@yawlabs/mcp-compliance 0.14.4 → 0.15.1

package/dist/{chunk-2CXRMEZ3.js → chunk-B5HSDK4K.js}

@@ -1,5 +1,4 @@
 // src/runner.ts
-import { createRequire } from "module";
 import { request as request2 } from "undici";
 
 // src/badge.ts
@@ -74,6 +73,27 @@ function computeScore(tests) {
   };
 }
 
+// src/pkg-version.ts
+import { existsSync, readFileSync } from "fs";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+function readPackageVersion(metaUrl) {
+  let dir = dirname(fileURLToPath(metaUrl));
+  for (; ; ) {
+    const pkgPath = join(dir, "package.json");
+    if (existsSync(pkgPath)) {
+      try {
+        return JSON.parse(readFileSync(pkgPath, "utf8")).version ?? "0.0.0";
+      } catch {
+        return "0.0.0";
+      }
+    }
+    const parent = dirname(dir);
+    if (parent === dir) return "0.0.0";
+    dir = parent;
+  }
+}
+
 // src/transport/http.ts
 import { request } from "undici";
 
@@ -399,23 +419,30 @@ function createStdioTransport(opts) {
         child.stdin?.end();
       } catch {
       }
-      const gracePeriodMs = 2e3;
-      await new Promise((resolve) => {
-        const timer = setTimeout(() => {
+      const treeKill = (force) => {
+        if (isWindows && child.pid !== void 0) {
           try {
-            child.kill("SIGKILL");
+            spawn("taskkill", ["/pid", String(child.pid), "/t", ...force ? ["/f"] : []], { stdio: "ignore" });
           } catch {
           }
+        } else {
+          try {
+            child.kill(force ? "SIGKILL" : "SIGTERM");
+          } catch {
+          }
+        }
+      };
+      const gracePeriodMs = 2e3;
+      await new Promise((resolve) => {
+        const timer = setTimeout(() => {
+          treeKill(true);
           resolve();
         }, gracePeriodMs);
         child.once("exit", () => {
           clearTimeout(timer);
           resolve();
         });
-        try {
-          child.kill(isWindows ? void 0 : "SIGTERM");
-        } catch {
-        }
+        treeKill(false);
       });
       rejectAllPending(new Error("stdio transport: closed"));
     },
@@ -1254,8 +1281,7 @@ var TEST_DEFINITIONS = [
 
