mcp-scorecard 0.1.0

package/dist/audit/checks/resources.js

@@ -0,0 +1,39 @@
+/**
+ * Check 7 — Resources advertised.
+ *
+ * Score from count of MCP resources returned by listResources():
+ *   0   resources → 0
+ *   1-2 resources → 5
+ *   3+  resources → 10
+ */
+export function checkResources(snapshot) {
+    const count = snapshot.resources.length;
+    let score;
+    let status;
+    if (count >= 3) {
+        score = 10;
+        status = 'pass';
+    }
+    else if (count >= 1) {
+        score = 5;
+        status = 'warn';
+    }
+    else {
+        score = 0;
+        status = 'fail';
+    }
+    const fixes = [];
+    if (count < 3) {
+        fixes.push('Register MCP resources (e.g. `whoop://summary/daily`, `whoop://agent-manifest`) so agents can subscribe to context instead of polling tools.');
+    }
+    return {
+        id: 'resources',
+        label: 'Resources advertised',
+        score,
+        status,
+        summary: `${count} resource${count === 1 ? '' : 's'} registered`,
+        details: [],
+        fixes
+    };
+}
+//# sourceMappingURL=resources.js.map

package/dist/audit/checks/resources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../../src/audit/checks/resources.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,MAAM,UAAU,cAAc,CAAC,QAAuB;IACpD,MAAM,KAAK,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC;IACxC,IAAI,KAAa,CAAC;IAClB,IAAI,MAA6B,CAAC;IAClC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QACf,KAAK,GAAG,EAAE,CAAC;QACX,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QACtB,KAAK,GAAG,CAAC,CAAC;QACV,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,KAAK,GAAG,CAAC,CAAC;QACV,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,KAAK,CAAC,IAAI,CACR,8IAA8I,CAC/I,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,WAAW;QACf,KAAK,EAAE,sBAAsB;QAC7B,KAAK;QACL,MAAM;QACN,OAAO,EAAE,GAAG,KAAK,YAAY,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,aAAa;QAChE,OAAO,EAAE,EAAE;QACX,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/audit/checks/schema-validity.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Check 1 — Schema validity.
+ *
+ * Score = 10 * (tools_with_valid_input_schema / total_tools).
+ * Uses ajv to compile each tool's inputSchema. "Valid" means ajv compiles
+ * without throwing AND the schema is an object (not primitive).
+ */
+import type { CheckResult, ProbeSnapshot } from '../../types.js';
+export declare function checkSchemaValidity(snapshot: ProbeSnapshot): CheckResult;

package/dist/audit/checks/schema-validity.js

@@ -0,0 +1,59 @@
+/**
+ * Check 1 — Schema validity.
+ *
+ * Score = 10 * (tools_with_valid_input_schema / total_tools).
+ * Uses ajv to compile each tool's inputSchema. "Valid" means ajv compiles
+ * without throwing AND the schema is an object (not primitive).
+ */
+// ajv's default export gymnastic for ESM + TS: cast through the namespace.
+import AjvModule from 'ajv';
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const Ajv = AjvModule.default ?? AjvModule;
+export function checkSchemaValidity(snapshot) {
+    const tools = snapshot.tools;
+    // strict:false + logger:false keeps ajv from writing "unknown format"
+    // warnings to stderr when MCP schemas use date-time, uri, etc. without
+    // registering ajv-formats.
+    const ajv = new Ajv({ strict: false, allErrors: true, logger: false });
+    if (tools.length === 0) {
+        return {
+            id: 'schema_validity',
+            label: 'Schema validity',
+            score: 0,
+            status: 'fail',
+            summary: 'no tools to validate',
+            details: ['Target exposed zero tools.'],
+            fixes: ['Register at least one tool with a valid JSON Schema.']
+        };
+    }
+    const broken = [];
+    let valid = 0;
+    for (const tool of tools) {
+        if (!tool.inputSchema || typeof tool.inputSchema !== 'object') {
+            broken.push(`${tool.name}: missing or non-object inputSchema`);
+            continue;
+        }
+        try {
+            ajv.compile(tool.inputSchema);
+            valid += 1;
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            broken.push(`${tool.name}: ${msg.slice(0, 120)}`);
+        }
+    }
+    const score = Math.round((valid / tools.length) * 10);
+    const status = score >= 9 ? 'pass' : score >= 6 ? 'warn' : 'fail';
+    return {
+        id: 'schema_validity',
+        label: 'Schema validity',
+        score,
+        status,
+        summary: `${valid}/${tools.length} tools have valid input schema`,
+        details: broken.slice(0, 10).map((b) => `Invalid schema: ${b}`),
+        fixes: broken.length
+            ? ['Ensure every tool registers a JSON Schema object as inputSchema (zod-to-json-schema works well).']
+            : []
+    };
+}
+//# sourceMappingURL=schema-validity.js.map

