@yawlabs/mcp-compliance 0.14.2 → 0.14.4

package/README.md

@@ -9,9 +9,9 @@
 
 Built and maintained by [Yaw Labs](https://yaw.sh).
 
-[![Add to mcp.hosting](https://mcp.hosting/install-button.svg)](https://mcp.hosting/install?name=mcp-compliance&command=npx&args=-y%2C%40yawlabs%2Fmcp-compliance&description=Test%20any%20MCP%20server%20against%20the%20spec%20-%2088-test%20suite%20with%20letter-grade%20scoring&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fmcp-compliance)
+[![Add to Yaw MCP](https://yaw.sh/yaw-mcp-button.svg)](https://yaw.sh/mcp/install?name=mcp-compliance&command=npx&args=-y%2C%40yawlabs%2Fmcp-compliance&description=Test%20any%20MCP%20server%20against%20the%20spec%20-%2088-test%20suite%20with%20letter-grade%20scoring&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fmcp-compliance)
 
-One click adds this to your [mcp.hosting](https://mcp.hosting) account so it syncs to every MCP client you use. Or install manually below.
+One click adds this to your local Yaw MCP config so it's available in every Yaw Terminal session. Or install manually below.
 
 ## Why this tool?
 
@@ -32,20 +32,20 @@ This tool solves that:
 **Remote HTTP server:**
 
 ```bash
-npx @yawlabs/mcp-compliance test https://my-server.com/mcp
+npx @yawlabs/mcp-compliance@latest test https://my-server.com/mcp
 ```
 
 **Local stdio server** (the vast majority of MCP servers on npm):
 
 ```bash
 # Pass the command directly, Inspector-style
-npx @yawlabs/mcp-compliance test npx @modelcontextprotocol/server-filesystem /tmp
+npx @yawlabs/mcp-compliance@latest test npx @modelcontextprotocol/server-filesystem /tmp
 
 # Or a local build
-npx @yawlabs/mcp-compliance test node ./dist/server.js
+npx @yawlabs/mcp-compliance@latest test node ./dist/server.js
 
 # With env vars
-npx @yawlabs/mcp-compliance test -E GITHUB_TOKEN=$GITHUB_TOKEN -- npx @modelcontextprotocol/server-github
+npx @yawlabs/mcp-compliance@latest test -E GITHUB_TOKEN=$GITHUB_TOKEN -- npx @modelcontextprotocol/server-github
 ```
 
 **Install globally:**
@@ -421,27 +421,27 @@ Required tests are worth 70% of the score, optional tests 30%. See the [full sco
 ```yaml
 # GitHub Actions example
 - name: MCP Compliance Check
-  run: npx @yawlabs/mcp-compliance test ${{ env.MCP_SERVER_URL }} --strict
+  run: npx @yawlabs/mcp-compliance@latest test ${{ env.MCP_SERVER_URL }} --strict
 ```
 
 ```yaml
 # With JSON output for parsing
 - name: MCP Compliance Check
   run: |
-    npx @yawlabs/mcp-compliance test ${{ env.MCP_SERVER_URL }} --format json > compliance.json
+    npx @yawlabs/mcp-compliance@latest test ${{ env.MCP_SERVER_URL }} --format json > compliance.json
     cat compliance.json | jq '.grade'
 ```
 
 ```yaml
 # With retries for flaky network conditions
 - name: MCP Compliance Check
-  run: npx @yawlabs/mcp-compliance test ${{ env.MCP_SERVER_URL }} --strict --retries 2 --timeout 30000
+  run: npx @yawlabs/mcp-compliance@latest test ${{ env.MCP_SERVER_URL }} --strict --retries 2 --timeout 30000
 ```
 
 ```yaml
 # SARIF output for GitHub Code Scanning
 - name: MCP Compliance Check
-  run: npx @yawlabs/mcp-compliance test ${{ env.MCP_SERVER_URL }} --format sarif > compliance.sarif
+  run: npx @yawlabs/mcp-compliance@latest test ${{ env.MCP_SERVER_URL }} --format sarif > compliance.sarif
 - name: Upload SARIF
   uses: github/codeql-action/upload-sarif@v3
   with:
@@ -457,7 +457,7 @@ This package also exposes an MCP server with 3 tools that can be used from Claud
 **Claude Code (one-liner):**
 
