@yawlabs/mcp-compliance 0.13.0 → 0.13.2

package/dist/{chunk-G5K7CRWU.js → chunk-X5CVUDPW.js}

@@ -37,12 +37,28 @@ function computeScore(tests) {
   const failed = total - passed;
   const requiredTests = tests.filter((t) => t.required);
   const requiredPassed = requiredTests.filter((t) => t.passed).length;
-  const requiredScore = requiredTests.length > 0 ? requiredPassed / requiredTests.length * 70 : 70;
   const optionalTests = tests.filter((t) => !t.required);
   const optionalPassed = optionalTests.filter((t) => t.passed).length;
-  const optionalScore = optionalTests.length > 0 ? optionalPassed / optionalTests.length * 30 : 30;
-  const score = Math.round(requiredScore + optionalScore);
-  const overall = requiredPassed === requiredTests.length ? passed === total ? "pass" : "partial" : "fail";
+  let score;
+  if (total === 0) {
+    score = 0;
+  } else if (requiredTests.length === 0) {
+    score = Math.round(optionalPassed / optionalTests.length * 100);
+  } else if (optionalTests.length === 0) {
+    score = Math.round(requiredPassed / requiredTests.length * 100);
+  } else {
+    score = Math.round(requiredPassed / requiredTests.length * 70 + optionalPassed / optionalTests.length * 30);
+  }
+  let overall;
+  if (total === 0) {
+    overall = "fail";
+  } else if (requiredPassed < requiredTests.length) {
+    overall = "fail";
+  } else if (passed === total) {
+    overall = "pass";
+  } else {
+    overall = "partial";
+  }
   const categories = {};
   for (const t of tests) {
     if (!categories[t.category]) categories[t.category] = { passed: 0, total: 0 };
@@ -63,7 +79,7 @@ import { request } from "undici";
 
 // src/sse.ts
 function parseSSEResponse(text) {
-  const lines = text.split("\n");
+  const lines = text.split(/\r?\n/);
   let firstJsonRpcResponse = null;
   let currentData = [];
   function flushEvent() {
@@ -106,7 +122,8 @@ function createHttpTransport(opts) {
   function normalizeHeaders(raw) {
     const out = {};
     for (const [k, v] of Object.entries(raw)) {
-      if (typeof v === "string") out[k] = v;
+      if (v === void 0) continue;
+      out[k] = Array.isArray(v) ? v.join(", ") : v;
     }
     return out;
   }
@@ -197,6 +214,13 @@ function createHttpTransport(opts) {
 
