mcp-stdio-guard 0.4.0 → 0.5.0

package/README.md

@@ -11,7 +11,7 @@
 <p align="center">
   <a href="https://github.com/1Utkarsh1/mcp-stdio-guard/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/1Utkarsh1/mcp-stdio-guard/actions/workflows/ci.yml/badge.svg" /></a>
   <a href="https://www.npmjs.com/package/mcp-stdio-guard"><img alt="npm" src="https://img.shields.io/npm/v/mcp-stdio-guard?color=0b6bcb" /></a>
-  <a href="https://badge.socket.dev/npm/package/mcp-stdio-guard/0.4.0"><img alt="Socket" src="https://badge.socket.dev/npm/package/mcp-stdio-guard/0.4.0" /></a>
+  <a href="https://badge.socket.dev/npm/package/mcp-stdio-guard/0.5.0"><img alt="Socket" src="https://badge.socket.dev/npm/package/mcp-stdio-guard/0.5.0" /></a>
   <img alt="runtime dependencies" src="https://img.shields.io/badge/runtime%20deps-0-1f8f4c" />
   <img alt="node" src="https://img.shields.io/badge/node-%3E%3D18-2f855a" />
   <a href="LICENSE"><img alt="license" src="https://img.shields.io/badge/license-MIT-111827" /></a>
@@ -143,6 +143,7 @@ mcp-stdio-guard [options] -- <command> [args...]
 | `--repeat <count>` | run the same guard multiple times to catch cold/warm startup behavior |
 | `--request <method>` | send one MCP request after initialization, for example `tools/list` |
 | `--params <json>` | JSON params for `--request` |
+| `--adversarial-probe <name>` / `--adversarial-probes <list>` | opt into strict protocol probes: `invalid-method`, `invalid-params`, `notification`, `malformed-json`, `all`, or `none` |
 | `--scan <path>` | scan source for risky stdout writes and visible startup-output risks |
 | `--fail-on-static` | make static scan findings fail the command |
 | `--json` | print machine-readable output |
@@ -159,9 +160,9 @@ Profiles are deterministic presets for common workflows. Existing CLI behavior r
 | `smoke` | initialize only unless `--request` is provided; skip advertised `tools/list`, `resources/list`, and `prompts/list` probes |
 | `registry` | run advertised list probes and repeat twice by default for cold/warm consistency |
 | `ci` | emit JSON output and make static scan findings fail when `--scan` is used |
-| `strict` | combine CI-style output/static failures with registry-style repeat depth; future adversarial probes will attach here |
+| `strict` | combine CI-style output/static failures, registry-style repeat depth, and built-in adversarial protocol probes |
 
-Explicit flags can still narrow or deepen a profile. For example, `--profile registry --repeat 1` keeps registry capability probing but disables the repeat preset.
+Explicit flags can still narrow or deepen a profile. For example, `--profile registry --repeat 1` keeps registry capability probing but disables the repeat preset. Use `--profile strict --adversarial-probes none` if you want strict JSON/static behavior without adversarial inputs.
 
 ## Config Files
 
@@ -181,6 +182,8 @@ Supported fields:
 | `request` | one explicit post-initialize request: `{ "method": "tools/list" }` |
 | `requests` | list of explicit post-initialize requests |
 | `safeToolCalls` | opt-in `tools/call` recipes; no tool is called unless listed here or explicitly requested |
+| `adversarialProbes` | opt-in built-in probes as `true`, `"all"`, `"none"`, or a list of probe names |
+| `adversarialToolCalls` | opt-in invalid-argument `tools/call` probes for configured safe tools |
 
 Example:
 
@@ -196,14 +199,20 @@ Example:
   "requests": [
     { "method": "tools/list" }
   ],
+  "adversarialProbes": ["invalid-method", "notification"],
   "safeToolCalls": [
     { "name": "echo", "arguments": { "text": "hello" } }
+  ],
+  "adversarialToolCalls": [
+    { "name": "echo", "arguments": { "unexpected": true } }
   ]
 }
 ```
 
 The guard does not discover and call arbitrary tools from `tools/list`. Tool execution only happens through an explicit `safeToolCalls` entry or an explicit `tools/call` request you provide.
 
+Adversarial probes are off by default because they intentionally send unusual inputs. Built-in probes check that unknown methods return structured errors, invalid params return structured errors, notifications do not receive responses, and malformed JSON does not crash the process. `adversarialToolCalls` is separate because it calls a named tool with intentionally invalid arguments; only use it for tools you control and consider safe/idempotent.
+
 ## JSON Contract
 
 `--json` is intended for CI, registries, and badge ingestion. The current contract is `schemaVersion: 1`; new fields may be added, but these fields are stable for consumers:
@@ -220,6 +229,7 @@ The guard does not discover and call arbitrary tools from `tools/list`. Tool exe
 | `initialized` | whether the server completed the initialize handshake |
 | `operation` | post-initialize request result, or `null` when `--request` was not used |
 | `operations` | all explicit post-initialize requests, including config requests and safe tool calls |
+| `adversarial` | opt-in adversarial probe results, including status, risk text, and per-probe issue codes |
 | `toolSchema` | summary of `tools/list` metadata validation when that operation was requested or probed from an advertised tools capability |
 | `capabilityProbes` | whether advertised capability list probes were enabled for this run |
 | `capabilityKeys` | sorted capability keys returned by `initialize` for a single run; repeat mode exposes this inside each `runs` entry |
@@ -234,7 +244,7 @@ The guard does not discover and call arbitrary tools from `tools/list`. Tool exe
 | `staticFindings` | source scan findings with language, file, line, reason, and message |
 | `runs` | per-run results when `--repeat` is used |
 
-Check statuses are `pass`, `fail`, `warning`, or `skipped`. The `checks` object separates the signal into `initialize`, `stdout`, `jsonRpc`, `operation`, `capabilities`, `toolSchema`, `process`, `pythonBuffering`, `staticScan`, and `repeat`, each with stable `status` and `issueCodes` fields. When `--repeat` is used, `checks.repeat` also includes `runs`, `passedRuns`, and `failedRuns`; each entry in `runs` is a normal schema-versioned result for that individual guard run.
+Check statuses are `pass`, `fail`, `warning`, or `skipped`. The `checks` object separates the signal into `initialize`, `stdout`, `jsonRpc`, `operation`, `capabilities`, `toolSchema`, `adversarial`, `process`, `pythonBuffering`, `staticScan`, and `repeat`, each with stable `status` and `issueCodes` fields. When `--repeat` is used, `checks.repeat` also includes `runs`, `passedRuns`, and `failedRuns`; each entry in `runs` is a normal schema-versioned result for that individual guard run.