 ```bash
-claude mcp add mcp-compliance -- npx -y @yawlabs/mcp-compliance mcp
+claude mcp add mcp-compliance -- npx -y @yawlabs/mcp-compliance@latest mcp
 ```
 
 **Or create `.mcp.json` in your project root:**
@@ -469,7 +469,7 @@ macOS / Linux / WSL:
   "mcpServers": {
     "mcp-compliance": {
       "command": "npx",
-      "args": ["-y", "@yawlabs/mcp-compliance", "mcp"]
+      "args": ["-y", "@yawlabs/mcp-compliance@latest", "mcp"]
     }
   }
 }
@@ -482,7 +482,7 @@ Windows:
   "mcpServers": {
     "mcp-compliance": {
       "command": "cmd",
-      "args": ["/c", "npx", "-y", "@yawlabs/mcp-compliance", "mcp"]
+      "args": ["/c", "npx", "-y", "@yawlabs/mcp-compliance@latest", "mcp"]
     }
   }
 }

package/dist/{chunk-6PF56RRO.js → chunk-2CXRMEZ3.js}

@@ -127,10 +127,17 @@ function createHttpTransport(opts) {
     }
     return out;
   }
-  async function doRawRequest(method, body, extraHeaders, timeout) {
+  async function doRawRequest(method, body, extraHeaders, timeout, omitUserHeaders) {
+    const base = sessionHeaders();
+    if (omitUserHeaders && omitUserHeaders.length > 0) {
+      const drop = new Set(omitUserHeaders.map((h) => h.toLowerCase()));
+      for (const key of Object.keys(base)) {
+        if (drop.has(key.toLowerCase())) delete base[key];
+      }
+    }
     const headers = {
       Accept: "application/json, text/event-stream",
-      ...sessionHeaders(),
+      ...base,
       ...extraHeaders
     };
     if (body !== void 0 && !("Content-Type" in headers) && !("content-type" in headers)) {
@@ -155,7 +162,7 @@ function createHttpTransport(opts) {
     async request(method, params, nextId, init) {
       const id = nextId();
       const body = JSON.stringify({ jsonrpc: "2.0", id, method, params: params ?? {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       const contentType = (raw.headers["content-type"] || "").toLowerCase();
       let parsed;
       if (contentType.includes("text/event-stream")) {
@@ -185,7 +192,7 @@ function createHttpTransport(opts) {
     },
     async notify(method, params, init) {
       const body = JSON.stringify({ jsonrpc: "2.0", method, ...params ? { params } : {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       return { statusCode: raw.statusCode, headers: raw.headers };
     },
     async close() {
@@ -1451,10 +1458,11 @@ async function runComplianceSuite(target, options = {}) {
     const retries = options.retries || 0;
     let sessionId = null;
     let negotiatedProtocolVersion = null;
-    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs) {
+    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs, omitUserHeaders) {
       const res = await transport.request(method, params, idCounter, {
         timeout: timeoutMs,
-        headers: extraHeaders
+        headers: extraHeaders,
+        omitUserHeaders
       });
       return {
         statusCode: res.statusCode ?? 200,
@@ -3168,7 +3176,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (unauthenticated request rejected)` };
           }
@@ -3191,7 +3201,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401) {
             const wwwAuth = res.headers["www-authenticate"];
             if (wwwAuth) {
@@ -3226,7 +3238,9 @@ async function runComplianceSuite(target, options = {}) {
         };
         if (sessionId) malformedHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (malformed auth rejected)` };
           }
@@ -3316,7 +3330,9 @@ async function runComplianceSuite(target, options = {}) {
           "mcp-session-id": sessionId
         };
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (session ID alone not sufficient for auth)` };
           }

package/dist/index.js

@@ -117,10 +117,17 @@ function createHttpTransport(opts) {
