@yawlabs/mcp-compliance 0.14.3 → 0.15.0

package/README.md

@@ -9,7 +9,7 @@
 
 Built and maintained by [Yaw Labs](https://yaw.sh).
 
-[![Add to Yaw MCP](https://yaw.sh/yaw-mcp-button.svg)](yaw://install?name=mcp-compliance&command=npx&args=-y%2C%40yawlabs%2Fmcp-compliance&description=Test%20any%20MCP%20server%20against%20the%20spec%20-%2088-test%20suite%20with%20letter-grade%20scoring&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fmcp-compliance)
+[![Add to Yaw MCP](https://yaw.sh/yaw-mcp-button.svg)](https://yaw.sh/mcp/install?name=mcp-compliance&command=npx&args=-y%2C%40yawlabs%2Fmcp-compliance&description=Test%20any%20MCP%20server%20against%20the%20spec%20-%2088-test%20suite%20with%20letter-grade%20scoring&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fmcp-compliance)
 
 One click adds this to your local Yaw MCP config so it's available in every Yaw Terminal session. Or install manually below.
 

package/dist/{chunk-6PF56RRO.js → chunk-A3UG3J63.js}

@@ -1,5 +1,4 @@
 // src/runner.ts
-import { createRequire } from "module";
 import { request as request2 } from "undici";
 
 // src/badge.ts
@@ -74,6 +73,27 @@ function computeScore(tests) {
   };
 }
 
+// src/pkg-version.ts
+import { existsSync, readFileSync } from "fs";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+function readPackageVersion(metaUrl) {
+  let dir = dirname(fileURLToPath(metaUrl));
+  for (; ; ) {
+    const pkgPath = join(dir, "package.json");
+    if (existsSync(pkgPath)) {
+      try {
+        return JSON.parse(readFileSync(pkgPath, "utf8")).version ?? "0.0.0";
+      } catch {
+        return "0.0.0";
+      }
+    }
+    const parent = dirname(dir);
+    if (parent === dir) return "0.0.0";
+    dir = parent;
+  }
+}
+
 // src/transport/http.ts
 import { request } from "undici";
 
@@ -127,10 +147,17 @@ function createHttpTransport(opts) {
     }
     return out;
   }
-  async function doRawRequest(method, body, extraHeaders, timeout) {
+  async function doRawRequest(method, body, extraHeaders, timeout, omitUserHeaders) {
+    const base = sessionHeaders();
+    if (omitUserHeaders && omitUserHeaders.length > 0) {
+      const drop = new Set(omitUserHeaders.map((h) => h.toLowerCase()));
+      for (const key of Object.keys(base)) {
+        if (drop.has(key.toLowerCase())) delete base[key];
+      }
+    }
     const headers = {
       Accept: "application/json, text/event-stream",
-      ...sessionHeaders(),
+      ...base,
       ...extraHeaders
     };
     if (body !== void 0 && !("Content-Type" in headers) && !("content-type" in headers)) {
@@ -155,7 +182,7 @@ function createHttpTransport(opts) {
     async request(method, params, nextId, init) {
       const id = nextId();
       const body = JSON.stringify({ jsonrpc: "2.0", id, method, params: params ?? {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       const contentType = (raw.headers["content-type"] || "").toLowerCase();
       let parsed;
       if (contentType.includes("text/event-stream")) {
@@ -185,7 +212,7 @@ function createHttpTransport(opts) {
     },
     async notify(method, params, init) {
       const body = JSON.stringify({ jsonrpc: "2.0", method, ...params ? { params } : {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       return { statusCode: raw.statusCode, headers: raw.headers };
     },
     async close() {
@@ -392,23 +419,30 @@ function createStdioTransport(opts) {
         child.stdin?.end();
       } catch {
       }
-      const gracePeriodMs = 2e3;
-      await new Promise((resolve) => {
-        const timer = setTimeout(() => {
+      const treeKill = (force) => {
+        if (isWindows && child.pid !== void 0) {
+          try {
+            spawn("taskkill", ["/pid", String(child.pid), "/t", ...force ? ["/f"] : []], { stdio: "ignore" });
+          } catch {
+          }
+        } else {
           try {
-            child.kill("SIGKILL");
+            child.kill(force ? "SIGKILL" : "SIGTERM");
           } catch {
           }
+        }
+      };
+      const gracePeriodMs = 2e3;
+      await new Promise((resolve) => {
+        const timer = setTimeout(() => {
+          treeKill(true);
           resolve();
         }, gracePeriodMs);
         child.once("exit", () => {
           clearTimeout(timer);
           resolve();
         });
-        try {
-          child.kill(isWindows ? void 0 : "SIGTERM");
-        } catch {
-        }
+        treeKill(false);
       });
       rejectAllPending(new Error("stdio transport: closed"));
     },
@@ -1247,8 +1281,7 @@ var TEST_DEFINITIONS = [
 
