via SSE. Progress support is optional but recommended for long-running operations.",
     recommendation: "When a request includes _meta.progressToken, send notifications/progress events via SSE to report progress. Include progressToken, progress (current), and optionally total fields."
   },
+  {
+    id: "lifecycle-sampling-capability",
+    name: "Sampling capability shape",
+    category: "lifecycle",
+    required: false,
+    specRef: "client/sampling",
+    description: "If the server's initialize response or serverInfo implies it uses client-side sampling (sampling/createMessage), verify the capability declaration shape. Currently this is an advisory shape check \u2014 actually exercising the server\u2192client flow requires a client-side sampling handler and is out of scope.",
+    recommendation: "Sampling is a client capability (the client provides LLM access to the server). Servers don't declare sampling in their own capabilities; they just call sampling/createMessage against clients that advertise it. No server-side action required.",
+    parallelSafe: true
+  },
+  {
+    id: "lifecycle-roots-capability",
+    name: "Roots capability shape",
+    category: "lifecycle",
+    required: false,
+    specRef: "client/roots",
+    description: "Roots (filesystem root paths) is a client capability. This test verifies that if a server sends roots/list requests, it handles gracefully when the client doesn't declare the roots capability (i.e., doesn't crash).",
+    recommendation: "Before calling roots/list, check if the initialized client capabilities include 'roots'. If not, skip the call \u2014 the client can't respond. Never assume roots is available; it's opt-in on the client side.",
+    parallelSafe: true
+  },
+  {
+    id: "lifecycle-elicitation-capability",
+    name: "Elicitation capability shape",
+    category: "lifecycle",
+    required: false,
+    specRef: "client/elicitation",
+    description: "Elicitation (asking the user for structured input mid-operation) is a client capability added in 2025-11-25. This test verifies servers that use elicitation/create handle the case where clients don't support it.",
+    recommendation: "Before calling elicitation/create, check the initialized client capabilities. If elicitation is absent, fall back to a safer default (ask once up-front via tool parameters, or fail cleanly with a clear error).",
+    parallelSafe: true
+  },
   {
     id: "lifecycle-meta-tolerance",
     name: "Tolerates _meta field on requests",
@@ -708,7 +740,8 @@ var TEST_DEFINITIONS = [
     required: false,
     specRef: "basic/utilities#_meta",
     description: "Sends a ping with params._meta = { extra: 'value' } and verifies the server doesn't error. The 2025-11-25 spec allows arbitrary _meta on any request; servers should ignore unknown _meta fields gracefully.",
-    recommendation: "Treat the _meta field as opaque \u2014 pass it through your request validator, but do not reject requests for unknown _meta keys. The MCP spec reserves _meta for protocol/transport metadata and forward-compat extensibility."
+    recommendation: "Treat the _meta field as opaque \u2014 pass it through your request validator, but do not reject requests for unknown _meta keys. The MCP spec reserves _meta for protocol/transport metadata and forward-compat extensibility.",
+    parallelSafe: true
   },
   // ── Tools (4 tests) ──────────────────────────────────────────────
   {
@@ -1407,8 +1440,14 @@ async function runComplianceSuite(target, options = {}) {
     let resourceNames = [];
     let promptCount = 0;
     let promptNames = [];
-    async function test(id, name, category, required, specRef, fn) {
-      if (!shouldRun2(id, category)) return;
+    const concurrency = Math.max(1, options.concurrency ?? 1);
+    const inFlight = /* @__PURE__ */ new Set();
+    async function drainPool() {