 
 `issueClasses` is additive to `checks`. It groups issue codes by the kind of problem a registry or client should display:
 
@@ -250,7 +260,7 @@ Current issue-code mapping:
 | --- | --- |
 | `installRuntime` | `initialize-timeout`, `operation-missing-response`, `operation-timeout`, `python-buffered-stdio`, `server-crashed`, `server-exited`, `spawn-failed` |
 | `stdioTransport` | `static-stdout-write`, `stdout-content-length-framing`, `stdout-empty-line`, `stdout-non-json`, `stdout-without-newline` |
-| `mcpProtocol` | `capability-list-error`, `capability-list-missing-response`, `capability-list-timeout`, `capability-list-unsupported`, `initialize-error`, `initialize-invalid-capabilities`, `initialize-invalid-protocol-version`, `initialize-invalid-result`, `initialize-invalid-server-info`, `initialize-missing-capabilities`, `initialize-missing-protocol-version`, `initialize-missing-server-info`, `notification-response`, `operation-error`, `repeat-capability-drift`, `repeat-list-shape-drift`, `repeat-protocol-drift`, `repeat-tool-drift`, `response-id-mismatch`, `response-id-type-mismatch`, `stdout-invalid-json-rpc`, `stdout-unexpected-request-id`, `tool-description-missing`, `tool-input-schema-invalid`, `tool-input-schema-required-missing`, `tool-name-duplicate`, `tool-name-invalid`, `tools-list-invalid-result` |
+| `mcpProtocol` | `adversarial-invalid-method-result`, `adversarial-invalid-params-result`, `adversarial-malformed-json-result`, `adversarial-notification-response`, `adversarial-probe-crash`, `adversarial-probe-invalid-stdout`, `adversarial-probe-timeout`, `adversarial-tool-call-result`, `capability-list-error`, `capability-list-missing-response`, `capability-list-timeout`, `capability-list-unsupported`, `initialize-error`, `initialize-invalid-capabilities`, `initialize-invalid-protocol-version`, `initialize-invalid-result`, `initialize-invalid-server-info`, `initialize-missing-capabilities`, `initialize-missing-protocol-version`, `initialize-missing-server-info`, `notification-response`, `operation-error`, `repeat-capability-drift`, `repeat-list-shape-drift`, `repeat-protocol-drift`, `repeat-tool-drift`, `response-id-mismatch`, `response-id-type-mismatch`, `stdout-invalid-json-rpc`, `stdout-unexpected-request-id`, `tool-description-missing`, `tool-input-schema-invalid`, `tool-input-schema-required-missing`, `tool-name-duplicate`, `tool-name-invalid`, `tools-list-invalid-result` |
 
 Initialize lifecycle checks are part of the MCP protocol class. Missing or invalid `protocolVersion` and `capabilities` fail the run before the guard sends `notifications/initialized` or any normal request. Missing or invalid `serverInfo` is warning-level so registries can surface incomplete metadata without confusing it with a broken transport.
 
@@ -260,6 +270,8 @@ Tool schema checks run when `tools/list` receives a successful result, either fr
 
 Capability honesty checks are additive. If `initialize` advertises `capabilities.tools`, `capabilities.resources`, or `capabilities.prompts`, the guard probes the matching `tools/list`, `resources/list`, or `prompts/list` method after `notifications/initialized`. Unadvertised capabilities are `skipped`, not failed. `capability-list-unsupported` means an advertised list method returned method-not-found; `capability-list-error`, `capability-list-timeout`, and `capability-list-missing-response` mean the advertised list method existed in the contract but failed at runtime.
 
+Adversarial probes are additive and opt-in. Their failures are classified as `mcpProtocol`, not install/runtime failures, so registries can distinguish "the package cannot start" from "the server started but mishandled strict JSON-RPC/MCP inputs." `malformed-json` accepts either a structured parse error or silence after a short observation window; a crash is a protocol failure. `notification` expects no response.
+
 Repeat drift checks compare successful initialized runs against the first initialized run. Negotiated protocol changes, advertised capability key changes, added or removed tool names, tool count changes, and resource/prompt list count changes are warning-level `repeat-*` issues. Tool order is normalized before comparison, so order-only changes do not warn.
 
 The repeat `drift` object has stable `status`, `issueCodes`, `baselineRun`, and `comparedRuns` fields. Its nested `negotiatedProtocol`, `capabilities`, `tools`, `lists.resources`, and `lists.prompts` sections include `changedRuns` so registries can show exactly what changed between cold and warm starts.
@@ -275,7 +287,7 @@ Runtime issue codes remain backward-compatible. For finer registry display, runt
 | `operation-missing-response` | `clean-exit-during-operation`, `nonzero-exit-during-operation`, `signal-exit-during-operation` |
 | `server-crashed` | `nonzero-exit-after-initialize`, `signal-exit-after-initialize` |
 
-`process` records the observed lifecycle even when the run passes. `outcome` is one of `starting`, `running`, `exited`, `timeout`, `spawn-failed`, or `guard-terminated`; `starting` is the transient initial value while the child is being created, not an expected terminal outcome. `phase` is `startup`, `initialize`, `operation`, or `post-initialize`. `exitCode` and `signal` are included when the process exits before the guard finishes; timeout runs include `timedOut`, `timeoutCode`, `timeoutMs`, and guard kill metadata. `spawnError` is either `null` or an object with `code` and `message`; the matching `spawn-failed` issue also exposes `spawnErrorCode`.
+`process` records the observed lifecycle even when the run passes. `outcome` is one of `starting`, `running`, `exited`, `timeout`, `spawn-failed`, or `guard-terminated`; `starting` is the transient initial value while the child is being created, not an expected terminal outcome. `phase` is `startup`, `initialize`, `operation`, `adversarial`, or `post-initialize`. `exitCode` and `signal` are included when the process exits before the guard finishes; timeout runs include `timedOut`, `timeoutCode`, `timeoutMs`, and guard kill metadata. `spawnError` is either `null` or an object with `code` and `message`; the matching `spawn-failed` issue also exposes `spawnErrorCode`.