 // src/runner.ts
 var TEST_DEFINITIONS_MAP = new Map(TEST_DEFINITIONS.map((t) => [t.id, t]));
-var _require = createRequire(import.meta.url);
-var { version: TOOL_VERSION } = _require("../package.json");
+var TOOL_VERSION = readPackageVersion(import.meta.url);
 var SPEC_VERSION = "2025-11-25";
 var SPEC_BASE = `https://modelcontextprotocol.io/specification/${SPEC_VERSION}`;
 var VALID_CONTENT_TYPES = ["text", "image", "audio", "resource", "resource_link"];
@@ -1451,10 +1484,11 @@ async function runComplianceSuite(target, options = {}) {
     const retries = options.retries || 0;
     let sessionId = null;
     let negotiatedProtocolVersion = null;
-    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs) {
+    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs, omitUserHeaders) {
       const res = await transport.request(method, params, idCounter, {
         timeout: timeoutMs,
-        headers: extraHeaders
+        headers: extraHeaders,
+        omitUserHeaders
       });
       return {
         statusCode: res.statusCode ?? 200,
@@ -2467,7 +2501,7 @@ async function runComplianceSuite(target, options = {}) {
             issues.push("Tool missing name");
             continue;
           }
-          if (tool.name.length > 128 || !/^[A-Za-z0-9_.\-]+$/.test(tool.name)) {
+          if (tool.name.length > 128 || !/^[A-Za-z0-9_.-]+$/.test(tool.name)) {
             issues.push(`${tool.name}: name format invalid`);
           }
           if (!tool.description) warnings.push(`Tool "${tool.name}" missing description`);
@@ -3168,7 +3202,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (unauthenticated request rejected)` };
           }
@@ -3191,7 +3227,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401) {
             const wwwAuth = res.headers["www-authenticate"];
             if (wwwAuth) {
@@ -3219,14 +3257,16 @@ async function runComplianceSuite(target, options = {}) {
       "basic/authorization",
       async () => {
         if (!hasAuth) {
-          return { passed: false, details: "Skipped: server does not require auth" };
+          return { passed: true, details: "Skipped: server does not require auth" };
         }
         const malformedHeaders = {
           Authorization: "Bearer INVALID_GARBAGE_TOKEN_!@#$%^&*()"
         };
         if (sessionId) malformedHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (malformed auth rejected)` };
           }
@@ -3316,7 +3356,9 @@ async function runComplianceSuite(target, options = {}) {
           "mcp-session-id": sessionId
         };
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (session ID alone not sufficient for auth)` };
           }
@@ -3717,9 +3759,10 @@ async function runComplianceSuite(target, options = {}) {
           return { passed: true, details: "No tools available to test (skipped)" };
         }
         try {
+          const maliciousArgs = JSON.parse('{"__injected_param__":"malicious_value","__proto__":{"admin":true}}');
           const res = await rpc("tools/call", {
             name: toolNames[0],
-            arguments: { __injected_param__: "malicious_value", __proto__: { admin: true } }
+            arguments: maliciousArgs
           });
           const error = res.body?.error;
           if (error) {
@@ -4123,6 +4166,7 @@ export {
   generateBadge,
   computeGrade,
   computeScore,
+  readPackageVersion,
   parseSSEResponse,
   TEST_DEFINITIONS,
   SPEC_VERSION,

