@yawlabs/mcp-compliance 0.4.0 → 0.5.0

package/README.md

@@ -15,7 +15,7 @@ MCP servers are multiplying fast — but most ship without compliance testing. B
 
 This tool solves that:
 
-- **43 tests across 7 categories** — transport, lifecycle, tools, resources, prompts, error handling, and schema validation. No gaps.
+- **48 tests across 7 categories** — transport, lifecycle, tools, resources, prompts, error handling, and schema validation. No gaps.
 - **Capability-driven** — tests adapt to what the server declares. If it says it supports tools, tool tests become required. No false failures for features the server doesn't claim.
 - **Graded scoring** — A-F letter grade with a weighted score (required tests 70%, optional 30%). One number to communicate compliance.
 - **CI-ready** — `--strict` mode exits with code 1 on required test failures. Drop it into any pipeline.
@@ -100,7 +100,7 @@ mcp-compliance badge https://my-server.com/mcp
 
 Outputs the markdown embed for a compliance badge hosted at [mcp.hosting](https://mcp.hosting).
 
-## What the 43 tests check
+## What the 48 tests check
 
 <details>
 <summary><strong>Transport (7 tests)</strong></summary>

package/dist/{chunk-KNOSZ3TD.js → chunk-Z7VLPYIO.js}

@@ -3,16 +3,14 @@ import { createRequire } from "module";
 import { request } from "undici";
 
 // src/badge.ts
+import { createHash } from "crypto";
+function urlHash(url) {
+  return createHash("sha256").update(url).digest("hex").slice(0, 12);
+}
 function generateBadge(url) {
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch {
-    parsed = new URL("https://unknown");
-  }
-  const encoded = encodeURIComponent(parsed.href);
-  const imageUrl = `https://mcp.hosting/api/compliance/${encoded}/badge`;
-  const reportUrl = `https://mcp.hosting/compliance/${encoded}`;
+  const hash = urlHash(url);
+  const imageUrl = `https://mcp.hosting/api/compliance/${hash}/badge`;
+  const reportUrl = `https://mcp.hosting/compliance/${hash}`;
   return {
     imageUrl,
     reportUrl,
@@ -58,7 +56,7 @@ function computeScore(tests) {
 
 // src/types.ts
 var TEST_DEFINITIONS = [
-  // ── Transport (7 tests) ──────────────────────────────────────────
+  // ── Transport (10 tests) ─────────────────────────────────────────
   {
     id: "transport-post",
     name: "HTTP POST accepted",
@@ -122,7 +120,34 @@ var TEST_DEFINITIONS = [
     description: "Sends a JSON-RPC batch request (array of messages) and verifies the server rejects it with an error. MCP does not support JSON-RPC batch requests.",
     recommendation: "Check if the parsed JSON body is an array. If so, return a JSON-RPC error or HTTP 400. Do not process batch requests \u2014 MCP explicitly forbids them."
   },
-  // ── Lifecycle (10 tests) ─────────────────────────────────────────
+  {
+    id: "transport-content-type-init",
+    name: "Initialize response has valid content type",
+    category: "transport",
+    required: false,
+    specRef: "basic/transports#streamable-http",
+    description: "Validates that the initialize response uses application/json or text/event-stream content type. Some servers return other types for the handshake.",
+    recommendation: 'Ensure the initialize response uses Content-Type "application/json" or "text/event-stream". Do not return text/html or other types for JSON-RPC responses.'
+  },
+  {
+    id: "transport-get-stream",
+    name: "GET with session returns SSE or 405",
+    category: "transport",
+    required: false,
+    specRef: "basic/transports#streamable-http",
+    description: "Tests the GET endpoint with an active session ID for server-initiated messages. After initialization, the server should either return an SSE stream or 405.",
+    recommendation: "If your server supports server-initiated messages, return text/event-stream on GET with a valid session ID. Otherwise, return 405 Method Not Allowed."
