mcp-scorecard 0.1.0

package/dist/audit/runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runner.js","sourceRoot":"","sources":["../../src/audit/runner.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACpF,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAI7C,MAAM,YAAY,GAA4B;IAC5C,eAAe,EAAE,iBAAiB;IAClC,WAAW,EAAE,wBAAwB;IACrC,aAAa,EAAE,0BAA0B;IACzC,eAAe,EAAE,iBAAiB;IAClC,cAAc,EAAE,gBAAgB;IAChC,UAAU,EAAE,YAAY;IACxB,SAAS,EAAE,sBAAsB;IACjC,iBAAiB,EAAE,mBAAmB;IACtC,WAAW,EAAE,aAAa;IAC1B,wBAAwB,EAAE,0BAA0B;CACrD,CAAC;AAEF,SAAS,OAAO,CAAC,EAAW,EAAE,EAAqB;IACjD,IAAI,CAAC;QACH,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO;YACL,EAAE;YACF,KAAK,EAAE,YAAY,CAAC,EAAE,CAAC;YACvB,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,sBAAsB;YAC/B,OAAO,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC5B,KAAK,EAAE,EAAE;SACV,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,MAAsB;IACnD,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAkB;QAC5B,OAAO,CAAC,iBAAiB,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC/D,OAAO,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACvD,OAAO,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC3D,OAAO,CAAC,iBAAiB,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC/D,OAAO,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC7D,OAAO,CAAC,YAAY,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7D,OAAO,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QACpD,OAAO,CAAC,mBAAmB,EAAE,GAAG,EAAE,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QACnE,OAAO,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACxD,OAAO,CAAC,0BAA0B,EAAE,GAAG,EAAE,CAAC,4BAA4B,CAAC,QAAQ,CAAC,CAAC;KAClF,CAAC;IAEF,OAAO;QACL,MAAM,EAAE;YACN,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,IAAI;YACpC,aAAa,EAAE,QAAQ,CAAC,UAAU,CAAC,OAAO;SAC3C;QACD,UAAU,EAAE,cAAc,CAAC,MAAM,CAAC;QAClC,MAAM;QACN,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,gBAAgB,EAAE,cAAc;KACjC,CAAC;AACJ,CAAC"}

package/dist/audit/scorer.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Scorer — sums the 10 check scores (each 0..10) into a single 0..100.
+ *
+ * Currently every check has equal weight. Future versions may introduce
+ * weighting (CLI: --weights schema=2,naming=1,...). For now: trivially sum.
+ */
+import type { CheckResult } from '../types.js';
+export declare function aggregateScore(checks: CheckResult[]): number;

package/dist/audit/scorer.js

@@ -0,0 +1,17 @@
+/**
+ * Scorer — sums the 10 check scores (each 0..10) into a single 0..100.
+ *
+ * Currently every check has equal weight. Future versions may introduce
+ * weighting (CLI: --weights schema=2,naming=1,...). For now: trivially sum.
+ */
+const EXPECTED_CHECK_COUNT = 10;
+export function aggregateScore(checks) {
+    if (checks.length === 0)
+        return 0;
+    // Use the expected denominator (10 checks * 10 each = 100); if a check
+    // failed to even run, we still divide by 10 so the score reflects gaps.
+    const sum = checks.reduce((acc, c) => acc + Math.max(0, Math.min(10, c.score)), 0);
+    const denom = EXPECTED_CHECK_COUNT * 10;
+    return Math.round((sum / denom) * 100);
+}
+//# sourceMappingURL=scorer.js.map

package/dist/audit/scorer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scorer.js","sourceRoot":"","sources":["../../src/audit/scorer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,oBAAoB,GAAG,EAAE,CAAC;AAEhC,MAAM,UAAU,cAAc,CAAC,MAAqB;IAClD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAClC,uEAAuE;IACvE,wEAAwE;IACxE,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACnF,MAAM,KAAK,GAAG,oBAAoB,GAAG,EAAE,CAAC;IACxC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;AACzC,CAAC"}

package/dist/cli/commands.d.ts

@@ -0,0 +1,10 @@
+/**
+ * CLI parser — plain argv, no commander. The first positional is the
+ * subject (npm package, GitHub URL, or absolute path). Flags:
+ *
+ *   --json            emit JSON instead of markdown
+ *   --min-score N     exit 1 if total score < N (CI gate)
+ *   --version         print scorecard version
+ *   --help, -h        print usage
+ */
+export declare function run(argv: string[]): Promise<number>;