package/dist/index.js

@@ -2,7 +2,7 @@
 
 // src/index.ts
 import { watch as fsWatch, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
-import { createRequire as createRequire2 } from "module";
+import { createRequire } from "module";
 import { createInterface } from "readline/promises";
 import chalk2 from "chalk";
 import { Command, Option } from "commander";
@@ -117,10 +117,17 @@ function createHttpTransport(opts) {
     }
     return out;
   }
-  async function doRawRequest(method, body, extraHeaders, timeout) {
+  async function doRawRequest(method, body, extraHeaders, timeout, omitUserHeaders) {
+    const base = sessionHeaders();
+    if (omitUserHeaders && omitUserHeaders.length > 0) {
+      const drop = new Set(omitUserHeaders.map((h) => h.toLowerCase()));
+      for (const key of Object.keys(base)) {
+        if (drop.has(key.toLowerCase())) delete base[key];
+      }
+    }
     const headers = {
       Accept: "application/json, text/event-stream",
-      ...sessionHeaders(),
+      ...base,
       ...extraHeaders
     };
     if (body !== void 0 && !("Content-Type" in headers) && !("content-type" in headers)) {
@@ -145,7 +152,7 @@ function createHttpTransport(opts) {
     async request(method, params, nextId, init) {
       const id = nextId();
       const body = JSON.stringify({ jsonrpc: "2.0", id, method, params: params ?? {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       const contentType = (raw.headers["content-type"] || "").toLowerCase();
       let parsed;
       if (contentType.includes("text/event-stream")) {
@@ -175,7 +182,7 @@ function createHttpTransport(opts) {
     },
     async notify(method, params, init) {
       const body = JSON.stringify({ jsonrpc: "2.0", method, ...params ? { params } : {} });
-      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout);
+      const raw = await doRawRequest("POST", body, init.headers ?? {}, init.timeout, init.omitUserHeaders);
       return { statusCode: raw.statusCode, headers: raw.headers };
     },
     async close() {
@@ -231,10 +238,10 @@ function createStdioTransport(opts) {
   const pending = /* @__PURE__ */ new Map();
   let stdoutBuffer = "";
   let stderrBuffer = "";
-  const spawnReady = new Promise((resolve3, reject) => {
+  const spawnReady = new Promise((resolve2, reject) => {
     child.once("spawn", () => {
       spawned = true;
-      resolve3();
+      resolve2();
     });
     child.once("error", (err) => {
       if (!spawned) reject(err);
@@ -330,9 +337,9 @@ function createStdioTransport(opts) {
     if (spawnError) throw new Error(annotateWithStderr(`stdio transport: spawn failed \u2014 ${spawnError.message}`));
     const stdin = child.stdin;
     if (!stdin || stdin.destroyed) throw new Error(annotateWithStderr("stdio transport: stdin is closed"));
-    return new Promise((resolve3, reject) => {
+    return new Promise((resolve2, reject) => {
       stdin.write(`${line}
-`, "utf8", (err) => err ? reject(err) : resolve3());
+`, "utf8", (err) => err ? reject(err) : resolve2());
     });
   }
   const transport = {
@@ -354,7 +361,7 @@ function createStdioTransport(opts) {
     async request(method, params, nextId, init) {
       const id = nextId();
       const body = JSON.stringify({ jsonrpc: "2.0", id, method, params: params ?? {} });
-      return new Promise((resolve3, reject) => {
+      return new Promise((resolve2, reject) => {
         const timer = setTimeout(() => {
           pending.delete(id);
           reject(
@@ -363,7 +370,7 @@ function createStdioTransport(opts) {
             )
           );
         }, init.timeout);
-        pending.set(id, { resolve: resolve3, reject, id, timer });
+        pending.set(id, { resolve: resolve2, reject, id, timer });
         writeLine(body).catch((err) => {
           clearTimeout(timer);
           pending.delete(id);
@@ -382,23 +389,30 @@ function createStdioTransport(opts) {
         child.stdin?.end();
       } catch {
       }
-      const gracePeriodMs = 2e3;
-      await new Promise((resolve3) => {
-        const timer = setTimeout(() => {
+      const treeKill = (force) => {
+        if (isWindows && child.pid !== void 0) {
           try {
-            child.kill("SIGKILL");
+            spawn("taskkill", ["/pid", String(child.pid), "/t", ...force ? ["/f"] : []], { stdio: "ignore" });
           } catch {
           }
-          resolve3();
+        } else {
+          try {
+            child.kill(force ? "SIGKILL" : "SIGTERM");
+          } catch {
+          }
+        }
+      };
+      const gracePeriodMs = 2e3;
+      await new Promise((resolve2) => {
+        const timer = setTimeout(() => {
+          treeKill(true);
+          resolve2();
         }, gracePeriodMs);
         child.once("exit", () => {
           clearTimeout(timer);
-          resolve3();
+          resolve2();
         });
-        try {
-          child.kill(isWindows ? void 0 : "SIGTERM");
-        } catch {
-        }
+        treeKill(false);
       });
       rejectAllPending(new Error("stdio transport: closed"));
     },
@@ -662,7 +676,9 @@ function diffReports(baseline, current) {
 }
 function formatDiff(summary) {
   const lines = [];
-  const arrow = summary.baselineGrade === summary.currentGrade ? "\u2192" : "\u2192";
+  let arrow = "\u2192";
+  if (summary.currentScore > summary.baselineScore) arrow = "\u2191";
+  else if (summary.currentScore < summary.baselineScore) arrow = "\u2193";
   lines.push(
     `Grade ${summary.baselineGrade} (${summary.baselineScore}%) ${arrow} ${summary.currentGrade} (${summary.currentScore}%)`
   );
@@ -699,17 +715,37 @@ function hasRegressions(summary) {
 }
 
