mcp-server-verify 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.cjs +37 -37
- package/package.json +1 -1
package/dist/cli.cjs
CHANGED
|
@@ -1,43 +1,43 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
|
-
"use strict";var
|
|
2
|
+
"use strict";var zr=Object.create;var ge=Object.defineProperty;var Wr=Object.getOwnPropertyDescriptor;var Ur=Object.getOwnPropertyNames;var Br=Object.getPrototypeOf,Gr=Object.prototype.hasOwnProperty;var Yr=(n,e)=>()=>(n&&(e=n(n=0)),e);var W=(n,e)=>()=>(e||n((e={exports:{}}).exports,e),e.exports),Gt=(n,e)=>{for(var t in e)ge(n,t,{get:e[t],enumerable:!0})},Yt=(n,e,t,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let o of Ur(e))!Gr.call(n,o)&&o!==t&&ge(n,o,{get:()=>e[o],enumerable:!(r=Wr(e,o))||r.enumerable});return n};var $e=(n,e,t)=>(t=n!=null?zr(Br(n)):{},Yt(e||!n||!n.__esModule?ge(t,"default",{value:n,enumerable:!0}):t,n)),Kr=n=>Yt(ge({},"__esModule",{value:!0}),n);var se=W(Ae=>{"use strict";var ye=class extends Error{constructor(e,t,r){super(r),Error.captureStackTrace(this,this.constructor),this.name=this.constructor.name,this.code=t,this.exitCode=e,this.nestedError=void 0}},_e=class extends ye{constructor(e){super(1,"commander.invalidArgument",e),Error.captureStackTrace(this,this.constructor),this.name=this.constructor.name}};Ae.CommanderError=ye;Ae.InvalidArgumentError=_e});var be=W(Ne=>{"use strict";var{InvalidArgumentError:Xr}=se(),Ie=class{constructor(e,t){switch(this.description=t||"",this.variadic=!1,this.parseArg=void 0,this.defaultValue=void 0,this.defaultValueDescription=void 0,this.argChoices=void 0,e[0]){case"<":this.required=!0,this._name=e.slice(1,-1);break;case"[":this.required=!1,this._name=e.slice(1,-1);break;default:this.required=!0,this._name=e;break}this._name.length>3&&this._name.slice(-3)==="..."&&(this.variadic=!0,this._name=this._name.slice(0,-3))}name(){return this._name}_concatValue(e,t){return t===this.defaultValue||!Array.isArray(t)?[e]:t.concat(e)}default(e,t){return this.defaultValue=e,this.defaultValueDescription=t,this}argParser(e){return this.parseArg=e,this}choices(e){return this.argChoices=e.slice(),this.parseArg=(t,r)=>{if(!this.argChoices.includes(t))throw new Xr(`Allowed choices are ${this.argChoices.join(", ")}.`);return this.variadic?this._concatValue(t,r):t},this}argRequired(){return this.required=!0,this}argOptional(){return this.required=!1,this}};function Zr(n){let e=n.name()+(n.variadic===!0?"...":"");return n.required?"<"+e+">":"["+e+"]"}Ne.Argument=Ie;Ne.humanReadableArgName=Zr});var je=W(Kt=>{"use strict";var{humanReadableArgName:Qr}=be(),Ve=class{constructor(){this.helpWidth=void 0,this.sortSubcommands=!1,this.sortOptions=!1,this.showGlobalOptions=!1}visibleCommands(e){let t=e.commands.filter(o=>!o._hidden),r=e._getHelpCommand();return r&&!r._hidden&&t.push(r),this.sortSubcommands&&t.sort((o,s)=>o.name().localeCompare(s.name())),t}compareOptions(e,t){let r=o=>o.short?o.short.replace(/^-/,""):o.long.replace(/^--/,"");return r(e).localeCompare(r(t))}visibleOptions(e){let t=e.options.filter(o=>!o.hidden),r=e._getHelpOption();if(r&&!r.hidden){let o=r.short&&e._findOption(r.short),s=r.long&&e._findOption(r.long);!o&&!s?t.push(r):r.long&&!s?t.push(e.createOption(r.long,r.description)):r.short&&!o&&t.push(e.createOption(r.short,r.description))}return this.sortOptions&&t.sort(this.compareOptions),t}visibleGlobalOptions(e){if(!this.showGlobalOptions)return[];let t=[];for(let r=e.parent;r;r=r.parent){let o=r.options.filter(s=>!s.hidden);t.push(...o)}return this.sortOptions&&t.sort(this.compareOptions),t}visibleArguments(e){return e._argsDescription&&e.registeredArguments.forEach(t=>{t.description=t.description||e._argsDescription[t.name()]||""}),e.registeredArguments.find(t=>t.description)?e.registeredArguments:[]}subcommandTerm(e){let t=e.registeredArguments.map(r=>Qr(r)).join(" ");return e._name+(e._aliases[0]?"|"+e._aliases[0]:"")+(e.options.length?" [options]":"")+(t?" "+t:"")}optionTerm(e){return e.flags}argumentTerm(e){return e.name()}longestSubcommandTermLength(e,t){return t.visibleCommands(e).reduce((r,o)=>Math.max(r,t.subcommandTerm(o).length),0)}longestOptionTermLength(e,t){return t.visibleOptions(e).reduce((r,o)=>Math.max(r,t.optionTerm(o).length),0)}longestGlobalOptionTermLength(e,t){return t.visibleGlobalOptions(e).reduce((r,o)=>Math.max(r,t.optionTerm(o).length),0)}longestArgumentTermLength(e,t){return t.visibleArguments(e).reduce((r,o)=>Math.max(r,t.argumentTerm(o).length),0)}commandUsage(e){let t=e._name;e._aliases[0]&&(t=t+"|"+e._aliases[0]);let r="";for(let o=e.parent;o;o=o.parent)r=o.name()+" "+r;return r+t+" "+e.usage()}commandDescription(e){return e.description()}subcommandDescription(e){return e.summary()||e.description()}optionDescription(e){let t=[];return e.argChoices&&t.push(`choices: ${e.argChoices.map(r=>JSON.stringify(r)).join(", ")}`),e.defaultValue!==void 0&&(e.required||e.optional||e.isBoolean()&&typeof e.defaultValue=="boolean")&&t.push(`default: ${e.defaultValueDescription||JSON.stringify(e.defaultValue)}`),e.presetArg!==void 0&&e.optional&&t.push(`preset: ${JSON.stringify(e.presetArg)}`),e.envVar!==void 0&&t.push(`env: ${e.envVar}`),t.length>0?`${e.description} (${t.join(", ")})`:e.description}argumentDescription(e){let t=[];if(e.argChoices&&t.push(`choices: ${e.argChoices.map(r=>JSON.stringify(r)).join(", ")}`),e.defaultValue!==void 0&&t.push(`default: ${e.defaultValueDescription||JSON.stringify(e.defaultValue)}`),t.length>0){let r=`(${t.join(", ")})`;return e.description?`${e.description} ${r}`:r}return e.description}formatHelp(e,t){let r=t.padWidth(e,t),o=t.helpWidth||80,s=2,i=2;function c(f,h){if(h){let y=`${f.padEnd(r+i)}${h}`;return t.wrap(y,o-s,r+i)}return f}function a(f){return f.join(`
|
|
3
3
|
`).replace(/^/gm," ".repeat(s))}let l=[`Usage: ${t.commandUsage(e)}`,""],p=t.commandDescription(e);p.length>0&&(l=l.concat([t.wrap(p,o,0),""]));let u=t.visibleArguments(e).map(f=>c(t.argumentTerm(f),t.argumentDescription(f)));u.length>0&&(l=l.concat(["Arguments:",a(u),""]));let d=t.visibleOptions(e).map(f=>c(t.optionTerm(f),t.optionDescription(f)));if(d.length>0&&(l=l.concat(["Options:",a(d),""])),this.showGlobalOptions){let f=t.visibleGlobalOptions(e).map(h=>c(t.optionTerm(h),t.optionDescription(h)));f.length>0&&(l=l.concat(["Global Options:",a(f),""]))}let m=t.visibleCommands(e).map(f=>c(t.subcommandTerm(f),t.subcommandDescription(f)));return m.length>0&&(l=l.concat(["Commands:",a(m),""])),l.join(`
|
|
4
4
|
`)}padWidth(e,t){return Math.max(t.longestOptionTermLength(e,t),t.longestGlobalOptionTermLength(e,t),t.longestSubcommandTermLength(e,t),t.longestArgumentTermLength(e,t))}wrap(e,t,r,o=40){let s=" \\f\\t\\v\xA0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF",i=new RegExp(`[\\n][${s}]+`);if(e.match(i))return e;let c=t-r;if(c<o)return e;let a=e.slice(0,r),l=e.slice(r).replace(`\r
|
|
5
5
|
`,`
|
|
6
6
|
`),p=" ".repeat(r),d="\\s\u200B",m=new RegExp(`
|
|
7
7
|
|.{1,${c-1}}([${d}]|$)|[^${d}]+?([${d}]|$)`,"g"),f=l.match(m)||[];return a+f.map((h,y)=>h===`
|
|
8
8
|
`?"":(y>0?p:"")+h.trimEnd()).join(`
|
|
9
|
-
`)}};
|
|
9
|
+
`)}};Kt.Help=Ve});var De=W(Le=>{"use strict";var{InvalidArgumentError:en}=se(),Me=class{constructor(e,t){this.flags=e,this.description=t||"",this.required=e.includes("<"),this.optional=e.includes("["),this.variadic=/\w\.\.\.[>\]]$/.test(e),this.mandatory=!1;let r=rn(e);this.short=r.shortFlag,this.long=r.longFlag,this.negate=!1,this.long&&(this.negate=this.long.startsWith("--no-")),this.defaultValue=void 0,this.defaultValueDescription=void 0,this.presetArg=void 0,this.envVar=void 0,this.parseArg=void 0,this.hidden=!1,this.argChoices=void 0,this.conflictsWith=[],this.implied=void 0}default(e,t){return this.defaultValue=e,this.defaultValueDescription=t,this}preset(e){return this.presetArg=e,this}conflicts(e){return this.conflictsWith=this.conflictsWith.concat(e),this}implies(e){let t=e;return typeof e=="string"&&(t={[e]:!0}),this.implied=Object.assign(this.implied||{},t),this}env(e){return this.envVar=e,this}argParser(e){return this.parseArg=e,this}makeOptionMandatory(e=!0){return this.mandatory=!!e,this}hideHelp(e=!0){return this.hidden=!!e,this}_concatValue(e,t){return t===this.defaultValue||!Array.isArray(t)?[e]:t.concat(e)}choices(e){return this.argChoices=e.slice(),this.parseArg=(t,r)=>{if(!this.argChoices.includes(t))throw new en(`Allowed choices are ${this.argChoices.join(", ")}.`);return this.variadic?this._concatValue(t,r):t},this}name(){return this.long?this.long.replace(/^--/,""):this.short.replace(/^-/,"")}attributeName(){return tn(this.name().replace(/^no-/,""))}is(e){return this.short===e||this.long===e}isBoolean(){return!this.required&&!this.optional&&!this.negate}},He=class{constructor(e){this.positiveOptions=new Map,this.negativeOptions=new Map,this.dualOptions=new Set,e.forEach(t=>{t.negate?this.negativeOptions.set(t.attributeName(),t):this.positiveOptions.set(t.attributeName(),t)}),this.negativeOptions.forEach((t,r)=>{this.positiveOptions.has(r)&&this.dualOptions.add(r)})}valueFromOption(e,t){let r=t.attributeName();if(!this.dualOptions.has(r))return!0;let o=this.negativeOptions.get(r).presetArg,s=o!==void 0?o:!1;return t.negate===(s===e)}};function tn(n){return n.split("-").reduce((e,t)=>e+t[0].toUpperCase()+t.slice(1))}function rn(n){let e,t,r=n.split(/[ |,]+/);return r.length>1&&!/^[[<]/.test(r[1])&&(e=r.shift()),t=r.shift(),!e&&/^-[^-]$/.test(t)&&(e=t,t=void 0),{shortFlag:e,longFlag:t}}Le.Option=Me;Le.DualOptions=He});var Zt=W(Xt=>{"use strict";function nn(n,e){if(Math.abs(n.length-e.length)>3)return Math.max(n.length,e.length);let t=[];for(let r=0;r<=n.length;r++)t[r]=[r];for(let r=0;r<=e.length;r++)t[0][r]=r;for(let r=1;r<=e.length;r++)for(let o=1;o<=n.length;o++){let s=1;n[o-1]===e[r-1]?s=0:s=1,t[o][r]=Math.min(t[o-1][r]+1,t[o][r-1]+1,t[o-1][r-1]+s),o>1&&r>1&&n[o-1]===e[r-2]&&n[o-2]===e[r-1]&&(t[o][r]=Math.min(t[o][r],t[o-2][r-2]+1))}return t[n.length][e.length]}function on(n,e){if(!e||e.length===0)return"";e=Array.from(new Set(e));let t=n.startsWith("--");t&&(n=n.slice(2),e=e.map(i=>i.slice(2)));let r=[],o=3,s=.4;return e.forEach(i=>{if(i.length<=1)return;let c=nn(n,i),a=Math.max(n.length,i.length);(a-c)/a>s&&(c<o?(o=c,r=[i]):c===o&&r.push(i))}),r.sort((i,c)=>i.localeCompare(c)),t&&(r=r.map(i=>`--${i}`)),r.length>1?`
|
|
10
10
|
(Did you mean one of ${r.join(", ")}?)`:r.length===1?`
|
|
11
|
-
(Did you mean ${r[0]}?)`:""}
|
|
12
|
-
- specify the name in Command constructor or using .name()`);return t=t||{},t.isDefault&&(this._defaultCommandName=e._name),(t.noHelp||t.hidden)&&(e._hidden=!0),this._registerCommand(e),e.parent=this,e._checkForBrokenPassThrough(),this}createArgument(e,t){return new
|
|
13
|
-
Expecting one of '${r.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(t):this._lifeCycleHooks[e]=[t],this}exitOverride(e){return e?this._exitCallback=e:this._exitCallback=t=>{if(t.code!=="commander.executeSubCommandAsync")throw t},this}_exit(e,t,r){this._exitCallback&&this._exitCallback(new qe(e,t,r)),w.exit(e)}action(e){let t=r=>{let o=this.registeredArguments.length,s=r.slice(0,o);return this._storeOptionsAsProperties?s[o]=this:s[o]=this.opts(),s.push(this),e.apply(this,s)};return this._actionHandler=t,this}createOption(e,t){return new
|
|
14
|
-
- already used by option '${t.flags}'`)}this.options.push(e)}_registerCommand(e){let t=o=>[o.name()].concat(o.aliases()),r=t(e).find(o=>this._findCommand(o));if(r){let o=t(this._findCommand(r)).join("|"),s=t(e).join("|");throw new Error(`cannot add command '${s}' as already have command '${o}'`)}this.commands.push(e)}addOption(e){this._registerOption(e);let t=e.name(),r=e.attributeName();if(e.negate){let s=e.long.replace(/^--no-/,"--");this._findOption(s)||this.setOptionValueWithSource(r,e.defaultValue===void 0?!0:e.defaultValue,"default")}else e.defaultValue!==void 0&&this.setOptionValueWithSource(r,e.defaultValue,"default");let o=(s,i,c)=>{s==null&&e.presetArg!==void 0&&(s=e.presetArg);let a=this.getOptionValue(r);s!==null&&e.parseArg?s=this._callParseArg(e,s,a,i):s!==null&&e.variadic&&(s=e._concatValue(s,a)),s==null&&(e.negate?s=!1:e.isBoolean()||e.optional?s=!0:s=""),this.setOptionValueWithSource(r,s,c)};return this.on("option:"+t,s=>{let i=`error: option '${e.flags}' argument '${s}' is invalid.`;o(s,i,"cli")}),e.envVar&&this.on("optionEnv:"+t,s=>{let i=`error: option '${e.flags}' value '${s}' from env '${e.envVar}' is invalid.`;o(s,i,"env")}),this}_optionEx(e,t,r,o,s){if(typeof t=="object"&&t instanceof
|
|
11
|
+
(Did you mean ${r[0]}?)`:""}Xt.suggestSimilar=on});var nr=W(rr=>{"use strict";var sn=require("events").EventEmitter,Fe=require("child_process"),L=require("path"),Je=require("fs"),w=require("process"),{Argument:an,humanReadableArgName:cn}=be(),{CommanderError:qe}=se(),{Help:ln}=je(),{Option:Qt,DualOptions:pn}=De(),{suggestSimilar:er}=Zt(),ze=class n extends sn{constructor(e){super(),this.commands=[],this.options=[],this.parent=null,this._allowUnknownOption=!1,this._allowExcessArguments=!0,this.registeredArguments=[],this._args=this.registeredArguments,this.args=[],this.rawArgs=[],this.processedArgs=[],this._scriptPath=null,this._name=e||"",this._optionValues={},this._optionValueSources={},this._storeOptionsAsProperties=!1,this._actionHandler=null,this._executableHandler=!1,this._executableFile=null,this._executableDir=null,this._defaultCommandName=null,this._exitCallback=null,this._aliases=[],this._combineFlagAndOptionalValue=!0,this._description="",this._summary="",this._argsDescription=void 0,this._enablePositionalOptions=!1,this._passThroughOptions=!1,this._lifeCycleHooks={},this._showHelpAfterError=!1,this._showSuggestionAfterError=!0,this._outputConfiguration={writeOut:t=>w.stdout.write(t),writeErr:t=>w.stderr.write(t),getOutHelpWidth:()=>w.stdout.isTTY?w.stdout.columns:void 0,getErrHelpWidth:()=>w.stderr.isTTY?w.stderr.columns:void 0,outputError:(t,r)=>r(t)},this._hidden=!1,this._helpOption=void 0,this._addImplicitHelpCommand=void 0,this._helpCommand=void 0,this._helpConfiguration={}}copyInheritedSettings(e){return this._outputConfiguration=e._outputConfiguration,this._helpOption=e._helpOption,this._helpCommand=e._helpCommand,this._helpConfiguration=e._helpConfiguration,this._exitCallback=e._exitCallback,this._storeOptionsAsProperties=e._storeOptionsAsProperties,this._combineFlagAndOptionalValue=e._combineFlagAndOptionalValue,this._allowExcessArguments=e._allowExcessArguments,this._enablePositionalOptions=e._enablePositionalOptions,this._showHelpAfterError=e._showHelpAfterError,this._showSuggestionAfterError=e._showSuggestionAfterError,this}_getCommandAndAncestors(){let e=[];for(let t=this;t;t=t.parent)e.push(t);return e}command(e,t,r){let o=t,s=r;typeof o=="object"&&o!==null&&(s=o,o=null),s=s||{};let[,i,c]=e.match(/([^ ]+) *(.*)/),a=this.createCommand(i);return o&&(a.description(o),a._executableHandler=!0),s.isDefault&&(this._defaultCommandName=a._name),a._hidden=!!(s.noHelp||s.hidden),a._executableFile=s.executableFile||null,c&&a.arguments(c),this._registerCommand(a),a.parent=this,a.copyInheritedSettings(this),o?this:a}createCommand(e){return new n(e)}createHelp(){return Object.assign(new ln,this.configureHelp())}configureHelp(e){return e===void 0?this._helpConfiguration:(this._helpConfiguration=e,this)}configureOutput(e){return e===void 0?this._outputConfiguration:(Object.assign(this._outputConfiguration,e),this)}showHelpAfterError(e=!0){return typeof e!="string"&&(e=!!e),this._showHelpAfterError=e,this}showSuggestionAfterError(e=!0){return this._showSuggestionAfterError=!!e,this}addCommand(e,t){if(!e._name)throw new Error(`Command passed to .addCommand() must have a name
|
|
12
|
+
- specify the name in Command constructor or using .name()`);return t=t||{},t.isDefault&&(this._defaultCommandName=e._name),(t.noHelp||t.hidden)&&(e._hidden=!0),this._registerCommand(e),e.parent=this,e._checkForBrokenPassThrough(),this}createArgument(e,t){return new an(e,t)}argument(e,t,r,o){let s=this.createArgument(e,t);return typeof r=="function"?s.default(o).argParser(r):s.default(r),this.addArgument(s),this}arguments(e){return e.trim().split(/ +/).forEach(t=>{this.argument(t)}),this}addArgument(e){let t=this.registeredArguments.slice(-1)[0];if(t&&t.variadic)throw new Error(`only the last argument can be variadic '${t.name()}'`);if(e.required&&e.defaultValue!==void 0&&e.parseArg===void 0)throw new Error(`a default value for a required argument is never used: '${e.name()}'`);return this.registeredArguments.push(e),this}helpCommand(e,t){if(typeof e=="boolean")return this._addImplicitHelpCommand=e,this;e=e??"help [command]";let[,r,o]=e.match(/([^ ]+) *(.*)/),s=t??"display help for command",i=this.createCommand(r);return i.helpOption(!1),o&&i.arguments(o),s&&i.description(s),this._addImplicitHelpCommand=!0,this._helpCommand=i,this}addHelpCommand(e,t){return typeof e!="object"?(this.helpCommand(e,t),this):(this._addImplicitHelpCommand=!0,this._helpCommand=e,this)}_getHelpCommand(){return this._addImplicitHelpCommand??(this.commands.length&&!this._actionHandler&&!this._findCommand("help"))?(this._helpCommand===void 0&&this.helpCommand(void 0,void 0),this._helpCommand):null}hook(e,t){let r=["preSubcommand","preAction","postAction"];if(!r.includes(e))throw new Error(`Unexpected value for event passed to hook : '${e}'.
