@yawlabs/mcp-compliance 0.2.1 → 0.4.0

package/dist/index.js

@@ -1,13 +1,40 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { Command } from "commander";
+import { createRequire as createRequire3 } from "module";
 import chalk2 from "chalk";
+import { Command } from "commander";
+
+// src/mcp/server.ts
 import { createRequire as createRequire2 } from "module";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+
+// src/mcp/tools.ts
+import { z } from "zod";
 
 // src/runner.ts
-import { request } from "undici";
 import { createRequire } from "module";
+import { request } from "undici";
+
+// src/badge.ts
+function generateBadge(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    parsed = new URL("https://unknown");
+  }
+  const encoded = encodeURIComponent(parsed.href);
+  const imageUrl = `https://mcp.hosting/api/compliance/${encoded}/badge`;
+  const reportUrl = `https://mcp.hosting/compliance/${encoded}`;
+  return {
+    imageUrl,
+    reportUrl,
+    markdown: `[![MCP Compliant](${imageUrl})](${reportUrl})`,
+    html: `<a href="${reportUrl}"><img src="${imageUrl}" alt="MCP Compliant"></a>`
+  };
+}
 
 // src/grader.ts
 function computeGrade(score) {
@@ -44,77 +71,402 @@ function computeScore(tests) {
   };
 }
 
-// src/badge.ts
-function generateBadge(url) {
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch {
-    parsed = new URL("https://unknown");
-  }
-  const encoded = encodeURIComponent(parsed.href);
-  const imageUrl = `https://mcp.hosting/api/compliance/${encoded}/badge`;
-  const reportUrl = `https://mcp.hosting/compliance/${encoded}`;
-  return {
-    imageUrl,
-    reportUrl,
-    markdown: `[![MCP Compliant](${imageUrl})](${reportUrl})`,
-    html: `<a href="${reportUrl}"><img src="${imageUrl}" alt="MCP Compliant"></a>`
-  };
-}
-
 // src/types.ts
 var TEST_DEFINITIONS = [
   // ── Transport (7 tests) ──────────────────────────────────────────
-  { id: "transport-post", name: "HTTP POST accepted", category: "transport", required: true, specRef: "basic/transports#streamable-http", description: "Verifies the server accepts HTTP POST requests and returns a 2xx status code. This is the fundamental transport requirement for Streamable HTTP MCP servers." },
-  { id: "transport-content-type", name: "Responds with JSON or SSE", category: "transport", required: true, specRef: "basic/transports#streamable-http", description: "Checks that the server responds with Content-Type application/json or text/event-stream. MCP servers must use one of these two content types." },
-  { id: "transport-notification-202", name: "Notification returns 202 Accepted", category: "transport", required: false, specRef: "basic/transports#streamable-http", description: "Verifies that sending a JSON-RPC notification (no id field) returns HTTP 202 Accepted with no body. Per spec, servers MUST return 202 for notifications." },
-  { id: "transport-session-id", name: "Enforces MCP-Session-Id after init", category: "transport", required: false, specRef: "basic/transports#streamable-http", description: "Tests that the server returns HTTP 400 when MCP-Session-Id header is missing on requests after initialization (when the server issued a session ID)." },
-  { id: "transport-get", name: "GET returns SSE stream or 405", category: "transport", required: false, specRef: "basic/transports#streamable-http", description: "Tests the GET endpoint for server-initiated messages. Server should return text/event-stream or 405 Method Not Allowed." },
-  { id: "transport-delete", name: "DELETE accepted or returns 405", category: "transport", required: false, specRef: "basic/transports#streamable-http", description: "Tests the DELETE endpoint for session termination. Server should accept the request or return 405 Method Not Allowed." },
-  { id: "transport-batch-reject", name: "Rejects JSON-RPC batch requests", category: "transport", required: true, specRef: "basic/transports#streamable-http", description: "Sends a JSON-RPC batch request (array of messages) and verifies the server rejects it with an error. MCP does not support JSON-RPC batch requests." },
+  {
+    id: "transport-post",
+    name: "HTTP POST accepted",
+    category: "transport",
+    required: true,
+    specRef: "basic/transports#streamable-http",
+    description: "Verifies the server accepts HTTP POST requests and returns a 2xx status code. This is the fundamental transport requirement for Streamable HTTP MCP servers.",
+    recommendation: "Ensure your server listens for POST requests on the MCP endpoint. If you see 401/403, pass --auth with a valid token. Check that the URL is correct and the server is running."
+  },
+  {
+    id: "transport-content-type",
+    name: "Responds with JSON or SSE",
+    category: "transport",
+    required: true,
+    specRef: "basic/transports#streamable-http",
+    description: "Checks that the server responds with Content-Type application/json or text/event-stream. MCP servers must use one of these two content types.",
+    recommendation: 'Set the Content-Type response header to "application/json" for synchronous responses or "text/event-stream" for streaming. Do not use text/html or other types.'
+  },
+  {
+    id: "transport-notification-202",
+    name: "Notification returns 202 Accepted",
+    category: "transport",
+    required: false,
+    specRef: "basic/transports#streamable-http",
+    description: "Verifies that sending a JSON-RPC notification (no id field) returns HTTP 202 Accepted with no body. Per spec, servers MUST return 202 for notifications.",
+    recommendation: "Detect JSON-RPC messages without an id field and return HTTP 202 with an empty body. Do not attempt to send a JSON-RPC response for notifications."
+  },
+  {
+    id: "transport-session-id",
+    name: "Enforces MCP-Session-Id after init",
+    category: "transport",
+    required: false,
+    specRef: "basic/transports#streamable-http",
+    description: "Tests that the server returns HTTP 400 when MCP-Session-Id header is missing on requests after initialization (when the server issued a session ID).",
+    recommendation: "If your server issues an MCP-Session-Id header in the initialize response, reject subsequent requests that omit this header with HTTP 400."
+  },
+  {
+    id: "transport-get",
+    name: "GET returns SSE stream or 405",
+    category: "transport",
+    required: false,
+    specRef: "basic/transports#streamable-http",
+    description: "Tests the GET endpoint for server-initiated messages. Server should return text/event-stream or 405 Method Not Allowed.",
+    recommendation: "If your server supports server-initiated messages, handle GET with text/event-stream. Otherwise, return 405 Method Not Allowed."
+  },
+  {
+    id: "transport-delete",
+    name: "DELETE accepted or returns 405",
+    category: "transport",
+    required: false,
+    specRef: "basic/transports#streamable-http",
+    description: "Tests the DELETE endpoint for session termination. Server should accept the request or return 405 Method Not Allowed.",
+    recommendation: "Handle DELETE requests for session cleanup, or return 405 if session termination is not supported. Do not return 500."
+  },
+  {
+    id: "transport-batch-reject",
+    name: "Rejects JSON-RPC batch requests",
+    category: "transport",
+    required: true,
+    specRef: "basic/transports#streamable-http",
+    description: "Sends a JSON-RPC batch request (array of messages) and verifies the server rejects it with an error. MCP does not support JSON-RPC batch requests.",
+    recommendation: "Check if the parsed JSON body is an array. If so, return a JSON-RPC error or HTTP 400. Do not process batch requests \u2014 MCP explicitly forbids them."
+  },
   // ── Lifecycle (10 tests) ─────────────────────────────────────────
-  { id: "lifecycle-init", name: "Initialize handshake", category: "lifecycle", required: true, specRef: "basic/lifecycle#initialization", description: "Tests the initialize handshake by sending an initialize request with client capabilities. The server must return a result with protocolVersion." },
-  { id: "lifecycle-proto-version", name: "Returns valid protocol version", category: "lifecycle", required: true, specRef: "basic/lifecycle#version-negotiation", description: "Validates that the protocolVersion returned by the server matches the YYYY-MM-DD date format required by the spec." },
-  { id: "lifecycle-server-info", name: "Includes serverInfo", category: "lifecycle", required: false, specRef: "basic/lifecycle#initialization", description: "Checks that the server includes a serverInfo object with at least a name field in its initialize response. While recommended, this is not strictly required." },
-  { id: "lifecycle-capabilities", name: "Returns capabilities object", category: "lifecycle", required: true, specRef: "basic/lifecycle#capability-negotiation", description: "Verifies the server returns a capabilities object in its initialize response. An empty object is valid (no optional features declared)." },
-  { id: "lifecycle-jsonrpc", name: "Response is valid JSON-RPC 2.0", category: "lifecycle", required: true, specRef: "basic", description: 'Validates that the initialize response is a proper JSON-RPC 2.0 message with jsonrpc="2.0", an id field, and either a result or error field.' },
-  { id: "lifecycle-ping", name: "Responds to ping", category: "lifecycle", required: true, specRef: "basic/utilities#ping", description: "Tests that the server responds to the ping method with an empty result object. This is a required utility method." },
-  { id: "lifecycle-instructions", name: "Instructions field is valid", category: "lifecycle", required: false, specRef: "basic/lifecycle#initialization", description: "If the server includes an instructions field in the initialize response, validates it is a string. Instructions provide guidance for how the client should interact with the server." },
-  { id: "lifecycle-id-match", name: "Response ID matches request ID", category: "lifecycle", required: true, specRef: "basic", description: "Verifies that the JSON-RPC response id matches the request id sent by the client. This is a fundamental JSON-RPC 2.0 requirement." },
-  { id: "lifecycle-logging", name: "logging/setLevel accepted", category: "lifecycle", required: false, specRef: "server/utilities#logging", description: "If the server declares logging capability, tests that logging/setLevel method is accepted with a valid log level." },
-  { id: "lifecycle-completions", name: "completion/complete accepted", category: "lifecycle", required: false, specRef: "server/utilities#completion", description: "If the server declares completions capability, tests that the completion/complete method is accepted." },
+  {
+    id: "lifecycle-init",
+    name: "Initialize handshake",
+    category: "lifecycle",
+    required: true,
+    specRef: "basic/lifecycle#initialization",
+    description: "Tests the initialize handshake by sending an initialize request with client capabilities. The server must return a result with protocolVersion.",
+    recommendation: 'Implement the "initialize" method handler. Return a result object with at least protocolVersion, capabilities, and serverInfo fields.'
+  },
+  {
+    id: "lifecycle-proto-version",
+    name: "Returns valid protocol version",
+    category: "lifecycle",
+    required: true,
+    specRef: "basic/lifecycle#version-negotiation",
+    description: "Validates that the protocolVersion returned by the server matches the YYYY-MM-DD date format required by the spec.",
+    recommendation: `Return protocolVersion as a YYYY-MM-DD string (e.g., "2025-11-25"). The server should negotiate based on the client's requested version.`
+  },
+  {
+    id: "lifecycle-server-info",
+    name: "Includes serverInfo",
+    category: "lifecycle",
+    required: false,
+    specRef: "basic/lifecycle#initialization",
+    description: "Checks that the server includes a serverInfo object with at least a name field in its initialize response. While recommended, this is not strictly required.",
+    recommendation: 'Add a serverInfo object to your initialize response: { name: "your-server", version: "1.0.0" }. This helps clients identify your server.'
+  },
+  {
+    id: "lifecycle-capabilities",
+    name: "Returns capabilities object",
+    category: "lifecycle",
+    required: true,
+    specRef: "basic/lifecycle#capability-negotiation",
+    description: "Verifies the server returns a capabilities object in its initialize response. An empty object is valid (no optional features declared).",
+    recommendation: "Include a capabilities object in your initialize response. Declare the features your server supports (tools, resources, prompts, logging, etc.). An empty object {} is valid."
+  },
+  {
+    id: "lifecycle-jsonrpc",
+    name: "Response is valid JSON-RPC 2.0",
+    category: "lifecycle",
+    required: true,
+    specRef: "basic",
+    description: 'Validates that the initialize response is a proper JSON-RPC 2.0 message with jsonrpc="2.0", an id field, and either a result or error field.',
+    recommendation: 'Ensure every response includes jsonrpc: "2.0", the matching id from the request, and either a result or error field. Never omit the jsonrpc field.'
+  },
+  {
+    id: "lifecycle-ping",
+    name: "Responds to ping",
+    category: "lifecycle",
+    required: true,
+    specRef: "basic/utilities#ping",
+    description: "Tests that the server responds to the ping method with an empty result object. This is a required utility method.",
+    recommendation: 'Implement a "ping" method handler that returns an empty result object {}. This is required by the MCP spec for keepalive and connectivity checking.'
+  },
+  {
+    id: "lifecycle-instructions",
+    name: "Instructions field is valid",
+    category: "lifecycle",
+    required: false,
+    specRef: "basic/lifecycle#initialization",
+    description: "If the server includes an instructions field in the initialize response, validates it is a string. Instructions provide guidance for how the client should interact with the server.",
+    recommendation: "If you include an instructions field in the initialize response, ensure it is a string. Remove the field or fix the type if it is not a string."
+  },
+  {
+    id: "lifecycle-id-match",
+    name: "Response ID matches request ID",
+    category: "lifecycle",
+    required: true,
+    specRef: "basic",
+    description: "Verifies that the JSON-RPC response id matches the request id sent by the client. This is a fundamental JSON-RPC 2.0 requirement.",
+    recommendation: "Copy the id field from the request into the response. This is a core JSON-RPC 2.0 requirement. Check that your framework does not modify or discard the request ID."
+  },
+  {
+    id: "lifecycle-logging",
+    name: "logging/setLevel accepted",
+    category: "lifecycle",
+    required: false,
+    specRef: "server/utilities#logging",
+    description: "If the server declares logging capability, tests that logging/setLevel method is accepted with a valid log level.",
+    recommendation: 'If you declare logging in capabilities, implement the "logging/setLevel" handler. Accept standard log levels: debug, info, notice, warning, error, critical, alert, emergency.'
+  },
+  {
+    id: "lifecycle-completions",
+    name: "completion/complete accepted",
+    category: "lifecycle",
+    required: false,
+    specRef: "server/utilities#completion",
+    description: "If the server declares completions capability, tests that the completion/complete method is accepted.",
+    recommendation: 'If you declare completions in capabilities, implement the "completion/complete" handler. Return a completion object with a values array, even if empty.'
