@yawlabs/mcp-compliance 0.15.1 → 0.16.3

package/README.md

@@ -222,37 +222,13 @@ Check in a `mcp-compliance.config.json` so CI and your dev loop can run `mcp-com
 
 Precedence: CLI flags > config file > defaults. Any field can be overridden on the command line.
 
-### Publish a shareable badge (HTTP only)
+### Local SVG badge
 
-```bash
-mcp-compliance badge https://my-server.com/mcp
-```
-
-Runs the compliance suite, publishes the report to [mcp.hosting](https://mcp.hosting), and prints the markdown embed for your README. The badge image reflects the real grade (A–F) and links to the full report.
-
-| Option | Description |
-|--------|-------------|
-| `-H, --header <header>` | Add header to all requests, format `"Key: Value"` (repeatable) |
-| `--auth <token>` | Shorthand for `-H "Authorization: <token>"` |
-| `--timeout <ms>` | Request timeout in milliseconds (default: `15000`) |
-| `--no-publish` | Skip publishing; print a local badge markdown only |
-| `--output <file>` | Also write a local SVG badge to the given path |
-
-Reports are kept for 90 days from last submission; resubmitting the same URL overwrites the previous report. Auth headers are stripped client-side before upload. Private/loopback URLs (`localhost`, `127.0.0.1`, `192.168.*`, etc.) trigger an interactive confirmation before publishing, and are rejected by the server in any case.
-
-A delete token is returned at publish time and stored at `~/.mcp-compliance/tokens.json` (mode `0600`). Use it to take a report down:
-
-```bash
-mcp-compliance unpublish https://my-server.com/mcp
-```
-
-### Local SVG badge (any transport)
-
-Stdio servers can't be published (no public URL to key on), but you can commit a local SVG reflecting the real grade:
+Write a local SVG reflecting the real grade and commit it to your repo:
 
 ```bash
+mcp-compliance test https://my-server.com/mcp --output badge.svg
 mcp-compliance test node ./dist/server.js --output badge.svg
-mcp-compliance badge npx -y @modelcontextprotocol/server-filesystem /tmp --output badge.svg
 ```
 
 Then embed it in your README:
@@ -261,8 +237,6 @@ Then embed it in your README:
 ![MCP Compliance](./badge.svg)
 ```
 
-The `test` command never publishes — use it for CI, debugging, and local iteration. `badge` is the only command that publishes to mcp.hosting.
-
 ## What the 88 tests check
 
 <details>
@@ -495,7 +469,6 @@ Restart your MCP client and approve the server when prompted.
 ### Tools
 
 - **mcp_compliance_test** — Run the full 88-test suite against a URL or stdio command. Supports auth, custom headers, env vars, timeout, retries, and category/test filtering. Returns grade, score, and detailed results.
-- **mcp_compliance_badge** — Get the badge markdown/HTML for a server. Supports auth and custom headers.
 - **mcp_compliance_explain** — Explain what a specific test ID checks and why it matters.
 
 All tools have [MCP tool annotations](https://modelcontextprotocol.io/specification/2025-11-25/server/tools#annotations) (`readOnlyHint`, `destructiveHint`, `idempotentHint`, `openWorldHint`) so MCP clients can skip confirmation dialogs for safe operations.
@@ -560,11 +533,8 @@ The testing methodology is published openly so the grading is auditable:
 - **[Why `mcp-compliance`](./docs/WHY.md)** — the problem, existing alternatives, what this tool does differently
 - **[Fixing common failures](./docs/FIXES.md)** — recipes for the most frequent test failures with code snippets
 - **[Spec version migration policy](./docs/SPEC_VERSION_MIGRATION.md)** — how this tool evolves with MCP spec releases
-- **[mcp.hosting external API](./docs/EXT_API.md)** — public submit/retrieve/badge/delete endpoints used by `mcp-compliance badge` and any custom integrations
-- **[Enterprise tier (draft)](./docs/ENTERPRISE.md)** — paid tier structure for organizations with scheduled/private/audit-track compliance needs
 - **[Performance deep-dive](./docs/PERFORMANCE.md)** — why the suite is sequential and what parallel execution would cost
 - **[Spec PR drafts](./docs/spec-prs/)** — our proposed MCP spec clarifications for ambiguous cases we've hit
-- **[mcp.hosting integration spec](./docs/mcp-hosting-integration.md)** — the contract between this engine and the mcp.hosting platform: URL surfaces, data flow, storage model, badge API, leaderboard, router integration
 
 The methodology is not an authoritative conformance standard — it's one tool's choices, published so they can be inspected, adopted, or forked. The [official MCP specification](https://modelcontextprotocol.io/specification/2025-11-25) defines what servers must do; this document describes how `@yawlabs/mcp-compliance` verifies it.