|
|
13
|
+
Expecting one of '${r.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(t):this._lifeCycleHooks[e]=[t],this}exitOverride(e){return e?this._exitCallback=e:this._exitCallback=t=>{if(t.code!=="commander.executeSubCommandAsync")throw t},this}_exit(e,t,r){this._exitCallback&&this._exitCallback(new qe(e,t,r)),w.exit(e)}action(e){let t=r=>{let o=this.registeredArguments.length,s=r.slice(0,o);return this._storeOptionsAsProperties?s[o]=this:s[o]=this.opts(),s.push(this),e.apply(this,s)};return this._actionHandler=t,this}createOption(e,t){return new Qt(e,t)}_callParseArg(e,t,r,o){try{return e.parseArg(t,r)}catch(s){if(s.code==="commander.invalidArgument"){let i=`${o} ${s.message}`;this.error(i,{exitCode:s.exitCode,code:s.code})}throw s}}_registerOption(e){let t=e.short&&this._findOption(e.short)||e.long&&this._findOption(e.long);if(t){let r=e.long&&this._findOption(e.long)?e.long:e.short;throw new Error(`Cannot add option '${e.flags}'${this._name&&` to command '${this._name}'`} due to conflicting flag '${r}'
|
|
14
|
+
- already used by option '${t.flags}'`)}this.options.push(e)}_registerCommand(e){let t=o=>[o.name()].concat(o.aliases()),r=t(e).find(o=>this._findCommand(o));if(r){let o=t(this._findCommand(r)).join("|"),s=t(e).join("|");throw new Error(`cannot add command '${s}' as already have command '${o}'`)}this.commands.push(e)}addOption(e){this._registerOption(e);let t=e.name(),r=e.attributeName();if(e.negate){let s=e.long.replace(/^--no-/,"--");this._findOption(s)||this.setOptionValueWithSource(r,e.defaultValue===void 0?!0:e.defaultValue,"default")}else e.defaultValue!==void 0&&this.setOptionValueWithSource(r,e.defaultValue,"default");let o=(s,i,c)=>{s==null&&e.presetArg!==void 0&&(s=e.presetArg);let a=this.getOptionValue(r);s!==null&&e.parseArg?s=this._callParseArg(e,s,a,i):s!==null&&e.variadic&&(s=e._concatValue(s,a)),s==null&&(e.negate?s=!1:e.isBoolean()||e.optional?s=!0:s=""),this.setOptionValueWithSource(r,s,c)};return this.on("option:"+t,s=>{let i=`error: option '${e.flags}' argument '${s}' is invalid.`;o(s,i,"cli")}),e.envVar&&this.on("optionEnv:"+t,s=>{let i=`error: option '${e.flags}' value '${s}' from env '${e.envVar}' is invalid.`;o(s,i,"env")}),this}_optionEx(e,t,r,o,s){if(typeof t=="object"&&t instanceof Qt)throw new Error("To add an Option object use addOption() instead of option() or requiredOption()");let i=this.createOption(t,r);if(i.makeOptionMandatory(!!e.mandatory),typeof o=="function")i.default(s).argParser(o);else if(o instanceof RegExp){let c=o;o=(a,l)=>{let p=c.exec(a);return p?p[0]:l},i.default(s).argParser(o)}else i.default(o);return this.addOption(i)}option(e,t,r,o){return this._optionEx({},e,t,r,o)}requiredOption(e,t,r,o){return this._optionEx({mandatory:!0},e,t,r,o)}combineFlagAndOptionalValue(e=!0){return this._combineFlagAndOptionalValue=!!e,this}allowUnknownOption(e=!0){return this._allowUnknownOption=!!e,this}allowExcessArguments(e=!0){return this._allowExcessArguments=!!e,this}enablePositionalOptions(e=!0){return this._enablePositionalOptions=!!e,this}passThroughOptions(e=!0){return this._passThroughOptions=!!e,this._checkForBrokenPassThrough(),this}_checkForBrokenPassThrough(){if(this.parent&&this._passThroughOptions&&!this.parent._enablePositionalOptions)throw new Error(`passThroughOptions cannot be used for '${this._name}' without turning on enablePositionalOptions for parent command(s)`)}storeOptionsAsProperties(e=!0){if(this.options.length)throw new Error("call .storeOptionsAsProperties() before adding options");if(Object.keys(this._optionValues).length)throw new Error("call .storeOptionsAsProperties() before setting option values");return this._storeOptionsAsProperties=!!e,this}getOptionValue(e){return this._storeOptionsAsProperties?this[e]:this._optionValues[e]}setOptionValue(e,t){return this.setOptionValueWithSource(e,t,void 0)}setOptionValueWithSource(e,t,r){return this._storeOptionsAsProperties?this[e]=t:this._optionValues[e]=t,this._optionValueSources[e]=r,this}getOptionValueSource(e){return this._optionValueSources[e]}getOptionValueSourceWithGlobals(e){let t;return this._getCommandAndAncestors().forEach(r=>{r.getOptionValueSource(e)!==void 0&&(t=r.getOptionValueSource(e))}),t}_prepareUserArgs(e,t){if(e!==void 0&&!Array.isArray(e))throw new Error("first parameter to parse must be array or undefined");if(t=t||{},e===void 0&&t.from===void 0){w.versions?.electron&&(t.from="electron");let o=w.execArgv??[];(o.includes("-e")||o.includes("--eval")||o.includes("-p")||o.includes("--print"))&&(t.from="eval")}e===void 0&&(e=w.argv),this.rawArgs=e.slice();let r;switch(t.from){case void 0:case"node":this._scriptPath=e[1],r=e.slice(2);break;case"electron":w.defaultApp?(this._scriptPath=e[1],r=e.slice(2)):r=e.slice(1);break;case"user":r=e.slice(0);break;case"eval":r=e.slice(1);break;default:throw new Error(`unexpected parse option { from: '${t.from}' }`)}return!this._name&&this._scriptPath&&this.nameFromFilename(this._scriptPath),this._name=this._name||"program",r}parse(e,t){let r=this._prepareUserArgs(e,t);return this._parseCommand([],r),this}async parseAsync(e,t){let r=this._prepareUserArgs(e,t);return await this._parseCommand([],r),this}_executeSubCommand(e,t){t=t.slice();let r=!1,o=[".js",".ts",".tsx",".mjs",".cjs"];function s(p,u){let d=L.resolve(p,u);if(Je.existsSync(d))return d;if(o.includes(L.extname(u)))return;let m=o.find(f=>Je.existsSync(`${d}${f}`));if(m)return`${d}${m}`}this._checkForMissingMandatoryOptions(),this._checkForConflictingOptions();let i=e._executableFile||`${this._name}-${e._name}`,c=this._executableDir||"";if(this._scriptPath){let p;try{p=Je.realpathSync(this._scriptPath)}catch{p=this._scriptPath}c=L.resolve(L.dirname(p),c)}if(c){let p=s(c,i);if(!p&&!e._executableFile&&this._scriptPath){let u=L.basename(this._scriptPath,L.extname(this._scriptPath));u!==this._name&&(p=s(c,`${u}-${e._name}`))}i=p||i}r=o.includes(L.extname(i));let a;w.platform!=="win32"?r?(t.unshift(i),t=tr(w.execArgv).concat(t),a=Fe.spawn(w.argv[0],t,{stdio:"inherit"})):a=Fe.spawn(i,t,{stdio:"inherit"}):(t.unshift(i),t=tr(w.execArgv).concat(t),a=Fe.spawn(w.execPath,t,{stdio:"inherit"})),a.killed||["SIGUSR1","SIGUSR2","SIGTERM","SIGINT","SIGHUP"].forEach(u=>{w.on(u,()=>{a.killed===!1&&a.exitCode===null&&a.kill(u)})});let l=this._exitCallback;a.on("close",p=>{p=p??1,l?l(new qe(p,"commander.executeSubCommandAsync","(close)")):w.exit(p)}),a.on("error",p=>{if(p.code==="ENOENT"){let u=c?`searched for local subcommand relative to directory '${c}'`:"no directory for search for local subcommand, use .executableDir() to supply a custom directory",d=`'${i}' does not exist
|
|
15
15
|
- if '${e._name}' is not meant to be an executable command, remove description parameter from '.command()' and use '.description()' instead
|
|
16
16
|
- if the default executable name is not suitable, use the executableFile option to supply a custom name or path
|
|
17
17
|
- ${u}`;throw new Error(d)}else if(p.code==="EACCES")throw new Error(`'${i}' not executable`);if(!l)w.exit(1);else{let u=new qe(1,"commander.executeSubCommandAsync","(error)");u.nestedError=p,l(u)}}),this.runningCommand=a}_dispatchSubcommand(e,t,r){let o=this._findCommand(e);o||this.help({error:!0});let s;return s=this._chainOrCallSubCommandHook(s,o,"preSubcommand"),s=this._chainOrCall(s,()=>{if(o._executableHandler)this._executeSubCommand(o,t.concat(r));else return o._parseCommand(t,r)}),s}_dispatchHelpCommand(e){e||this.help();let t=this._findCommand(e);return t&&!t._executableHandler&&t.help(),this._dispatchSubcommand(e,[],[this._getHelpOption()?.long??this._getHelpOption()?.short??"--help"])}_checkNumberOfArguments(){this.registeredArguments.forEach((e,t)=>{e.required&&this.args[t]==null&&this.missingArgument(e.name())}),!(this.registeredArguments.length>0&&this.registeredArguments[this.registeredArguments.length-1].variadic)&&this.args.length>this.registeredArguments.length&&this._excessArguments(this.args)}_processArguments(){let e=(r,o,s)=>{let i=o;if(o!==null&&r.parseArg){let c=`error: command-argument value '${o}' is invalid for argument '${r.name()}'.`;i=this._callParseArg(r,o,s,c)}return i};this._checkNumberOfArguments();let t=[];this.registeredArguments.forEach((r,o)=>{let s=r.defaultValue;r.variadic?o<this.args.length?(s=this.args.slice(o),r.parseArg&&(s=s.reduce((i,c)=>e(r,c,i),r.defaultValue))):s===void 0&&(s=[]):o<this.args.length&&(s=this.args[o],r.parseArg&&(s=e(r,s,r.defaultValue))),t[o]=s}),this.processedArgs=t}_chainOrCall(e,t){return e&&e.then&&typeof e.then=="function"?e.then(()=>t()):t()}_chainOrCallHooks(e,t){let r=e,o=[];return this._getCommandAndAncestors().reverse().filter(s=>s._lifeCycleHooks[t]!==void 0).forEach(s=>{s._lifeCycleHooks[t].forEach(i=>{o.push({hookedCommand:s,callback:i})})}),t==="postAction"&&o.reverse(),o.forEach(s=>{r=this._chainOrCall(r,()=>s.callback(s.hookedCommand,this))}),r}_chainOrCallSubCommandHook(e,t,r){let o=e;return this._lifeCycleHooks[r]!==void 0&&this._lifeCycleHooks[r].forEach(s=>{o=this._chainOrCall(o,()=>s(this,t))}),o}_parseCommand(e,t){let r=this.parseOptions(t);if(this._parseOptionsEnv(),this._parseOptionsImplied(),e=e.concat(r.operands),t=r.unknown,this.args=e.concat(t),e&&this._findCommand(e[0]))return this._dispatchSubcommand(e[0],e.slice(1),t);if(this._getHelpCommand()&&e[0]===this._getHelpCommand().name())return this._dispatchHelpCommand(e[1]);if(this._defaultCommandName)return this._outputHelpIfRequested(t),this._dispatchSubcommand(this._defaultCommandName,e,t);this.commands.length&&this.args.length===0&&!this._actionHandler&&!this._defaultCommandName&&this.help({error:!0}),this._outputHelpIfRequested(r.unknown),this._checkForMissingMandatoryOptions(),this._checkForConflictingOptions();let o=()=>{r.unknown.length>0&&this.unknownOption(r.unknown[0])},s=`command:${this.name()}`;if(this._actionHandler){o(),this._processArguments();let i;return i=this._chainOrCallHooks(i,"preAction"),i=this._chainOrCall(i,()=>this._actionHandler(this.processedArgs)),this.parent&&(i=this._chainOrCall(i,()=>{this.parent.emit(s,e,t)})),i=this._chainOrCallHooks(i,"postAction"),i}if(this.parent&&this.parent.listenerCount(s))o(),this._processArguments(),this.parent.emit(s,e,t);else if(e.length){if(this._findCommand("*"))return this._dispatchSubcommand("*",e,t);this.listenerCount("command:*")?this.emit("command:*",e,t):this.commands.length?this.unknownCommand():(o(),this._processArguments())}else this.commands.length?(o(),this.help({error:!0})):(o(),this._processArguments())}_findCommand(e){if(e)return this.commands.find(t=>t._name===e||t._aliases.includes(e))}_findOption(e){return this.options.find(t=>t.is(e))}_checkForMissingMandatoryOptions(){this._getCommandAndAncestors().forEach(e=>{e.options.forEach(t=>{t.mandatory&&e.getOptionValue(t.attributeName())===void 0&&e.missingMandatoryOptionValue(t)})})}_checkForConflictingLocalOptions(){let e=this.options.filter(r=>{let o=r.attributeName();return this.getOptionValue(o)===void 0?!1:this.getOptionValueSource(o)!=="default"});e.filter(r=>r.conflictsWith.length>0).forEach(r=>{let o=e.find(s=>r.conflictsWith.includes(s.attributeName()));o&&this._conflictingOption(r,o)})}_checkForConflictingOptions(){this._getCommandAndAncestors().forEach(e=>{e._checkForConflictingLocalOptions()})}parseOptions(e){let t=[],r=[],o=t,s=e.slice();function i(a){return a.length>1&&a[0]==="-"}let c=null;for(;s.length;){let a=s.shift();if(a==="--"){o===r&&o.push(a),o.push(...s);break}if(c&&!i(a)){this.emit(`option:${c.name()}`,a);continue}if(c=null,i(a)){let l=this._findOption(a);if(l){if(l.required){let p=s.shift();p===void 0&&this.optionMissingArgument(l),this.emit(`option:${l.name()}`,p)}else if(l.optional){let p=null;s.length>0&&!i(s[0])&&(p=s.shift()),this.emit(`option:${l.name()}`,p)}else this.emit(`option:${l.name()}`);c=l.variadic?l:null;continue}}if(a.length>2&&a[0]==="-"&&a[1]!=="-"){let l=this._findOption(`-${a[1]}`);if(l){l.required||l.optional&&this._combineFlagAndOptionalValue?this.emit(`option:${l.name()}`,a.slice(2)):(this.emit(`option:${l.name()}`),s.unshift(`-${a.slice(2)}`));continue}}if(/^--[^=]+=/.test(a)){let l=a.indexOf("="),p=this._findOption(a.slice(0,l));if(p&&(p.required||p.optional)){this.emit(`option:${p.name()}`,a.slice(l+1));continue}}if(i(a)&&(o=r),(this._enablePositionalOptions||this._passThroughOptions)&&t.length===0&&r.length===0){if(this._findCommand(a)){t.push(a),s.length>0&&r.push(...s);break}else if(this._getHelpCommand()&&a===this._getHelpCommand().name()){t.push(a),s.length>0&&t.push(...s);break}else if(this._defaultCommandName){r.push(a),s.length>0&&r.push(...s);break}}if(this._passThroughOptions){o.push(a),s.length>0&&o.push(...s);break}o.push(a)}return{operands:t,unknown:r}}opts(){if(this._storeOptionsAsProperties){let e={},t=this.options.length;for(let r=0;r<t;r++){let o=this.options[r].attributeName();e[o]=o===this._versionOptionName?this._version:this[o]}return e}return this._optionValues}optsWithGlobals(){return this._getCommandAndAncestors().reduce((e,t)=>Object.assign(e,t.opts()),{})}error(e,t){this._outputConfiguration.outputError(`${e}
|
|
18
18
|
`,this._outputConfiguration.writeErr),typeof this._showHelpAfterError=="string"?this._outputConfiguration.writeErr(`${this._showHelpAfterError}
|
|
19
19
|
`):this._showHelpAfterError&&(this._outputConfiguration.writeErr(`
|
|
20
|
-
`),this.outputHelp({error:!0}));let r=t||{},o=r.exitCode||1,s=r.code||"commander.error";this._exit(o,s,e)}_parseOptionsEnv(){this.options.forEach(e=>{if(e.envVar&&e.envVar in w.env){let t=e.attributeName();(this.getOptionValue(t)===void 0||["default","config","env"].includes(this.getOptionValueSource(t)))&&(e.required||e.optional?this.emit(`optionEnv:${e.name()}`,w.env[e.envVar]):this.emit(`optionEnv:${e.name()}`))}})}_parseOptionsImplied(){let e=new
|
|
21
|
-
`),this._exit(0,"commander.version",e)}),this}description(e,t){return e===void 0&&t===void 0?this._description:(this._description=e,t&&(this._argsDescription=t),this)}summary(e){return e===void 0?this._summary:(this._summary=e,this)}alias(e){if(e===void 0)return this._aliases[0];let t=this;if(this.commands.length!==0&&this.commands[this.commands.length-1]._executableHandler&&(t=this.commands[this.commands.length-1]),e===t._name)throw new Error("Command alias can't be the same as its name");let r=this.parent?._findCommand(e);if(r){let o=[r.name()].concat(r.aliases()).join("|");throw new Error(`cannot add alias '${e}' to command '${this.name()}' as already have command '${o}'`)}return t._aliases.push(e),this}aliases(e){return e===void 0?this._aliases:(e.forEach(t=>this.alias(t)),this)}usage(e){if(e===void 0){if(this._usage)return this._usage;let t=this.registeredArguments.map(r=>
|
|
20
|
+
`),this.outputHelp({error:!0}));let r=t||{},o=r.exitCode||1,s=r.code||"commander.error";this._exit(o,s,e)}_parseOptionsEnv(){this.options.forEach(e=>{if(e.envVar&&e.envVar in w.env){let t=e.attributeName();(this.getOptionValue(t)===void 0||["default","config","env"].includes(this.getOptionValueSource(t)))&&(e.required||e.optional?this.emit(`optionEnv:${e.name()}`,w.env[e.envVar]):this.emit(`optionEnv:${e.name()}`))}})}_parseOptionsImplied(){let e=new pn(this.options),t=r=>this.getOptionValue(r)!==void 0&&!["default","implied"].includes(this.getOptionValueSource(r));this.options.filter(r=>r.implied!==void 0&&t(r.attributeName())&&e.valueFromOption(this.getOptionValue(r.attributeName()),r)).forEach(r=>{Object.keys(r.implied).filter(o=>!t(o)).forEach(o=>{this.setOptionValueWithSource(o,r.implied[o],"implied")})})}missingArgument(e){let t=`error: missing required argument '${e}'`;this.error(t,{code:"commander.missingArgument"})}optionMissingArgument(e){let t=`error: option '${e.flags}' argument missing`;this.error(t,{code:"commander.optionMissingArgument"})}missingMandatoryOptionValue(e){let t=`error: required option '${e.flags}' not specified`;this.error(t,{code:"commander.missingMandatoryOptionValue"})}_conflictingOption(e,t){let r=i=>{let c=i.attributeName(),a=this.getOptionValue(c),l=this.options.find(u=>u.negate&&c===u.attributeName()),p=this.options.find(u=>!u.negate&&c===u.attributeName());return l&&(l.presetArg===void 0&&a===!1||l.presetArg!==void 0&&a===l.presetArg)?l:p||i},o=i=>{let c=r(i),a=c.attributeName();return this.getOptionValueSource(a)==="env"?`environment variable '${c.envVar}'`:`option '${c.flags}'`},s=`error: ${o(e)} cannot be used with ${o(t)}`;this.error(s,{code:"commander.conflictingOption"})}unknownOption(e){if(this._allowUnknownOption)return;let t="";if(e.startsWith("--")&&this._showSuggestionAfterError){let o=[],s=this;do{let i=s.createHelp().visibleOptions(s).filter(c=>c.long).map(c=>c.long);o=o.concat(i),s=s.parent}while(s&&!s._enablePositionalOptions);t=er(e,o)}let r=`error: unknown option '${e}'${t}`;this.error(r,{code:"commander.unknownOption"})}_excessArguments(e){if(this._allowExcessArguments)return;let t=this.registeredArguments.length,r=t===1?"":"s",s=`error: too many arguments${this.parent?` for '${this.name()}'`:""}. Expected ${t} argument${r} but got ${e.length}.`;this.error(s,{code:"commander.excessArguments"})}unknownCommand(){let e=this.args[0],t="";if(this._showSuggestionAfterError){let o=[];this.createHelp().visibleCommands(this).forEach(s=>{o.push(s.name()),s.alias()&&o.push(s.alias())}),t=er(e,o)}let r=`error: unknown command '${e}'${t}`;this.error(r,{code:"commander.unknownCommand"})}version(e,t,r){if(e===void 0)return this._version;this._version=e,t=t||"-V, --version",r=r||"output the version number";let o=this.createOption(t,r);return this._versionOptionName=o.attributeName(),this._registerOption(o),this.on("option:"+o.name(),()=>{this._outputConfiguration.writeOut(`${e}
|
|
21
|
+
`),this._exit(0,"commander.version",e)}),this}description(e,t){return e===void 0&&t===void 0?this._description:(this._description=e,t&&(this._argsDescription=t),this)}summary(e){return e===void 0?this._summary:(this._summary=e,this)}alias(e){if(e===void 0)return this._aliases[0];let t=this;if(this.commands.length!==0&&this.commands[this.commands.length-1]._executableHandler&&(t=this.commands[this.commands.length-1]),e===t._name)throw new Error("Command alias can't be the same as its name");let r=this.parent?._findCommand(e);if(r){let o=[r.name()].concat(r.aliases()).join("|");throw new Error(`cannot add alias '${e}' to command '${this.name()}' as already have command '${o}'`)}return t._aliases.push(e),this}aliases(e){return e===void 0?this._aliases:(e.forEach(t=>this.alias(t)),this)}usage(e){if(e===void 0){if(this._usage)return this._usage;let t=this.registeredArguments.map(r=>cn(r));return[].concat(this.options.length||this._helpOption!==null?"[options]":[],this.commands.length?"[command]":[],this.registeredArguments.length?t:[]).join(" ")}return this._usage=e,this}name(e){return e===void 0?this._name:(this._name=e,this)}nameFromFilename(e){return this._name=L.basename(e,L.extname(e)),this}executableDir(e){return e===void 0?this._executableDir:(this._executableDir=e,this)}helpInformation(e){let t=this.createHelp();return t.helpWidth===void 0&&(t.helpWidth=e&&e.error?this._outputConfiguration.getErrHelpWidth():this._outputConfiguration.getOutHelpWidth()),t.formatHelp(this,t)}_getHelpContext(e){e=e||{};let t={error:!!e.error},r;return t.error?r=o=>this._outputConfiguration.writeErr(o):r=o=>this._outputConfiguration.writeOut(o),t.write=e.write||r,t.command=this,t}outputHelp(e){let t;typeof e=="function"&&(t=e,e=void 0);let r=this._getHelpContext(e);this._getCommandAndAncestors().reverse().forEach(s=>s.emit("beforeAllHelp",r)),this.emit("beforeHelp",r);let o=this.helpInformation(r);if(t&&(o=t(o),typeof o!="string"&&!Buffer.isBuffer(o)))throw new Error("outputHelp callback must return a string or a Buffer");r.write(o),this._getHelpOption()?.long&&this.emit(this._getHelpOption().long),this.emit("afterHelp",r),this._getCommandAndAncestors().forEach(s=>s.emit("afterAllHelp",r))}helpOption(e,t){return typeof e=="boolean"?(e?this._helpOption=this._helpOption??void 0:this._helpOption=null,this):(e=e??"-h, --help",t=t??"display help for command",this._helpOption=this.createOption(e,t),this)}_getHelpOption(){return this._helpOption===void 0&&this.helpOption(void 0,void 0),this._helpOption}addHelpOption(e){return this._helpOption=e,this}help(e){this.outputHelp(e);let t=w.exitCode||0;t===0&&e&&typeof e!="function"&&e.error&&(t=1),this._exit(t,"commander.help","(outputHelp)")}addHelpText(e,t){let r=["beforeAll","before","after","afterAll"];if(!r.includes(e))throw new Error(`Unexpected value for position to addHelpText.
|
|
22
22
|
Expecting one of '${r.join("', '")}'`);let o=`${e}Help`;return this.on(o,s=>{let i;typeof t=="function"?i=t({error:s.error,command:s.command}):i=t,i&&s.write(`${i}
|
|
23
|
-
`)}),this}_outputHelpIfRequested(e){let t=this._getHelpOption();t&&e.find(o=>t.is(o))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}};function
|
|
24
|
-
`)}}});var
|
|
23
|
+
`)}),this}_outputHelpIfRequested(e){let t=this._getHelpOption();t&&e.find(o=>t.is(o))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}};function tr(n){return n.map(e=>{if(!e.startsWith("--inspect"))return e;let t,r="127.0.0.1",o="9229",s;return(s=e.match(/^(--inspect(-brk)?)$/))!==null?t=s[1]:(s=e.match(/^(--inspect(-brk|-port)?)=([^:]+)$/))!==null?(t=s[1],/^\d+$/.test(s[3])?o=s[3]:r=s[3]):(s=e.match(/^(--inspect(-brk|-port)?)=([^:]+):(\d+)$/))!==null&&(t=s[1],r=s[3],o=s[4]),t&&o!=="0"?`${t}=${r}:${parseInt(o)+1}`:e})}rr.Command=ze});var ar=W(_=>{"use strict";var{Argument:or}=be(),{Command:We}=nr(),{CommanderError:un,InvalidArgumentError:sr}=se(),{Help:dn}=je(),{Option:ir}=De();_.program=new We;_.createCommand=n=>new We(n);_.createOption=(n,e)=>new ir(n,e);_.createArgument=(n,e)=>new or(n,e);_.Command=We;_.Option=ir;_.Argument=or;_.Help=dn;_.CommanderError=un;_.InvalidArgumentError=sr;_.InvalidOptionArgumentError=sr});var Er={};Gt(Er,{TerminalReporter:()=>re});function uo(n){return!(n||process.env.NO_COLOR!==void 0||!process.stdout.isTTY)}function fo(n){return function(t,r){return n?`${t}${r}${po}`:r}}function go(){return`\u2554${"\u2550".repeat(z)}\u2557`}function xr(){return`\u2560${"\u2550".repeat(z)}\u2563`}function yo(){return`\u255A${"\u2550".repeat(z)}\u255D`}function At(n){return`\u2551${n.padEnd(z," ")}\u2551`}function Pr(){return At("")}function Or(n,e){return n>=80?e(G,String(n)):n>=50?e(Ce,String(n)):e(te,String(n))}function bo(n,e){switch(n){case"failure":return e(te,"[FAIL]");case"warning":return e(Ce,"[WARN]");case"info":return e($,"[INFO]");case"pass":return e(G,"[PASS]")}}function vo(n){return n==="http"?"HTTP+SSE":"stdio"}function Ro(n){return n<1e3?`${n}ms`:`${(n/1e3).toFixed(1)}s`}function Co(n,e){switch(n){case"critical":return e(te,"[CRITICAL]");case"high":return e(te,"[HIGH]");case"medium":return e(Ce,"[MEDIUM]");case"low":return e($,"[LOW]");case"info":return e(Re,"[INFO]")}}var po,ee,Re,te,G,Ce,$,mo,ho,kr,z,re,Se=Yr(()=>{"use strict";po="\x1B[0m",ee="\x1B[1m",Re="\x1B[2m",te="\x1B[31m",G="\x1B[32m",Ce="\x1B[33m",$="\x1B[36m";mo={"jsonrpc-base":"JSON-RPC Base",initialization:"Initialization",tools:"Tools",resources:"Resources",prompts:"Prompts",transport:"Transport","error-handling":"Error Handling"},ho=["jsonrpc-base","initialization","tools","resources","prompts","transport"],kr=["jsonrpc-base","initialization","tools","resources","prompts","transport","error-handling"],z=54;re=class{useColor;constructor(e=!1){this.useColor=uo(e)}format(e){let t=fo(this.useColor),r=[],{meta:o,conformance:s,summary:i}=e,c=s.score,a=i.pass?"PASS":"FAIL",l=i.pass?t(G,`Verdict: ${a}`):t(te,`Verdict: ${a}`);r.push(t($,go()));let p="MCP Verify Report",u=Math.floor((z-p.length)/2),d=z-p.length-u;r.push(t($,At(" ".repeat(u)+t(ee,p)+" ".repeat(d)))),r.push(t($,xr()));let m=[["Target:",o.target],["Transport:",vo(o.transport)],["Server:",`${o.toolVersion}`],["Spec:",`MCP ${o.specVersion}`],["Timestamp:",o.timestamp],["Duration:",Ro(o.durationMs)]];for(let[S,E]of m){let K=` ${S.padEnd(12)}${E}`;r.push(t($,At(K)))}r.push(t($,xr())),r.push(t($,Pr()));let f="Conformance Score: ",h=`${Or(c,t)} / 100`,y=`${c} / 100`,b=z-2-f.length-y.length;r.push(t($,`\u2551 ${f}${h}${" ".repeat(Math.max(0,b))}\u2551`)),r.push(t($,Pr()));let R=` ${l}`,g=` Verdict: ${a}`,v=z-g.length;r.push(t($,`\u2551${R}${" ".repeat(Math.max(0,v))}\u2551`)),r.push(t($,yo())),r.push(""),r.push(t(ee,"=== Conformance Breakdown ===")),r.push("");let C=new Map;for(let S of kr)C.set(S,[]);for(let S of s.violations){let E=C.get(S.category);E!==void 0&&E.push(S)}for(let S of kr){let E=mo[S],K=C.get(S)??[];if(ho.includes(S)){let H=s.breakdown[S]??0,fe=Or(H,t),me=` ${E}:`,he=Math.max(1,18-me.length);r.push(` ${t(ee,`${E}:`)}${" ".repeat(he)}${fe}/100`)}else r.push(` ${t(ee,`${E}:`)}`);if(K.length===0)r.push(` ${t(G,"\u2713 No violations")}`);else for(let H of K){let fe=bo(H.level,t),me=H.field!==void 0?` (${H.field})`:"",he=` (${H.checkId})`;H.level==="pass"?r.push(` ${fe} ${H.description}${me}${he}`):r.push(` ${fe} ${H.description}${me}${he}`)}r.push("")}r.push(t(ee,"=== Security Findings ===")),r.push("");let x=e.security.findings,O=e.security.suppressed;if(x.length===0&&O.length===0)r.push(` ${t(G,"\u2713 No security findings detected")}`);else{if(x.length>0)for(let S of x){let E=Co(S.severity,t),K=S.confidence==="deterministic"?t($,"[deterministic]"):t(Ce,"[heuristic]");r.push(` ${E} ${K} ${S.title}`),r.push(` ${t(Re,S.checkId)} | CVSS ${S.cvssScore} | ${S.component}`),r.push(` ${S.description}`),r.push(` ${t(G,"Remediation:")} ${S.remediation}`),r.push("")}if(O.length>0){r.push(` ${t(Re,`${O.length} suppressed finding(s)`)}`);for(let S of O){let E=S.justification!==void 0?` \u2014 ${S.justification}`:"";r.push(` ${t(Re,`[SUPPRESSED] ${S.checkId}: ${S.title}${E}`)}`)}}}r.push("");let V=`=== ${a} ===`,Te=i.pass?t(G,V):t(te,V);return r.push(t(ee,Te)),r.join(`
