meritmcp 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 '//e0
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,149 @@
+# Merit
+
+> **The CI quality gate for MCP servers** — one command that runs functional tests, the official MCP conformance suite, and OWASP-MCP-Top-10 security checks, then emits a PASS/FAIL verdict, a 0–100 safety score, SARIF for GitHub code scanning, and a README badge.
+
+[![Merit](https://img.shields.io/badge/Merit-100%2F100%20·%20passing-brightgreen)](https://github.com/meritmcp/meritmcp)
+[![license](https://img.shields.io/badge/license-MIT-blue)](./LICENSE)
+
+> ⚠️ **Status: alpha (0.1.x).** Wraps two fast-moving upstreams (`@modelcontextprotocol/sdk`, `@modelcontextprotocol/conformance`) which are pinned and isolated behind adapters. APIs may change before 1.0.
+
+---
+
+## Why
+
+MCP servers are shipped fast and "vibe-tested." There's no standard way to answer, in one shot: *is my server functionally correct, spec-conformant, and not leaking secrets or running shell input?* Merit is that one shot — and the bundle is the point: **conformance ≠ correct ≠ secure.** A server can pass the official conformance suite while returning wrong answers and exposing a command-injection tool.
+
+## Quickstart
+
+```bash
+# Point it at a stdio server…
+npx meritmcp run --stdio "node dist/server.js"
+
+# …or a Streamable HTTP server
+npx meritmcp run --http https://your-host/mcp
+```
+
+You'll get a verdict like:
+
+```
+Merit — PASS · Safety score 93/100
+
+Functional: 12/12 passed
+Conformance: 8/8 applicable scenarios passed (score 100/100) · 22 N/A skipped
+Security: 1 medium (score 96/100)
+  ▲ [MCP07:2025] Server accepted an unauthenticated MCP session …
+```
+
+Exit code is `0` on PASS, `1` on FAIL (gate your CI), `2` on a setup error.
+
+## What it checks
+
+| Engine | What | Weight |
+|---|---|---|
+| **Functional** | Your YAML tests (tool calls + assertions) **and** schema-snapshot drift, incl. description-only "rug-pull" detection | 30% |
+| **Conformance** | The **official** MCP conformance suite, wrapped — never reimplemented. Capability- & transport-aware so a tools-only server isn't punished for unimplemented optional features | 30% |
+| **Security** | OWASP-MCP-Top-10. Static (always on): MCP01 secrets · MCP03a invisible-Unicode poisoning · MCP04 dependency CVEs via [OSV.dev](https://osv.dev). Live probes (**opt-in `--probe`**, only on a server you control): MCP05 command-injection · MCP07 HTTP auth | 40% |
+
+> The conformance suite is HTTP-only. For stdio servers, Merit transparently spins up an in-process stdio→HTTP proxy so the official suite can test them.
+
+## CLI
+
+```bash
+meritmcp run --stdio "<command>" | --http <url>  [options]
+  --tests <path>                 YAML functional spec (default: merit.tests.yaml)
+  --snapshot <path>              schema snapshot file (default: merit.snapshot.json)
+  --src <dir>                    server source dir → enables dependency CVE scanning (OSV)
+  --conformance-baseline <path>  YAML of expected conformance failures
+  --min-score <n>                fail if the score is below n
+  --sarif <path>                 write SARIF 2.1.0 (GitHub code scanning)
+  --out <path>                   write the full report JSON (open, reproducible scoring)
+  --badge <path>                 write a shields.io endpoint badge JSON
+  --pr-comment <path>            write the PR-comment markdown
+  --probe                        run LIVE security probes (side effects! only on servers you control)
+  --no-security | --no-conformance
+  --json                         print the raw report JSON
+
+meritmcp snapshot --stdio "<command>" --out merit.snapshot.json   # capture/refresh the tool surface
+meritmcp init                                                          # write a starter merit.tests.yaml
+```
+
+### Functional test spec (`merit.tests.yaml`)
+
+```yaml
+version: 1
+tests:
+  - name: "tool catalog is stable"
+    op: list_tools
+    assert:
+      contains_tools: [search, fetch]
+  - name: "add returns the sum"
+    op: call_tool
+    tool: add
+    arguments: { a: 2, b: 3 }
+    assert:
+      not_error: true
+      content_contains: "5"
+      structured:
+        json_schema: { type: object, required: [sum], properties: { sum: { const: 5 } } }
+```
+
+## GitHub Action
+
+```yaml
+# .github/workflows/meritmcp.yml
+name: Merit
+on: [pull_request]
+permissions:
+  contents: read
+  security-events: write   # upload SARIF
+  pull-requests: write     # sticky PR comment
+jobs:
+  meritmcp:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm ci && npm run build
+      - uses: meritmcp/meritmcp@v0          # or: meritmcp/meritmcp@<sha>
+        with:
+          command: "node dist/server.js"      # or: url: https://your-host/mcp
+          src: "."                            # enable dependency CVE scanning
+          min-score: "70"
+```
+
+The Action runs Merit, uploads SARIF to the **Security** tab, and posts a sticky PR comment with the verdict. Outputs: `score`, `verdict`.