package/dist/cli/commands.js

@@ -0,0 +1,123 @@
+/**
+ * CLI parser — plain argv, no commander. The first positional is the
+ * subject (npm package, GitHub URL, or absolute path). Flags:
+ *
+ *   --json            emit JSON instead of markdown
+ *   --min-score N     exit 1 if total score < N (CI gate)
+ *   --version         print scorecard version
+ *   --help, -h        print usage
+ */
+import { existsSync } from 'node:fs';
+import { isAbsolute } from 'node:path';
+import { SERVER_VERSION } from '../constants.js';
+import { runAudit } from '../audit/runner.js';
+import { resolveGithubRepo } from '../resolvers/github-resolver.js';
+import { resolveLocal } from '../resolvers/local-resolver.js';
+import { resolveNpmPackage } from '../resolvers/npm-resolver.js';
+import { renderJson, renderMarkdown } from './output.js';
+const USAGE = `mcp-scorecard v${SERVER_VERSION}
+
+Usage:
+  mcp-scorecard <subject> [--json] [--min-score N]
+
+Subjects:
+  npm-package            e.g. whoop-mcp-unofficial[@version]
+  github-url             e.g. https://github.com/davidmosiah/whoop-mcp
+  /abs/path/dist/index.js  built MCP server entry
+
+Flags:
+  --json           emit structured JSON to stdout
+  --min-score N    exit non-zero if total score < N (default 0)
+  --version        print version
+  --help, -h       print this message
+
+Privacy: the probe sets MCP_PROBE=1 so MCP authors can detect an audit and
+skip auth-only side effects. Probe responses are NEVER persisted; only
+counts and field names are recorded. See the README for the security model.`;
+function parseArgs(argv) {
+    const out = { json: false, minScore: 0, help: false, showVersion: false };
+    for (let i = 0; i < argv.length; i++) {
+        const arg = argv[i];
+        if (arg === '--help' || arg === '-h')
+            out.help = true;
+        else if (arg === '--version')
+            out.showVersion = true;
+        else if (arg === '--json')
+            out.json = true;
+        else if (arg === '--min-score') {
+            const v = argv[++i];
+            const n = Number.parseInt(v, 10);
+            if (!Number.isFinite(n))
+                throw new Error(`--min-score expects a number, got: ${v}`);
+            out.minScore = n;
+        }
+        else if (arg.startsWith('--')) {
+            throw new Error(`Unknown flag: ${arg}`);
+        }
+        else if (!out.subject) {
+            out.subject = arg;
+        }
+    }
+    return out;
+}
+function classifySubject(subject) {
+    if (/^https?:\/\/github\.com\//.test(subject) || /^github:/.test(subject))
+        return 'github';
+    if (isAbsolute(subject) && existsSync(subject))
+        return 'local';
+    return 'npm';
+}
+async function resolveSubject(subject) {
+    const kind = classifySubject(subject);
+    if (kind === 'github')
+        return resolveGithubRepo(subject);
+    if (kind === 'local')
+        return resolveLocal(subject);
+    return resolveNpmPackage(subject);
+}
+export async function run(argv) {
+    let parsed;
+    try {
+        parsed = parseArgs(argv);
+    }
+    catch (err) {
+        process.stderr.write(`${err instanceof Error ? err.message : String(err)}\n\n${USAGE}\n`);
+        return 2;
+    }
+    if (parsed.help) {
+        process.stdout.write(`${USAGE}\n`);
+        return 0;
+    }
+    if (parsed.showVersion) {
+        process.stdout.write(`${SERVER_VERSION}\n`);
+        return 0;
+    }
+    if (!parsed.subject) {
+        process.stderr.write(`Missing subject.\n\n${USAGE}\n`);
+        return 2;
+    }
+    let target;
+    try {
+        target = await resolveSubject(parsed.subject);
+    }
+    catch (err) {
+        process.stderr.write(`Resolver error: ${err instanceof Error ? err.message : String(err)}\n`);
+        return 1;
+    }
+    let report;
+    try {
+        report = await runAudit(target);
+    }
+    catch (err) {
+        process.stderr.write(`Audit error: ${err instanceof Error ? err.message : String(err)}\n`);
+        return 1;
+    }
+    process.stdout.write(parsed.json ? renderJson(report) : renderMarkdown(report));
+    process.stdout.write('\n');
+    if (report.totalScore < parsed.minScore) {
+        process.stderr.write(`\nScore ${report.totalScore} < --min-score ${parsed.minScore}\n`);
+        return 1;
+    }
+    return 0;
+}
+//# sourceMappingURL=commands.js.map

