@yawlabs/mcp-compliance 0.12.2 → 0.13.1

package/README.md

@@ -15,13 +15,13 @@ MCP servers are multiplying fast — but most ship without compliance testing. B
 
 This tool solves that:
 
-- **84 tests across 8 categories** — transport, lifecycle, tools, resources, prompts, error handling, schema validation, and security. No gaps. (HTTP runs all 81 transport-applicable tests; stdio runs ~70 — HTTP-specific tests like CORS, TLS, session headers, and rate limiting are gated out.)
+- **88 tests across 8 categories** — transport, lifecycle, tools, resources, prompts, error handling, schema validation, and security. No gaps. (HTTP runs all 85 transport-applicable tests; stdio runs ~75 — HTTP-specific tests like CORS, TLS, session headers, and rate limiting are gated out.)
 - **Capability-driven** — tests adapt to what the server declares. If it says it supports tools, tool tests become required. No false failures for features the server doesn't claim.
 - **Graded scoring** — A-F letter grade with a weighted score (required tests 70%, optional 30%). One number to communicate compliance.
 - **CI-ready** — `--strict` mode exits with code 1 on required test failures. Drop it into any pipeline.
 - **Spec-referenced** — every test links to the exact section of the MCP specification it validates. No ambiguity about what's being tested or why.
 - **Three interfaces** — CLI for humans, MCP server for AI assistants, programmatic API for integration.
-- **Published specification** — the [testing methodology](./MCP_COMPLIANCE_SPEC.md) and [rule catalog](./mcp-compliance-rules.json) are open (CC BY 4.0) so anyone can implement compatible tooling.
+- **Published methodology** — the [testing methodology](./COMPLIANCE_RUBRIC.md) and [rule catalog](./mcp-compliance-rules.json) are open (CC BY 4.0) so anyone can build compatible tooling or fork the rules.
 
 ## Quick start
 
@@ -124,6 +124,7 @@ On Windows, `npx` and other `.cmd` shims are handled automatically by spawning t
 | `--retries <n>` | both | Number of retries for failed tests (default: `0`) |
 | `--only <items>` | both | Only run tests matching these categories or test IDs (comma-separated) |
 | `--skip <items>` | both | Skip tests matching these categories or test IDs (comma-separated) |
+| `--concurrency <n>` | both | Max parallel-safe tests in flight (default: `1`; raising reduces wall time but can perturb timing-sensitive servers) |
 | `--verbose` | both | Print each test result as it runs (also forwards stdio stderr) |
 
 ### CI integration
@@ -258,11 +259,12 @@ Then embed it in your README:
 
 The `test` command never publishes — use it for CI, debugging, and local iteration. `badge` is the only command that publishes to mcp.hosting.
 
-## What the 84 tests check
+## What the 88 tests check
 
 <details>
-<summary><strong>Transport (13 tests)</strong></summary>
+<summary><strong>Transport (16 tests)</strong></summary>
 
+HTTP-only (13):
 - **transport-post** — Server accepts HTTP POST requests (required)
 - **transport-content-type** — Responds with application/json or text/event-stream (required)
 - **transport-notification-202** — Notifications return exactly 202 Accepted
@@ -277,10 +279,15 @@ The `test` command never publishes — use it for CI, debugging, and local itera
 - **transport-concurrent** — Handles concurrent requests
 - **transport-sse-event-field** — SSE responses include required event: message field
 
+stdio-only (3):
+- **stdio-framing** — Newline-delimited JSON framing (required)
+- **stdio-unicode** — UTF-8 unicode roundtrip preserves non-ASCII payloads
+- **stdio-unknown-method-recovers** — Returns -32601 for unknown methods and keeps serving
+
 </details>
 
 <details>
-<summary><strong>Lifecycle (17 tests)</strong></summary>
+<summary><strong>Lifecycle (21 tests)</strong></summary>
 