 // src/runner.ts
 var TEST_DEFINITIONS_MAP = new Map(TEST_DEFINITIONS.map((t) => [t.id, t]));
-var _require = createRequire(import.meta.url);
-var { version: TOOL_VERSION } = _require("../package.json");
+var TOOL_VERSION = readPackageVersion(import.meta.url);
 var SPEC_VERSION = "2025-11-25";
 var SPEC_BASE = `https://modelcontextprotocol.io/specification/${SPEC_VERSION}`;
 var VALID_CONTENT_TYPES = ["text", "image", "audio", "resource", "resource_link"];
@@ -2475,7 +2501,7 @@ async function runComplianceSuite(target, options = {}) {
             issues.push("Tool missing name");
             continue;
           }
-          if (tool.name.length > 128 || !/^[A-Za-z0-9_.\-]+$/.test(tool.name)) {
+          if (tool.name.length > 128 || !/^[A-Za-z0-9_.-]+$/.test(tool.name)) {
             issues.push(`${tool.name}: name format invalid`);
           }
           if (!tool.description) warnings.push(`Tool "${tool.name}" missing description`);
@@ -3183,7 +3209,7 @@ async function runComplianceSuite(target, options = {}) {
             return { passed: true, details: `HTTP ${res.statusCode} (unauthenticated request rejected)` };
           }
           return { passed: false, details: `HTTP ${res.statusCode} \u2014 server accepted unauthenticated request` };
-        } catch (err) {
+        } catch (_err) {
           return { passed: true, details: "Connection rejected (acceptable)" };
         }
       }
@@ -3231,7 +3257,7 @@ async function runComplianceSuite(target, options = {}) {
       "basic/authorization",
       async () => {
         if (!hasAuth) {
-          return { passed: false, details: "Skipped: server does not require auth" };
+          return { passed: true, details: "Skipped: server does not require auth" };
         }
         const malformedHeaders = {
           Authorization: "Bearer INVALID_GARBAGE_TOKEN_!@#$%^&*()"
@@ -3245,7 +3271,7 @@ async function runComplianceSuite(target, options = {}) {
             return { passed: true, details: `HTTP ${res.statusCode} (malformed auth rejected)` };
           }
           return { passed: false, details: `HTTP ${res.statusCode} \u2014 server accepted malformed auth token` };
-        } catch (err) {
+        } catch (_err) {
           return { passed: true, details: "Connection rejected (acceptable)" };
         }
       }
@@ -3733,9 +3759,10 @@ async function runComplianceSuite(target, options = {}) {
           return { passed: true, details: "No tools available to test (skipped)" };
         }
         try {
+          const maliciousArgs = JSON.parse('{"__injected_param__":"malicious_value","__proto__":{"admin":true}}');
           const res = await rpc("tools/call", {
             name: toolNames[0],
-            arguments: { __injected_param__: "malicious_value", __proto__: { admin: true } }
+            arguments: maliciousArgs
           });
           const error = res.body?.error;
           if (error) {
@@ -3757,7 +3784,7 @@ async function runComplianceSuite(target, options = {}) {
         if (!toolsListOk) return { passed: true, details: "Skipped: tools/list not available" };
         const tools = cachedToolsList ?? [];
         if (tools.length === 0) return { passed: true, details: "No tools to validate" };
-        const missing = tools.filter((t) => !t.inputSchema || t.inputSchema.type !== "object");
+        const missing = tools.filter((t) => t.inputSchema?.type !== "object");
         if (missing.length > 0) {
           return {
             passed: false,
@@ -4139,6 +4166,7 @@ export {
   generateBadge,
   computeGrade,
   computeScore,
+  readPackageVersion,
   parseSSEResponse,
   TEST_DEFINITIONS,
   SPEC_VERSION,