package/dist/cli/commands.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"commands.js","sourceRoot":"","sources":["../../src/cli/commands.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AAEjE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAEzD,MAAM,KAAK,GAAG,kBAAkB,cAAc;;;;;;;;;;;;;;;;;;4EAkB8B,CAAC;AAU7E,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,GAAG,GAAe,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;IACtF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;YAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;aACjD,IAAI,GAAG,KAAK,WAAW;YAAE,GAAG,CAAC,WAAW,GAAG,IAAI,CAAC;aAChD,IAAI,GAAG,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;aACtC,IAAI,GAAG,KAAK,aAAa,EAAE,CAAC;YAC/B,MAAM,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,EAAE,CAAC,CAAC;YACpF,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC;QACnB,CAAC;aAAM,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,iBAAiB,GAAG,EAAE,CAAC,CAAC;QAC1C,CAAC;aAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACxB,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe,CAAC,OAAe;IACtC,IAAI,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC3F,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,CAAC;IAC/D,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,OAAe;IAC3C,MAAM,IAAI,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACzD,IAAI,IAAI,KAAK,OAAO;QAAE,OAAO,YAAY,CAAC,OAAO,CAAC,CAAC;IACnD,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,GAAG,CAAC,IAAc;IACtC,IAAI,MAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,KAAK,IAAI,CAAC,CAAC;QAC1F,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC;QACnC,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,cAAc,IAAI,CAAC,CAAC;QAC5C,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,KAAK,IAAI,CAAC,CAAC;QACvD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,MAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9F,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,MAA4C,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC3F,OAAO,CAAC,CAAC;IACX,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC;IAChF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE3B,IAAI,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,MAAM,CAAC,UAAU,kBAAkB,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;QACxF,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/cli/output.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Output formatters: markdown (default) + json (--json).
+ *
+ * Markdown layout matches the spec sample. Status icons use plain text so
+ * the output is readable in non-emoji terminals too.
+ *
+ * Privacy: we run a redaction pass on any string going into details/fixes/
+ * summary, so a stray customer_id in a tool description doesn't leak.
+ */
+import type { AuditReport } from '../types.js';
+/** Markdown table-ish output suitable for terminals and PR comments. */
+export declare function renderMarkdown(report: AuditReport): string;
+export declare function renderJson(report: AuditReport): string;