 
@@ -596,7 +566,6 @@ npm test
 
 ## Links
 
-- [mcp.hosting](https://mcp.hosting) — Hosted MCP server infrastructure
 - [MCP Specification](https://modelcontextprotocol.io/specification/2025-11-25)
 - [Testing methodology](./COMPLIANCE_RUBRIC.md)
 - [Yaw Labs](https://yaw.sh)

package/dist/{chunk-B5HSDK4K.js → chunk-XBHHNN6R.js}

@@ -1,27 +1,6 @@
 // src/runner.ts
 import { request as request2 } from "undici";
 
-// src/badge.ts
-import { createHash } from "crypto";
-function urlHash(url) {
-  return createHash("sha256").update(url).digest("hex").slice(0, 24);
-}
-function generateBadge(url) {
-  const hash = urlHash(url);
-  const imageUrl = `https://mcp.hosting/api/compliance/ext/${hash}/badge`;
-  const reportUrl = `https://mcp.hosting/compliance/ext/${hash}`;
-  return {
-    imageUrl,
-    reportUrl,
-    markdown: `[![MCP Compliant](${imageUrl})](${reportUrl})`,
-    // loading="lazy" so READMEs that embed many badges don't block first
-    // paint on this image. Markdown renderers (GitHub, npmjs.com) emit
-    // their own <img> from the markdown form so the attribute only
-    // matters for the HTML form people paste into custom pages.
-    html: `<a href="${reportUrl}"><img src="${imageUrl}" alt="MCP Compliant" loading="lazy"></a>`
-  };
-}
-
 // src/grader.ts
 function computeGrade(score) {
   if (score >= 90) return "A";
@@ -78,6 +57,8 @@ import { existsSync, readFileSync } from "fs";
 import { dirname, join } from "path";
 import { fileURLToPath } from "url";
 function readPackageVersion(metaUrl) {
+  if (typeof __VERSION__ === "string" && __VERSION__) return __VERSION__;
+  if (!metaUrl) return "0.0.0";
   let dir = dirname(fileURLToPath(metaUrl));
   for (; ; ) {
     const pkgPath = join(dir, "package.json");
@@ -4132,7 +4113,7 @@ async function runComplianceSuite(target, options = {}) {
     warnings.length = 0;
     warnings.push(...capped);
     const { score, grade, overall, summary, categories } = computeScore(tests);
-    const badge = displayUrl.startsWith("stdio:") ? { imageUrl: "", reportUrl: "", markdown: "", html: "" } : generateBadge(displayUrl);
+    const badge = { imageUrl: "", reportUrl: "", markdown: "", html: "" };
     return {
       schemaVersion: REPORT_SCHEMA_VERSION,
       specVersion: SPEC_VERSION,
@@ -4162,8 +4143,6 @@ async function runComplianceSuite(target, options = {}) {
 }
 
 export {
-  urlHash,
-  generateBadge,
   computeGrade,
   computeScore,
   readPackageVersion,

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { watch as fsWatch, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { watch as fsWatch, readFileSync as readFileSync3, writeFileSync } from "fs";
 import { createRequire } from "module";
 import { createInterface } from "readline/promises";
 import chalk2 from "chalk";
@@ -726,6 +726,8 @@ import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
 import { dirname, join as join2 } from "path";
 import { fileURLToPath } from "url";
 function readPackageVersion(metaUrl) {
+  if (typeof __VERSION__ === "string" && __VERSION__) return __VERSION__;
+  if (!metaUrl) return "0.0.0";
   let dir = dirname(fileURLToPath(metaUrl));
   for (; ; ) {
     const pkgPath = join2(dir, "package.json");
@@ -748,27 +750,6 @@ import { z } from "zod";
 // src/runner.ts
 import { request as request2 } from "undici";
 
-// src/badge.ts
-import { createHash } from "crypto";
-function urlHash(url) {
-  return createHash("sha256").update(url).digest("hex").slice(0, 24);
-}
-function generateBadge(url) {
-  const hash = urlHash(url);
-  const imageUrl = `https://mcp.hosting/api/compliance/ext/${hash}/badge`;
-  const reportUrl = `https://mcp.hosting/compliance/ext/${hash}`;
-  return {
-    imageUrl,
-    reportUrl,
-    markdown: `[![MCP Compliant](${imageUrl})](${reportUrl})`,
-    // loading="lazy" so READMEs that embed many badges don't block first
-    // paint on this image. Markdown renderers (GitHub, npmjs.com) emit
-    // their own <img> from the markdown form so the attribute only
-    // matters for the HTML form people paste into custom pages.