 // src/mcp/server.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2, realpathSync } from "fs";
-import { basename, dirname, join as join2, resolve as resolve2 } from "path";
-import { fileURLToPath } from "url";
+import { realpathSync } from "fs";
+import { basename, dirname as dirname2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
+// src/pkg-version.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { dirname, join as join2 } from "path";
+import { fileURLToPath } from "url";
+function readPackageVersion(metaUrl) {
+  let dir = dirname(fileURLToPath(metaUrl));
+  for (; ; ) {
+    const pkgPath = join2(dir, "package.json");
+    if (existsSync2(pkgPath)) {
+      try {
+        return JSON.parse(readFileSync2(pkgPath, "utf8")).version ?? "0.0.0";
+      } catch {
+        return "0.0.0";
+      }
+    }
+    const parent = dirname(dir);
+    if (parent === dir) return "0.0.0";
+    dir = parent;
+  }
+}
+
 // src/mcp/tools.ts
 import { z } from "zod";
 
 // src/runner.ts
-import { createRequire } from "module";
 import { request as request2 } from "undici";
 
 // src/badge.ts
@@ -1604,8 +1640,7 @@ var TEST_DEFINITIONS = [
 
 // src/runner.ts
 var TEST_DEFINITIONS_MAP = new Map(TEST_DEFINITIONS.map((t) => [t.id, t]));
-var _require = createRequire(import.meta.url);
-var { version: TOOL_VERSION } = _require("../package.json");
+var TOOL_VERSION = readPackageVersion(import.meta.url);
 var SPEC_VERSION = "2025-11-25";
 var SPEC_BASE = `https://modelcontextprotocol.io/specification/${SPEC_VERSION}`;
 var VALID_CONTENT_TYPES = ["text", "image", "audio", "resource", "resource_link"];
@@ -1808,10 +1843,11 @@ async function runComplianceSuite(target, options = {}) {
     const retries = options.retries || 0;
     let sessionId = null;
     let negotiatedProtocolVersion = null;
-    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs) {
+    async function mcpRequest(_backendUrl, method, params, idCounter, extraHeaders, timeoutMs, omitUserHeaders) {
       const res = await transport.request(method, params, idCounter, {
         timeout: timeoutMs,
-        headers: extraHeaders
+        headers: extraHeaders,
+        omitUserHeaders
       });
       return {
         statusCode: res.statusCode ?? 200,
@@ -2824,7 +2860,7 @@ async function runComplianceSuite(target, options = {}) {
             issues.push("Tool missing name");
             continue;
           }
-          if (tool.name.length > 128 || !/^[A-Za-z0-9_.\-]+$/.test(tool.name)) {
+          if (tool.name.length > 128 || !/^[A-Za-z0-9_.-]+$/.test(tool.name)) {
             issues.push(`${tool.name}: name format invalid`);
           }
           if (!tool.description) warnings.push(`Tool "${tool.name}" missing description`);
@@ -3525,7 +3561,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (unauthenticated request rejected)` };
           }
@@ -3548,7 +3586,9 @@ async function runComplianceSuite(target, options = {}) {
         const noAuthHeaders = {};
         if (sessionId) noAuthHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, noAuthHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401) {
             const wwwAuth = res.headers["www-authenticate"];
             if (wwwAuth) {
@@ -3576,14 +3616,16 @@ async function runComplianceSuite(target, options = {}) {
       "basic/authorization",
       async () => {
         if (!hasAuth) {
-          return { passed: false, details: "Skipped: server does not require auth" };
+          return { passed: true, details: "Skipped: server does not require auth" };
         }
         const malformedHeaders = {
           Authorization: "Bearer INVALID_GARBAGE_TOKEN_!@#$%^&*()"
         };
         if (sessionId) malformedHeaders["mcp-session-id"] = sessionId;
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, malformedHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (malformed auth rejected)` };
           }
@@ -3673,7 +3715,9 @@ async function runComplianceSuite(target, options = {}) {
           "mcp-session-id": sessionId
         };
         try {
-          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout);
+          const res = await mcpRequest(backendUrl, "ping", void 0, nextId, sessionOnlyHeaders, timeout, [
+            "authorization"
+          ]);
           if (res.statusCode === 401 || res.statusCode === 403) {
             return { passed: true, details: `HTTP ${res.statusCode} (session ID alone not sufficient for auth)` };
           }
@@ -4074,9 +4118,10 @@ async function runComplianceSuite(target, options = {}) {
           return { passed: true, details: "No tools available to test (skipped)" };
         }
         try {
+          const maliciousArgs = JSON.parse('{"__injected_param__":"malicious_value","__proto__":{"admin":true}}');
           const res = await rpc("tools/call", {
             name: toolNames[0],
-            arguments: { __injected_param__: "malicious_value", __proto__: { admin: true } }
+            arguments: maliciousArgs
           });
           const error = res.body?.error;
           if (error) {
@@ -4483,7 +4528,7 @@ function registerTools(server) {
     {
       url: z.string().url().describe("The MCP server URL to test (must be HTTP or HTTPS)"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
+      headers: z.record(z.string(), z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
       timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)"),
       retries: z.number().int().min(0).max(10).optional().describe("Number of retries for failed tests (default: 0, max: 10)"),
       only: z.array(z.string()).optional().describe("Only run tests matching these categories or test IDs"),
@@ -4549,7 +4594,7 @@ ${JSON.stringify(report, null, 2)}` }
     {
       url: z.string().url().describe("The MCP server URL to test"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string()).optional().describe("Additional headers to include on all requests"),
+      headers: z.record(z.string(), z.string()).optional().describe("Additional headers to include on all requests"),
       timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)")
     },
     {
@@ -4645,25 +4690,7 @@ ${TEST_DEFINITIONS.map((t) => t.id).join(", ")}`
 }
 