package/dist/cli/output.js

@@ -0,0 +1,76 @@
+/**
+ * Output formatters: markdown (default) + json (--json).
+ *
+ * Markdown layout matches the spec sample. Status icons use plain text so
+ * the output is readable in non-emoji terminals too.
+ *
+ * Privacy: we run a redaction pass on any string going into details/fixes/
+ * summary, so a stray customer_id in a tool description doesn't leak.
+ */
+import { REDACTION_KEYS } from '../constants.js';
+const STATUS_ICON = {
+    pass: '[PASS]',
+    warn: '[WARN]',
+    fail: '[FAIL]'
+};
+const REDACTION_RE = new RegExp(`\\b(${REDACTION_KEYS.map((k) => k.replace(/_/g, '[_-]?')).join('|')})\\b\\s*[:=]\\s*([^\\s,]+)`, 'gi');
+function redact(text) {
+    return text.replace(REDACTION_RE, (_full, key) => `${key}: [REDACTED]`);
+}
+function redactAll(items) {
+    return items.map(redact);
+}
+/** Markdown table-ish output suitable for terminals and PR comments. */
+export function renderMarkdown(report) {
+    const lines = [];
+    const versionTag = report.target.version ? ` @${report.target.version}` : '';
+    lines.push(`# mcp-scorecard - ${report.target.displayName}${versionTag}`);
+    lines.push('');
+    lines.push(`**Agent-readiness score:** ${report.totalScore}/100`);
+    lines.push('');
+    for (const c of report.checks) {
+        lines.push(`- ${STATUS_ICON[c.status]} ${c.label.padEnd(28)} (${redact(c.summary)})`);
+    }
+    const detailLines = [];
+    for (const c of report.checks) {
+        if (c.details.length > 0) {
+            detailLines.push(`### ${c.label}`);
+            for (const d of redactAll(c.details)) {
+                detailLines.push(`- ${d}`);
+            }
+        }
+    }
+    if (detailLines.length > 0) {
+        lines.push('');
+        lines.push('## Details');
+        lines.push(...detailLines);
+    }
+    const fixLines = [];
+    for (const c of report.checks) {
+        if (c.fixes.length > 0) {
+            for (const f of redactAll(c.fixes)) {
+                fixLines.push(`- ${f}`);
+            }
+        }
+    }
+    if (fixLines.length > 0) {
+        lines.push('');
+        lines.push('## Suggested fixes');
+        lines.push(...fixLines);
+    }
+    lines.push('');
+    lines.push(`_Generated by mcp-scorecard v${report.scorecardVersion} at ${report.generatedAt}_`);
+    return lines.join('\n');
+}
+export function renderJson(report) {
+    // JSON output is also redacted at the string level so consumers don't
+    // accidentally persist secrets from probed servers.
+    const redactedChecks = report.checks.map((c) => ({
+        ...c,
+        summary: redact(c.summary),
+        details: redactAll(c.details),
+        fixes: redactAll(c.fixes)
+    }));
+    return JSON.stringify({ ...report, checks: redactedChecks }, null, 2);
+}
+//# sourceMappingURL=output.js.map

package/dist/cli/output.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output.js","sourceRoot":"","sources":["../../src/cli/output.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGjD,MAAM,WAAW,GAA0C;IACzD,IAAI,EAAE,QAAQ;IACd,IAAI,EAAE,QAAQ;IACd,IAAI,EAAE,QAAQ;CACf,CAAC;AAEF,MAAM,YAAY,GAAG,IAAI,MAAM,CAC7B,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,4BAA4B,EAChG,IAAI,CACL,CAAC;AAEF,SAAS,MAAM,CAAC,IAAY;IAC1B,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,cAAc,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,SAAS,CAAC,KAAe;IAChC,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAC3B,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,cAAc,CAAC,MAAmB;IAChD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7E,KAAK,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,MAAM,CAAC,WAAW,GAAG,UAAU,EAAE,CAAC,CAAC;IAC1E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,8BAA8B,MAAM,CAAC,UAAU,MAAM,CAAC,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9B,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YACnC,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;gBACrC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9B,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;gBACnC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,gCAAgC,MAAM,CAAC,gBAAgB,OAAO,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;IAChG,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAmB;IAC5C,sEAAsE;IACtE,oDAAoD;IACpD,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC/C,GAAG,CAAC;QACJ,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;QAC1B,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC;QAC7B,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;KAC1B,CAAC,CAAC,CAAC;IACJ,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACxE,CAAC"}

package/dist/constants.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Version pinned in source so the audit output and probe handshake show the
+ * same string. Bumping this without updating package.json is intentional during
+ * dev (keep src as source of truth); a release script can sync them.
+ */
+export declare const SERVER_VERSION = "0.1.0";
+/** Identifier used when the probe connects to a target MCP server. */
+export declare const PROBE_CLIENT_NAME = "mcp-scorecard";
+/** Env var set on the spawned target so MCP authors can detect we are probing
+ *  and skip auth-only side effects. Documented in the README. */
+export declare const PROBE_ENV_FLAG = "MCP_PROBE";
+/**
+ * Patterns that imply a tool MUTATES state on the target system. We use these
+ * to score mutation gating — if a tool name matches and the description does
+ * not mention an explicit gate, it loses points.
+ */
+export declare const MUTATION_PATTERNS: RegExp[];
+/**
+ * Words that, when present in a mutation tool's description, signal the author
+ * thought about gating: env vars, explicit consent, dry-run, etc.
+ */
+export declare const MUTATION_GATE_HINTS: string[];
+/** Manifest-discoverability candidates — at least one must exist on target. */
+export declare const DISCOVERY_TOOL_SUFFIXES: string[];
+/** Field names that, if echoed back in tool descriptions, are redacted in
+ *  output to avoid leaking real customer data when run against a logged-in
+ *  server. */
+export declare const REDACTION_KEYS: string[];