package/dist/audit/checks/schema-validity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-validity.js","sourceRoot":"","sources":["../../../src/audit/checks/schema-validity.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,2EAA2E;AAC3E,OAAO,SAAS,MAAM,KAAK,CAAC;AAC5B,8DAA8D;AAC9D,MAAM,GAAG,GAAI,SAAiB,CAAC,OAAO,IAAI,SAAS,CAAC;AAGpD,MAAM,UAAU,mBAAmB,CAAC,QAAuB;IACzD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;IAC7B,sEAAsE;IACtE,uEAAuE;IACvE,2BAA2B;IAC3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,iBAAiB;YACxB,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,sBAAsB;YAC/B,OAAO,EAAE,CAAC,4BAA4B,CAAC;YACvC,KAAK,EAAE,CAAC,sDAAsD,CAAC;SAChE,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YAC9D,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,qCAAqC,CAAC,CAAC;YAC/D,SAAS;QACX,CAAC;QACD,IAAI,CAAC;YACH,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC9B,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IACtD,MAAM,MAAM,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAElE,OAAO;QACL,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,iBAAiB;QACxB,KAAK;QACL,MAAM;QACN,OAAO,EAAE,GAAG,KAAK,IAAI,KAAK,CAAC,MAAM,gCAAgC;QACjE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC/D,KAAK,EAAE,MAAM,CAAC,MAAM;YAClB,CAAC,CAAC,CAAC,kGAAkG,CAAC;YACtG,CAAC,CAAC,EAAE;KACP,CAAC;AACJ,CAAC"}

package/dist/audit/checks/smoke-test.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Check 6 — Smoke test present.
+ *
+ * File-system check on the resolved package dir:
+ *   - looks for scripts/smoke*.mjs, scripts/smoke*.js, scripts/smoke*.ts
+ *   - looks for a "test" script in package.json that isn't the literal default
+ *
+ * Score:
+ *   10 — has scripts/smoke*.{mjs,js,ts}
+ *    7 — has a `test` script in package.json
+ *    0 — neither
+ */
+import type { CheckResult, ProbeSnapshot, ResolvedTarget } from '../../types.js';
+export declare function checkSmokeTest(_snapshot: ProbeSnapshot, target: ResolvedTarget): CheckResult;

package/dist/audit/checks/smoke-test.js

@@ -0,0 +1,59 @@
+/**
+ * Check 6 — Smoke test present.
+ *
+ * File-system check on the resolved package dir:
+ *   - looks for scripts/smoke*.mjs, scripts/smoke*.js, scripts/smoke*.ts
+ *   - looks for a "test" script in package.json that isn't the literal default
+ *
+ * Score:
+ *   10 — has scripts/smoke*.{mjs,js,ts}
+ *    7 — has a `test` script in package.json
+ *    0 — neither
+ */
+import { existsSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+const SMOKE_NAME_RE = /^smoke[\w-]*\.(mjs|js|ts)$/i;
+const DEFAULT_TEST = 'echo "Error: no test specified" && exit 1';
+export function checkSmokeTest(_snapshot, target) {
+    const scriptsDir = join(target.packageDir, 'scripts');
+    let smokeFiles = [];
+    if (existsSync(scriptsDir)) {
+        try {
+            smokeFiles = readdirSync(scriptsDir).filter((f) => SMOKE_NAME_RE.test(f));
+        }
+        catch {
+            smokeFiles = [];
+        }
+    }
+    const pkg = target.packageJson;
+    const scripts = (pkg?.scripts ?? {});
+    const hasRealTest = typeof scripts.test === 'string' && scripts.test.trim().length > 0 && scripts.test !== DEFAULT_TEST;
+    let score;
+    let summary;
+    let status;
+    const details = [];
+    if (smokeFiles.length > 0) {
+        score = 10;
+        status = 'pass';
+        summary = `scripts/${smokeFiles[0]} found`;
+        if (smokeFiles.length > 1)
+            details.push(`Also: ${smokeFiles.slice(1).join(', ')}`);
+    }
+    else if (hasRealTest) {
+        score = 7;
+        status = 'warn';
+        summary = 'has `test` script in package.json';
+        details.push('Add a dedicated smoke runner under `scripts/` for clearer CI signal.');
+    }
+    else {
+        score = 0;
+        status = 'fail';
+        summary = 'no smoke script and no test script';
+    }
+    const fixes = [];
+    if (score < 10) {
+        fixes.push('Add `scripts/smoke-tools.mjs` that boots the server via StdioClientTransport and asserts the tool list.');
+    }
+    return { id: 'smoke_test', label: 'Smoke test', score, status, summary, details, fixes };
+}
+//# sourceMappingURL=smoke-test.js.map