 // src/mcp/server.ts
-function findPackageVersion() {
-  let dir = dirname(fileURLToPath(import.meta.url));
-  const root = resolve2(dir, "..", "..", "..");
-  while (dir !== root) {
-    const pkgPath = join2(dir, "package.json");
-    if (existsSync2(pkgPath)) {
-      try {
-        return JSON.parse(readFileSync2(pkgPath, "utf8")).version ?? "0.0.0";
-      } catch {
-        return "0.0.0";
-      }
-    }
-    const parent = dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return "0.0.0";
-}
-var version = findPackageVersion();
+var version = readPackageVersion(import.meta.url);
 function createComplianceServer() {
   const server = new McpServer({ name: "mcp-compliance", version });
   registerTools(server);
@@ -4678,10 +4705,10 @@ function isInvokedDirectly() {
   const argv1 = process.argv[1];
   if (!argv1) return false;
   try {
-    const selfPath = realpathSync(fileURLToPath(import.meta.url));
+    const selfPath = realpathSync(fileURLToPath2(import.meta.url));
     if (realpathSync(argv1) !== selfPath) return false;
     const file = basename(selfPath);
-    const parent = basename(dirname(selfPath));
+    const parent = basename(dirname2(selfPath));
     return parent === "mcp" && (file === "server.js" || file === "server.ts");
   } catch {
     return false;
@@ -4970,8 +4997,7 @@ function formatSarif(report) {
         {
           physicalLocation: {
             artifactLocation: {
-              uri: report.url,
-              uriBaseId: "MCP_SERVER"
+              uri: report.url
             }
           }
         }
@@ -5235,14 +5261,13 @@ function splitStdioTarget(s) {
 }
 