+  },
+  {
+    id: "transport-concurrent",
+    name: "Handles concurrent requests",
+    category: "transport",
+    required: false,
+    specRef: "basic/transports#streamable-http",
+    description: "Sends multiple JSON-RPC requests in parallel and verifies the server responds to all with correct matching IDs. Tests that the server can handle concurrent connections.",
+    recommendation: "Ensure your server can handle multiple simultaneous requests. Each response must include the correct id matching the request. Use async handlers or connection pooling."
+  },
+  // ── Lifecycle (12 tests) ─────────────────────────────────────────
   {
     id: "lifecycle-init",
     name: "Initialize handshake",
@@ -213,6 +238,24 @@ var TEST_DEFINITIONS = [
     description: "If the server declares completions capability, tests that the completion/complete method is accepted.",
     recommendation: 'If you declare completions in capabilities, implement the "completion/complete" handler. Return a completion object with a values array, even if empty.'
   },
+  {
+    id: "lifecycle-cancellation",
+    name: "Handles cancellation notifications",
+    category: "lifecycle",
+    required: false,
+    specRef: "basic/utilities#cancellation",
+    description: "Tests that the server accepts notifications/cancelled without error. Servers should gracefully handle cancellation of unknown or completed requests.",
+    recommendation: "Accept notifications/cancelled and stop any in-progress work for the referenced requestId. If the request is unknown or already complete, silently ignore the cancellation."
+  },
+  {
+    id: "lifecycle-progress",
+    name: "Accepts progress notifications",
+    category: "lifecycle",
+    required: false,
+    specRef: "basic/utilities#progress",
+    description: "Tests that the server accepts notifications/progress without error. Servers should handle progress notifications for request tracking.",
+    recommendation: "Accept notifications/progress with progressToken, progress, and optional total fields. Ignore notifications for unknown progress tokens."
+  },
   // ── Tools (4 tests) ──────────────────────────────────────────────
   {
     id: "tools-list",
@@ -554,19 +597,39 @@ async function mcpNotification(backendUrl, method, params, extraHeaders, timeout
   return { statusCode: res.statusCode, headers: responseHeaders };
 }
 async function runComplianceSuite(url, options = {}) {
-  let parsed;
   try {
-    parsed = new URL(url);
+    const parsed = new URL(url);
     if (!["http:", "https:"].includes(parsed.protocol)) {
       throw new Error("Only HTTP and HTTPS URLs are supported");
     }
   } catch (e) {
-    if (e.message.includes("Only HTTP")) throw e;
+    if (e instanceof Error && e.message.includes("Only HTTP")) throw e;
     throw new Error(`Invalid URL: ${url}`);
   }
   const backendUrl = url;
+  let serverReachable = true;
+  try {
+    const preflight = await request(backendUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json, text/event-stream",
+        ...options.headers
+      },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 0, method: "ping" }),
+      signal: AbortSignal.timeout(Math.min(options.timeout || 15e3, 1e4))
+    });
+    await preflight.body.text();
+  } catch {
+    serverReachable = false;
+  }
   const tests = [];
   const warnings = [];
+  if (!serverReachable) {
+    warnings.push(
+      `Server at ${url} is unreachable \u2014 all tests will fail. Check the URL and ensure the server is running.`
+    );
+  }
   const nextId = createIdCounter(1e3);
   const timeout = options.timeout || 15e3;
   const retries = options.retries || 0;
@@ -611,7 +674,8 @@ async function runComplianceSuite(url, options = {}) {
         if (lastResult.passed) break;
         if (attempt < retries) await new Promise((r) => setTimeout(r, 1e3 * (attempt + 1)));
       } catch (err) {
-        lastResult = { passed: false, details: `Error: ${err.message}` };
+        const message = err instanceof Error ? err.message : String(err);
+        lastResult = { passed: false, details: `Error: ${message}` };
         if (attempt < retries) await new Promise((r) => setTimeout(r, 1e3 * (attempt + 1)));