|
|
24
|
+
`)}}});var Fo={};Gt(Fo,{ExitCode:()=>Dr,buildProgram:()=>Jr,exitWithError:()=>Y,main:()=>qr,parseConformanceThreshold:()=>Wt,parseFailOnSeverity:()=>zt,parseFormat:()=>Jt,parseHeader:()=>Ut,parsePort:()=>Fr,parseTimeout:()=>Ft,parseTransport:()=>qt});module.exports=Kr(Fo);var cr=$e(ar(),1),{program:Ko,createCommand:Xo,createArgument:Zo,createOption:Qo,CommanderError:es,InvalidArgumentError:D,InvalidOptionArgumentError:ts,Command:lr,Argument:rs,Option:ns,Help:os}=cr.default;var Bt=require("fs");var k={timeout:1e4,format:"terminal",transport:null,failOnSeverity:"critical",conformanceThreshold:0,skip:[],skipJustifications:{},checkMode:"balanced",noColor:!1,verbose:!1,output:null,noHistory:!1,headers:{}};function Ue(n){if(n.startsWith("http://")||n.startsWith("https://"))return"http";if(n.startsWith("stdio://")||n.length>0)return"stdio";let e=new Error(`Cannot detect transport for target: "${n}". Provide an HTTP URL or a command to run via stdio.`);throw e.code="2",e}var pr=require("child_process"),ur=require("path"),ie=class{executablePath;timeout;verbose;process=null;stdoutBuffer="";pending=new Map;preProtocolOutput=[];timings=[];firstJsonSeen=!1;closed=!1;constructor(e,t,r=!1){this.executablePath=e.replace(/^stdio:\/\//,""),this.timeout=t,this.verbose=r}ensureSpawned(){if(this.process!==null)return;let e=this.executablePath.trim(),r=(fn(e)?`npx --yes ${e}`:e).split(/\s+/),o=r[0]??"",s=(0,ur.extname)(o).toLowerCase(),i,c;r.length>1?(i=o,c=r.slice(1)):s===".js"||s===".ts"?(i=process.execPath,c=[o]):(i=o,c=[]),this.process=(0,pr.spawn)(i,c,{stdio:["pipe","pipe","pipe"]}),this.process.stdout.on("data",a=>{this.stdoutBuffer+=a.toString("utf8"),this.drainBuffer()}),this.verbose&&this.process.stderr.on("data",a=>{process.stderr.write(a)}),this.process.on("error",a=>{this.rejectAll(a)}),this.process.on("exit",a=>{let l=new Error(`Child process exited with code ${a??"null"}`);this.rejectAll(l)})}async close(){if(this.closed||this.process===null){this.closed=!0;return}this.closed=!0;let e=this.process;return new Promise(t=>{let r=setTimeout(()=>{e.kill("SIGKILL"),t()},2e3);e.once("exit",()=>{clearTimeout(r),t()}),e.kill("SIGTERM")})}async send(e){return this.ensureSpawned(),new Promise((t,r)=>{let o=Date.now(),s=setTimeout(()=>{this.pending.delete(e.id),r(new Error(`Timeout waiting for response to "${e.method}" (id: ${e.id})`))},this.timeout);this.pending.set(e.id,{resolve:i=>{clearTimeout(s);let c=Date.now();this.timings.push({method:e.method,requestTimestamp:o,responseTimestamp:c,durationMs:c-o}),t(i)},reject:i=>{clearTimeout(s),r(i)},timer:s,method:e.method,requestTimestamp:o}),this.writeToProcess(JSON.stringify(e)+`
|
|
25
25
|
`)})}async notify(e){this.ensureSpawned(),this.writeToProcess(JSON.stringify(e)+`
|
|
26
26
|
`)}async sendRaw(e){this.ensureSpawned();let t=`raw-${Date.now()}`;return new Promise(r=>{let o=setTimeout(()=>{this.pending.delete(t),r(null)},this.timeout);this.pending.set(t,{resolve:s=>{clearTimeout(o),r(s)},reject:s=>{clearTimeout(o),r(null)},timer:o,method:"raw",requestTimestamp:Date.now()}),this.writeToProcess(e+`
|
|
27
27
|
`)})}getMetadata(){return{type:"stdio",target:this.executablePath,httpHeaders:{},sseObservations:[],preProtocolOutput:[...this.preProtocolOutput],timing:[...this.timings]}}writeToProcess(e){this.process===null||this.closed||this.process.stdin.write(e,"utf8")}drainBuffer(){let e;for(;(e=this.stdoutBuffer.indexOf(`
|
|
28
|
-
`))!==-1;){let t=this.stdoutBuffer.slice(0,e).trimEnd();if(this.stdoutBuffer=this.stdoutBuffer.slice(e+1),!t)continue;let r;try{r=JSON.parse(t)}catch{this.firstJsonSeen||this.preProtocolOutput.push(t);continue}if(this.firstJsonSeen=!0,!dn(r))continue;let o=r;if(o.id!==null&&this.pending.has(o.id)){let s=this.pending.get(o.id);if(s){this.pending.delete(o.id),s.resolve(o);continue}}if(o.id===null){for(let[s,i]of this.pending.entries())if(String(s).startsWith("raw-")){this.pending.delete(s),i.resolve(o);break}}}}rejectAll(e){for(let[t,r]of this.pending.entries())this.pending.delete(t),clearTimeout(r.timer),r.reject(e)}};function dn(n){if(typeof n!="object"||n===null)return!1;let e=n;return typeof e.jsonrpc=="string"&&(e.id===null||typeof e.id=="string"||typeof e.id=="number")&&(Object.prototype.hasOwnProperty.call(e,"result")||Object.prototype.hasOwnProperty.call(e,"error"))}var mn=$e(require("http"),1),hn=$e(require("https"),1),ur=require("url");function Be(n){let e=[],t=[],r=n.split(/\r?\n\r?\n/);for(let o of r){if(!o.trim())continue;let s=o.split(/\r?\n/),i=null;for(let c of s)c&&(c.startsWith("data:")?(i=c.slice(5).trimStart(),t.push({hasDataPrefix:!0,hasEventType:!1,rawLine:c})):c.startsWith("event:")?t.push({hasDataPrefix:!1,hasEventType:!0,rawLine:c}):c.startsWith("id:")||c.startsWith(":")?t.push({hasDataPrefix:!1,hasEventType:!1,rawLine:c}):t.push({hasDataPrefix:!1,hasEventType:!1,rawLine:c}));if(i!==null)try{let c=JSON.parse(i);fn(c)&&e.push(c)}catch{}}return{responses:e,observations:t}}function fn(n){if(typeof n!="object"||n===null)return!1;let e=n;return typeof e.jsonrpc=="string"&&(e.id===null||typeof e.id=="string"||typeof e.id=="number")}var ae=class{url;timeout;capturedHeaders={};sseObservations=[];timings=[];activeSockets=new Set;constructor(e,t){this.url=e,this.timeout=t}async send(e){let t=Date.now(),r=await this.post(JSON.stringify(e),e.id),o=Date.now();return this.timings.push({method:e.method,requestTimestamp:t,responseTimestamp:o,durationMs:o-t}),r}async notify(e){try{await this.post(JSON.stringify(e),null)}catch{}}async sendRaw(e){try{return await this.post(e,null)}catch{return null}}getMetadata(){return{type:"http",target:this.url,httpHeaders:{...this.capturedHeaders},sseObservations:[...this.sseObservations],preProtocolOutput:[],timing:[...this.timings]}}async close(){for(let e of this.activeSockets)e.destroy();this.activeSockets.clear()}post(e,t){return new Promise((r,o)=>{let s=new ur.URL(this.url),i=s.protocol==="https:",c=i?hn:mn,a={method:"POST",hostname:s.hostname,port:s.port?parseInt(s.port,10):i?443:80,path:s.pathname+s.search,headers:{"Content-Type":"application/json","Content-Length":Buffer.byteLength(e,"utf8"),Accept:"application/json, text/event-stream"}},l=setTimeout(()=>{p.destroy(new Error(`HTTP request timed out after ${this.timeout}ms`))},this.timeout),p=c.request(a,u=>{clearTimeout(l);let d=`${a.method} ${a.path}`,m={};for(let[v,C]of Object.entries(u.headers))C!==void 0&&(m[v]=Array.isArray(C)?C.join(", "):C);this.capturedHeaders[d]=m;let h=(u.headers["content-type"]??"").includes("text/event-stream"),y=[];u.on("data",v=>{y.push(v)}),u.on("end",()=>{this.activeSockets.delete(p);let v=Buffer.concat(y).toString("utf8");if(h){let{responses:C,observations:g}=Be(v);for(let R of g)this.sseObservations.push(R);let b=t!==null?C.find(R=>R.id===t):C[0];b!==void 0?r(b):C.length>0&&C[0]!==void 0?r(C[0]):o(new Error("No JSON-RPC response found in SSE stream"))}else{let C;try{C=JSON.parse(v)}catch(g){o(new Error(`Failed to parse JSON response: ${String(g)}`));return}if(!gn(C)){o(new Error("Response is not a valid JSON-RPC response"));return}r(C)}}),u.on("error",v=>{this.activeSockets.delete(p),o(v)})});p.on("error",u=>{clearTimeout(l),this.activeSockets.delete(p),o(u)}),this.activeSockets.add(p),p.write(e,"utf8"),p.end()})}};function gn(n){if(typeof n!="object"||n===null)return!1;let e=n;return typeof e.jsonrpc=="string"&&(e.id===null||typeof e.id=="string"||typeof e.id=="number")}function Ge(n,e){let t=e.transport??Ue(n);switch(t){case"stdio":return new ie(n,e.timeout,e.verbose);case"http":return new ae(n,e.timeout);default:{let r=t;throw new Error(`Unsupported transport type: ${String(r)}`)}}}var yn=1;function X(){return yn++}var be="2024-11-05";function Ye(n){return{jsonrpc:"2.0",id:X(),method:"initialize",params:{protocolVersion:be,capabilities:{},clientInfo:{name:"mcp-verify",version:n}}}}function Ke(){return{jsonrpc:"2.0",method:"notifications/initialized"}}function Xe(n){let e={};return n!==void 0&&(e.cursor=n),{jsonrpc:"2.0",id:X(),method:"tools/list",params:e}}function Ze(){return{jsonrpc:"2.0",id:X(),method:"resources/list",params:{}}}function Qe(n){return{jsonrpc:"2.0",id:X(),method:"resources/read",params:{uri:n}}}function et(){return{jsonrpc:"2.0",id:X(),method:"prompts/list",params:{}}}function tt(){return{jsonrpc:"2.0",id:X(),method:"mcp-verify/probe-unknown-method",params:{}}}function rt(n){if(n.error!==void 0)return{};let e=n.result;if(typeof e!="object"||e===null)return{};let r=e.capabilities;return typeof r!="object"||r===null?{}:r}function Z(n,e){return Object.prototype.hasOwnProperty.call(n,e)&&n[e]!==null&&n[e]!==void 0}var vn="0.2.0-alpha",bn=500;async function ot(n,e){let t=[],r={},o=Ye(vn),s=null,i=null;{let{result:g,stepResult:b}=await U("initialize",()=>n.send(o),e);r.initialize=b,s=g,g!==null?i=Cn(g,be):t.push({step:"initialize",message:b.error??"initialize failed",code:b.status==="timeout"?"TIMEOUT":"ERROR"})}let c=!1;{let g=Date.now();try{await n.notify(Ke()),c=!0,r.initialized={status:"completed",durationMs:Date.now()-g}}catch(b){r.initialized={status:"error",durationMs:Date.now()-g,error:String(b)}}}let a=s!==null?rt(s):{},l=[],p=[];if(Z(a,"tools")){let g,b=0,R=!1;do{let x=Xe(g),{result:O,stepResult:V}=await U("tools/list",()=>n.send(x),e);if(b===0&&(r["tools/list"]=V),O===null||V.status!=="completed"){b===0&&t.push({step:"tools/list",message:V.error??"tools/list failed",code:V.status==="timeout"?"TIMEOUT":"ERROR"});break}l.push(O);let Te=nt(O,"tools");for(let E of Te)p.length<bn?p.push(E):R=!0;if(g=Rn(O),b++,R)break}while(g!==void 0);Object.prototype.hasOwnProperty.call(r,"tools/list")||(r["tools/list"]={status:"skipped",durationMs:0})}else r["tools/list"]={status:"skipped",durationMs:0};let u=null,d=[];if(Z(a,"resources")){let{result:g,stepResult:b}=await U("resources/list",()=>n.send(Ze()),e);if(r["resources/list"]=b,u=g,g!==null&&b.status==="completed"){let R=nt(g,"resources");for(let x of R)d.push(x)}else g===null&&t.push({step:"resources/list",message:b.error??"resources/list failed",code:b.status==="timeout"?"TIMEOUT":"ERROR"})}else r["resources/list"]={status:"skipped",durationMs:0};let m=null;if(Z(a,"resources")&&d.length>0){let g=d[0],b=Sn(g);if(b!==null){let{result:R,stepResult:x}=await U("resources/read",()=>n.send(Qe(b)),e);r["resources/read"]=x,m=R,R===null&&t.push({step:"resources/read",message:x.error??"resources/read failed",code:x.status==="timeout"?"TIMEOUT":"ERROR"})}else r["resources/read"]={status:"skipped",durationMs:0}}else r["resources/read"]={status:"skipped",durationMs:0};let f=null,h=[];if(Z(a,"prompts")){let{result:g,stepResult:b}=await U("prompts/list",()=>n.send(et()),e);if(r["prompts/list"]=b,f=g,g!==null&&b.status==="completed"){let R=nt(g,"prompts");for(let x of R)h.push(x)}else g===null&&t.push({step:"prompts/list",message:b.error??"prompts/list failed",code:b.status==="timeout"?"TIMEOUT":"ERROR"})}else r["prompts/list"]={status:"skipped",durationMs:0};let y=null;{let g=tt(),{result:b,stepResult:R}=await U("error-probe-unknown",()=>n.send(g),e);r["error-probe-unknown"]=R,y=b}let v=null;{let{result:g,stepResult:b}=await U("error-probe-malformed",()=>n.sendRaw("{ invalid json %%%"),e);r["error-probe-malformed"]=b,v=g}let C=["initialize","initialized","tools/list","resources/list","resources/read","prompts/list","error-probe-unknown","error-probe-malformed"];for(let g of C)Object.prototype.hasOwnProperty.call(r,g)||(r[g]={status:"skipped",durationMs:0});return{initializeRequest:o,initializeResponse:s,initializedSent:c,serverInfo:i,toolsListResponses:l,tools:p,resourcesListResponse:u,resources:d,resourceReadResponse:m,promptsListResponse:f,prompts:h,unknownMethodProbeResponse:y,malformedJsonProbeResponse:v,transportMetadata:n.getMetadata(),errors:t,stepResults:r}}async function U(n,e,t){let r=Date.now();try{return{result:await e(),stepResult:{status:"completed",durationMs:Date.now()-r}}}catch(o){let s=o instanceof Error?o.message:String(o);return{result:null,stepResult:{status:s.toLowerCase().includes("timeout")||s.toLowerCase().includes("timed out")?"timeout":"error",durationMs:Date.now()-r,error:s}}}}function Cn(n,e){if(n.error!==void 0)return null;let t=n.result;if(typeof t!="object"||t===null)return null;let r=t,o=r.serverInfo,s=typeof r.protocolVersion=="string"?r.protocolVersion:e;if(typeof o!="object"||o===null)return{name:"unknown",protocolVersion:s};let i=o;return{name:typeof i.name=="string"?i.name:"unknown",version:typeof i.version=="string"?i.version:void 0,protocolVersion:s}}function nt(n,e){if(n.result===void 0||n.result===null)return[];if(typeof n.result!="object")return[];let r=n.result[e];return Array.isArray(r)?r:[]}function Rn(n){if(n.result===void 0||n.result===null||typeof n.result!="object")return;let t=n.result.nextCursor;return typeof t=="string"&&t.length>0?t:void 0}function Sn(n){if(typeof n!="object"||n===null)return null;let e=n;return typeof e.uri=="string"?e.uri:null}var wn=new Set([-32700,-32600,-32601,-32602,-32603]);function dr(n){return wn.has(n)}function fr(n){return n>=-32099&&n<=-32e3}function kn(n){return n>=-32699&&n<=-32604}function xn(n){return dr(n)||fr(n)}function Pn(n){let e=[];n.initializeResponse!==null&&e.push({response:n.initializeResponse,label:"initialize"});for(let t=0;t<n.toolsListResponses.length;t++){let r=n.toolsListResponses[t];r!==void 0&&e.push({response:r,label:`tools/list[${t}]`})}return n.resourcesListResponse!==null&&e.push({response:n.resourcesListResponse,label:"resources/list"}),n.resourceReadResponse!==null&&e.push({response:n.resourceReadResponse,label:"resources/read"}),n.promptsListResponse!==null&&e.push({response:n.promptsListResponse,label:"prompts/list"}),n.unknownMethodProbeResponse!==null&&e.push({response:n.unknownMethodProbeResponse,label:"error-probe-unknown"}),n.malformedJsonProbeResponse!==null&&e.push({response:n.malformedJsonProbeResponse,label:"error-probe-malformed"}),e}function On(n,e){let{response:t,label:r}=n,o=t.id??void 0,s=t.jsonrpc==="2.0";e.push({checkId:"JSONRPC-001",name:"JSON-RPC version field",category:"jsonrpc-base",level:s?"pass":"failure",description:s?`Response for "${r}" has jsonrpc: "2.0"`:`Response for "${r}" has incorrect or missing jsonrpc field (got: ${JSON.stringify(t.jsonrpc)})`,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA74",confidence:"deterministic",messageId:o,field:"jsonrpc",details:{label:r}});let i=t.id,a=typeof i=="string"||typeof i=="number"||(r==="error-probe-unknown"||r==="error-probe-malformed")&&i===null;e.push({checkId:"JSONRPC-002",name:"JSON-RPC id field type",category:"jsonrpc-base",level:a?"pass":"failure",description:a?`Response for "${r}" has a valid id field`:`Response for "${r}" has null or invalid id field (got: ${JSON.stringify(i)})`,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA74",confidence:"deterministic",messageId:o,field:"id",details:{label:r}});let l="result"in t,p="error"in t,u=l&&p,d=!l&&!p,m="pass",f=`Response for "${r}" correctly has either result or error (not both)`;u?(m="failure",f=`Response for "${r}" contains both "result" and "error" fields \u2014 they are mutually exclusive per JSON-RPC 2.0`):d&&(m="failure",f=`Response for "${r}" contains neither "result" nor "error" field \u2014 one is required per JSON-RPC 2.0`),e.push({checkId:"JSONRPC-003",name:"JSON-RPC result/error mutual exclusion",category:"jsonrpc-base",level:m,description:f,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA75",confidence:"deterministic",messageId:o,details:{label:r,hasResult:l,hasError:p}})}function En(n,e){let{response:t,label:r}=n,o=t.id??void 0;if(!("error"in t)||t.error===void 0){e.push({checkId:"JSONRPC-004",name:"JSON-RPC error code validity",category:"jsonrpc-base",level:"pass",description:`Response for "${r}" has no error object \u2014 error code check not applicable`,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA75.1",confidence:"deterministic",messageId:o,details:{label:r}});return}let s=t.error.code,i=s>0,c=dr(s),a=fr(s),l=kn(s),p=xn(s),u="pass",d=`Response for "${r}" has a valid error code ${s}`;i?(u="failure",d=`Response for "${r}" has a positive error code ${s} \u2014 JSON-RPC error codes must be negative integers`):!p&&!l?(u="failure",d=`Response for "${r}" has error code ${s} which is outside all valid JSON-RPC ranges`):l?(u="warning",d=`Response for "${r}" uses reserved error code ${s} (range -32699 to -32604 is currently unassigned)`):c?d=`Response for "${r}" uses standard error code ${s}`:a&&(d=`Response for "${r}" uses server-defined error code ${s} (range -32099 to -32000)`),e.push({checkId:"JSONRPC-004",name:"JSON-RPC error code validity",category:"jsonrpc-base",level:u,description:d,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA75.1",confidence:"deterministic",messageId:o,field:"error.code",details:{label:r,code:s,isStandardRange:c,isServerDefinedRange:a}});let m=typeof t.error.message=="string";e.push({checkId:"JSONRPC-005",name:"JSON-RPC error message type",category:"jsonrpc-base",level:m?"pass":"failure",description:m?`Response for "${r}" error object has a string message field`:`Response for "${r}" error object message field is not a string (got: ${typeof t.error.message})`,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA75.1",confidence:"deterministic",messageId:o,field:"error.message",details:{label:r}})}function st(n,e){let t=[],r=Pn(n);if(r.length===0)return t.push({checkId:"JSONRPC-000",name:"JSON-RPC responses present",category:"jsonrpc-base",level:"failure",description:"No JSON-RPC responses found in the exchange record \u2014 cannot validate envelope",specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA74",confidence:"deterministic"}),t;for(let o of r)On(o,t),En(o,t);return t}var P="2024-11-05";function Tn(n){let e=n.initializeResponse;return e===null||!("result"in e)||e.result===null||typeof e.result!="object"?null:e.result}function $n(n,e){if(n===null){e.push({checkId:"INIT-001",name:"Initialize response present",category:"initialization",level:"failure",description:"No initialize response was received \u2014 cannot validate initialization handshake",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic"});return}e.push({checkId:"INIT-001",name:"Initialize response present",category:"initialization",level:"pass",description:"Initialize response was received from the server",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic"});let t=n.protocolVersion,r=t!=null&&typeof t=="string",o=r&&t.length>0;e.push({checkId:"INIT-002",name:"protocolVersion field",category:"initialization",level:r&&o?"pass":"failure",description:r&&o?`protocolVersion is present and valid: "${t}"`:r?"protocolVersion field is an empty string":"protocolVersion field is absent or not a string in the initialize response",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.protocolVersion",details:{protocolVersion:t}})}function _n(n,e){if(n===null)return null;let t=n.capabilities,r=t!=null&&typeof t=="object"&&!Array.isArray(t);if(e.push({checkId:"INIT-003",name:"capabilities object present",category:"initialization",level:r?"pass":"failure",description:r?"capabilities object is present in the initialize response":"capabilities object is absent or not an object in the initialize response",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.capabilities"}),!r)return null;let o=t;return e.push({checkId:"INIT-004",name:"capabilities structure",category:"initialization",level:"pass",description:"capabilities is a valid object (not an array)",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.capabilities"}),o}function An(n,e,t){let r=n!==null?n.serverInfo:void 0,o=e.serverInfo,s=r!=null||o!==null;if(t.push({checkId:"INIT-005",name:"serverInfo presence",category:"initialization",level:s?"pass":"warning",description:s?"serverInfo object is present in the initialize response":"serverInfo object is absent from the initialize response \u2014 recommended for identification",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.serverInfo"}),!s)return;let i=r??o;if(i===null||typeof i!="object"){t.push({checkId:"INIT-006",name:"serverInfo.name field",category:"initialization",level:"warning",description:"serverInfo is not a valid object \u2014 cannot validate name field",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.serverInfo.name"});return}let c=i.name,a=typeof c=="string"&&c.length>0;t.push({checkId:"INIT-006",name:"serverInfo.name field",category:"initialization",level:a?"pass":"warning",description:a?`serverInfo.name is present: "${c}"`:"serverInfo.name is absent or empty \u2014 recommended for server identification",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.serverInfo.name",details:{name:c}})}function In(n,e){e.push({checkId:"INIT-007",name:"initialized notification sent",category:"initialization",level:n.initializedSent?"pass":"warning",description:n.initializedSent?"The initialized notification was sent after the initialize response":"The initialized notification was not sent \u2014 the server may not consider the session active",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",details:{initializedSent:n.initializedSent}})}function Nn(n,e,t){if(n===null){t.push({checkId:"INIT-008",name:"Capability negotiation cross-check",category:"initialization",level:"info",description:"Cannot cross-check capability negotiation \u2014 capabilities object was not available",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic"});return}let r="tools"in n&&n.tools!==void 0,o=e.toolsListResponses,s=o.length===0||o.every(h=>"error"in h&&h.error!==void 0);r&&s?t.push({checkId:"INIT-008",name:"tools capability vs tools/list response",category:"initialization",level:"failure",description:"Server declared tools capability but tools/list returned an error or no response",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{toolsDeclared:r,toolsListResponseCount:o.length}}):t.push({checkId:"INIT-008",name:"tools capability vs tools/list response",category:"initialization",level:"pass",description:r?"Server declared tools capability and tools/list responded successfully":"Server did not declare tools capability \u2014 tools/list check not required",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{toolsDeclared:r}});let i="resources"in n&&n.resources!==void 0,c=e.resourcesListResponse,a=i&&(c===null||"error"in c&&c.error!==void 0);i&&a?t.push({checkId:"INIT-009",name:"resources capability vs resources/list response",category:"initialization",level:"failure",description:"Server declared resources capability but resources/list returned an error or no response",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{resourcesDeclared:i}}):t.push({checkId:"INIT-009",name:"resources capability vs resources/list response",category:"initialization",level:"pass",description:i?"Server declared resources capability and resources/list responded successfully":"Server did not declare resources capability \u2014 resources/list check not required",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{resourcesDeclared:i}});let l="prompts"in n&&n.prompts!==void 0,p=e.promptsListResponse,u=l&&(p===null||"error"in p&&p.error!==void 0);l&&u?t.push({checkId:"INIT-010",name:"prompts capability vs prompts/list response",category:"initialization",level:"failure",description:"Server declared prompts capability but prompts/list returned an error or no response",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{promptsDeclared:l}}):t.push({checkId:"INIT-010",name:"prompts capability vs prompts/list response",category:"initialization",level:"pass",description:l?"Server declared prompts capability and prompts/list responded successfully":"Server did not declare prompts capability \u2014 prompts/list check not required",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{promptsDeclared:l}});let d=o.some(h=>"result"in h&&h.result!==void 0);!r&&d&&t.push({checkId:"INIT-011",name:"Undeclared tools capability responds",category:"initialization",level:"warning",description:"Server did not declare tools capability but tools/list returned a successful response \u2014 capability advertisement is inconsistent",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"high",details:{toolsDeclared:r}});let m=c!==null&&"result"in c&&c.result!