 // src/token-store.ts
-import { createHash as createHash2 } from "crypto";
 import { existsSync as existsSync3, mkdirSync, readFileSync as readFileSync3, writeFileSync } from "fs";
 import { homedir } from "os";
-import { dirname as dirname2, join as join3 } from "path";
+import { dirname as dirname3, join as join3 } from "path";
 var STORE_DIR = join3(homedir(), ".mcp-compliance");
 var STORE_PATH = join3(STORE_DIR, "tokens.json");
 function hashUrl(url) {
-  return createHash2("sha256").update(url).digest("hex").slice(0, 24);
+  return urlHash(url);
 }
 function readStore() {
   if (!existsSync3(STORE_PATH)) return {};
@@ -5255,7 +5280,7 @@ function readStore() {
   }
 }
 function writeStore(store) {
-  const dir = dirname2(STORE_PATH);
+  const dir = dirname3(STORE_PATH);
   try {
     if (!existsSync3(dir)) mkdirSync(dir, { recursive: true, mode: 448 });
     writeFileSync(STORE_PATH, JSON.stringify(store, null, 2), { mode: 384 });
@@ -5292,7 +5317,7 @@ function deleteToken(hash) {
 }
 
 // src/index.ts
-var require2 = createRequire2(import.meta.url);
+var require2 = createRequire(import.meta.url);
 var { version: version2 } = require2("../package.json");
 function parseHeaderArg(value, prev) {
   const idx = value.indexOf(":");
@@ -5432,8 +5457,9 @@ function isPrivateHost(urlStr) {
     if (a === 192 && b === 168) return true;
     if (a === 0) return true;
   }
-  if (host === "::1" || host === "[::1]") return true;
-  if (host.startsWith("fe80:") || host.startsWith("fc") || host.startsWith("fd")) return true;
+  const v6 = host.replace(/^\[|\]$/g, "");
+  if (v6 === "::1") return true;
+  if (v6.includes(":") && (v6.startsWith("fe80:") || v6.startsWith("fc") || v6.startsWith("fd"))) return true;
   return false;
 }
 async function promptYesNo(message) {
@@ -5452,7 +5478,14 @@ program.command("test").description("Run the full compliance test suite against
   "[target]",
   "Server URL, or command to spawn as a stdio server (optional when a config file defines 'target')"
 ).argument("[extraArgs...]", "Additional args passed to the stdio command").addOption(
-  new Option("--format <format>", "Output format").choices(["terminal", "json", "sarif", "github", "markdown", "html"]).default("terminal")
+  new Option("--format <format>", "Output format (default: terminal, or `format` in config)").choices([
+    "terminal",
+    "json",
+    "sarif",
+    "github",
+    "markdown",
+    "html"
+  ])
 ).option("--config <path>", "Load options from a config file (default: mcp-compliance.config.json in cwd)").option("--output <file>", "Write a local SVG badge to the given path after the run (works with any transport)").option("--list", "Print the test IDs that would run given current filters, then exit (no connection)").addOption(
   new Option(
     "--transport <kind>",
@@ -5473,8 +5506,7 @@ program.command("test").description("Run the full compliance test suite against
   {}
 ).option("--auth <token>", 'Shorthand for -H "Authorization: <token>" (HTTP only)').option("-E, --env <var>", 'Set env var for stdio command ("KEY=VALUE", repeatable)', parseEnvVar, {}).option("--env-file <path>", "Load env vars from file (KEY=VALUE per line, stdio only)").option("--cwd <dir>", "Working directory for stdio command").option(
   "--timeout <ms>",
-  "Per-request timeout in milliseconds (applies to every test request after the initial handshake)",
-  "15000"
+  "Per-request timeout in ms after the initial handshake (default: 15000, or `timeout` in config)"
 ).option(
   "--startup-timeout <ms>",
   "Deadline for the initial initialize handshake (default: max(--timeout, 60000); covers cold `npx` cache fetches before a stdio server starts)"
@@ -5482,7 +5514,7 @@ program.command("test").description("Run the full compliance test suite against
   "--concurrency <n>",
   "Max parallel-safe tests in flight (default 1; see docs/PERFORMANCE.md before raising)",
   "1"
-).option("--preflight-timeout <ms>", "Preflight connectivity check timeout in milliseconds").option("--retries <n>", "Number of retries for failed tests", "0").option(