       }
     }
@@ -640,10 +704,23 @@ async function runComplianceSuite(url, options = {}) {
         body: JSON.stringify({ jsonrpc: "2.0", id: 99901, method: "ping" }),
         signal: AbortSignal.timeout(timeout)
       });
-      await res.body.text();
-      const passed = res.statusCode >= 200 && res.statusCode < 300;
-      const note = res.statusCode === 401 || res.statusCode === 403 ? " (auth required)" : "";
-      return { passed, details: `HTTP ${res.statusCode}${note}` };
+      const text = await res.body.text();
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        return { passed: true, details: `HTTP ${res.statusCode}` };
+      }
+      if (res.statusCode === 401 || res.statusCode === 403) {
+        return { passed: false, details: `HTTP ${res.statusCode} (auth required \u2014 pass --auth)` };
+      }
+      if (res.statusCode === 400) {
+        try {
+          const body = JSON.parse(text);
+          if (body?.error || body?.jsonrpc) {
+            return { passed: true, details: "HTTP 400 with JSON-RPC response (server requires initialization first)" };
+          }
+        } catch {
+        }
+      }
+      return { passed: false, details: `HTTP ${res.statusCode}` };
     }
   );
   await test(
@@ -673,18 +750,29 @@ async function runComplianceSuite(url, options = {}) {
     false,
     "basic/transports#streamable-http",
     async () => {
+      const getHeaders = { Accept: "text/event-stream", ...buildHeaders() };
       const res = await request(backendUrl, {
         method: "GET",
-        headers: { Accept: "text/event-stream", ...userHeaders },
+        headers: getHeaders,
         signal: AbortSignal.timeout(timeout)
       });
-      await res.body.text();
+      const body = await res.body.text();
       const ct = (res.headers["content-type"] || "").toLowerCase();
       if (res.statusCode === 405) {
         return { passed: true, details: "HTTP 405 Method Not Allowed (acceptable)" };
       }
       if (ct.includes("text/event-stream")) {
-        return { passed: true, details: "Returns text/event-stream for SSE" };
+        if (body.trim().length > 0) {
+          const hasDataFields = body.includes("data:");
+          const hasEventFields = body.includes("event:");
+          if (!hasDataFields && !hasEventFields) {
+            return {
+              passed: false,
+              details: "Content-Type is text/event-stream but body has no SSE data: or event: fields"
+            };
+          }
+        }
+        return { passed: true, details: "Returns text/event-stream with valid SSE format" };
       }
       if (res.statusCode >= 200 && res.statusCode < 300) {
         return { passed: true, details: `HTTP ${res.statusCode} (accepted)` };
@@ -692,31 +780,6 @@ async function runComplianceSuite(url, options = {}) {
       return { passed: false, details: `HTTP ${res.statusCode}, Content-Type: ${ct}` };
     }
   );
-  await test(
-    "transport-delete",
-    "DELETE accepted or returns 405",
-    "transport",
-    false,
-    "basic/transports#streamable-http",
-    async () => {
-      const res = await request(backendUrl, {
-        method: "DELETE",
-        headers: { ...userHeaders },
-        signal: AbortSignal.timeout(timeout)
-      });
-      await res.body.text();
-      if (res.statusCode === 405) {
-        return { passed: true, details: "HTTP 405 Method Not Allowed (acceptable)" };
-      }
-      if (res.statusCode >= 200 && res.statusCode < 300) {
-        return { passed: true, details: `HTTP ${res.statusCode} (session termination supported)` };
-      }
-      if (res.statusCode === 400 || res.statusCode === 404) {
-        return { passed: true, details: `HTTP ${res.statusCode} (no active session, acceptable)` };
-      }
-      return { passed: false, details: `HTTP ${res.statusCode}` };
-    }
-  );
   await test(
     "transport-batch-reject",
     "Rejects JSON-RPC batch requests",
@@ -754,7 +817,7 @@ async function runComplianceSuite(url, options = {}) {
   try {
     initRes = await rpc("initialize", {
       protocolVersion: SPEC_VERSION,