 // src/transport/stdio.ts
 import { spawn } from "child_process";
+function exitDiagnostic(code, signal) {
+  if (signal) return `server terminated by signal ${signal} before completing the request`;
+  if (code === 0) {
+    return "server exited cleanly (code 0) before completing the request. This usually means the command is a one-shot CLI, not a long-running MCP stdio server. If the server needs a subcommand to start (e.g. `serve`, `mcp`, `start`), include it in the command.";
+  }
+  return `server crashed with exit code ${code} before completing the request`;
+}
 function createStdioTransport(opts) {
   const { command, args = [], env, cwd, verbose = false } = opts;
   const stderrBufferSize = opts.stderrBufferSize ?? 64 * 1024;
@@ -236,8 +260,7 @@ function createStdioTransport(opts) {
     exited = true;
     exitCode = code;
     if (pending.size > 0) {
-      const reason = signal ? `child exited (signal ${signal})` : `child exited with code ${code}`;
-      rejectAllPending(new Error(reason));
+      rejectAllPending(new Error(exitDiagnostic(code, signal)));
     }
   });
   child.stdout?.setEncoding("utf8");
@@ -250,6 +273,11 @@ function createStdioTransport(opts) {
       handleLine(line);
     }
     if (stdoutBuffer.length > stdoutBufferSize) {
+      stderrBuffer += `[mcp-compliance] stdout buffer exceeded ${stdoutBufferSize} bytes without a newline; discarding buffered data
+`;
+      if (stderrBuffer.length > stderrBufferSize) {
+        stderrBuffer = stderrBuffer.slice(stderrBuffer.length - stderrBufferSize);
+      }
       stdoutBuffer = "";
     }
   });
@@ -307,7 +335,7 @@ function createStdioTransport(opts) {
       }
     }
     if (exited) {
-      throw new Error(annotateWithStderr(`stdio transport: child has exited (code ${exitCode})`));
+      throw new Error(annotateWithStderr(`stdio transport: ${exitDiagnostic(exitCode, null)}`));
     }
     if (spawnError) throw new Error(annotateWithStderr(`stdio transport: spawn failed \u2014 ${spawnError.message}`));
     const stdin = child.stdin;
@@ -402,7 +430,7 @@ function createStdioTransport(opts) {
 // src/types.ts
 var REPORT_SCHEMA_VERSION = "1";
 var TEST_DEFINITIONS = [
-  // ── Transport (13 tests) ─────────────────────────────────────────
+  // ── Transport (16 tests: 13 HTTP + 3 stdio) ──────────────────────
   {
     id: "transport-post",
     name: "HTTP POST accepted",
@@ -551,7 +579,7 @@ var TEST_DEFINITIONS = [
     recommendation: "Return JSON-RPC error -32601 (Method not found) for unknown methods. Do not exit the process or disconnect \u2014 the client should be able to keep using the session after an error.",
     transports: ["stdio"]
   },
-  // ── Lifecycle (17 tests) ─────────────────────────────────────────
+  // ── Lifecycle (21 tests) ─────────────────────────────────────────
   {
     id: "lifecycle-init",
     name: "Initialize handshake",
@@ -1249,17 +1277,13 @@ var STACK_TRACE_PATTERNS = [
   // PHP
   /panicked\s+at\s+'/i,
   // Rust
-  /ENOENT|EACCES|EPERM/,
-  // Node.js system errors
   /node_modules\//,
-  // Node.js module paths
-  /\/usr\/local\/|\/home\//,
-  // Unix paths
-  /[A-Z]:\\.*\\/,
-  // Windows paths
-  /password|passwd|secret|credential/i,
-  // Sensitive terms
-  /jdbc:|mysql:|postgres:|mongodb:/i
+  // Node.js module paths (filesystem layout leak)
+  /\/usr\/local\/|\/home\/|\/root\//,
+  // Unix absolute paths
+  /[A-Z]:\\[\w\s.-]+\\[\w\s.-]+/,
+  // Windows absolute paths (drive + 2+ segments)
+  /jdbc:|mysql:\/\/|postgres(?:ql)?:\/\/|mongodb(?:\+srv)?:\/\//i
   // DB connection strings
 ];
 var INTERNAL_IP_PATTERNS = [
@@ -1278,6 +1302,20 @@ function createIdCounter(start = 0) {
   let id = start;
   return () => ++id;
 }
+function dedupAndCapWarnings(warnings, max) {
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = [];
+  for (const w of warnings) {
+    if (seen.has(w)) continue;
+    seen.add(w);
+    deduped.push(w);
+  }
+  if (deduped.length > max) {
+    const truncated = deduped.length - max;
+    return [...deduped.slice(0, max), `... and ${truncated} more warning(s) suppressed`];
+  }
+  return deduped;
+}
 var STDIO_INCOMPATIBLE_IDS = /* @__PURE__ */ new Set([
   // Lifecycle tests that use raw undici for HTTP-specific checks
   "lifecycle-string-id",
@@ -4030,14 +4068,13 @@ async function runComplianceSuite(target, options = {}) {
         return { passed: true, details: "Unknown method returned JSON-RPC error; subsequent ping succeeded" };
       }
     );
-    const MAX_WARNINGS = 100;
-    if (warnings.length > MAX_WARNINGS) {
-      const truncated = warnings.length - MAX_WARNINGS;
-      warnings.splice(MAX_WARNINGS, truncated, `... and ${truncated} more warning(s) suppressed`);
-    }
     if (inFlight.size > 0) await drainPool();
+    const MAX_WARNINGS = 50;
+    const capped = dedupAndCapWarnings(warnings, MAX_WARNINGS);
+    warnings.length = 0;
+    warnings.push(...capped);
     const { score, grade, overall, summary, categories } = computeScore(tests);
-    const badge = generateBadge(displayUrl);
+    const badge = displayUrl.startsWith("stdio:") ? { imageUrl: "", reportUrl: "", markdown: "", html: "" } : generateBadge(displayUrl);
     return {
       schemaVersion: REPORT_SCHEMA_VERSION,
       specVersion: SPEC_VERSION,
@@ -4075,6 +4112,7 @@ export {
   TEST_DEFINITIONS,
   SPEC_VERSION,
   SPEC_BASE,
+  dedupAndCapWarnings,
   previewTests,
   runComplianceSuite
 };