 
 Spawn failure shape:
 
@@ -308,11 +320,19 @@ Example:
     "enabled": false,
     "path": "",
     "resolvedPath": "",
-    "checks": { "command": false, "cwd": false, "envNames": [], "requests": [], "safeToolCalls": [] }
+    "checks": {
+      "command": false,
+      "cwd": false,
+      "envNames": [],
+      "requests": [],
+      "safeToolCalls": [],
+      "adversarialProbes": [],
+      "adversarialToolCalls": []
+    }
   },
   "profile": "custom",
   "fingerprint": {
-    "guard": { "name": "mcp-stdio-guard", "version": "0.4.0" },
+    "guard": { "name": "mcp-stdio-guard", "version": "0.5.0" },
     "command": {
       "executable": "node",
       "args": ["./server.js"],
@@ -328,12 +348,21 @@ Example:
       "enabled": false,
       "path": "",
       "resolvedPath": "",
-      "checks": { "command": false, "cwd": false, "envNames": [], "requests": [], "safeToolCalls": [] }
+      "checks": {
+        "command": false,
+        "cwd": false,
+        "envNames": [],
+        "requests": [],
+        "safeToolCalls": [],
+        "adversarialProbes": [],
+        "adversarialToolCalls": []
+      }
     },
     "profile": "custom",
     "timeoutMs": 5000,
     "repeat": 1,
     "capabilityProbes": true,
+    "adversarialProbes": [],
     "operation": { "method": "tools/list", "hasParams": false, "source": "cli-request", "safeToolCallName": "" },
     "operations": [{ "method": "tools/list", "hasParams": false, "source": "cli-request", "safeToolCallName": "" }],
     "system": { "platform": "darwin", "arch": "arm64", "osRelease": "25.0.0" },
@@ -365,6 +394,7 @@ Example:
     "spawnError": null
   },
   "capabilityProbes": true,
+  "adversarial": { "enabled": false, "probes": [] },
   "capabilityKeys": ["tools"],
   "capabilityChecks": {
     "tools": { "advertised": true, "method": "tools/list", "responded": true, "itemCount": 2, "error": null },
@@ -398,6 +428,7 @@ Example:
       "prompts": { "status": "skipped", "issueCodes": [], "advertised": false, "method": "prompts/list", "responded": false, "itemCount": null }
     },
     "toolSchema": { "status": "pass", "issueCodes": [] },
+    "adversarial": { "status": "skipped", "issueCodes": [] },
     "process": { "status": "pass", "issueCodes": [] },
     "pythonBuffering": { "status": "pass", "issueCodes": [] },
     "staticScan": { "status": "skipped", "issueCodes": [] },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-stdio-guard",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "A runtime zero-dependency CLI that catches stdout pollution and handshake failures in MCP stdio servers.",
   "type": "module",
   "bin": {

package/src/index.js

@@ -6,9 +6,9 @@ import { spawn, spawnSync } from 'node:child_process';
 function loadVersion() {
   try {
     const packageJson = JSON.parse(fs.readFileSync(new URL('../package.json', import.meta.url), 'utf8'));
-    return typeof packageJson.version === 'string' ? packageJson.version : '0.4.0';
+    return typeof packageJson.version === 'string' ? packageJson.version : '0.5.0';
   } catch {
-    return '0.4.0';
+    return '0.5.0';
   }
 }
 
@@ -32,7 +32,7 @@ const GUARD_PROFILES = Object.freeze({
     description: 'stable JSON output with static findings treated as failures when scanned'
   },
   strict: {
-    description: 'deep deterministic checks; reserved for opt-in adversarial probes'
+    description: 'deep deterministic checks with opt-in adversarial protocol probes'
   }
 });
 const GUARD_PROFILE_NAMES = Object.keys(GUARD_PROFILES);
@@ -94,12 +94,69 @@ const CAPABILITY_DEFINITIONS = Object.freeze([
   { name: 'resources', method: 'resources/list' },
   { name: 'prompts', method: 'prompts/list' }
 ]);
+const ADVERSARIAL_OBSERVATION_MS = 150;
+const BUILTIN_ADVERSARIAL_PROBES = Object.freeze({
+  'invalid-method': {
+    name: 'invalid-method',
+    source: 'builtin',
+    method: 'mcp_stdio_guard/invalid_method',
+    params: { reason: 'adversarial-probe' },
+    expectation: 'error',
+    failureCode: 'adversarial-invalid-method-result',
+    description: 'invalid method requests return structured JSON-RPC errors',
+    risk: 'Sends one unknown JSON-RPC method after initialize; servers should answer with an error instead of crashing or returning success.'
+  },
+  'invalid-params': {
+    name: 'invalid-params',
+    source: 'builtin',
+    method: 'tools/list',
+    params: [],
+    expectation: 'error',
+    failureCode: 'adversarial-invalid-params-result',
+    description: 'invalid params return structured JSON-RPC errors',
+    risk: 'Sends deliberately invalid params to a common MCP method; tolerant servers may need to opt out of this stricter probe.'
+  },
+  notification: {
+    name: 'notification',
+    source: 'builtin',
+    method: 'notifications/mcp_stdio_guard_probe',
+    params: { reason: 'adversarial-probe' },
+    omitId: true,
+    expectation: 'no-response',
+    failureCode: 'adversarial-notification-response',
+    description: 'notifications do not receive responses',
+    risk: 'Sends one unknown JSON-RPC notification; servers should not reply to notifications even when the method is unknown.'
+  },
+  'malformed-json': {
+    name: 'malformed-json',
+    source: 'builtin',
+    method: '',
+    rawLine: '{"jsonrpc":"2.0","id":"mcp-stdio-guard-malformed","method":',
+    expectation: 'error-or-no-response',
+    failureCode: 'adversarial-malformed-json-result',
+    description: 'malformed JSON does not crash the server',
+    risk: 'Writes one malformed line to stdin; servers may return a structured parse error or ignore it, but should not crash.'