 - **lifecycle-init** — Initialize handshake succeeds (required)
 - **lifecycle-proto-version** — Returns valid YYYY-MM-DD protocol version (required)
@@ -299,6 +306,10 @@ The `test` command never publishes — use it for CI, debugging, and local itera
 - **lifecycle-progress** — Handles progress notifications gracefully
 - **lifecycle-list-changed** — Accepts listChanged notifications for declared capabilities
 - **lifecycle-progress-token** — Supports progress tokens in requests via SSE
+- **lifecycle-sampling-capability** — Advisory check for server-side use of the client sampling capability
+- **lifecycle-roots-capability** — Advisory check for server-side use of the client roots capability
+- **lifecycle-elicitation-capability** — Advisory check for the 2025-11-25 client elicitation capability
+- **lifecycle-meta-tolerance** — Server ignores unknown `_meta` fields on incoming requests
 
 </details>
 
@@ -399,7 +410,7 @@ The `test` command never publishes — use it for CI, debugging, and local itera
 | D     | 40-59  |
 | F     | 0-39   |
 
-Required tests are worth 70% of the score, optional tests 30%. See the [full scoring algorithm](./MCP_COMPLIANCE_SPEC.md#2-scoring-algorithm) in the specification.
+Required tests are worth 70% of the score, optional tests 30%. See the [full scoring algorithm](./COMPLIANCE_RUBRIC.md#2-scoring-algorithm) in the methodology doc.
 
 ## CI integration
 
@@ -536,11 +547,11 @@ Consumer guidance:
 - Within a major version, additions are non-breaking. Renames, removals, or type changes bump the version.
 - Two runs against the same server produce equivalent grade, score, and per-test pass/fail (modulo timings/timestamps).
 
-## Specification
+## Methodology & docs
 
-The compliance testing methodology is published as an open specification:
+The testing methodology is published openly so the grading is auditable:
 
-- **[MCP Compliance Testing Specification](./MCP_COMPLIANCE_SPEC.md)** — test execution model, scoring algorithm, all 88 test rules with pass/fail criteria (CC BY 4.0)
+- **[Testing methodology](./COMPLIANCE_RUBRIC.md)** — test execution model, scoring algorithm, all 88 test rules with pass/fail criteria (CC BY 4.0)
 - **[Machine-readable rule catalog](./mcp-compliance-rules.json)** — JSON Schema-compliant catalog for programmatic consumption
 - **[Why `mcp-compliance`](./docs/WHY.md)** — the problem, existing alternatives, what this tool does differently
 - **[Fixing common failures](./docs/FIXES.md)** — recipes for the most frequent test failures with code snippets
@@ -551,7 +562,7 @@ The compliance testing methodology is published as an open specification:
 - **[Spec PR drafts](./docs/spec-prs/)** — our proposed MCP spec clarifications for ambiguous cases we've hit
 - **[mcp.hosting integration spec](./docs/mcp-hosting-integration.md)** — the contract between this engine and the mcp.hosting platform: URL surfaces, data flow, storage model, badge API, leaderboard, router integration
 
-These are complementary to (not competing with) the [official MCP specification](https://modelcontextprotocol.io/specification/2025-11-25). The MCP spec defines what servers must do; this spec defines how to verify compliance.
+The methodology is not an authoritative conformance standard — it's one tool's choices, published so they can be inspected, adopted, or forked. The [official MCP specification](https://modelcontextprotocol.io/specification/2025-11-25) defines what servers must do; this document describes how `@yawlabs/mcp-compliance` verifies it.
 
 ## Requirements
 
@@ -583,7 +594,7 @@ npm test
 
 - [mcp.hosting](https://mcp.hosting) — Hosted MCP server infrastructure
 - [MCP Specification](https://modelcontextprotocol.io/specification/2025-11-25)
-- [MCP Compliance Testing Spec](./MCP_COMPLIANCE_SPEC.md)
+- [Testing methodology](./COMPLIANCE_RUBRIC.md)
 - [Yaw Labs](https://yaw.sh)
 
 ## License

package/dist/{chunk-G5K7CRWU.js → chunk-BX22BHC5.js}

@@ -63,7 +63,7 @@ import { request } from "undici";
 