package/dist/index.js

@@ -16,6 +16,9 @@ var GRADE_COLORS = {
   F: "#e05d44"
 };
 var UNTESTED_COLOR = "#9f9f9f";
+function escXml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
 function renderBadgeSvg(input) {
   let gradeLabel = "unknown";
   let color = UNTESTED_COLOR;
@@ -27,14 +30,16 @@ function renderBadgeSvg(input) {
     title = `MCP Compliant: Grade ${input.grade}${input.score != null ? ` (${input.score}%)` : ""} - tested ${date}`;
   }
   const leftText = "MCP Compliant";
-  const rightText = gradeLabel;
+  const rightText = escXml(gradeLabel);
+  const ariaLabel = `${leftText}: ${escXml(gradeLabel)}`;
+  const titleEsc = escXml(title);
   const leftWidth = 95;
   const rightWidth = 40;
   const totalWidth = leftWidth + rightWidth;
   const leftX = leftWidth / 2;
   const rightX = leftWidth + rightWidth / 2;
-  return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="20" role="img" aria-label="${leftText}: ${rightText}">
-  <title>${title}</title>
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="20" role="img" aria-label="${ariaLabel}">
+  <title>${titleEsc}</title>
   <linearGradient id="s" x2="0" y2="100%">
     <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
     <stop offset="1" stop-opacity=".1"/>
@@ -64,7 +69,7 @@ import { request } from "undici";
 
 // src/sse.ts
 function parseSSEResponse(text) {
-  const lines = text.split("\n");
+  const lines = text.split(/\r?\n/);
   let firstJsonRpcResponse = null;
   let currentData = [];
   function flushEvent() {
@@ -107,7 +112,8 @@ function createHttpTransport(opts) {
   function normalizeHeaders(raw) {
     const out = {};
     for (const [k, v] of Object.entries(raw)) {
-      if (typeof v === "string") out[k] = v;
+      if (v === void 0) continue;
+      out[k] = Array.isArray(v) ? v.join(", ") : v;
     }
     return out;
   }
@@ -198,6 +204,13 @@ function createHttpTransport(opts) {
 
