@yawlabs/mcp-compliance 0.14.3 → 0.14.4

package/README.md

@@ -9,7 +9,7 @@
 
 Built and maintained by [Yaw Labs](https://yaw.sh).
 
-[![Add to Yaw MCP](https://yaw.sh/yaw-mcp-button.svg)](yaw://install?name=mcp-compliance&command=npx&args=-y%2C%40yawlabs%2Fmcp-compliance&description=Test%20any%20MCP%20server%20against%20the%20spec%20-%2088-test%20suite%20with%20letter-grade%20scoring&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fmcp-compliance)
+[![Add to Yaw MCP](https://yaw.sh/yaw-mcp-button.svg)](https://yaw.sh/mcp/install?name=mcp-compliance&command=npx&args=-y%2C%40yawlabs%2Fmcp-compliance&description=Test%20any%20MCP%20server%20against%20the%20spec%20-%2088-test%20suite%20with%20letter-grade%20scoring&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fmcp-compliance)
 
 One click adds this to your local Yaw MCP config so it's available in every Yaw Terminal session. Or install manually below.
 

package/dist/{chunk-6PF56RRO.js → chunk-2CXRMEZ3.js}

@@ -127,10 +127,17 @@ function createHttpTransport(opts) {
     }
     return out;
   }
-  async function doRawRequest(method, body, extraHeaders, timeout) {
+  async function doRawRequest(method, body, extraHeaders, timeout, omitUserHeaders) {
+    const base = sessionHeaders();
+    if (omitUserHeaders && omitUserHeaders.length > 0) {
+      const drop = new Set(omitUserHeaders.map((h) => h.toLowerCase()));
+      for (const key of Object.keys(base)) {
+        if (drop.has(key.toLowerCase())) delete base[key];
+      }
+    }
     const headers = {
       Accept: "application/json, text/event-stream",
-      ...sessionHeaders(),
+      ...base,
       ...extraHeaders
     };
     if (body !== void 0 && !("Content-Type" in headers) && !("content-type" in headers)) {
@@ -155,7 +162,7 @@ function createHttpTransport(opts) {
     async request(method, params, nextId, init) {
       const id = nextId();
       const body = JSON.stringify({ jsonrpc: "2.0", id, method, params: params ?? {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       const contentType = (raw.headers["content-type"] || "").toLowerCase();
       let parsed;
       if (contentType.includes("text/event-stream")) {
@@ -185,7 +192,7 @@ function createHttpTransport(opts) {
     },
     async notify(method, params, init) {
       const body = JSON.stringify({ jsonrpc: "2.0", method, ...params ? { params } : {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       return { statusCode: raw.statusCode, headers: raw.headers };
     },
     async close() {
@@ -1451,10 +1458,11 @@ async function runComplianceSuite(target, options = {}) {
     const retries = options.retries || 0;
     let sessionId = null;
     let negotiatedProtocolVersion = null;
-    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs) {
+    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs, omitUserHeaders) {
       const res = await transport.request(method, params, idCounter, {
         timeout: timeoutMs,
-        headers: extraHeaders
+        headers: extraHeaders,
+        omitUserHeaders
       });
       return {
         statusCode: res.statusCode ?? 200,
@@ -3168,7 +3176,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (unauthenticated request rejected)` };
           }
@@ -3191,7 +3201,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401) {
             const wwwAuth = res.headers["www-authenticate"];
             if (wwwAuth) {
@@ -3226,7 +3238,9 @@ async function runComplianceSuite(target, options = {}) {
         };
         if (sessionId) malformedHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (malformed auth rejected)` };
           }
@@ -3316,7 +3330,9 @@ async function runComplianceSuite(target, options = {}) {
           "mcp-session-id": sessionId
         };
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (session ID alone not sufficient for auth)` };
           }

package/dist/index.js

@@ -117,10 +117,17 @@ function createHttpTransport(opts) {
     }
     return out;
   }
-  async function doRawRequest(method, body, extraHeaders, timeout) {
+  async function doRawRequest(method, body, extraHeaders, timeout, omitUserHeaders) {
+    const base = sessionHeaders();
+    if (omitUserHeaders && omitUserHeaders.length > 0) {
+      const drop = new Set(omitUserHeaders.map((h) => h.toLowerCase()));
+      for (const key of Object.keys(base)) {
+        if (drop.has(key.toLowerCase())) delete base[key];
+      }
+    }
     const headers = {
       Accept: "application/json, text/event-stream",
-      ...sessionHeaders(),
+      ...base,
       ...extraHeaders
     };
     if (body !== void 0 && !("Content-Type" in headers) && !("content-type" in headers)) {
@@ -145,7 +152,7 @@ function createHttpTransport(opts) {
     async request(method, params, nextId, init) {
       const id = nextId();
       const body = JSON.stringify({ jsonrpc: "2.0", id, method, params: params ?? {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       const contentType = (raw.headers["content-type"] || "").toLowerCase();
       let parsed;
       if (contentType.includes("text/event-stream")) {
@@ -175,7 +182,7 @@ function createHttpTransport(opts) {
     },
     async notify(method, params, init) {
       const body = JSON.stringify({ jsonrpc: "2.0", method, ...params ? { params } : {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       return { statusCode: raw.statusCode, headers: raw.headers };
     },
     async close() {
@@ -1808,10 +1815,11 @@ async function runComplianceSuite(target, options = {}) {
     const retries = options.retries || 0;
     let sessionId = null;
     let negotiatedProtocolVersion = null;
-    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs) {
+    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs, omitUserHeaders) {
       const res = await transport.request(method, params, idCounter, {
         timeout: timeoutMs,
-        headers: extraHeaders
+        headers: extraHeaders,
+        omitUserHeaders
       });
       return {
         statusCode: res.statusCode ?? 200,
@@ -3525,7 +3533,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (unauthenticated request rejected)` };
           }
@@ -3548,7 +3558,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401) {
             const wwwAuth = res.headers["www-authenticate"];
             if (wwwAuth) {
@@ -3583,7 +3595,9 @@ async function runComplianceSuite(target, options = {}) {
         };
         if (sessionId) malformedHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (malformed auth rejected)` };
           }
@@ -3673,7 +3687,9 @@ async function runComplianceSuite(target, options = {}) {
           "mcp-session-id": sessionId
         };
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (session ID alone not sufficient for auth)` };
           }

package/dist/mcp/server.js

@@ -2,7 +2,7 @@ import {
   SPEC_BASE,
   TEST_DEFINITIONS,
   runComplianceSuite
-} from "../chunk-6PF56RRO.js";
+} from "../chunk-2CXRMEZ3.js";
 
 // src/mcp/server.ts
 import { existsSync, readFileSync, realpathSync } from "fs";

package/dist/runner.js

@@ -10,7 +10,7 @@ import {
   previewTests,
   runComplianceSuite,
   urlHash
-} from "./chunk-6PF56RRO.js";
+} from "./chunk-2CXRMEZ3.js";
 export {
   SPEC_BASE,
   SPEC_VERSION,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.14.3",
+  "version": "0.14.4",
   "mcpName": "io.github.YawLabs/mcp-compliance",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
@@ -20,7 +20,7 @@
   "main": "./dist/runner.js",
   "types": "./dist/runner.d.ts",
   "bin": {
-    "mcp-compliance": "./dist/index.js"
+    "mcp-compliance": "dist/index.js"
   },
   "files": [
     "dist",