 // src/sse.ts
 function parseSSEResponse(text) {
-  const lines = text.split("\n");
+  const lines = text.split(/\r?\n/);
   let firstJsonRpcResponse = null;
   let currentData = [];
   function flushEvent() {
@@ -106,7 +106,8 @@ function createHttpTransport(opts) {
   function normalizeHeaders(raw) {
     const out = {};
     for (const [k, v] of Object.entries(raw)) {
-      if (typeof v === "string") out[k] = v;
+      if (v === void 0) continue;
+      out[k] = Array.isArray(v) ? v.join(", ") : v;
     }
     return out;
   }
@@ -250,6 +251,11 @@ function createStdioTransport(opts) {
       handleLine(line);
     }
     if (stdoutBuffer.length > stdoutBufferSize) {
+      stderrBuffer += `[mcp-compliance] stdout buffer exceeded ${stdoutBufferSize} bytes without a newline; discarding buffered data
+`;
+      if (stderrBuffer.length > stderrBufferSize) {
+        stderrBuffer = stderrBuffer.slice(stderrBuffer.length - stderrBufferSize);
+      }
       stdoutBuffer = "";
     }
   });
@@ -402,7 +408,7 @@ function createStdioTransport(opts) {
 // src/types.ts
 var REPORT_SCHEMA_VERSION = "1";
 var TEST_DEFINITIONS = [
-  // ── Transport (13 tests) ─────────────────────────────────────────
+  // ── Transport (16 tests: 13 HTTP + 3 stdio) ──────────────────────
   {
     id: "transport-post",
     name: "HTTP POST accepted",
@@ -551,7 +557,7 @@ var TEST_DEFINITIONS = [
     recommendation: "Return JSON-RPC error -32601 (Method not found) for unknown methods. Do not exit the process or disconnect \u2014 the client should be able to keep using the session after an error.",
     transports: ["stdio"]
   },
-  // ── Lifecycle (17 tests) ─────────────────────────────────────────
+  // ── Lifecycle (21 tests) ─────────────────────────────────────────
   {
     id: "lifecycle-init",
     name: "Initialize handshake",
@@ -1249,17 +1255,13 @@ var STACK_TRACE_PATTERNS = [
   // PHP
   /panicked\s+at\s+'/i,
   // Rust
-  /ENOENT|EACCES|EPERM/,
-  // Node.js system errors
   /node_modules\//,
-  // Node.js module paths
-  /\/usr\/local\/|\/home\//,
-  // Unix paths
-  /[A-Z]:\\.*\\/,
-  // Windows paths
-  /password|passwd|secret|credential/i,
-  // Sensitive terms
-  /jdbc:|mysql:|postgres:|mongodb:/i
+  // Node.js module paths (filesystem layout leak)
+  /\/usr\/local\/|\/home\/|\/root\//,
+  // Unix absolute paths
+  /[A-Z]:\\[\w\s.-]+\\[\w\s.-]+/,
+  // Windows absolute paths (drive + 2+ segments)
+  /jdbc:|mysql:\/\/|postgres(?:ql)?:\/\/|mongodb(?:\+srv)?:\/\//i
   // DB connection strings
 ];
 var INTERNAL_IP_PATTERNS = [
@@ -1278,6 +1280,20 @@ function createIdCounter(start = 0) {
   let id = start;
   return () => ++id;
 }
+function dedupAndCapWarnings(warnings, max) {
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = [];
+  for (const w of warnings) {
+    if (seen.has(w)) continue;
+    seen.add(w);
+    deduped.push(w);
+  }
+  if (deduped.length > max) {
+    const truncated = deduped.length - max;
+    return [...deduped.slice(0, max), `... and ${truncated} more warning(s) suppressed`];
+  }
+  return deduped;
+}
 var STDIO_INCOMPATIBLE_IDS = /* @__PURE__ */ new Set([
   // Lifecycle tests that use raw undici for HTTP-specific checks
   "lifecycle-string-id",
@@ -4030,12 +4046,11 @@ async function runComplianceSuite(target, options = {}) {
         return { passed: true, details: "Unknown method returned JSON-RPC error; subsequent ping succeeded" };
       }
     );
-    const MAX_WARNINGS = 100;
-    if (warnings.length > MAX_WARNINGS) {
-      const truncated = warnings.length - MAX_WARNINGS;
-      warnings.splice(MAX_WARNINGS, truncated, `... and ${truncated} more warning(s) suppressed`);
-    }
     if (inFlight.size > 0) await drainPool();
+    const MAX_WARNINGS = 50;
+    const capped = dedupAndCapWarnings(warnings, MAX_WARNINGS);
+    warnings.length = 0;
+    warnings.push(...capped);
     const { score, grade, overall, summary, categories } = computeScore(tests);
     const badge = generateBadge(displayUrl);
     return {
@@ -4075,6 +4090,7 @@ export {
   TEST_DEFINITIONS,
   SPEC_VERSION,
   SPEC_BASE,
+  dedupAndCapWarnings,
   previewTests,
   runComplianceSuite
 };