 // src/transport/stdio.ts
 import { spawn } from "child_process";
+function exitDiagnostic(code, signal) {
+  if (signal) return `server terminated by signal ${signal} before completing the request`;
+  if (code === 0) {
+    return "server exited cleanly (code 0) before completing the request. This usually means the command is a one-shot CLI, not a long-running MCP stdio server. If the server needs a subcommand to start (e.g. `serve`, `mcp`, `start`), include it in the command.";
+  }
+  return `server crashed with exit code ${code} before completing the request`;
+}
 function createStdioTransport(opts) {
   const { command, args = [], env, cwd, verbose = false } = opts;
   const stderrBufferSize = opts.stderrBufferSize ?? 64 * 1024;
@@ -237,8 +250,7 @@ function createStdioTransport(opts) {
     exited = true;
     exitCode = code;
     if (pending.size > 0) {
-      const reason = signal ? `child exited (signal ${signal})` : `child exited with code ${code}`;
-      rejectAllPending(new Error(reason));
+      rejectAllPending(new Error(exitDiagnostic(code, signal)));
     }
   });
   child.stdout?.setEncoding("utf8");
@@ -251,6 +263,11 @@ function createStdioTransport(opts) {
       handleLine(line);
     }
     if (stdoutBuffer.length > stdoutBufferSize) {
+      stderrBuffer += `[mcp-compliance] stdout buffer exceeded ${stdoutBufferSize} bytes without a newline; discarding buffered data
+`;
+      if (stderrBuffer.length > stderrBufferSize) {
+        stderrBuffer = stderrBuffer.slice(stderrBuffer.length - stderrBufferSize);
+      }
       stdoutBuffer = "";
     }
   });
@@ -308,7 +325,7 @@ function createStdioTransport(opts) {
       }
     }
     if (exited) {
-      throw new Error(annotateWithStderr(`stdio transport: child has exited (code ${exitCode})`));
+      throw new Error(annotateWithStderr(`stdio transport: ${exitDiagnostic(exitCode, null)}`));
     }
     if (spawnError) throw new Error(annotateWithStderr(`stdio transport: spawn failed \u2014 ${spawnError.message}`));
     const stdin = child.stdin;
@@ -579,6 +596,11 @@ function validateTarget(t, source) {
 
 // src/diff.ts
 function diffReports(baseline, current) {
+  if (baseline.specVersion && current.specVersion && baseline.specVersion !== current.specVersion) {
+    throw new Error(
+      `Spec version mismatch: baseline is ${baseline.specVersion}, current is ${current.specVersion}. Re-run the baseline with this tool version (or downgrade the tool to match) before diffing.`
+    );
+  }
   const baseById = new Map(baseline.tests.map((t) => [t.id, t]));
   const curById = new Map(current.tests.map((t) => [t.id, t]));
   const regressions = [];
@@ -676,7 +698,7 @@ function hasRegressions(summary) {
 }
 