-    html: `<a href="${reportUrl}"><img src="${imageUrl}" alt="MCP Compliant" loading="lazy"></a>`
-  };
-}
-
 // src/grader.ts
 function computeGrade(score) {
   if (score >= 90) return "A";
@@ -4491,7 +4472,7 @@ async function runComplianceSuite(target, options = {}) {
     warnings.length = 0;
     warnings.push(...capped);
     const { score, grade, overall, summary, categories } = computeScore(tests);
-    const badge = displayUrl.startsWith("stdio:") ? { imageUrl: "", reportUrl: "", markdown: "", html: "" } : generateBadge(displayUrl);
+    const badge = { imageUrl: "", reportUrl: "", markdown: "", html: "" };
     return {
       schemaVersion: REPORT_SCHEMA_VERSION,
       specVersion: SPEC_VERSION,
@@ -4588,56 +4569,6 @@ ${JSON.stringify(report, null, 2)}` }
       }
     }
   );
-  server.tool(
-    "mcp_compliance_badge",
-    "Get the badge markdown embed code for an MCP server. Runs the compliance test suite first to determine the grade.",
-    {
-      url: z.string().url().describe("The MCP server URL to test"),
-      auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string(), z.string()).optional().describe("Additional headers to include on all requests"),
-      timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)")
-    },
-    {
-      title: "Get Compliance Badge",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    async ({ url, auth, headers: extraHeaders, timeout }) => {
-      try {
-        const headers = { ...extraHeaders };
-        if (auth) headers.Authorization = auth;
-        const report = await runComplianceSuite(url, {
-          headers: Object.keys(headers).length > 0 ? headers : void 0,
-          timeout
-        });
-        const badge = report.badge;
-        return {
-          content: [
-            {
-              type: "text",
-              text: [
-                `Grade: ${report.grade} (${report.score}%)`,
-                "",
-                "Markdown:",
-                badge.markdown,
-                "",
-                "HTML:",
-                badge.html
-              ].join("\n")
-            }
-          ]
-        };
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        return {
-          content: [{ type: "text", text: `Error: ${message}` }],
-          isError: true
-        };
-      }
-    }
-  );
   server.tool(
     "mcp_compliance_explain",
     "Explain what a specific compliance test ID checks and why it matters.",
@@ -4721,75 +4652,6 @@ if (isInvokedDirectly()) {
   });
 }
 
-// src/publish.ts
-import { request as request3 } from "undici";
-var PUBLISH_BASE = "https://mcp.hosting";
-var PUBLISH_PATH = "/api/compliance/ext";
-var PUBLISH_TIMEOUT_MS = 1e4;
-var PUBLISH_RETRIES = 2;
-function sanitizeReport(report) {
-  const { headers: _h, auth: _a, ...rest } = report;
-  void _h;
-  void _a;
-  return rest;
-}
-async function publishReport(report) {
-  const body = JSON.stringify(sanitizeReport(report));
-  let lastErr;
-  for (let attempt = 0; attempt <= PUBLISH_RETRIES; attempt++) {
-    try {
-      const res = await request3(`${PUBLISH_BASE}${PUBLISH_PATH}`, {
-        method: "POST",
-        headers: { "content-type": "application/json" },
-        body,
-        signal: AbortSignal.timeout(PUBLISH_TIMEOUT_MS)
-      });
-      if (res.statusCode >= 500 && attempt < PUBLISH_RETRIES) {
-        await res.body.dump();
-        await new Promise((r) => setTimeout(r, 500 * (attempt + 1)));
-        continue;
-      }
-      const text = await res.body.text();
-      if (res.statusCode >= 400) {
-        let message = `Publish failed: HTTP ${res.statusCode}`;
-        try {
-          const parsed2 = JSON.parse(text);
-          if (parsed2.error) message = `Publish failed: ${parsed2.error}`;
-        } catch {
-        }
-        throw new Error(message);
-      }
-      const parsed = JSON.parse(text);
-      if (!parsed.hash || !parsed.deleteToken || !parsed.reportUrl || !parsed.badgeUrl) {
-        throw new Error("Publish failed: malformed response from mcp.hosting");
-      }
-      return parsed;
-    } catch (err) {
-      lastErr = err;
-      if (attempt < PUBLISH_RETRIES) {
-        await new Promise((r) => setTimeout(r, 500 * (attempt + 1)));
-      }
-    }
-  }
-  throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
-}
-async function unpublishReport(hash, deleteToken2) {
-  const res = await request3(`${PUBLISH_BASE}${PUBLISH_PATH}/${hash}`, {
-    method: "DELETE",
-    headers: { authorization: `Bearer ${deleteToken2}` },
-    signal: AbortSignal.timeout(PUBLISH_TIMEOUT_MS)
-  });
-  const text = await res.body.text();
-  if (res.statusCode === 204 || res.statusCode === 404) return;
-  let message = `Unpublish failed: HTTP ${res.statusCode}`;
-  try {
-    const parsed = JSON.parse(text);
-    if (parsed.error) message = `Unpublish failed: ${parsed.error}`;
-  } catch {
-  }
-  throw new Error(message);
-}
-
 // src/reporter.ts
 import chalk from "chalk";
 var CATEGORY_LABELS = {
@@ -4957,13 +4819,7 @@ function formatTerminal(report) {
     }
     out.push("");
   }
-  if (report.url.startsWith("stdio:")) {
-    out.push(
-      chalk.dim("  Badge:    stdio targets aren't published. Run with --output badge.svg for a local badge image.")