package/dist/audit/checks/smoke-test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"smoke-test.js","sourceRoot":"","sources":["../../../src/audit/checks/smoke-test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,MAAM,aAAa,GAAG,6BAA6B,CAAC;AACpD,MAAM,YAAY,GAAG,2CAA2C,CAAC;AAEjE,MAAM,UAAU,cAAc,CAAC,SAAwB,EAAE,MAAsB;IAC7E,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IACtD,IAAI,UAAU,GAAa,EAAE,CAAC;IAC9B,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,UAAU,GAAG,EAAE,CAAC;QAClB,CAAC;IACH,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC;IAC/B,MAAM,OAAO,GAAG,CAAC,GAAG,EAAE,OAAO,IAAI,EAAE,CAA2B,CAAC;IAC/D,MAAM,WAAW,GACf,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,CAAC;IAEtG,IAAI,KAAa,CAAC;IAClB,IAAI,OAAe,CAAC;IACpB,IAAI,MAA6B,CAAC;IAClC,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,KAAK,GAAG,EAAE,CAAC;QACX,MAAM,GAAG,MAAM,CAAC;QAChB,OAAO,GAAG,WAAW,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,SAAS,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACrF,CAAC;SAAM,IAAI,WAAW,EAAE,CAAC;QACvB,KAAK,GAAG,CAAC,CAAC;QACV,MAAM,GAAG,MAAM,CAAC;QAChB,OAAO,GAAG,mCAAmC,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,sEAAsE,CAAC,CAAC;IACvF,CAAC;SAAM,CAAC;QACN,KAAK,GAAG,CAAC,CAAC;QACV,MAAM,GAAG,MAAM,CAAC;QAChB,OAAO,GAAG,oCAAoC,CAAC;IACjD,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;QACf,KAAK,CAAC,IAAI,CACR,yGAAyG,CAC1G,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC3F,CAAC"}

package/dist/audit/checks/tool-descriptions.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Check 8 — Tool descriptions.
+ *
+ * Average `description` length:
+ *   < 30  → 0
+ *   30-60 → 5
+ *   60+   → 10
+ *
+ * Missing descriptions count as 0 chars in the average, then we also flag
+ * the names with no description at all.
+ */
+import type { CheckResult, ProbeSnapshot } from '../../types.js';
+export declare function checkToolDescriptions(snapshot: ProbeSnapshot): CheckResult;

package/dist/audit/checks/tool-descriptions.js

@@ -0,0 +1,59 @@
+/**
+ * Check 8 — Tool descriptions.
+ *
+ * Average `description` length:
+ *   < 30  → 0
+ *   30-60 → 5
+ *   60+   → 10
+ *
+ * Missing descriptions count as 0 chars in the average, then we also flag
+ * the names with no description at all.
+ */
+export function checkToolDescriptions(snapshot) {
+    const tools = snapshot.tools;
+    if (tools.length === 0) {
+        return {
+            id: 'tool_descriptions',
+            label: 'Tool descriptions',
+            score: 0,
+            status: 'fail',
+            summary: 'no tools',
+            details: [],
+            fixes: []
+        };
+    }
+    const lengths = tools.map((t) => (t.description ?? '').length);
+    const missing = tools.filter((t) => !t.description || t.description.length === 0).map((t) => t.name);
+    const avg = lengths.reduce((s, n) => s + n, 0) / tools.length;
+    let score;
+    let status;
+    if (avg >= 60) {
+        score = 10;
+        status = 'pass';
+    }
+    else if (avg >= 30) {
+        score = 5;
+        status = 'warn';
+    }
+    else {
+        score = 0;
+        status = 'fail';
+    }
+    const details = [];
+    if (missing.length)
+        details.push(`Missing descriptions: ${missing.slice(0, 10).join(', ')}`);
+    const fixes = [];
+    if (score < 10) {
+        fixes.push('Write a one-paragraph description per tool that names the inputs, the output shape, and any side effects.');
+    }
+    return {
+        id: 'tool_descriptions',
+        label: 'Tool descriptions',
+        score,
+        status,
+        summary: `avg ${avg.toFixed(0)} chars across ${tools.length} tool${tools.length === 1 ? '' : 's'}`,
+        details,
+        fixes
+    };
+}
+//# sourceMappingURL=tool-descriptions.js.map