+  },
   // ── Tools (4 tests) ──────────────────────────────────────────────
-  { id: "tools-list", name: "tools/list returns valid response", category: "tools", required: false, specRef: "server/tools#listing-tools", description: "Calls tools/list and validates it returns an array of tool definitions. Required if the server declares tools capability." },
-  { id: "tools-call", name: "tools/call responds correctly", category: "tools", required: false, specRef: "server/tools#calling-tools", description: "Calls the first tool with empty arguments and verifies the response format. Accepts both successful results and InvalidParams errors." },
-  { id: "tools-pagination", name: "tools/list supports pagination", category: "tools", required: false, specRef: "server/tools#listing-tools", description: "Tests cursor-based pagination on tools/list. Validates nextCursor is a string if present and that fetching the next page returns a valid response." },
-  { id: "tools-content-types", name: "Tool content items have valid types", category: "tools", required: false, specRef: "server/tools#calling-tools", description: "Validates that content items returned by tools/call have a recognized type field (text, image, audio, resource, resource_link)." },
+  {
+    id: "tools-list",
+    name: "tools/list returns valid response",
+    category: "tools",
+    required: false,
+    specRef: "server/tools#listing-tools",
+    description: "Calls tools/list and validates it returns an array of tool definitions. Required if the server declares tools capability.",
+    recommendation: "Implement the tools/list handler to return { tools: [...] } with an array of tool definition objects. Each tool needs at least a name and inputSchema."
+  },
+  {
+    id: "tools-call",
+    name: "tools/call responds correctly",
+    category: "tools",
+    required: false,
+    specRef: "server/tools#calling-tools",
+    description: "Calls the first tool with empty arguments and verifies the response format. Accepts both successful results and InvalidParams errors.",
+    recommendation: "Ensure tools/call returns { content: [...] } with an array of content objects, each having a type field. Return isError: true for tool execution errors."
+  },
+  {
+    id: "tools-pagination",
+    name: "tools/list supports pagination",
+    category: "tools",
+    required: false,
+    specRef: "server/tools#listing-tools",
+    description: "Tests cursor-based pagination on tools/list. Validates nextCursor is a string if present and that fetching the next page returns a valid response.",
+    recommendation: "If your server has many tools, include a nextCursor string in the response. Ensure passing this cursor back in a subsequent request returns the next page."
+  },
+  {
+    id: "tools-content-types",
+    name: "Tool content items have valid types",
+    category: "tools",
+    required: false,
+    specRef: "server/tools#calling-tools",
+    description: "Validates that content items returned by tools/call have a recognized type field (text, image, audio, resource, resource_link).",
+    recommendation: 'Every content item returned by tools/call must have a type field set to one of: "text", "image", "audio", "resource", or "resource_link". Check for typos or missing type fields.'
+  },
   // ── Resources (5 tests) ──────────────────────────────────────────
-  { id: "resources-list", name: "resources/list returns valid response", category: "resources", required: false, specRef: "server/resources#listing-resources", description: "Calls resources/list and validates it returns an array. Required if the server declares resources capability." },
-  { id: "resources-read", name: "resources/read returns content", category: "resources", required: false, specRef: "server/resources#reading-resources", description: "Reads the first resource and validates the response contains a contents array with proper uri and text/blob fields." },
-  { id: "resources-templates", name: "resources/templates/list returns valid response", category: "resources", required: false, specRef: "server/resources#resource-templates", description: "Tests the resource templates endpoint. Accepts Method not found (-32601) since templates are optional." },
-  { id: "resources-pagination", name: "resources/list supports pagination", category: "resources", required: false, specRef: "server/resources#listing-resources", description: "Tests cursor-based pagination on resources/list. Validates nextCursor is a string if present and that fetching the next page works." },
-  { id: "resources-subscribe", name: "Resource subscribe/unsubscribe", category: "resources", required: false, specRef: "server/resources#subscriptions", description: "If the server declares resources.subscribe capability, tests that resources/subscribe and resources/unsubscribe methods are accepted." },
+  {
+    id: "resources-list",
+    name: "resources/list returns valid response",
+    category: "resources",
+    required: false,
+    specRef: "server/resources#listing-resources",
+    description: "Calls resources/list and validates it returns an array. Required if the server declares resources capability.",
+    recommendation: "Implement resources/list to return { resources: [...] } with an array of resource objects. Each resource needs at least a uri and name."
+  },
+  {
+    id: "resources-read",
+    name: "resources/read returns content",
+    category: "resources",
+    required: false,
+    specRef: "server/resources#reading-resources",
+    description: "Reads the first resource and validates the response contains a contents array with proper uri and text/blob fields.",
+    recommendation: "Implement resources/read to return { contents: [...] } where each item has a uri and either a text or blob field. Ensure the uri matches the requested resource."
+  },
+  {
+    id: "resources-templates",
+    name: "resources/templates/list returns valid response",
+    category: "resources",
+    required: false,
+    specRef: "server/resources#resource-templates",
+    description: "Tests the resource templates endpoint. Accepts Method not found (-32601) since templates are optional.",
+    recommendation: "If your server supports resource templates, implement resources/templates/list returning { resourceTemplates: [...] }. Otherwise, return error code -32601."
+  },
+  {
+    id: "resources-pagination",
+    name: "resources/list supports pagination",
+    category: "resources",
+    required: false,
+    specRef: "server/resources#listing-resources",
+    description: "Tests cursor-based pagination on resources/list. Validates nextCursor is a string if present and that fetching the next page works.",
+    recommendation: "If you return nextCursor in resources/list, ensure it is a string and that passing it back as cursor in the next request returns valid results."
+  },
+  {
+    id: "resources-subscribe",
+    name: "Resource subscribe/unsubscribe",
+    category: "resources",
+    required: false,
+    specRef: "server/resources#subscriptions",
+    description: "If the server declares resources.subscribe capability, tests that resources/subscribe and resources/unsubscribe methods are accepted.",
+    recommendation: "If you declare resources.subscribe capability, implement both resources/subscribe and resources/unsubscribe handlers. Both should accept a uri parameter."
+  },
   // ── Prompts (3 tests) ────────────────────────────────────────────
-  { id: "prompts-list", name: "prompts/list returns valid response", category: "prompts", required: false, specRef: "server/prompts#listing-prompts", description: "Calls prompts/list and validates it returns an array. Required if the server declares prompts capability." },
-  { id: "prompts-get", name: "prompts/get returns valid messages", category: "prompts", required: false, specRef: "server/prompts#getting-a-prompt", description: "Gets the first prompt and validates the response contains a messages array with proper role and content fields." },
-  { id: "prompts-pagination", name: "prompts/list supports pagination", category: "prompts", required: false, specRef: "server/prompts#listing-prompts", description: "Tests cursor-based pagination on prompts/list. Validates nextCursor is a string if present and that fetching the next page works." },
+  {
+    id: "prompts-list",
+    name: "prompts/list returns valid response",
+    category: "prompts",
+    required: false,
+    specRef: "server/prompts#listing-prompts",
+    description: "Calls prompts/list and validates it returns an array. Required if the server declares prompts capability.",
+    recommendation: "Implement prompts/list to return { prompts: [...] } with an array of prompt objects. Each prompt needs at least a name field."
+  },
+  {
+    id: "prompts-get",
+    name: "prompts/get returns valid messages",
+    category: "prompts",
+    required: false,
+    specRef: "server/prompts#getting-a-prompt",
+    description: "Gets the first prompt and validates the response contains a messages array with proper role and content fields.",
+    recommendation: 'Implement prompts/get to return { messages: [...] } where each message has a role ("user" or "assistant") and a content field.'
+  },
+  {
+    id: "prompts-pagination",
+    name: "prompts/list supports pagination",
+    category: "prompts",
+    required: false,
+    specRef: "server/prompts#listing-prompts",
+    description: "Tests cursor-based pagination on prompts/list. Validates nextCursor is a string if present and that fetching the next page works.",
+    recommendation: "If you return nextCursor in prompts/list, ensure it is a string and that passing it back as cursor in the next request returns valid results."
+  },
   // ── Error Handling (8 tests) ─────────────────────────────────────
-  { id: "error-unknown-method", name: "Returns JSON-RPC error for unknown method", category: "errors", required: true, specRef: "basic", description: "Sends an unknown method and verifies the server returns a JSON-RPC error. The spec requires error code -32601 (Method not found)." },
-  { id: "error-method-code", name: "Uses correct JSON-RPC error code for unknown method", category: "errors", required: false, specRef: "basic", description: "Checks the error code is specifically -32601 (Method not found) for unknown methods, as required by JSON-RPC 2.0." },
-  { id: "error-invalid-jsonrpc", name: "Handles malformed JSON-RPC", category: "errors", required: true, specRef: "basic", description: "Sends a malformed JSON-RPC message (missing required fields) and verifies the server returns an error or 4xx status." },
-  { id: "error-invalid-json", name: "Handles invalid JSON body", category: "errors", required: false, specRef: "basic", description: "Sends invalid JSON and verifies the server returns a parse error (-32700) or 4xx status code." },
-  { id: "error-missing-params", name: "Returns error for tools/call without name", category: "errors", required: false, specRef: "server/tools#error-handling", description: "Calls tools/call with an empty params object (missing required name field) and verifies an error is returned." },
-  { id: "error-parse-code", name: "Returns -32700 for invalid JSON", category: "errors", required: false, specRef: "basic", description: "Checks that the server returns the specific JSON-RPC error code -32700 (Parse error) when receiving invalid JSON, as required by the JSON-RPC 2.0 specification." },
-  { id: "error-invalid-request-code", name: "Returns -32600 for invalid request", category: "errors", required: false, specRef: "basic", description: "Checks that the server returns the specific JSON-RPC error code -32600 (Invalid Request) for malformed JSON-RPC messages missing required fields." },
-  { id: "tools-call-unknown", name: "Returns error for unknown tool name", category: "errors", required: false, specRef: "server/tools#error-handling", description: "Calls tools/call with a nonexistent tool name and verifies the server returns an error response." },
+  {
+    id: "error-unknown-method",
+    name: "Returns JSON-RPC error for unknown method",
+    category: "errors",
+    required: true,
+    specRef: "basic",
+    description: "Sends an unknown method and verifies the server returns a JSON-RPC error. The spec requires error code -32601 (Method not found).",
+    recommendation: "Return a JSON-RPC error with code -32601 (Method not found) for any unrecognized method name. Do not silently ignore unknown methods."
+  },
+  {
+    id: "error-method-code",
+    name: "Uses correct JSON-RPC error code for unknown method",
+    category: "errors",
+    required: false,
+    specRef: "basic",
+    description: "Checks the error code is specifically -32601 (Method not found) for unknown methods, as required by JSON-RPC 2.0.",
+    recommendation: "Use exactly error code -32601 for unknown methods. Do not use generic error codes like -32000. This is required by JSON-RPC 2.0."
+  },
+  {
+    id: "error-invalid-jsonrpc",
+    name: "Handles malformed JSON-RPC",
+    category: "errors",
+    required: true,
+    specRef: "basic",
+    description: "Sends a malformed JSON-RPC message (missing required fields) and verifies the server returns an error or 4xx status.",
+    recommendation: "Validate incoming JSON-RPC messages for required fields (jsonrpc, method). Return error code -32600 (Invalid Request) or HTTP 400 for malformed messages."
+  },
+  {
+    id: "error-invalid-json",
+    name: "Handles invalid JSON body",
+    category: "errors",
+    required: false,
+    specRef: "basic",
+    description: "Sends invalid JSON and verifies the server returns a parse error (-32700) or 4xx status code.",
+    recommendation: "Catch JSON parse errors and return error code -32700 (Parse error) with a descriptive message. Do not return 500 for malformed input."
+  },
+  {
+    id: "error-missing-params",
+    name: "Returns error for tools/call without name",
+    category: "errors",
+    required: false,
+    specRef: "server/tools#error-handling",
+    description: "Calls tools/call with an empty params object (missing required name field) and verifies an error is returned.",
+    recommendation: "Validate tools/call params and return error code -32602 (Invalid params) when the required name field is missing."
+  },
+  {
+    id: "error-parse-code",
+    name: "Returns -32700 for invalid JSON",
+    category: "errors",
+    required: false,
+    specRef: "basic",
+    description: "Checks that the server returns the specific JSON-RPC error code -32700 (Parse error) when receiving invalid JSON, as required by the JSON-RPC 2.0 specification.",
+    recommendation: "Return exactly error code -32700 for JSON parse failures. Most JSON-RPC frameworks handle this automatically \u2014 check yours does not override the code."
+  },
+  {
+    id: "error-invalid-request-code",
+    name: "Returns -32600 for invalid request",
+    category: "errors",
+    required: false,
+    specRef: "basic",
+    description: "Checks that the server returns the specific JSON-RPC error code -32600 (Invalid Request) for malformed JSON-RPC messages missing required fields.",
+    recommendation: "Return exactly error code -32600 for structurally invalid JSON-RPC messages (e.g., missing method field). Check your JSON-RPC middleware configuration."
+  },
+  {
+    id: "tools-call-unknown",
+    name: "Returns error for unknown tool name",
+    category: "errors",
+    required: false,
+    specRef: "server/tools#error-handling",
+    description: "Calls tools/call with a nonexistent tool name and verifies the server returns an error response.",
+    recommendation: "Return a JSON-RPC error or set isError: true when tools/call receives an unrecognized tool name. Do not return an empty success response."
+  },
   // ── Schema Validation (6 tests) ──────────────────────────────────
-  { id: "tools-schema", name: "All tools have name and inputSchema", category: "schema", required: false, specRef: "server/tools#data-types", description: 'Validates every tool has a valid name (1-128 chars, alphanumeric/underscore/hyphen/dot) and a required inputSchema of type "object".' },
-  { id: "tools-annotations", name: "Tool annotations are valid", category: "schema", required: false, specRef: "server/tools#annotations", description: "Validates tool annotation fields if present: readOnlyHint, destructiveHint, idempotentHint, openWorldHint should be booleans; title should be a string." },
-  { id: "tools-title-field", name: "Tools include title field", category: "schema", required: false, specRef: "server/tools#data-types", description: "Checks if tools include the optional title field for human-readable display names. Added in spec version 2025-11-25." },
-  { id: "tools-output-schema", name: "Tools with outputSchema are valid", category: "schema", required: false, specRef: "server/tools#structured-content", description: 'If tools declare an outputSchema, validates it is a valid JSON Schema object with type "object". Used for structured output validation.' },
-  { id: "prompts-schema", name: "Prompts have name field", category: "schema", required: false, specRef: "server/prompts#data-types", description: "Validates every prompt has a name and that any arguments array contains items with name fields." },
-  { id: "resources-schema", name: "Resources have uri and name", category: "schema", required: false, specRef: "server/resources#data-types", description: "Validates every resource has a valid URI (parseable as a URL) and a name field." }
+  {
+    id: "tools-schema",
+    name: "All tools have name and inputSchema",
+    category: "schema",
+    required: false,
+    specRef: "server/tools#data-types",
+    description: 'Validates every tool has a valid name (1-128 chars, alphanumeric/underscore/hyphen/dot) and a required inputSchema of type "object".',
+    recommendation: 'Ensure every tool has a name (1-128 chars, [A-Za-z0-9_.-]) and an inputSchema with type: "object". Add descriptions to tools for better AI assistant integration.'