+  }
+});
+const BUILTIN_ADVERSARIAL_PROBE_NAMES = Object.freeze(Object.keys(BUILTIN_ADVERSARIAL_PROBES));
+const STRICT_ADVERSARIAL_PROBE_NAMES = BUILTIN_ADVERSARIAL_PROBE_NAMES;
+const SUPPORTED_ADVERSARIAL_EXPECTATIONS = new Set(['error', 'no-response', 'error-or-no-response']);
 const CAPABILITY_ISSUE_CODES = new Set([
   'capability-list-error',
   'capability-list-missing-response',
   'capability-list-timeout',
   'capability-list-unsupported'
 ]);
+const ADVERSARIAL_ISSUE_CODES = new Set([
+  'adversarial-invalid-method-result',
+  'adversarial-invalid-params-result',
+  'adversarial-malformed-json-result',
+  'adversarial-notification-response',
+  'adversarial-probe-crash',
+  'adversarial-probe-invalid-stdout',
+  'adversarial-probe-timeout',
+  'adversarial-tool-call-result'
+]);
 const REPEAT_DRIFT_ISSUE_CODES = new Set([
   'repeat-capability-drift',
   'repeat-list-shape-drift',
@@ -176,6 +233,14 @@ const ISSUE_CLASS_BY_CODE = new Map([
   ['tool-name-duplicate', ISSUE_CLASSES.MCP_PROTOCOL],
   ['tool-name-invalid', ISSUE_CLASSES.MCP_PROTOCOL],
   ['tools-list-invalid-result', ISSUE_CLASSES.MCP_PROTOCOL],
+  ['adversarial-invalid-method-result', ISSUE_CLASSES.MCP_PROTOCOL],
+  ['adversarial-invalid-params-result', ISSUE_CLASSES.MCP_PROTOCOL],
+  ['adversarial-malformed-json-result', ISSUE_CLASSES.MCP_PROTOCOL],
+  ['adversarial-notification-response', ISSUE_CLASSES.MCP_PROTOCOL],
+  ['adversarial-probe-crash', ISSUE_CLASSES.MCP_PROTOCOL],
+  ['adversarial-probe-invalid-stdout', ISSUE_CLASSES.MCP_PROTOCOL],
+  ['adversarial-probe-timeout', ISSUE_CLASSES.MCP_PROTOCOL],
+  ['adversarial-tool-call-result', ISSUE_CLASSES.MCP_PROTOCOL],
   ['notification-response', ISSUE_CLASSES.MCP_PROTOCOL],
   ['response-id-mismatch', ISSUE_CLASSES.MCP_PROTOCOL],
   ['response-id-type-mismatch', ISSUE_CLASSES.MCP_PROTOCOL],
@@ -208,6 +273,7 @@ export async function runCli(argv) {
     cwd: options.cwd,
     env: options.env,
     probeCapabilities: options.probeCapabilities,
+    adversarialProbes: options.adversarialProbes,
     operations: options.operations,
     operation: options.operations.length === 1
       ? {
@@ -263,6 +329,8 @@ export function parseArgs(argv) {
     env: {},
     operations: [],
     configOperations: [],
+    adversarialProbeSpecs: [],
+    adversarialProbes: [],
     protocol: DEFAULT_PROTOCOL,
     timeoutMs: DEFAULT_TIMEOUT,
     profile: DEFAULT_PROFILE,
@@ -314,6 +382,10 @@ export function parseArgs(argv) {
       options.requestParams = parseJsonOption(readOptionValue(argv, index, arg), arg);
       specifiedOptions.add('requestParams');
       index += 1;
+    } else if (arg === '--adversarial-probe' || arg === '--adversarial-probes') {
+      options.adversarialProbeSpecs.push(...expandAdversarialProbeList(readOptionValue(argv, index, arg), arg));
+      specifiedOptions.add('adversarialProbes');
+      index += 1;
     } else if (arg === '--protocol') {
       options.protocol = readOptionValue(argv, index, arg);
       specifiedOptions.add('protocol');
@@ -348,6 +420,7 @@ export function parseArgs(argv) {
   }
   applyProfileDefaults(options, specifiedOptions);
   options.operations = buildConfiguredOperations(options);
+  options.adversarialProbes = normalizeAdversarialProbeSpecs(options.adversarialProbeSpecs);
 
   if (!Number.isInteger(options.timeoutMs) || options.timeoutMs < 100) {
     throw new Error('--timeout must be an integer >= 100');
@@ -391,6 +464,9 @@ function applyProfileDefaults(options, specifiedOptions) {
     if (!specifiedOptions.has('repeat')) {
       options.repeat = 2;
     }
+    if (!specifiedOptions.has('adversarialProbes')) {
+      options.adversarialProbeSpecs.push(...STRICT_ADVERSARIAL_PROBE_NAMES);
+    }
   }
 
   return options;
@@ -421,9 +497,13 @@ function applyConfigFile(options, config, specifiedOptions) {
   const env = normalizeConfigEnv(config);
   const requests = normalizeConfigRequests(config);
   const safeToolCalls = normalizeSafeToolCalls(config);
+  const adversarialProbes = normalizeConfigAdversarialProbes(config);
+  const adversarialToolCalls = normalizeConfigAdversarialToolCalls(config);
   const usesConfigCommand = command.length > 0 && !specifiedOptions.has('command');
   const usesConfigCwd = typeof config.cwd === 'string' && !specifiedOptions.has('cwd');
   const usesConfigOperations = !specifiedOptions.has('requestMethod') && !specifiedOptions.has('requestParams');
+  const usesConfigAdversarialProbes = !specifiedOptions.has('adversarialProbes')
+    && (Object.hasOwn(config, 'adversarialProbes') || Object.hasOwn(config, 'adversarialToolCalls'));
 
   if (usesConfigCommand) {
     options.command = command;
@@ -489,6 +569,11 @@ function applyConfigFile(options, config, specifiedOptions) {
     options.configOperations = [...requests, ...safeToolCalls];
   }
 
+  if (usesConfigAdversarialProbes) {
+    options.adversarialProbeSpecs = [...adversarialProbes, ...adversarialToolCalls];
+    specifiedOptions.add('adversarialProbes');
+  }
+
   options.config = {
     enabled: true,
     path: options.configPath,
@@ -498,7 +583,9 @@ function applyConfigFile(options, config, specifiedOptions) {
       cwd: usesConfigCwd,
       envNames: Object.keys(env).sort(),
       requests: usesConfigOperations ? requests.map((request) => request.method) : [],
-      safeToolCalls: usesConfigOperations ? safeToolCalls.map((request) => request.safeToolCallName) : []
+      safeToolCalls: usesConfigOperations ? safeToolCalls.map((request) => request.safeToolCallName) : [],
+      adversarialProbes: usesConfigAdversarialProbes ? adversarialProbes.map((probe) => probe.name ?? probe) : [],
+      adversarialToolCalls: usesConfigAdversarialProbes ? adversarialToolCalls.map((probe) => probe.safeToolCallName) : []
     }
   };
 }
@@ -608,6 +695,67 @@ function normalizeSafeToolCalls(config) {
   });
 }
 
+function normalizeConfigAdversarialProbes(config) {
+  if (config.adversarialProbes === undefined) return [];
+
+  if (config.adversarialProbes === true) {
+    return [...BUILTIN_ADVERSARIAL_PROBE_NAMES];
+  }
+
+  if (config.adversarialProbes === false) {
+    return [];
+  }
+
+  if (typeof config.adversarialProbes === 'string') {
+    return expandAndValidateAdversarialProbeList(config.adversarialProbes, '--config adversarialProbes');
+  }
+
+  if (!Array.isArray(config.adversarialProbes)) {
+    throw new Error('--config adversarialProbes must be a boolean, string, or array of strings');
+  }
+
+  return config.adversarialProbes.flatMap((probe, index) => {
+    if (typeof probe !== 'string') {
+      throw new Error(`--config adversarialProbes[${index}] must be a string`);
+    }
+    return expandAndValidateAdversarialProbeList(probe, `--config adversarialProbes[${index}]`);
+  });
+}
+
+function normalizeConfigAdversarialToolCalls(config) {
+  if (config.adversarialToolCalls === undefined) return [];
+  if (!Array.isArray(config.adversarialToolCalls)) {
+    throw new Error('--config adversarialToolCalls must be an array');
+  }
+
+  return config.adversarialToolCalls.map((call, index) => {
+    if (!isObjectRecord(call)) {
+      throw new Error(`--config adversarialToolCalls[${index}] must be an object`);
+    }
+    if (typeof call.name !== 'string' || !call.name) {
+      throw new Error(`--config adversarialToolCalls[${index}].name must be a non-empty string`);
+    }
+    const argumentsValue = call.arguments ?? {};
+    if (!isObjectRecord(argumentsValue)) {
+      throw new Error(`--config adversarialToolCalls[${index}].arguments must be an object`);
+    }
+    return {
+      name: `safe-tool-invalid-args:${call.name}`,
+      source: 'adversarial-tool-call',
+      method: 'tools/call',
+      params: {
+        name: call.name,
+        arguments: argumentsValue
+      },
+      safeToolCallName: call.name,
+      expectation: 'error',
+      failureCode: 'adversarial-tool-call-result',
+      description: `tools/call for ${call.name} with invalid arguments returns a structured error`,
+      risk: 'Calls a configured safe tool with intentionally invalid arguments; only use for idempotent tools.'