package/dist/audit/checks/tool-descriptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-descriptions.js","sourceRoot":"","sources":["../../../src/audit/checks/tool-descriptions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,MAAM,UAAU,qBAAqB,CAAC,QAAuB;IAC3D,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,EAAE,EAAE,mBAAmB;YACvB,KAAK,EAAE,mBAAmB;YAC1B,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,UAAU;YACnB,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,EAAE;SACV,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACrG,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC;IAE9D,IAAI,KAAa,CAAC;IAClB,IAAI,MAA6B,CAAC;IAClC,IAAI,GAAG,IAAI,EAAE,EAAE,CAAC;QACd,KAAK,GAAG,EAAE,CAAC;QACX,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,IAAI,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,KAAK,GAAG,CAAC,CAAC;QACV,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,KAAK,GAAG,CAAC,CAAC;QACV,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,OAAO,CAAC,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,yBAAyB,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE7F,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;QACf,KAAK,CAAC,IAAI,CACR,2GAA2G,CAC5G,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,mBAAmB;QAC1B,KAAK;QACL,MAAM;QACN,OAAO,EAAE,OAAO,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB,KAAK,CAAC,MAAM,QAAQ,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE;QAClG,OAAO;QACP,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/audit/checks/tool-naming.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Check 2 — Tool naming convention.
+ *
+ * Looks for:
+ *   - all tools share a common prefix (e.g. "whoop_", "nourish_")
+ *   - all tools are snake_case (lowercase a-z, digits, underscores)
+ *   - no whitespace, hyphens, dots, uppercase
+ *
+ * Score:
+ *   10 — single prefix + all snake_case
+ *    7 — all snake_case but no common prefix
+ *    4 — some non-snake_case
+ *    0 — chaotic
+ */
+import type { CheckResult, ProbeSnapshot } from '../../types.js';
+export declare function checkToolNaming(snapshot: ProbeSnapshot): CheckResult;

package/dist/audit/checks/tool-naming.js

@@ -0,0 +1,81 @@
+/**
+ * Check 2 — Tool naming convention.
+ *
+ * Looks for:
+ *   - all tools share a common prefix (e.g. "whoop_", "nourish_")
+ *   - all tools are snake_case (lowercase a-z, digits, underscores)
+ *   - no whitespace, hyphens, dots, uppercase
+ *
+ * Score:
+ *   10 — single prefix + all snake_case
+ *    7 — all snake_case but no common prefix
+ *    4 — some non-snake_case
+ *    0 — chaotic
+ */
+const SNAKE_RE = /^[a-z][a-z0-9_]*$/;
+function longestCommonPrefix(names) {
+    if (names.length === 0)
+        return '';
+    let prefix = names[0];
+    for (const n of names.slice(1)) {
+        let i = 0;
+        while (i < prefix.length && i < n.length && prefix[i] === n[i])
+            i++;
+        prefix = prefix.slice(0, i);
+        if (!prefix)
+            break;
+    }
+    // We want a meaningful prefix ending at "_" — e.g. "whoop_" not "wh".
+    const cut = prefix.lastIndexOf('_');
+    return cut > 0 ? prefix.slice(0, cut + 1) : '';
+}
+export function checkToolNaming(snapshot) {
+    const names = snapshot.tools.map((t) => t.name);
+    if (names.length === 0) {
+        return {
+            id: 'tool_naming',
+            label: 'Tool naming convention',
+            score: 0,
+            status: 'fail',
+            summary: 'no tools to inspect',
+            details: [],
+            fixes: []
+        };
+    }
+    const offenders = names.filter((n) => !SNAKE_RE.test(n));
+    const prefix = longestCommonPrefix(names);
+    let score;
+    let summary;
+    if (offenders.length === 0 && prefix && names.every((n) => n.startsWith(prefix))) {
+        score = 10;
+        summary = `consistent \`${prefix}\` prefix, snake_case`;
+    }
+    else if (offenders.length === 0) {
+        score = 7;
+        summary = 'all snake_case but no shared prefix';
+    }
+    else if (offenders.length < names.length / 3) {
+        score = 4;
+        summary = `${offenders.length}/${names.length} tools violate snake_case`;
+    }
+    else {
+        score = 0;
+        summary = `${offenders.length}/${names.length} tools violate snake_case`;
+    }
+    const status = score >= 9 ? 'pass' : score >= 5 ? 'warn' : 'fail';
+    const details = [];
+    if (offenders.length) {
+        details.push(`Non-snake_case names: ${offenders.slice(0, 10).join(', ')}`);
+    }
+    if (!prefix && offenders.length === 0) {
+        details.push('No common prefix — agents discovering many MCPs find prefixed tools easier to disambiguate.');
+    }
+    const fixes = [];
+    if (offenders.length)
+        fixes.push('Rename tools to lowercase snake_case (a-z, 0-9, _).');
+    if (!prefix && offenders.length === 0) {
+        fixes.push('Adopt a single prefix per server (e.g. `myserver_*`) so agents can scope discovery.');
+    }
+    return { id: 'tool_naming', label: 'Tool naming convention', score, status, summary, details, fixes };
+}
+//# sourceMappingURL=tool-naming.js.map