package/dist/index.js

@@ -2,7 +2,7 @@
 
 // src/index.ts
 import { watch as fsWatch, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
-import { createRequire as createRequire2 } from "module";
+import { createRequire } from "module";
 import { createInterface } from "readline/promises";
 import chalk2 from "chalk";
 import { Command, Option } from "commander";
@@ -238,10 +238,10 @@ function createStdioTransport(opts) {
   const pending = /* @__PURE__ */ new Map();
   let stdoutBuffer = "";
   let stderrBuffer = "";
-  const spawnReady = new Promise((resolve3, reject) => {
+  const spawnReady = new Promise((resolve2, reject) => {
     child.once("spawn", () => {
       spawned = true;
-      resolve3();
+      resolve2();
     });
     child.once("error", (err) => {
       if (!spawned) reject(err);
@@ -337,9 +337,9 @@ function createStdioTransport(opts) {
     if (spawnError) throw new Error(annotateWithStderr(`stdio transport: spawn failed \u2014 ${spawnError.message}`));
     const stdin = child.stdin;
     if (!stdin || stdin.destroyed) throw new Error(annotateWithStderr("stdio transport: stdin is closed"));
-    return new Promise((resolve3, reject) => {
+    return new Promise((resolve2, reject) => {
       stdin.write(`${line}
-`, "utf8", (err) => err ? reject(err) : resolve3());
+`, "utf8", (err) => err ? reject(err) : resolve2());
     });
   }
   const transport = {
@@ -361,7 +361,7 @@ function createStdioTransport(opts) {
     async request(method, params, nextId, init) {
       const id = nextId();
       const body = JSON.stringify({ jsonrpc: "2.0", id, method, params: params ?? {} });
-      return new Promise((resolve3, reject) => {
+      return new Promise((resolve2, reject) => {
         const timer = setTimeout(() => {
           pending.delete(id);
           reject(
@@ -370,7 +370,7 @@ function createStdioTransport(opts) {
             )
           );
         }, init.timeout);
-        pending.set(id, { resolve: resolve3, reject, id, timer });
+        pending.set(id, { resolve: resolve2, reject, id, timer });
         writeLine(body).catch((err) => {
           clearTimeout(timer);
           pending.delete(id);
@@ -389,23 +389,30 @@ function createStdioTransport(opts) {
         child.stdin?.end();
       } catch {
       }
-      const gracePeriodMs = 2e3;
-      await new Promise((resolve3) => {
-        const timer = setTimeout(() => {
+      const treeKill = (force) => {
+        if (isWindows && child.pid !== void 0) {
+          try {
+            spawn("taskkill", ["/pid", String(child.pid), "/t", ...force ? ["/f"] : []], { stdio: "ignore" });
+          } catch {
+          }
+        } else {
           try {
-            child.kill("SIGKILL");
+            child.kill(force ? "SIGKILL" : "SIGTERM");
           } catch {
           }
-          resolve3();
+        }
+      };
+      const gracePeriodMs = 2e3;
+      await new Promise((resolve2) => {
+        const timer = setTimeout(() => {
+          treeKill(true);
+          resolve2();
         }, gracePeriodMs);
         child.once("exit", () => {
           clearTimeout(timer);
-          resolve3();
+          resolve2();
         });
-        try {
-          child.kill(isWindows ? void 0 : "SIGTERM");
-        } catch {
-        }
+        treeKill(false);
       });
       rejectAllPending(new Error("stdio transport: closed"));
     },
@@ -669,7 +676,9 @@ function diffReports(baseline, current) {
 }
 function formatDiff(summary) {
   const lines = [];
-  const arrow = summary.baselineGrade === summary.currentGrade ? "\u2192" : "\u2192";
+  let arrow = "\u2192";
+  if (summary.currentScore > summary.baselineScore) arrow = "\u2191";
+  else if (summary.currentScore < summary.baselineScore) arrow = "\u2193";
   lines.push(
     `Grade ${summary.baselineGrade} (${summary.baselineScore}%) ${arrow} ${summary.currentGrade} (${summary.currentScore}%)`
   );
@@ -706,17 +715,37 @@ function hasRegressions(summary) {
 }
 
 // src/mcp/server.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2, realpathSync } from "fs";
-import { basename, dirname, join as join2, resolve as resolve2 } from "path";
-import { fileURLToPath } from "url";
+import { realpathSync } from "fs";
+import { basename, dirname as dirname2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
+// src/pkg-version.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { dirname, join as join2 } from "path";
+import { fileURLToPath } from "url";
+function readPackageVersion(metaUrl) {
+  let dir = dirname(fileURLToPath(metaUrl));
+  for (; ; ) {
+    const pkgPath = join2(dir, "package.json");
+    if (existsSync2(pkgPath)) {
+      try {
+        return JSON.parse(readFileSync2(pkgPath, "utf8")).version ?? "0.0.0";
+      } catch {
+        return "0.0.0";
+      }
+    }
+    const parent = dirname(dir);
+    if (parent === dir) return "0.0.0";
+    dir = parent;
+  }
+}
+
 // src/mcp/tools.ts
 import { z } from "zod";
 
 // src/runner.ts
-import { createRequire } from "module";
 import { request as request2 } from "undici";
 