+).option("--preflight-timeout <ms>", "Preflight connectivity check timeout in milliseconds").option("--retries <n>", "Number of retries for failed tests (default: 0, or `retries` in config)").option(
   "--only <items>",
   'Only run matching categories or test IDs, comma-separated (e.g., "transport,lifecycle" or "transport-post,lifecycle-init")',
   parseList
@@ -5531,6 +5563,11 @@ ${defs.length} tests would run for transport=${transportKind}`));
       const skip = opts.skip ?? config?.skip;
       const verbose = opts.verbose ?? config?.verbose;
       const strict = opts.strict ?? config?.strict;
+      opts.format = opts.format ?? config?.format ?? "terminal";
+      let timeout = config?.timeout ?? 15e3;
+      if (opts.timeout !== void 0) timeout = parsePositiveInt(opts.timeout, "--timeout", 1);
+      let retries = config?.retries ?? 0;
+      if (opts.retries !== void 0) retries = parsePositiveInt(opts.retries, "--retries");
       async function runOnce() {
         if (opts.format === "terminal") {
           console.log(chalk2.dim(`
@@ -5538,10 +5575,10 @@ Testing ${describeTarget(transportTarget)}...
 `));
         }
         const report2 = await runComplianceSuite(transportTarget, {
-          timeout: parsePositiveInt(opts.timeout, "--timeout", 1),
+          timeout,
           startupTimeout: opts.startupTimeout ? parsePositiveInt(opts.startupTimeout, "--startup-timeout", 1) : config?.startupTimeout,
           preflightTimeout: opts.preflightTimeout ? parsePositiveInt(opts.preflightTimeout, "--preflight-timeout", 1) : config?.preflightTimeout,
-          retries: parsePositiveInt(opts.retries, "--retries"),
+          retries,
           concurrency: parsePositiveInt(opts.concurrency, "--concurrency", 1),
           only,
           skip,
@@ -5664,7 +5701,7 @@ program.command("badge").description("Run tests and publish a shareable complian
   'Add header to all requests (format: "Key: Value", repeatable; HTTP only)',
   parseHeaderArg,
   {}
-).option("--auth <token>", 'Shorthand for -H "Authorization: <token>" (HTTP only)').option("-E, --env <var>", 'Set env var for stdio command ("KEY=VALUE", repeatable)', parseEnvVar, {}).option("--env-file <path>", "Load env vars from file (stdio only)").option("--cwd <dir>", "Working directory for stdio command").option("--timeout <ms>", "Request timeout in milliseconds", "15000").option("--no-publish", "Do not publish the report to mcp.hosting").option("--output <file>", "Write a local SVG badge to the given path (works for any transport)").option("--no-color", "Disable colored output (also honors NO_COLOR env var)").action(
+).option("--auth <token>", 'Shorthand for -H "Authorization: <token>" (HTTP only)').option("-E, --env <var>", 'Set env var for stdio command ("KEY=VALUE", repeatable)', parseEnvVar, {}).option("--env-file <path>", "Load env vars from file (stdio only)").option("--cwd <dir>", "Working directory for stdio command").option("--timeout <ms>", "Request timeout in milliseconds (default: 15000, or `timeout` in config)").option("--no-publish", "Do not publish the report to mcp.hosting").option("--output <file>", "Write a local SVG badge to the given path (works for any transport)").option("--no-color", "Disable colored output (also honors NO_COLOR env var)").action(
   async (target, extraArgs, opts) => {
     if (opts.color === false) chalk2.level = 0;
     try {
@@ -5698,8 +5735,10 @@ Warning: ${transportTarget.url} looks like a private/internal address. Publishin
       console.log(chalk2.dim(`
 Testing ${describeTarget(transportTarget)}...
 `));
+      let badgeTimeout = config?.timeout ?? 15e3;
+      if (opts.timeout !== void 0) badgeTimeout = parsePositiveInt(opts.timeout, "--timeout", 1);
       const report = await runComplianceSuite(transportTarget, {
-        timeout: parsePositiveInt(opts.timeout, "--timeout", 1)
+        timeout: badgeTimeout
       });
       let markdown = report.badge.markdown;
       if (shouldPublish && transportTarget.type === "http") {

package/dist/mcp/server.js

@@ -1,12 +1,13 @@
 import {
   SPEC_BASE,
   TEST_DEFINITIONS,
+  readPackageVersion,
   runComplianceSuite
-} from "../chunk-6PF56RRO.js";
+} from "../chunk-A3UG3J63.js";
 