package/dist/index.js

@@ -16,6 +16,9 @@ var GRADE_COLORS = {
   F: "#e05d44"
 };
 var UNTESTED_COLOR = "#9f9f9f";
+function escXml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
 function renderBadgeSvg(input) {
   let gradeLabel = "unknown";
   let color = UNTESTED_COLOR;
@@ -27,14 +30,16 @@ function renderBadgeSvg(input) {
     title = `MCP Compliant: Grade ${input.grade}${input.score != null ? ` (${input.score}%)` : ""} - tested ${date}`;
   }
   const leftText = "MCP Compliant";
-  const rightText = gradeLabel;
+  const rightText = escXml(gradeLabel);
+  const ariaLabel = `${leftText}: ${escXml(gradeLabel)}`;
+  const titleEsc = escXml(title);
   const leftWidth = 95;
   const rightWidth = 40;
   const totalWidth = leftWidth + rightWidth;
   const leftX = leftWidth / 2;
   const rightX = leftWidth + rightWidth / 2;
-  return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="20" role="img" aria-label="${leftText}: ${rightText}">
-  <title>${title}</title>
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="20" role="img" aria-label="${ariaLabel}">
+  <title>${titleEsc}</title>
   <linearGradient id="s" x2="0" y2="100%">
     <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
     <stop offset="1" stop-opacity=".1"/>
@@ -64,7 +69,7 @@ import { request } from "undici";
 
 // src/sse.ts
 function parseSSEResponse(text) {
-  const lines = text.split("\n");
+  const lines = text.split(/\r?\n/);
   let firstJsonRpcResponse = null;
   let currentData = [];
   function flushEvent() {
@@ -107,7 +112,8 @@ function createHttpTransport(opts) {
   function normalizeHeaders(raw) {
     const out = {};
     for (const [k, v] of Object.entries(raw)) {
-      if (typeof v === "string") out[k] = v;
+      if (v === void 0) continue;
+      out[k] = Array.isArray(v) ? v.join(", ") : v;
     }
     return out;
   }
@@ -251,6 +257,11 @@ function createStdioTransport(opts) {
       handleLine(line);
     }
     if (stdoutBuffer.length > stdoutBufferSize) {
+      stderrBuffer += `[mcp-compliance] stdout buffer exceeded ${stdoutBufferSize} bytes without a newline; discarding buffered data
+`;
+      if (stderrBuffer.length > stderrBufferSize) {
+        stderrBuffer = stderrBuffer.slice(stderrBuffer.length - stderrBufferSize);
+      }
       stdoutBuffer = "";
     }
   });
@@ -579,6 +590,11 @@ function validateTarget(t, source) {
 
 // src/diff.ts
 function diffReports(baseline, current) {
+  if (baseline.specVersion && current.specVersion && baseline.specVersion !== current.specVersion) {
+    throw new Error(
+      `Spec version mismatch: baseline is ${baseline.specVersion}, current is ${current.specVersion}. Re-run the baseline with this tool version (or downgrade the tool to match) before diffing.`
+    );
+  }
   const baseById = new Map(baseline.tests.map((t) => [t.id, t]));
   const curById = new Map(current.tests.map((t) => [t.id, t]));
   const regressions = [];
@@ -676,7 +692,7 @@ function hasRegressions(summary) {
 }
 