 // src/badge.ts
@@ -1611,8 +1640,7 @@ var TEST_DEFINITIONS = [
 
 // src/runner.ts
 var TEST_DEFINITIONS_MAP = new Map(TEST_DEFINITIONS.map((t) => [t.id, t]));
-var _require = createRequire(import.meta.url);
-var { version: TOOL_VERSION } = _require("../package.json");
+var TOOL_VERSION = readPackageVersion(import.meta.url);
 var SPEC_VERSION = "2025-11-25";
 var SPEC_BASE = `https://modelcontextprotocol.io/specification/${SPEC_VERSION}`;
 var VALID_CONTENT_TYPES = ["text", "image", "audio", "resource", "resource_link"];
@@ -2832,7 +2860,7 @@ async function runComplianceSuite(target, options = {}) {
             issues.push("Tool missing name");
             continue;
           }
-          if (tool.name.length > 128 || !/^[A-Za-z0-9_.\-]+$/.test(tool.name)) {
+          if (tool.name.length > 128 || !/^[A-Za-z0-9_.-]+$/.test(tool.name)) {
             issues.push(`${tool.name}: name format invalid`);
           }
           if (!tool.description) warnings.push(`Tool "${tool.name}" missing description`);
@@ -3540,7 +3568,7 @@ async function runComplianceSuite(target, options = {}) {
             return { passed: true, details: `HTTP ${res.statusCode} (unauthenticated request rejected)` };
           }
           return { passed: false, details: `HTTP ${res.statusCode} \u2014 server accepted unauthenticated request` };
-        } catch (err) {
+        } catch (_err) {
           return { passed: true, details: "Connection rejected (acceptable)" };
         }
       }
@@ -3588,7 +3616,7 @@ async function runComplianceSuite(target, options = {}) {
       "basic/authorization",
       async () => {
         if (!hasAuth) {
-          return { passed: false, details: "Skipped: server does not require auth" };
+          return { passed: true, details: "Skipped: server does not require auth" };
         }
         const malformedHeaders = {
           Authorization: "Bearer INVALID_GARBAGE_TOKEN_!@#$%^&*()"
@@ -3602,7 +3630,7 @@ async function runComplianceSuite(target, options = {}) {
             return { passed: true, details: `HTTP ${res.statusCode} (malformed auth rejected)` };
           }
           return { passed: false, details: `HTTP ${res.statusCode} \u2014 server accepted malformed auth token` };
-        } catch (err) {
+        } catch (_err) {
           return { passed: true, details: "Connection rejected (acceptable)" };
         }
       }
@@ -4090,9 +4118,10 @@ async function runComplianceSuite(target, options = {}) {
           return { passed: true, details: "No tools available to test (skipped)" };
         }
         try {
+          const maliciousArgs = JSON.parse('{"__injected_param__":"malicious_value","__proto__":{"admin":true}}');
           const res = await rpc("tools/call", {
             name: toolNames[0],
-            arguments: { __injected_param__: "malicious_value", __proto__: { admin: true } }
+            arguments: maliciousArgs
           });
           const error = res.body?.error;
           if (error) {
@@ -4114,7 +4143,7 @@ async function runComplianceSuite(target, options = {}) {
         if (!toolsListOk) return { passed: true, details: "Skipped: tools/list not available" };
         const tools = cachedToolsList ?? [];
         if (tools.length === 0) return { passed: true, details: "No tools to validate" };
-        const missing = tools.filter((t) => !t.inputSchema || t.inputSchema.type !== "object");
+        const missing = tools.filter((t) => t.inputSchema?.type !== "object");
         if (missing.length > 0) {
           return {
             passed: false,
@@ -4499,7 +4528,7 @@ function registerTools(server) {
     {
       url: z.string().url().describe("The MCP server URL to test (must be HTTP or HTTPS)"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
+      headers: z.record(z.string(), z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
       timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)"),
       retries: z.number().int().min(0).max(10).optional().describe("Number of retries for failed tests (default: 0, max: 10)"),
       only: z.array(z.string()).optional().describe("Only run tests matching these categories or test IDs"),
@@ -4565,7 +4594,7 @@ ${JSON.stringify(report, null, 2)}` }
     {
       url: z.string().url().describe("The MCP server URL to test"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string()).optional().describe("Additional headers to include on all requests"),
+      headers: z.record(z.string(), z.string()).optional().describe("Additional headers to include on all requests"),
       timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)")
     },
     {
@@ -4661,25 +4690,7 @@ ${TEST_DEFINITIONS.map((t) => t.id).join(", ")}`
 }
 