+
+## The badge
+
+`meritmcp run … --badge badge.json` writes a [shields.io endpoint](https://shields.io/endpoint) file. Publish it (gh-pages / a Gist) and embed:
+
+```markdown
+![Merit](https://img.shields.io/endpoint?url=https://<you>.github.io/<repo>/badge.json)
+```
+
+## Scoring (open + reproducible)
+
+```
+score = 0.30·functional + 0.30·conformance + 0.40·security
+```
+
+- Engines that don't run have their weight redistributed across the rest.
+- **Security cap:** any *high-confidence* Critical/High finding caps the total at **49 and forces FAIL** — a pretty score can't hide a real hole.
+- A description-only schema change (rug-pull) costs 15 points.
+- Every weight lives in [`config/scoring.config.json`](./config/scoring.config.json) and every finding's contribution is in `merit.json`, so anyone can recompute the score by hand.
+
+Low-confidence/heuristic findings are reported as notes — they never hard-FAIL. Detection methodology and confidence per OWASP risk: [`04-SECURITY-OWASP.md`](./04-SECURITY-OWASP.md).
+
+## Development
+
+```bash
+npm install
+npm run demo:pass    # green PASS against a clean fixture
+npm run demo:fail    # red FAIL against a deliberately broken+insecure fixture
+npm test             # unit tests
+```
+
+Design docs: [`01-DESIGN.md`](./01-DESIGN.md) · [`03-ARCHITECTURE.md`](./03-ARCHITECTURE.md) · [`04-SECURITY-OWASP.md`](./04-SECURITY-OWASP.md).
+
+## License
+
+[MIT](./LICENSE)

package/action.yml

@@ -0,0 +1,120 @@
+name: "Merit"
+description: "The CI quality gate for MCP servers — functional + official conformance + OWASP-MCP-Top-10 security, with a SARIF report and a score badge."
+branding:
+  icon: "shield"
+  color: "green"
+
+inputs:
+  command:
+    description: "stdio command to launch the MCP server (e.g. 'node dist/server.js'). Use this OR url."
+    required: false
+  url:
+    description: "Streamable HTTP MCP server URL. Use this OR command."
+    required: false
+  tests:
+    description: "Path to the YAML functional test spec."
+    required: false
+    default: "merit.tests.yaml"
+  src:
+    description: "Server source dir (enables dependency CVE scanning via OSV)."
+    required: false
+  snapshot:
+    description: "Schema snapshot file."
+    required: false
+    default: "merit.snapshot.json"
+  min-score:
+    description: "Fail the job if the score is below this (0-100)."
+    required: false
+    default: "0"
+  conformance:
+    description: "Run the official MCP conformance suite ('true'/'false')."
+    required: false
+    default: "true"
+  conformance-baseline:
+    description: "YAML of expected conformance failures (baseline)."
+    required: false
+  version:
+    description: "meritmcp npm version / dist-tag to run."