package/dist/constants.js

@@ -0,0 +1,54 @@
+/**
+ * Version pinned in source so the audit output and probe handshake show the
+ * same string. Bumping this without updating package.json is intentional during
+ * dev (keep src as source of truth); a release script can sync them.
+ */
+export const SERVER_VERSION = '0.1.0';
+/** Identifier used when the probe connects to a target MCP server. */
+export const PROBE_CLIENT_NAME = 'mcp-scorecard';
+/** Env var set on the spawned target so MCP authors can detect we are probing
+ *  and skip auth-only side effects. Documented in the README. */
+export const PROBE_ENV_FLAG = 'MCP_PROBE';
+/**
+ * Patterns that imply a tool MUTATES state on the target system. We use these
+ * to score mutation gating — if a tool name matches and the description does
+ * not mention an explicit gate, it loses points.
+ */
+export const MUTATION_PATTERNS = [
+    /(^|_)(set|update|delete|create|pause|resume|enable|disable|cancel|publish|send|remove|add|insert|patch|put|post)(_|$)/i
+];
+/**
+ * Words that, when present in a mutation tool's description, signal the author
+ * thought about gating: env vars, explicit consent, dry-run, etc.
+ */
+export const MUTATION_GATE_HINTS = [
+    'gated by',
+    'requires explicit',
+    'explicit user intent',
+    'allow_mutations',
+    'dry-run',
+    'dry_run',
+    'confirm',
+    'consent'
+];
+/** Manifest-discoverability candidates — at least one must exist on target. */
+export const DISCOVERY_TOOL_SUFFIXES = [
+    'agent_manifest',
+    'data_inventory',
+    'capabilities',
+    'connection_status'
+];
+/** Field names that, if echoed back in tool descriptions, are redacted in
+ *  output to avoid leaking real customer data when run against a logged-in
+ *  server. */
+export const REDACTION_KEYS = [
+    'customer_id',
+    'email',
+    'phone',
+    'access_token',
+    'refresh_token',
+    'client_secret',
+    'developer_token',
+    'api_key'
+];
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC;AAEtC,sEAAsE;AACtE,MAAM,CAAC,MAAM,iBAAiB,GAAG,eAAe,CAAC;AAEjD;iEACiE;AACjE,MAAM,CAAC,MAAM,cAAc,GAAG,WAAW,CAAC;AAE1C;;;;GAIG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAa;IACzC,wHAAwH;CACzH,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,UAAU;IACV,mBAAmB;IACnB,sBAAsB;IACtB,iBAAiB;IACjB,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;CACV,CAAC;AAEF,+EAA+E;AAC/E,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,gBAAgB;IAChB,gBAAgB;IAChB,cAAc;IACd,mBAAmB;CACpB,CAAC;AAEF;;cAEc;AACd,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,aAAa;IACb,OAAO;IACP,OAAO;IACP,cAAc;IACd,eAAe;IACf,eAAe;IACf,iBAAiB;IACjB,SAAS;CACV,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+/**
+ * mcp-scorecard CLI entrypoint.
+ *
+ * Thin wrapper around src/cli/commands.ts so the bin field can point at
+ * a single file that just dispatches argv.
+ */
+import { run } from './cli/commands.js';
+run(process.argv.slice(2)).then((code) => process.exit(code), (err) => {
+    process.stderr.write(`Fatal: ${err instanceof Error ? err.stack ?? err.message : String(err)}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;GAKG;AACH,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAC;AAExC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAC7B,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAC5B,CAAC,GAAG,EAAE,EAAE;IACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CACF,CAAC"}

package/dist/resolvers/github-resolver.d.ts

@@ -0,0 +1,10 @@
+/**
+ * GitHub resolver — extracts owner/repo from a URL, clones via `gh repo
+ * clone` into /tmp/scorecard-work/, reads package.json for the npm name,
+ * then delegates to npm resolver (so we audit what users actually `npx`).
+ *
+ * Falls back to launching from a local `dist/index.js` if the package was
+ * never published.
+ */
+import type { ResolvedTarget } from '../types.js';
+export declare function resolveGithubRepo(url: string): Promise<ResolvedTarget>;