 // src/mcp/server.ts
-function findPackageVersion() {
-  let dir = dirname(fileURLToPath(import.meta.url));
-  const root = resolve2(dir, "..", "..", "..");
-  while (dir !== root) {
-    const pkgPath = join2(dir, "package.json");
-    if (existsSync2(pkgPath)) {
-      try {
-        return JSON.parse(readFileSync2(pkgPath, "utf8")).version ?? "0.0.0";
-      } catch {
-        return "0.0.0";
-      }
-    }
-    const parent = dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return "0.0.0";
-}
-var version = findPackageVersion();
+var version = readPackageVersion(import.meta.url);
 function createComplianceServer() {
   const server = new McpServer({ name: "mcp-compliance", version });
   registerTools(server);
@@ -4694,10 +4705,10 @@ function isInvokedDirectly() {
   const argv1 = process.argv[1];
   if (!argv1) return false;
   try {
-    const selfPath = realpathSync(fileURLToPath(import.meta.url));
+    const selfPath = realpathSync(fileURLToPath2(import.meta.url));
     if (realpathSync(argv1) !== selfPath) return false;
     const file = basename(selfPath);
-    const parent = basename(dirname(selfPath));
+    const parent = basename(dirname2(selfPath));
     return parent === "mcp" && (file === "server.js" || file === "server.ts");
   } catch {
     return false;
@@ -4986,8 +4997,7 @@ function formatSarif(report) {
         {
           physicalLocation: {
             artifactLocation: {
-              uri: report.url,
-              uriBaseId: "MCP_SERVER"
+              uri: report.url
             }
           }
         }
@@ -5251,14 +5261,13 @@ function splitStdioTarget(s) {
 }
 
 // src/token-store.ts
-import { createHash as createHash2 } from "crypto";
 import { existsSync as existsSync3, mkdirSync, readFileSync as readFileSync3, writeFileSync } from "fs";
 import { homedir } from "os";
-import { dirname as dirname2, join as join3 } from "path";
+import { dirname as dirname3, join as join3 } from "path";
 var STORE_DIR = join3(homedir(), ".mcp-compliance");
 var STORE_PATH = join3(STORE_DIR, "tokens.json");
 function hashUrl(url) {
-  return createHash2("sha256").update(url).digest("hex").slice(0, 24);
+  return urlHash(url);
 }
 function readStore() {
   if (!existsSync3(STORE_PATH)) return {};
@@ -5271,7 +5280,7 @@ function readStore() {
   }
 }
 function writeStore(store) {
-  const dir = dirname2(STORE_PATH);
+  const dir = dirname3(STORE_PATH);
   try {
     if (!existsSync3(dir)) mkdirSync(dir, { recursive: true, mode: 448 });
     writeFileSync(STORE_PATH, JSON.stringify(store, null, 2), { mode: 384 });
@@ -5308,7 +5317,7 @@ function deleteToken(hash) {
 }
 