-    );
-  } else {
-    out.push(chalk.dim(`  Badge:    ${report.badge.markdown}`));
-  }
+  out.push(chalk.dim("  Badge:    run with --output badge.svg for a local badge image."));
   out.push("");
   return out.join("\n");
 }
@@ -5107,14 +4963,6 @@ function formatMarkdown(report) {
     for (const w of report.warnings) lines.push(`- ${w}`);
     lines.push("");
   }
-  if (!report.url.startsWith("stdio:")) {
-    lines.push("## Badge");
-    lines.push("");
-    lines.push("```markdown");
-    lines.push(report.badge.markdown);
-    lines.push("```");
-    lines.push("");
-  }
   return lines.join("\n");
 }
 function formatHtml(report) {
@@ -5133,7 +4981,6 @@ function formatHtml(report) {
   const grouped = /* @__PURE__ */ new Map();
   for (const cat of CATEGORY_ORDER) grouped.set(cat, []);
   for (const t of report.tests) grouped.get(t.category)?.push(t);
-  const isStdio = report.url.startsWith("stdio:");
   return `<!doctype html>
 <html lang="en">
 <head>
@@ -5232,11 +5079,8 @@ function formatHtml(report) {
     </tbody></table></div>`
   ).join("")}
 
-  ${!isStdio ? `<div class="card"><h2>Embed badge</h2>
-    <div class="badge-img"><img src="${esc(report.badge.imageUrl)}" alt="MCP Compliance"></div>
-    <p class="muted" style="margin-top:12px">Markdown:</p>
-    <code style="display:block; padding:8px; background:#0b0f17">${esc(report.badge.markdown)}</code></div>` : `<div class="card"><h2>Local badge</h2>
-    <p class="muted">Stdio servers can't be published to mcp.hosting (no public URL). Use <code>--output badge.svg</code> to write a local badge image.</p></div>`}
+  ${`<div class="card"><h2>Local badge</h2>
+    <p class="muted">Use <code>--output badge.svg</code> to write a local badge image.</p></div>`}
 
   <footer>
     Generated by <a href="https://www.npmjs.com/package/@yawlabs/mcp-compliance">@yawlabs/mcp-compliance</a> v${esc(report.toolVersion)}
@@ -5260,65 +5104,8 @@ function splitStdioTarget(s) {
   return { command: tokens[0], args: tokens.slice(1) };
 }
 
-// src/token-store.ts
-import { existsSync as existsSync3, mkdirSync, readFileSync as readFileSync3, writeFileSync } from "fs";
-import { homedir } from "os";
-import { dirname as dirname3, join as join3 } from "path";
-var STORE_DIR = join3(homedir(), ".mcp-compliance");
-var STORE_PATH = join3(STORE_DIR, "tokens.json");
-function hashUrl(url) {
-  return urlHash(url);
-}
-function readStore() {
-  if (!existsSync3(STORE_PATH)) return {};
-  try {
-    const raw = readFileSync3(STORE_PATH, "utf8");
-    const parsed = JSON.parse(raw);
-    return parsed && typeof parsed === "object" ? parsed : {};
-  } catch {
-    return {};
-  }
-}
-function writeStore(store) {
-  const dir = dirname3(STORE_PATH);
-  try {
-    if (!existsSync3(dir)) mkdirSync(dir, { recursive: true, mode: 448 });
-    writeFileSync(STORE_PATH, JSON.stringify(store, null, 2), { mode: 384 });
-  } catch (err) {
-    const code = err?.code;
-    if (code === "EACCES" || code === "EPERM") {
-      throw new Error(
-        `Cannot write delete-token store at ${STORE_PATH}: permission denied. If you don't need to publish, re-run with --no-publish. Otherwise, ensure your home directory is writable.`
-      );
-    }
-    if (code === "ENOSPC") {
-      throw new Error(`Cannot write delete-token store at ${STORE_PATH}: no space left on device.`);
-    }
-    const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`Cannot write delete-token store at ${STORE_PATH}: ${message}`);
-  }
-}
-function saveToken(hash, entry) {
-  const store = readStore();
-  store[hash] = entry;
-  writeStore(store);
-}
-function getTokenForUrl(url) {
-  const hash = hashUrl(url);
-  const store = readStore();
-  const entry = store[hash];
-  return entry ? { hash, entry } : null;
-}
-function deleteToken(hash) {
-  const store = readStore();
-  if (!(hash in store)) return;
-  delete store[hash];
-  writeStore(store);
-}
-
 // src/index.ts
-var require2 = createRequire(import.meta.url);
-var { version: version2 } = require2("../package.json");
+var version2 = typeof __VERSION__ === "string" && __VERSION__ ? __VERSION__ : createRequire(import.meta.url)("../package.json").version;
 function parseHeaderArg(value, prev) {
   const idx = value.indexOf(":");
   if (idx === -1) {
@@ -5361,7 +5148,7 @@ function parseEnvVar(value, prev) {
 function readEnvFile(path) {
   let contents;
   try {
-    contents = readFileSync4(path, "utf8");
+    contents = readFileSync3(path, "utf8");
   } catch (err) {
     const code = err?.code;
     if (code === "ENOENT") throw new Error(`--env-file: file not found: ${path}`);
@@ -5423,55 +5210,6 @@ function resolveTarget(cliTarget, cliExtraArgs, cliOpts, config) {