+      while (inFlight.size > 0) {
+        await Promise.race(inFlight);
+      }
+    }
+    async function runTestFn(id, name, category, required, specRef, fn) {
       const start = Date.now();
       let lastResult = { passed: false, details: "" };
       for (let attempt = 0; attempt <= retries; attempt++) {
@@ -1436,6 +1475,21 @@ async function runComplianceSuite(target, options = {}) {
       options.onProgress?.(id, lastResult.passed, lastResult.details);
       options.onTestComplete?.(result);
     }
+    async function test(id, name, category, required, specRef, fn) {
+      if (!shouldRun2(id, category)) return;
+      const def = TEST_DEFINITIONS_MAP.get(id);
+      const eligible = concurrency > 1 && def?.parallelSafe === true;
+      if (!eligible) {
+        if (inFlight.size > 0) await drainPool();
+        await runTestFn(id, name, category, required, specRef, fn);
+        return;
+      }
+      while (inFlight.size >= concurrency) await Promise.race(inFlight);
+      const p = runTestFn(id, name, category, required, specRef, fn).finally(() => {
+        inFlight.delete(p);
+      });
+      inFlight.add(p);
+    }
     await test(
       "transport-post",
       "HTTP POST accepted",
@@ -1604,7 +1658,11 @@ async function runComplianceSuite(target, options = {}) {
     try {
       initRes = await rpc("initialize", {
         protocolVersion: SPEC_VERSION,
-        capabilities: {},
+        capabilities: {
+          sampling: {},
+          roots: { listChanged: true },
+          elicitation: {}
+        },
         clientInfo: { name: "mcp-compliance", version: TOOL_VERSION }
       });
       const result = initRes?.body?.result;
@@ -2026,6 +2084,47 @@ async function runComplianceSuite(target, options = {}) {
         }
       }
     );
+    await test(
+      "lifecycle-sampling-capability",
+      "Sampling capability shape",
+      "lifecycle",
+      false,
+      "client/sampling",
+      async () => {
+        if (!initRes || initRes.body?.error) {
+          return { passed: false, details: "Server rejected initialize" };
+        }
+        return {
+          passed: true,
+          details: "Server accepted initialize with client sampling capability. Full server\u2192client sampling flow not exercised."
+        };
+      }
+    );
+    await test("lifecycle-roots-capability", "Roots capability shape", "lifecycle", false, "client/roots", async () => {
+      if (!initRes || initRes.body?.error) {
+        return { passed: false, details: "Server rejected initialize" };
+      }
+      return {
+        passed: true,
+        details: "Server accepted initialize. Full server\u2192client roots/list flow not exercised (requires a roots-aware client)."
+      };
+    });
+    await test(
+      "lifecycle-elicitation-capability",
+      "Elicitation capability shape",
+      "lifecycle",
+      false,
+      "client/elicitation",
+      async () => {
+        if (!initRes || initRes.body?.error) {
+          return { passed: false, details: "Server rejected initialize" };
+        }
+        return {
+          passed: true,
+          details: "Server accepted initialize. Full server\u2192client elicitation/create flow not exercised."
+        };
+      }
+    );
     await test(
       "lifecycle-meta-tolerance",
       "Tolerates _meta field on requests",
@@ -3927,6 +4026,7 @@ async function runComplianceSuite(target, options = {}) {
       const truncated = warnings.length - MAX_WARNINGS;
       warnings.splice(MAX_WARNINGS, truncated, `... and ${truncated} more warning(s) suppressed`);
     }
+    if (inFlight.size > 0) await drainPool();
     const { score, grade, overall, summary, categories } = computeScore(tests);
     const badge = generateBadge(displayUrl);
     return {
@@ -3958,6 +4058,7 @@ async function runComplianceSuite(target, options = {}) {
 }
 