 // src/mcp/server.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { existsSync as existsSync2, readFileSync as readFileSync2, realpathSync } from "fs";
 import { dirname, join as join2, resolve as resolve2 } from "path";
 import { fileURLToPath } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -748,7 +764,7 @@ function computeScore(tests) {
 // src/types.ts
 var REPORT_SCHEMA_VERSION = "1";
 var TEST_DEFINITIONS = [
-  // ── Transport (13 tests) ─────────────────────────────────────────
+  // ── Transport (16 tests: 13 HTTP + 3 stdio) ──────────────────────
   {
     id: "transport-post",
     name: "HTTP POST accepted",
@@ -897,7 +913,7 @@ var TEST_DEFINITIONS = [
     recommendation: "Return JSON-RPC error -32601 (Method not found) for unknown methods. Do not exit the process or disconnect \u2014 the client should be able to keep using the session after an error.",
     transports: ["stdio"]
   },
-  // ── Lifecycle (17 tests) ─────────────────────────────────────────
+  // ── Lifecycle (21 tests) ─────────────────────────────────────────
   {
     id: "lifecycle-init",
     name: "Initialize handshake",
@@ -1595,17 +1611,13 @@ var STACK_TRACE_PATTERNS = [
   // PHP
   /panicked\s+at\s+'/i,
   // Rust
-  /ENOENT|EACCES|EPERM/,
-  // Node.js system errors
   /node_modules\//,
-  // Node.js module paths
-  /\/usr\/local\/|\/home\//,
-  // Unix paths
-  /[A-Z]:\\.*\\/,
-  // Windows paths
-  /password|passwd|secret|credential/i,
-  // Sensitive terms
-  /jdbc:|mysql:|postgres:|mongodb:/i
+  // Node.js module paths (filesystem layout leak)
+  /\/usr\/local\/|\/home\/|\/root\//,
+  // Unix absolute paths
+  /[A-Z]:\\[\w\s.-]+\\[\w\s.-]+/,
+  // Windows absolute paths (drive + 2+ segments)
+  /jdbc:|mysql:\/\/|postgres(?:ql)?:\/\/|mongodb(?:\+srv)?:\/\//i
   // DB connection strings
 ];
 var INTERNAL_IP_PATTERNS = [
@@ -1624,6 +1636,20 @@ function createIdCounter(start = 0) {
   let id = start;
   return () => ++id;
 }
+function dedupAndCapWarnings(warnings, max) {
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = [];
+  for (const w of warnings) {
+    if (seen.has(w)) continue;
+    seen.add(w);
+    deduped.push(w);
+  }
+  if (deduped.length > max) {
+    const truncated = deduped.length - max;
+    return [...deduped.slice(0, max), `... and ${truncated} more warning(s) suppressed`];
+  }
+  return deduped;
+}
 var STDIO_INCOMPATIBLE_IDS = /* @__PURE__ */ new Set([
   // Lifecycle tests that use raw undici for HTTP-specific checks
   "lifecycle-string-id",
@@ -4376,12 +4402,11 @@ async function runComplianceSuite(target, options = {}) {
         return { passed: true, details: "Unknown method returned JSON-RPC error; subsequent ping succeeded" };
       }
     );
-    const MAX_WARNINGS = 100;
-    if (warnings.length > MAX_WARNINGS) {
-      const truncated = warnings.length - MAX_WARNINGS;
-      warnings.splice(MAX_WARNINGS, truncated, `... and ${truncated} more warning(s) suppressed`);
-    }
     if (inFlight.size > 0) await drainPool();
+    const MAX_WARNINGS = 50;
+    const capped = dedupAndCapWarnings(warnings, MAX_WARNINGS);
+    warnings.length = 0;
+    warnings.push(...capped);
     const { score, grade, overall, summary, categories } = computeScore(tests);
     const badge = generateBadge(displayUrl);
     return {