   if (config?.target) return config.target;
   throw new Error("No target specified. Pass a URL or command, or add 'target' to mcp-compliance.config.json.");
 }
-var PRIVATE_TLD_SUFFIXES = [
-  ".local",
-  ".localhost",
-  ".internal",
-  ".corp",
-  ".home",
-  ".home.arpa",
-  ".lan",
-  ".intranet",
-  ".private",
-  ".test",
-  ".invalid",
-  ".example",
-  ".onion"
-];
-function isPrivateHost(urlStr) {
-  let host;
-  try {
-    host = new URL(urlStr).hostname.toLowerCase();
-  } catch {
-    return false;
-  }
-  if (host === "localhost") return true;
-  for (const suffix of PRIVATE_TLD_SUFFIXES) {
-    if (host === suffix.slice(1) || host.endsWith(suffix)) return true;
-  }
-  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
-  if (v4) {
-    const [a, b] = v4.slice(1).map(Number);
-    if (a === 10 || a === 127 || a === 169 && b === 254) return true;
-    if (a === 172 && b >= 16 && b <= 31) return true;
-    if (a === 192 && b === 168) return true;
-    if (a === 0) return true;
-  }
-  const v6 = host.replace(/^\[|\]$/g, "");
-  if (v6 === "::1") return true;
-  if (v6.includes(":") && (v6.startsWith("fe80:") || v6.startsWith("fc") || v6.startsWith("fd"))) return true;
-  return false;
-}
-async function promptYesNo(message) {
-  if (!process.stdin.isTTY) return false;
-  const rl = createInterface({ input: process.stdin, output: process.stderr });
-  try {
-    const answer = (await rl.question(`${message} [y/N]: `)).trim().toLowerCase();
-    return answer === "y" || answer === "yes";
-  } finally {
-    rl.close();
-  }
-}
 var program = new Command();
 program.name("mcp-compliance").description("Test MCP servers for spec compliance").version(version2);
 program.command("test").description("Run the full compliance test suite against an MCP server (URL or stdio command)").argument(
@@ -5610,7 +5348,7 @@ Testing ${describeTarget(transportTarget)}...
         }
         if (opts.output) {
           const svg = renderBadgeSvg({ grade: report2.grade, score: report2.score, timestamp: report2.timestamp });
-          writeFileSync2(opts.output, svg, "utf8");
+          writeFileSync(opts.output, svg, "utf8");
           if (opts.format === "terminal") {
             console.log(chalk2.dim(`
 Badge SVG written to ${opts.output}`));
@@ -5693,144 +5431,6 @@ Error: ${message}
     }
   }
 );
-program.command("badge").description("Run tests and publish a shareable compliance badge to mcp.hosting (HTTP targets only)").argument(
-  "[target]",
-  "Server URL, or command to spawn as a stdio server (optional when a config file defines 'target')"
-).argument("[extraArgs...]", "Additional args passed to the stdio command").option("--config <path>", "Load options from a config file").option(
-  "-H, --header <header>",
-  'Add header to all requests (format: "Key: Value", repeatable; HTTP only)',
-  parseHeaderArg,
-  {}
-).option("--auth <token>", 'Shorthand for -H "Authorization: <token>" (HTTP only)').option("-E, --env <var>", 'Set env var for stdio command ("KEY=VALUE", repeatable)', parseEnvVar, {}).option("--env-file <path>", "Load env vars from file (stdio only)").option("--cwd <dir>", "Working directory for stdio command").option("--timeout <ms>", "Request timeout in milliseconds (default: 15000, or `timeout` in config)").option("--no-publish", "Do not publish the report to mcp.hosting").option("--output <file>", "Write a local SVG badge to the given path (works for any transport)").option("--no-color", "Disable colored output (also honors NO_COLOR env var)").action(
-  async (target, extraArgs, opts) => {
-    if (opts.color === false) chalk2.level = 0;
-    try {
-      const config = loadConfig(opts.config);
-      const transportTarget = resolveTarget(
-        target,
-        extraArgs,
-        {
-          header: opts.header,
-          auth: opts.auth,
-          env: opts.env,
-          envFile: opts.envFile,
-          cwd: opts.cwd
-        },
-        config
-      );
-      const shouldPublish = opts.publish && transportTarget.type === "http";
-      if (shouldPublish && transportTarget.type === "http" && isPrivateHost(transportTarget.url)) {
-        console.error(
-          chalk2.yellow(
-            `
-Warning: ${transportTarget.url} looks like a private/internal address. Publishing will send the report (with the URL) to mcp.hosting.`
-          )
-        );
-        const ok = await promptYesNo(chalk2.yellow("Publish anyway?"));
-        if (!ok) {
-          console.error(chalk2.dim("\nAborted. Re-run with --no-publish to skip publishing.\n"));
-          process.exit(1);
-        }
-      }
-      console.log(chalk2.dim(`
-Testing ${describeTarget(transportTarget)}...