 // src/index.ts
-var require2 = createRequire2(import.meta.url);
+var require2 = createRequire(import.meta.url);
 var { version: version2 } = require2("../package.json");
 function parseHeaderArg(value, prev) {
   const idx = value.indexOf(":");
@@ -5448,8 +5457,9 @@ function isPrivateHost(urlStr) {
     if (a === 192 && b === 168) return true;
     if (a === 0) return true;
   }
-  if (host === "::1" || host === "[::1]") return true;
-  if (host.startsWith("fe80:") || host.startsWith("fc") || host.startsWith("fd")) return true;
+  const v6 = host.replace(/^\[|\]$/g, "");
+  if (v6 === "::1") return true;
+  if (v6.includes(":") && (v6.startsWith("fe80:") || v6.startsWith("fc") || v6.startsWith("fd"))) return true;
   return false;
 }
 async function promptYesNo(message) {
@@ -5468,7 +5478,14 @@ program.command("test").description("Run the full compliance test suite against
   "[target]",
   "Server URL, or command to spawn as a stdio server (optional when a config file defines 'target')"
 ).argument("[extraArgs...]", "Additional args passed to the stdio command").addOption(
-  new Option("--format <format>", "Output format").choices(["terminal", "json", "sarif", "github", "markdown", "html"]).default("terminal")
+  new Option("--format <format>", "Output format (default: terminal, or `format` in config)").choices([
+    "terminal",
+    "json",
+    "sarif",
+    "github",
+    "markdown",
+    "html"
+  ])
 ).option("--config <path>", "Load options from a config file (default: mcp-compliance.config.json in cwd)").option("--output <file>", "Write a local SVG badge to the given path after the run (works with any transport)").option("--list", "Print the test IDs that would run given current filters, then exit (no connection)").addOption(
   new Option(
     "--transport <kind>",
@@ -5489,8 +5506,7 @@ program.command("test").description("Run the full compliance test suite against
   {}
 ).option("--auth <token>", 'Shorthand for -H "Authorization: <token>" (HTTP only)').option("-E, --env <var>", 'Set env var for stdio command ("KEY=VALUE", repeatable)', parseEnvVar, {}).option("--env-file <path>", "Load env vars from file (KEY=VALUE per line, stdio only)").option("--cwd <dir>", "Working directory for stdio command").option(
   "--timeout <ms>",
-  "Per-request timeout in milliseconds (applies to every test request after the initial handshake)",
-  "15000"
+  "Per-request timeout in ms after the initial handshake (default: 15000, or `timeout` in config)"
 ).option(
   "--startup-timeout <ms>",
   "Deadline for the initial initialize handshake (default: max(--timeout, 60000); covers cold `npx` cache fetches before a stdio server starts)"
@@ -5498,7 +5514,7 @@ program.command("test").description("Run the full compliance test suite against
   "--concurrency <n>",
   "Max parallel-safe tests in flight (default 1; see docs/PERFORMANCE.md before raising)",
   "1"
-).option("--preflight-timeout <ms>", "Preflight connectivity check timeout in milliseconds").option("--retries <n>", "Number of retries for failed tests", "0").option(
+).option("--preflight-timeout <ms>", "Preflight connectivity check timeout in milliseconds").option("--retries <n>", "Number of retries for failed tests (default: 0, or `retries` in config)").option(
   "--only <items>",
   'Only run matching categories or test IDs, comma-separated (e.g., "transport,lifecycle" or "transport-post,lifecycle-init")',
   parseList
@@ -5547,6 +5563,11 @@ ${defs.length} tests would run for transport=${transportKind}`));
       const skip = opts.skip ?? config?.skip;
       const verbose = opts.verbose ?? config?.verbose;
       const strict = opts.strict ?? config?.strict;
+      opts.format = opts.format ?? config?.format ?? "terminal";
+      let timeout = config?.timeout ?? 15e3;
+      if (opts.timeout !== void 0) timeout = parsePositiveInt(opts.timeout, "--timeout", 1);
+      let retries = config?.retries ?? 0;
+      if (opts.retries !== void 0) retries = parsePositiveInt(opts.retries, "--retries");
       async function runOnce() {
         if (opts.format === "terminal") {
           console.log(chalk2.dim(`