-      capabilities: { roots: { listChanged: true }, sampling: {} },
+      capabilities: {},
       clientInfo: { name: "mcp-compliance", version: TOOL_VERSION }
     });
     const result = initRes?.body?.result;
@@ -767,7 +830,7 @@ async function runComplianceSuite(url, options = {}) {
       if (sid) sessionId = sid;
       if (result.protocolVersion) negotiatedProtocolVersion = result.protocolVersion;
     }
-  } catch (err) {
+  } catch {
   }
   try {
     await mcpNotification(backendUrl, "notifications/initialized", void 0, buildHeaders(), timeout);
@@ -886,7 +949,17 @@ async function runComplianceSuite(url, options = {}) {
       if (res.body?.error) {
         return { passed: false, details: `Error: ${res.body.error.code} \u2014 ${res.body.error.message}` };
       }
-      return { passed: true, details: "logging/setLevel accepted" };
+      const invalidRes = await rpc("logging/setLevel", { level: "__invalid_level__" });
+      const validatesInput = !!invalidRes.body?.error;
+      const validLevels = ["debug", "warning", "error"];
+      const accepted = [];
+      for (const level of validLevels) {
+        const r = await rpc("logging/setLevel", { level });
+        if (!r.body?.error) accepted.push(level);
+      }
+      const details = validatesInput ? `logging/setLevel accepted (validates levels, ${accepted.length + 1} levels accepted)` : "logging/setLevel accepted (warning: server does not reject invalid log levels)";
+      if (!validatesInput) warnings.push("Server accepts invalid log levels without error");
+      return { passed: true, details };
     }
   );
   const hasCompletions = !!serverInfo.capabilities.completions;
@@ -915,6 +988,59 @@ async function runComplianceSuite(url, options = {}) {
       return { passed: true, details: "completion/complete accepted" };
     }
   );
+  await test(
+    "lifecycle-cancellation",
+    "Handles cancellation notifications",
+    "lifecycle",
+    false,
+    "basic/utilities#cancellation",
+    async () => {
+      const res = await mcpNotification(
+        backendUrl,
+        "notifications/cancelled",
+        { requestId: 99999, reason: "compliance test" },
+        buildHeaders(),
+        timeout
+      );
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        return { passed: true, details: `HTTP ${res.statusCode} (cancellation accepted)` };
+      }
+      return { passed: false, details: `HTTP ${res.statusCode} \u2014 server should accept cancellation notifications` };
+    }
+  );
+  await test(
+    "lifecycle-progress",
+    "Accepts progress notifications",
+    "lifecycle",
+    false,
+    "basic/utilities#progress",
+    async () => {
+      const res = await mcpNotification(
+        backendUrl,
+        "notifications/progress",
+        { progressToken: "compliance-test-token", progress: 50, total: 100 },
+        buildHeaders(),
+        timeout
+      );
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        return { passed: true, details: `HTTP ${res.statusCode} (progress notification accepted)` };
+      }
+      return { passed: false, details: `HTTP ${res.statusCode} \u2014 server should accept progress notifications` };
+    }
+  );
+  await test(
+    "transport-content-type-init",
+    "Initialize response has valid content type",
+    "transport",
+    false,
+    "basic/transports#streamable-http",
+    async () => {
+      if (!initRes) return { passed: false, details: "No init response to check" };
+      const ct = (initRes.headers["content-type"] || "").toLowerCase();
+      const valid = ct.includes("application/json") || ct.includes("text/event-stream");
+      return { passed: valid, details: `Content-Type: ${ct || "missing"}` };
+    }
+  );
   await test(
     "transport-notification-202",
     "Notification returns 202 Accepted",
@@ -972,6 +1098,88 @@ async function runComplianceSuite(url, options = {}) {
       return { passed: false, details: `HTTP ${res.statusCode}` };
     }
   );
+  await test(
+    "transport-get-stream",
+    "GET with session returns SSE or 405",
+    "transport",
+    false,
+    "basic/transports#streamable-http",
+    async () => {
+      if (!sessionId) {