+  },
+  {
+    id: "tools-annotations",
+    name: "Tool annotations are valid",
+    category: "schema",
+    required: false,
+    specRef: "server/tools#annotations",
+    description: "Validates tool annotation fields if present: readOnlyHint, destructiveHint, idempotentHint, openWorldHint should be booleans; title should be a string.",
+    recommendation: "If you include annotations on tools, ensure readOnlyHint, destructiveHint, idempotentHint, and openWorldHint are booleans. Title must be a string."
+  },
+  {
+    id: "tools-title-field",
+    name: "Tools include title field",
+    category: "schema",
+    required: false,
+    specRef: "server/tools#data-types",
+    description: "Checks if tools include the optional title field for human-readable display names. Added in spec version 2025-11-25.",
+    recommendation: "Add a title field (human-readable string) to each tool definition. This helps MCP clients display your tools in a user-friendly way."
+  },
+  {
+    id: "tools-output-schema",
+    name: "Tools with outputSchema are valid",
+    category: "schema",
+    required: false,
+    specRef: "server/tools#structured-content",
+    description: 'If tools declare an outputSchema, validates it is a valid JSON Schema object with type "object". Used for structured output validation.',
+    recommendation: 'If you declare outputSchema on a tool, ensure it is a valid JSON Schema object with type: "object". Remove outputSchema if you do not need structured output.'
+  },
+  {
+    id: "prompts-schema",
+    name: "Prompts have name field",
+    category: "schema",
+    required: false,
+    specRef: "server/prompts#data-types",
+    description: "Validates every prompt has a name and that any arguments array contains items with name fields.",
+    recommendation: "Ensure every prompt has a name field. If the prompt has arguments, each argument object must include a name field."
+  },
+  {
+    id: "resources-schema",
+    name: "Resources have uri and name",
+    category: "schema",
+    required: false,
+    specRef: "server/resources#data-types",
+    description: "Validates every resource has a valid URI (parseable as a URL) and a name field.",
+    recommendation: "Ensure every resource has a valid, parseable URI and a name field. Add description and mimeType for better client integration."
+  }
 ];
 
 // src/runner.ts
@@ -165,7 +517,7 @@ async function mcpRequest(backendUrl, method, params, nextId, extraHeaders, time
   });
   const headers = {
     "Content-Type": "application/json",
-    "Accept": "application/json, text/event-stream",
+    Accept: "application/json, text/event-stream",
     ...extraHeaders
   };
   const res = await request(backendUrl, {
@@ -200,7 +552,7 @@ async function mcpRequest(backendUrl, method, params, nextId, extraHeaders, time
 async function mcpNotification(backendUrl, method, params, extraHeaders, timeout) {
   const headers = {
     "Content-Type": "application/json",
-    "Accept": "application/json, text/event-stream",
+    Accept: "application/json, text/event-stream",
     ...extraHeaders
   };
   const res = await request(backendUrl, {
@@ -252,7 +604,7 @@ async function runComplianceSuite(url, options = {}) {
     }
     return true;
   }
-  let serverInfo = {
+  const serverInfo = {
     protocolVersion: null,
     name: null,
     version: null,
@@ -290,94 +642,129 @@ async function runComplianceSuite(url, options = {}) {
     });
     options.onProgress?.(id, lastResult.passed, lastResult.details);
   }
-  await test("transport-post", "HTTP POST accepted", "transport", true, "basic/transports#streamable-http", async () => {
-    const res = await request(backendUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...userHeaders },
-      body: JSON.stringify({ jsonrpc: "2.0", id: 99901, method: "ping" }),
-      signal: AbortSignal.timeout(timeout)
-    });
-    await res.body.text();
-    const passed = res.statusCode >= 200 && res.statusCode < 300;
-    const note = res.statusCode === 401 || res.statusCode === 403 ? " (auth required)" : "";
-    return { passed, details: `HTTP ${res.statusCode}${note}` };
-  });
-  await test("transport-content-type", "Responds with JSON or SSE", "transport", true, "basic/transports#streamable-http", async () => {
-    const res = await request(backendUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...userHeaders },
-      body: JSON.stringify({ jsonrpc: "2.0", id: 99902, method: "ping" }),
-      signal: AbortSignal.timeout(timeout)
-    });
-    await res.body.text();
-    const rawCt = res.headers["content-type"];
-    const ct = (Array.isArray(rawCt) ? rawCt[0] : rawCt || "").toLowerCase();
-    const valid = ct.includes("application/json") || ct.includes("text/event-stream");
-    return { passed: valid, details: `Content-Type: ${ct}` };
-  });
-  await test("transport-get", "GET returns SSE stream or 405", "transport", false, "basic/transports#streamable-http", async () => {
-    const res = await request(backendUrl, {
-      method: "GET",
-      headers: { "Accept": "text/event-stream", ...userHeaders },
-      signal: AbortSignal.timeout(timeout)
-    });
-    await res.body.text();
-    const ct = (res.headers["content-type"] || "").toLowerCase();
-    if (res.statusCode === 405) {
-      return { passed: true, details: "HTTP 405 Method Not Allowed (acceptable)" };
-    }
-    if (ct.includes("text/event-stream")) {
-      return { passed: true, details: "Returns text/event-stream for SSE" };
-    }
-    if (res.statusCode >= 200 && res.statusCode < 300) {
-      return { passed: true, details: `HTTP ${res.statusCode} (accepted)` };
-    }
-    return { passed: false, details: `HTTP ${res.statusCode}, Content-Type: ${ct}` };
-  });
-  await test("transport-delete", "DELETE accepted or returns 405", "transport", false, "basic/transports#streamable-http", async () => {
-    const res = await request(backendUrl, {
-      method: "DELETE",
-      headers: { ...userHeaders },
-      signal: AbortSignal.timeout(timeout)
-    });
-    await res.body.text();
-    if (res.statusCode === 405) {
-      return { passed: true, details: "HTTP 405 Method Not Allowed (acceptable)" };
+  await test(
+    "transport-post",
+    "HTTP POST accepted",
+    "transport",
+    true,
+    "basic/transports#streamable-http",
+    async () => {
+      const res = await request(backendUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", ...userHeaders },
+        body: JSON.stringify({ jsonrpc: "2.0", id: 99901, method: "ping" }),
+        signal: AbortSignal.timeout(timeout)
+      });
+      await res.body.text();
+      const passed = res.statusCode >= 200 && res.statusCode < 300;
+      const note = res.statusCode === 401 || res.statusCode === 403 ? " (auth required)" : "";
+      return { passed, details: `HTTP ${res.statusCode}${note}` };
     }
-    if (res.statusCode >= 200 && res.statusCode < 300) {
-      return { passed: true, details: `HTTP ${res.statusCode} (session termination supported)` };
+  );
+  await test(
+    "transport-content-type",
+    "Responds with JSON or SSE",
+    "transport",
+    true,
+    "basic/transports#streamable-http",
+    async () => {
+      const res = await request(backendUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", ...userHeaders },
+        body: JSON.stringify({ jsonrpc: "2.0", id: 99902, method: "ping" }),
+        signal: AbortSignal.timeout(timeout)
+      });
+      await res.body.text();
+      const rawCt = res.headers["content-type"];
+      const ct = (Array.isArray(rawCt) ? rawCt[0] : rawCt || "").toLowerCase();
+      const valid = ct.includes("application/json") || ct.includes("text/event-stream");
+      return { passed: valid, details: `Content-Type: ${ct}` };
     }
-    if (res.statusCode === 400 || res.statusCode === 404) {
-      return { passed: true, details: `HTTP ${res.statusCode} (no active session, acceptable)` };
+  );
+  await test(
+    "transport-get",
+    "GET returns SSE stream or 405",
+    "transport",
+    false,
+    "basic/transports#streamable-http",
+    async () => {
+      const res = await request(backendUrl, {
+        method: "GET",
+        headers: { Accept: "text/event-stream", ...userHeaders },
+        signal: AbortSignal.timeout(timeout)
+      });
+      await res.body.text();
+      const ct = (res.headers["content-type"] || "").toLowerCase();
+      if (res.statusCode === 405) {
+        return { passed: true, details: "HTTP 405 Method Not Allowed (acceptable)" };
+      }
+      if (ct.includes("text/event-stream")) {
+        return { passed: true, details: "Returns text/event-stream for SSE" };
+      }
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        return { passed: true, details: `HTTP ${res.statusCode} (accepted)` };
+      }
+      return { passed: false, details: `HTTP ${res.statusCode}, Content-Type: ${ct}` };
     }
-    return { passed: false, details: `HTTP ${res.statusCode}` };
-  });
-  await test("transport-batch-reject", "Rejects JSON-RPC batch requests", "transport", true, "basic/transports#streamable-http", async () => {
-    const res = await request(backendUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...userHeaders },
-      body: JSON.stringify([
-        { jsonrpc: "2.0", id: 99903, method: "ping" },
-        { jsonrpc: "2.0", id: 99904, method: "ping" }
-      ]),
-      signal: AbortSignal.timeout(timeout)
-    });
-    const text = await res.body.text();
-    if (res.statusCode >= 400 && res.statusCode < 500) {
-      return { passed: true, details: `HTTP ${res.statusCode} (batch rejected)` };
+  );
+  await test(
+    "transport-delete",
+    "DELETE accepted or returns 405",
+    "transport",
+    false,
+    "basic/transports#streamable-http",
+    async () => {
+      const res = await request(backendUrl, {
+        method: "DELETE",
+        headers: { ...userHeaders },
+        signal: AbortSignal.timeout(timeout)
+      });
+      await res.body.text();
+      if (res.statusCode === 405) {
+        return { passed: true, details: "HTTP 405 Method Not Allowed (acceptable)" };
+      }
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        return { passed: true, details: `HTTP ${res.statusCode} (session termination supported)` };
+      }
+      if (res.statusCode === 400 || res.statusCode === 404) {
+        return { passed: true, details: `HTTP ${res.statusCode} (no active session, acceptable)` };
+      }
+      return { passed: false, details: `HTTP ${res.statusCode}` };
     }
-    try {
-      const body = JSON.parse(text);
-      if (body?.error) {
-        return { passed: true, details: `JSON-RPC error: ${body.error.code} \u2014 ${body.error.message}` };
+  );
+  await test(
+    "transport-batch-reject",
+    "Rejects JSON-RPC batch requests",
+    "transport",
+    true,
+    "basic/transports#streamable-http",
+    async () => {
+      const res = await request(backendUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", ...userHeaders },
+        body: JSON.stringify([
+          { jsonrpc: "2.0", id: 99903, method: "ping" },
+          { jsonrpc: "2.0", id: 99904, method: "ping" }
+        ]),
+        signal: AbortSignal.timeout(timeout)
+      });
+      const text = await res.body.text();
+      if (res.statusCode >= 400 && res.statusCode < 500) {
+        return { passed: true, details: `HTTP ${res.statusCode} (batch rejected)` };
       }
-      if (Array.isArray(body)) {
-        return { passed: false, details: "Server processed batch request (MCP forbids batch)" };
+      try {
+        const body = JSON.parse(text);
+        if (body?.error) {
+          return { passed: true, details: `JSON-RPC error: ${body.error.code} \u2014 ${body.error.message}` };
+        }
+        if (Array.isArray(body)) {
+          return { passed: false, details: "Server processed batch request (MCP forbids batch)" };
+        }
+      } catch {
       }
-    } catch {
+      return { passed: false, details: `HTTP ${res.statusCode} \u2014 expected error or 4xx for batch request` };
     }
-    return { passed: false, details: `HTTP ${res.statusCode} \u2014 expected error or 4xx for batch request` };
-  });
+  );
   let initRes = null;
   try {
     initRes = await rpc("initialize", {
@@ -401,35 +788,69 @@ async function runComplianceSuite(url, options = {}) {
     await mcpNotification(backendUrl, "notifications/initialized", void 0, buildHeaders(), timeout);
   } catch {
   }
-  await test("lifecycle-init", "Initialize handshake", "lifecycle", true, "basic/lifecycle#initialization", async () => {
-    if (!initRes) return { passed: false, details: "Initialize request failed" };
-    const result = initRes.body?.result;
-    if (!result) return { passed: false, details: "No result in response" };
-    return { passed: !!result.protocolVersion, details: `Protocol: ${result.protocolVersion || "missing"}` };
-  });
-  await test("lifecycle-proto-version", "Returns valid protocol version", "lifecycle", true, "basic/lifecycle#version-negotiation", async () => {
-    const version2 = initRes?.body?.result?.protocolVersion;
-    if (!version2) return { passed: false, details: "No protocolVersion" };
-    const valid = /^\d{4}-\d{2}-\d{2}$/.test(version2);
-    if (valid && version2 !== SPEC_VERSION) {
-      warnings.push(`Server negotiated protocol version ${version2} (latest is ${SPEC_VERSION})`);
+  await test(
+    "lifecycle-init",
+    "Initialize handshake",
+    "lifecycle",
+    true,
+    "basic/lifecycle#initialization",
+    async () => {
+      if (!initRes) return { passed: false, details: "Initialize request failed" };
+      const result = initRes.body?.result;
+      if (!result) return { passed: false, details: "No result in response" };
+      return { passed: !!result.protocolVersion, details: `Protocol: ${result.protocolVersion || "missing"}` };
     }
-    return { passed: valid, details: `Version: ${version2}` };
-  });
-  await test("lifecycle-server-info", "Includes serverInfo", "lifecycle", false, "basic/lifecycle#initialization", async () => {
-    const info = initRes?.body?.result?.serverInfo;
-    return { passed: !!info?.name, details: info ? `${info.name} v${info.version || "?"}` : "Missing serverInfo" };
-  });
-  await test("lifecycle-capabilities", "Returns capabilities object", "lifecycle", true, "basic/lifecycle#capability-negotiation", async () => {
-    const caps = initRes?.body?.result?.capabilities;
-    if (!caps || typeof caps !== "object") return { passed: false, details: "No capabilities object in response" };
-    const declared = Object.keys(caps).filter((k) => caps[k] !== void 0);
-    return { passed: true, details: declared.length > 0 ? `Capabilities: ${declared.join(", ")}` : "Empty capabilities (valid)" };
-  });
+  );
+  await test(
+    "lifecycle-proto-version",
+    "Returns valid protocol version",
+    "lifecycle",
+    true,
+    "basic/lifecycle#version-negotiation",
+    async () => {
+      const version3 = initRes?.body?.result?.protocolVersion;
+      if (!version3) return { passed: false, details: "No protocolVersion" };
+      const valid = /^\d{4}-\d{2}-\d{2}$/.test(version3);
+      if (valid && version3 !== SPEC_VERSION) {