 export {
+  urlHash,
   generateBadge,
   computeGrade,
   computeScore,

package/dist/index.js

@@ -946,7 +946,8 @@ var TEST_DEFINITIONS = [
     required: true,
     specRef: "basic/utilities#ping",
     description: "Tests that the server responds to the ping method with an empty result object. This is a required utility method.",
-    recommendation: 'Implement a "ping" method handler that returns an empty result object {}. This is required by the MCP spec for keepalive and connectivity checking.'
+    recommendation: 'Implement a "ping" method handler that returns an empty result object {}. This is required by the MCP spec for keepalive and connectivity checking.',
+    parallelSafe: true
   },
   {
     id: "lifecycle-instructions",
@@ -955,7 +956,8 @@ var TEST_DEFINITIONS = [
     required: false,
     specRef: "basic/lifecycle#initialization",
     description: "If the server includes an instructions field in the initialize response, validates it is a string. Instructions provide guidance for how the client should interact with the server.",
-    recommendation: "If you include an instructions field in the initialize response, ensure it is a string. Remove the field or fix the type if it is not a string."
+    recommendation: "If you include an instructions field in the initialize response, ensure it is a string. Remove the field or fix the type if it is not a string.",
+    parallelSafe: true
   },
   {
     id: "lifecycle-id-match",
@@ -1047,6 +1049,36 @@ var TEST_DEFINITIONS = [
     description: "Sends a tools/call request with _meta.progressToken and checks if the server sends progress notifications via SSE. Progress support is optional but recommended for long-running operations.",
     recommendation: "When a request includes _meta.progressToken, send notifications/progress events via SSE to report progress. Include progressToken, progress (current), and optionally total fields."
   },
+  {
+    id: "lifecycle-sampling-capability",
+    name: "Sampling capability shape",
+    category: "lifecycle",
+    required: false,
+    specRef: "client/sampling",
+    description: "If the server's initialize response or serverInfo implies it uses client-side sampling (sampling/createMessage), verify the capability declaration shape. Currently this is an advisory shape check \u2014 actually exercising the server\u2192client flow requires a client-side sampling handler and is out of scope.",
+    recommendation: "Sampling is a client capability (the client provides LLM access to the server). Servers don't declare sampling in their own capabilities; they just call sampling/createMessage against clients that advertise it. No server-side action required.",
+    parallelSafe: true
+  },
+  {
+    id: "lifecycle-roots-capability",
+    name: "Roots capability shape",
+    category: "lifecycle",
+    required: false,
+    specRef: "client/roots",
+    description: "Roots (filesystem root paths) is a client capability. This test verifies that if a server sends roots/list requests, it handles gracefully when the client doesn't declare the roots capability (i.e., doesn't crash).",
+    recommendation: "Before calling roots/list, check if the initialized client capabilities include 'roots'. If not, skip the call \u2014 the client can't respond. Never assume roots is available; it's opt-in on the client side.",
+    parallelSafe: true
+  },
+  {
+    id: "lifecycle-elicitation-capability",
+    name: "Elicitation capability shape",
+    category: "lifecycle",
+    required: false,
+    specRef: "client/elicitation",
+    description: "Elicitation (asking the user for structured input mid-operation) is a client capability added in 2025-11-25. This test verifies servers that use elicitation/create handle the case where clients don't support it.",
+    recommendation: "Before calling elicitation/create, check the initialized client capabilities. If elicitation is absent, fall back to a safer default (ask once up-front via tool parameters, or fail cleanly with a clear error).",
+    parallelSafe: true
+  },
   {
     id: "lifecycle-meta-tolerance",
     name: "Tolerates _meta field on requests",
@@ -1054,7 +1086,8 @@ var TEST_DEFINITIONS = [
     required: false,
     specRef: "basic/utilities#_meta",
     description: "Sends a ping with params._meta = { extra: 'value' } and verifies the server doesn't error. The 2025-11-25 spec allows arbitrary _meta on any request; servers should ignore unknown _meta fields gracefully.",
-    recommendation: "Treat the _meta field as opaque \u2014 pass it through your request validator, but do not reject requests for unknown _meta keys. The MCP spec reserves _meta for protocol/transport metadata and forward-compat extensibility."
+    recommendation: "Treat the _meta field as opaque \u2014 pass it through your request validator, but do not reject requests for unknown _meta keys. The MCP spec reserves _meta for protocol/transport metadata and forward-compat extensibility.",
+    parallelSafe: true
   },
   // ── Tools (4 tests) ──────────────────────────────────────────────
   {
@@ -1753,8 +1786,14 @@ async function runComplianceSuite(target, options = {}) {
     let resourceNames = [];
     let promptCount = 0;
     let promptNames = [];
-    async function test(id, name, category, required, specRef, fn) {
-      if (!shouldRun2(id, category)) return;
+    const concurrency = Math.max(1, options.concurrency ?? 1);
+    const inFlight = /* @__PURE__ */ new Set();
+    async function drainPool() {