==void 0;!i&&m&&t.push({checkId:"INIT-012",name:"Undeclared resources capability responds",category:"initialization",level:"warning",description:"Server did not declare resources capability but resources/list returned a successful response \u2014 capability advertisement is inconsistent",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"high",details:{resourcesDeclared:i}});let f=p!==null&&"result"in p&&p.result!==void 0;!l&&f&&t.push({checkId:"INIT-013",name:"Undeclared prompts capability responds",category:"initialization",level:"warning",description:"Server did not declare prompts capability but prompts/list returned a successful response \u2014 capability advertisement is inconsistent",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"high",details:{promptsDeclared:l}})}function it(n,e){let t=[],r=Tn(n);$n(r,t);let o=_n(r,t);return An(r,n,t),In(n,t),Nn(o,n,t),t}var A="2024-11-05";function D(n){return typeof n=="object"&&n!==null&&!Array.isArray(n)}function Vn(n){return typeof n=="string"&&n.trim().length>0}var mr=new Set(["string","number","integer","boolean","null","array","object"]);function J(n,e,t){if(!D(n)){if(typeof n=="boolean")return;t.push({path:e,message:`Schema node must be an object or boolean, got: ${typeof n}`});return}if("type"in n){let r=n.type;if(Array.isArray(r))for(let o of r)mr.has(o)||t.push({path:`${e}.type`,message:`Unknown type value: ${JSON.stringify(o)}`});else r!==void 0&&!mr.has(r)&&t.push({path:`${e}.type`,message:`Unknown type value: ${JSON.stringify(r)}`})}if("properties"in n){let r=n.properties;if(!D(r))t.push({path:`${e}.properties`,message:"properties must be an object"});else for(let[o,s]of Object.entries(r))J(s,`${e}.properties.${o}`,t)}if("items"in n){let r=n.items;Array.isArray(r)?r.forEach((o,s)=>J(o,`${e}.items[${s}]`,t)):J(r,`${e}.items`,t)}if("additionalProperties"in n){let r=n.additionalProperties;typeof r!="boolean"&&J(r,`${e}.additionalProperties`,t)}if("required"in n){let r=n.required;if(!Array.isArray(r))t.push({path:`${e}.required`,message:"required must be an array"});else for(let o of r)typeof o!="string"&&t.push({path:`${e}.required`,message:`required array items must be strings, got: ${typeof o}`})}for(let r of["allOf","anyOf","oneOf"])if(r in n){let o=n[r];Array.isArray(o)?o.forEach((s,i)=>J(s,`${e}.${r}[${i}]`,t)):t.push({path:`${e}.${r}`,message:`${r} must be an array`})}"not"in n&&J(n.not,`${e}.not`,t);for(let r of["definitions","$defs"])if(r in n){let o=n[r];if(!D(o))t.push({path:`${e}.${r}`,message:`${r} must be an object`});else for(let[s,i]of Object.entries(o))J(i,`${e}.${r}.${s}`,t)}}function jn(n,e,t){let r=`tools[${e}]`;if(!D(n)){t.push({checkId:"TOOL-001",name:"Tool object structure",category:"tools",level:"failure",description:`${r} is not a valid object`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",details:{index:e}});return}let o=n.name,s=Vn(o),i=s?`"${o}"`:`#${e}`;t.push({checkId:"TOOL-001",name:"Tool name field",category:"tools",level:s?"pass":"failure",description:s?`Tool ${i} has a valid name field`:`Tool at index ${e} is missing a valid name field (got: ${JSON.stringify(o)})`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.name`,details:{index:e,name:o}});let a=typeof n.description=="string";t.push({checkId:"TOOL-002",name:"Tool description field",category:"tools",level:a?"pass":"warning",description:a?`Tool ${i} has a description field`:`Tool ${i} is missing a description field \u2014 recommended for discoverability`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.description`,details:{index:e,toolName:o}});let l=n.inputSchema,p=l!=null;if(t.push({checkId:"TOOL-003",name:"Tool inputSchema presence",category:"tools",level:p?"pass":"failure",description:p?`Tool ${i} has an inputSchema field`:`Tool ${i} is missing the required inputSchema field`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.inputSchema`,details:{index:e,toolName:o}}),!p)return;if(!D(l)){t.push({checkId:"TOOL-004",name:"Tool inputSchema type field",category:"tools",level:"failure",description:`Tool ${i} inputSchema is not a valid object`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.inputSchema`,details:{index:e,toolName:o}});return}let u=l.type,d=u==="object";t.push({checkId:"TOOL-004",name:"Tool inputSchema type field",category:"tools",level:d?"pass":"failure",description:d?`Tool ${i} inputSchema.type is "object"`:`Tool ${i} inputSchema.type must be "object" (got: ${JSON.stringify(u)})`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.inputSchema.type`,details:{index:e,toolName:o,schemaType:u}});let m=l.properties,f="properties"in l&&m!==void 0;if(f){let C=D(m);t.push({checkId:"TOOL-005",name:"Tool inputSchema properties structure",category:"tools",level:C?"pass":"failure",description:C?`Tool ${i} inputSchema.properties is a valid object`:`Tool ${i} inputSchema.properties must be an object (got: ${Array.isArray(m)?"array":typeof m})`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.inputSchema.properties`,details:{index:e,toolName:o}})}let h=l.required;if("required"in l&&h!==void 0){let C=Array.isArray(h),g=C&&h.every(x=>typeof x=="string"),b="pass",R=`Tool ${i} inputSchema.required is a valid string array`;if(!C)b="failure",R=`Tool ${i} inputSchema.required must be an array (got: ${typeof h})`;else if(!g)b="failure",R=`Tool ${i} inputSchema.required must be an array of strings`;else if(f&&D(m)){let x=new Set(Object.keys(m)),O=h.filter(V=>!x.has(V));O.length>0&&(b="failure",R=`Tool ${i} inputSchema.required references properties not defined in properties: ${O.map(V=>`"${V}"`).join(", ")}`)}t.push({checkId:"TOOL-006",name:"Tool inputSchema required array",category:"tools",level:b,description:R,specVersion:A,specReference:"MCP spec \xA75 (Tools) / JSON Schema draft-07",confidence:"deterministic",field:`${r}.inputSchema.required`,details:{index:e,toolName:o}})}let v=[];if(J(l,`${r}.inputSchema`,v),v.length>0)for(let C of v)t.push({checkId:"TOOL-007",name:"Tool inputSchema structural validity",category:"tools",level:"warning",description:`Tool ${i} inputSchema structural issue at ${C.path}: ${C.message}`,specVersion:A,specReference:"JSON Schema draft-07",confidence:"high",field:C.path,details:{index:e,toolName:o,issuePath:C.path}});else t.push({checkId:"TOOL-007",name:"Tool inputSchema structural validity",category:"tools",level:"pass",description:`Tool ${i} inputSchema passes structural JSON Schema draft-07 validation`,specVersion:A,specReference:"JSON Schema draft-07",confidence:"high",details:{index:e,toolName:o}})}function at(n,e){let t=[],r=n.tools;if(r.length===0){let o=n.initializeResponse,s=!1;if(o!==null&&"result"in o&&o.result!==null&&D(o.result)){let i=o.result.capabilities;D(i)&&"tools"in i&&(s=!0)}return t.push({checkId:"TOOL-000",name:"Tools list presence",category:"tools",level:s?"warning":"info",description:s?"Server declared tools capability but no tools were returned in tools/list":"No tools found in exchange record \u2014 tools capability may not be declared",specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic"}),t}t.push({checkId:"TOOL-000",name:"Tools list presence",category:"tools",level:"pass",description:`${r.length} tool(s) found in exchange record`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",details:{count:r.length}});for(let o=0;o<r.length;o++)jn(r[o],o,t);return t}var I="2024-11-05";function ct(n){return typeof n=="object"&&n!==null&&!Array.isArray(n)}function Mn(n){return typeof n=="string"&&n.trim().length>0}function lt(n,e){let t=[],r=n.resourcesListResponse;if(r===null)return t.push({checkId:"RSRC-001",name:"resources/list response presence",category:"resources",level:"info",description:"No resources/list response found \u2014 server may not support resources",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic"}),t;if("error"in r&&r.error!==void 0)return t.push({checkId:"RSRC-001",name:"resources/list response presence",category:"resources",level:"info",description:`resources/list returned an error: ${r.error.message} (code: ${r.error.code})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",details:{errorCode:r.error.code,errorMessage:r.error.message}}),t;t.push({checkId:"RSRC-001",name:"resources/list response presence",category:"resources",level:"pass",description:"resources/list response was received from the server",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic"});let o=r.result;if(!ct(o))return t.push({checkId:"RSRC-002",name:"resources array in response",category:"resources",level:"failure",description:"resources/list result is not a valid object",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:"result"}),t;let s=o.resources,i=Array.isArray(s);if(t.push({checkId:"RSRC-002",name:"resources array in response",category:"resources",level:i?"pass":"failure",description:i?`resources/list result contains a resources array with ${s.length} item(s)`:`resources/list result.resources is not an array (got: ${typeof s})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:"result.resources",details:i?{count:s.length}:{}}),!i)return t;let c=s;for(let d=0;d<c.length;d++){let m=c[d],f=`resources[${d}]`;if(!ct(m)){t.push({checkId:"RSRC-003",name:"Resource object structure",category:"resources",level:"failure",description:`${f} is not a valid object`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",details:{index:d}});continue}let h=m.uri,y=m.name,v=Mn(y)?`"${y}"`:`#${d}`,C=typeof h=="string";t.push({checkId:"RSRC-003",name:"Resource uri field",category:"resources",level:C?"pass":"failure",description:C?`Resource ${v} has a valid uri field: "${h}"`:`Resource ${v} is missing a valid uri field (got: ${JSON.stringify(h)})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:`${f}.uri`,details:{index:d,uri:h}});let g=typeof y=="string";t.push({checkId:"RSRC-004",name:"Resource name field",category:"resources",level:g?"pass":"failure",description:g?`Resource ${v} has a valid name field`:`Resource at index ${d} is missing a valid name field (got: ${JSON.stringify(y)})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:`${f}.name`,details:{index:d,name:y}})}let a=n.resourceReadResponse;if(a===null)return t.push({checkId:"RSRC-005",name:"resources/read response contents",category:"resources",level:"info",description:"No resources/read response found \u2014 read validation skipped",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic"}),t;if("error"in a&&a.error!==void 0)return t.push({checkId:"RSRC-005",name:"resources/read response contents",category:"resources",level:"failure",description:`resources/read returned an error: ${a.error.message} (code: ${a.error.code})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",details:{errorCode:a.error.code,errorMessage:a.error.message}}),t;let l=a.result;if(!ct(l))return t.push({checkId:"RSRC-005",name:"resources/read response contents",category:"resources",level:"failure",description:"resources/read result is not a valid object",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:"result"}),t;let p=l.contents,u=Array.isArray(p);return t.push({checkId:"RSRC-005",name:"resources/read response contents",category:"resources",level:u?"pass":"failure",description:u?`resources/read result contains a contents array with ${p.length} item(s)`:`resources/read result.contents is not an array (got: ${typeof p})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:"result.contents",details:u?{count:p.length}:{}}),t}var T="2024-11-05";function pt(n){return typeof n=="object"&&n!==null&&!Array.isArray(n)}function ut(n){return typeof n=="string"&&n.trim().length>0}function dt(n,e){let t=[],r=n.promptsListResponse;if(r===null)return t.push({checkId:"PROMPT-001",name:"prompts/list response presence",category:"prompts",level:"info",description:"No prompts/list response found \u2014 server may not support prompts",specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic"}),t;if("error"in r&&r.error!==void 0)return t.push({checkId:"PROMPT-001",name:"prompts/list response presence",category:"prompts",level:"info",description:`prompts/list returned an error: ${r.error.message} (code: ${r.error.code})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",details:{errorCode:r.error.code,errorMessage:r.error.message}}),t;t.push({checkId:"PROMPT-001",name:"prompts/list response presence",category:"prompts",level:"pass",description:"prompts/list response was received from the server",specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic"});let o=r.result;if(!pt(o))return t.push({checkId:"PROMPT-002",name:"prompts array in response",category:"prompts",level:"failure",description:"prompts/list result is not a valid object",specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:"result"}),t;let s=o.prompts,i=Array.isArray(s);if(t.push({checkId:"PROMPT-002",name:"prompts array in response",category:"prompts",level:i?"pass":"failure",description:i?`prompts/list result contains a prompts array with ${s.length} item(s)`:`prompts/list result.prompts is not an array (got: ${typeof s})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:"result.prompts",details:i?{count:s.length}:{}}),!i)return t;let c=s;for(let a=0;a<c.length;a++){let l=c[a],p=`prompts[${a}]`;if(!pt(l)){t.push({checkId:"PROMPT-003",name:"Prompt object structure",category:"prompts",level:"failure",description:`${p} is not a valid object`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",details:{index:a}});continue}let u=l.name,d=ut(u),m=d?`"${u}"`:`#${a}`;t.push({checkId:"PROMPT-003",name:"Prompt name field",category:"prompts",level:d?"pass":"failure",description:d?`Prompt ${m} has a valid name field`:`Prompt at index ${a} is missing a valid name field (got: ${JSON.stringify(u)})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${p}.name`,details:{index:a,name:u}});let f=l.arguments;if(f==null){t.push({checkId:"PROMPT-004",name:"Prompt arguments structure",category:"prompts",level:"pass",description:`Prompt ${m} has no arguments defined`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",details:{index:a,promptName:u}});continue}if(!Array.isArray(f)){t.push({checkId:"PROMPT-004",name:"Prompt arguments structure",category:"prompts",level:"failure",description:`Prompt ${m} arguments must be an array (got: ${typeof f})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${p}.arguments`,details:{index:a,promptName:u}});continue}t.push({checkId:"PROMPT-004",name:"Prompt arguments structure",category:"prompts",level:"pass",description:`Prompt ${m} has a valid arguments array with ${f.length} item(s)`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${p}.arguments`,details:{index:a,promptName:u,argCount:f.length}});let h=f;for(let y=0;y<h.length;y++){let v=h[y],C=`${p}.arguments[${y}]`;if(!pt(v)){t.push({checkId:"PROMPT-005",name:"Prompt argument object structure",category:"prompts",level:"failure",description:`Prompt ${m} argument at index ${y} is not a valid object`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:C,details:{promptIndex:a,argIndex:y,promptName:u}});continue}let g=v.name,b=v.required,R=ut(g)?`"${g}"`:`#${y}`,x=ut(g);if(t.push({checkId:"PROMPT-005",name:"Prompt argument name field",category:"prompts",level:x?"pass":"failure",description:x?`Prompt ${m} argument ${R} has a valid name field`:`Prompt ${m} argument at index ${y} is missing a valid name field (got: ${JSON.stringify(g)})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${C}.name`,details:{promptIndex:a,argIndex:y,promptName:u,argName:g}}),"required"in v){let O=typeof b=="boolean";t.push({checkId:"PROMPT-006",name:"Prompt argument required field",category:"prompts",level:O?"pass":"failure",description:O?`Prompt ${m} argument ${R} has a valid required field (${b})`:`Prompt ${m} argument ${R} required field must be a boolean (got: ${typeof b})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${C}.required`,details:{promptIndex:a,argIndex:y,promptName:u,argName:g,argRequired:b}})}}}return t}var ft="2024-11-05";function mt(n,e){let t=[],r=n.transportMetadata;if(r.type!=="stdio")return t;let o=r.preProtocolOutput,s=Array.isArray(o)&&o.length>0;t.push({checkId:"XPORT-001",name:"Stdio extraneous output",category:"transport",level:s?"failure":"pass",description:s?`Server emitted ${o.length} line(s) of non-JSON output before the protocol exchange \u2014 stdio MCP servers must write only JSON-RPC messages on stdout`:"No extraneous output detected before the protocol exchange",specVersion:ft,specReference:"MCP spec \xA72 (Transports) \u2014 stdio",confidence:"deterministic",details:s?{lineCount:o.length,firstLine:o[0]}:{}});let i=r.timing,c=Array.isArray(i)&&i.length>0,a=n.errors.filter(u=>u.message.toLowerCase().includes("frame")||u.message.toLowerCase().includes("delimit")||u.message.toLowerCase().includes("parse")||u.message.toLowerCase().includes("newline")),l=a.length>0;t.push({checkId:"XPORT-002",name:"Stdio line-delimited framing",category:"transport",level:l?"failure":c?"pass":"info",description:l?`Stdio framing errors detected: ${a.map(u=>u.message).join("; ")}`:c?`Stdio line-delimited framing appears correct \u2014 ${i.length} message exchange(s) completed`:"No message timings recorded \u2014 unable to verify stdio framing",specVersion:ft,specReference:"MCP spec \xA72 (Transports) \u2014 stdio",confidence:l?"deterministic":"high",details:{framingErrorCount:a.length,timingCount:i.length}});let p=s?o.filter(u=>{try{return JSON.parse(u),!1}catch{return!0}}):[];return t.push({checkId:"XPORT-003",name:"Stdio stdout JSON-only output",category:"transport",level:p.length>0?"failure":"pass",description:p.length>0?`${p.length} non-JSON line(s) detected on stdout \u2014 stdio MCP servers must not write non-JSON data to stdout`:"All stdout output appears to be valid JSON (no non-JSON lines detected)",specVersion:ft,specReference:"MCP spec \xA72 (Transports) \u2014 stdio",confidence:"deterministic",details:{nonJsonLineCount:p.length,firstNonJsonLine:p[0]??null}}),t}var Q="2024-11-05";function ht(n,e){let t=[],r=n.transportMetadata;if(r.type!=="http")return t;let o=r.httpHeaders,s=r.sseObservations,i=[];for(let[d,m]of Object.entries(o)){let f=m["content-type"]??m["Content-Type"];f!==void 0&&i.push(`${d}: ${f}`)}let c=i.length>0,a=i.some(d=>d.toLowerCase().includes("application/json")),l=i.some(d=>d.toLowerCase().includes("text/event-stream")),p=a||l;if(t.push({checkId:"XPORT-010",name:"HTTP Content-Type headers",category:"transport",level:c?p?"pass":"warning":"info",description:c?p?"HTTP responses have appropriate Content-Type headers (application/json or text/event-stream)":`HTTP responses do not have expected Content-Type headers (got: ${i.join(", ")})`:"No HTTP Content-Type headers recorded \u2014 cannot validate content types",specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP",confidence:c?"deterministic":"low",details:{contentTypeEntries:i,hasJsonContentType:a,hasSseContentType:l}}),s.length===0)t.push({checkId:"XPORT-011",name:"SSE format validation",category:"transport",level:"info",description:"No SSE observations recorded \u2014 SSE format check skipped",specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP / SSE",confidence:"deterministic"});else{let d=s.filter(v=>v.hasDataPrefix),m=s.filter(v=>!v.hasDataPrefix&&!v.hasEventType&&v.rawLine.trim().length>0&&!v.rawLine.startsWith("id:")&&!v.rawLine.startsWith(":")),f=d.length>0,h=m.length>0;t.push({checkId:"XPORT-011",name:"SSE format validation",category:"transport",level:h?"warning":f?"pass":"warning",description:h?`SSE stream contains ${m.length} line(s) that do not conform to SSE format`:f?`SSE stream format is valid \u2014 ${d.length} data line(s) observed`:"SSE observations recorded but no data: lines found \u2014 stream may be empty",specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP / SSE",confidence:"high",details:{totalObservations:s.length,dataLineCount:d.length,malformedLineCount:m.length}});let y=s.filter(v=>v.rawLine.trim().length>0&&!v.rawLine.startsWith(":")).filter(v=>!v.hasDataPrefix&&!v.hasEventType&&!v.rawLine.startsWith("id:"));y.length>0?t.push({checkId:"XPORT-012",name:"SSE data prefix compliance",category:"transport",level:"warning",description:`${y.length} SSE line(s) are missing the required "data:" prefix for data payloads`,specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP / SSE",confidence:"high",details:{violatingLineCount:y.length,exampleLine:y[0]?.rawLine??null}}):d.length>0&&t.push({checkId:"XPORT-012",name:"SSE data prefix compliance",category:"transport",level:"pass",description:'All SSE data payloads have the required "data:" prefix',specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP / SSE",confidence:"high",details:{dataLineCount:d.length}})}let u=[];for(let[d,m]of Object.entries(o)){let f=m["access-control-allow-origin"]??m["Access-Control-Allow-Origin"];f!==void 0&&u.push(`${d}: Access-Control-Allow-Origin: ${f}`)}return t.push({checkId:"XPORT-013",name:"CORS headers present",category:"transport",level:u.length>0?"pass":"info",description:u.length>0?`CORS headers observed on ${u.length} endpoint(s)`:"No CORS headers observed \u2014 may be an issue if the server is accessed from a browser context",specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP",confidence:"deterministic",details:{corsEntries:u,corsCount:u.length}}),t}var B="2024-11-05";function gt(n,e){let t=[],r=n.unknownMethodProbeResponse;if(r===null)t.push({checkId:"ERRH-001",name:"Unknown method probe response",category:"error-handling",level:"failure",description:"No response received for unknown-method probe \u2014 server must respond to unknown methods with JSON-RPC error -32601 (Method Not Found)",specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic"});else if(!("error"in r)||r.error===void 0)t.push({checkId:"ERRH-001",name:"Unknown method probe response",category:"error-handling",level:"failure",description:"Unknown-method probe returned a successful result instead of an error \u2014 server must return -32601 (Method Not Found) for unknown methods",specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",details:{hasResult:"result"in r}});else{let i=r.error.code,c=i===-32601;t.push({checkId:"ERRH-001",name:"Unknown method probe response",category:"error-handling",level:c?"pass":"failure",description:c?"Unknown-method probe correctly returned error code -32601 (Method Not Found)":`Unknown-method probe returned error code ${i} \u2014 expected -32601 (Method Not Found)`,specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",field:"error.code",details:{receivedCode:i,expectedCode:-32601}})}let o=n.malformedJsonProbeResponse;if(o===null)t.push({checkId:"ERRH-002",name:"Malformed JSON probe response",category:"error-handling",level:"failure",description:"No response received for malformed-JSON probe \u2014 server must respond to malformed JSON with JSON-RPC error -32700 (Parse Error)",specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic"});else if(!("error"in o)||o.error===void 0)t.push({checkId:"ERRH-002",name:"Malformed JSON probe response",category:"error-handling",level:"failure",description:"Malformed-JSON probe returned a successful result instead of an error \u2014 server must return -32700 (Parse Error) for malformed JSON",specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",details:{hasResult:"result"in o}});else{let i=o.error.code,c=i===-32700;t.push({checkId:"ERRH-002",name:"Malformed JSON probe response",category:"error-handling",level:c?"pass":"failure",description:c?"Malformed-JSON probe correctly returned error code -32700 (Parse Error)":`Malformed-JSON probe returned error code ${i} \u2014 expected -32700 (Parse Error)`,specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",field:"error.code",details:{receivedCode:i,expectedCode:-32700}})}let s=t.filter(i=>i.level==="failure").length;return t.push({checkId:"ERRH-003",name:"Error handling conformance summary",category:"error-handling",level:s===0?"pass":"info",description:s===0?"Server correctly handles both unknown-method and malformed-JSON error probes":`${s} error handling probe(s) failed \u2014 server error handling is not fully conformant`,specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",details:{probeFailureCount:s}}),t}var yt=[st,it,at,lt,dt,mt,ht,gt];function vt(n,e){let t=[];for(let r of yt)try{let o=r(n,e);t.push(...o)}catch(o){t.push({checkId:"RUNNER-ERROR",name:"Validator runtime error",category:"jsonrpc-base",level:"info",description:`A validator threw an unexpected error: ${o instanceof Error?o.message:String(o)}`,specVersion:"2024-11-05",specReference:"N/A",confidence:"deterministic"})}return t}var bt={"jsonrpc-base":.2,initialization:.25,tools:.25,resources:.1,prompts:.1,transport:.1,"error-handling":0},Ct=15,Rt=7;var Hn=["jsonrpc-base","initialization","tools","resources","prompts","transport"],hr=[...Hn,"error-handling"];function Ln(n){return n.some(e=>e.checkId==="INIT-001"&&e.level==="failure")}function St(n,e,t){let r=new Map;for(let a of hr)r.set(a,[]);for(let a of n){let l=r.get(a.category);l!==void 0&&l.push(a)}let o=[];for(let a of hr){let l=r.get(a)??