+        warnings.push(`Server negotiated protocol version ${version3} (latest is ${SPEC_VERSION})`);
+      }
+      return { passed: valid, details: `Version: ${version3}` };
+    }
+  );
+  await test(
+    "lifecycle-server-info",
+    "Includes serverInfo",
+    "lifecycle",
+    false,
+    "basic/lifecycle#initialization",
+    async () => {
+      const info = initRes?.body?.result?.serverInfo;
+      return { passed: !!info?.name, details: info ? `${info.name} v${info.version || "?"}` : "Missing serverInfo" };
+    }
+  );
+  await test(
+    "lifecycle-capabilities",
+    "Returns capabilities object",
+    "lifecycle",
+    true,
+    "basic/lifecycle#capability-negotiation",
+    async () => {
+      const caps = initRes?.body?.result?.capabilities;
+      if (!caps || typeof caps !== "object") return { passed: false, details: "No capabilities object in response" };
+      const declared = Object.keys(caps).filter((k) => caps[k] !== void 0);
+      return {
+        passed: true,
+        details: declared.length > 0 ? `Capabilities: ${declared.join(", ")}` : "Empty capabilities (valid)"
+      };
+    }
+  );
   await test("lifecycle-jsonrpc", "Response is valid JSON-RPC 2.0", "lifecycle", true, "basic", async () => {
     const body = initRes?.body;
     const valid = body?.jsonrpc === "2.0" && body?.id !== void 0 && (body?.result !== void 0 || body?.error !== void 0);
-    return { passed: valid, details: valid ? "Valid JSON-RPC 2.0 response" : `Missing fields: jsonrpc=${body?.jsonrpc}, id=${body?.id}` };
+    return {
+      passed: valid,
+      details: valid ? "Valid JSON-RPC 2.0 response" : `Missing fields: jsonrpc=${body?.jsonrpc}, id=${body?.id}`
+    };
   });
   await test("lifecycle-ping", "Responds to ping", "lifecycle", true, "basic/utilities#ping", async () => {
     const res = await rpc("ping");
@@ -438,149 +859,223 @@ async function runComplianceSuite(url, options = {}) {
     if (body?.result !== void 0) return { passed: true, details: "Ping responded successfully" };
     return { passed: false, details: "No result in ping response" };
   });
-  await test("lifecycle-instructions", "Instructions field is valid", "lifecycle", false, "basic/lifecycle#initialization", async () => {
-    const result = initRes?.body?.result;
-    if (!result) return { passed: false, details: "No init result" };
-    if (result.instructions === void 0) {
-      return { passed: true, details: "No instructions field (optional)" };
-    }
-    if (typeof result.instructions === "string") {
-      const preview = result.instructions.length > 80 ? result.instructions.slice(0, 80) + "..." : result.instructions;
-      return { passed: true, details: `Instructions: "${preview}"` };
+  await test(
+    "lifecycle-instructions",
+    "Instructions field is valid",
+    "lifecycle",
+    false,
+    "basic/lifecycle#initialization",
+    async () => {
+      const result = initRes?.body?.result;
+      if (!result) return { passed: false, details: "No init result" };
+      if (result.instructions === void 0) {
+        return { passed: true, details: "No instructions field (optional)" };
+      }
+      if (typeof result.instructions === "string") {
+        const preview = result.instructions.length > 80 ? result.instructions.slice(0, 80) + "..." : result.instructions;
+        return { passed: true, details: `Instructions: "${preview}"` };
+      }
+      return { passed: false, details: `instructions should be a string, got ${typeof result.instructions}` };
     }
-    return { passed: false, details: `instructions should be a string, got ${typeof result.instructions}` };
-  });
+  );
   await test("lifecycle-id-match", "Response ID matches request ID", "lifecycle", true, "basic", async () => {
     const res = await rpc("ping");
     const body = res.body;
     if (body?.id === void 0) return { passed: false, details: "No id in response" };
     const match = body.id === res.requestId;
-    return { passed: match, details: match ? `Request id=${res.requestId}, response id=${body.id} (match)` : `Request id=${res.requestId}, response id=${body.id} (MISMATCH)` };
+    return {
+      passed: match,
+      details: match ? `Request id=${res.requestId}, response id=${body.id} (match)` : `Request id=${res.requestId}, response id=${body.id} (MISMATCH)`
+    };
   });
   const hasLogging = !!serverInfo.capabilities.logging;
-  await test("lifecycle-logging", "logging/setLevel accepted", "lifecycle", hasLogging, "server/utilities#logging", async () => {
-    if (!hasLogging) return { passed: true, details: "Server does not declare logging capability (skipped)" };
-    const res = await rpc("logging/setLevel", { level: "info" });
-    if (res.body?.error) {
-      return { passed: false, details: `Error: ${res.body.error.code} \u2014 ${res.body.error.message}` };
+  await test(
+    "lifecycle-logging",
+    "logging/setLevel accepted",
+    "lifecycle",
+    hasLogging,
+    "server/utilities#logging",
+    async () => {
+      if (!hasLogging) return { passed: true, details: "Server does not declare logging capability (skipped)" };
+      const res = await rpc("logging/setLevel", { level: "info" });
+      if (res.body?.error) {
+        return { passed: false, details: `Error: ${res.body.error.code} \u2014 ${res.body.error.message}` };
+      }
+      return { passed: true, details: "logging/setLevel accepted" };
     }
-    return { passed: true, details: "logging/setLevel accepted" };
-  });
+  );
   const hasCompletions = !!serverInfo.capabilities.completions;
-  await test("lifecycle-completions", "completion/complete accepted", "lifecycle", hasCompletions, "server/utilities#completion", async () => {
-    if (!hasCompletions) return { passed: true, details: "Server does not declare completions capability (skipped)" };
-    const res = await rpc("completion/complete", {
-      ref: { type: "ref/prompt", name: "__test__" },
-      argument: { name: "test", value: "" }
-    });
-    if (res.body?.error) {
-      if (res.body.error.code === -32602) {
-        return { passed: true, details: "InvalidParams for test ref (acceptable)" };
+  await test(
+    "lifecycle-completions",
+    "completion/complete accepted",
+    "lifecycle",
+    hasCompletions,
+    "server/utilities#completion",
+    async () => {
+      if (!hasCompletions) return { passed: true, details: "Server does not declare completions capability (skipped)" };
+      const res = await rpc("completion/complete", {
+        ref: { type: "ref/prompt", name: "__test__" },
+        argument: { name: "test", value: "" }
+      });
+      if (res.body?.error) {
+        if (res.body.error.code === -32602) {
+          return { passed: true, details: "InvalidParams for test ref (acceptable)" };
+        }
+        return { passed: false, details: `Error: ${res.body.error.code} \u2014 ${res.body.error.message}` };
       }
-      return { passed: false, details: `Error: ${res.body.error.code} \u2014 ${res.body.error.message}` };
-    }
-    const values = res.body?.result?.completion?.values;
-    if (Array.isArray(values)) {
-      return { passed: true, details: `Returned ${values.length} completion(s)` };
-    }
-    return { passed: true, details: "completion/complete accepted" };
-  });
-  await test("transport-notification-202", "Notification returns 202 Accepted", "transport", false, "basic/transports#streamable-http", async () => {
-    const res = await request(backendUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Accept": "application/json, text/event-stream",
-        ...buildHeaders()
-      },
-      body: JSON.stringify({ jsonrpc: "2.0", method: "notifications/cancelled", params: { requestId: "nonexistent", reason: "compliance test" } }),
-      signal: AbortSignal.timeout(timeout)
-    });
-    await res.body.text();
-    if (res.statusCode === 202) {
-      return { passed: true, details: "HTTP 202 Accepted (correct)" };
-    }
-    if (res.statusCode >= 200 && res.statusCode < 300) {
-      return { passed: true, details: `HTTP ${res.statusCode} (accepted, but 202 is preferred)` };
-    }
-    return { passed: false, details: `HTTP ${res.statusCode} \u2014 expected 202 Accepted for notifications` };
-  });
-  await test("transport-session-id", "Enforces MCP-Session-Id after init", "transport", false, "basic/transports#streamable-http", async () => {
-    if (!sessionId) {
-      warnings.push("Server did not issue MCP-Session-Id header");
-      return { passed: true, details: "Server did not issue session ID (test not applicable)" };
-    }
-    const headersWithout = { ...userHeaders };
-    if (negotiatedProtocolVersion) headersWithout["mcp-protocol-version"] = negotiatedProtocolVersion;
-    const res = await mcpRequest(backendUrl, "ping", void 0, createIdCounter(99910), headersWithout, timeout);
-    if (res.statusCode === 400) {
-      return { passed: true, details: "HTTP 400 for missing session ID (correct)" };
+      const values = res.body?.result?.completion?.values;
+      if (Array.isArray(values)) {
+        return { passed: true, details: `Returned ${values.length} completion(s)` };
+      }
+      return { passed: true, details: "completion/complete accepted" };
     }
-    if (res.statusCode >= 200 && res.statusCode < 300) {
-      return { passed: false, details: `HTTP ${res.statusCode} \u2014 server should return 400 when session ID is missing` };
+  );
+  await test(
+    "transport-notification-202",
+    "Notification returns 202 Accepted",
+    "transport",
+    false,
+    "basic/transports#streamable-http",
+    async () => {
+      const res = await request(backendUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+          ...buildHeaders()
+        },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          method: "notifications/cancelled",
+          params: { requestId: "nonexistent", reason: "compliance test" }
+        }),
+        signal: AbortSignal.timeout(timeout)
+      });
+      await res.body.text();
+      if (res.statusCode === 202) {
+        return { passed: true, details: "HTTP 202 Accepted (correct)" };
+      }
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        return { passed: true, details: `HTTP ${res.statusCode} (accepted, but 202 is preferred)` };
+      }
+      return { passed: false, details: `HTTP ${res.statusCode} \u2014 expected 202 Accepted for notifications` };
     }
-    return { passed: false, details: `HTTP ${res.statusCode}` };
-  });
-  const hasTools = !!serverInfo.capabilities.tools;
-  let cachedToolsList = null;
-  await test("tools-list", "tools/list returns valid response", "tools", hasTools, "server/tools#listing-tools", async () => {
-    const res = await rpc("tools/list");
-    const tools = res.body?.result?.tools;
-    if (!Array.isArray(tools)) return { passed: false, details: "No tools array in result" };
-    cachedToolsList = tools;
-    toolCount = tools.length;
-    toolNames = tools.map((t) => t.name).filter(Boolean);
-    return { passed: true, details: `${toolCount} tool(s): ${toolNames.slice(0, 5).join(", ")}${toolCount > 5 ? "..." : ""}` };
-  });
-  await test("tools-schema", "All tools have name and inputSchema", "schema", hasTools, "server/tools#data-types", async () => {
-    const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
-    const issues = [];
-    for (const tool of tools) {
-      if (!tool.name) {
-        issues.push("Tool missing name");
-        continue;
+  );
+  await test(
+    "transport-session-id",
+    "Enforces MCP-Session-Id after init",
+    "transport",
+    false,
+    "basic/transports#streamable-http",
+    async () => {
+      if (!sessionId) {
+        warnings.push("Server did not issue MCP-Session-Id header");
+        return { passed: true, details: "Server did not issue session ID (test not applicable)" };
       }
-      if (tool.name.length > 128 || !/^[A-Za-z0-9_.\-]+$/.test(tool.name)) {
-        issues.push(`${tool.name}: name format invalid`);
+      const headersWithout = { ...userHeaders };
+      if (negotiatedProtocolVersion) headersWithout["mcp-protocol-version"] = negotiatedProtocolVersion;
+      const res = await mcpRequest(backendUrl, "ping", void 0, createIdCounter(99910), headersWithout, timeout);
+      if (res.statusCode === 400) {
+        return { passed: true, details: "HTTP 400 for missing session ID (correct)" };
       }
-      if (!tool.description) warnings.push(`Tool "${tool.name}" missing description`);
-      if (!tool.inputSchema) {
-        issues.push(`${tool.name}: missing inputSchema (required)`);
-      } else if (typeof tool.inputSchema !== "object" || tool.inputSchema === null) {
-        issues.push(`${tool.name}: inputSchema must be a valid JSON Schema object`);
-      } else if (tool.inputSchema.type !== "object") {
-        issues.push(`${tool.name}: inputSchema.type must be "object" (got "${tool.inputSchema.type || "undefined"}")`);
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        return {
+          passed: false,
+          details: `HTTP ${res.statusCode} \u2014 server should return 400 when session ID is missing`
+        };
       }
+      return { passed: false, details: `HTTP ${res.statusCode}` };
     }
-    const detail = issues.length === 0 ? "All tools have valid schemas" : issues.join("; ");
-    return { passed: issues.length === 0, details: detail };
-  });
-  await test("tools-annotations", "Tool annotations are valid", "schema", false, "server/tools#annotations", async () => {
-    const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
-    if (tools.length === 0) return { passed: true, details: "No tools to validate" };
-    const issues = [];
-    let annotatedCount = 0;
-    for (const tool of tools) {
-      const ann = tool.annotations;
-      if (!ann) continue;
-      annotatedCount++;
-      if (typeof ann !== "object" || ann === null) {
-        issues.push(`${tool.name}: annotations must be an object`);
-        continue;
-      }
-      const boolFields = ["readOnlyHint", "destructiveHint", "idempotentHint", "openWorldHint"];
-      for (const field of boolFields) {
-        if (ann[field] !== void 0 && typeof ann[field] !== "boolean") {
-          issues.push(`${tool.name}: annotations.${field} should be boolean, got ${typeof ann[field]}`);
+  );
+  const hasTools = !!serverInfo.capabilities.tools;
+  let cachedToolsList = null;
+  await test(
+    "tools-list",
+    "tools/list returns valid response",
+    "tools",
+    hasTools,
+    "server/tools#listing-tools",
+    async () => {
+      const res = await rpc("tools/list");
+      const tools = res.body?.result?.tools;
+      if (!Array.isArray(tools)) return { passed: false, details: "No tools array in result" };
+      cachedToolsList = tools;
+      toolCount = tools.length;
+      toolNames = tools.map((t) => t.name).filter(Boolean);
+      return {
+        passed: true,
+        details: `${toolCount} tool(s): ${toolNames.slice(0, 5).join(", ")}${toolCount > 5 ? "..." : ""}`
+      };
+    }
+  );
+  await test(
+    "tools-schema",
+    "All tools have name and inputSchema",
+    "schema",
+    hasTools,
+    "server/tools#data-types",