+        return { passed: true, details: "No session ID \u2014 server-initiated messages not applicable" };
+      }
+      const res = await request(backendUrl, {
+        method: "GET",
+        headers: { Accept: "text/event-stream", ...buildHeaders() },
+        signal: AbortSignal.timeout(Math.min(timeout, 3e3))
+      });
+      const body = await res.body.text();
+      const ct = (res.headers["content-type"] || "").toLowerCase();
+      if (res.statusCode === 405) {
+        return { passed: true, details: "HTTP 405 (server does not support server-initiated messages)" };
+      }
+      if (ct.includes("text/event-stream")) {
+        if (body.trim().length > 0) {
+          const hasSSEFields = body.includes("data:") || body.includes("event:");
+          if (!hasSSEFields) {
+            return { passed: false, details: "Content-Type is text/event-stream but body has no SSE fields" };
+          }
+        }
+        return { passed: true, details: "GET with session returns SSE stream for server-initiated messages" };
+      }
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        return { passed: true, details: `HTTP ${res.statusCode} (accepted)` };
+      }
+      return { passed: false, details: `HTTP ${res.statusCode}, Content-Type: ${ct}` };
+    }
+  );
+  await test(
+    "transport-concurrent",
+    "Handles concurrent requests",
+    "transport",
+    false,
+    "basic/transports#streamable-http",
+    async () => {
+      const ids = [createIdCounter(99930)(), createIdCounter(99931)(), createIdCounter(99932)()];
+      const promises = ids.map(
+        (id) => request(backendUrl, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json, text/event-stream",
+            ...buildHeaders()
+          },
+          body: JSON.stringify({ jsonrpc: "2.0", id, method: "ping" }),
+          signal: AbortSignal.timeout(timeout)
+        }).then(async (res) => {
+          const text = await res.body.text();
+          const ct = (res.headers["content-type"] || "").toLowerCase();
+          let body;
+          if (ct.includes("text/event-stream")) {
+            body = parseSSEResponse(text);
+          }
+          if (!body) {
+            try {
+              body = JSON.parse(text);
+            } catch {
+            }
+          }
+          return { statusCode: res.statusCode, body, requestId: id };
+        })
+      );
+      const results = await Promise.all(promises);
+      const issues = [];
+      for (const r of results) {
+        if (r.statusCode < 200 || r.statusCode >= 300) {
+          issues.push(`Request id=${r.requestId}: HTTP ${r.statusCode}`);
+        } else if (r.body?.id !== r.requestId) {
+          issues.push(`Request id=${r.requestId}: response id=${r.body?.id} (mismatch)`);
+        }
+      }
+      if (issues.length > 0) return { passed: false, details: issues.join("; ") };
+      return { passed: true, details: `${results.length} concurrent requests handled correctly` };
+    }
+  );
   const hasTools = !!serverInfo.capabilities.tools;
   let cachedToolsList = null;
   await test(
@@ -993,6 +1201,7 @@ async function runComplianceSuite(url, options = {}) {
       };
     }
   );
+  const toolsListOk = cachedToolsList !== null;
   await test(
     "tools-schema",
     "All tools have name and inputSchema",
@@ -1000,7 +1209,8 @@ async function runComplianceSuite(url, options = {}) {
     hasTools,
     "server/tools#data-types",
     async () => {
-      const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
+      if (!toolsListOk) return { passed: false, details: "Skipped: tools/list failed" };
+      const tools = cachedToolsList ?? [];
       const issues = [];
       for (const tool of tools) {
         if (!tool.name) {
@@ -1032,7 +1242,8 @@ async function runComplianceSuite(url, options = {}) {
     false,
     "server/tools#annotations",
     async () => {
-      const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
+      if (!toolsListOk) return { passed: false, details: "Skipped: tools/list failed" };
+      const tools = cachedToolsList ?? [];
       if (tools.length === 0) return { passed: true, details: "No tools to validate" };