[],p=l.filter(y=>y.level==="failure").length,u=l.filter(y=>y.level==="warning").length,d=l.filter(y=>y.level==="pass").length,m=l.length,f=100-p*Ct-u*Rt,h=Math.max(0,f);o.push({category:a,score:h,weight:bt[a],totalChecks:m,passCount:d,failCount:p,warnCount:u})}if(Ln(n))return{overallScore:0,categoryScores:o,exitCode:0,pass:!1};let s=0,i=0;for(let a of o)a.weight>0&&(s+=a.score*a.weight,i+=a.weight);let c=i>0?s/i:0;return{overallScore:Math.round(c*10)/10,categoryScores:o,exitCode:0,pass:!0}}var gr=["info","low","medium","high","critical"];function yr(n){return gr.indexOf(n)}function Dn(n){return n==="none"?gr.length:yr(n)}function wt(n,e,t){let r=n.overallScore<t.conformanceThreshold,o=Dn(t.failOnSeverity),s=e.some(i=>!i.suppressed&&yr(i.severity)>=o);return r||s?1:0}var vr="command-injection";var Fn=/^(command|cmd|exec|shell|script|args|argv|path|file|filename|dir|directory)$/i,Jn=/\b(execute|run\s+command|shell|script|path\s+to)\b/i;function qn(n){return!!(typeof n.pattern=="string"&&n.pattern.length>0||Array.isArray(n.enum)&&n.enum.length>0)}function zn(n){return n.type==="string"||n.type===void 0}function Wn(n,e){let t=[],r=n.inputSchema?.properties;if(!r||typeof r!="object")return t;for(let[o,s]of Object.entries(r)){if(typeof s!="object"||s===null||!zn(s)||qn(s))continue;let i=s,c=Fn.test(o),a=typeof i.description=="string"&&Jn.test(i.description);if(c||a){e.count++;let l=c?`parameter name "${o}" matches shell execution pattern`:"parameter description contains execution keywords";t.push({id:`SEC-${String(e.count).padStart(3,"0")}`,checkId:vr,severity:"high",cvssScore:8.1,component:`tool "${n.name}" / param "${o}"`,title:"Command Injection Susceptibility",description:`Tool "${n.name}" has an unconstrained string parameter "${o}" \u2014 ${l}. Without a \`pattern\` or \`enum\` constraint, this parameter could be used to inject shell commands.`,remediation:`Add a \`pattern\` constraint (e.g., "^[a-zA-Z0-9_-]+$") or \`enum\` constraint to the "${o}" parameter in tool "${n.name}".`,confidence:"heuristic",evidence:{toolName:n.name,paramName:o,paramType:i.type??"string (implicit)",matchedOn:c?"parameterName":"description"},suppressed:!1})}}return t}var kt={id:vr,name:"Command Injection Susceptibility Detection",check(n){let e=n.exchange.tools;if(!Array.isArray(e)||e.length===0)return[];let t=[],r={count:0};for(let o of e){if(typeof o!="object"||o===null)continue;let s=Wn(o,r);t.push(...s)}return t}};var br="cors-wildcard";var xt={id:br,name:"CORS Wildcard Policy Detection",check(n){if(n.exchange.transportMetadata.type==="stdio")return[];let e=[],t=n.exchange.transportMetadata.httpHeaders,r=0;if(!t||typeof t!="object")return[];for(let[o,s]of Object.entries(t)){if(!s||typeof s!="object")continue;Un(s,"access-control-allow-origin")==="*"&&(r++,e.push({id:`SEC-${String(r).padStart(3,"0")}`,checkId:br,severity:"high",cvssScore:7.5,component:o,title:"CORS Wildcard Policy",description:`Endpoint "${o}" returns Access-Control-Allow-Origin: * which permits cross-origin requests from any web origin. This allows any website to invoke MCP tools on this server.`,remediation:'Restrict the Access-Control-Allow-Origin header to specific trusted origins instead of using the wildcard "*".',confidence:"deterministic",evidence:{endpoint:o,header:"Access-Control-Allow-Origin",value:"*"},suppressed:!1}))}return e}};function Un(n,e){let t=e.toLowerCase();for(let[r,o]of Object.entries(n))if(r.toLowerCase()===t)return o}var Cr="auth-gap";var Bn=new Set(["localhost","127.0.0.1","::1","[::1]"]),Gn=[/^10\./,/^172\.(1[6-9]|2\d|3[01])\./,/^192\.168\./,/^fd[0-9a-f]{2}:/i];function Yn(n){return Bn.has(n.toLowerCase())}function Kn(n){return Gn.some(e=>e.test(n))}function Xn(n){let e=new Map(Object.entries(n).map(([t,r])=>[t.toLowerCase(),r]));return e.has("www-authenticate")||e.has("authorization")}var Pt={id:Cr,name:"Authentication Gap Detection",check(n){if(n.exchange.transportMetadata.type==="stdio")return[];let e=n.exchange.transportMetadata,t=e.target,r;try{r=new URL(t).hostname}catch{return[]}if(Yn(r))return[];let o=e.httpHeaders,s=!1;if(o&&typeof o=="object"){for(let d of Object.values(o))if(d&&typeof d=="object"&&Xn(d)){s=!0;break}}if(s)return[];let i=e.resolvedAddress??r,c=e.addressType??(Kn(i)?"private":"public"),a=c==="public",l=a?"critical":"medium",p=a?9.8:6.5,u=a?"public internet":"private network";return[{id:"SEC-001",checkId:Cr,severity:l,cvssScore:p,component:t,title:"Authentication Gap",description:`MCP server at "${t}" (${u}, resolved: ${i}) responds to initialize without requiring authentication. Any client on the ${u} can invoke tools on this server.`,remediation:"Add authentication to the MCP server. Recommended approaches: Bearer token authentication, OAuth 2.0 client credentials, or mutual TLS for machine-to-machine communication.",confidence:"heuristic",evidence:{host:r,resolvedAddress:i,addressType:c,authHeaderPresent:!1,wwwAuthenticatePresent:!1},suppressed:!1}]}};var Rr="tool-poisoning";var Zn=[{pattern:/IGNORE\s+PREVIOUS/i,label:"IGNORE PREVIOUS"},{pattern:/\[SYSTEM\]/i,label:"[SYSTEM]"},{pattern:/<system>/i,label:"<system>"},{pattern:/\bDO\s+NOT\b(?=.*\b(?:tell|reveal|mention|show|share|disclose)\b)/i,label:"DO NOT (directive)"},{pattern:/\byou\s+must\b/i,label:"you must"},{pattern:/\byou\s+are\s+now\b/i,label:"you are now"},{pattern:/\bforget\s+(?:all|your|previous|everything)\b/i,label:"forget instructions"},{pattern:/\bpretend\s+(?:to\s+be|you\s+are)\b/i,label:"pretend to be"},{pattern:/\bact\s+as\s+(?:a|an|if)\b/i,label:"act as"},{pattern:/\bnew\s+instructions?\b/i,label:"new instructions"}],Qn=/<\/?(?:system|prompt|instruction|role|context|message)\b[^>]*>/i,eo=/^[A-Za-z0-9+/]{20,}={0,2}$/,to=/%[0-9A-Fa-f]{2}/,Ot={id:Rr,name:"Tool Poisoning Pattern Detection",check(n){let e=n.exchange.tools;if(!Array.isArray(e)||e.length===0)return[];let t=[],r=0;for(let o of e){if(typeof o!="object"||o===null)continue;let s=o;if(typeof s.name!="string"||(to.test(s.name)&&(r++,t.push(ce(r,s.name,"URL-encoded characters in tool name",`Tool name "${s.name}" contains URL-encoded substrings`))),eo.test(s.name)&&(r++,t.push(ce(r,s.name,"Base64-encoded tool name",`Tool name "${s.name}" appears to be Base64-encoded`))),typeof s.description!="string"))continue;let i=s.description.slice(0,1e4);i.length>2e3&&(r++,t.push(ce(r,s.name,"Suspiciously long tool description",`Tool "${s.name}" has a description of ${s.description.length} characters (threshold: 2000). Long descriptions may contain hidden instructions.`)));for(let{pattern:c,label:a}of Zn)if(c.test(i)){r++,t.push(ce(r,s.name,`Prompt injection pattern: "${a}"`,`Tool "${s.name}" description contains the pattern "${a}" which is commonly used in prompt injection attacks to hijack model behavior.`));break}Qn.test(i)&&(r++,t.push(ce(r,s.name,"XML/HTML system tags in description",`Tool "${s.name}" description contains XML/HTML tags that appear to embed system-prompt instructions.`)))}return t}};function ce(n,e,t,r){return{id:`SEC-${String(n).padStart(3,"0")}`,checkId:Rr,severity:"critical",cvssScore:8.8,component:`tool "${e}"`,title:t,description:r,remediation:`Review and sanitize the tool metadata for "${e}". Remove any instruction-like text, encoded strings, or system prompt patterns from tool names and descriptions.`,confidence:"heuristic",evidence:{toolName:e},suppressed:!1}}var Sr="info-leakage";var ro=[{pattern:/at\s+\S+\s+\([^)]+:\d+:\d+\)/,label:"Node.js stack trace"},{pattern:/at\s+Object\.<anonymous>/,label:"Node.js anonymous stack frame"},{pattern:/at\s+Function\./,label:"Node.js Function stack frame"},{pattern:/at\s+Module\._compile/,label:"Node.js module stack frame"},{pattern:/Traceback \(most recent call last\)/,label:"Python traceback"},{pattern:/File "[^"]+", line \d+/,label:"Python file reference"},{pattern:/at\s+\w+\.\w+\([^)]*\)\s+in\s+/,label:".NET stack trace"}],no=[{pattern:/\/home\/\w+/,label:"Unix home directory"},{pattern:/\/var\/\w+/,label:"Unix /var path"},{pattern:/\/usr\/\w+/,label:"Unix /usr path"},{pattern:/\/etc\/\w+/,label:"Unix /etc path"},{pattern:/\/tmp\/\w+/,label:"Unix /tmp path"},{pattern:/[A-Z]:\\Users\\/i,label:"Windows Users path"},{pattern:/[A-Z]:\\Program Files/i,label:"Windows Program Files path"}],oo=[{pattern:/process\.env\.\w+/,label:"Node.js process.env reference"},{pattern:/ENV\[\s*['"][^'"]+['"]\s*\]/,label:"ENV[] reference"},{pattern:/\$ENV_\w+/,label:"$ENV_ variable"},{pattern:/\bexport\s+\w+=/,label:"shell export statement"},{pattern:/os\.environ\b/,label:"Python os.environ reference"}];function so(n){let e=[];if(!n||typeof n!="object")return e;let t=n;if(t.error&&typeof t.error=="object"){let r=t.error;if(typeof r.message=="string"&&e.push(r.message.slice(0,1e4)),typeof r.data=="string"&&e.push(r.data.slice(0,1e4)),r.data&&typeof r.data=="object"){let o=r.data;typeof o.message=="string"&&e.push(o.message.slice(0,1e4)),typeof o.stack=="string"&&e.push(o.stack.slice(0,1e4))}}return e}function io(n){let e=/^(Method not found|Internal error|Invalid params|Parse error|Invalid request|Server error)$/i;return n.length<100&&e.test(n.trim())}var $t={id:Sr,name:"Information Leakage Detection",check(n){let e=[],t=0,r=[n.exchange.unknownMethodProbeResponse,n.exchange.malformedJsonProbeResponse];for(let o of r){if(!o)continue;let s=so(o);for(let i of s)if(!io(i)){for(let{pattern:c,label:a}of ro)if(c.test(i)){t++,e.push(Et(t,a,`Error response contains ${a} indicating verbose error output. Stack traces reveal internal code structure and file locations.`,Tt(i,c)));break}for(let{pattern:c,label:a}of no)if(c.test(i)){t++,e.push(Et(t,a,`Error response contains ${a} exposing internal server filesystem structure.`,Tt(i,c)));break}for(let{pattern:c,label:a}of oo)if(c.test(i)){t++,e.push(Et(t,a,`Error response contains ${a} exposing server environment configuration.`,Tt(i,c)));break}}}return e}};function Et(n,e,t,r){return{id:`SEC-${String(n).padStart(3,"0")}`,checkId:Sr,severity:"medium",cvssScore:5.3,component:"error response",title:`Information Leakage: ${e}`,description:t,remediation:"Return generic error messages in production. Avoid including stack traces, file paths, or environment variable names in error responses.",confidence:"deterministic",evidence:{matchType:e,snippet:r},suppressed:!1}}function Tt(n,e){let t=n.match(e);if(!t||t.index===void 0)return"[redacted]";let r=Math.max(0,t.index-15),o=Math.min(n.length,t.index+t[0].length+15),s=n.slice(r,o);return r>0&&(s="..."+s),o<n.length&&(s=s+"..."),s}var ao=[kt,xt,Pt,Ot,$t];function _t(n,e){let t={exchange:n,config:e},r=[],o=0;for(let s of ao){let i=s.check(t);for(let c of i){if(o++,c.id=`SEC-${String(o).padStart(3,"0")}`,e.skip.includes(c.checkId)){c.suppressed=!0;let a=e.skipJustifications[c.checkId];a!==void 0&&(c.justification=a)}r.push(c)}}return r}Se();var le=class{config;constructor(e){this.config=e}format(e){let t={schemaVersion:"1.0",meta:{toolVersion:e.meta.toolVersion,specVersion:e.meta.specVersion,timestamp:e.meta.timestamp,target:e.meta.target,transport:e.meta.transport,durationMs:e.meta.durationMs,checkMode:this.config.checkMode,thresholds:{conformanceThreshold:this.config.conformanceThreshold,failOnSeverity:this.config.failOnSeverity}},conformance:{score:e.conformance.score,breakdown:e.conformance.breakdown,violations:e.conformance.violations},security:{findings:e.security.findings,suppressed:e.security.suppressed},summary:{pass:e.summary.pass,exitCode:e.summary.exitCode,blockerCount:e.summary.blockerCount}};return JSON.stringify(t,null,2)}};var Er={"jsonrpc-base":"JSON-RPC Base",initialization:"Initialization",tools:"Tools",resources:"Resources",prompts:"Prompts",transport:"Transport","error-handling":"Error Handling"},Co=["jsonrpc-base","initialization","tools","resources","prompts","transport"],we=["jsonrpc-base","initialization","tools","resources","prompts","transport","error-handling"];function Ro(n){return n==="http"?"HTTP+SSE":"stdio"}function So(n){return n<1e3?`${n}ms`:`${(n/1e3).toFixed(1)}s`}function ke(n,e){let t=n.length,r=n.map(a=>a.length);for(let a of e)for(let l=0;l<t;l++){let p=a[l]??"";p.length>(r[l]??0)&&(r[l]=p.length)}function o(a,l){return a.padEnd(r[l]??a.length," ")}let s="| "+n.map((a,l)=>o(a,l)).join(" | ")+" |",i="| "+r.map(a=>"-".repeat(Math.max(a,1))).join(" | ")+" |",c=e.map(a=>"| "+a.map((l,p)=>o(l,p)).join(" | ")+" |");return[s,i,...c].join(`
|
|
29
|
-
`)}function
|
|
30
|
-
`)}function
|
|
31
|
-
`)}function
|
|
32
|
-
`)}};Se();function It(n){switch(n.format){case"terminal":return new re(n.noColor);case"json":return new le(n);case"markdown":return new pe;case"sarif":throw new Error(`${n.format} reporter not yet implemented (Sprint 3)`);default:throw new Error(`Unknown format: ${n.format}`)}}var ue=require("fs"),Nt=require("path")
|
|
28
|
+
`))!==-1;){let t=this.stdoutBuffer.slice(0,e).trimEnd();if(this.stdoutBuffer=this.stdoutBuffer.slice(e+1),!t)continue;let r;try{r=JSON.parse(t)}catch{this.firstJsonSeen||this.preProtocolOutput.push(t);continue}if(this.firstJsonSeen=!0,!mn(r))continue;let o=r;if(o.id!==null&&this.pending.has(o.id)){let s=this.pending.get(o.id);if(s){this.pending.delete(o.id),s.resolve(o);continue}}if(o.id===null){for(let[s,i]of this.pending.entries())if(String(s).startsWith("raw-")){this.pending.delete(s),i.resolve(o);break}}}}rejectAll(e){for(let[t,r]of this.pending.entries())this.pending.delete(t),clearTimeout(r.timer),r.reject(e)}};function fn(n){return!!(/^@[\w.-]+\/[\w.-]+/.test(n)||/^[\w.-]+@[\d]/.test(n)&&!n.includes("/")&&!n.includes("\\"))}function mn(n){if(typeof n!="object"||n===null)return!1;let e=n;return typeof e.jsonrpc=="string"&&(e.id===null||typeof e.id=="string"||typeof e.id=="number")&&(Object.prototype.hasOwnProperty.call(e,"result")||Object.prototype.hasOwnProperty.call(e,"error"))}var gn=$e(require("http"),1),yn=$e(require("https"),1),dr=require("url");function Be(n){let e=[],t=[],r=n.split(/\r?\n\r?\n/);for(let o of r){if(!o.trim())continue;let s=o.split(/\r?\n/),i=null;for(let c of s)c&&(c.startsWith("data:")?(i=c.slice(5).trimStart(),t.push({hasDataPrefix:!0,hasEventType:!1,rawLine:c})):c.startsWith("event:")?t.push({hasDataPrefix:!1,hasEventType:!0,rawLine:c}):c.startsWith("id:")||c.startsWith(":")?t.push({hasDataPrefix:!1,hasEventType:!1,rawLine:c}):t.push({hasDataPrefix:!1,hasEventType:!1,rawLine:c}));if(i!==null)try{let c=JSON.parse(i);hn(c)&&e.push(c)}catch{}}return{responses:e,observations:t}}function hn(n){if(typeof n!="object"||n===null)return!1;let e=n;return typeof e.jsonrpc=="string"&&(e.id===null||typeof e.id=="string"||typeof e.id=="number")}var ae=class{url;timeout;customHeaders;capturedHeaders={};sseObservations=[];timings=[];activeSockets=new Set;constructor(e,t,r={}){this.url=e,this.timeout=t,this.customHeaders=r}async send(e){let t=Date.now(),r=await this.post(JSON.stringify(e),e.id),o=Date.now();return this.timings.push({method:e.method,requestTimestamp:t,responseTimestamp:o,durationMs:o-t}),r}async notify(e){try{await this.post(JSON.stringify(e),null)}catch{}}async sendRaw(e){try{return await this.post(e,null)}catch{return null}}getMetadata(){return{type:"http",target:this.url,httpHeaders:{...this.capturedHeaders},sseObservations:[...this.sseObservations],preProtocolOutput:[],timing:[...this.timings]}}async close(){for(let e of this.activeSockets)e.destroy();this.activeSockets.clear()}post(e,t){return new Promise((r,o)=>{let s=new dr.URL(this.url),i=s.protocol==="https:",c=i?yn:gn,a={method:"POST",hostname:s.hostname,port:s.port?parseInt(s.port,10):i?443:80,path:s.pathname+s.search,headers:{...this.customHeaders,"Content-Type":"application/json","Content-Length":Buffer.byteLength(e,"utf8"),Accept:"application/json, text/event-stream"}},l=setTimeout(()=>{p.destroy(new Error(`HTTP request timed out after ${this.timeout}ms`))},this.timeout),p=c.request(a,u=>{clearTimeout(l);let d=`${a.method} ${a.path}`,m={};for(let[b,R]of Object.entries(u.headers))R!==void 0&&(m[b]=Array.isArray(R)?R.join(", "):R);this.capturedHeaders[d]=m;let h=(u.headers["content-type"]??"").includes("text/event-stream"),y=[];u.on("data",b=>{y.push(b)}),u.on("end",()=>{this.activeSockets.delete(p);let b=Buffer.concat(y).toString("utf8");if(h){let{responses:R,observations:g}=Be(b);for(let C of g)this.sseObservations.push(C);let v=t!==null?R.find(C=>C.id===t):R[0];v!==void 0?r(v):R.length>0&&R[0]!==void 0?r(R[0]):o(new Error("No JSON-RPC response found in SSE stream"))}else{let R;try{R=JSON.parse(b)}catch(g){o(new Error(`Failed to parse JSON response: ${String(g)}`));return}if(!bn(R)){o(new Error("Response is not a valid JSON-RPC response"));return}r(R)}}),u.on("error",b=>{this.activeSockets.delete(p),o(b)})});p.on("error",u=>{clearTimeout(l),this.activeSockets.delete(p),o(u)}),this.activeSockets.add(p),p.write(e,"utf8"),p.end()})}};function bn(n){if(typeof n!="object"||n===null)return!1;let e=n;return typeof e.jsonrpc=="string"&&(e.id===null||typeof e.id=="string"||typeof e.id=="number")}function Ge(n,e){let t=e.transport??Ue(n);switch(t){case"stdio":return new ie(n,e.timeout,e.verbose);case"http":return new ae(n,e.timeout,e.headers);default:{let r=t;throw new Error(`Unsupported transport type: ${String(r)}`)}}}var vn=1;function X(){return vn++}var ve="2024-11-05";function Ye(n){return{jsonrpc:"2.0",id:X(),method:"initialize",params:{protocolVersion:ve,capabilities:{},clientInfo:{name:"mcp-verify",version:n}}}}function Ke(){return{jsonrpc:"2.0",method:"notifications/initialized"}}function Xe(n){let e={};return n!==void 0&&(e.cursor=n),{jsonrpc:"2.0",id:X(),method:"tools/list",params:e}}function Ze(){return{jsonrpc:"2.0",id:X(),method:"resources/list",params:{}}}function Qe(n){return{jsonrpc:"2.0",id:X(),method:"resources/read",params:{uri:n}}}function et(){return{jsonrpc:"2.0",id:X(),method:"prompts/list",params:{}}}function tt(){return{jsonrpc:"2.0",id:X(),method:"mcp-verify/probe-unknown-method",params:{}}}function rt(n){if(n.error!==void 0)return{};let e=n.result;if(typeof e!="object"||e===null)return{};let r=e.capabilities;return typeof r!="object"||r===null?{}:r}function Z(n,e){return Object.prototype.hasOwnProperty.call(n,e)&&n[e]!==null&&n[e]!==void 0}var Rn="0.2.0-alpha",Cn=500;async function ot(n,e){let t=[],r={},o=Ye(Rn),s=null,i=null;{let{result:g,stepResult:v}=await U("initialize",()=>n.send(o),e);r.initialize=v,s=g,g!==null?i=Sn(g,ve):t.push({step:"initialize",message:v.error??"initialize failed",code:v.status==="timeout"?"TIMEOUT":"ERROR"})}let c=!1;{let g=Date.now();try{await n.notify(Ke()),c=!0,r.initialized={status:"completed",durationMs:Date.now()-g}}catch(v){r.initialized={status:"error",durationMs:Date.now()-g,error:String(v)}}}let a=s!==null?rt(s):{},l=[],p=[];if(Z(a,"tools")){let g,v=0,C=!1;do{let x=Xe(g),{result:O,stepResult:V}=await U("tools/list",()=>n.send(x),e);if(v===0&&(r["tools/list"]=V),O===null||V.status!=="completed"){v===0&&t.push({step:"tools/list",message:V.error??"tools/list failed",code:V.status==="timeout"?"TIMEOUT":"ERROR"});break}l.push(O);let Te=nt(O,"tools");for(let E of Te)p.length<Cn?p.push(E):C=!0;if(g=wn(O),v++,C)break}while(g!==void 0);Object.prototype.hasOwnProperty.call(r,"tools/list")||(r["tools/list"]={status:"skipped",durationMs:0})}else r["tools/list"]={status:"skipped",durationMs:0};let u=null,d=[];if(Z(a,"resources")){let{result:g,stepResult:v}=await U("resources/list",()=>n.send(Ze()),e);if(r["resources/list"]=v,u=g,g!==null&&v.status==="completed"){let C=nt(g,"resources");for(let x of C)d.push(x)}else g===null&&t.push({step:"resources/list",message:v.error??"resources/list failed",code:v.status==="timeout"?"TIMEOUT":"ERROR"})}else r["resources/list"]={status:"skipped",durationMs:0};let m=null;if(Z(a,"resources")&&d.length>0){let g=d[0],v=kn(g);if(v!==null){let{result:C,stepResult:x}=await U("resources/read",()=>n.send(Qe(v)),e);r["resources/read"]=x,m=C,C===null&&t.push({step:"resources/read",message:x.error??"resources/read failed",code:x.status==="timeout"?"TIMEOUT":"ERROR"})}else r["resources/read"]={status:"skipped",durationMs:0}}else r["resources/read"]={status:"skipped",durationMs:0};let f=null,h=[];if(Z(a,"prompts")){let{result:g,stepResult:v}=await U("prompts/list",()=>n.send(et()),e);if(r["prompts/list"]=v,f=g,g!==null&&v.status==="completed"){let C=nt(g,"prompts");for(let x of C)h.push(x)}else g===null&&t.push({step:"prompts/list",message:v.error??"prompts/list failed",code:v.status==="timeout"?"TIMEOUT":"ERROR"})}else r["prompts/list"]={status:"skipped",durationMs:0};let y=null;{let g=tt(),{result:v,stepResult:C}=await U("error-probe-unknown",()=>n.send(g),e);r["error-probe-unknown"]=C,y=v}let b=null;{let{result:g,stepResult:v}=await U("error-probe-malformed",()=>n.sendRaw("{ invalid json %%%"),e);r["error-probe-malformed"]=v,b=g}let R=["initialize","initialized","tools/list","resources/list","resources/read","prompts/list","error-probe-unknown","error-probe-malformed"];for(let g of R)Object.prototype.hasOwnProperty.call(r,g)||(r[g]={status:"skipped",durationMs:0});return{initializeRequest:o,initializeResponse:s,initializedSent:c,serverInfo:i,toolsListResponses:l,tools:p,resourcesListResponse:u,resources:d,resourceReadResponse:m,promptsListResponse:f,prompts:h,unknownMethodProbeResponse:y,malformedJsonProbeResponse:b,transportMetadata:n.getMetadata(),errors:t,stepResults:r}}async function U(n,e,t){let r=Date.now();try{return{result:await e(),stepResult:{status:"completed",durationMs:Date.now()-r}}}catch(o){let s=o instanceof Error?o.message:String(o);return{result:null,stepResult:{status:s.toLowerCase().includes("timeout")||s.toLowerCase().includes("timed out")?"timeout":"error",durationMs:Date.now()-r,error:s}}}}function Sn(n,e){if(n.error!==void 0)return null;let t=n.result;if(typeof t!="object"||t===null)return null;let r=t,o=r.serverInfo,s=typeof r.protocolVersion=="string"?r.protocolVersion:e;if(typeof o!="object"||o===null)return{name:"unknown",protocolVersion:s};let i=o;return{name:typeof i.name=="string"?i.name:"unknown",version:typeof i.version=="string"?i.version:void 0,protocolVersion:s}}function nt(n,e){if(n.result===void 0||n.result===null)return[];if(typeof n.result!="object")return[];let r=n.result[e];return Array.isArray(r)?r:[]}function wn(n){if(n.result===void 0||n.result===null||typeof n.result!="object")return;let t=n.result.nextCursor;return typeof t=="string"&&t.length>0?t:void 0}function kn(n){if(typeof n!="object"||n===null)return null;let e=n;return typeof e.uri=="string"?e.uri:null}var xn=new Set([-32700,-32600,-32601,-32602,-32603]);function fr(n){return xn.has(n)}function mr(n){return n>=-32099&&n<=-32e3}function Pn(n){return n>=-32699&&n<=-32604}function On(n){return fr(n)||mr(n)}function En(n){let e=[];n.initializeResponse!==null&&e.push({response:n.initializeResponse,label:"initialize"});for(let t=0;t<n.toolsListResponses.length;t++){let r=n.toolsListResponses[t];r!==void 0&&e.push({response:r,label:`tools/list[${t}]`})}return n.resourcesListResponse!==null&&e.push({response:n.resourcesListResponse,label:"resources/list"}),n.resourceReadResponse!==null&&e.push({response:n.resourceReadResponse,label:"resources/read"}),n.promptsListResponse!==null&&e.push({response:n.promptsListResponse,label:"prompts/list"}),n.unknownMethodProbeResponse!==null&&e.push({response:n.unknownMethodProbeResponse,label:"error-probe-unknown"}),n.malformedJsonProbeResponse!==null&&e.push({response:n.malformedJsonProbeResponse,label:"error-probe-malformed"}),e}function Tn(n,e){let{response:t,label:r}=n,o=t.id??void 0,s=t.jsonrpc==="2.0";e.push({checkId:"JSONRPC-001",name:"JSON-RPC version field",category:"jsonrpc-base",level:s?"pass":"failure",description:s?`Response for "${r}" has jsonrpc: "2.0"`:`Response for "${r}" has incorrect or missing jsonrpc field (got: ${JSON.stringify(t.jsonrpc)})`,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA74",confidence:"deterministic",messageId:o,field:"jsonrpc",details:{label:r}});let i=t.id,a=typeof i=="string"||typeof i=="number"||(r==="error-probe-unknown"||r==="error-probe-malformed")&&i===null;e.push({checkId:"JSONRPC-002",name:"JSON-RPC id field type",category:"jsonrpc-base",level:a?"pass":"failure",description:a?`Response for "${r}" has a valid id field`:`Response for "${r}" has null or invalid id field (got: ${JSON.stringify(i)})`,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA74",confidence:"deterministic",messageId:o,field:"id",details:{label:r}});let l="result"in t,p="error"in t,u=l&&p,d=!l&&!p,m="pass",f=`Response for "${r}" correctly has either result or error (not both)`;u?(m="failure",f=`Response for "${r}" contains both "result" and "error" fields \u2014 they are mutually exclusive per JSON-RPC 2.0`):d&&(m="failure",f=`Response for "${r}" contains neither "result" nor "error" field \u2014 one is required per JSON-RPC 2.0`),e.push({checkId:"JSONRPC-003",name:"JSON-RPC result/error mutual exclusion",category:"jsonrpc-base",level:m,description:f,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA75",confidence:"deterministic",messageId:o,details:{label:r,hasResult:l,hasError:p}})}function $n(n,e){let{response:t,label:r}=n,o=t.id??void 0;if(!