-`));
-      let badgeTimeout = config?.timeout ?? 15e3;
-      if (opts.timeout !== void 0) badgeTimeout = parsePositiveInt(opts.timeout, "--timeout", 1);
-      const report = await runComplianceSuite(transportTarget, {
-        timeout: badgeTimeout
-      });
-      let markdown = report.badge.markdown;
-      if (shouldPublish && transportTarget.type === "http") {
-        try {
-          const res = await publishReport(report);
-          saveToken(res.hash, {
-            deleteToken: res.deleteToken,
-            url: transportTarget.url,
-            publishedAt: (/* @__PURE__ */ new Date()).toISOString()
-          });
-          markdown = `[![MCP Compliant](${res.badgeUrl})](${res.reportUrl})`;
-          console.log(`Grade: ${report.grade} (${report.score}%)
-`);
-          console.log(markdown);
-          console.log(chalk2.dim(`
-Report published: ${res.reportUrl}`));
-          console.log(chalk2.dim(`Remove with: mcp-compliance unpublish ${transportTarget.url}
-`));
-        } catch (err) {
-          const message = err instanceof Error ? err.message : String(err);
-          console.error(chalk2.yellow(`
-Warning: publish failed \u2014 ${message}`));
-          console.error(chalk2.dim("Falling back to local badge markdown.\n"));
-          console.log(`Grade: ${report.grade} (${report.score}%)
-`);
-          console.log(markdown);
-          console.log("");
-        }
-      } else {
-        console.log(`Grade: ${report.grade} (${report.score}%)
-`);
-        if (transportTarget.type === "stdio") {
-          if (!opts.output) {
-            console.log(
-              chalk2.dim(
-                "Stdio servers cannot be published. Pass --output <file.svg> to write a local badge image for your README."
-              )
-            );
-          }
-        } else {
-          console.log(markdown);
-        }
-        console.log("");
-      }
-      if (opts.output) {
-        const svg = renderBadgeSvg({ grade: report.grade, score: report.score, timestamp: report.timestamp });
-        writeFileSync2(opts.output, svg, "utf8");
-        console.log(chalk2.dim(`Badge SVG written to ${opts.output}
-`));
-      }
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      console.error(chalk2.red(`
-Error: ${message}
-`));
-      process.exit(1);
-    }
-  }
-);
-program.command("unpublish").description("Remove a previously-published compliance report from mcp.hosting").argument("<url>", "MCP server URL whose report should be removed").option("-y, --yes", "Skip the confirmation prompt (for automation)").action(async (url, opts) => {
-  try {
-    const stored = getTokenForUrl(url);
-    if (!stored) {
-      console.log(chalk2.dim(`
-No delete token found locally for ${url} \u2014 nothing to unpublish from this machine.`));
-      console.log(
-        chalk2.dim(
-          "(Delete tokens are stored locally at publish time. If you published from a different machine, run unpublish from there.)\n"
-        )
-      );
-      return;
-    }
-    if (!opts.yes) {
-      const ok = await promptYesNo(chalk2.yellow(`Remove the published report for ${url}? This cannot be undone.`));
-      if (!ok) {
-        console.error(chalk2.dim("\nAborted. Re-run with --yes to skip this prompt.\n"));
-        return;
-      }
-    }
-    await unpublishReport(stored.hash, stored.entry.deleteToken);
-    deleteToken(stored.hash);
-    console.log(chalk2.green(`
-Removed report for ${url}.