+      while (inFlight.size > 0) {
+        await Promise.race(inFlight);
+      }
+    }
+    async function runTestFn(id, name, category, required, specRef, fn) {
       const start = Date.now();
       let lastResult = { passed: false, details: "" };
       for (let attempt = 0; attempt <= retries; attempt++) {
@@ -1782,6 +1821,21 @@ async function runComplianceSuite(target, options = {}) {
       options.onProgress?.(id, lastResult.passed, lastResult.details);
       options.onTestComplete?.(result);
     }
+    async function test(id, name, category, required, specRef, fn) {
+      if (!shouldRun2(id, category)) return;
+      const def = TEST_DEFINITIONS_MAP.get(id);
+      const eligible = concurrency > 1 && def?.parallelSafe === true;
+      if (!eligible) {
+        if (inFlight.size > 0) await drainPool();
+        await runTestFn(id, name, category, required, specRef, fn);
+        return;
+      }
+      while (inFlight.size >= concurrency) await Promise.race(inFlight);
+      const p = runTestFn(id, name, category, required, specRef, fn).finally(() => {
+        inFlight.delete(p);
+      });
+      inFlight.add(p);
+    }
     await test(
       "transport-post",
       "HTTP POST accepted",
@@ -1950,7 +2004,11 @@ async function runComplianceSuite(target, options = {}) {
     try {
       initRes = await rpc("initialize", {
         protocolVersion: SPEC_VERSION,
-        capabilities: {},
+        capabilities: {
+          sampling: {},
+          roots: { listChanged: true },
+          elicitation: {}
+        },
         clientInfo: { name: "mcp-compliance", version: TOOL_VERSION }
       });
       const result = initRes?.body?.result;
@@ -2372,6 +2430,47 @@ async function runComplianceSuite(target, options = {}) {
         }
       }
     );
+    await test(
+      "lifecycle-sampling-capability",
+      "Sampling capability shape",
+      "lifecycle",
+      false,
+      "client/sampling",
+      async () => {
+        if (!initRes || initRes.body?.error) {
+          return { passed: false, details: "Server rejected initialize" };
+        }
+        return {
+          passed: true,
+          details: "Server accepted initialize with client sampling capability. Full server\u2192client sampling flow not exercised."
+        };
+      }
+    );
+    await test("lifecycle-roots-capability", "Roots capability shape", "lifecycle", false, "client/roots", async () => {
+      if (!initRes || initRes.body?.error) {
+        return { passed: false, details: "Server rejected initialize" };
+      }
+      return {
+        passed: true,
+        details: "Server accepted initialize. Full server\u2192client roots/list flow not exercised (requires a roots-aware client)."
+      };
+    });
+    await test(
+      "lifecycle-elicitation-capability",
+      "Elicitation capability shape",
+      "lifecycle",
+      false,
+      "client/elicitation",
+      async () => {
+        if (!initRes || initRes.body?.error) {
+          return { passed: false, details: "Server rejected initialize" };
+        }
+        return {
+          passed: true,
+          details: "Server accepted initialize. Full server\u2192client elicitation/create flow not exercised."
+        };
+      }
+    );
     await test(
       "lifecycle-meta-tolerance",
       "Tolerates _meta field on requests",
@@ -4273,6 +4372,7 @@ async function runComplianceSuite(target, options = {}) {
       const truncated = warnings.length - MAX_WARNINGS;
       warnings.splice(MAX_WARNINGS, truncated, `... and ${truncated} more warning(s) suppressed`);
     }
+    if (inFlight.size > 0) await drainPool();
     const { score, grade, overall, summary, categories } = computeScore(tests);
     const badge = generateBadge(displayUrl);
     return {
@@ -5203,7 +5303,11 @@ program.command("test").description("Run the full compliance test suite against
   "--timeout <ms>",
   "Request timeout in milliseconds (bump to 30000+ for stdio servers with slow startup)",
   "15000"
-).option("--no-color", "Disable colored output (also honors NO_COLOR env var)").option("--watch", "Re-run tests when files in the cwd change (stdio targets only)").option("--preflight-timeout <ms>", "Preflight connectivity check timeout in milliseconds").option("--retries <n>", "Number of retries for failed tests", "0").option(
+).option("--no-color", "Disable colored output (also honors NO_COLOR env var)").option("--watch", "Re-run tests when files in the cwd change (stdio targets only)").option(
+  "--concurrency <n>",
+  "Max parallel-safe tests in flight (default 1; see docs/PERFORMANCE.md before raising)",
+  "1"
+).option("--preflight-timeout <ms>", "Preflight connectivity check timeout in milliseconds").option("--retries <n>", "Number of retries for failed tests", "0").option(
   "--only <items>",
   'Only run matching categories or test IDs, comma-separated (e.g., "transport,lifecycle" or "transport-post,lifecycle-init")',
   parseList
@@ -5262,6 +5366,7 @@ Testing ${describeTarget(transportTarget)}...
           timeout: parsePositiveInt(opts.timeout, "--timeout", 1),
           preflightTimeout: opts.preflightTimeout ? parsePositiveInt(opts.preflightTimeout, "--preflight-timeout", 1) : config?.preflightTimeout,
           retries: parsePositiveInt(opts.retries, "--retries"),
+          concurrency: parsePositiveInt(opts.concurrency, "--concurrency", 1),
           only,
           skip,
           onProgress: verbose ? (testId, passed, details) => {