+    required: false
+    default: "latest"
+  node-version:
+    description: "Node version to set up."
+    required: false
+    default: "20"
+  comment-pr:
+    description: "Post a sticky PR comment with the results ('true'/'false')."
+    required: false
+    default: "true"
+
+outputs:
+  score:
+    description: "The 0-100 safety score."
+    value: ${{ steps.meritmcp.outputs.score }}
+  verdict:
+    description: "PASS or FAIL."
+    value: ${{ steps.meritmcp.outputs.verdict }}
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    - id: meritmcp
+      shell: bash
+      env:
+        IN_COMMAND: ${{ inputs.command }}
+        IN_URL: ${{ inputs.url }}
+        IN_TESTS: ${{ inputs.tests }}
+        IN_SRC: ${{ inputs.src }}
+        IN_SNAPSHOT: ${{ inputs.snapshot }}
+        IN_MIN_SCORE: ${{ inputs.min-score }}
+        IN_CONFORMANCE: ${{ inputs.conformance }}
+        IN_BASELINE: ${{ inputs.conformance-baseline }}
+        IN_VERSION: ${{ inputs.version }}
+      run: |
+        set -u
+        ARGS=(run --tests "$IN_TESTS" --snapshot "$IN_SNAPSHOT" --min-score "$IN_MIN_SCORE"
+              --sarif merit.sarif --out merit.json --badge merit-badge.json --pr-comment merit-pr.md)
+        [ -n "$IN_COMMAND" ] && ARGS+=(--stdio "$IN_COMMAND")
+        [ -n "$IN_URL" ] && ARGS+=(--http "$IN_URL")
+        [ -n "$IN_SRC" ] && ARGS+=(--src "$IN_SRC")
+        [ "$IN_CONFORMANCE" = "false" ] && ARGS+=(--no-conformance)
+        [ -n "$IN_BASELINE" ] && ARGS+=(--conformance-baseline "$IN_BASELINE")
+
+        set +e
+        npx -y "meritmcp@${IN_VERSION}" "${ARGS[@]}"
+        CODE=$?
+        set -e
+
+        if [ -f merit.json ]; then
+          echo "score=$(node -p "require('./merit.json').score")" >> "$GITHUB_OUTPUT"
+          echo "verdict=$(node -p "require('./merit.json').verdict")" >> "$GITHUB_OUTPUT"
+        fi
+        exit $CODE
+
+    - name: Upload SARIF to code scanning
+      if: ${{ always() && hashFiles('merit.sarif') != '' }}
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: merit.sarif
+
+    - name: Sticky PR comment
+      if: ${{ always() && github.event_name == 'pull_request' && inputs.comment-pr == 'true' }}
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+          if (!fs.existsSync('merit-pr.md')) return;
+          const body = fs.readFileSync('merit-pr.md', 'utf8');
+          const marker = '<!-- merit-report -->';
+          const { owner, repo } = context.repo;
+          const issue_number = context.issue.number;
+          const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number });
+          const existing = comments.find((c) => c.body && c.body.includes(marker));
+          if (existing) {
+            await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body });
+          } else {
+            await github.rest.issues.createComment({ owner, repo, issue_number, body });
+          }

package/config/scoring.config.json

@@ -0,0 +1,9 @@
+{
+  "_comment": "Open, reproducible scoring weights. Mirrors DEFAULT_SCORING in src/report/score.ts. Score = 0.30*Functional + 0.30*Conformance + 0.40*Security; engines that don't run have their weight redistributed.",
+  "weights": { "functional": 0.3, "conformance": 0.3, "security": 0.4 },
+  "securityPenalties": { "critical": 40, "high": 20, "medium": 8, "low": 3 },
+  "confidenceMultiplier": { "high": 1.0, "medium": 0.5, "low": 0.2 },
+  "rugPullPenalty": 15,
+  "capScore": 49,
+  "bands": { "brightgreen": 85, "green": 70, "yellow": 50, "red": 30 }
+}

package/dist/src/adapter/mcpClient.js

@@ -0,0 +1,72 @@
+// THE single SDK chokepoint. Every @modelcontextprotocol/sdk call lives here so
+// the coming v2 package split is a one-file migration (see 03-ARCHITECTURE.md).