package/dist/resolvers/github-resolver.js

@@ -0,0 +1,65 @@
+/**
+ * GitHub resolver — extracts owner/repo from a URL, clones via `gh repo
+ * clone` into /tmp/scorecard-work/, reads package.json for the npm name,
+ * then delegates to npm resolver (so we audit what users actually `npx`).
+ *
+ * Falls back to launching from a local `dist/index.js` if the package was
+ * never published.
+ */
+import { spawnSync } from 'node:child_process';
+import { existsSync, mkdirSync, mkdtempSync, readFileSync } from 'node:fs';
+import { join, resolve as pathResolve } from 'node:path';
+import { resolveNpmPackage } from './npm-resolver.js';
+const SCRATCH_ROOT = '/tmp/scorecard-work';
+function parseOwnerRepo(input) {
+    const m = input.match(/^https?:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/i) ||
+        input.match(/^github:([^/]+)\/(.+)$/i);
+    if (!m)
+        return undefined;
+    return { owner: m[1], repo: m[2].replace(/\.git$/, '') };
+}
+export async function resolveGithubRepo(url) {
+    const parsed = parseOwnerRepo(url);
+    if (!parsed)
+        throw new Error(`Not a recognizable GitHub URL: ${url}`);
+    if (!existsSync(SCRATCH_ROOT))
+        mkdirSync(SCRATCH_ROOT, { recursive: true });
+    const dest = mkdtempSync(join(SCRATCH_ROOT, 'gh-'));
+    const cloneDir = join(dest, parsed.repo);
+    const gh = spawnSync('gh', ['repo', 'clone', `${parsed.owner}/${parsed.repo}`, cloneDir, '--', '--depth=1'], {
+        encoding: 'utf8'
+    });
+    if (gh.status !== 0) {
+        throw new Error(`gh repo clone failed for ${parsed.owner}/${parsed.repo}: ${gh.stderr}`);
+    }
+    const pkgJsonPath = join(cloneDir, 'package.json');
+    if (!existsSync(pkgJsonPath)) {
+        throw new Error(`Cloned repo has no package.json: ${pkgJsonPath}`);
+    }
+    const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8'));
+    // Prefer auditing the published npm package — that's what agents actually
+    // pull via `npx -y <name>`. Falls back to local dist if npm pack fails.
+    if (typeof pkg.name === 'string') {
+        try {
+            return await resolveNpmPackage(pkg.name);
+        }
+        catch {
+            // package not published — try local dist
+        }
+    }
+    const localBin = pathResolve(cloneDir, (pkg.bin && typeof pkg.bin === 'object'
+        ? (Object.values(pkg.bin)[0] ?? 'dist/index.js')
+        : (typeof pkg.bin === 'string' ? pkg.bin : 'dist/index.js')));
+    if (!existsSync(localBin)) {
+        throw new Error(`No published npm package and no local bin at ${localBin}. Run \`npm run build\` in the repo first.`);
+    }
+    return {
+        displayName: pkg.name ?? `${parsed.owner}/${parsed.repo}`,
+        version: pkg.version,
+        command: 'node',
+        args: [localBin],
+        packageDir: cloneDir,
+        packageJson: pkg
+    };
+}
+//# sourceMappingURL=github-resolver.js.map

package/dist/resolvers/github-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-resolver.js","sourceRoot":"","sources":["../../src/resolvers/github-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,IAAI,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAC;AAEzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,YAAY,GAAG,qBAAqB,CAAC;AAE3C,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,CAAC,GACL,KAAK,CAAC,KAAK,CAAC,2DAA2D,CAAC;QACxE,KAAK,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACzB,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC;AAC3D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,GAAW;IACjD,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,EAAE,CAAC,CAAC;IAEtE,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,SAAS,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5E,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;IAEzC,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE;QAC3G,QAAQ,EAAE,MAAM;KACjB,CAAC,CAAC;IACH,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,4BAA4B,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACnD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,oCAAoC,WAAW,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;IAE1D,0EAA0E;IAC1E,wEAAwE;IACxE,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,OAAO,MAAM,iBAAiB,CAAC,GAAG,CAAC,IAAc,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;QAC3C,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,GAAG,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;QAC5E,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,GAA6B,CAAC,CAAC,CAAC,CAAC,IAAI,eAAe,CAAC;QAC1E,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IAEhE,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,gDAAgD,QAAQ,4CAA4C,CAAC,CAAC;IACxH,CAAC;IAED,OAAO;QACL,WAAW,EAAG,GAAG,CAAC,IAAe,IAAI,GAAG,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,EAAE;QACrE,OAAO,EAAE,GAAG,CAAC,OAA6B;QAC1C,OAAO,EAAE,MAAM;QACf,IAAI,EAAE,CAAC,QAAQ,CAAC;QAChB,UAAU,EAAE,QAAQ;QACpB,WAAW,EAAE,GAAG;KACjB,CAAC;AACJ,CAAC"}