 // src/mcp/server.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { existsSync as existsSync2, readFileSync as readFileSync2, realpathSync } from "fs";
 import { dirname, join as join2, resolve as resolve2 } from "path";
 import { fileURLToPath } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -724,12 +746,28 @@ function computeScore(tests) {
   const failed = total - passed;
   const requiredTests = tests.filter((t) => t.required);
   const requiredPassed = requiredTests.filter((t) => t.passed).length;
-  const requiredScore = requiredTests.length > 0 ? requiredPassed / requiredTests.length * 70 : 70;
   const optionalTests = tests.filter((t) => !t.required);
   const optionalPassed = optionalTests.filter((t) => t.passed).length;
-  const optionalScore = optionalTests.length > 0 ? optionalPassed / optionalTests.length * 30 : 30;
-  const score = Math.round(requiredScore + optionalScore);
-  const overall = requiredPassed === requiredTests.length ? passed === total ? "pass" : "partial" : "fail";
+  let score;
+  if (total === 0) {
+    score = 0;
+  } else if (requiredTests.length === 0) {
+    score = Math.round(optionalPassed / optionalTests.length * 100);
+  } else if (optionalTests.length === 0) {
+    score = Math.round(requiredPassed / requiredTests.length * 100);
+  } else {
+    score = Math.round(requiredPassed / requiredTests.length * 70 + optionalPassed / optionalTests.length * 30);
+  }
+  let overall;
+  if (total === 0) {
+    overall = "fail";
+  } else if (requiredPassed < requiredTests.length) {
+    overall = "fail";
+  } else if (passed === total) {
+    overall = "pass";
+  } else {
+    overall = "partial";
+  }
   const categories = {};
   for (const t of tests) {
     if (!categories[t.category]) categories[t.category] = { passed: 0, total: 0 };
@@ -748,7 +786,7 @@ function computeScore(tests) {
 // src/types.ts
 var REPORT_SCHEMA_VERSION = "1";
 var TEST_DEFINITIONS = [
-  // ── Transport (13 tests) ─────────────────────────────────────────
+  // ── Transport (16 tests: 13 HTTP + 3 stdio) ──────────────────────
   {
     id: "transport-post",
     name: "HTTP POST accepted",
@@ -897,7 +935,7 @@ var TEST_DEFINITIONS = [
     recommendation: "Return JSON-RPC error -32601 (Method not found) for unknown methods. Do not exit the process or disconnect \u2014 the client should be able to keep using the session after an error.",
     transports: ["stdio"]
   },
-  // ── Lifecycle (17 tests) ─────────────────────────────────────────
+  // ── Lifecycle (21 tests) ─────────────────────────────────────────
   {
     id: "lifecycle-init",
     name: "Initialize handshake",
@@ -1595,17 +1633,13 @@ var STACK_TRACE_PATTERNS = [
   // PHP
   /panicked\s+at\s+'/i,
   // Rust
-  /ENOENT|EACCES|EPERM/,
-  // Node.js system errors
   /node_modules\//,
-  // Node.js module paths
-  /\/usr\/local\/|\/home\//,
-  // Unix paths
-  /[A-Z]:\\.*\\/,
-  // Windows paths
-  /password|passwd|secret|credential/i,
-  // Sensitive terms
-  /jdbc:|mysql:|postgres:|mongodb:/i
+  // Node.js module paths (filesystem layout leak)
+  /\/usr\/local\/|\/home\/|\/root\//,
+  // Unix absolute paths
+  /[A-Z]:\\[\w\s.-]+\\[\w\s.-]+/,
+  // Windows absolute paths (drive + 2+ segments)
+  /jdbc:|mysql:\/\/|postgres(?:ql)?:\/\/|mongodb(?:\+srv)?:\/\//i
   // DB connection strings
 ];
 var INTERNAL_IP_PATTERNS = [
@@ -1624,6 +1658,20 @@ function createIdCounter(start = 0) {
   let id = start;
   return () => ++id;
 }
+function dedupAndCapWarnings(warnings, max) {
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = [];
+  for (const w of warnings) {
+    if (seen.has(w)) continue;
+    seen.add(w);
+    deduped.push(w);
+  }
+  if (deduped.length > max) {
+    const truncated = deduped.length - max;
+    return [...deduped.slice(0, max), `... and ${truncated} more warning(s) suppressed`];
+  }
+  return deduped;
+}
 var STDIO_INCOMPATIBLE_IDS = /* @__PURE__ */ new Set([
   // Lifecycle tests that use raw undici for HTTP-specific checks
   "lifecycle-string-id",
@@ -4376,14 +4424,13 @@ async function runComplianceSuite(target, options = {}) {
         return { passed: true, details: "Unknown method returned JSON-RPC error; subsequent ping succeeded" };
       }
     );
-    const MAX_WARNINGS = 100;
-    if (warnings.length > MAX_WARNINGS) {
-      const truncated = warnings.length - MAX_WARNINGS;
-      warnings.splice(MAX_WARNINGS, truncated, `... and ${truncated} more warning(s) suppressed`);