package/dist/audit/checks/tool-naming.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-naming.js","sourceRoot":"","sources":["../../../src/audit/checks/tool-naming.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,MAAM,QAAQ,GAAG,mBAAmB,CAAC;AAErC,SAAS,mBAAmB,CAAC,KAAe;IAC1C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,IAAI,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACtB,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,CAAC,EAAE,CAAC;QACpE,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5B,IAAI,CAAC,MAAM;YAAE,MAAM;IACrB,CAAC;IACD,sEAAsE;IACtE,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,QAAuB;IACrD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAChD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,EAAE,EAAE,aAAa;YACjB,KAAK,EAAE,wBAAwB;YAC/B,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,qBAAqB;YAC9B,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,EAAE;SACV,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAE1C,IAAI,KAAa,CAAC;IAClB,IAAI,OAAe,CAAC;IACpB,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;QACjF,KAAK,GAAG,EAAE,CAAC;QACX,OAAO,GAAG,gBAAgB,MAAM,uBAAuB,CAAC;IAC1D,CAAC;SAAM,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,KAAK,GAAG,CAAC,CAAC;QACV,OAAO,GAAG,qCAAqC,CAAC;IAClD,CAAC;SAAM,IAAI,SAAS,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,KAAK,GAAG,CAAC,CAAC;QACV,OAAO,GAAG,GAAG,SAAS,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,2BAA2B,CAAC;IAC3E,CAAC;SAAM,CAAC;QACN,KAAK,GAAG,CAAC,CAAC;QACV,OAAO,GAAG,GAAG,SAAS,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,2BAA2B,CAAC;IAC3E,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAElE,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,yBAAyB,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,CAAC,MAAM,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,IAAI,CAAC,6FAA6F,CAAC,CAAC;IAC9G,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,SAAS,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IACxF,IAAI,CAAC,MAAM,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,qFAAqF,CAAC,CAAC;IACpG,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,wBAAwB,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACxG,CAAC"}

package/dist/audit/probe.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Probe: connects to one MCP target over stdio, captures tools/resources/
+ * prompts, optionally calls *_agent_manifest, then closes the transport.
+ *
+ * The captured snapshot is the only thing checks see — we never re-probe
+ * during scoring. This keeps the audit deterministic and avoids hammering
+ * the target.
+ *
+ * Privacy: we never log full responses to stdout/stderr; only counts and
+ * field names. If a probe lands on a logged-in server, no user data leaks.
+ */
+import type { ProbeSnapshot, ResolvedTarget } from '../types.js';
+/**
+ * Spawn the target MCP server and capture a snapshot.
+ *
+ * The transport inherits a sanitized env: the original env is passed
+ * through (so the target finds node, paths, etc.) plus MCP_PROBE=1 so
+ * authors can detect they are being audited and short-circuit auth.
+ */
+export declare function probeTarget(target: ResolvedTarget): Promise<ProbeSnapshot>;