+    async () => {
+      const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
+      const issues = [];
+      for (const tool of tools) {
+        if (!tool.name) {
+          issues.push("Tool missing name");
+          continue;
+        }
+        if (tool.name.length > 128 || !/^[A-Za-z0-9_.\-]+$/.test(tool.name)) {
+          issues.push(`${tool.name}: name format invalid`);
+        }
+        if (!tool.description) warnings.push(`Tool "${tool.name}" missing description`);
+        if (!tool.inputSchema) {
+          issues.push(`${tool.name}: missing inputSchema (required)`);
+        } else if (typeof tool.inputSchema !== "object" || tool.inputSchema === null) {
+          issues.push(`${tool.name}: inputSchema must be a valid JSON Schema object`);
+        } else if (tool.inputSchema.type !== "object") {
+          issues.push(
+            `${tool.name}: inputSchema.type must be "object" (got "${tool.inputSchema.type || "undefined"}")`
+          );
         }
       }
-      if (ann.title !== void 0 && typeof ann.title !== "string") {
-        issues.push(`${tool.name}: annotations.title should be string`);
+      const detail = issues.length === 0 ? "All tools have valid schemas" : issues.join("; ");
+      return { passed: issues.length === 0, details: detail };
+    }
+  );
+  await test(
+    "tools-annotations",
+    "Tool annotations are valid",
+    "schema",
+    false,
+    "server/tools#annotations",
+    async () => {
+      const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
+      if (tools.length === 0) return { passed: true, details: "No tools to validate" };
+      const issues = [];
+      let annotatedCount = 0;
+      for (const tool of tools) {
+        const ann = tool.annotations;
+        if (!ann) continue;
+        annotatedCount++;
+        if (typeof ann !== "object" || ann === null) {
+          issues.push(`${tool.name}: annotations must be an object`);
+          continue;
+        }
+        const boolFields = ["readOnlyHint", "destructiveHint", "idempotentHint", "openWorldHint"];
+        for (const field of boolFields) {
+          if (ann[field] !== void 0 && typeof ann[field] !== "boolean") {
+            issues.push(`${tool.name}: annotations.${field} should be boolean, got ${typeof ann[field]}`);
+          }
+        }
+        if (ann.title !== void 0 && typeof ann.title !== "string") {
+          issues.push(`${tool.name}: annotations.title should be string`);
+        }
       }
+      if (issues.length > 0) return { passed: false, details: issues.join("; ") };
+      return {
+        passed: true,
+        details: annotatedCount > 0 ? `${annotatedCount} tool(s) with valid annotations` : "No tools have annotations (optional)"
+      };
     }
-    if (issues.length > 0) return { passed: false, details: issues.join("; ") };
-    return { passed: true, details: annotatedCount > 0 ? `${annotatedCount} tool(s) with valid annotations` : "No tools have annotations (optional)" };
-  });
+  );
   await test("tools-title-field", "Tools include title field", "schema", false, "server/tools#data-types", async () => {
     const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
     if (tools.length === 0) return { passed: true, details: "No tools to validate" };
@@ -597,211 +1092,319 @@ async function runComplianceSuite(url, options = {}) {
     }
     return { passed: true, details: `${withTitle.length}/${tools.length} tool(s) have title field` };
   });
-  await test("tools-output-schema", "Tools with outputSchema are valid", "schema", false, "server/tools#structured-content", async () => {
-    const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
-    if (tools.length === 0) return { passed: true, details: "No tools to validate" };
-    const issues = [];
-    let withSchema = 0;
-    for (const tool of tools) {
-      if (tool.outputSchema === void 0) continue;
-      withSchema++;
-      if (typeof tool.outputSchema !== "object" || tool.outputSchema === null) {
-        issues.push(`${tool.name}: outputSchema must be a JSON Schema object`);
-      } else if (tool.outputSchema.type !== "object") {
-        issues.push(`${tool.name}: outputSchema.type must be "object" (got "${tool.outputSchema.type || "undefined"}")`);
+  await test(
+    "tools-output-schema",
+    "Tools with outputSchema are valid",
+    "schema",
+    false,
+    "server/tools#structured-content",
+    async () => {
+      const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
+      if (tools.length === 0) return { passed: true, details: "No tools to validate" };
+      const issues = [];
+      let withSchema = 0;
+      for (const tool of tools) {
+        if (tool.outputSchema === void 0) continue;
+        withSchema++;
+        if (typeof tool.outputSchema !== "object" || tool.outputSchema === null) {
+          issues.push(`${tool.name}: outputSchema must be a JSON Schema object`);
+        } else if (tool.outputSchema.type !== "object") {
+          issues.push(
+            `${tool.name}: outputSchema.type must be "object" (got "${tool.outputSchema.type || "undefined"}")`
+          );
+        }
       }
+      if (issues.length > 0) return { passed: false, details: issues.join("; ") };
+      return {
+        passed: true,
+        details: withSchema > 0 ? `${withSchema} tool(s) with valid outputSchema` : "No tools have outputSchema (optional)"
+      };
     }
-    if (issues.length > 0) return { passed: false, details: issues.join("; ") };
-    return { passed: true, details: withSchema > 0 ? `${withSchema} tool(s) with valid outputSchema` : "No tools have outputSchema (optional)" };
-  });
+  );
   if (toolNames.length > 0) {
-    await test("tools-call", "tools/call responds correctly", "tools", false, "server/tools#calling-tools", async () => {
-      const res = await rpc("tools/call", { name: toolNames[0], arguments: {} });
-      const result = res.body?.result;
-      const error = res.body?.error;
-      if (error) {
-        const code = error.code;
-        if (code === -32602 || code === -32600) {
-          return { passed: true, details: `Invalid params error (acceptable): code ${code}` };
+    await test(
+      "tools-call",
+      "tools/call responds correctly",
+      "tools",
+      false,
+      "server/tools#calling-tools",
+      async () => {
+        const res = await rpc("tools/call", { name: toolNames[0], arguments: {} });
+        const result = res.body?.result;
+        const error = res.body?.error;
+        if (error) {
+          const code = error.code;
+          if (code === -32602 || code === -32600) {
+            return { passed: true, details: `Invalid params error (acceptable): code ${code}` };
+          }
+          return { passed: true, details: `Protocol error: code ${code} \u2014 ${error.message}` };
         }
-        return { passed: true, details: `Protocol error: code ${code} \u2014 ${error.message}` };
-      }
-      if (result?.content && Array.isArray(result.content)) {
-        const badItems = result.content.filter((c) => !c.type);
-        if (badItems.length > 0) return { passed: false, details: `${badItems.length} content item(s) missing 'type' field` };
-        return { passed: true, details: `Returned ${result.content.length} content item(s)` };
-      }
-      if (result?.isError && result?.content && Array.isArray(result.content)) {
-        return { passed: true, details: "Tool returned execution error with content (valid)" };
-      }
-      return { passed: false, details: "Response missing content array" };
-    });
-    await test("tools-content-types", "Tool content items have valid types", "tools", false, "server/tools#calling-tools", async () => {
-      const res = await rpc("tools/call", { name: toolNames[0], arguments: {} });
-      const result = res.body?.result;
-      const error = res.body?.error;
-      if (error) {
-        return { passed: true, details: `Tool returned error (content types not applicable): code ${error.code}` };
-      }
-      const content = result?.content;
-      if (!Array.isArray(content) || content.length === 0) {
-        return { passed: true, details: "No content items to validate" };
+        if (result?.content && Array.isArray(result.content)) {
+          const badItems = result.content.filter((c) => !c.type);
+          if (badItems.length > 0)
+            return { passed: false, details: `${badItems.length} content item(s) missing 'type' field` };
+          return { passed: true, details: `Returned ${result.content.length} content item(s)` };
+        }
+        if (result?.isError && result?.content && Array.isArray(result.content)) {
+          return { passed: true, details: "Tool returned execution error with content (valid)" };
+        }
+        return { passed: false, details: "Response missing content array" };
       }
-      const issues = [];
-      const types = /* @__PURE__ */ new Set();
-      for (const item of content) {
-        if (!item.type) {
-          issues.push("Content item missing type field");
-        } else if (!VALID_CONTENT_TYPES.includes(item.type)) {
-          issues.push(`Unknown content type: "${item.type}"`);
-        } else {
-          types.add(item.type);
+    );
+    await test(
+      "tools-content-types",
+      "Tool content items have valid types",
+      "tools",
+      false,
+      "server/tools#calling-tools",
+      async () => {
+        const res = await rpc("tools/call", { name: toolNames[0], arguments: {} });
+        const result = res.body?.result;
+        const error = res.body?.error;
+        if (error) {
+          return { passed: true, details: `Tool returned error (content types not applicable): code ${error.code}` };
+        }
+        const content = result?.content;
+        if (!Array.isArray(content) || content.length === 0) {
+          return { passed: true, details: "No content items to validate" };
+        }
+        const issues = [];
+        const types = /* @__PURE__ */ new Set();
+        for (const item of content) {
+          if (!item.type) {
+            issues.push("Content item missing type field");
+          } else if (!VALID_CONTENT_TYPES.includes(item.type)) {
+            issues.push(`Unknown content type: "${item.type}"`);
+          } else {
+            types.add(item.type);
+          }
         }
+        if (issues.length > 0) return { passed: false, details: issues.join("; ") };
+        return { passed: true, details: `Content types: ${[...types].join(", ")}` };
       }
-      if (issues.length > 0) return { passed: false, details: issues.join("; ") };
-      return { passed: true, details: `Content types: ${[...types].join(", ")}` };
-    });
+    );
   }
   if (hasTools) {
-    await test("tools-pagination", "tools/list supports pagination", "tools", false, "server/tools#listing-tools", async () => {
-      const res = await rpc("tools/list");
-      const result = res.body?.result;
-      if (!result) return { passed: false, details: "No result from tools/list" };
-      if (!Array.isArray(result.tools)) return { passed: false, details: "No tools array" };
-      if (result.nextCursor !== void 0) {
-        if (typeof result.nextCursor !== "string") {
-          return { passed: false, details: `nextCursor should be string, got ${typeof result.nextCursor}` };
-        }
-        const nextRes = await rpc("tools/list", { cursor: result.nextCursor });
-        const nextResult = nextRes.body?.result;
-        if (!nextResult || !Array.isArray(nextResult.tools)) {
-          return { passed: false, details: "Next page failed to return tools array" };
+    await test(
+      "tools-pagination",
+      "tools/list supports pagination",
+      "tools",
+      false,
+      "server/tools#listing-tools",
+      async () => {
+        const res = await rpc("tools/list");
+        const result = res.body?.result;
+        if (!result) return { passed: false, details: "No result from tools/list" };
+        if (!Array.isArray(result.tools)) return { passed: false, details: "No tools array" };
+        if (result.nextCursor !== void 0) {
+          if (typeof result.nextCursor !== "string") {
+            return { passed: false, details: `nextCursor should be string, got ${typeof result.nextCursor}` };
+          }
+          const nextRes = await rpc("tools/list", { cursor: result.nextCursor });
+          const nextResult = nextRes.body?.result;
+          if (!nextResult || !Array.isArray(nextResult.tools)) {
+            return { passed: false, details: "Next page failed to return tools array" };
+          }
+          return {
+            passed: true,
+            details: `Pagination works: page 1 had ${result.tools.length} tools, page 2 had ${nextResult.tools.length} tools`
+          };
         }
-        return { passed: true, details: `Pagination works: page 1 had ${result.tools.length} tools, page 2 had ${nextResult.tools.length} tools` };
+        return { passed: true, details: `${result.tools.length} tool(s), no nextCursor (single page)` };
       }
-      return { passed: true, details: `${result.tools.length} tool(s), no nextCursor (single page)` };
-    });
-    await test("tools-call-unknown", "Returns error for unknown tool name", "errors", false, "server/tools#error-handling", async () => {
-      const res = await rpc("tools/call", { name: "__nonexistent_tool_compliance_test__", arguments: {} });
-      const error = res.body?.error;
-      const isError = res.body?.result?.isError;
-      if (error) return { passed: true, details: `Error code: ${error.code} \u2014 ${error.message}` };
-      if (isError) return { passed: true, details: "Tool execution error with isError=true (valid)" };
-      return { passed: false, details: "No error returned for nonexistent tool" };
-    });
+    );
+    await test(
+      "tools-call-unknown",
+      "Returns error for unknown tool name",
+      "errors",
+      false,
+      "server/tools#error-handling",
+      async () => {
+        const res = await rpc("tools/call", { name: "__nonexistent_tool_compliance_test__", arguments: {} });
+        const error = res.body?.error;
+        const isError = res.body?.result?.isError;
+        if (error) return { passed: true, details: `Error code: ${error.code} \u2014 ${error.message}` };
+        if (isError) return { passed: true, details: "Tool execution error with isError=true (valid)" };
+        return { passed: false, details: "No error returned for nonexistent tool" };
+      }
+    );
   }
   const hasResources = !!serverInfo.capabilities.resources;
   const hasSubscribe = !!serverInfo.capabilities.resources?.subscribe;
   if (hasResources) {
     let cachedResourcesList = null;
-    await test("resources-list", "resources/list returns valid response", "resources", true, "server/resources#listing-resources", async () => {
-      const res = await rpc("resources/list");
-      const resources = res.body?.result?.resources;
-      if (!Array.isArray(resources)) return { passed: false, details: "No resources array" };
-      cachedResourcesList = resources;
-      resourceCount = resources.length;
-      resourceNames = resources.map((r) => r.name).filter(Boolean);