+    };
+  });
+}
+
 function buildConfiguredOperations(options) {
   if (options.requestMethod) {
     return [{
@@ -629,6 +777,127 @@ function normalizeGuardOperations(operations) {
   }));
 }
 
+function expandAdversarialProbeList(rawValue, option) {
+  const names = String(rawValue)
+    .split(',')
+    .map((name) => name.trim())
+    .filter(Boolean);
+
+  if (!names.length) {
+    throw new Error(`${option} requires at least one probe name`);
+  }
+
+  if (names.includes('none')) {
+    if (names.length > 1) {
+      throw new Error(`${option} cannot combine none with other probes`);
+    }
+    return [];
+  }
+
+  if (names.includes('all')) {
+    if (names.length > 1) {
+      throw new Error(`${option} cannot combine all with other probes`);
+    }
+    return [...BUILTIN_ADVERSARIAL_PROBE_NAMES];
+  }
+
+  return names;
+}
+
+function expandAndValidateAdversarialProbeList(rawValue, option) {
+  return expandAdversarialProbeList(rawValue, option).map((name) => validateAdversarialProbeName(name, option));
+}
+
+function validateAdversarialProbeName(name, option) {
+  if (!BUILTIN_ADVERSARIAL_PROBES[name]) {
+    throw new Error(`${option} must be one of: ${[...BUILTIN_ADVERSARIAL_PROBE_NAMES, 'all', 'none'].join(', ')}`);
+  }
+  return name;
+}
+
+function normalizeAdversarialProbeSpecs(specs) {
+  const probes = [];
+  const seenBuiltins = new Set();
+
+  for (const spec of specs ?? []) {
+    if (typeof spec === 'string') {
+      for (const name of expandAdversarialProbeList(spec, '--adversarial-probe')) {
+        const definition = BUILTIN_ADVERSARIAL_PROBES[validateAdversarialProbeName(name, '--adversarial-probe')];
+        if (seenBuiltins.has(name)) continue;
+        seenBuiltins.add(name);
+        probes.push({ ...definition });
+      }
+    } else if (isObjectRecord(spec)) {
+      probes.push(normalizeAdversarialProbeObject(spec, '--adversarial-probe'));
+    } else {
+      throw new Error('--adversarial-probe entries must be strings or configured adversarial tool calls');
+    }
+  }
+
+  return probes.map((probe, index) => ({
+    index,
+    safeToolCallName: '',
+    rawLine: '',
+    omitId: false,
+    ...probe
+  }));
+}
+
+function normalizeAdversarialProbeObject(spec, option) {
+  if (typeof spec.name !== 'string' || !spec.name.trim()) {
+    throw new Error(`${option}.name must be a non-empty string`);
+  }
+
+  if (typeof spec.expectation !== 'string' || !SUPPORTED_ADVERSARIAL_EXPECTATIONS.has(spec.expectation)) {
+    throw new Error(`${option}.expectation must be one of: ${[...SUPPORTED_ADVERSARIAL_EXPECTATIONS].join(', ')}`);
+  }
+
+  if (typeof spec.failureCode !== 'string' || !spec.failureCode) {
+    throw new Error(`${option}.failureCode must be a non-empty string`);
+  }
+
+  const rawLine = spec.rawLine ?? '';
+  if (typeof rawLine !== 'string') {
+    throw new Error(`${option}.rawLine must be a string when provided`);
+  }
+
+  const method = spec.method ?? '';
+  if (typeof method !== 'string') {
+    throw new Error(`${option}.method must be a string when provided`);
+  }
+  if (!rawLine && !method) {
+    throw new Error(`${option}.method must be a non-empty string when rawLine is not set`);
+  }
+
+  if (spec.source !== undefined && typeof spec.source !== 'string') {
+    throw new Error(`${option}.source must be a string when provided`);
+  }
+  if (spec.safeToolCallName !== undefined && typeof spec.safeToolCallName !== 'string') {
+    throw new Error(`${option}.safeToolCallName must be a string when provided`);
+  }
+  if (spec.description !== undefined && typeof spec.description !== 'string') {
+    throw new Error(`${option}.description must be a string when provided`);
+  }
+  if (spec.risk !== undefined && typeof spec.risk !== 'string') {
+    throw new Error(`${option}.risk must be a string when provided`);
+  }
+  if (spec.omitId !== undefined && typeof spec.omitId !== 'boolean') {
+    throw new Error(`${option}.omitId must be a boolean when provided`);
+  }
+  if (spec.quietMs !== undefined && (!Number.isInteger(spec.quietMs) || spec.quietMs < 1)) {
+    throw new Error(`${option}.quietMs must be an integer >= 1 when provided`);
+  }
+
+  return {
+    ...spec,
+    name: spec.name.trim(),
+    source: spec.source ?? 'custom',
+    method,
+    rawLine,
+    safeToolCallName: spec.safeToolCallName ?? ''
+  };
+}
+
 function resolveConfigPath(value, configDir) {
   return path.resolve(configDir, value);
 }
@@ -636,6 +905,7 @@ function resolveConfigPath(value, configDir) {
 export async function guardRepeatedStdioServer(commandWithArgs, options = {}) {
   const startedAt = Date.now();
   const repeat = options.repeat ?? 1;
+  const adversarialProbes = normalizeAdversarialProbeSpecs(options.adversarialProbes ?? []);
   const runs = [];
   const issues = [];
 
@@ -643,7 +913,7 @@ export async function guardRepeatedStdioServer(commandWithArgs, options = {}) {
     throw new Error('repeat must be an integer >= 1');
   }
 
-  const singleRunOptions = { ...options, repeat: 1 };
+  const singleRunOptions = { ...options, adversarialProbes, repeat: 1 };
 
   for (let index = 1; index <= repeat; index += 1) {
     const run = await guardStdioServer(commandWithArgs, singleRunOptions);
@@ -672,6 +942,7 @@ export async function guardRepeatedStdioServer(commandWithArgs, options = {}) {
     issues,
     checks: {},
     capabilityProbes: options.probeCapabilities ?? true,
+    adversarial: aggregateRunAdversarial(runs, adversarialProbes),
     drift,
     staticScan: defaultStaticScan(),
     staticFindings: [],
@@ -690,6 +961,7 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
   const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT;
   const protocol = options.protocol ?? DEFAULT_PROTOCOL;
   const operations = normalizeGuardOperations(options.operations ?? (options.operation ? [options.operation] : []));
+  const adversarialProbes = normalizeAdversarialProbeSpecs(options.adversarialProbes ?? []);
   const probeCapabilities = options.probeCapabilities ?? true;
   const env = { ...process.env, ...(options.env ?? {}) };
   const issues = [];
@@ -737,6 +1009,7 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
     capabilityProbes: probeCapabilities,
     capabilityKeys: [],
     capabilityChecks: defaultCapabilityChecks(),
+    adversarial: defaultAdversarialResult(adversarialProbes),
     stderr: '',
     process: defaultProcessInfo(timeoutMs),
     staticScan: defaultStaticScan(),
@@ -750,6 +1023,7 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
       config: options.config,
       profile: options.profile,
       probeCapabilities,