@@ -4416,7 +4441,7 @@ async function runComplianceSuite(target, options = {}) {
 function registerTools(server) {
   server.tool(
     "mcp_compliance_test",
-    "Run the full MCP compliance test suite against a server URL. Returns grade (A-F), score, and detailed results for all 81 tests covering transport, lifecycle, tools, resources, prompts, errors, schema validation, and security.",
+    "Run the full MCP compliance test suite against a server URL. Returns grade (A-F), score, and detailed results for all 88 tests covering transport, lifecycle, tools, resources, prompts, errors, schema validation, and security.",
     {
       url: z.string().url().describe("The MCP server URL to test (must be HTTP or HTTPS)"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
@@ -4611,8 +4636,16 @@ async function startServer() {
   const transport = new StdioServerTransport();
   await server.connect(transport);
 }
-var isDirectRun = process.argv[1]?.endsWith("mcp/server.js") || process.argv[1]?.endsWith("mcp\\server.js");
-if (isDirectRun) {
+function isInvokedDirectly() {
+  const argv1 = process.argv[1];
+  if (!argv1) return false;
+  try {
+    return realpathSync(argv1) === realpathSync(fileURLToPath(import.meta.url));
+  } catch {
+    return false;
+  }
+}
+if (isInvokedDirectly()) {
   startServer().catch((err) => {
     console.error("MCP server error:", err);
     process.exit(1);
@@ -5380,7 +5413,9 @@ Testing ${describeTarget(transportTarget)}...
           skip,
           onProgress: verbose ? (testId, passed, details) => {
             const icon = passed ? chalk2.green("PASS") : chalk2.red("FAIL");
-            console.log(`  ${icon} ${testId} \u2014 ${details}`);
+            const stream = opts.format === "terminal" ? process.stdout : process.stderr;
+            stream.write(`  ${icon} ${testId} \u2014 ${details}
+`);
           } : void 0
         });
         if (verbose && opts.format === "terminal") {
@@ -5414,6 +5449,16 @@ Badge SVG written to ${opts.output}`));
           console.error(chalk2.red("\nError: --watch only applies to stdio targets (HTTP servers are remote).\n"));
           process.exit(1);
         }
+        if (opts.format !== "terminal" && opts.format !== "markdown" && opts.format !== "html") {
+          console.error(
+            chalk2.red(
+              `
+Error: --watch is incompatible with --format=${opts.format} (multi-run output would be unparseable). Use --format=terminal.
+`
+            )
+          );
+          process.exit(1);
+        }
         await runOnce();
         let pending = null;
         let running = false;
@@ -5427,8 +5472,9 @@ Badge SVG written to ${opts.output}`));
             if (running) return;
             running = true;
             try {
-              console.log(chalk2.dim(`
+              process.stderr.write(chalk2.dim(`
 [watch] ${f} changed \u2014 re-running...
+
 `));
               await runOnce();
             } catch (err) {
@@ -5440,7 +5486,7 @@ Badge SVG written to ${opts.output}`));
         });
         process.on("SIGINT", () => {
           watcher.close();
-          console.log(chalk2.dim("\n[watch] stopped"));
+          process.stderr.write(chalk2.dim("\n[watch] stopped\n"));
           process.exit(0);
         });
         await new Promise(() => {