-      return { passed: true, details: `${resourceCount} resource(s)` };
-    });
-    await test("resources-schema", "Resources have uri and name", "schema", true, "server/resources#data-types", async () => {
-      const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
-      const issues = [];
-      for (const r of resources) {
-        if (!r.uri) issues.push("Resource missing uri");
-        else {
-          try {
-            new URL(r.uri);
-          } catch {
-            issues.push(`${r.uri}: invalid URI format`);
+    await test(
+      "resources-list",
+      "resources/list returns valid response",
+      "resources",
+      true,
+      "server/resources#listing-resources",
+      async () => {
+        const res = await rpc("resources/list");
+        const resources = res.body?.result?.resources;
+        if (!Array.isArray(resources)) return { passed: false, details: "No resources array" };
+        cachedResourcesList = resources;
+        resourceCount = resources.length;
+        resourceNames = resources.map((r) => r.name).filter(Boolean);
+        return { passed: true, details: `${resourceCount} resource(s)` };
+      }
+    );
+    await test(
+      "resources-schema",
+      "Resources have uri and name",
+      "schema",
+      true,
+      "server/resources#data-types",
+      async () => {
+        const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
+        const issues = [];
+        for (const r of resources) {
+          if (!r.uri) issues.push("Resource missing uri");
+          else {
+            try {
+              new URL(r.uri);
+            } catch {
+              issues.push(`${r.uri}: invalid URI format`);
+            }
           }
+          if (!r.name) issues.push(`${r.uri || "?"}: missing name`);
+          if (!r.description) warnings.push(`Resource "${r.name || r.uri}" missing description`);
+          if (!r.mimeType) warnings.push(`Resource "${r.name || r.uri}" missing mimeType`);
         }
-        if (!r.name) issues.push(`${r.uri || "?"}: missing name`);
-        if (!r.description) warnings.push(`Resource "${r.name || r.uri}" missing description`);
-        if (!r.mimeType) warnings.push(`Resource "${r.name || r.uri}" missing mimeType`);
+        return {
+          passed: issues.length === 0,
+          details: issues.length === 0 ? "All resources valid" : issues.join("; ")
+        };
       }
-      return { passed: issues.length === 0, details: issues.length === 0 ? "All resources valid" : issues.join("; ") };
-    });
+    );
     if (resourceCount > 0) {
-      await test("resources-read", "resources/read returns content", "resources", false, "server/resources#reading-resources", async () => {
-        const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
-        const firstUri = resources[0]?.uri;
-        if (!firstUri) return { passed: false, details: "No resource URI to test" };
-        const readRes = await rpc("resources/read", { uri: firstUri });
-        const contents = readRes.body?.result?.contents;
-        if (!Array.isArray(contents)) return { passed: false, details: "No contents array" };
+      await test(
+        "resources-read",
+        "resources/read returns content",
+        "resources",
+        false,
+        "server/resources#reading-resources",
+        async () => {
+          const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
+          const firstUri = resources[0]?.uri;
+          if (!firstUri) return { passed: false, details: "No resource URI to test" };
+          const readRes = await rpc("resources/read", { uri: firstUri });
+          const contents = readRes.body?.result?.contents;
+          if (!Array.isArray(contents)) return { passed: false, details: "No contents array" };
+          const issues = [];
+          for (const c of contents) {
+            if (!c.uri) issues.push("Content item missing uri");
+            if (!c.text && !c.blob) issues.push(`Content item for ${c.uri || "?"} missing both text and blob`);
+          }
+          if (issues.length > 0) return { passed: false, details: issues.join("; ") };
+          return { passed: true, details: `Read ${contents.length} content item(s) from ${firstUri}` };
+        }
+      );
+    }
+    await test(
+      "resources-templates",
+      "resources/templates/list returns valid response",
+      "resources",
+      false,
+      "server/resources#resource-templates",
+      async () => {
+        const res = await rpc("resources/templates/list");
+        const error = res.body?.error;
+        if (error) {
+          if (error.code === -32601) return { passed: true, details: "Method not supported (acceptable)" };
+          return { passed: false, details: `Error: ${error.message}` };
+        }
+        const templates = res.body?.result?.resourceTemplates;
+        if (!Array.isArray(templates)) return { passed: false, details: "No resourceTemplates array" };
         const issues = [];
-        for (const c of contents) {
-          if (!c.uri) issues.push("Content item missing uri");
-          if (!c.text && !c.blob) issues.push(`Content item for ${c.uri || "?"} missing both text and blob`);
+        for (const t of templates) {
+          if (!t.uriTemplate) issues.push("Template missing uriTemplate");
+          if (!t.name) issues.push(`${t.uriTemplate || "?"}: missing name`);
         }
         if (issues.length > 0) return { passed: false, details: issues.join("; ") };
-        return { passed: true, details: `Read ${contents.length} content item(s) from ${firstUri}` };
-      });
-    }
-    await test("resources-templates", "resources/templates/list returns valid response", "resources", false, "server/resources#resource-templates", async () => {
-      const res = await rpc("resources/templates/list");
-      const error = res.body?.error;
-      if (error) {
-        if (error.code === -32601) return { passed: true, details: "Method not supported (acceptable)" };
-        return { passed: false, details: `Error: ${error.message}` };
-      }
-      const templates = res.body?.result?.resourceTemplates;
-      if (!Array.isArray(templates)) return { passed: false, details: "No resourceTemplates array" };
-      const issues = [];
-      for (const t of templates) {
-        if (!t.uriTemplate) issues.push("Template missing uriTemplate");
-        if (!t.name) issues.push(`${t.uriTemplate || "?"}: missing name`);
+        return { passed: true, details: `${templates.length} resource template(s)` };
       }
-      if (issues.length > 0) return { passed: false, details: issues.join("; ") };
-      return { passed: true, details: `${templates.length} resource template(s)` };
-    });
-    await test("resources-pagination", "resources/list supports pagination", "resources", false, "server/resources#listing-resources", async () => {
-      const res = await rpc("resources/list");
-      const result = res.body?.result;
-      if (!result) return { passed: false, details: "No result from resources/list" };
-      if (!Array.isArray(result.resources)) return { passed: false, details: "No resources array" };
-      if (result.nextCursor !== void 0) {
-        if (typeof result.nextCursor !== "string") {
-          return { passed: false, details: `nextCursor should be string, got ${typeof result.nextCursor}` };
-        }
-        const nextRes = await rpc("resources/list", { cursor: result.nextCursor });
-        const nextResult = nextRes.body?.result;
-        if (!nextResult || !Array.isArray(nextResult.resources)) {
-          return { passed: false, details: "Next page failed to return resources array" };
+    );
+    await test(
+      "resources-pagination",
+      "resources/list supports pagination",
+      "resources",
+      false,
+      "server/resources#listing-resources",
+      async () => {
+        const res = await rpc("resources/list");
+        const result = res.body?.result;
+        if (!result) return { passed: false, details: "No result from resources/list" };
+        if (!Array.isArray(result.resources)) return { passed: false, details: "No resources array" };
+        if (result.nextCursor !== void 0) {
+          if (typeof result.nextCursor !== "string") {
+            return { passed: false, details: `nextCursor should be string, got ${typeof result.nextCursor}` };
+          }
+          const nextRes = await rpc("resources/list", { cursor: result.nextCursor });
+          const nextResult = nextRes.body?.result;
+          if (!nextResult || !Array.isArray(nextResult.resources)) {
+            return { passed: false, details: "Next page failed to return resources array" };
+          }
+          return {
+            passed: true,
+            details: `Pagination works: page 1 had ${result.resources.length}, page 2 had ${nextResult.resources.length}`
+          };
         }
-        return { passed: true, details: `Pagination works: page 1 had ${result.resources.length}, page 2 had ${nextResult.resources.length}` };
+        return { passed: true, details: `${result.resources.length} resource(s), no nextCursor (single page)` };
       }
-      return { passed: true, details: `${result.resources.length} resource(s), no nextCursor (single page)` };
-    });
+    );
     if (hasSubscribe && resourceCount > 0) {
-      await test("resources-subscribe", "Resource subscribe/unsubscribe", "resources", true, "server/resources#subscriptions", async () => {
-        const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
-        const firstUri = resources[0]?.uri;
-        if (!firstUri) return { passed: false, details: "No resource URI for subscribe test" };
-        const subRes = await rpc("resources/subscribe", { uri: firstUri });
-        if (subRes.body?.error) {
-          return { passed: false, details: `Subscribe error: ${subRes.body.error.code} \u2014 ${subRes.body.error.message}` };
-        }
-        const unsubRes = await rpc("resources/unsubscribe", { uri: firstUri });
-        if (unsubRes.body?.error) {
-          return { passed: false, details: `Unsubscribe error: ${unsubRes.body.error.code} \u2014 ${unsubRes.body.error.message}` };
+      await test(
+        "resources-subscribe",
+        "Resource subscribe/unsubscribe",
+        "resources",
+        true,
+        "server/resources#subscriptions",
+        async () => {
+          const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
+          const firstUri = resources[0]?.uri;
+          if (!firstUri) return { passed: false, details: "No resource URI for subscribe test" };
+          const subRes = await rpc("resources/subscribe", { uri: firstUri });
+          if (subRes.body?.error) {
+            return {
+              passed: false,
+              details: `Subscribe error: ${subRes.body.error.code} \u2014 ${subRes.body.error.message}`
+            };
+          }
+          const unsubRes = await rpc("resources/unsubscribe", { uri: firstUri });
+          if (unsubRes.body?.error) {
+            return {
+              passed: false,
+              details: `Unsubscribe error: ${unsubRes.body.error.code} \u2014 ${unsubRes.body.error.message}`
+            };
+          }
+          return { passed: true, details: `Subscribe/unsubscribe for ${firstUri} succeeded` };
         }
-        return { passed: true, details: `Subscribe/unsubscribe for ${firstUri} succeeded` };
-      });
+      );
     }
   }
   const hasPrompts = !!serverInfo.capabilities.prompts;
   if (hasPrompts) {
     let cachedPromptsList = null;
-    await test("prompts-list", "prompts/list returns valid response", "prompts", true, "server/prompts#listing-prompts", async () => {
-      const res = await rpc("prompts/list");
-      const prompts = res.body?.result?.prompts;
-      if (!Array.isArray(prompts)) return { passed: false, details: "No prompts array" };
-      cachedPromptsList = prompts;
-      promptCount = prompts.length;
-      promptNames = prompts.map((p) => p.name).filter(Boolean);
-      return { passed: true, details: `${promptCount} prompt(s): ${promptNames.slice(0, 5).join(", ")}${promptCount > 5 ? "..." : ""}` };
-    });
+    await test(
+      "prompts-list",
+      "prompts/list returns valid response",
+      "prompts",
+      true,
+      "server/prompts#listing-prompts",
+      async () => {
+        const res = await rpc("prompts/list");
+        const prompts = res.body?.result?.prompts;
+        if (!Array.isArray(prompts)) return { passed: false, details: "No prompts array" };
+        cachedPromptsList = prompts;
+        promptCount = prompts.length;
+        promptNames = prompts.map((p) => p.name).filter(Boolean);
+        return {
+          passed: true,
+          details: `${promptCount} prompt(s): ${promptNames.slice(0, 5).join(", ")}${promptCount > 5 ? "..." : ""}`
+        };
+      }
+    );
     await test("prompts-schema", "Prompts have name field", "schema", true, "server/prompts#data-types", async () => {
       const prompts = cachedPromptsList ?? (await rpc("prompts/list")).body?.result?.prompts ?? [];
       const issues = [];
@@ -818,39 +1421,56 @@ async function runComplianceSuite(url, options = {}) {
       return { passed: issues.length === 0, details: issues.length === 0 ? "All prompts valid" : issues.join("; ") };
     });
     if (promptNames.length > 0) {
-      await test("prompts-get", "prompts/get returns valid messages", "prompts", false, "server/prompts#getting-a-prompt", async () => {
-        const res = await rpc("prompts/get", { name: promptNames[0] });
-        const error = res.body?.error;
-        if (error) return { passed: true, details: `Error (may need arguments): code ${error.code}` };
-        const messages = res.body?.result?.messages;
-        if (!Array.isArray(messages)) return { passed: false, details: "No messages array in result" };
-        const issues = [];
-        for (const msg of messages) {
-          if (!msg.role || !["user", "assistant"].includes(msg.role)) issues.push(`Invalid role: ${msg.role}`);
-          if (!msg.content) issues.push("Message missing content");
+      await test(
+        "prompts-get",
+        "prompts/get returns valid messages",
+        "prompts",
+        false,
+        "server/prompts#getting-a-prompt",
+        async () => {
+          const res = await rpc("prompts/get", { name: promptNames[0] });
+          const error = res.body?.error;
+          if (error) return { passed: true, details: `Error (may need arguments): code ${error.code}` };
+          const messages = res.body?.result?.messages;
+          if (!Array.isArray(messages)) return { passed: false, details: "No messages array in result" };
+          const issues = [];
+          for (const msg of messages) {
+            if (!msg.role || !["user", "assistant"].includes(msg.role)) issues.push(`Invalid role: ${msg.role}`);
+            if (!msg.content) issues.push("Message missing content");
+          }
+          if (issues.length > 0) return { passed: false, details: issues.join("; ") };
+          return { passed: true, details: `${messages.length} message(s) from ${promptNames[0]}` };
         }