package/dist/resolvers/local-resolver.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Local resolver — the subject is an absolute path to a built MCP binary.
+ *
+ * The packageDir is the nearest ancestor containing package.json (so smoke
+ * test detection and version display work). We launch with `node <path>`.
+ */
+import type { ResolvedTarget } from '../types.js';
+export declare function resolveLocal(targetPath: string): ResolvedTarget;

package/dist/resolvers/local-resolver.js

@@ -0,0 +1,50 @@
+/**
+ * Local resolver — the subject is an absolute path to a built MCP binary.
+ *
+ * The packageDir is the nearest ancestor containing package.json (so smoke
+ * test detection and version display work). We launch with `node <path>`.
+ */
+import { existsSync, readFileSync, statSync } from 'node:fs';
+import { dirname, isAbsolute, resolve as pathResolve } from 'node:path';
+function findPackageRoot(start) {
+    let dir = start;
+    for (let i = 0; i < 6; i++) {
+        const candidate = pathResolve(dir, 'package.json');
+        if (existsSync(candidate)) {
+            try {
+                const pkg = JSON.parse(readFileSync(candidate, 'utf8'));
+                return { dir, pkg };
+            }
+            catch {
+                // unparseable — keep going up
+            }
+        }
+        const parent = dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return { dir: start };
+}
+export function resolveLocal(targetPath) {
+    const abs = isAbsolute(targetPath) ? targetPath : pathResolve(process.cwd(), targetPath);
+    if (!existsSync(abs)) {
+        throw new Error(`Local target does not exist: ${abs}`);
+    }
+    const st = statSync(abs);
+    if (!st.isFile()) {
+        throw new Error(`Local target must be a file (built JS): ${abs}`);
+    }
+    const { dir, pkg } = findPackageRoot(dirname(abs));
+    const displayName = pkg?.name ?? abs;
+    const version = pkg?.version;
+    return {
+        displayName,
+        version,
+        command: 'node',
+        args: [abs],
+        packageDir: dir,
+        packageJson: pkg
+    };
+}
+//# sourceMappingURL=local-resolver.js.map

package/dist/resolvers/local-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-resolver.js","sourceRoot":"","sources":["../../src/resolvers/local-resolver.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAC;AAGxE,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,GAAG,GAAG,KAAK,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;QACnD,IAAI,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;gBACxD,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;YACtB,CAAC;YAAC,MAAM,CAAC;gBACP,8BAA8B;YAChC,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM;QAC1B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACzF,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,EAAE,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,2CAA2C,GAAG,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IACnD,MAAM,WAAW,GAAI,GAAG,EAAE,IAA2B,IAAI,GAAG,CAAC;IAC7D,MAAM,OAAO,GAAG,GAAG,EAAE,OAA6B,CAAC;IACnD,OAAO;QACL,WAAW;QACX,OAAO;QACP,OAAO,EAAE,MAAM;QACf,IAAI,EAAE,CAAC,GAAG,CAAC;QACX,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,GAAG;KACjB,CAAC;AACJ,CAAC"}

package/dist/resolvers/npm-resolver.d.ts

@@ -0,0 +1,11 @@
+/**
+ * npm resolver — given a package name (optionally @version), runs `npm pack`
+ * into a fresh temp dir, unpacks the tarball, locates the bin from
+ * package.json, and returns a ResolvedTarget ready for probing.
+ *
+ * Security:
+ *   - works in /tmp/scorecard-work/probe-<random>/, never in the user's HOME.
+ *   - uses --no-fund --no-audit to keep output clean and avoid any phone-home.
+ */
+import type { ResolvedTarget } from '../types.js';
+export declare function resolveNpmPackage(spec: string): Promise<ResolvedTarget>;