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+export class McpClient {
+    client;
+    constructor(name = "merit", version = "0.1.0") {
+        this.client = new Client({ name, version }, { capabilities: {} });
+    }
+    async connect(opts) {
+        if (opts.transport === "http") {
+            if (!opts.url)
+                throw new Error('HTTP transport requires --http <url>');
+            await this.client.connect(new StreamableHTTPClientTransport(new URL(opts.url)));
+            return;
+        }
+        if (!opts.command)
+            throw new Error('stdio transport requires --stdio "<command>"');
+        const { command, args } = splitCommand(opts.command);
+        await this.client.connect(new StdioClientTransport({ command, args, env: { ...currentEnv(), ...(opts.env ?? {}) } }));
+    }
+    /** Enumerate all tools, following pagination cursors. */
+    async listTools() {
+        const out = [];
+        let cursor;
+        do {
+            const page = (await this.client.listTools(cursor ? { cursor } : undefined));
+            out.push(...(page.tools ?? []));
+            cursor = page.nextCursor;
+        } while (cursor);
+        return out;
+    }
+    async callTool(name, args) {
+        const res = (await this.client.callTool({ name, arguments: args }));
+        const text = (res.content ?? [])
+            .filter((c) => c.type === "text" && typeof c.text === "string")
+            .map((c) => c.text)
+            .join("\n");
+        return { text, isError: Boolean(res.isError), structured: res.structuredContent, raw: res };
+    }
+    /** Server capabilities negotiated during initialize (available after connect). */
+    serverCapabilities() {
+        return (this.client.getServerCapabilities() ?? {});
+    }
+    async close() {
+        try {
+            await this.client.close();
+        }
+        catch {
+            /* server may already be gone; ignore */
+        }
+    }
+}
+/** Split a shell-ish command string into command + args, respecting quotes. */
+export function splitCommand(cmd) {
+    const matches = cmd.match(/(?:[^\s"']+|"[^"]*"|'[^']*')+/g) ?? [];
+    const parts = matches.map((s) => s.replace(/^["']|["']$/g, ""));
+    const [command, ...args] = parts;
+    if (!command)
+        throw new Error(`could not parse command: ${cmd}`);
+    return { command, args };
+}
+/** process.env with undefined values dropped (StdioClientTransport wants Record<string,string>). */
+export function currentEnv() {
+    const out = {};
+    for (const [k, v] of Object.entries(process.env))
+        if (typeof v === "string")
+            out[k] = v;
+    return out;
+}
+//# sourceMappingURL=mcpClient.js.map

package/dist/src/adapter/mcpClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcpClient.js","sourceRoot":"","sources":["../../../src/adapter/mcpClient.ts"],"names":[],"mappings":"AAAA,gFAAgF;AAChF,gFAAgF;AAChF,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAwBnG,MAAM,OAAO,SAAS;IACZ,MAAM,CAAS;IAEvB,YAAY,IAAI,GAAG,OAAO,EAAE,OAAO,GAAG,OAAO;QAC3C,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAoB;QAChC,IAAI,IAAI,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;YAC9B,IAAI,CAAC,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;YACvE,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,6BAA6B,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAChF,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QACnF,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACrD,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CACvB,IAAI,oBAAoB,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,UAAU,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,CAC3F,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,SAAS;QACb,MAAM,GAAG,GAAe,EAAE,CAAC;QAC3B,IAAI,MAA0B,CAAC;QAC/B,GAAG,CAAC;YACF,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAGzE,CAAC;YACF,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC;YAChC,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC;QAC3B,CAAC,QAAQ,MAAM,EAAE;QACjB,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAAY,EAAE,IAA6B;QACxD,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAIjE,CAAC;QACF,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;aAC7B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC;aAC9D,