-    }
     if (inFlight.size > 0) await drainPool();
+    const MAX_WARNINGS = 50;
+    const capped = dedupAndCapWarnings(warnings, MAX_WARNINGS);
+    warnings.length = 0;
+    warnings.push(...capped);
     const { score, grade, overall, summary, categories } = computeScore(tests);
-    const badge = generateBadge(displayUrl);
+    const badge = displayUrl.startsWith("stdio:") ? { imageUrl: "", reportUrl: "", markdown: "", html: "" } : generateBadge(displayUrl);
     return {
       schemaVersion: REPORT_SCHEMA_VERSION,
       specVersion: SPEC_VERSION,
@@ -4611,8 +4658,16 @@ async function startServer() {
   const transport = new StdioServerTransport();
   await server.connect(transport);
 }
-var isDirectRun = process.argv[1]?.endsWith("mcp/server.js") || process.argv[1]?.endsWith("mcp\\server.js");
-if (isDirectRun) {
+function isInvokedDirectly() {
+  const argv1 = process.argv[1];
+  if (!argv1) return false;
+  try {
+    return realpathSync(argv1) === realpathSync(fileURLToPath(import.meta.url));
+  } catch {
+    return false;
+  }
+}
+if (isInvokedDirectly()) {
   startServer().catch((err) => {
     console.error("MCP server error:", err);
     process.exit(1);
@@ -4923,7 +4978,7 @@ function formatGithub(report) {
 }
 function formatMarkdown(report) {
   const lines = [];
-  const gradeEmoji = { A: "\u{1F7E2}", B: "\u{1F7E2}", C: "\u{1F7E1}", D: "\u{1F7E0}", F: "\u{1F534}" };
+  const gradeEmoji = { A: "\u{1F7E2}", B: "\u{1F535}", C: "\u{1F7E1}", D: "\u{1F7E0}", F: "\u{1F534}" };
   lines.push("# MCP Compliance Report");
   lines.push("");
   lines.push(
@@ -5253,6 +5308,21 @@ function resolveTarget(cliTarget, cliExtraArgs, cliOpts, config) {
   if (config?.target) return config.target;
   throw new Error("No target specified. Pass a URL or command, or add 'target' to mcp-compliance.config.json.");
 }
+var PRIVATE_TLD_SUFFIXES = [
+  ".local",
+  ".localhost",
+  ".internal",
+  ".corp",
+  ".home",
+  ".home.arpa",
+  ".lan",
+  ".intranet",
+  ".private",
+  ".test",
+  ".invalid",
+  ".example",
+  ".onion"
+];
 function isPrivateHost(urlStr) {
   let host;
   try {
@@ -5260,7 +5330,10 @@ function isPrivateHost(urlStr) {
   } catch {
     return false;
   }
-  if (host === "localhost" || host.endsWith(".localhost")) return true;
+  if (host === "localhost") return true;
+  for (const suffix of PRIVATE_TLD_SUFFIXES) {
+    if (host === suffix.slice(1) || host.endsWith(suffix)) return true;
+  }
   const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
   if (v4) {
     const [a, b] = v4.slice(1).map(Number);
@@ -5380,7 +5453,9 @@ Testing ${describeTarget(transportTarget)}...
           skip,
           onProgress: verbose ? (testId, passed, details) => {
             const icon = passed ? chalk2.green("PASS") : chalk2.red("FAIL");
-            console.log(`  ${icon} ${testId} \u2014 ${details}`);
+            const stream = opts.format === "terminal" ? process.stdout : process.stderr;
+            stream.write(`  ${icon} ${testId} \u2014 ${details}
+`);
           } : void 0
         });
         if (verbose && opts.format === "terminal") {
@@ -5414,6 +5489,16 @@ Badge SVG written to ${opts.output}`));
           console.error(chalk2.red("\nError: --watch only applies to stdio targets (HTTP servers are remote).\n"));
           process.exit(1);
         }
+        if (opts.format !== "terminal" && opts.format !== "markdown" && opts.format !== "html") {
+          console.error(
+            chalk2.red(
+              `
+Error: --watch is incompatible with --format=${opts.format} (multi-run output would be unparseable). Use --format=terminal.
+`
+            )
+          );
+          process.exit(1);
+        }
         await runOnce();
         let pending = null;
         let running = false;
@@ -5427,8 +5512,9 @@ Badge SVG written to ${opts.output}`));
             if (running) return;
             running = true;
             try {
-              console.log(chalk2.dim(`
+              process.stderr.write(chalk2.dim(`
 [watch] ${f} changed \u2014 re-running...
+
 `));
               await runOnce();
             } catch (err) {
@@ -5440,7 +5526,7 @@ Badge SVG written to ${opts.output}`));
         });
         process.on("SIGINT", () => {
           watcher.close();
-          console.log(chalk2.dim("\n[watch] stopped"));
+          process.stderr.write(chalk2.dim("\n[watch] stopped\n"));
           process.exit(0);
         });
         await new Promise(() => {