package/dist/audit/probe.js

@@ -0,0 +1,145 @@
+/**
+ * Probe: connects to one MCP target over stdio, captures tools/resources/
+ * prompts, optionally calls *_agent_manifest, then closes the transport.
+ *
+ * The captured snapshot is the only thing checks see — we never re-probe
+ * during scoring. This keeps the audit deterministic and avoids hammering
+ * the target.
+ *
+ * Privacy: we never log full responses to stdout/stderr; only counts and
+ * field names. If a probe lands on a logged-in server, no user data leaks.
+ */
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+import { PROBE_CLIENT_NAME, PROBE_ENV_FLAG, SERVER_VERSION } from '../constants.js';
+const PROBE_TIMEOUT_MS = 30_000;
+function withTimeout(promise, ms, label) {
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+            reject(new Error(`Probe step "${label}" timed out after ${ms}ms`));
+        }, ms);
+        promise.then((value) => {
+            clearTimeout(timer);
+            resolve(value);
+        }, (err) => {
+            clearTimeout(timer);
+            reject(err);
+        });
+    });
+}
+/** Find an *_agent_manifest tool from the captured list, if any. */
+function findManifestTool(tools) {
+    return tools.find((t) => /(^|_)agent_manifest$/.test(t.name))?.name;
+}
+/**
+ * Sanitize a probe response into counts + key names only. NEVER returns
+ * nested values — strings/numbers/booleans/arrays are reduced to lengths
+ * or omitted entirely.
+ */
+function sanitizeManifestResponse(raw) {
+    if (!raw || typeof raw !== 'object')
+        return undefined;
+    const obj = raw;
+    const rec = obj.recommended_first_calls;
+    const std = obj.standard_tools;
+    return {
+        has_recommended_first_calls: Array.isArray(rec),
+        recommended_first_calls_count: Array.isArray(rec) ? rec.length : 0,
+        has_standard_tools: Array.isArray(std),
+        standard_tools_count: Array.isArray(std) ? std.length : 0,
+        raw_keys: Object.keys(obj).slice(0, 50)
+    };
+}
+/**
+ * Spawn the target MCP server and capture a snapshot.
+ *
+ * The transport inherits a sanitized env: the original env is passed
+ * through (so the target finds node, paths, etc.) plus MCP_PROBE=1 so
+ * authors can detect they are being audited and short-circuit auth.
+ */
+export async function probeTarget(target) {
+    const env = {};
+    for (const [k, v] of Object.entries(process.env)) {
+        if (typeof v === 'string')
+            env[k] = v;
+    }
+    env[PROBE_ENV_FLAG] = '1';
+    const transport = new StdioClientTransport({
+        command: target.command,
+        args: target.args,
+        env,
+        cwd: target.packageDir
+    });
+    const client = new Client({ name: PROBE_CLIENT_NAME, version: SERVER_VERSION });
+    await withTimeout(client.connect(transport), PROBE_TIMEOUT_MS, 'connect');
+    let toolsRes = { tools: [] };
+    let resourcesRes = { resources: [] };
+    let promptsRes = { prompts: [] };
+    let agentManifest;
+    let serverInfo = {};
+    try {
+        // serverInfo from the negotiated server (available after connect)
+        const sv = client.getServerVersion?.();
+        if (sv) {
+            serverInfo = { name: sv.name, version: sv.version };
+        }
+        toolsRes = (await withTimeout(client.listTools(), PROBE_TIMEOUT_MS, 'listTools'));
+        // Resources and prompts are optional — some servers don't implement them.
+        try {
+            resourcesRes = (await withTimeout(client.listResources(), PROBE_TIMEOUT_MS, 'listResources'));
+        }
+        catch {
+            resourcesRes = { resources: [] };
+        }
+        try {
+            promptsRes = (await withTimeout(client.listPrompts(), PROBE_TIMEOUT_MS, 'listPrompts'));
+        }
+        catch {
+            promptsRes = { prompts: [] };
+        }
+        // Call agent_manifest if present, sanitize, never log raw payload.
+        const manifestToolName = findManifestTool(toolsRes.tools);
+        if (manifestToolName) {
+            try {
+                const callRes = (await withTimeout(client.callTool({ name: manifestToolName, arguments: {} }), PROBE_TIMEOUT_MS, `call ${manifestToolName}`));
+                // Most servers return a single JSON-encoded text content; try to parse.
+                const text = callRes.content?.find((c) => c.type === 'text')?.text;
+                if (text) {
+                    try {
+                        agentManifest = sanitizeManifestResponse(JSON.parse(text));
+                    }
+                    catch {
+                        // not JSON — still record that it returned something
+                        agentManifest = {
+                            has_recommended_first_calls: false,
+                            recommended_first_calls_count: 0,
+                            has_standard_tools: false,
+                            standard_tools_count: 0,
+                            raw_keys: []
+                        };
+                    }
+                }
+            }
+            catch {
+                // call failed — leave agentManifest undefined; agent_manifest check
+                // will treat that as missing.
+            }
+        }
+    }
+    finally {
+        try {
+            await transport.close();
+        }
+        catch {
+            // already closed
+        }
+    }
+    return {
+        serverInfo,
+        tools: toolsRes.tools ?? [],
+        resources: resourcesRes.resources ?? [],
+        prompts: promptsRes.prompts ?? [],
+        agentManifest
+    };
+}
+//# sourceMappingURL=probe.js.map