       const issues = [];
       let annotatedCount = 0;
@@ -1062,7 +1273,8 @@ async function runComplianceSuite(url, options = {}) {
     }
   );
   await test("tools-title-field", "Tools include title field", "schema", false, "server/tools#data-types", async () => {
-    const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
+    if (!toolsListOk) return { passed: false, details: "Skipped: tools/list failed" };
+    const tools = cachedToolsList ?? [];
     if (tools.length === 0) return { passed: true, details: "No tools to validate" };
     const withTitle = tools.filter((t) => typeof t.title === "string");
     const issues = [];
@@ -1084,7 +1296,8 @@ async function runComplianceSuite(url, options = {}) {
     false,
     "server/tools#structured-content",
     async () => {
-      const tools = cachedToolsList ?? (await rpc("tools/list")).body?.result?.tools ?? [];
+      if (!toolsListOk) return { passed: false, details: "Skipped: tools/list failed" };
+      const tools = cachedToolsList ?? [];
       if (tools.length === 0) return { passed: true, details: "No tools to validate" };
       const issues = [];
       let withSchema = 0;
@@ -1125,14 +1338,14 @@ async function runComplianceSuite(url, options = {}) {
           return { passed: true, details: `Protocol error: code ${code} \u2014 ${error.message}` };
         }
         if (result?.content && Array.isArray(result.content)) {
+          if (result.isError) {
+            return { passed: true, details: "Tool returned execution error with content (valid)" };
+          }
           const badItems = result.content.filter((c) => !c.type);
           if (badItems.length > 0)
             return { passed: false, details: `${badItems.length} content item(s) missing 'type' field` };
           return { passed: true, details: `Returned ${result.content.length} content item(s)` };
         }
-        if (result?.isError && result?.content && Array.isArray(result.content)) {
-          return { passed: true, details: "Tool returned execution error with content (valid)" };
-        }
         return { passed: false, details: "Response missing content array" };
       }
     );
@@ -1234,6 +1447,7 @@ async function runComplianceSuite(url, options = {}) {
         return { passed: true, details: `${resourceCount} resource(s)` };
       }
     );
+    const resourcesListOk = cachedResourcesList !== null;
     await test(
       "resources-schema",
       "Resources have uri and name",
@@ -1241,7 +1455,8 @@ async function runComplianceSuite(url, options = {}) {
       true,
       "server/resources#data-types",
       async () => {
-        const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
+        if (!resourcesListOk) return { passed: false, details: "Skipped: resources/list failed" };
+        const resources = cachedResourcesList ?? [];
         const issues = [];
         for (const r of resources) {
           if (!r.uri) issues.push("Resource missing uri");
@@ -1270,7 +1485,7 @@ async function runComplianceSuite(url, options = {}) {
         false,
         "server/resources#reading-resources",
         async () => {
-          const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
+          const resources = cachedResourcesList ?? [];
           const firstUri = resources[0]?.uri;
           if (!firstUri) return { passed: false, details: "No resource URI to test" };
           const readRes = await rpc("resources/read", { uri: firstUri });
@@ -1303,8 +1518,15 @@ async function runComplianceSuite(url, options = {}) {
         if (!Array.isArray(templates)) return { passed: false, details: "No resourceTemplates array" };
         const issues = [];
         for (const t of templates) {
-          if (!t.uriTemplate) issues.push("Template missing uriTemplate");
+          if (!t.uriTemplate) {
+            issues.push("Template missing uriTemplate");
+          } else if (typeof t.uriTemplate !== "string") {
+            issues.push(`uriTemplate should be a string, got ${typeof t.uriTemplate}`);
+          } else if (!t.uriTemplate.includes("{") || !t.uriTemplate.includes("}")) {