     }
     return out;
   }
-  async function doRawRequest(method, body, extraHeaders, timeout) {
+  async function doRawRequest(method, body, extraHeaders, timeout, omitUserHeaders) {
+    const base = sessionHeaders();
+    if (omitUserHeaders && omitUserHeaders.length > 0) {
+      const drop = new Set(omitUserHeaders.map((h) => h.toLowerCase()));
+      for (const key of Object.keys(base)) {
+        if (drop.has(key.toLowerCase())) delete base[key];
+      }
+    }
     const headers = {
       Accept: "application/json, text/event-stream",
-      ...sessionHeaders(),
+      ...base,
       ...extraHeaders
     };
     if (body !== void 0 && !("Content-Type" in headers) && !("content-type" in headers)) {
@@ -145,7 +152,7 @@ function createHttpTransport(opts) {
     async request(method, params, nextId, init) {
       const id = nextId();
       const body = JSON.stringify({ jsonrpc: "2.0", id, method, params: params ?? {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       const contentType = (raw.headers["content-type"] || "").toLowerCase();
       let parsed;
       if (contentType.includes("text/event-stream")) {
@@ -175,7 +182,7 @@ function createHttpTransport(opts) {
     },
     async notify(method, params, init) {
       const body = JSON.stringify({ jsonrpc: "2.0", method, ...params ? { params } : {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       return { statusCode: raw.statusCode, headers: raw.headers };
     },
     async close() {
@@ -1808,10 +1815,11 @@ async function runComplianceSuite(target, options = {}) {
     const retries = options.retries || 0;
     let sessionId = null;
     let negotiatedProtocolVersion = null;
-    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs) {
+    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs, omitUserHeaders) {
       const res = await transport.request(method, params, idCounter, {
         timeout: timeoutMs,
-        headers: extraHeaders
+        headers: extraHeaders,
+        omitUserHeaders
       });
       return {
         statusCode: res.statusCode ?? 200,
@@ -3525,7 +3533,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (unauthenticated request rejected)` };
           }
@@ -3548,7 +3558,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401) {
             const wwwAuth = res.headers["www-authenticate"];
             if (wwwAuth) {
@@ -3583,7 +3595,9 @@ async function runComplianceSuite(target, options = {}) {
         };
         if (sessionId) malformedHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (malformed auth rejected)` };
           }
@@ -3673,7 +3687,9 @@ async function runComplianceSuite(target, options = {}) {
           "mcp-session-id": sessionId
         };
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (session ID alone not sufficient for auth)` };
           }

package/dist/mcp/server.js

@@ -2,7 +2,7 @@ import {
   SPEC_BASE,
   TEST_DEFINITIONS,
   runComplianceSuite
-} from "../chunk-6PF56RRO.js";
+} from "../chunk-2CXRMEZ3.js";
 
 // src/mcp/server.ts
 import { existsSync, readFileSync, realpathSync } from "fs";

package/dist/runner.js

@@ -10,7 +10,7 @@ import {
   previewTests,
   runComplianceSuite,
   urlHash
-} from "./chunk-6PF56RRO.js";
+} from "./chunk-2CXRMEZ3.js";
 export {
   SPEC_BASE,
   SPEC_VERSION,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.14.2",
+  "version": "0.14.4",
   "mcpName": "io.github.YawLabs/mcp-compliance",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
@@ -20,7 +20,7 @@
   "main": "./dist/runner.js",
   "types": "./dist/runner.d.ts",
   "bin": {
-    "mcp-compliance": "./dist/index.js"
+    "mcp-compliance": "dist/index.js"
   },
   "files": [
     "dist",