package/dist/audit/probe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"probe.js","sourceRoot":"","sources":["../../src/audit/probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGpF,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAEhC,SAAS,WAAW,CAAI,OAAmB,EAAE,EAAU,EAAE,KAAa;IACpE,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACxC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,IAAI,KAAK,CAAC,eAAe,KAAK,qBAAqB,EAAE,IAAI,CAAC,CAAC,CAAC;QACrE,CAAC,EAAE,EAAE,CAAC,CAAC;QACP,OAAO,CAAC,IAAI,CACV,CAAC,KAAK,EAAE,EAAE;YACR,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,CAAC;QACjB,CAAC,EACD,CAAC,GAAG,EAAE,EAAE;YACN,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,oEAAoE;AACpE,SAAS,gBAAgB,CAAC,KAAqB;IAC7C,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC;AACtE,CAAC;AAED;;;;GAIG;AACH,SAAS,wBAAwB,CAAC,GAAY;IAC5C,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IACtD,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,MAAM,GAAG,GAAG,GAAG,CAAC,uBAAuB,CAAC;IACxC,MAAM,GAAG,GAAG,GAAG,CAAC,cAAc,CAAC;IAC/B,OAAO;QACL,2BAA2B,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAC/C,6BAA6B,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAClE,kBAAkB,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QACtC,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACzD,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAAsB;IACtD,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,GAAG,CAAC,cAAc,CAAC,GAAG,GAAG,CAAC;IAE1B,MAAM,SAAS,GAAG,IAAI,oBAAoB,CAAC;QACzC,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,GAAG;QACH,GAAG,EAAE,MAAM,CAAC,UAAU;KACvB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;IAEhF,MAAM,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAE1E,IAAI,QAAQ,GAA8B,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACxD,IAAI,YAAY,GAA8C,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IAChF,IAAI,UAAU,GAA0C,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACxE,IAAI,aAA6C,CAAC;IAClD,IAAI,UAAU,GAAgC,EAAE,CAAC;IAEjD,IAAI,CAAC;QACH,kEAAkE;QAClE,MAAM,EAAE,GAAG,MAAM,CAAC,gBAAgB,EAAE,EAAE,CAAC;QACvC,IAAI,EAAE,EAAE,CAAC;YACP,UAAU,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC;QACtD,CAAC;QAED,QAAQ,GAAG,CAAC,MAAM,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAE/E,CAAC;QAEF,0EAA0E;QAC1E,IAAI,CAAC;YACH,YAAY,GAAG,CAAC,MAAM,WAAW,CAC/B,MAAM,CAAC,aAAa,EAAE,EACtB,gBAAgB,EAChB,eAAe,CAChB,CAA8C,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,YAAY,GAAG,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,UAAU,GAAG,CAAC,MAAM,WAAW,CAC7B,MAAM,CAAC,WAAW,EAAE,EACpB,gBAAgB,EAChB,aAAa,CACd,CAA0C,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,UAAU,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC/B,CAAC;QAED,mEAAmE;QACnE,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,gBAAgB,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,CAAC,MAAM,WAAW,CAChC,MAAM,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,EAC1D,gBAAgB,EAChB,QAAQ,gBAAgB,EAAE,CAC3B,CAAyD,CAAC;gBAC3D,wEAAwE;gBACxE,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC;gBACnE,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,CAAC;wBACH,aAAa,GAAG,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;oBAC7D,CAAC;oBAAC,MAAM,CAAC;wBACP,qDAAqD;wBACrD,aAAa,GAAG;4BACd,2BAA2B,EAAE,KAAK;4BAClC,6BAA6B,EAAE,CAAC;4BAChC,kBAAkB,EAAE,KAAK;4BACzB,oBAAoB,EAAE,CAAC;4BACvB,QAAQ,EAAE,EAAE;yBACb,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,oEAAoE;gBACpE,8BAA8B;YAChC,CAAC;QACH,CAAC;IACH,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;IACH,CAAC;IAED,OAAO;QACL,UAAU;QACV,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,EAAE;QAC3B,SAAS,EAAE,YAAY,CAAC,SAAS,IAAI,EAAE;QACvC,OAAO,EAAE,UAAU,CAAC,OAAO,IAAI,EAAE;QACjC,aAAa;KACd,CAAC;AACJ,CAAC"}