+            warnings.push(`Template "${t.name || t.uriTemplate}" has no URI template parameters (e.g., {id})`);
+          }
           if (!t.name) issues.push(`${t.uriTemplate || "?"}: missing name`);
+          if (!t.description) warnings.push(`Template "${t.name || t.uriTemplate || "?"}" missing description`);
         }
         if (issues.length > 0) return { passed: false, details: issues.join("; ") };
         return { passed: true, details: `${templates.length} resource template(s)` };
@@ -1346,7 +1568,7 @@ async function runComplianceSuite(url, options = {}) {
         true,
         "server/resources#subscriptions",
         async () => {
-          const resources = cachedResourcesList ?? (await rpc("resources/list")).body?.result?.resources ?? [];
+          const resources = cachedResourcesList ?? [];
           const firstUri = resources[0]?.uri;
           if (!firstUri) return { passed: false, details: "No resource URI for subscribe test" };
           const subRes = await rpc("resources/subscribe", { uri: firstUri });
@@ -1390,8 +1612,10 @@ async function runComplianceSuite(url, options = {}) {
         };
       }
     );
+    const promptsListOk = cachedPromptsList !== null;
     await test("prompts-schema", "Prompts have name field", "schema", true, "server/prompts#data-types", async () => {
-      const prompts = cachedPromptsList ?? (await rpc("prompts/list")).body?.result?.prompts ?? [];
+      if (!promptsListOk) return { passed: false, details: "Skipped: prompts/list failed" };
+      const prompts = cachedPromptsList ?? [];
       const issues = [];
       for (const p of prompts) {
         if (!p.name) issues.push("Prompt missing name");
@@ -1587,6 +1811,60 @@ async function runComplianceSuite(url, options = {}) {
     }
     return { passed: false, details: `HTTP ${res.statusCode} \u2014 expected error code -32600` };
   });
+  await test(
+    "transport-delete",
+    "DELETE accepted or returns 405",
+    "transport",
+    false,
+    "basic/transports#streamable-http",
+    async () => {
+      const deleteHeaders = { ...buildHeaders() };
+      const res = await request(backendUrl, {
+        method: "DELETE",
+        headers: deleteHeaders,
+        signal: AbortSignal.timeout(timeout)
+      });
+      await res.body.text();
+      if (res.statusCode === 405) {
+        return { passed: true, details: "HTTP 405 Method Not Allowed (acceptable)" };
+      }
+      if (res.statusCode >= 200 && res.statusCode < 300) {
+        if (sessionId) {
+          try {
+            const verifyRes = await mcpRequest(
+              backendUrl,
+              "ping",
+              void 0,
+              createIdCounter(99920),
+              deleteHeaders,
+              timeout
+            );
+            if (verifyRes.statusCode === 400 || verifyRes.statusCode === 404 || verifyRes.statusCode === 409) {
+              return {
+                passed: true,
+                details: `HTTP ${res.statusCode} (session terminated, post-delete request correctly rejected with ${verifyRes.statusCode})`
+              };
+            }
+          } catch {
+            return {
+              passed: true,
+              details: `HTTP ${res.statusCode} (session terminated, post-delete request rejected)`
+            };
+          }
+        }
+        return { passed: true, details: `HTTP ${res.statusCode} (session termination supported)` };
+      }
+      if (res.statusCode === 400 || res.statusCode === 404) {
+        return { passed: true, details: `HTTP ${res.statusCode} (no active session, acceptable)` };
+      }
+      return { passed: false, details: `HTTP ${res.statusCode}` };
+    }
+  );
+  const MAX_WARNINGS = 50;
+  if (warnings.length > MAX_WARNINGS) {
+    const truncated = warnings.length - MAX_WARNINGS;
+    warnings.splice(MAX_WARNINGS, truncated, `... and ${truncated} more warning(s) suppressed`);
+  }
   const { score, grade, overall, summary, categories } = computeScore(tests);
   const badge = generateBadge(url);
   return {
@@ -1617,5 +1895,8 @@ export {
   computeGrade,
   computeScore,
   TEST_DEFINITIONS,
+  SPEC_VERSION,
+  SPEC_BASE,
+  parseSSEResponse,
   runComplianceSuite
 };