package/dist/mcp/server.js

@@ -2,10 +2,10 @@ import {
   SPEC_BASE,
   TEST_DEFINITIONS,
   runComplianceSuite
-} from "../chunk-G5K7CRWU.js";
+} from "../chunk-BX22BHC5.js";
 
 // src/mcp/server.ts
-import { existsSync, readFileSync } from "fs";
+import { existsSync, readFileSync, realpathSync } from "fs";
 import { dirname, join, resolve } from "path";
 import { fileURLToPath } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -16,7 +16,7 @@ import { z } from "zod";
 function registerTools(server) {
   server.tool(
     "mcp_compliance_test",
-    "Run the full MCP compliance test suite against a server URL. Returns grade (A-F), score, and detailed results for all 81 tests covering transport, lifecycle, tools, resources, prompts, errors, schema validation, and security.",
+    "Run the full MCP compliance test suite against a server URL. Returns grade (A-F), score, and detailed results for all 88 tests covering transport, lifecycle, tools, resources, prompts, errors, schema validation, and security.",
     {
       url: z.string().url().describe("The MCP server URL to test (must be HTTP or HTTPS)"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
@@ -211,8 +211,16 @@ async function startServer() {
   const transport = new StdioServerTransport();
   await server.connect(transport);
 }
-var isDirectRun = process.argv[1]?.endsWith("mcp/server.js") || process.argv[1]?.endsWith("mcp\\server.js");
-if (isDirectRun) {
+function isInvokedDirectly() {
+  const argv1 = process.argv[1];
+  if (!argv1) return false;
+  try {
+    return realpathSync(argv1) === realpathSync(fileURLToPath(import.meta.url));
+  } catch {
+    return false;
+  }
+}
+if (isInvokedDirectly()) {
   startServer().catch((err) => {
     console.error("MCP server error:", err);
     process.exit(1);

package/dist/runner.d.ts

@@ -89,7 +89,7 @@ type TransportTarget = {
     cwd?: string;
     verbose?: boolean;
 };
-/** All 81 test IDs with descriptions for the explain command */
+/** All 88 test IDs with descriptions for the explain command */
 declare const TEST_DEFINITIONS: TestDefinition[];
 
 declare function computeGrade(score: number): Grade;
@@ -142,6 +142,14 @@ declare function parseSSEResponse(text: string): any;
 
 declare const SPEC_VERSION = "2025-11-25";
 declare const SPEC_BASE = "https://modelcontextprotocol.io/specification/2025-11-25";
+/**
+ * Dedupe and cap a list of warnings, preserving insertion order and
+ * appending a truncation sentinel when capped. Extracted so the cap
+ * semantics can be unit-tested without spinning up a suite run.
+ *
+ * @internal Exported for testing.
+ */
+declare function dedupAndCapWarnings(warnings: readonly string[], max: number): string[];
 
 interface PreviewOptions {
     /** Transport to filter against. Defaults to "http". */
@@ -206,4 +214,4 @@ interface RunOptions {
  */
 declare function runComplianceSuite(target: string | TransportTarget, options?: RunOptions): Promise<ComplianceReport>;
 
-export { type ComplianceReport, type PreviewOptions, type RunOptions, SPEC_BASE, SPEC_VERSION, TEST_DEFINITIONS, type TestResult, computeGrade, computeScore, generateBadge, parseSSEResponse, previewTests, runComplianceSuite, urlHash };
+export { type ComplianceReport, type PreviewOptions, type RunOptions, SPEC_BASE, SPEC_VERSION, TEST_DEFINITIONS, type TestResult, computeGrade, computeScore, dedupAndCapWarnings, generateBadge, parseSSEResponse, previewTests, runComplianceSuite, urlHash };

package/dist/runner.js

@@ -4,18 +4,20 @@ import {
   TEST_DEFINITIONS,
   computeGrade,
   computeScore,
+  dedupAndCapWarnings,
   generateBadge,
   parseSSEResponse,
   previewTests,
   runComplianceSuite,
   urlHash
-} from "./chunk-G5K7CRWU.js";
+} from "./chunk-BX22BHC5.js";
 export {
   SPEC_BASE,
   SPEC_VERSION,
   TEST_DEFINITIONS,
   computeGrade,
   computeScore,
+  dedupAndCapWarnings,
   generateBadge,
   parseSSEResponse,
   previewTests,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.12.2",
+  "version": "0.13.1",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
   "author": "Yaw Labs <contact@yaw.sh> (https://yaw.sh)",
@@ -42,7 +42,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "chalk": "^5.4.1",
-    "commander": "^13.1.0",
+    "commander": "^14.0.3",
     "undici": "^7.8.0",
     "zod": "^3.24.4"
   },
@@ -57,7 +57,7 @@
     "vitest": "^3.1.1"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "keywords": [
     "mcp",