("error"in t)||t.error===void 0){e.push({checkId:"JSONRPC-004",name:"JSON-RPC error code validity",category:"jsonrpc-base",level:"pass",description:`Response for "${r}" has no error object \u2014 error code check not applicable`,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA75.1",confidence:"deterministic",messageId:o,details:{label:r}});return}let s=t.error.code,i=s>0,c=fr(s),a=mr(s),l=Pn(s),p=On(s),u="pass",d=`Response for "${r}" has a valid error code ${s}`;i?(u="failure",d=`Response for "${r}" has a positive error code ${s} \u2014 JSON-RPC error codes must be negative integers`):!p&&!l?(u="failure",d=`Response for "${r}" has error code ${s} which is outside all valid JSON-RPC ranges`):l?(u="warning",d=`Response for "${r}" uses reserved error code ${s} (range -32699 to -32604 is currently unassigned)`):c?d=`Response for "${r}" uses standard error code ${s}`:a&&(d=`Response for "${r}" uses server-defined error code ${s} (range -32099 to -32000)`),e.push({checkId:"JSONRPC-004",name:"JSON-RPC error code validity",category:"jsonrpc-base",level:u,description:d,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA75.1",confidence:"deterministic",messageId:o,field:"error.code",details:{label:r,code:s,isStandardRange:c,isServerDefinedRange:a}});let m=typeof t.error.message=="string";e.push({checkId:"JSONRPC-005",name:"JSON-RPC error message type",category:"jsonrpc-base",level:m?"pass":"failure",description:m?`Response for "${r}" error object has a string message field`:`Response for "${r}" error object message field is not a string (got: ${typeof t.error.message})`,specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA75.1",confidence:"deterministic",messageId:o,field:"error.message",details:{label:r}})}function st(n,e){let t=[],r=En(n);if(r.length===0)return t.push({checkId:"JSONRPC-000",name:"JSON-RPC responses present",category:"jsonrpc-base",level:"failure",description:"No JSON-RPC responses found in the exchange record \u2014 cannot validate envelope",specVersion:"2024-11-05",specReference:"JSON-RPC 2.0 \xA74",confidence:"deterministic"}),t;for(let o of r)Tn(o,t),$n(o,t);return t}var P="2024-11-05";function _n(n){let e=n.initializeResponse;return e===null||!("result"in e)||e.result===null||typeof e.result!="object"?null:e.result}function An(n,e){if(n===null){e.push({checkId:"INIT-001",name:"Initialize response present",category:"initialization",level:"failure",description:"No initialize response was received \u2014 cannot validate initialization handshake",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic"});return}e.push({checkId:"INIT-001",name:"Initialize response present",category:"initialization",level:"pass",description:"Initialize response was received from the server",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic"});let t=n.protocolVersion,r=t!=null&&typeof t=="string",o=r&&t.length>0;e.push({checkId:"INIT-002",name:"protocolVersion field",category:"initialization",level:r&&o?"pass":"failure",description:r&&o?`protocolVersion is present and valid: "${t}"`:r?"protocolVersion field is an empty string":"protocolVersion field is absent or not a string in the initialize response",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.protocolVersion",details:{protocolVersion:t}})}function In(n,e){if(n===null)return null;let t=n.capabilities,r=t!=null&&typeof t=="object"&&!Array.isArray(t);if(e.push({checkId:"INIT-003",name:"capabilities object present",category:"initialization",level:r?"pass":"failure",description:r?"capabilities object is present in the initialize response":"capabilities object is absent or not an object in the initialize response",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.capabilities"}),!r)return null;let o=t;return e.push({checkId:"INIT-004",name:"capabilities structure",category:"initialization",level:"pass",description:"capabilities is a valid object (not an array)",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.capabilities"}),o}function Nn(n,e,t){let r=n!==null?n.serverInfo:void 0,o=e.serverInfo,s=r!=null||o!==null;if(t.push({checkId:"INIT-005",name:"serverInfo presence",category:"initialization",level:s?"pass":"warning",description:s?"serverInfo object is present in the initialize response":"serverInfo object is absent from the initialize response \u2014 recommended for identification",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.serverInfo"}),!s)return;let i=r??o;if(i===null||typeof i!="object"){t.push({checkId:"INIT-006",name:"serverInfo.name field",category:"initialization",level:"warning",description:"serverInfo is not a valid object \u2014 cannot validate name field",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.serverInfo.name"});return}let c=i.name,a=typeof c=="string"&&c.length>0;t.push({checkId:"INIT-006",name:"serverInfo.name field",category:"initialization",level:a?"pass":"warning",description:a?`serverInfo.name is present: "${c}"`:"serverInfo.name is absent or empty \u2014 recommended for server identification",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",field:"result.serverInfo.name",details:{name:c}})}function Vn(n,e){e.push({checkId:"INIT-007",name:"initialized notification sent",category:"initialization",level:n.initializedSent?"pass":"warning",description:n.initializedSent?"The initialized notification was sent after the initialize response":"The initialized notification was not sent \u2014 the server may not consider the session active",specVersion:P,specReference:"MCP spec \xA73.1 (Initialization)",confidence:"deterministic",details:{initializedSent:n.initializedSent}})}function jn(n,e,t){if(n===null){t.push({checkId:"INIT-008",name:"Capability negotiation cross-check",category:"initialization",level:"info",description:"Cannot cross-check capability negotiation \u2014 capabilities object was not available",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic"});return}let r="tools"in n&&n.tools!==void 0,o=e.toolsListResponses,s=o.length===0||o.every(h=>"error"in h&&h.error!==void 0);r&&s?t.push({checkId:"INIT-008",name:"tools capability vs tools/list response",category:"initialization",level:"failure",description:"Server declared tools capability but tools/list returned an error or no response",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{toolsDeclared:r,toolsListResponseCount:o.length}}):t.push({checkId:"INIT-008",name:"tools capability vs tools/list response",category:"initialization",level:"pass",description:r?"Server declared tools capability and tools/list responded successfully":"Server did not declare tools capability \u2014 tools/list check not required",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{toolsDeclared:r}});let i="resources"in n&&n.resources!==void 0,c=e.resourcesListResponse,a=i&&(c===null||"error"in c&&c.error!==void 0);i&&a?t.push({checkId:"INIT-009",name:"resources capability vs resources/list response",category:"initialization",level:"failure",description:"Server declared resources capability but resources/list returned an error or no response",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{resourcesDeclared:i}}):t.push({checkId:"INIT-009",name:"resources capability vs resources/list response",category:"initialization",level:"pass",description:i?"Server declared resources capability and resources/list responded successfully":"Server did not declare resources capability \u2014 resources/list check not required",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{resourcesDeclared:i}});let l="prompts"in n&&n.prompts!==void 0,p=e.promptsListResponse,u=l&&(p===null||"error"in p&&p.error!==void 0);l&&u?t.push({checkId:"INIT-010",name:"prompts capability vs prompts/list response",category:"initialization",level:"failure",description:"Server declared prompts capability but prompts/list returned an error or no response",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{promptsDeclared:l}}):t.push({checkId:"INIT-010",name:"prompts capability vs prompts/list response",category:"initialization",level:"pass",description:l?"Server declared prompts capability and prompts/list responded successfully":"Server did not declare prompts capability \u2014 prompts/list check not required",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"deterministic",details:{promptsDeclared:l}});let d=o.some(h=>"result"in h&&h.result!==void 0);!r&&d&&t.push({checkId:"INIT-011",name:"Undeclared tools capability responds",category:"initialization",level:"warning",description:"Server did not declare tools capability but tools/list returned a successful response \u2014 capability advertisement is inconsistent",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"high",details:{toolsDeclared:r}});let m=c!==null&&"result"in c&&c.result!==void 0;!i&&m&&t.push({checkId:"INIT-012",name:"Undeclared resources capability responds",category:"initialization",level:"warning",description:"Server did not declare resources capability but resources/list returned a successful response \u2014 capability advertisement is inconsistent",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"high",details:{resourcesDeclared:i}});let f=p!==null&&"result"in p&&p.result!==void 0;!l&&f&&t.push({checkId:"INIT-013",name:"Undeclared prompts capability responds",category:"initialization",level:"warning",description:"Server did not declare prompts capability but prompts/list returned a successful response \u2014 capability advertisement is inconsistent",specVersion:P,specReference:"MCP spec \xA73.1 (Capability Negotiation)",confidence:"high",details:{promptsDeclared:l}})}function it(n,e){let t=[],r=_n(n);An(r,t);let o=In(r,t);return Nn(r,n,t),Vn(n,t),jn(o,n,t),t}var A="2024-11-05";function F(n){return typeof n=="object"&&n!==null&&!Array.isArray(n)}function Mn(n){return typeof n=="string"&&n.trim().length>0}var hr=new Set(["string","number","integer","boolean","null","array","object"]);function q(n,e,t){if(!F(n)){if(typeof n=="boolean")return;t.push({path:e,message:`Schema node must be an object or boolean, got: ${typeof n}`});return}if("type"in n){let r=n.type;if(Array.isArray(r))for(let o of r)hr.has(o)||t.push({path:`${e}.type`,message:`Unknown type value: ${JSON.stringify(o)}`});else r!==void 0&&!hr.has(r)&&t.push({path:`${e}.type`,message:`Unknown type value: ${JSON.stringify(r)}`})}if("properties"in n){let r=n.properties;if(!F(r))t.push({path:`${e}.properties`,message:"properties must be an object"});else for(let[o,s]of Object.entries(r))q(s,`${e}.properties.${o}`,t)}if("items"in n){let r=n.items;Array.isArray(r)?r.forEach((o,s)=>q(o,`${e}.items[${s}]`,t)):q(r,`${e}.items`,t)}if("additionalProperties"in n){let r=n.additionalProperties;typeof r!="boolean"&&q(r,`${e}.additionalProperties`,t)}if("required"in n){let r=n.required;if(!Array.isArray(r))t.push({path:`${e}.required`,message:"required must be an array"});else for(let o of r)typeof o!="string"&&t.push({path:`${e}.required`,message:`required array items must be strings, got: ${typeof o}`})}for(let r of["allOf","anyOf","oneOf"])if(r in n){let o=n[r];Array.isArray(o)?o.forEach((s,i)=>q(s,`${e}.${r}[${i}]`,t)):t.push({path:`${e}.${r}`,message:`${r} must be an array`})}"not"in n&&q(n.not,`${e}.not`,t);for(let r of["definitions","$defs"])if(r in n){let o=n[r];if(!F(o))t.push({path:`${e}.${r}`,message:`${r} must be an object`});else for(let[s,i]of Object.entries(o))q(i,`${e}.${r}.${s}`,t)}}function Hn(n,e,t){let r=`tools[${e}]`;if(!F(n)){t.push({checkId:"TOOL-001",name:"Tool object structure",category:"tools",level:"failure",description:`${r} is not a valid object`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",details:{index:e}});return}let o=n.name,s=Mn(o),i=s?`"${o}"`:`#${e}`;t.push({checkId:"TOOL-001",name:"Tool name field",category:"tools",level:s?"pass":"failure",description:s?`Tool ${i} has a valid name field`:`Tool at index ${e} is missing a valid name field (got: ${JSON.stringify(o)})`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.name`,details:{index:e,name:o}});let a=typeof n.description=="string";t.push({checkId:"TOOL-002",name:"Tool description field",category:"tools",level:a?"pass":"warning",description:a?`Tool ${i} has a description field`:`Tool ${i} is missing a description field \u2014 recommended for discoverability`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.description`,details:{index:e,toolName:o}});let l=n.inputSchema,p=l!=null;if(t.push({checkId:"TOOL-003",name:"Tool inputSchema presence",category:"tools",level:p?"pass":"failure",description:p?`Tool ${i} has an inputSchema field`:`Tool ${i} is missing the required inputSchema field`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.inputSchema`,details:{index:e,toolName:o}}),!p)return;if(!F(l)){t.push({checkId:"TOOL-004",name:"Tool inputSchema type field",category:"tools",level:"failure",description:`Tool ${i} inputSchema is not a valid object`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.inputSchema`,details:{index:e,toolName:o}});return}let u=l.type,d=u==="object";t.push({checkId:"TOOL-004",name:"Tool inputSchema type field",category:"tools",level:d?"pass":"failure",description:d?`Tool ${i} inputSchema.type is "object"`:`Tool ${i} inputSchema.type must be "object" (got: ${JSON.stringify(u)})`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.inputSchema.type`,details:{index:e,toolName:o,schemaType:u}});let m=l.properties,f="properties"in l&&m!==void 0;if(f){let R=F(m);t.push({checkId:"TOOL-005",name:"Tool inputSchema properties structure",category:"tools",level:R?"pass":"failure",description:R?`Tool ${i} inputSchema.properties is a valid object`:`Tool ${i} inputSchema.properties must be an object (got: ${Array.isArray(m)?"array":typeof m})`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",field:`${r}.inputSchema.properties`,details:{index:e,toolName:o}})}let h=l.required;if("required"in l&&h!==void 0){let R=Array.isArray(h),g=R&&h.every(x=>typeof x=="string"),v="pass",C=`Tool ${i} inputSchema.required is a valid string array`;if(!R)v="failure",C=`Tool ${i} inputSchema.required must be an array (got: ${typeof h})`;else if(!g)v="failure",C=`Tool ${i} inputSchema.required must be an array of strings`;else if(f&&F(m)){let x=new Set(Object.keys(m)),O=h.filter(V=>!x.has(V));O.length>0&&(v="failure",C=`Tool ${i} inputSchema.required references properties not defined in properties: ${O.map(V=>`"${V}"`).join(", ")}`)}t.push({checkId:"TOOL-006",name:"Tool inputSchema required array",category:"tools",level:v,description:C,specVersion:A,specReference:"MCP spec \xA75 (Tools) / JSON Schema draft-07",confidence:"deterministic",field:`${r}.inputSchema.required`,details:{index:e,toolName:o}})}let b=[];if(q(l,`${r}.inputSchema`,b),b.length>0)for(let R of b)t.push({checkId:"TOOL-007",name:"Tool inputSchema structural validity",category:"tools",level:"warning",description:`Tool ${i} inputSchema structural issue at ${R.path}: ${R.message}`,specVersion:A,specReference:"JSON Schema draft-07",confidence:"high",field:R.path,details:{index:e,toolName:o,issuePath:R.path}});else t.push({checkId:"TOOL-007",name:"Tool inputSchema structural validity",category:"tools",level:"pass",description:`Tool ${i} inputSchema passes structural JSON Schema draft-07 validation`,specVersion:A,specReference:"JSON Schema draft-07",confidence:"high",details:{index:e,toolName:o}})}function at(n,e){let t=[],r=n.tools;if(r.length===0){let o=n.initializeResponse,s=!1;if(o!==null&&"result"in o&&o.result!==null&&F(o.result)){let i=o.result.capabilities;F(i)&&"tools"in i&&(s=!0)}return t.push({checkId:"TOOL-000",name:"Tools list presence",category:"tools",level:s?"warning":"info",description:s?"Server declared tools capability but no tools were returned in tools/list":"No tools found in exchange record \u2014 tools capability may not be declared",specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic"}),t}t.push({checkId:"TOOL-000",name:"Tools list presence",category:"tools",level:"pass",description:`${r.length} tool(s) found in exchange record`,specVersion:A,specReference:"MCP spec \xA75 (Tools)",confidence:"deterministic",details:{count:r.length}});for(let o=0;o<r.length;o++)Hn(r[o],o,t);return t}var I="2024-11-05";function ct(n){return typeof n=="object"&&n!==null&&!Array.isArray(n)}function Ln(n){return typeof n=="string"&&n.trim().length>0}function lt(n,e){let t=[],r=n.resourcesListResponse;if(r===null)return t.push({checkId:"RSRC-001",name:"resources/list response presence",category:"resources",level:"info",description:"No resources/list response found \u2014 server may not support resources",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic"}),t;if("error"in r&&r.error!==void 0)return t.push({checkId:"RSRC-001",name:"resources/list response presence",category:"resources",level:"info",description:`resources/list returned an error: ${r.error.message} (code: ${r.error.code})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",details:{errorCode:r.error.code,errorMessage:r.error.message}}),t;t.push({checkId:"RSRC-001",name:"resources/list response presence",category:"resources",level:"pass",description:"resources/list response was received from the server",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic"});let o=r.result;if(!ct(o))return t.push({checkId:"RSRC-002",name:"resources array in response",category:"resources",level:"failure",description:"resources/list result is not a valid object",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:"result"}),t;let s=o.resources,i=Array.isArray(s);if(t.push({checkId:"RSRC-002",name:"resources array in response",category:"resources",level:i?"pass":"failure",description:i?`resources/list result contains a resources array with ${s.length} item(s)`:`resources/list result.resources is not an array (got: ${typeof s})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:"result.resources",details:i?{count:s.length}:{}}),!i)return t;let c=s;for(let d=0;d<c.length;d++){let m=c[d],f=`resources[${d}]`;if(!ct(m)){t.push({checkId:"RSRC-003",name:"Resource object structure",category:"resources",level:"failure",description:`${f} is not a valid object`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",details:{index:d}});continue}let h=m.uri,y=m.name,b=Ln(y)?`"${y}"`:`#${d}`,R=typeof h=="string";t.push({checkId:"RSRC-003",name:"Resource uri field",category:"resources",level:R?"pass":"failure",description:R?`Resource ${b} has a valid uri field: "${h}"`:`Resource ${b} is missing a valid uri field (got: ${JSON.stringify(h)})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:`${f}.uri`,details:{index:d,uri:h}});let g=typeof y=="string";t.push({checkId:"RSRC-004",name:"Resource name field",category:"resources",level:g?"pass":"failure",description:g?`Resource ${b} has a valid name field`:`Resource at index ${d} is missing a valid name field (got: ${JSON.stringify(y)})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:`${f}.name`,details:{index:d,name:y}})}let a=n.resourceReadResponse;if(a===null)return t.push({checkId:"RSRC-005",name:"resources/read response contents",category:"resources",level:"info",description:"No resources/read response found \u2014 read validation skipped",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic"}),t;if("error"in a&&a.error!==void 0)return t.push({checkId:"RSRC-005",name:"resources/read response contents",category:"resources",level:"failure",description:`resources/read returned an error: ${a.error.message} (code: ${a.error.code})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",details:{errorCode:a.error.code,errorMessage:a.error.message}}),t;let l=a.result;if(!ct(l))return t.push({checkId:"RSRC-005",name:"resources/read response contents",category:"resources",level:"failure",description:"resources/read result is not a valid object",specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:"result"}),t;let p=l.contents,u=Array.isArray(p);return t.push({checkId:"RSRC-005",name:"resources/read response contents",category:"resources",level:u?"pass":"failure",description:u?`resources/read result contains a contents array with ${p.length} item(s)`:`resources/read result.contents is not an array (got: ${typeof p})`,specVersion:I,specReference:"MCP spec \xA76 (Resources)",confidence:"deterministic",field:"result.contents",details:u?{count:p.length}:{}}),t}var T="2024-11-05";function pt(n){return typeof n=="object"&&n!==null&&!Array.isArray(n)}function ut(n){return typeof n=="string"&&n.trim().length>0}function dt(n,e){let t=[],r=n.promptsListResponse;if(r===null)return t.push({checkId:"PROMPT-001",name:"prompts/list response presence",category:"prompts",level:"info",description:"No prompts/list response found \u2014 server may not support prompts",specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic"}),t;if("error"in r&&r.error!==void 0)return t.push({checkId:"PROMPT-001",name:"prompts/list response presence",category:"prompts",level:"info",description:`prompts/list returned an error: ${r.error.message} (code: ${r.error.code})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",details:{errorCode:r.error.code,errorMessage:r.error.message}}),t;t.push({checkId:"PROMPT-001",name:"prompts/list response presence",category:"prompts",level:"pass",description:"prompts/list response was received from the server",specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic"});let o=r.result;if(!pt(o))return t.push({checkId:"PROMPT-002",name:"prompts array in response",category:"prompts",level:"failure",description:"prompts/list result is not a valid object",specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:"result"}),t;let s=o.prompts,i=Array.isArray(s);if(t.push({checkId:"PROMPT-002",name:"prompts array in response",category:"prompts",level:i?"pass":"failure",description:i?`prompts/list result contains a prompts array with ${s.length} item(s)`:`prompts/list result.prompts is not an array (got: ${typeof s})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:"result.prompts",details:i?{count:s.length}:{}}),!i)return t;let c=s;for(let a=0;a<c.length;a++){let l=c[a],p=`prompts[${a}]`;if(!pt(l)){t.push({checkId:"PROMPT-003",name:"Prompt object structure",category:"prompts",level:"failure",description:`${p} is not a valid object`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",details:{index:a}});continue}let u=l.name,d=ut(u),m=d?`"${u}"`:`#${a}`;t.push({checkId:"PROMPT-003",name:"Prompt name field",category:"prompts",level:d?"pass":"failure",description:d?`Prompt ${m} has a valid name field`:`Prompt at index ${a} is missing a valid name field (got: ${JSON.stringify(u)})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${p}.name`,details:{index:a,name:u}});let f=l.arguments;if(f==null){t.push({checkId:"PROMPT-004",name:"Prompt arguments structure",category:"prompts",level:"pass",description:`Prompt ${m} has no arguments defined`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",details:{index:a,promptName:u}});continue}if(!Array.isArray(f)){t.push({checkId:"PROMPT-004",name:"Prompt arguments structure",category:"prompts",level:"failure",description:`Prompt ${m} arguments must be an array (got: ${typeof f})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${p}.arguments`,details:{index:a,promptName:u}});continue}t.push({checkId:"PROMPT-004",name:"Prompt arguments structure",category:"prompts",level:"pass",description:`Prompt ${m} has a valid arguments array with ${f.length} item(s)`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${p}.arguments`,details:{index:a,promptName:u,argCount:f.length}});let h=f;for(let y=0;y<h.length;y++){let b=h[y],R=`${p}.arguments[${y}]`;if(!pt(b)){t.push({checkId:"PROMPT-005",name:"Prompt argument object structure",category:"prompts",level:"failure",description:`Prompt ${m} argument at index ${y} is not a valid object`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:R,details:{promptIndex:a,argIndex:y,promptName:u}});continue}let g=b.name,v=b.required,C=ut(g)?`"${g}"`:`#${y}`,x=ut(g);if(t.push({checkId:"PROMPT-005",name:"Prompt argument name field",category:"prompts",level:x?"pass":"failure",description:x?`Prompt ${m} argument ${C} has a valid name field`:`Prompt ${m} argument at index ${y} is missing a valid name field (got: ${JSON.stringify(g)})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${R}.name`,details:{promptIndex:a,argIndex:y,promptName:u,argName:g}}),"required"in b){let O=typeof v=="boolean";t.push({checkId:"PROMPT-006",name:"Prompt argument required field",category:"prompts",level:O?"pass":"failure",description:O?`Prompt ${m} argument ${C} has a valid required field (${v})`:`Prompt ${m} argument ${C} required field must be a boolean (got: ${typeof v})`,specVersion:T,specReference:"MCP spec \xA77 (Prompts)",confidence:"deterministic",field:`${R}.required`,details:{promptIndex:a,argIndex:y,promptName:u,argName:g,argRequired:v}})}}}return t}var ft="2024-11-05";function mt(n,e){let t=[],r=n.transportMetadata;if(r.type!=="stdio")return t;let o=r.preProtocolOutput,s=Array.isArray(o)&&o.length>0;t.push({checkId:"XPORT-001",name:"Stdio extraneous output",category:"transport",level:s?"failure":"pass",description:s?`Server emitted ${o.length} line(s) of non-JSON output before the protocol exchange \u2014 stdio MCP servers must write only JSON-RPC messages on stdout`:"No extraneous output detected before the protocol exchange",specVersion:ft,specReference:"MCP spec \xA72 (Transports) \u2014 stdio",confidence:"deterministic",details:s?