package/dist/mcp/server.js

@@ -2,7 +2,7 @@ import {
   SPEC_BASE,
   TEST_DEFINITIONS,
   runComplianceSuite
-} from "../chunk-7KISK3FS.js";
+} from "../chunk-M67VVIRO.js";
 
 // src/mcp/server.ts
 import { existsSync, readFileSync } from "fs";

package/dist/runner.d.ts

@@ -63,6 +63,18 @@ interface TestDefinition {
     recommendation: string;
     /** Transports this test applies to. Omit = all transports. */
     transports?: ("http" | "stdio")[];
+    /**
+     * Declares this test safe to run concurrently with other parallel-safe
+     * tests. Default = false (serialized with other tests in the runner
+     * loop). Tests are parallel-safe when they:
+     *   - don't mutate shared closure state (sessionId, cachedToolsList, …)
+     *   - don't depend on the result of another concurrently-running test
+     *   - tolerate the server seeing >1 in-flight request at a time
+     *
+     * Setup tests (init, notifications/initialized) and tests that
+     * populate caches (tools/list, resources/list) must stay `false`.
+     */
+    parallelSafe?: boolean;
 }
 /** Describes the server under test. URL string = HTTP for backwards compat. */
 type TransportTarget = {
@@ -98,6 +110,16 @@ declare function computeScore(tests: TestResult[]): {
     }>;
 };
 
+/**
+ * Generate a short, deterministic hash of a URL for badge paths.
+ * SHA-256 truncated to 24 hex chars (96 bits of entropy) — matches the
+ * server-side hash width used by mcp.hosting for `/compliance/ext/<hash>`.
+ *
+ * Exported so mcp.hosting (and other consumers) can compute matching
+ * hashes when looking up reports/badges by URL. The hash is the canonical
+ * key for `/compliance/ext/<hash>` and `/api/compliance/ext/<hash>/badge`.
+ */
+declare function urlHash(url: string): string;
 /**
  * Generate badge URLs and markdown for a compliance report.
  * Badge images are served by mcp.hosting.
@@ -158,6 +180,14 @@ interface RunOptions {
     skip?: string[];
     /** Preflight connectivity check timeout in milliseconds (default: min(timeout, 10000)) */
     preflightTimeout?: number;
+    /**
+     * Maximum number of parallel-safe tests in flight at once. Default 1
+     * (strictly sequential — matches pre-0.12 behavior). Tests are only
+     * eligible for parallel execution when their `TestDefinition.parallelSafe`
+     * is true; everything else stays sequential regardless. See
+     * docs/PERFORMANCE.md for the design.
+     */
+    concurrency?: number;
 }
 /**
  * Run the full MCP compliance test suite. Accepts either a URL string
@@ -165,4 +195,4 @@ interface RunOptions {
  */
 declare function runComplianceSuite(target: string | TransportTarget, options?: RunOptions): Promise<ComplianceReport>;
 
-export { type ComplianceReport, type PreviewOptions, type RunOptions, SPEC_BASE, SPEC_VERSION, TEST_DEFINITIONS, type TestResult, computeGrade, computeScore, generateBadge, parseSSEResponse, previewTests, runComplianceSuite };
+export { type ComplianceReport, type PreviewOptions, type RunOptions, SPEC_BASE, SPEC_VERSION, TEST_DEFINITIONS, type TestResult, computeGrade, computeScore, generateBadge, parseSSEResponse, previewTests, runComplianceSuite, urlHash };

package/dist/runner.js

@@ -7,8 +7,9 @@ import {
   generateBadge,
   parseSSEResponse,
   previewTests,
-  runComplianceSuite
-} from "./chunk-7KISK3FS.js";
+  runComplianceSuite,
+  urlHash
+} from "./chunk-M67VVIRO.js";
 export {
   SPEC_BASE,
   SPEC_VERSION,
@@ -18,5 +19,6 @@ export {
   generateBadge,
   parseSSEResponse,
   previewTests,
-  runComplianceSuite
+  runComplianceSuite,
+  urlHash
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.10.1",
+  "version": "0.12.0",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
   "author": "Yaw Labs <contact@yaw.sh> (https://yaw.sh)",
@@ -51,6 +51,7 @@
     "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
     "tsup": "^8.4.0",
+    "tsx": "^4.21.0",
     "typescript": "^5.8.3",
     "vitest": "^3.1.1"
   },