-`));
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    console.error(chalk2.red(`
-Error: ${message}
-`));
-    process.exit(1);
-  }
-});
 program.command("benchmark").description("Measure ping latency and throughput against an MCP server (URL or stdio command)").argument("[target]", "Server URL or stdio command").argument("[extraArgs...]", "Additional args for stdio command").option("-r, --requests <n>", "Number of ping requests to send", "100").option("-c, --concurrency <n>", "Concurrent in-flight requests", "1").option("--timeout <ms>", "Per-request timeout in milliseconds", "15000").option("--config <path>", "Load options from a config file").option("--format <format>", "terminal or json", "terminal").option("-H, --header <header>", "HTTP header (repeatable)", parseHeaderArg, {}).option("--auth <token>", 'Shorthand for -H "Authorization: <token>"').option("-E, --env <var>", "Env var for stdio (repeatable)", parseEnvVar, {}).option("--env-file <path>", "Load env vars from file").option("--cwd <dir>", "Working directory for stdio command").action(
   async (target, extraArgs, opts) => {
     try {
@@ -5863,8 +5463,8 @@ Error: ${message}
 );
 program.command("diff").description("Compare two compliance JSON reports; exit 1 if there are regressions").argument("<baseline>", "Baseline report JSON file").argument("<current>", "Current report JSON file").option("--format <format>", "terminal or json", "terminal").action((baselinePath, currentPath, opts) => {
   try {
-    const baseline = JSON.parse(readFileSync4(baselinePath, "utf8"));
-    const current = JSON.parse(readFileSync4(currentPath, "utf8"));
+    const baseline = JSON.parse(readFileSync3(baselinePath, "utf8"));
+    const current = JSON.parse(readFileSync3(currentPath, "utf8"));
     const summary = diffReports(baseline, current);
     if (opts.format === "json") {
       console.log(JSON.stringify(summary, null, 2));
@@ -5881,10 +5481,10 @@ Error: ${message}
   }
 });
 program.command("init").description("Scaffold a mcp-compliance.config.json in the current directory").option("--force", "Overwrite an existing config file without asking").action(async (opts) => {
-  const { existsSync: existsSync4, writeFileSync: write } = await import("fs");
+  const { existsSync: existsSync3, writeFileSync: write } = await import("fs");
   const { join: joinPath } = await import("path");
   const out = joinPath(process.cwd(), "mcp-compliance.config.json");
-  if (existsSync4(out) && !opts.force) {
+  if (existsSync3(out) && !opts.force) {
     console.error(chalk2.red(`
 A config already exists at ${out}.`));
     console.error(chalk2.dim("Re-run with --force to overwrite.\n"));

package/dist/mcp/server.js

@@ -3,7 +3,7 @@ import {
   TEST_DEFINITIONS,
   readPackageVersion,
   runComplianceSuite
-} from "../chunk-B5HSDK4K.js";
+} from "../chunk-XBHHNN6R.js";
 
 // src/mcp/server.ts
 import { realpathSync } from "fs";
@@ -81,56 +81,6 @@ ${JSON.stringify(report, null, 2)}` }
       }
     }
   );
-  server.tool(
-    "mcp_compliance_badge",
-    "Get the badge markdown embed code for an MCP server. Runs the compliance test suite first to determine the grade.",
-    {
-      url: z.string().url().describe("The MCP server URL to test"),
-      auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
-      headers: z.record(z.string(), z.string()).optional().describe("Additional headers to include on all requests"),
-      timeout: z.number().int().min(1).max(3e5).optional().describe("Request timeout in milliseconds (default: 15000, max: 300000)")
-    },
-    {
-      title: "Get Compliance Badge",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    async ({ url, auth, headers: extraHeaders, timeout }) => {
-      try {
-        const headers = { ...extraHeaders };
-        if (auth) headers.Authorization = auth;
-        const report = await runComplianceSuite(url, {
-          headers: Object.keys(headers).length > 0 ? headers : void 0,
-          timeout
-        });
-        const badge = report.badge;
-        return {
-          content: [
-            {
-              type: "text",
-              text: [
-                `Grade: ${report.grade} (${report.score}%)`,
-                "",
-                "Markdown:",
-                badge.markdown,
-                "",
-                "HTML:",
-                badge.html
-              ].join("\n")
-            }
-          ]
-        };
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        return {
-          content: [{ type: "text", text: `Error: ${message}` }],
-          isError: true
-        };
-      }
-    }
-  );
   server.tool(
     "mcp_compliance_explain",
     "Explain what a specific compliance test ID checks and why it matters.",

package/dist/runner.d.ts

@@ -46,6 +46,11 @@ interface ComplianceReport {
     resourceNames: string[];
     promptCount: number;
     promptNames: string[];
+    /**
+     * @deprecated The hosted badge renderer (mcp.hosting) is retired; these
+     * fields are always empty and will be removed in schema v2. For a local
+     * badge image, use the CLI's `--output <file>.svg`.
+     */
     badge: {
         imageUrl: string;
         reportUrl: string;
@@ -92,27 +97,6 @@ type TransportTarget = {
 /** All 88 test IDs with descriptions for the explain command */
 declare const TEST_DEFINITIONS: TestDefinition[];
 
-/**
- * Generate a short, deterministic hash of a URL for badge paths.