+      adversarialProbes,
       operations,
       env: options.env
     })
@@ -811,12 +1085,20 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
       child.stdin.write(`${JSON.stringify(message)}\n`);
     }
 
+    function sendRaw(line) {
+      if (!child?.stdin?.writable) return;
+      child.stdin.write(`${line}\n`);
+    }
+
     function enqueueRequest(request) {
+      const needsId = !request.omitId && !request.rawLine;
       requestQueue.push({
         ...request,
-        id: nextRequestId
+        id: needsId ? nextRequestId : null
       });
-      nextRequestId += 1;
+      if (needsId) {
+        nextRequestId += 1;
+      }
     }
 
     function startNextRequest() {
@@ -829,6 +1111,34 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
       }
 
       result.process.phase = 'operation';
+      currentRequest.startedAt = Date.now();
+
+      if (currentRequest.kind === 'adversarial') {
+        result.process.phase = 'adversarial';
+        markAdversarialProbeRunning(currentRequest);
+        if (currentRequest.rawLine) {
+          sendRaw(currentRequest.rawLine);
+        } else {
+          const request = {
+            jsonrpc: '2.0',
+            method: currentRequest.method
+          };
+          if (!currentRequest.omitId) {
+            request.id = currentRequest.id;
+          }
+          if (currentRequest.params !== undefined) {
+            request.params = currentRequest.params;
+          }
+          send(request);
+        }
+        if (currentRequest.expectation === 'no-response' || currentRequest.expectation === 'error-or-no-response') {
+          armAdversarialQuietTimer(currentRequest);
+        } else {
+          armAdversarialTimeout(currentRequest);
+        }
+        return;
+      }
+
       const request = {
         jsonrpc: '2.0',
         id: currentRequest.id,
@@ -846,6 +1156,37 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
       );
     }
 
+    function armAdversarialQuietTimer(request) {
+      clearTimeout(timer);
+      timer = setTimeout(() => {
+        completeAdversarialProbe(request, 'pass');
+        currentRequest = null;
+        startNextRequest();
+      }, request.quietMs);
+    }
+
+    function armAdversarialTimeout(request) {
+      clearTimeout(timer);
+      result.process.phase = 'adversarial';
+      timer = setTimeout(() => {
+        result.process.timedOut = true;
+        result.process.timeoutCode = 'adversarial-probe-timeout';
+        result.process.timeoutMs = timeoutMs;
+        result.process.outcome = 'timeout';
+        failAdversarialProbe(
+          request,
+          'adversarial-probe-timeout',
+          `${request.probeName} adversarial probe did not receive a structured error within ${timeoutMs}ms`,
+          {
+            detailCode: 'adversarial-probe-timeout',
+            phase: 'adversarial',
+            timeoutMs
+          }
+        );
+        finish();
+      }, timeoutMs);
+    }
+
     function configureCapabilityChecks(capabilities) {
       result.capabilityKeys = capabilityKeys(capabilities);
       for (const definition of CAPABILITY_DEFINITIONS) {
@@ -871,22 +1212,38 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
         });
       }
 
-      if (!probeCapabilities) return;
-
-      for (const definition of CAPABILITY_DEFINITIONS) {
-        const check = result.capabilityChecks[definition.name];
-        if (!check.advertised || operationCapabilities.has(definition.name)) continue;
-        enqueueRequest({
-          kind: 'capability',
-          capability: definition.name,
-          method: definition.method,
-          timeoutCode: 'capability-list-timeout',
-          timeoutMessage: `${definition.method} did not receive a response for advertised ${definition.name} capability within ${timeoutMs}ms`,
-          timeoutDetails: {
+      if (probeCapabilities) {
+        for (const definition of CAPABILITY_DEFINITIONS) {
+          const check = result.capabilityChecks[definition.name];
+          if (!check.advertised || operationCapabilities.has(definition.name)) continue;
+          enqueueRequest({
+            kind: 'capability',
             capability: definition.name,
             method: definition.method,
-            detailCode: 'capability-request-timeout'
-          }
+            timeoutCode: 'capability-list-timeout',
+            timeoutMessage: `${definition.method} did not receive a response for advertised ${definition.name} capability within ${timeoutMs}ms`,
+            timeoutDetails: {
+              capability: definition.name,
+              method: definition.method,
+              detailCode: 'capability-request-timeout'
+            }
+          });
+        }
+      }
+
+      for (let probeIndex = 0; probeIndex < adversarialProbes.length; probeIndex += 1) {
+        const probe = adversarialProbes[probeIndex];
+        enqueueRequest({
+          kind: 'adversarial',
+          probeIndex,
+          probeName: probe.name,
+          method: probe.method,
+          params: probe.params,
+          rawLine: probe.rawLine,
+          omitId: probe.omitId,
+          expectation: probe.expectation,
+          failureCode: probe.failureCode,
+          quietMs: Math.min(timeoutMs, probe.quietMs ?? ADVERSARIAL_OBSERVATION_MS)
         });
       }
     }
@@ -950,6 +1307,107 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
       });
     }
 
+    function markAdversarialProbeRunning(request) {
+      const probe = result.adversarial.probes[request.probeIndex];
+      if (!probe) return;
+      probe.status = 'running';
+      probe.started = true;
+    }
+
+    function completeAdversarialProbe(request, status, issueCodes = [], response = {}) {
+      const probe = result.adversarial.probes[request.probeIndex];
+      if (!probe) return;
+      probe.status = status;
+      probe.responded = Boolean(response.responded);
+      probe.error = response.error ?? null;
+      probe.issueCodes = [...new Set(issueCodes)].sort();
+      probe.durationMs = request.startedAt ? Date.now() - request.startedAt : null;
+    }
+
+    function failAdversarialProbe(request, code, message, details = {}, response = {}) {
+      completeAdversarialProbe(request, 'fail', [code], response);
+      addIssue('error', code, message, {
+        probe: request.probeName,
+        method: request.method || '',
+        ...details
+      });
+    }
+
+    function handleAdversarialFrame(message) {
+      clearTimeout(timer);
+      const request = currentRequest;
+
+      if (request.expectation === 'no-response') {
+        failAdversarialProbe(