package/dist/mcp/server.js

@@ -2,10 +2,10 @@ import {
   SPEC_BASE,
   TEST_DEFINITIONS,
   runComplianceSuite
-} from "../chunk-G5K7CRWU.js";
+} from "../chunk-X5CVUDPW.js";
 
 // src/mcp/server.ts
-import { existsSync, readFileSync } from "fs";
+import { existsSync, readFileSync, realpathSync } from "fs";
 import { dirname, join, resolve } from "path";
 import { fileURLToPath } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -211,8 +211,16 @@ async function startServer() {
   const transport = new StdioServerTransport();
   await server.connect(transport);
 }
-var isDirectRun = process.argv[1]?.endsWith("mcp/server.js") || process.argv[1]?.endsWith("mcp\\server.js");
-if (isDirectRun) {
+function isInvokedDirectly() {
+  const argv1 = process.argv[1];
+  if (!argv1) return false;
+  try {
+    return realpathSync(argv1) === realpathSync(fileURLToPath(import.meta.url));
+  } catch {
+    return false;
+  }
+}
+if (isInvokedDirectly()) {
   startServer().catch((err) => {
     console.error("MCP server error:", err);
     process.exit(1);

package/dist/runner.d.ts

@@ -142,6 +142,14 @@ declare function parseSSEResponse(text: string): any;
 
 declare const SPEC_VERSION = "2025-11-25";
 declare const SPEC_BASE = "https://modelcontextprotocol.io/specification/2025-11-25";
+/**
+ * Dedupe and cap a list of warnings, preserving insertion order and
+ * appending a truncation sentinel when capped. Extracted so the cap
+ * semantics can be unit-tested without spinning up a suite run.
+ *
+ * @internal Exported for testing.
+ */
+declare function dedupAndCapWarnings(warnings: readonly string[], max: number): string[];
 
 interface PreviewOptions {
     /** Transport to filter against. Defaults to "http". */
@@ -206,4 +214,4 @@ interface RunOptions {
  */
 declare function runComplianceSuite(target: string | TransportTarget, options?: RunOptions): Promise<ComplianceReport>;
 
-export { type ComplianceReport, type PreviewOptions, type RunOptions, SPEC_BASE, SPEC_VERSION, TEST_DEFINITIONS, type TestResult, computeGrade, computeScore, generateBadge, parseSSEResponse, previewTests, runComplianceSuite, urlHash };
+export { type ComplianceReport, type PreviewOptions, type RunOptions, SPEC_BASE, SPEC_VERSION, TEST_DEFINITIONS, type TestResult, computeGrade, computeScore, dedupAndCapWarnings, generateBadge, parseSSEResponse, previewTests, runComplianceSuite, urlHash };

package/dist/runner.js

@@ -4,18 +4,20 @@ import {
   TEST_DEFINITIONS,
   computeGrade,
   computeScore,
+  dedupAndCapWarnings,
   generateBadge,
   parseSSEResponse,
   previewTests,
   runComplianceSuite,
   urlHash
-} from "./chunk-G5K7CRWU.js";
+} from "./chunk-X5CVUDPW.js";
 export {
   SPEC_BASE,
   SPEC_VERSION,
   TEST_DEFINITIONS,
   computeGrade,
   computeScore,
+  dedupAndCapWarnings,
   generateBadge,
   parseSSEResponse,
   previewTests,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.13.0",
+  "version": "0.13.2",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
   "author": "Yaw Labs <contact@yaw.sh> (https://yaw.sh)",
@@ -57,7 +57,7 @@
     "vitest": "^3.1.1"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "keywords": [
     "mcp",