{lineCount:o.length,firstLine:o[0]}:{}});let i=r.timing,c=Array.isArray(i)&&i.length>0,a=n.errors.filter(u=>u.message.toLowerCase().includes("frame")||u.message.toLowerCase().includes("delimit")||u.message.toLowerCase().includes("parse")||u.message.toLowerCase().includes("newline")),l=a.length>0;t.push({checkId:"XPORT-002",name:"Stdio line-delimited framing",category:"transport",level:l?"failure":c?"pass":"info",description:l?`Stdio framing errors detected: ${a.map(u=>u.message).join("; ")}`:c?`Stdio line-delimited framing appears correct \u2014 ${i.length} message exchange(s) completed`:"No message timings recorded \u2014 unable to verify stdio framing",specVersion:ft,specReference:"MCP spec \xA72 (Transports) \u2014 stdio",confidence:l?"deterministic":"high",details:{framingErrorCount:a.length,timingCount:i.length}});let p=s?o.filter(u=>{try{return JSON.parse(u),!1}catch{return!0}}):[];return t.push({checkId:"XPORT-003",name:"Stdio stdout JSON-only output",category:"transport",level:p.length>0?"failure":"pass",description:p.length>0?`${p.length} non-JSON line(s) detected on stdout \u2014 stdio MCP servers must not write non-JSON data to stdout`:"All stdout output appears to be valid JSON (no non-JSON lines detected)",specVersion:ft,specReference:"MCP spec \xA72 (Transports) \u2014 stdio",confidence:"deterministic",details:{nonJsonLineCount:p.length,firstNonJsonLine:p[0]??null}}),t}var Q="2024-11-05";function ht(n,e){let t=[],r=n.transportMetadata;if(r.type!=="http")return t;let o=r.httpHeaders,s=r.sseObservations,i=[];for(let[d,m]of Object.entries(o)){let f=m["content-type"]??m["Content-Type"];f!==void 0&&i.push(`${d}: ${f}`)}let c=i.length>0,a=i.some(d=>d.toLowerCase().includes("application/json")),l=i.some(d=>d.toLowerCase().includes("text/event-stream")),p=a||l;if(t.push({checkId:"XPORT-010",name:"HTTP Content-Type headers",category:"transport",level:c?p?"pass":"warning":"info",description:c?p?"HTTP responses have appropriate Content-Type headers (application/json or text/event-stream)":`HTTP responses do not have expected Content-Type headers (got: ${i.join(", ")})`:"No HTTP Content-Type headers recorded \u2014 cannot validate content types",specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP",confidence:c?"deterministic":"low",details:{contentTypeEntries:i,hasJsonContentType:a,hasSseContentType:l}}),s.length===0)t.push({checkId:"XPORT-011",name:"SSE format validation",category:"transport",level:"info",description:"No SSE observations recorded \u2014 SSE format check skipped",specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP / SSE",confidence:"deterministic"});else{let d=s.filter(b=>b.hasDataPrefix),m=s.filter(b=>!b.hasDataPrefix&&!b.hasEventType&&b.rawLine.trim().length>0&&!b.rawLine.startsWith("id:")&&!b.rawLine.startsWith(":")),f=d.length>0,h=m.length>0;t.push({checkId:"XPORT-011",name:"SSE format validation",category:"transport",level:h?"warning":f?"pass":"warning",description:h?`SSE stream contains ${m.length} line(s) that do not conform to SSE format`:f?`SSE stream format is valid \u2014 ${d.length} data line(s) observed`:"SSE observations recorded but no data: lines found \u2014 stream may be empty",specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP / SSE",confidence:"high",details:{totalObservations:s.length,dataLineCount:d.length,malformedLineCount:m.length}});let y=s.filter(b=>b.rawLine.trim().length>0&&!b.rawLine.startsWith(":")).filter(b=>!b.hasDataPrefix&&!b.hasEventType&&!b.rawLine.startsWith("id:"));y.length>0?t.push({checkId:"XPORT-012",name:"SSE data prefix compliance",category:"transport",level:"warning",description:`${y.length} SSE line(s) are missing the required "data:" prefix for data payloads`,specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP / SSE",confidence:"high",details:{violatingLineCount:y.length,exampleLine:y[0]?.rawLine??null}}):d.length>0&&t.push({checkId:"XPORT-012",name:"SSE data prefix compliance",category:"transport",level:"pass",description:'All SSE data payloads have the required "data:" prefix',specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP / SSE",confidence:"high",details:{dataLineCount:d.length}})}let u=[];for(let[d,m]of Object.entries(o)){let f=m["access-control-allow-origin"]??m["Access-Control-Allow-Origin"];f!==void 0&&u.push(`${d}: Access-Control-Allow-Origin: ${f}`)}return t.push({checkId:"XPORT-013",name:"CORS headers present",category:"transport",level:u.length>0?"pass":"info",description:u.length>0?`CORS headers observed on ${u.length} endpoint(s)`:"No CORS headers observed \u2014 may be an issue if the server is accessed from a browser context",specVersion:Q,specReference:"MCP spec \xA72 (Transports) \u2014 Streamable HTTP",confidence:"deterministic",details:{corsEntries:u,corsCount:u.length}}),t}var B="2024-11-05";function gt(n,e){let t=[],r=n.unknownMethodProbeResponse;if(r===null)t.push({checkId:"ERRH-001",name:"Unknown method probe response",category:"error-handling",level:"failure",description:"No response received for unknown-method probe \u2014 server must respond to unknown methods with JSON-RPC error -32601 (Method Not Found)",specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic"});else if(!("error"in r)||r.error===void 0)t.push({checkId:"ERRH-001",name:"Unknown method probe response",category:"error-handling",level:"failure",description:"Unknown-method probe returned a successful result instead of an error \u2014 server must return -32601 (Method Not Found) for unknown methods",specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",details:{hasResult:"result"in r}});else{let i=r.error.code,c=i===-32601;t.push({checkId:"ERRH-001",name:"Unknown method probe response",category:"error-handling",level:c?"pass":"failure",description:c?"Unknown-method probe correctly returned error code -32601 (Method Not Found)":`Unknown-method probe returned error code ${i} \u2014 expected -32601 (Method Not Found)`,specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",field:"error.code",details:{receivedCode:i,expectedCode:-32601}})}let o=n.malformedJsonProbeResponse;if(o===null)t.push({checkId:"ERRH-002",name:"Malformed JSON probe response",category:"error-handling",level:"failure",description:"No response received for malformed-JSON probe \u2014 server must respond to malformed JSON with JSON-RPC error -32700 (Parse Error)",specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic"});else if(!("error"in o)||o.error===void 0)t.push({checkId:"ERRH-002",name:"Malformed JSON probe response",category:"error-handling",level:"failure",description:"Malformed-JSON probe returned a successful result instead of an error \u2014 server must return -32700 (Parse Error) for malformed JSON",specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",details:{hasResult:"result"in o}});else{let i=o.error.code,c=i===-32700;t.push({checkId:"ERRH-002",name:"Malformed JSON probe response",category:"error-handling",level:c?"pass":"failure",description:c?"Malformed-JSON probe correctly returned error code -32700 (Parse Error)":`Malformed-JSON probe returned error code ${i} \u2014 expected -32700 (Parse Error)`,specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",field:"error.code",details:{receivedCode:i,expectedCode:-32700}})}let s=t.filter(i=>i.level==="failure").length;return t.push({checkId:"ERRH-003",name:"Error handling conformance summary",category:"error-handling",level:s===0?"pass":"info",description:s===0?"Server correctly handles both unknown-method and malformed-JSON error probes":`${s} error handling probe(s) failed \u2014 server error handling is not fully conformant`,specVersion:B,specReference:"JSON-RPC 2.0 \xA75.1 / MCP spec \xA73 (Error Handling)",confidence:"deterministic",details:{probeFailureCount:s}}),t}var yt=[st,it,at,lt,dt,mt,ht,gt];function bt(n,e){let t=[];for(let r of yt)try{let o=r(n,e);t.push(...o)}catch(o){t.push({checkId:"RUNNER-ERROR",name:"Validator runtime error",category:"jsonrpc-base",level:"info",description:`A validator threw an unexpected error: ${o instanceof Error?o.message:String(o)}`,specVersion:"2024-11-05",specReference:"N/A",confidence:"deterministic"})}return t}var vt={"jsonrpc-base":.2,initialization:.25,tools:.25,resources:.1,prompts:.1,transport:.1,"error-handling":0},Rt=15,Ct=7;var Dn=["jsonrpc-base","initialization","tools","resources","prompts","transport"],gr=[...Dn,"error-handling"];function Fn(n){return n.some(e=>e.checkId==="INIT-001"&&e.level==="failure")}function St(n,e,t){let r=new Map;for(let a of gr)r.set(a,[]);for(let a of n){let l=r.get(a.category);l!==void 0&&l.push(a)}let o=[];for(let a of gr){let l=r.get(a)??[],p=l.filter(y=>y.level==="failure").length,u=l.filter(y=>y.level==="warning").length,d=l.filter(y=>y.level==="pass").length,m=l.length,f=100-p*Rt-u*Ct,h=Math.max(0,f);o.push({category:a,score:h,weight:vt[a],totalChecks:m,passCount:d,failCount:p,warnCount:u})}if(Fn(n))return{overallScore:0,categoryScores:o,exitCode:0,pass:!1};let s=0,i=0;for(let a of o)a.weight>0&&(s+=a.score*a.weight,i+=a.weight);let c=i>0?s/i:0;return{overallScore:Math.round(c*10)/10,categoryScores:o,exitCode:0,pass:!0}}var yr=["info","low","medium","high","critical"];function br(n){return yr.indexOf(n)}function Jn(n){return n==="none"?yr.length:br(n)}function wt(n,e,t){let r=n.overallScore<t.conformanceThreshold,o=Jn(t.failOnSeverity),s=e.some(i=>!i.suppressed&&br(i.severity)>=o);return r||s?1:0}var vr="command-injection";var qn=/^(command|cmd|exec|shell|script|args|argv|path|file|filename|dir|directory)$/i,zn=/\b(execute|run\s+command|shell|script|path\s+to)\b/i;function Wn(n){return!!(typeof n.pattern=="string"&&n.pattern.length>0||Array.isArray(n.enum)&&n.enum.length>0)}function Un(n){return n.type==="string"||n.type===void 0}function Bn(n,e){let t=[],r=n.inputSchema?.properties;if(!r||typeof r!="object")return t;for(let[o,s]of Object.entries(r)){if(typeof s!="object"||s===null||!Un(s)||Wn(s))continue;let i=s,c=qn.test(o),a=typeof i.description=="string"&&zn.test(i.description);if(c||a){e.count++;let l=c?`parameter name "${o}" matches shell execution pattern`:"parameter description contains execution keywords";t.push({id:`SEC-${String(e.count).padStart(3,"0")}`,checkId:vr,severity:"high",cvssScore:8.1,component:`tool "${n.name}" / param "${o}"`,title:"Command Injection Susceptibility",description:`Tool "${n.name}" has an unconstrained string parameter "${o}" \u2014 ${l}. Without a \`pattern\` or \`enum\` constraint, this parameter could be used to inject shell commands.`,remediation:`Add a \`pattern\` constraint (e.g., "^[a-zA-Z0-9_-]+$") or \`enum\` constraint to the "${o}" parameter in tool "${n.name}".`,confidence:"heuristic",evidence:{toolName:n.name,paramName:o,paramType:i.type??"string (implicit)",matchedOn:c?"parameterName":"description"},suppressed:!1})}}return t}var kt={id:vr,name:"Command Injection Susceptibility Detection",check(n){let e=n.exchange.tools;if(!Array.isArray(e)||e.length===0)return[];let t=[],r={count:0};for(let o of e){if(typeof o!="object"||o===null)continue;let s=Bn(o,r);t.push(...s)}return t}};var Rr="cors-wildcard";var xt={id:Rr,name:"CORS Wildcard Policy Detection",check(n){if(n.exchange.transportMetadata.type==="stdio")return[];let e=[],t=n.exchange.transportMetadata.httpHeaders,r=0;if(!t||typeof t!="object")return[];for(let[o,s]of Object.entries(t)){if(!s||typeof s!="object")continue;Gn(s,"access-control-allow-origin")==="*"&&(r++,e.push({id:`SEC-${String(r).padStart(3,"0")}`,checkId:Rr,severity:"high",cvssScore:7.5,component:o,title:"CORS Wildcard Policy",description:`Endpoint "${o}" returns Access-Control-Allow-Origin: * which permits cross-origin requests from any web origin. This allows any website to invoke MCP tools on this server.`,remediation:'Restrict the Access-Control-Allow-Origin header to specific trusted origins instead of using the wildcard "*".',confidence:"deterministic",evidence:{endpoint:o,header:"Access-Control-Allow-Origin",value:"*"},suppressed:!1}))}return e}};function Gn(n,e){let t=e.toLowerCase();for(let[r,o]of Object.entries(n))if(r.toLowerCase()===t)return o}var Cr="auth-gap";var Yn=new Set(["localhost","127.0.0.1","::1","[::1]"]),Kn=[/^10\./,/^172\.(1[6-9]|2\d|3[01])\./,/^192\.168\./,/^fd[0-9a-f]{2}:/i];function Xn(n){return Yn.has(n.toLowerCase())}function Zn(n){return Kn.some(e=>e.test(n))}function Qn(n){let e=new Map(Object.entries(n).map(([t,r])=>[t.toLowerCase(),r]));return e.has("www-authenticate")||e.has("authorization")}var Pt={id:Cr,name:"Authentication Gap Detection",check(n){if(n.exchange.transportMetadata.type==="stdio")return[];let e=n.exchange.transportMetadata,t=e.target,r;try{r=new URL(t).hostname}catch{return[]}if(Xn(r))return[];let o=e.httpHeaders,s=!1;if(o&&typeof o=="object"){for(let d of Object.values(o))if(d&&typeof d=="object"&&Qn(d)){s=!0;break}}if(s)return[];let i=e.resolvedAddress??r,c=e.addressType??(Zn(i)?"private":"public"),a=c==="public",l=a?"critical":"medium",p=a?9.8:6.5,u=a?"public internet":"private network";return[{id:"SEC-001",checkId:Cr,severity:l,cvssScore:p,component:t,title:"Authentication Gap",description:`MCP server at "${t}" (${u}, resolved: ${i}) responds to initialize without requiring authentication. Any client on the ${u} can invoke tools on this server.`,remediation:"Add authentication to the MCP server. Recommended approaches: Bearer token authentication, OAuth 2.0 client credentials, or mutual TLS for machine-to-machine communication.",confidence:"heuristic",evidence:{host:r,resolvedAddress:i,addressType:c,authHeaderPresent:!1,wwwAuthenticatePresent:!1},suppressed:!1}]}};var Sr="tool-poisoning";var eo=[{pattern:/IGNORE\s+PREVIOUS/i,label:"IGNORE PREVIOUS"},{pattern:/\[SYSTEM\]/i,label:"[SYSTEM]"},{pattern:/<system>/i,label:"<system>"},{pattern:/\bDO\s+NOT\b(?=.*\b(?:tell|reveal|mention|show|share|disclose)\b)/i,label:"DO NOT (directive)"},{pattern:/\byou\s+must\b/i,label:"you must"},{pattern:/\byou\s+are\s+now\b/i,label:"you are now"},{pattern:/\bforget\s+(?:all|your|previous|everything)\b/i,label:"forget instructions"},{pattern:/\bpretend\s+(?:to\s+be|you\s+are)\b/i,label:"pretend to be"},{pattern:/\bact\s+as\s+(?:a|an|if)\b/i,label:"act as"},{pattern:/\bnew\s+instructions?\b/i,label:"new instructions"}],to=/<\/?(?:system|prompt|instruction|role|context|message)\b[^>]*>/i,ro=/^[A-Za-z0-9+/]{20,}={0,2}$/,no=/%[0-9A-Fa-f]{2}/,Ot={id:Sr,name:"Tool Poisoning Pattern Detection",check(n){let e=n.exchange.tools;if(!Array.isArray(e)||e.length===0)return[];let t=[],r=0;for(let o of e){if(typeof o!="object"||o===null)continue;let s=o;if(typeof s.name!="string"||(no.test(s.name)&&(r++,t.push(ce(r,s.name,"URL-encoded characters in tool name",`Tool name "${s.name}" contains URL-encoded substrings`))),ro.test(s.name)&&(r++,t.push(ce(r,s.name,"Base64-encoded tool name",`Tool name "${s.name}" appears to be Base64-encoded`))),typeof s.description!="string"))continue;let i=s.description.slice(0,1e4);i.length>2e3&&(r++,t.push(ce(r,s.name,"Suspiciously long tool description",`Tool "${s.name}" has a description of ${s.description.length} characters (threshold: 2000). Long descriptions may contain hidden instructions.`)));for(let{pattern:c,label:a}of eo)if(c.test(i)){r++,t.push(ce(r,s.name,`Prompt injection pattern: "${a}"`,`Tool "${s.name}" description contains the pattern "${a}" which is commonly used in prompt injection attacks to hijack model behavior.`));break}to.test(i)&&(r++,t.push(ce(r,s.name,"XML/HTML system tags in description",`Tool "${s.name}" description contains XML/HTML tags that appear to embed system-prompt instructions.`)))}return t}};function ce(n,e,t,r){return{id:`SEC-${String(n).padStart(3,"0")}`,checkId:Sr,severity:"critical",cvssScore:8.8,component:`tool "${e}"`,title:t,description:r,remediation:`Review and sanitize the tool metadata for "${e}". Remove any instruction-like text, encoded strings, or system prompt patterns from tool names and descriptions.`,confidence:"heuristic",evidence:{toolName:e},suppressed:!1}}var wr="info-leakage";var oo=[{pattern:/at\s+\S+\s+\([^)]+:\d+:\d+\)/,label:"Node.js stack trace"},{pattern:/at\s+Object\.<anonymous>/,label:"Node.js anonymous stack frame"},{pattern:/at\s+Function\./,label:"Node.js Function stack frame"},{pattern:/at\s+Module\._compile/,label:"Node.js module stack frame"},{pattern:/Traceback \(most recent call last\)/,label:"Python traceback"},{pattern:/File "[^"]+", line \d+/,label:"Python file reference"},{pattern:/at\s+\w+\.\w+\([^)]*\)\s+in\s+/,label:".NET stack trace"}],so=[{pattern:/\/home\/\w+/,label:"Unix home directory"},{pattern:/\/var\/\w+/,label:"Unix /var path"},{pattern:/\/usr\/\w+/,label:"Unix /usr path"},{pattern:/\/etc\/\w+/,label:"Unix /etc path"},{pattern:/\/tmp\/\w+/,label:"Unix /tmp path"},{pattern:/[A-Z]:\\Users\\/i,label:"Windows Users path"},{pattern:/[A-Z]:\\Program Files/i,label:"Windows Program Files path"}],io=[{pattern:/process\.env\.\w+/,label:"Node.js process.env reference"},{pattern:/ENV\[\s*['"][^'"]+['"]\s*\]/,label:"ENV[] reference"},{pattern:/\$ENV_\w+/,label:"$ENV_ variable"},{pattern:/\bexport\s+\w+=/,label:"shell export statement"},{pattern:/os\.environ\b/,label:"Python os.environ reference"}];function ao(n){let e=[];if(!n||typeof n!="object")return e;let t=n;if(t.error&&typeof t.error=="object"){let r=t.error;if(typeof r.message=="string"&&e.push(r.message.slice(0,1e4)),typeof r.data=="string"&&e.push(r.data.slice(0,1e4)),r.data&&typeof r.data=="object"){let o=r.data;typeof o.message=="string"&&e.push(o.message.slice(0,1e4)),typeof o.stack=="string"&&e.push(o.stack.slice(0,1e4))}}return e}function co(n){let e=/^(Method not found|Internal error|Invalid params|Parse error|Invalid request|Server error)$/i;return n.length<100&&e.test(n.trim())}var $t={id:wr,name:"Information Leakage Detection",check(n){let e=[],t=0,r=[n.exchange.unknownMethodProbeResponse,n.exchange.malformedJsonProbeResponse];for(let o of r){if(!o)continue;let s=ao(o);for(let i of s)if(!co(i)){for(let{pattern:c,label:a}of oo)if(c.test(i)){t++,e.push(Et(t,a,`Error response contains ${a} indicating verbose error output. Stack traces reveal internal code structure and file locations.`,Tt(i,c)));break}for(let{pattern:c,label:a}of so)if(c.test(i)){t++,e.push(Et(t,a,`Error response contains ${a} exposing internal server filesystem structure.`,Tt(i,c)));break}for(let{pattern:c,label:a}of io)if(c.test(i)){t++,e.push(Et(t,a,`Error response contains ${a} exposing server environment configuration.`,Tt(i,c)));break}}}return e}};function Et(n,e,t,r){return{id:`SEC-${String(n).padStart(3,"0")}`,checkId:wr,severity:"medium",cvssScore:5.3,component:"error response",title:`Information Leakage: ${e}`,description:t,remediation:"Return generic error messages in production. Avoid including stack traces, file paths, or environment variable names in error responses.",confidence:"deterministic",evidence:{matchType:e,snippet:r},suppressed:!1}}function Tt(n,e){let t=n.match(e);if(!t||t.index===void 0)return"[redacted]";let r=Math.max(0,t.index-15),o=Math.min(n.length,t.index+t[0].length+15),s=n.slice(r,o);return r>0&&(s="..."+s),o<n.length&&(s=s+"..."),s}var lo=[kt,xt,Pt,Ot,$t];function _t(n,e){let t={exchange:n,config:e},r=[],o=0;for(let s of lo){let i=s.check(t);for(let c of i){if(o++,c.id=`SEC-${String(o).padStart(3,"0")}`,e.skip.includes(c.checkId)){c.suppressed=!0;let a=e.skipJustifications[c.checkId];a!==void 0&&(c.justification=a)}r.push(c)}}return r}Se();var le=class{config;constructor(e){this.config=e}format(e){let t={schemaVersion:"1.0",meta:{toolVersion:e.meta.toolVersion,specVersion:e.meta.specVersion,timestamp:e.meta.timestamp,target:e.meta.target,transport:e.meta.transport,durationMs:e.meta.durationMs,checkMode:this.config.checkMode,thresholds:{conformanceThreshold:this.config.conformanceThreshold,failOnSeverity:this.config.failOnSeverity}},conformance:{score:e.conformance.score,breakdown:e.conformance.breakdown,violations:e.conformance.violations},security:{findings:e.security.findings,suppressed:e.security.suppressed},summary:{pass:e.summary.pass,exitCode:e.summary.exitCode,blockerCount:e.summary.blockerCount}};return JSON.stringify(t,null,2)}};var Tr={"jsonrpc-base":"JSON-RPC Base",initialization:"Initialization",tools:"Tools",resources:"Resources",prompts:"Prompts",transport:"Transport","error-handling":"Error Handling"},So=["jsonrpc-base","initialization","tools","resources","prompts","transport"],we=["jsonrpc-base","initialization","tools","resources","prompts","transport","error-handling"];function wo(n){return n==="http"?"HTTP+SSE":"stdio"}function ko(n){return n<1e3?`${n}ms`:`${(n/1e3).toFixed(1)}s`}function ke(n,e){let t=n.length,r=n.map(a=>a.length);for(let a of e)for(let l=0;l<t;l++){let p=a[l]??"";p.length>(r[l]??0)&&(r[l]=p.length)}function o(a,l){return a.padEnd(r[l]??a.length," ")}let s="| "+n.map((a,l)=>o(a,l)).join(" | ")+" |",i="| "+r.map(a=>"-".repeat(Math.max(a,1))).join(" | ")+" |",c=e.map(a=>"| "+a.map((l,p)=>o(l,p)).join(" | ")+" |");return[s,i,...c].join(`
|
|
29
|
+
`)}function xo(n){let{meta:e}=n,t=[["Target",e.target],["Transport",wo(e.transport)],["Tool Version",e.toolVersion],["Spec Version",`MCP ${e.specVersion}`],["Timestamp",e.timestamp],["Duration",ko(e.durationMs)],["Check Mode",e.checkMode]];return ke(["Field","Value"],t)}function Po(n){let{conformance:e,security:t,summary:r}=n,o=t.findings,s=0,i=0,c=0,a=0;for(let u of o)switch(u.severity){case"critical":s++;break;case"high":i++;break;case"medium":c++;break;case"low":a++;break;default:break}let l=r.pass?"PASS":"FAIL",p=[["Conformance Score",`${e.score}/100`],["Critical Findings",String(s)],["High Findings",String(i)],["Medium Findings",String(c)],["Low Findings",String(a)],["**Verdict**",`**${l}**`]];return ke(["Metric","Value"],p)}function Oo(n){let e=new Map;for(let t of we)e.set(t,{totalChecks:0,failures:0,warnings:0});for(let t of n){let r=e.get(t.category);r!==void 0&&(r.totalChecks++,t.level==="failure"&&r.failures++,t.level==="warning"&&r.warnings++)}return e}function Eo(n){let{conformance:e}=n,t=Oo(e.violations),r=[];for(let o of we){let s=Tr[o],i=t.get(o)??{totalChecks:0,failures:0,warnings:0},c=So.includes(o)?String(e.breakdown[o]??0):"N/A";r.push([s,c,String(i.totalChecks),String(i.failures),String(i.warnings)])}return ke(["Category","Score","Checks","Failures","Warnings"],r)}function To(n){let{conformance:e}=n,t=[],r=new Map;for(let o of we)r.set(o,[]);for(let o of e.violations){let s=r.get(o.category);s!==void 0&&s.push(o)}for(let o of we){let s=Tr[o];t.push(`### ${s}`);let c=(r.get(o)??[]).filter(a=>a.level!=="pass");if(c.length===0)t.push("- [x] All checks passed");else for(let a of c){let l=a.level==="failure"?"[FAIL]":a.level==="warning"?"[WARN]":"[INFO]",p=a.field!==void 0?` (field: \`${a.field}\`)`:"";t.push(`- [ ] **${l}** ${a.description}${p} (${a.checkId})`)}t.push("")}return t.length>0&&t[t.length-1]===""&&t.pop(),t.join(`
|
|
30
|
+
`)}function $o(n){let{security:e}=n,t=e.findings;if(t.length===0)return"_No active security findings._";let r=[];for(let o of t)r.push(`### ${o.checkId}: ${o.title}`),r.push(`- **Severity:** ${o.severity.charAt(0).toUpperCase()}${o.severity.slice(1)} | **CVSS:** ${o.cvssScore} | **Confidence:** ${o.confidence}`),r.push(`- **Component:** ${o.component}`),r.push(`- **Description:** ${o.description}`),r.push(`- **Remediation:** ${o.remediation}`),r.push("");return r.length>0&&r[r.length-1]===""&&r.pop(),r.join(`
|
|
31
|
+
`)}function _o(n){let{suppressed:e}=n.security;if(e.length===0)return"_No suppressed findings._";let t=e.map(r=>[`${r.title} (${r.checkId})`,r.severity.charAt(0).toUpperCase()+r.severity.slice(1),r.justification??"_No justification provided_"]);return ke(["Finding","Severity","Justification"],t)}var pe=class{format(e){let{meta:t}=e,r=[];return r.push("# MCP Verify Report"),r.push(""),r.push(xo(e)),r.push(""),r.push("## Summary"),r.push(""),r.push(Po(e)),r.push(""),r.push("## Conformance Score"),r.push(""),r.push(Eo(e)),r.push(""),r.push("## Conformance Violations"),r.push(""),r.push(To(e)),r.push(""),r.push("## Security Findings"),r.push(""),r.push($o(e)),r.push(""),r.push("## Suppressed Findings"),r.push(""),r.push(_o(e)),r.push(""),r.push("---"),r.push(`*Generated by mcp-verify ${t.toolVersion} | MCP spec ${t.specVersion} | ${t.timestamp}*`),r.join(`
|
|
32
|
+
`)}};Se();function It(n){switch(n.format){case"terminal":return new re(n.noColor);case"json":return new le(n);case"markdown":return new pe;case"sarif":throw new Error(`${n.format} reporter not yet implemented (Sprint 3)`);default:throw new Error(`Unknown format: ${n.format}`)}}var ue=require("fs"),Nt=require("path"),Ao=["mcp-verify.json",".mcp-verify.json"];function Io(n,e){let t;try{t=JSON.parse(n)}catch(r){let o=r instanceof Error?r.message:String(r);process.stderr.write(`Error: Config file "${e}" contains invalid JSON: ${o}
|
|
33
33
|
`),process.exit(2)}return(typeof t!="object"||t===null||Array.isArray(t))&&(process.stderr.write(`Error: Config file "${e}" must be a JSON object at the top level.