+          request,
+          request.failureCode,
+          `${request.probeName} adversarial probe received a response to a notification`,
+          {},
+          { responded: true }
+        );
+        finish();
+        return;
+      }
+
+      if (!request.rawLine && !request.omitId && isResponseIdTypeMismatch(message, request.id)) {
+        failAdversarialProbe(
+          request,
+          'response-id-type-mismatch',
+          `${request.probeName} adversarial response id ${JSON.stringify(message.id)} does not exactly match request id ${request.id}`,
+          {},
+          { responded: true }
+        );
+        finish();
+        return;
+      }
+
+      if (!request.rawLine && !request.omitId && isResponseIdMismatch(message, request.id)) {
+        failAdversarialProbe(
+          request,
+          'response-id-mismatch',
+          `${request.probeName} adversarial response id ${JSON.stringify(message.id)} does not match request id ${request.id}`,
+          {},
+          { responded: true }
+        );
+        finish();
+        return;
+      }
+
+      if (!isJsonRpcResponse(message)) {
+        failAdversarialProbe(
+          request,
+          'adversarial-probe-invalid-stdout',
+          `${request.probeName} adversarial probe received a JSON-RPC frame that was not a response`,
+          {},
+          { responded: true }
+        );
+        finish();
+        return;
+      }
+
+      if (message.error) {
+        completeAdversarialProbe(request, 'pass', [], {
+          responded: true,
+          error: {
+            code: message.error.code,
+            message: message.error.message
+          }
+        });
+        currentRequest = null;
+        startNextRequest();
+        return;
+      }
+
+      failAdversarialProbe(
+        request,
+        request.failureCode,
+        `${request.probeName} adversarial probe returned success where a structured error was expected`,
+        {},
+        { responded: true }
+      );
+      finish();
+    }
+
     function recordCapabilityListShape(request, responseResult) {
       if (!isObjectRecord(responseResult)) return;
       const check = result.capabilityChecks[request.capability];
@@ -1024,7 +1482,9 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
       clearTimeout(timer);
       const exitPhase = initialized
         ? currentRequest
-          ? 'operation'
+          ? currentRequest.kind === 'adversarial'
+            ? 'adversarial'
+            : 'operation'
           : 'post-initialize'
         : 'initialize';
       result.process.phase = exitPhase;
@@ -1034,6 +1494,17 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
       if (stdoutBuffer.trim()) {
         addIssue('error', 'stdout-without-newline', `stdout ended with an incomplete JSON-RPC frame: ${quote(stdoutBuffer)}`);
       }
+      if (!endedByGuard && initialized && currentRequest?.kind === 'adversarial') {
+        result.process.phase = 'adversarial';
+        failAdversarialProbe(
+          currentRequest,
+          'adversarial-probe-crash',
+          `server exited during ${currentRequest.probeName} adversarial probe (code ${code ?? 'null'}, signal ${signal ?? 'null'})`,
+          adversarialExitIssueDetails(code, signal)
+        );
+        finish();
+        return;
+      }
       if (!endedByGuard && initialized && currentRequest?.kind === 'operation') {
         const operationResult = result.operations[currentRequest.operationIndex];
         if (operationResult && !operationResult.responded) {
@@ -1087,17 +1558,42 @@ export async function guardStdioServer(commandWithArgs, options = {}) {
         message = JSON.parse(line);
       } catch {
         addIssue('error', 'stdout-non-json', `stdout line ${frames.length + 1} is not JSON-RPC: ${quote(line)}`);
+        if (currentRequest?.kind === 'adversarial') {
+          failAdversarialProbe(
+            currentRequest,
+            'adversarial-probe-invalid-stdout',
+            `${currentRequest.probeName} adversarial probe received non-JSON stdout`,
+            {},
+            { responded: true }
+          );
+          finish();
+        }
         return;
       }
 
       const validation = validateJsonRpc(message);
       if (validation) {
         addIssue('error', 'stdout-invalid-json-rpc', validation);
+        if (currentRequest?.kind === 'adversarial') {
+          failAdversarialProbe(
+            currentRequest,
+            'adversarial-probe-invalid-stdout',
+            `${currentRequest.probeName} adversarial probe received invalid JSON-RPC stdout`,
+            {},
+            { responded: true }
+          );
+          finish();
+        }
         return;
       }
 
       frames.push(message);
 
+      if (initialized && currentRequest?.kind === 'adversarial') {
+        handleAdversarialFrame(message);
+        return;
+      }
+
       if (!initialized && isResponseIdTypeMismatch(message, 1)) {
         clearTimeout(timer);
         addIssue('error', 'response-id-type-mismatch', `initialize response id ${JSON.stringify(message.id)} does not exactly match request id 1`);
@@ -1250,6 +1746,15 @@ function exitIssueDetails(position, code, signal) {
   };
 }
 
+function adversarialExitIssueDetails(code, signal) {
+  return {
+    detailCode: exitDetailCode('during-adversarial', code, signal),
+    phase: 'adversarial',
+    exitCode: code,
+    signal
+  };
+}
+
 function exitDetailCode(position, code, signal) {
   if (signal) return `signal-exit-${position}`;
   if (code === 0) return `clean-exit-${position}`;
@@ -1651,6 +2156,7 @@ export function classifyIssueCode(code) {
 export function createFingerprint(commandWithArgs, options = {}) {
   const cwd = path.resolve(options.cwd ?? process.cwd());
   const operations = normalizeGuardOperations(options.operations ?? (options.operation ? [options.operation] : []));
+  const adversarialProbes = normalizeAdversarialProbeSpecs(options.adversarialProbes ?? []);
 
   return {
     guard: {
@@ -1673,6 +2179,13 @@ export function createFingerprint(commandWithArgs, options = {}) {
     timeoutMs: options.timeoutMs ?? DEFAULT_TIMEOUT,
     repeat: options.repeat ?? 1,
     capabilityProbes: options.probeCapabilities ?? true,
+    adversarialProbes: adversarialProbes.map((probe) => ({
+      name: probe.name,
+      source: probe.source,
+      method: probe.method || '',
+      safeToolCallName: probe.safeToolCallName || '',
+      expectation: probe.expectation
+    })),
     operation: operations.length === 1
       ? {
           method: operations[0].method,