-        if (issues.length > 0) return { passed: false, details: issues.join("; ") };
-        return { passed: true, details: `${messages.length} message(s) from ${promptNames[0]}` };
-      });
+      );
     }
-    await test("prompts-pagination", "prompts/list supports pagination", "prompts", false, "server/prompts#listing-prompts", async () => {
-      const res = await rpc("prompts/list");
-      const result = res.body?.result;
-      if (!result) return { passed: false, details: "No result from prompts/list" };
-      if (!Array.isArray(result.prompts)) return { passed: false, details: "No prompts array" };
-      if (result.nextCursor !== void 0) {
-        if (typeof result.nextCursor !== "string") {
-          return { passed: false, details: `nextCursor should be string, got ${typeof result.nextCursor}` };
-        }
-        const nextRes = await rpc("prompts/list", { cursor: result.nextCursor });
-        const nextResult = nextRes.body?.result;
-        if (!nextResult || !Array.isArray(nextResult.prompts)) {
-          return { passed: false, details: "Next page failed to return prompts array" };
+    await test(
+      "prompts-pagination",
+      "prompts/list supports pagination",
+      "prompts",
+      false,
+      "server/prompts#listing-prompts",
+      async () => {
+        const res = await rpc("prompts/list");
+        const result = res.body?.result;
+        if (!result) return { passed: false, details: "No result from prompts/list" };
+        if (!Array.isArray(result.prompts)) return { passed: false, details: "No prompts array" };
+        if (result.nextCursor !== void 0) {
+          if (typeof result.nextCursor !== "string") {
+            return { passed: false, details: `nextCursor should be string, got ${typeof result.nextCursor}` };
+          }
+          const nextRes = await rpc("prompts/list", { cursor: result.nextCursor });
+          const nextResult = nextRes.body?.result;
+          if (!nextResult || !Array.isArray(nextResult.prompts)) {
+            return { passed: false, details: "Next page failed to return prompts array" };
+          }
+          return {
+            passed: true,
+            details: `Pagination works: page 1 had ${result.prompts.length}, page 2 had ${nextResult.prompts.length}`
+          };
         }
-        return { passed: true, details: `Pagination works: page 1 had ${result.prompts.length}, page 2 had ${nextResult.prompts.length}` };
+        return { passed: true, details: `${result.prompts.length} prompt(s), no nextCursor (single page)` };
       }
-      return { passed: true, details: `${result.prompts.length} prompt(s), no nextCursor (single page)` };
-    });
+    );
   }
   await test("error-unknown-method", "Returns JSON-RPC error for unknown method", "errors", true, "basic", async () => {
     const res = await rpc("nonexistent/method");
@@ -862,16 +1482,23 @@ async function runComplianceSuite(url, options = {}) {
       details: `Error code: ${error.code}${correctCode ? " (correct: Method not found)" : " (expected -32601)"} \u2014 ${error.message}`
     };
   });
-  await test("error-method-code", "Uses correct JSON-RPC error code for unknown method", "errors", false, "basic", async () => {
-    const res = await rpc("nonexistent/method");
-    const error = res.body?.error;
-    if (!error) return { passed: false, details: "No error returned" };
-    return { passed: error.code === -32601, details: `Expected -32601, got ${error.code}` };
-  });
+  await test(
+    "error-method-code",
+    "Uses correct JSON-RPC error code for unknown method",
+    "errors",
+    false,
+    "basic",
+    async () => {
+      const res = await rpc("nonexistent/method");
+      const error = res.body?.error;
+      if (!error) return { passed: false, details: "No error returned" };
+      return { passed: error.code === -32601, details: `Expected -32601, got ${error.code}` };
+    }
+  );
   await test("error-invalid-jsonrpc", "Handles malformed JSON-RPC", "errors", true, "basic", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...buildHeaders() },
+      headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", ...buildHeaders() },
       body: JSON.stringify({ not: "a valid jsonrpc message" }),
       signal: AbortSignal.timeout(timeout)
     });
@@ -880,17 +1507,21 @@ async function runComplianceSuite(url, options = {}) {
       const body = JSON.parse(text);
       if (body?.error) {
         const correctCode = body.error.code === -32600;
-        return { passed: true, details: `Error code: ${body.error.code}${correctCode ? " (correct: Invalid Request)" : ""} \u2014 ${body.error.message}` };
+        return {
+          passed: true,
+          details: `Error code: ${body.error.code}${correctCode ? " (correct: Invalid Request)" : ""} \u2014 ${body.error.message}`
+        };
       }
     } catch {
     }
-    if (res.statusCode >= 400 && res.statusCode < 500) return { passed: true, details: `HTTP ${res.statusCode} (acceptable)` };
+    if (res.statusCode >= 400 && res.statusCode < 500)
+      return { passed: true, details: `HTTP ${res.statusCode} (acceptable)` };
     return { passed: false, details: `HTTP ${res.statusCode} \u2014 expected JSON-RPC error or 4xx status` };
   });
   await test("error-invalid-json", "Handles invalid JSON body", "errors", false, "basic", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...buildHeaders() },
+      headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", ...buildHeaders() },
       body: "{this is not valid json!!!",
       signal: AbortSignal.timeout(timeout)
     });
@@ -900,24 +1531,35 @@ async function runComplianceSuite(url, options = {}) {
       if (body?.error) return { passed: true, details: `Error code: ${body.error.code} \u2014 ${body.error.message}` };
     } catch {
     }
-    if (res.statusCode >= 400 && res.statusCode < 500) return { passed: true, details: `HTTP ${res.statusCode} (acceptable)` };
+    if (res.statusCode >= 400 && res.statusCode < 500)
+      return { passed: true, details: `HTTP ${res.statusCode} (acceptable)` };
     return { passed: false, details: `HTTP ${res.statusCode} \u2014 expected parse error or 4xx status` };
   });
-  await test("error-missing-params", "Returns error for tools/call without name", "errors", false, "server/tools#error-handling", async () => {
-    const res = await rpc("tools/call", {});
-    const error = res.body?.error;
-    const isError = res.body?.result?.isError;
-    if (error) {
-      const correctCode = error.code === -32602;
-      return { passed: true, details: `Error code: ${error.code}${correctCode ? " (correct: Invalid params)" : ""} \u2014 ${error.message}` };
+  await test(
+    "error-missing-params",
+    "Returns error for tools/call without name",
+    "errors",
+    false,
+    "server/tools#error-handling",
+    async () => {
+      const res = await rpc("tools/call", {});
+      const error = res.body?.error;
+      const isError = res.body?.result?.isError;
+      if (error) {
+        const correctCode = error.code === -32602;
+        return {
+          passed: true,
+          details: `Error code: ${error.code}${correctCode ? " (correct: Invalid params)" : ""} \u2014 ${error.message}`
+        };
+      }
+      if (isError) return { passed: true, details: "Tool execution error (valid)" };
+      return { passed: false, details: "No error for tools/call without name" };
     }
-    if (isError) return { passed: true, details: "Tool execution error (valid)" };
-    return { passed: false, details: "No error for tools/call without name" };
-  });
+  );
   await test("error-parse-code", "Returns -32700 for invalid JSON", "errors", false, "basic", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...buildHeaders() },
+      headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", ...buildHeaders() },
       body: "<<<not json>>>",
       signal: AbortSignal.timeout(timeout)
     });
@@ -940,7 +1582,7 @@ async function runComplianceSuite(url, options = {}) {
   await test("error-invalid-request-code", "Returns -32600 for invalid request", "errors", false, "basic", async () => {
     const res = await request(backendUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json", "Accept": "application/json, text/event-stream", ...buildHeaders() },
+      headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", ...buildHeaders() },
       body: JSON.stringify({ jsonrpc: "2.0", id: 99999 }),
       signal: AbortSignal.timeout(timeout)
     });
@@ -985,6 +1627,194 @@ async function runComplianceSuite(url, options = {}) {
   };
 }
 
+// src/mcp/tools.ts
+function registerTools(server) {
+  server.tool(
+    "mcp_compliance_test",
+    "Run the full MCP compliance test suite against a server URL. Returns grade (A-F), score, and detailed results for all 43 tests covering transport, lifecycle, tools, resources, prompts, errors, and schema validation.",
+    {
+      url: z.string().url().describe("The MCP server URL to test (must be HTTP or HTTPS)"),
+      auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
+      headers: z.record(z.string()).optional().describe('Additional headers to include on all requests (e.g., {"X-Api-Key": "abc"})'),
+      timeout: z.number().optional().describe("Request timeout in milliseconds (default: 15000)"),
+      retries: z.number().optional().describe("Number of retries for failed tests (default: 0)"),
+      only: z.array(z.string()).optional().describe("Only run tests matching these categories or test IDs"),
+      skip: z.array(z.string()).optional().describe("Skip tests matching these categories or test IDs")
+    },
+    {
+      title: "Run MCP Compliance Tests",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    async ({ url, auth, headers: extraHeaders, timeout, retries, only, skip }) => {
+      try {
+        const headers = { ...extraHeaders };
+        if (auth) headers.Authorization = auth;
+        const report = await runComplianceSuite(url, {
+          headers: Object.keys(headers).length > 0 ? headers : void 0,
+          timeout,
+          retries,
+          only,
+          skip
+        });
+        const summary = [
+          `Grade: ${report.grade} (${report.score}%)`,
+          `Overall: ${report.overall}`,
+          `Tests: ${report.summary.passed}/${report.summary.total} passed (${report.summary.requiredPassed}/${report.summary.required} required)`,
+          "",
+          ...report.tests.map(
+            (t) => `${t.passed ? "PASS" : "FAIL"} ${t.name}${t.required ? " (required)" : ""} \u2014 ${t.details}`
+          )
+        ];
+        if (report.serverInfo.name) {
+          summary.unshift(`Server: ${report.serverInfo.name} v${report.serverInfo.version || "?"}`);
+        }
+        if (report.warnings.length > 0) {
+          summary.push("", `Warnings (${report.warnings.length}):`);
+          for (const w of report.warnings) {
+            summary.push(`  - ${w}`);
+          }
+        }
+        return {
+          content: [
+            { type: "text", text: summary.join("\n") },
+            { type: "text", text: `
+
+Full report:
+${JSON.stringify(report, null, 2)}` }
+          ]
+        };
+      } catch (err) {
+        return {
+          content: [{ type: "text", text: `Error running compliance test: ${err.message}` }],
+          isError: true
+        };
+      }
+    }
+  );
+  server.tool(
+    "mcp_compliance_badge",
+    "Get the badge markdown embed code for an MCP server. Runs the compliance test suite first to determine the grade.",
+    {
+      url: z.string().url().describe("The MCP server URL to test"),
+      auth: z.string().optional().describe('Authorization header value (e.g., "Bearer tok123")'),
+      headers: z.record(z.string()).optional().describe("Additional headers to include on all requests"),
+      timeout: z.number().optional().describe("Request timeout in milliseconds (default: 15000)")
+    },
+    {
+      title: "Get Compliance Badge",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    async ({ url, auth, headers: extraHeaders, timeout }) => {
+      try {
+        const headers = { ...extraHeaders };
+        if (auth) headers.Authorization = auth;
+        const report = await runComplianceSuite(url, {
+          headers: Object.keys(headers).length > 0 ? headers : void 0,
+          timeout
+        });
+        const badge = report.badge;
+        return {
+          content: [
+            {
+              type: "text",
+              text: [
+                `Grade: ${report.grade} (${report.score}%)`,
+                "",
+                "Markdown:",
+                badge.markdown,
+                "",
+                "HTML:",
+                badge.html
+              ].join("\n")
+            }
+          ]
+        };
+      } catch (err) {
+        return {
+          content: [{ type: "text", text: `Error: ${err.message}` }],
+          isError: true
+        };
+      }
+    }
+  );
+  server.tool(
+    "mcp_compliance_explain",
+    "Explain what a specific compliance test ID checks and why it matters.",
+    {
+      testId: z.string().describe('The test ID to explain (e.g., "transport-post", "lifecycle-init", "tools-schema")')
+    },
+    {
+      title: "Explain Compliance Test",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: false
+    },
+    async ({ testId }) => {
+      const def = TEST_DEFINITIONS.find((t) => t.id === testId);
+      if (!def) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Unknown test ID: "${testId}"
+
+Valid test IDs:
+${TEST_DEFINITIONS.map((t) => t.id).join(", ")}`
+            }
+          ],
+          isError: true
+        };
+      }
+      return {
+        content: [
+          {
+            type: "text",
+            text: [
+              `Test: ${def.id}`,
+              `Name: ${def.name}`,
+              `Category: ${def.category}`,
+              `Required: ${def.required ? "Yes" : "No"}`,
+              `Spec reference: https://modelcontextprotocol.io/specification/2025-11-25/${def.specRef}`,
+              "",
+              def.description,
+              "",
+              `Fix: ${def.recommendation}`
+            ].join("\n")
+          }
+        ]
+      };
+    }
+  );
+}
+
+// src/mcp/server.ts
+var require2 = createRequire2(import.meta.url);
+var { version } = require2("../../package.json");
+function createComplianceServer() {
+  const server = new McpServer({ name: "mcp-compliance", version });
+  registerTools(server);
+  return server;
+}
+async function startServer() {
+  const server = createComplianceServer();
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+var isDirectRun = process.argv[1]?.endsWith("mcp/server.js") || process.argv[1]?.endsWith("mcp\\server.js");
+if (isDirectRun) {
+  startServer().catch((err) => {
+    console.error("MCP server error:", err);
+    process.exit(1);
+  });
+}
+
 // src/reporter.ts
 import chalk from "chalk";
 var CATEGORY_LABELS = {
@@ -1027,8 +1857,16 @@ function testLine(t) {
   const icon = t.passed ? chalk.green("  PASS") : chalk.red("  FAIL");
   const req = t.required ? chalk.dim(" (required)") : "";
   const dur = chalk.dim(` ${t.durationMs}ms`);