package/dist/audit/runner.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Runner — orchestrates probe + 10 checks → AuditReport.
+ *
+ * Order matters only for the displayed list; checks are independent and
+ * read from the same probe snapshot. If a check throws, we record a 0
+ * with a synthetic detail entry rather than crashing the audit.
+ */
+import type { AuditReport, ResolvedTarget } from '../types.js';
+export declare function runAudit(target: ResolvedTarget): Promise<AuditReport>;

package/dist/audit/runner.js

@@ -0,0 +1,77 @@
+/**
+ * Runner — orchestrates probe + 10 checks → AuditReport.
+ *
+ * Order matters only for the displayed list; checks are independent and
+ * read from the same probe snapshot. If a check throws, we record a 0
+ * with a synthetic detail entry rather than crashing the audit.
+ */
+import { SERVER_VERSION } from '../constants.js';
+import { checkAgentManifest } from './checks/agent-manifest.js';
+import { checkAnnotations } from './checks/annotations.js';
+import { checkManifestDiscoverability } from './checks/manifest-discoverability.js';
+import { checkMutationGating } from './checks/mutation-gating.js';
+import { checkPrivacyModes } from './checks/privacy-modes.js';
+import { checkResources } from './checks/resources.js';
+import { checkSchemaValidity } from './checks/schema-validity.js';
+import { checkSmokeTest } from './checks/smoke-test.js';
+import { checkToolDescriptions } from './checks/tool-descriptions.js';
+import { checkToolNaming } from './checks/tool-naming.js';
+import { probeTarget } from './probe.js';
+import { aggregateScore } from './scorer.js';
+const CHECK_LABELS = {
+    schema_validity: 'Schema validity',
+    tool_naming: 'Tool naming convention',
+    privacy_modes: 'Privacy modes documented',
+    mutation_gating: 'Mutation gating',
+    agent_manifest: 'Agent manifest',
+    smoke_test: 'Smoke test',
+    resources: 'Resources advertised',
+    tool_descriptions: 'Tool descriptions',
+    annotations: 'Annotations',
+    manifest_discoverability: 'Manifest discoverability'
+};
+function safeRun(id, fn) {
+    try {
+        return fn();
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return {
+            id,
+            label: CHECK_LABELS[id],
+            score: 0,
+            status: 'fail',
+            summary: 'check threw an error',
+            details: [msg.slice(0, 200)],
+            fixes: []
+        };
+    }
+}
+export async function runAudit(target) {
+    const snapshot = await probeTarget(target);
+    const checks = [
+        safeRun('schema_validity', () => checkSchemaValidity(snapshot)),
+        safeRun('tool_naming', () => checkToolNaming(snapshot)),
+        safeRun('privacy_modes', () => checkPrivacyModes(snapshot)),
+        safeRun('mutation_gating', () => checkMutationGating(snapshot)),
+        safeRun('agent_manifest', () => checkAgentManifest(snapshot)),
+        safeRun('smoke_test', () => checkSmokeTest(snapshot, target)),
+        safeRun('resources', () => checkResources(snapshot)),
+        safeRun('tool_descriptions', () => checkToolDescriptions(snapshot)),
+        safeRun('annotations', () => checkAnnotations(snapshot)),
+        safeRun('manifest_discoverability', () => checkManifestDiscoverability(snapshot))
+    ];
+    return {
+        target: {
+            displayName: target.displayName,
+            version: target.version,
+            serverName: snapshot.serverInfo.name,
+            serverVersion: snapshot.serverInfo.version
+        },
+        totalScore: aggregateScore(checks),
+        checks,
+        generatedAt: new Date().toISOString(),
+        scorecardVersion: SERVER_VERSION
+    };
+}
+//# sourceMappingURL=runner.js.map