@@ -2012,6 +2525,7 @@ function finalizeResult(result) {
   result.config ??= defaultConfigMetadata();
   result.profile ??= DEFAULT_PROFILE;
   result.capabilityProbes ??= true;
+  result.adversarial ??= defaultAdversarialResult();
   result.operations ??= result.operation ? [{
     index: 0,
     source: result.operation.source ?? 'request',
@@ -2023,6 +2537,7 @@ function finalizeResult(result) {
   result.staticScan ??= defaultStaticScan();
   result.staticFindings ??= [];
   result.issues = normalizeIssues(result.issues ?? []);
+  finalizeAdversarialResult(result);
   result.ok = !result.issues.some((issue) => issue.severity === 'error');
   result.checks = buildChecks(result);
   result.issueClasses = buildIssueClasses(result.issues);
@@ -2030,6 +2545,17 @@ function finalizeResult(result) {
   return result;
 }
 
+function finalizeAdversarialResult(result) {
+  if (!result.adversarial?.enabled) return;
+  for (const probe of result.adversarial.probes) {
+    if (probe.status === 'pending' || probe.status === 'running') {
+      probe.status = 'skipped';
+      probe.durationMs ??= null;
+    }
+    probe.issueCodes = [...new Set(probe.issueCodes ?? [])].sort();
+  }
+}
+
 function finalizeFingerprint(result) {
   if (!result.fingerprint) return;
   result.fingerprint.timings ??= {};
@@ -2071,6 +2597,9 @@ function buildChecks(result) {
     toolSchema: repeated
       ? aggregateRunCheck(result, 'toolSchema')
       : buildToolSchemaCheck(result, issues),
+    adversarial: repeated
+      ? aggregateRunCheck(result, 'adversarial')
+      : buildAdversarialCheck(result, issues),
     process: buildIssueCheck(issues, (issue) => PROCESS_ISSUE_CODES.has(issue.code)),
     pythonBuffering: buildIssueCheck(issues, (issue) => issue.code === 'python-buffered-stdio'),
     staticScan: buildStaticScanCheck(result, issues),
@@ -2135,6 +2664,28 @@ function buildToolSchemaCheck(result, issues) {
   return makeCheck('pass', []);
 }
 
+function buildAdversarialCheck(result, issues) {
+  if (!result.adversarial?.enabled) {
+    return makeCheck('skipped', []);
+  }
+
+  const probeNames = new Set(result.adversarial.probes.map((probe) => probe.name));
+  const matched = issues.filter((issue) => (
+    ADVERSARIAL_ISSUE_CODES.has(issue.code)
+    || (probeNames.has(issue.probe) && issue.class === ISSUE_CLASSES.MCP_PROTOCOL)
+  ));
+  if (matched.length) {
+    return makeCheck(statusFromIssues(matched), matched);
+  }
+
+  const active = result.adversarial.probes.filter((probe) => probe.status !== 'skipped');
+  if (!result.initialized || !active.length) {
+    return makeCheck('skipped', []);
+  }
+
+  return makeCheck(active.every((probe) => probe.status === 'pass') ? 'pass' : 'fail', []);
+}
+
 function buildCapabilityChecks(result, issues) {
   const checks = {};
   for (const definition of CAPABILITY_DEFINITIONS) {
@@ -2321,11 +2872,71 @@ function defaultConfigMetadata() {
       cwd: false,
       envNames: [],
       requests: [],
-      safeToolCalls: []
+      safeToolCalls: [],
+      adversarialProbes: [],
+      adversarialToolCalls: []
     }
   };
 }
 
+function defaultAdversarialResult(probes = []) {
+  return {
+    enabled: probes.length > 0,
+    probes: probes.map((probe, index) => ({
+      index,
+      name: probe.name,
+      source: probe.source,
+      method: probe.method || '',
+      safeToolCallName: probe.safeToolCallName || '',
+      expectation: probe.expectation,
+      description: probe.description,
+      risk: probe.risk,
+      status: 'pending',
+      started: false,
+      responded: false,
+      error: null,
+      issueCodes: [],
+      durationMs: null
+    }))
+  };
+}
+
+function aggregateRunAdversarial(runs, probes = []) {
+  if (!probes.length) {
+    return defaultAdversarialResult();
+  }
+
+  return {
+    enabled: true,
+    probes: probes.map((probe, index) => {
+      const runProbes = runs
+        .map((run) => run.adversarial?.probes?.[index])
+        .filter(Boolean);
+      const active = runProbes.filter((runProbe) => runProbe.status !== 'skipped');
+      const status = active.length
+        ? active.some((runProbe) => runProbe.status === 'fail')
+          ? 'fail'
+          : active.every((runProbe) => runProbe.status === 'pass')
+            ? 'pass'
+            : 'warning'
+        : 'skipped';
+      return {
+        index,
+        name: probe.name,
+        source: probe.source,
+        method: probe.method || '',
+        safeToolCallName: probe.safeToolCallName || '',
+        expectation: probe.expectation,
+        description: probe.description,
+        risk: probe.risk,
+        status,
+        runs: runProbes.length,
+        issueCodes: [...new Set(runProbes.flatMap((runProbe) => runProbe.issueCodes ?? []))].sort()
+      };
+    })
+  };
+}
+
 function defaultStaticScan() {
   return {
     enabled: false,
@@ -2903,6 +3514,11 @@ function formatTextResult(result) {
     lines.push(`tool schemas: ${result.toolSchema.validToolCount}/${result.toolSchema.toolCount} valid`);
   }
 
+  if (result.adversarial?.enabled) {
+    const passedProbes = result.adversarial.probes.filter((probe) => probe.status === 'pass').length;
+    lines.push(`adversarial probes: ${passedProbes}/${result.adversarial.probes.length} passed`);
+  }
+
   if (result.staticFindings.length) {
     lines.push(`static findings: ${result.staticFindings.length}`);
     for (const finding of result.staticFindings.slice(0, 10)) {
@@ -2930,6 +3546,11 @@ function formatRepeatedTextResult(result) {
     lines.push(`drift: ${result.drift.status}${issueCodes}`);
   }
 
+  if (result.adversarial?.enabled) {
+    const passedProbes = result.adversarial.probes.filter((probe) => probe.status === 'pass').length;
+    lines.push(`adversarial probes: ${passedProbes}/${result.adversarial.probes.length} passed`);
+  }
+
   for (const run of result.runs) {
     const runStatus = run.ok ? 'PASS' : 'FAIL';
     const invalidFrames = run.issues.filter((issue) => issue.code.startsWith('stdout-')).length;
@@ -2994,6 +3615,10 @@ Options:
   --fail-on-static       fail when --scan finds risky stdout writes
   --request <method>     send one MCP request after initialize, e.g. tools/list
   --params <json>        JSON params for --request
+  --adversarial-probe <name>
+                         opt into strict probes: ${[...BUILTIN_ADVERSARIAL_PROBE_NAMES, 'all', 'none'].join(', ')}
+  --adversarial-probes <list>
+                         comma-separated form of --adversarial-probe
   --json                 print JSON output
   --cwd <path>           run command from this directory
   --version, -v          print version