 // src/mcp/server.ts
-import { existsSync, readFileSync, realpathSync } from "fs";
-import { basename, dirname, join, resolve } from "path";
+import { realpathSync } from "fs";
+import { basename, dirname } from "path";
 import { fileURLToPath } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
@@ -20,7 +21,7 @@ function registerTools(server) {
     {
       url: z.string().url().describe("The MCP server URL to test (must be HTTP or HTTPS)"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
+      headers: z.record(z.string(), z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
       timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)"),
       retries: z.number().int().min(0).max(10).optional().describe("Number of retries for failed tests (default: 0, max: 10)"),
       only: z.array(z.string()).optional().describe("Only run tests matching these categories or test IDs"),
@@ -86,7 +87,7 @@ ${JSON.stringify(report, null, 2)}` }
     {
       url: z.string().url().describe("The MCP server URL to test"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string()).optional().describe("Additional headers to include on all requests"),
+      headers: z.record(z.string(), z.string()).optional().describe("Additional headers to include on all requests"),
       timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)")
     },
     {
@@ -182,25 +183,7 @@ ${TEST_DEFINITIONS.map((t) => t.id).join(", ")}`
 }
 
 // src/mcp/server.ts
-function findPackageVersion() {
-  let dir = dirname(fileURLToPath(import.meta.url));
-  const root = resolve(dir, "..", "..", "..");
-  while (dir !== root) {
-    const pkgPath = join(dir, "package.json");
-    if (existsSync(pkgPath)) {
-      try {
-        return JSON.parse(readFileSync(pkgPath, "utf8")).version ?? "0.0.0";
-      } catch {
-        return "0.0.0";
-      }
-    }
-    const parent = dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return "0.0.0";
-}
-var version = findPackageVersion();
+var version = readPackageVersion(import.meta.url);
 function createComplianceServer() {
   const server = new McpServer({ name: "mcp-compliance", version });
   registerTools(server);

package/dist/runner.d.ts

@@ -92,24 +92,6 @@ type TransportTarget = {
 /** All 88 test IDs with descriptions for the explain command */
 declare const TEST_DEFINITIONS: TestDefinition[];
 
-declare function computeGrade(score: number): Grade;
-declare function computeScore(tests: TestResult[]): {
-    score: number;
-    grade: Grade;
-    overall: "pass" | "partial" | "fail";
-    summary: {
-        total: number;
-        passed: number;
-        failed: number;
-        required: number;
-        requiredPassed: number;
-    };
-    categories: Record<string, {
-        passed: number;
-        total: number;
-    }>;
-};
-
 /**
  * Generate a short, deterministic hash of a URL for badge paths.
  * SHA-256 truncated to 24 hex chars (96 bits of entropy) — matches the
@@ -131,6 +113,24 @@ declare function generateBadge(url: string): {
     html: string;
 };
 
+declare function computeGrade(score: number): Grade;
+declare function computeScore(tests: TestResult[]): {
+    score: number;
+    grade: Grade;
+    overall: "pass" | "partial" | "fail";
+    summary: {
+        total: number;
+        passed: number;
+        failed: number;
+        required: number;
+        requiredPassed: number;
+    };
+    categories: Record<string, {
+        passed: number;
+        total: number;
+    }>;
+};
+
 /**
  * Parse a Server-Sent Events response body and extract the first
  * JSON-RPC response message. Returns null if none found.

package/dist/runner.js

@@ -10,7 +10,7 @@ import {
   previewTests,
   runComplianceSuite,
   urlHash
-} from "./chunk-6PF56RRO.js";
+} from "./chunk-A3UG3J63.js";
 export {
   SPEC_BASE,
   SPEC_VERSION,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.14.3",
+  "version": "0.15.0",
   "mcpName": "io.github.YawLabs/mcp-compliance",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
@@ -20,7 +20,7 @@
   "main": "./dist/runner.js",
   "types": "./dist/runner.d.ts",
   "bin": {
-    "mcp-compliance": "./dist/index.js"
+    "mcp-compliance": "dist/index.js"
   },
   "files": [
     "dist",
@@ -45,17 +45,17 @@
     "chalk": "^5.4.1",
     "commander": "^14.0.3",
     "undici": "^7.8.0",
-    "zod": "^3.24.4"
+    "zod": "^4.4.3"
   },
   "devDependencies": {
-    "@biomejs/biome": "^1.9.4",
+    "@biomejs/biome": "^2.4.16",
     "@types/node": "^25.5.2",
     "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
     "tsup": "^8.4.0",
     "tsx": "^4.21.0",
-    "typescript": "^5.8.3",
-    "vitest": "^3.1.1"
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.8"
   },
   "engines": {
     "node": ">=20"