@@ -5554,10 +5575,10 @@ Testing ${describeTarget(transportTarget)}...
 `));
         }
         const report2 = await runComplianceSuite(transportTarget, {
-          timeout: parsePositiveInt(opts.timeout, "--timeout", 1),
+          timeout,
           startupTimeout: opts.startupTimeout ? parsePositiveInt(opts.startupTimeout, "--startup-timeout", 1) : config?.startupTimeout,
           preflightTimeout: opts.preflightTimeout ? parsePositiveInt(opts.preflightTimeout, "--preflight-timeout", 1) : config?.preflightTimeout,
-          retries: parsePositiveInt(opts.retries, "--retries"),
+          retries,
           concurrency: parsePositiveInt(opts.concurrency, "--concurrency", 1),
           only,
           skip,
@@ -5680,7 +5701,7 @@ program.command("badge").description("Run tests and publish a shareable complian
   'Add header to all requests (format: "Key: Value", repeatable; HTTP only)',
   parseHeaderArg,
   {}
-).option("--auth <token>", 'Shorthand for -H "Authorization: <token>" (HTTP only)').option("-E, --env <var>", 'Set env var for stdio command ("KEY=VALUE", repeatable)', parseEnvVar, {}).option("--env-file <path>", "Load env vars from file (stdio only)").option("--cwd <dir>", "Working directory for stdio command").option("--timeout <ms>", "Request timeout in milliseconds", "15000").option("--no-publish", "Do not publish the report to mcp.hosting").option("--output <file>", "Write a local SVG badge to the given path (works for any transport)").option("--no-color", "Disable colored output (also honors NO_COLOR env var)").action(
+).option("--auth <token>", 'Shorthand for -H "Authorization: <token>" (HTTP only)').option("-E, --env <var>", 'Set env var for stdio command ("KEY=VALUE", repeatable)', parseEnvVar, {}).option("--env-file <path>", "Load env vars from file (stdio only)").option("--cwd <dir>", "Working directory for stdio command").option("--timeout <ms>", "Request timeout in milliseconds (default: 15000, or `timeout` in config)").option("--no-publish", "Do not publish the report to mcp.hosting").option("--output <file>", "Write a local SVG badge to the given path (works for any transport)").option("--no-color", "Disable colored output (also honors NO_COLOR env var)").action(
   async (target, extraArgs, opts) => {
     if (opts.color === false) chalk2.level = 0;
     try {
@@ -5714,8 +5735,10 @@ Warning: ${transportTarget.url} looks like a private/internal address. Publishin
       console.log(chalk2.dim(`
 Testing ${describeTarget(transportTarget)}...
 `));
+      let badgeTimeout = config?.timeout ?? 15e3;
+      if (opts.timeout !== void 0) badgeTimeout = parsePositiveInt(opts.timeout, "--timeout", 1);
       const report = await runComplianceSuite(transportTarget, {
-        timeout: parsePositiveInt(opts.timeout, "--timeout", 1)
+        timeout: badgeTimeout
       });
       let markdown = report.badge.markdown;
       if (shouldPublish && transportTarget.type === "http") {
@@ -5775,7 +5798,7 @@ Error: ${message}
     }
   }
 );
-program.command("unpublish").description("Remove a previously-published compliance report from mcp.hosting").argument("<url>", "MCP server URL whose report should be removed").action(async (url) => {
+program.command("unpublish").description("Remove a previously-published compliance report from mcp.hosting").argument("<url>", "MCP server URL whose report should be removed").option("-y, --yes", "Skip the confirmation prompt (for automation)").action(async (url, opts) => {
   try {
     const stored = getTokenForUrl(url);
     if (!stored) {
@@ -5788,6 +5811,13 @@ No delete token found locally for ${url} \u2014 nothing to unpublish from this m
       );
       return;
     }
+    if (!opts.yes) {
+      const ok = await promptYesNo(chalk2.yellow(`Remove the published report for ${url}? This cannot be undone.`));
+      if (!ok) {
+        console.error(chalk2.dim("\nAborted. Re-run with --yes to skip this prompt.\n"));
+        return;
+      }
+    }
     await unpublishReport(stored.hash, stored.entry.deleteToken);
     deleteToken(stored.hash);
     console.log(chalk2.green(`