- * SHA-256 truncated to 24 hex chars (96 bits of entropy) — matches the
- * server-side hash width used by mcp.hosting for `/compliance/ext/<hash>`.
- *
- * Exported so mcp.hosting (and other consumers) can compute matching
- * hashes when looking up reports/badges by URL. The hash is the canonical
- * key for `/compliance/ext/<hash>` and `/api/compliance/ext/<hash>/badge`.
- */
-declare function urlHash(url: string): string;
-/**
- * Generate badge URLs and markdown for a compliance report.
- * Badge images are served by mcp.hosting.
- */
-declare function generateBadge(url: string): {
-    imageUrl: string;
-    reportUrl: string;
-    markdown: string;
-    html: string;
-};
-
 declare function computeGrade(score: number): Grade;
 declare function computeScore(tests: TestResult[]): {
     score: number;
@@ -226,4 +210,4 @@ interface RunOptions {
  */
 declare function runComplianceSuite(target: string | TransportTarget, options?: RunOptions): Promise<ComplianceReport>;
 
-export { type ComplianceReport, type PreviewOptions, type RunOptions, SPEC_BASE, SPEC_VERSION, TEST_DEFINITIONS, type TestResult, computeGrade, computeScore, dedupAndCapWarnings, generateBadge, parseSSEResponse, previewTests, runComplianceSuite, urlHash };
+export { type ComplianceReport, type PreviewOptions, type RunOptions, SPEC_BASE, SPEC_VERSION, TEST_DEFINITIONS, type TestResult, computeGrade, computeScore, dedupAndCapWarnings, parseSSEResponse, previewTests, runComplianceSuite };

package/dist/runner.js

@@ -5,12 +5,10 @@ import {
   computeGrade,
   computeScore,
   dedupAndCapWarnings,
-  generateBadge,
   parseSSEResponse,
   previewTests,
-  runComplianceSuite,
-  urlHash
-} from "./chunk-B5HSDK4K.js";
+  runComplianceSuite
+} from "./chunk-XBHHNN6R.js";
 export {
   SPEC_BASE,
   SPEC_VERSION,
@@ -18,9 +16,7 @@ export {
   computeGrade,
   computeScore,
   dedupAndCapWarnings,
-  generateBadge,
   parseSSEResponse,
   previewTests,
-  runComplianceSuite,
-  urlHash
+  runComplianceSuite
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcp-compliance",
-  "version": "0.15.1",
+  "version": "0.16.3",
   "mcpName": "io.github.YawLabs/mcp-compliance",
   "description": "CLI tool and MCP server that tests MCP servers for spec compliance",
   "license": "MIT",
@@ -40,11 +40,14 @@
     "prepublishOnly": "npm run build",
     "start": "node dist/index.js"
   },
+  "overrides": {
+    "esbuild": "^0.28.1"
+  },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "chalk": "^5.4.1",
     "commander": "^14.0.3",
-    "undici": "^7.8.0",
+    "undici": "^7.28.0",
     "zod": "^4.4.3"
   },
   "devDependencies": {
@@ -52,8 +55,10 @@
     "@types/node": "^25.5.2",
     "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
-    "tsup": "^8.4.0",
-    "tsx": "^4.21.0",
+    "esbuild": "^0.28.1",
+    "postject": "^1.0.0-alpha.6",
+    "tsup": "^8.5.1",
+    "tsx": "^4.22.4",
     "typescript": "^6.0.3",
     "vitest": "^4.1.8"
   },
@@ -79,5 +84,5 @@
   "bugs": {
     "url": "https://github.com/YawLabs/mcp-compliance/issues"
   },
-  "homepage": "https://mcp.hosting"
+  "homepage": "https://github.com/YawLabs/mcp-compliance"
 }

package/schemas/report.v1.json

@@ -1,8 +1,8 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mcp.hosting/schemas/compliance/report.v1.json",
+  "$id": "https://yaw.sh/schemas/mcp-compliance/report.v1.json",
   "title": "MCP Compliance Report",
-  "description": "Structured output of the mcp-compliance test suite. Stable, versioned contract — increment schemaVersion on breaking changes. Consumed by mcp.hosting and third-party dashboards.",
+  "description": "Structured output of the mcp-compliance test suite. Stable, versioned contract — increment schemaVersion on breaking changes. Consumed by Yaw MCP and third-party dashboards.",
   "type": "object",
   "required": [
     "schemaVersion",
@@ -120,8 +120,8 @@
       "type": "object",
       "required": ["imageUrl", "reportUrl", "markdown", "html"],
       "properties": {
-        "imageUrl": { "type": "string", "format": "uri" },
-        "reportUrl": { "type": "string", "format": "uri" },
+        "imageUrl": { "type": "string" },
+        "reportUrl": { "type": "string" },
         "markdown": { "type": "string" },
         "html": { "type": "string" }
       },