|
|
34
|
-
`),process.exit(2)),t}function
|
|
35
|
-
`),process.exit(2))
|
|
36
|
-
`)}var N=class{getHistoryDir(){let e=(0,Vt.join)((0
|
|
34
|
+
`),process.exit(2)),t}function $r(n){let e=(0,ue.readFileSync)(n,"utf-8");return Io(e,n)}function xe(n,e=process.cwd()){if(n!==void 0){let t=(0,Nt.resolve)(e,n);return(0,ue.existsSync)(t)||(process.stderr.write(`Error: Config file not found: "${t}"
|
|
35
|
+
`),process.exit(2)),$r(t)}for(let t of Ao){let r=(0,Nt.resolve)(e,t);if((0,ue.existsSync)(r))return $r(r)}return null}function Pe(n,e,t){let r=n.skip!==void 0?n.skip:e?.skip!==void 0?e.skip.map(s=>s.checkId):k.skip,o=n.skipJustifications!==void 0?n.skipJustifications:e?.skip!==void 0?Object.fromEntries(e.skip.filter(s=>s.justification!==void 0).map(s=>[s.checkId,s.justification])):k.skipJustifications;return{target:t,timeout:n.timeout!==void 0?n.timeout:e?.timeout!==void 0?e.timeout:k.timeout,format:n.format!==void 0?n.format:e?.format!==void 0?e.format:k.format,transport:n.transport!==void 0?n.transport:e?.transport!==void 0?e.transport:k.transport,failOnSeverity:n.failOnSeverity!==void 0?n.failOnSeverity:e?.failOnSeverity!==void 0?e.failOnSeverity:k.failOnSeverity,conformanceThreshold:n.conformanceThreshold!==void 0?n.conformanceThreshold:e?.conformanceThreshold!==void 0?e.conformanceThreshold:k.conformanceThreshold,skip:r,skipJustifications:o,checkMode:n.checkMode!==void 0?n.checkMode:e?.checkMode!==void 0?e.checkMode:k.checkMode,noColor:n.noColor!==void 0?n.noColor:k.noColor,verbose:n.verbose!==void 0?n.verbose:e?.verbose!==void 0?e.verbose:k.verbose,output:n.output!==void 0?n.output:e?.output!==void 0?e.output:k.output,noHistory:n.noHistory!==void 0?n.noHistory:k.noHistory,headers:{...e?.headers??{},...n.headers??{}}}}var j=require("fs"),Vt=require("path"),_r=require("os");function ne(n){process.env.DEBUG&&process.stderr.write(`[mcp-verify:history] ${n}
|
|
36
|
+
`)}var N=class{getHistoryDir(){let e=(0,Vt.join)((0,_r.homedir)(),".mcp-verify","history");if(!(0,j.existsSync)(e))try{(0,j.mkdirSync)(e,{recursive:!0})}catch(t){return ne(`Could not create history directory "${e}": ${t instanceof Error?t.message:String(t)}`),null}return e}encodeTarget(e){return encodeURIComponent(e).replace(/%/g,"_")}targetFilePath(e,t){return(0,Vt.join)(e,`${this.encodeTarget(t)}.jsonl`)}appendRun(e,t){let r=this.getHistoryDir();if(r===null){ne(`Skipping history append for target "${e}" \u2014 directory unavailable`);return}let o=this.targetFilePath(r,e),s=JSON.stringify(t)+`
|
|
37
37
|
`;try{(0,j.appendFileSync)(o,s,"utf-8")}catch(i){ne(`Could not append history for target "${e}" at "${o}": ${i instanceof Error?i.message:String(i)}`)}}getHistory(e){let t=this.getHistoryDir();if(t===null)return[];let r=this.targetFilePath(t,e);if(!(0,j.existsSync)(r))return[];let o;try{o=(0,j.readFileSync)(r,"utf-8")}catch(i){return ne(`Could not read history for target "${e}" at "${r}": ${i instanceof Error?i.message:String(i)}`),[]}let s=[];for(let i of o.split(`
|
|
38
|
-
`)){let c=i.trim();if(c.length!==0)try{s.push(JSON.parse(c))}catch{ne(`Skipping malformed JSONL line in "${r}": ${c}`)}}return s}getLatestRun(e){let t=this.getHistory(e);return t.length>0?t[t.length-1]??null:null}getAllTargets(){let e=this.getHistoryDir();if(e===null)return[];let t;try{t=(0,j.readdirSync)(e)}catch(r){return ne(`Could not list history directory "${e}": ${r instanceof Error?r.message:String(r)}`),[]}return t.filter(r=>r.endsWith(".jsonl")).map(r=>{let o=r.slice(0,-6);try{return decodeURIComponent(o.replace(/_/g,"%"))}catch{return o}})}};function
|
|
39
|
-
`)}function Mt(n){let e=n!==void 0?(0,de.join)(n,".mcp-verify","baselines"):(0,de.join)((0,
|
|
40
|
-
`,"utf-8")}catch(i){throw new Error(`Cannot save baseline for "${n}" at "${s}": ${i instanceof Error?i.message:String(i)}`)}}function Ht(n,e){let t=Mt(e);if(t===null)return null;let r=
|
|
38
|
+
`)){let c=i.trim();if(c.length!==0)try{s.push(JSON.parse(c))}catch{ne(`Skipping malformed JSONL line in "${r}": ${c}`)}}return s}getLatestRun(e){let t=this.getHistory(e);return t.length>0?t[t.length-1]??null:null}getAllTargets(){let e=this.getHistoryDir();if(e===null)return[];let t;try{t=(0,j.readdirSync)(e)}catch(r){return ne(`Could not list history directory "${e}": ${r instanceof Error?r.message:String(r)}`),[]}return t.filter(r=>r.endsWith(".jsonl")).map(r=>{let o=r.slice(0,-6);try{return decodeURIComponent(o.replace(/_/g,"%"))}catch{return o}})}};function Ar(n){return`${n.checkId}::${n.title}`}function Ir(n){return n.description.trim().length>0?n.description:n.title}function jt(n,e,t=[],r=[]){let o=n.conformanceScore,s=e.conformanceScore,i=s-o,c=new Map;for(let u of t)u.suppressed||c.set(Ar(u),Ir(u));let a=new Map;for(let u of r)u.suppressed||a.set(Ar(u),Ir(u));let l=[];for(let[u,d]of a)c.has(u)||l.push(d);let p=[];for(let[u,d]of c)a.has(u)||p.push(d);return{previousScore:o,currentScore:s,scoreDelta:i,previousFindingsCount:n.securityFindingsCount,currentFindingsCount:e.securityFindingsCount,newFindings:l,resolvedFindings:p,isRegression:i<0}}var J=require("fs"),de=require("path"),Nr=require("os");var Vr=new N;function jr(n){process.env.DEBUG&&process.stderr.write(`[mcp-verify:baseline] ${n}
|
|
39
|
+
`)}function Mt(n){let e=n!==void 0?(0,de.join)(n,".mcp-verify","baselines"):(0,de.join)((0,Nr.homedir)(),".mcp-verify","baselines");if(!(0,J.existsSync)(e))try{(0,J.mkdirSync)(e,{recursive:!0})}catch(t){return jr(`Could not create baselines directory "${e}": ${t instanceof Error?t.message:String(t)}`),null}return e}function Oe(n,e,t){let r=Mt(t);if(r===null)throw new Error(`Cannot save baseline for "${n}": baseline directory is not writable`);let o=Vr.encodeTarget(n),s=(0,de.join)(r,`${o}.json`);try{(0,J.writeFileSync)(s,JSON.stringify(e,null,2)+`
|
|
40
|
+
`,"utf-8")}catch(i){throw new Error(`Cannot save baseline for "${n}" at "${s}": ${i instanceof Error?i.message:String(i)}`)}}function Ht(n,e){let t=Mt(e);if(t===null)return null;let r=Vr.encodeTarget(n),o=(0,de.join)(t,`${r}.json`);if(!(0,J.existsSync)(o))return null;let s;try{s=(0,J.readFileSync)(o,"utf-8")}catch(i){return jr(`Could not read baseline for "${n}" at "${o}": ${i instanceof Error?i.message:String(i)}`),null}try{return JSON.parse(s)}catch(i){throw new Error(`Baseline file for "${n}" at "${o}" contains invalid JSON: ${i instanceof Error?i.message:String(i)}`)}}var Mr=require("http");var Lt=`<!DOCTYPE html>
|
|
41
41
|
<html lang="en">
|
|
42
42
|
<head>
|
|
43
43
|
<meta charset="UTF-8" />
|
|
@@ -702,47 +702,47 @@ Expecting one of '${r.join("', '")}'`);let o=`${e}Help`;return this.on(o,s=>{let
|
|
|
702
702
|
loadPortfolio();
|
|
703
703
|
</script>
|
|
704
704
|
</body>
|
|
705
|
-
</html>`;var
|
|
706
|
-
`),process.on("SIGINT",()=>{e.stop().finally(()=>{process.exit(0)})}),e}var
|
|
705
|
+
</html>`;var Hr="default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'";function No(n){if(n.length<2)return"stable";let e=n.slice(-3),t=e[0]??0,o=(e[e.length-1]??0)-t;return o>2?"up":o<-2?"down":"stable"}function M(n,e,t){let r=JSON.stringify(t);n.writeHead(e,{"Content-Type":"application/json","Content-Security-Policy":Hr,"Cache-Control":"no-store"}),n.end(r)}function Vo(n,e,t){n.writeHead(e,{"Content-Type":"text/html; charset=utf-8","Content-Security-Policy":Hr,"Cache-Control":"no-store"}),n.end(t)}function jo(n){let e=n.url??"/",t=e.indexOf("?");return t===-1?e:e.slice(0,t)}function Mo(n){return function(t,r){let o=jo(t);if(o==="/api/targets"){if(t.method!=="GET"){M(r,405,{error:"Method Not Allowed"});return}let a=n.getAllTargets().map(l=>{let p=n.getHistory(l),u=p[p.length-1],d=p.map(m=>m.conformanceScore);return{target:l,latestScore:u?.conformanceScore??0,findingsCount:u?.securityFindingsCount??0,trend:No(d),lastRun:u?.timestamp??null}});M(r,200,a);return}let s=/^\/api\/history\/(.+)$/.exec(o);if(s){if(t.method!=="GET"){M(r,405,{error:"Method Not Allowed"});return}let c=s[1]??"",a;try{a=decodeURIComponent(c)}catch{M(r,400,{error:"Invalid target encoding"});return}let l=n.getHistory(a);M(r,200,l);return}let i=/^\/api\/baselines\/(.+)$/.exec(o);if(i){if(t.method!=="GET"){M(r,405,{error:"Method Not Allowed"});return}let c=i[1]??"",a;try{a=decodeURIComponent(c)}catch{M(r,400,{error:"Invalid target encoding"});return}let l=n.getLatestRun(a);if(l===null){M(r,404,{error:"No baseline found for target"});return}M(r,200,{target:a,baseline:l});return}if(o==="/"||o==="/index.html"){if(t.method!=="GET"){M(r,405,{error:"Method Not Allowed"});return}Vo(r,200,Lt);return}M(r,404,{error:"Not Found"})}}var Ee=class{server;storage;port;constructor(e){this.port=e.port,this.storage=e.storage??new N,this.server=(0,Mr.createServer)(Mo(this.storage))}start(){return new Promise((e,t)=>{this.server.once("error",r=>{r.code==="EADDRINUSE"?t(new Error(`Port ${this.port} is already in use. Try a different port with --port <number>.`)):t(r)}),this.server.listen(this.port,"127.0.0.1",()=>{let r=this.server.address(),o=r!==null&&typeof r=="object"?r.port:this.port;e(o)})})}stop(){return new Promise((e,t)=>{this.server.close(r=>{r?t(r):e()})})}};async function Dt(n){let e=new Ee({port:n}),t=await e.start();return process.stdout.write(`Dashboard available at http://localhost:${t}
|
|
706
|
+
`),process.on("SIGINT",()=>{e.stop().finally(()=>{process.exit(0)})}),e}var Dr=(r=>(r[r.PASS=0]="PASS",r[r.FAIL=1]="FAIL",r[r.ERROR=2]="ERROR",r))(Dr||{});function Y(n,e=!1,t){process.stderr.write(`Error: ${n}
|
|
707
707
|
`),e&&t instanceof Error&&t.stack&&process.stderr.write(`${t.stack}
|
|
708
|
-
`),process.exit(2)}function
|
|
709
|
-
`)}async function
|
|
708
|
+
`),process.exit(2)}function Ho(n){let e={critical:0,high:0,medium:0,low:0};for(let t of n)if(!t.suppressed){let r=e[t.severity];r!==void 0&&(e[t.severity]=r+1)}return e}function Lo(n){let e=[];e.push(""),e.push("=== Comparison with Previous Run ==="),e.push("");let t=n.scoreDelta>0?"+":"";if(e.push(` Score: ${n.previousScore} -> ${n.currentScore} (${t}${n.scoreDelta})`),e.push(` Findings: ${n.previousFindingsCount} -> ${n.currentFindingsCount}`),n.isRegression?e.push(" Status: REGRESSION"):n.scoreDelta>0?e.push(" Status: IMPROVEMENT"):e.push(" Status: NO CHANGE"),n.newFindings.length>0){e.push(""),e.push(` New findings (${n.newFindings.length}):`);for(let r of n.newFindings)e.push(` + ${r}`)}if(n.resolvedFindings.length>0){e.push(""),e.push(` Resolved findings (${n.resolvedFindings.length}):`);for(let r of n.resolvedFindings)e.push(` - ${r}`)}return e.push(""),e.join(`
|
|
709
|
+
`)}async function Lr(n,e={}){let t=Date.now(),r;try{r=Ge(n.target,n)}catch(o){Y(o instanceof Error?o.message:String(o),n.verbose,o)}try{let o=await ot(r,n),s=bt(o,n),i=_t(o,n),c=St(s,i,n),a=wt(c,i,n),l={meta:{toolVersion:"1.2.0",specVersion:"2024-11-05",timestamp:new Date().toISOString(),target:n.target,transport:o.transportMetadata.type,durationMs:Date.now()-t,checkMode:n.checkMode},conformance:{score:c.overallScore,breakdown:Object.fromEntries(c.categoryScores.map(f=>[f.category,f.score])),violations:s.filter(f=>f.level!=="pass")},security:{findings:i.filter(f=>!f.suppressed),suppressed:i.filter(f=>f.suppressed)},summary:{pass:a===0,exitCode:a,blockerCount:Ho(i)}},p={timestamp:l.meta.timestamp,target:n.target,conformanceScore:l.conformance.score,securityFindingsCount:l.security.findings.length,breakdown:l.conformance.breakdown,toolVersion:l.meta.toolVersion,specVersion:l.meta.specVersion},u=null,d=e.compareLast===!0||e.comparePrevious===!0;if(d){let f=new N,h=null;e.comparePrevious===!0?h=f.getLatestRun(n.target):h=Ht(n.target)??f.getLatestRun(n.target),h!==null&&(u=jt(h,p,[],l.security.findings))}let m=It(n);if(n.output!==null){let f;if(n.format==="json"&&u!==null&&e.compareLast===!0){let h=JSON.parse(m.format(l));h.comparison=u,f=JSON.stringify(h,null,2)}else f=m.format(l);try{(0,Bt.writeFileSync)(n.output,f,"utf-8")}catch(h){Y(`Failed to write output file "${n.output}": ${h instanceof Error?h.message:String(h)}`,n.verbose,h)}if(n.format!=="terminal"){let{TerminalReporter:h}=await Promise.resolve().then(()=>(Se(),Er)),y=new h(n.noColor);process.stdout.write(y.format(l)+`
|
|
710
710
|
`)}}else{let f=m.format(l);process.stdout.write(f+`
|
|
711
|
-
`)}d&&(u!==null?process.stdout.write(
|
|
711
|
+
`)}d&&(u!==null?process.stdout.write(Lo(u)):process.stdout.write(`
|
|
712
712
|
No previous run found for ${n.target}
|
|
713
|
-
`)),n.noHistory||new N().appendRun(n.target,p),e.saveAsBaseline===!0&&Oe(n.target,p),process.exit(a)}finally{await r.close()}}function Ft(n){let e=Number(n);if(!Number.isInteger(e)||e<=0)throw new
|
|
714
|
-
`),process.exit(2)})}function
|
|
713
|
+
`)),n.noHistory||new N().appendRun(n.target,p),e.saveAsBaseline===!0&&Oe(n.target,p),process.exit(a)}finally{await r.close()}}function Ft(n){let e=Number(n);if(!Number.isInteger(e)||e<=0)throw new D(`--timeout must be a positive integer (got: ${n})`);return e}function Jt(n){let e=["terminal","json","markdown","sarif"];if(!e.includes(n))throw new D(`--format must be one of: ${e.join(", ")} (got: ${n})`);return n}function qt(n){let e=["http","stdio"];if(!e.includes(n))throw new D(`--transport must be one of: ${e.join(", ")} (got: ${n})`);return n}function zt(n){let e=["critical","high","medium","low","none"];if(!e.includes(n))throw new D(`--fail-on-severity must be one of: ${e.join(", ")} (got: ${n})`);return n}function Wt(n){let e=Number(n);if(!Number.isInteger(e)||e<0||e>100)throw new D(`--conformance-threshold must be an integer between 0 and 100 (got: ${n})`);return e}function Fr(n){let e=Number(n);if(!Number.isInteger(e)||e<1||e>65535)throw new D(`--port must be an integer between 1 and 65535 (got: ${n})`);return e}function Ut(n,e){let t=n.indexOf(":");if(t===-1)throw new D(`--header must be in "Name: Value" format (got: ${n})`);let r=n.slice(0,t).trim(),o=n.slice(t+1).trim();if(r.length===0)throw new D(`--header name must not be empty (got: ${n})`);return{...e,[r]:o}}function oe(n){n.configureOutput({writeErr:()=>{}}),n.exitOverride(e=>{(e.code==="commander.helpDisplayed"||e.code==="commander.version")&&process.exit(0);let t=e.message.replace(/^error:\s*/i,"");process.stderr.write(`Error: ${t}
|
|
714
|
+
`),process.exit(2)})}function Jr(){let n=new lr;n.name("mcp-verify").description("Verify MCP servers for spec conformance, security vulnerabilities, and health metrics").version("mcp-verify 1.2.0 (validates MCP spec 2024-11-05)","-V, --version","Output the version number").addHelpText("after",`
|
|
715
715
|
Examples:
|
|
716
716
|
mcp-verify https://example.com/mcp
|
|
717
717
|
mcp-verify verify https://example.com/mcp --format json
|
|
718
718
|
mcp-verify verify ./my-server --timeout 30000
|
|
719
|
-
`),oe(n);let e=n.command("verify <target>",{isDefault:!0}).description("Verify an MCP server at <target> (URL or stdio command)").option("--timeout <ms>","Connection and response timeout in milliseconds",Ft,k.timeout).option("--no-color","Disable colored output").option("--format <type>","Output format: terminal | json | markdown | sarif",Jt,k.format).option("--config <path>","Path to config file (default: auto-discover mcp-verify.json or .mcp-verify.json)").option("--strict","Set check mode to strict").option("--lenient","Set check mode to lenient").option("--verbose","Enable verbose output").option("--output <path>","Write formatted report to file instead of stdout").option("--transport <type>","Force transport type: http | stdio",qt).option("--fail-on-severity <level>","Minimum severity level to fail on: critical | high | medium | low | none",zt,k.failOnSeverity).option("--conformance-threshold <score>","Minimum conformance score (0\u2013100)",Wt,k.conformanceThreshold).option("--no-history","Skip saving this run to history storage").option("--compare-last","After verification, compare with baseline (if set) or the previous run").option("--compare-previous","After verification, compare with immediately previous run (bypasses baseline)").addHelpText("after",`
|
|
719
|
+
`),oe(n);let e=n.command("verify <target>",{isDefault:!0}).description("Verify an MCP server at <target> (URL or stdio command)").option("--timeout <ms>","Connection and response timeout in milliseconds",Ft,k.timeout).option("--no-color","Disable colored output").option("--format <type>","Output format: terminal | json | markdown | sarif",Jt,k.format).option("--config <path>","Path to config file (default: auto-discover mcp-verify.json or .mcp-verify.json)").option("--strict","Set check mode to strict").option("--lenient","Set check mode to lenient").option("--verbose","Enable verbose output").option("--output <path>","Write formatted report to file instead of stdout").option("--transport <type>","Force transport type: http | stdio",qt).option("--fail-on-severity <level>","Minimum severity level to fail on: critical | high | medium | low | none",zt,k.failOnSeverity).option("--conformance-threshold <score>","Minimum conformance score (0\u2013100)",Wt,k.conformanceThreshold).option("--no-history","Skip saving this run to history storage").option("--compare-last","After verification, compare with baseline (if set) or the previous run").option("--compare-previous","After verification, compare with immediately previous run (bypasses baseline)").option("-H, --header <key:value>",'Custom HTTP header in "Name: Value" format (repeatable)',Ut,{}).addHelpText("after",`
|
|
720
720
|
Examples:
|
|
721
721
|
mcp-verify https://example.com/mcp
|
|
722
722
|
mcp-verify verify https://example.com/mcp --format json
|
|
723
723
|
mcp-verify verify ./my-server --timeout 30000
|
|
724
724
|
mcp-verify verify https://example.com/mcp --no-color --format sarif
|
|
725
725
|
mcp-verify verify https://example.com/mcp --compare-last
|
|
726
|
-
mcp-verify verify https://example.com/mcp
|
|
726
|
+
mcp-verify verify https://example.com/mcp -H "Authorization: Bearer <token>"
|
|
727
727
|
`);oe(e),e.action(async(i,c)=>{c.strict&&c.lenient&&(process.stderr.write(`Error: --strict and --lenient are mutually exclusive
|
|
728
|
-
`),process.exit(2));let a;c.strict?a="strict":c.lenient&&(a="lenient");let l=xe(c.config),p={timeout:c.timeout,noColor:!c.color,format:c.format,failOnSeverity:c.failOnSeverity,conformanceThreshold:c.conformanceThreshold,noHistory:!c.history};a!==void 0&&(p.checkMode=a),c.verbose===!0&&(p.verbose=!0),c.output!==void 0&&(p.output=c.output),c.transport!==void 0&&(p.transport=c.transport);let u=Pe(p,l,i);try{await
|
|
728
|
+
`),process.exit(2));let a;c.strict?a="strict":c.lenient&&(a="lenient");let l=xe(c.config),p={timeout:c.timeout,noColor:!c.color,format:c.format,failOnSeverity:c.failOnSeverity,conformanceThreshold:c.conformanceThreshold,noHistory:!c.history};a!==void 0&&(p.checkMode=a),c.verbose===!0&&(p.verbose=!0),c.output!==void 0&&(p.output=c.output),c.transport!==void 0&&(p.transport=c.transport),Object.keys(c.header).length>0&&(p.headers=c.header);let u=Pe(p,l,i);try{await Lr(u,{compareLast:c.compareLast===!0,comparePrevious:c.comparePrevious===!0})}catch(d){Y(d instanceof Error?d.message:String(d),u.verbose,d)}});let t=n.command("baseline <target>").description("Run verification and store the result as a baseline for <target>").option("--existing","Promote the most recent history entry as baseline without running verification").option("--timeout <ms>","Connection and response timeout in milliseconds",Ft,k.timeout).option("--no-color","Disable colored output").option("--format <type>","Output format: terminal | json | markdown | sarif",Jt,k.format).option("--config <path>","Path to config file (default: auto-discover mcp-verify.json or .mcp-verify.json)").option("--strict","Set check mode to strict").option("--lenient","Set check mode to lenient").option("--verbose","Enable verbose output").option("--output <path>","Write formatted report to file instead of stdout").option("--transport <type>","Force transport type: http | stdio",qt).option("--fail-on-severity <level>","Minimum severity level to fail on: critical | high | medium | low | none",zt,k.failOnSeverity).option("--conformance-threshold <score>","Minimum conformance score (0\u2013100)",Wt,k.conformanceThreshold).option("-H, --header <key:value>",'Custom HTTP header in "Name: Value" format (repeatable)',Ut,{}).addHelpText("after",`
|
|
729
729
|
Examples:
|
|
730
730
|
mcp-verify baseline https://example.com/mcp
|
|
731
731
|
mcp-verify baseline --existing https://example.com/mcp
|
|
732
732
|
`);oe(t),t.action(async(i,c)=>{if(c.existing===!0){let m=new N().getLatestRun(i);m===null&&(process.stderr.write(`Error: No history found for "${i}". Run a verification first.
|
|
733
733
|
`),process.exit(2));try{Oe(i,m)}catch(f){Y(f instanceof Error?f.message:String(f),c.verbose===!0,f)}process.stdout.write(`Baseline saved for "${i}" (score: ${m.conformanceScore}, timestamp: ${m.timestamp})
|
|
734
734
|
`),process.exit(0)}c.strict&&c.lenient&&(process.stderr.write(`Error: --strict and --lenient are mutually exclusive
|
|
735
|
-
`),process.exit(2));let a;c.strict?a="strict":c.lenient&&(a="lenient");let l=xe(c.config),p={timeout:c.timeout,noColor:!c.color,format:c.format,failOnSeverity:c.failOnSeverity,conformanceThreshold:c.conformanceThreshold};a!==void 0&&(p.checkMode=a),c.verbose===!0&&(p.verbose=!0),c.output!==void 0&&(p.output=c.output),c.transport!==void 0&&(p.transport=c.transport);let u=Pe(p,l,i);try{await
|
|
735
|
+
`),process.exit(2));let a;c.strict?a="strict":c.lenient&&(a="lenient");let l=xe(c.config),p={timeout:c.timeout,noColor:!c.color,format:c.format,failOnSeverity:c.failOnSeverity,conformanceThreshold:c.conformanceThreshold};a!==void 0&&(p.checkMode=a),c.verbose===!0&&(p.verbose=!0),c.output!==void 0&&(p.output=c.output),c.transport!==void 0&&(p.transport=c.transport),Object.keys(c.header).length>0&&(p.headers=c.header);let u=Pe(p,l,i);try{await Lr(u,{saveAsBaseline:!0})}catch(d){Y(d instanceof Error?d.message:String(d),u.verbose,d)}});let r=n.command("history").description("Manage run history");oe(r);let o=r.command("export [target]").description("Export run history as JSON").option("--all","Export history for all tracked targets").option("--output <path>","Write exported history to a file instead of stdout").addHelpText("after",`
|
|
736
736
|
Examples:
|
|
737
737
|
mcp-verify history export https://example.com/mcp --output history.json
|
|
738
738
|
mcp-verify history export --all --output all-history.json
|
|
739
739
|
`);oe(o),o.action((i,c)=>{let a=new N;c.all!==!0&&(i===void 0||i.trim()==="")&&(process.stderr.write(`Error: Provide a <target> argument or use --all to export all targets
|
|
740
|
-
`),process.exit(2));let l,p;if(c.all===!0)p=a.getAllTargets(),l=p.flatMap(m=>a.getHistory(m));else{let m=i;p=[m],l=a.getHistory(m)}let u={exportedAt:new Date().toISOString(),toolVersion:"1.
|
|
741
|
-
`;if(c.output!==void 0){try{(0,
|
|
742
|
-
`)}else process.stdout.write(d);process.exit(0)});let s=n.command("serve").description("Start the local web dashboard").option("--port <number>","Port to listen on (default: 4000)",
|
|
740
|
+
`),process.exit(2));let l,p;if(c.all===!0)p=a.getAllTargets(),l=p.flatMap(m=>a.getHistory(m));else{let m=i;p=[m],l=a.getHistory(m)}let u={exportedAt:new Date().toISOString(),toolVersion:"1.2.0",targets:p,runs:l},d=JSON.stringify(u,null,2)+`
|
|
741
|
+
`;if(c.output!==void 0){try{(0,Bt.writeFileSync)(c.output,d,"utf-8")}catch(m){Y(`Failed to write output file "${c.output}": ${m instanceof Error?m.message:String(m)}`)}process.stdout.write(`History exported to "${c.output}"
|
|
742
|
+
`)}else process.stdout.write(d);process.exit(0)});let s=n.command("serve").description("Start the local web dashboard").option("--port <number>","Port to listen on (default: 4000)",Fr,4e3).addHelpText("after",`
|
|
743
743
|
Examples:
|
|
744
744
|
mcp-verify serve
|
|
745
745
|
mcp-verify serve --port 8080
|
|
746
746
|
`);return oe(s),s.action(async i=>{try{await Dt(i.port),await new Promise(()=>{})}catch(c){let a=c instanceof Error?c.message:String(c);process.stderr.write(`Error: ${a}
|
|
747
|
-
`),process.exit(2)}}),n}async function
|
|
748
|
-
`),process.exit(2)});0&&(module.exports={ExitCode,buildProgram,exitWithError,main,parseConformanceThreshold,parseFailOnSeverity,parseFormat,parsePort,parseTimeout,parseTransport});
|
|
747
|
+
`),process.exit(2)}}),n}async function qr(n){let e=Jr();n.slice(2).length===0&&(e.outputHelp(),process.exit(2)),await e.parseAsync(n)}var Do=process.argv[1]!==void 0&&(process.argv[1].endsWith("cli.js")||process.argv[1].endsWith("cli.cjs"));Do&&qr(process.argv).catch(n=>{let e=n instanceof Error?n.message:String(n);process.stderr.write(`Error: ${e}
|
|
748
|
+
`),process.exit(2)});0&&(module.exports={ExitCode,buildProgram,exitWithError,main,parseConformanceThreshold,parseFailOnSeverity,parseFormat,parseHeader,parsePort,parseTimeout,parseTransport});
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "mcp-server-verify",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.2.0",
|
|
4
4
|
"description": "Framework-agnostic CLI and GitHub Action that verifies MCP servers for spec conformance, security vulnerabilities, and health metrics",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/cli.cjs",
|