package/dist/mcp/server.js

@@ -1,12 +1,13 @@
 import {
   SPEC_BASE,
   TEST_DEFINITIONS,
+  readPackageVersion,
   runComplianceSuite
-} from "../chunk-2CXRMEZ3.js";
+} from "../chunk-B5HSDK4K.js";
 
 // src/mcp/server.ts
-import { existsSync, readFileSync, realpathSync } from "fs";
-import { basename, dirname, join, resolve } from "path";
+import { realpathSync } from "fs";
+import { basename, dirname } from "path";
 import { fileURLToPath } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
@@ -20,7 +21,7 @@ function registerTools(server) {
     {
       url: z.string().url().describe("The MCP server URL to test (must be HTTP or HTTPS)"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
+      headers: z.record(z.string(), z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
       timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)"),
       retries: z.number().int().min(0).max(10).optional().describe("Number of retries for failed tests (default: 0, max: 10)"),
       only: z.array(z.string()).optional().describe("Only run tests matching these categories or test IDs"),
@@ -86,7 +87,7 @@ ${JSON.stringify(report, null, 2)}` }
     {
       url: z.string().url().describe("The MCP server URL to test"),
       auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string()).optional().describe("Additional headers to include on all requests"),
+      headers: z.record(z.string(), z.string()).optional().describe("Additional headers to include on all requests"),
       timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)")
     },
     {
@@ -182,25 +183,7 @@ ${TEST_DEFINITIONS.map((t) => t.id).join(", ")}`
 }
 
 // src/mcp/server.ts
-function findPackageVersion() {
-  let dir = dirname(fileURLToPath(import.meta.url));
-  const root = resolve(dir, "..", "..", "..");
-  while (dir !== root) {
-    const pkgPath = join(dir, "package.json");
-    if (existsSync(pkgPath)) {
-      try {
-        return JSON.parse(readFileSync(pkgPath, "utf8")).version ?? "0.0.0";
-      } catch {
-        return "0.0.0";
-      }
-    }
-    const parent = dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return "0.0.0";
-}
-var version = findPackageVersion();
+var version = readPackageVersion(import.meta.url);
 function createComplianceServer() {
   const server = new McpServer({ name: "mcp-compliance", version });
   registerTools(server);

package/dist/runner.d.ts

@@ -92,24 +92,6 @@ type TransportTarget = {
 /** All 88 test IDs with descriptions for the explain command */
 declare const TEST_DEFINITIONS: TestDefinition[];
 
-declare function computeGrade(score: number): Grade;
-declare function computeScore(tests: TestResult[]): {
-    score: number;
-    grade: Grade;
-    overall: "pass" | "partial" | "fail";
-    summary: {
-        total: number;
-        passed: number;
-        failed: number;
-        required: number;
-        requiredPassed: number;
-    };
-    categories: Record<string, {
-        passed: number;
-        total: number;
-    }>;
-};
-
 /**
  * Generate a short, deterministic hash of a URL for badge paths.
  * SHA-256 truncated to 24 hex chars (96 bits of entropy) — matches the
@@ -131,6 +113,24 @@ declare function generateBadge(url: string): {
     html: string;
 };
 
+declare function computeGrade(score: number): Grade;
+declare function computeScore(tests: TestResult[]): {
+    score: number;
+    grade: Grade;
+    overall: "pass" | "partial" | "fail";
+    summary: {
+        total: number;
+        passed: number;
+        failed: number;
+        required: number;
+        requiredPassed: number;
+    };
+    categories: Record<string, {
+        passed: number;
+        total: number;
+    }>;
+};
+
 /**
  * Parse a Server-Sent Events response body and extract the first
  * JSON-RPC response message. Returns null if none found.

package/dist/runner.js

@@ -10,7 +10,7 @@ import {
   previewTests,
   runComplianceSuite,
   urlHash
-} from "./chunk-2CXRMEZ3.js";
+} from "./chunk-B5HSDK4K.js";
 export {
   SPEC_BASE,
   SPEC_VERSION,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.14.4",
+  "version": "0.15.1",
   "mcpName": "io.github.YawLabs/mcp-compliance",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
@@ -45,17 +45,17 @@
     "chalk": "^5.4.1",
     "commander": "^14.0.3",
     "undici": "^7.8.0",
-    "zod": "^3.24.4"
+    "zod": "^4.4.3"
   },
   "devDependencies": {
-    "@biomejs/biome": "^1.9.4",
+    "@biomejs/biome": "^2.4.16",
     "@types/node": "^25.5.2",
     "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
     "tsup": "^8.4.0",
     "tsx": "^4.21.0",
-    "typescript": "^5.8.3",
-    "vitest": "^3.1.1"
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.8"
   },
   "engines": {
     "node": ">=20"