-  return `${icon}  ${t.name}${req}${dur}
+  let line = `${icon}  ${t.name}${req}${dur}
 ${chalk.dim(`         ${t.details}`)}`;
+  if (!t.passed) {
+    const def = TEST_DEFINITIONS.find((d) => d.id === t.id);
+    if (def?.recommendation) {
+      line += `
+${chalk.cyan(`         Fix: ${def.recommendation}`)}`;
+    }
+  }
+  return line;
 }
 function formatTerminal(report) {
   const lines = [];
@@ -1037,11 +1875,19 @@ function formatTerminal(report) {
   lines.push(chalk.dim(`Spec: ${report.specVersion}  |  Tool: v${report.toolVersion}  |  ${report.timestamp}`));
   lines.push(chalk.dim(`URL: ${report.url}`));
   if (report.serverInfo.name) {
-    lines.push(chalk.dim(`Server: ${report.serverInfo.name} v${report.serverInfo.version || "?"} (protocol ${report.serverInfo.protocolVersion || "?"})`));
+    lines.push(
+      chalk.dim(
+        `Server: ${report.serverInfo.name} v${report.serverInfo.version || "?"} (protocol ${report.serverInfo.protocolVersion || "?"})`
+      )
+    );
   }
   lines.push("");
-  lines.push(`  Grade: ${gradeColor(report.grade)}  Score: ${chalk.bold(String(report.score))}%  Overall: ${overallColor(report.overall)}`);
-  lines.push(`  Tests: ${chalk.green(String(report.summary.passed))} passed / ${chalk.red(String(report.summary.failed))} failed / ${report.summary.total} total`);
+  lines.push(
+    `  Grade: ${gradeColor(report.grade)}  Score: ${chalk.bold(String(report.score))}%  Overall: ${overallColor(report.overall)}`
+  );
+  lines.push(
+    `  Tests: ${chalk.green(String(report.summary.passed))} passed / ${chalk.red(String(report.summary.failed))} failed / ${report.summary.total} total`
+  );
   lines.push(`  Required: ${report.summary.requiredPassed}/${report.summary.required} passed`);
   const grouped = {};
   for (const t of report.tests) {
@@ -1067,13 +1913,25 @@ function formatTerminal(report) {
     lines.push(chalk.dim(`  Capabilities: ${declared.join(", ")}`));
   }
   if (report.toolCount > 0) {
-    lines.push(chalk.dim(`  Tools (${report.toolCount}): ${report.toolNames.slice(0, 10).join(", ")}${report.toolCount > 10 ? "..." : ""}`));
+    lines.push(
+      chalk.dim(
+        `  Tools (${report.toolCount}): ${report.toolNames.slice(0, 10).join(", ")}${report.toolCount > 10 ? "..." : ""}`
+      )
+    );
   }
   if (report.resourceCount > 0) {
-    lines.push(chalk.dim(`  Resources (${report.resourceCount}): ${report.resourceNames.slice(0, 10).join(", ")}${report.resourceCount > 10 ? "..." : ""}`));
+    lines.push(
+      chalk.dim(
+        `  Resources (${report.resourceCount}): ${report.resourceNames.slice(0, 10).join(", ")}${report.resourceCount > 10 ? "..." : ""}`
+      )
+    );
   }
   if (report.promptCount > 0) {
-    lines.push(chalk.dim(`  Prompts (${report.promptCount}): ${report.promptNames.slice(0, 10).join(", ")}${report.promptCount > 10 ? "..." : ""}`));
+    lines.push(
+      chalk.dim(
+        `  Prompts (${report.promptCount}): ${report.promptNames.slice(0, 10).join(", ")}${report.promptCount > 10 ? "..." : ""}`
+      )
+    );
   }
   if (report.warnings.length > 0) {
     lines.push("");
@@ -1091,131 +1949,80 @@ function formatTerminal(report) {
 function formatJson(report) {
   return JSON.stringify(report, null, 2);
 }
-
-// src/index.ts
-import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-
-// src/mcp/tools.ts
-import { z } from "zod";
-function registerTools(server) {
-  server.tool(
-    "mcp_compliance_test",
-    "Run the full MCP compliance test suite against a server URL. Returns grade (A-F), score, and detailed results for all 43 tests covering transport, lifecycle, tools, resources, prompts, errors, and schema validation.",
-    {
-      url: z.string().url().describe("The MCP server URL to test (must be HTTP or HTTPS)")
-    },
-    async ({ url }) => {
-      try {
-        const report = await runComplianceSuite(url);
-        const summary = [
-          `Grade: ${report.grade} (${report.score}%)`,
-          `Overall: ${report.overall}`,
-          `Tests: ${report.summary.passed}/${report.summary.total} passed (${report.summary.requiredPassed}/${report.summary.required} required)`,
-          "",
-          ...report.tests.map(
-            (t) => `${t.passed ? "PASS" : "FAIL"} ${t.name}${t.required ? " (required)" : ""} \u2014 ${t.details}`
-          )
-        ];
-        if (report.serverInfo.name) {
-          summary.unshift(`Server: ${report.serverInfo.name} v${report.serverInfo.version || "?"}`);
-        }
-        if (report.warnings.length > 0) {
-          summary.push("", `Warnings (${report.warnings.length}):`);
-          for (const w of report.warnings) {
-            summary.push(`  - ${w}`);
+function formatSarif(report) {
+  const SPEC_BASE2 = `https://modelcontextprotocol.io/specification/${report.specVersion}`;
+  const rules = report.tests.map((t) => {
+    const def = TEST_DEFINITIONS.find((d) => d.id === t.id);
+    return {
+      id: t.id,
+      name: t.name,
+      shortDescription: { text: t.name },
+      fullDescription: { text: def?.description || t.details },
+      helpUri: t.specRef || `${SPEC_BASE2}/basic`,
+      properties: {
+        category: t.category,
+        required: t.required
+      }
+    };
+  });
+  const results = report.tests.filter((t) => !t.passed).map((t) => {
+    const def = TEST_DEFINITIONS.find((d) => d.id === t.id);
+    return {
+      ruleId: t.id,
+      level: t.required ? "error" : "warning",
+      message: {
+        text: def?.recommendation ? `${t.details}. Fix: ${def.recommendation}` : t.details
+      },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: {
+              uri: report.url,
+              uriBaseId: "MCP_SERVER"
+            }
           }
         }
-        return {
-          content: [
-            { type: "text", text: summary.join("\n") },
-            { type: "text", text: `
-
-Full report:
-${JSON.stringify(report, null, 2)}` }
-          ]
-        };
-      } catch (err) {
-        return {
-          content: [{ type: "text", text: `Error running compliance test: ${err.message}` }],
-          isError: true
-        };
-      }
-    }
-  );
-  server.tool(
-    "mcp_compliance_badge",
-    "Get the badge markdown embed code for an MCP server. Runs the compliance test suite first to determine the grade.",
-    {
-      url: z.string().url().describe("The MCP server URL to test")
-    },
-    async ({ url }) => {
-      try {
-        const report = await runComplianceSuite(url);
-        const badge = report.badge;
-        return {
-          content: [{
-            type: "text",
-            text: [
-              `Grade: ${report.grade} (${report.score}%)`,
-              "",
-              "Markdown:",
-              badge.markdown,
-              "",
-              "HTML:",
-              badge.html
-            ].join("\n")
-          }]
-        };
-      } catch (err) {
-        return {
-          content: [{ type: "text", text: `Error: ${err.message}` }],
-          isError: true
-        };
+      ],
+      properties: {
+        category: t.category,
+        durationMs: t.durationMs
       }
-    }
-  );
-  server.tool(
-    "mcp_compliance_explain",
-    "Explain what a specific compliance test ID checks and why it matters.",
-    {
-      testId: z.string().describe('The test ID to explain (e.g., "transport-post", "lifecycle-init", "tools-schema")')
-    },
-    async ({ testId }) => {
-      const def = TEST_DEFINITIONS.find((t) => t.id === testId);
-      if (!def) {
-        return {
-          content: [{
-            type: "text",
-            text: `Unknown test ID: "${testId}"
-
-Valid test IDs:
-${TEST_DEFINITIONS.map((t) => t.id).join(", ")}`
-          }],
-          isError: true
-        };
+    };
+  });
+  const sarif = {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "mcp-compliance",
+            version: report.toolVersion,
+            informationUri: "https://github.com/YawLabs/mcp-compliance",
+            rules
+          }
+        },
+        results,
+        invocations: [
+          {
+            executionSuccessful: report.overall !== "fail",
+            properties: {
+              grade: report.grade,
+              score: report.score,
+              overall: report.overall,
+              specVersion: report.specVersion
+            }
+          }
+        ]
       }
-      return {
-        content: [{
-          type: "text",
-          text: [
-            `Test: ${def.id}`,
-            `Name: ${def.name}`,
-            `Category: ${def.category}`,
-            `Required: ${def.required ? "Yes" : "No"}`,
-            `Spec reference: https://modelcontextprotocol.io/specification/2025-11-25/${def.specRef}`,
-            "",
-            def.description
-          ].join("\n")
-        }]
-      };
-    }
-  );
+    ]
+  };
+  return JSON.stringify(sarif, null, 2);
 }
 
 // src/index.ts
-var require2 = createRequire2(import.meta.url);
-var { version } = require2("../package.json");
+var require3 = createRequire3(import.meta.url);
+var { version: version2 } = require3("../package.json");
 function parseHeaderArg(value, prev) {
   const idx = value.indexOf(":");
   if (idx === -1) {
@@ -1230,59 +2037,63 @@ function parseList(value) {
   return value.split(",").map((s) => s.trim()).filter(Boolean);
 }
 var program = new Command();
-program.name("mcp-compliance").description("Test MCP servers for spec compliance").version(version);
-program.command("test").description("Run the full compliance test suite against an MCP server").argument("<url>", "MCP server URL to test").option("--format <format>", "Output format: terminal or json", "terminal").option("--strict", "Exit with code 1 on any required test failure (for CI)").option("-H, --header <header>", 'Add header to all requests (format: "Key: Value", repeatable)', parseHeaderArg, {}).option("--auth <token>", 'Shorthand for -H "Authorization: <token>"').option("--timeout <ms>", "Request timeout in milliseconds", "15000").option("--retries <n>", "Number of retries for failed tests", "0").option("--only <items>", "Only run tests matching these categories or test IDs (comma-separated)", parseList).option("--skip <items>", "Skip tests matching these categories or test IDs (comma-separated)", parseList).option("--verbose", "Print each test result as it runs").action(async (url, opts) => {
-  try {
-    const headers = { ...opts.header };
-    if (opts.auth) headers["Authorization"] = opts.auth;
-    if (opts.format === "terminal") {
-      console.log(chalk2.dim(`
+program.name("mcp-compliance").description("Test MCP servers for spec compliance").version(version2);
+program.command("test").description("Run the full compliance test suite against an MCP server").argument("<url>", "MCP server URL to test").option("--format <format>", "Output format: terminal, json, or sarif", "terminal").option("--strict", "Exit with code 1 on any required test failure (for CI)").option("-H, --header <header>", 'Add header to all requests (format: "Key: Value", repeatable)', parseHeaderArg, {}).option("--auth <token>", 'Shorthand for -H "Authorization: <token>"').option("--timeout <ms>", "Request timeout in milliseconds", "15000").option("--retries <n>", "Number of retries for failed tests", "0").option("--only <items>", "Only run tests matching these categories or test IDs (comma-separated)", parseList).option("--skip <items>", "Skip tests matching these categories or test IDs (comma-separated)", parseList).option("--verbose", "Print each test result as it runs").action(
+  async (url, opts) => {
+    try {
+      const headers = { ...opts.header };
+      if (opts.auth) headers.Authorization = opts.auth;
+      if (opts.format === "terminal") {
+        console.log(chalk2.dim(`
 Testing ${url}...
 `));
-    }
-    const report = await runComplianceSuite(url, {
-      headers,
-      timeout: parseInt(opts.timeout, 10) || 15e3,
-      retries: parseInt(opts.retries, 10) || 0,
-      only: opts.only,
-      skip: opts.skip,
-      onProgress: opts.verbose ? (testId, passed, details) => {
-        const icon = passed ? chalk2.green("PASS") : chalk2.red("FAIL");
-        console.log(`  ${icon} ${testId} \u2014 ${details}`);
-      } : void 0
-    });
-    if (opts.verbose && opts.format === "terminal") {
-      console.log("");
-    }
-    if (opts.format === "json") {
-      console.log(formatJson(report));
-    } else {
-      console.log(formatTerminal(report));
-    }
-    if (opts.strict && report.overall === "fail") {
-      process.exit(1);
-    }
-  } catch (err) {
-    if (opts.format === "json") {
-      console.error(JSON.stringify({ error: err.message }));
-    } else {
-      console.error(chalk2.red(`
+      }
+      const report = await runComplianceSuite(url, {
+        headers,
+        timeout: Number.parseInt(opts.timeout, 10) || 15e3,
+        retries: Number.parseInt(opts.retries, 10) || 0,
+        only: opts.only,
+        skip: opts.skip,
+        onProgress: opts.verbose ? (testId, passed, details) => {
+          const icon = passed ? chalk2.green("PASS") : chalk2.red("FAIL");
+          console.log(`  ${icon} ${testId} \u2014 ${details}`);
+        } : void 0
+      });
+      if (opts.verbose && opts.format === "terminal") {
+        console.log("");
+      }
+      if (opts.format === "json") {
+        console.log(formatJson(report));
+      } else if (opts.format === "sarif") {
+        console.log(formatSarif(report));
+      } else {
+        console.log(formatTerminal(report));
+      }
+      if (opts.strict && report.overall === "fail") {
+        process.exit(1);
+      }
+    } catch (err) {
+      if (opts.format === "json" || opts.format === "sarif") {
+        console.error(JSON.stringify({ error: err.message }));
+      } else {
+        console.error(chalk2.red(`
 Error: ${err.message}
 `));
+      }
+      process.exit(1);
     }
-    process.exit(1);
   }
-});
+);
 program.command("badge").description("Run tests and output just the badge markdown embed code").argument("<url>", "MCP server URL to test").option("-H, --header <header>", 'Add header to all requests (format: "Key: Value", repeatable)', parseHeaderArg, {}).option("--auth <token>", 'Shorthand for -H "Authorization: <token>"').option("--timeout <ms>", "Request timeout in milliseconds", "15000").action(async (url, opts) => {
   try {
     const headers = { ...opts.header };
-    if (opts.auth) headers["Authorization"] = opts.auth;
+    if (opts.auth) headers.Authorization = opts.auth;
     console.log(chalk2.dim(`
 Testing ${url}...
 `));
     const report = await runComplianceSuite(url, {
       headers,
-      timeout: parseInt(opts.timeout, 10) || 15e3
+      timeout: Number.parseInt(opts.timeout, 10) || 15e3
     });
     console.log(`Grade: ${report.grade} (${report.score}%)
 `);
@@ -1296,9 +2107,6 @@ Error: ${err.message}
   }
 });
 program.command("mcp").description("Start the MCP compliance server (stdio transport)").action(async () => {
-  const server = new McpServer({ name: "mcp-compliance", version });
-  registerTools(server);
-  const transport = new StdioServerTransport();
-  await server.connect(transport);
+  await startServer();
 });
 program.parse();