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAc,CAAC;aAC5B,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,UAAU,EAAE,GAAG,CAAC,iBAAiB,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;IAC9F,CAAC;IAED,kFAAkF;IAClF,kBAAkB;QAChB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,EAAE,IAAI,EAAE,CAA4B,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;IACH,CAAC;CACF;AAED,+EAA+E;AAC/E,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,gCAAgC,CAAC,IAAI,EAAE,CAAC;IAClE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,CAAC;IAChE,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC;IACjC,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,GAAG,EAAE,CAAC,CAAC;IACjE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,oGAAoG;AACpG,MAAM,UAAU,UAAU;IACxB,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACxF,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/src/cli.js

@@ -0,0 +1,121 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import { writeFileSync, existsSync } from "node:fs";
+import { run } from "./orchestrator.js";
+import { McpClient } from "./adapter/mcpClient.js";
+import { capture } from "./snapshot/capture.js";
+import { printReport } from "./report/console.js";
+import { toSarif } from "./report/sarif.js";
+import { toBadge } from "./report/badge.js";
+import { toMarkdown } from "./report/prcomment.js";
+import { DEFAULT_SCORING } from "./report/score.js";
+const STARTER_TESTS = `version: 1
+# Merit functional tests. Point the CLI at your server with --stdio / --http.
+tests:
+  - name: "tool catalog is stable"
+    op: list_tools
+    assert:
+      contains_tools: []       # e.g. [search, fetch]
+  # - name: "add returns the sum"
+  #   op: call_tool
+  #   tool: add
+  #   arguments: { a: 2, b: 3 }
+  #   assert:
+  #     not_error: true
+  #     content_contains: "5"
+`;
+const program = new Command();
+program.name("merit").description("The CI quality gate for MCP servers").version("0.1.0");
+function connectOpts(opts) {
+    return opts.http ? { transport: "http", url: opts.http } : { transport: "stdio", command: opts.stdio };
+}
+program
+    .command("run")
+    .description("Connect to an MCP server and run the quality gate: functional tests + schema-drift + official conformance + OWASP-MCP-Top-10 security.")
+    .option("--stdio <command>", 'launch a stdio MCP server, e.g. "node dist/server.js"')
+    .option("--http <url>", "connect to a Streamable HTTP MCP server URL")
+    .option("--tests <path>", "YAML functional test spec", "merit.tests.yaml")
+    .option("--snapshot <path>", "schema snapshot file", "merit.snapshot.json")
+    .option("--src <dir>", "server source dir (enables dependency CVE scanning via OSV)")
+    .option("--no-security", "skip the OWASP-MCP-Top-10 security checks")
+    .option("--probe", "run LIVE security probes — sends canary payloads to the server's tools (may trigger real tool actions; only use on a server you control). Off by default.", false)
+    .option("--no-conformance", "skip the official MCP conformance suite")
+    .option("--conformance-baseline <path>", "YAML of expected conformance failures (baseline)")
+    .option("--min-score <n>", "fail if the score is below this", "0")
+    .option("--sarif <path>", "write SARIF 2.1.0 (for GitHub code scanning)")
+    .option("--out <path>", "write the full report JSON (open, reproducible scoring)")
+    .option("--badge <path>", "write a shields.io endpoint badge JSON")
+    .option("--pr-comment <path>", "write the PR-comment markdown")
+    .option("--json", "print the raw report as JSON instead of the console verdict", false)
+    .action(async (opts) => {
+    if (!opts.stdio && !opts.http) {
+        console.error('✖ provide --stdio "<command>" or --http <url>');
+        process.exit(2);
+    }
+    try {
+        const report = await run({
+            connect: connectOpts(opts),
+            testsPath: opts.tests,
+            snapshotPath: opts.snapshot,
+            srcDir: opts.src,
+            security: opts.security,
+            probe: opts.probe,
+            conformance: opts.conformance,
+            conformanceBaseline: opts.conformanceBaseline,
+        });
+        if (opts.sarif)
+            writeFileSync(opts.sarif, JSON.stringify(toSarif(report), null, 2));
+        if (opts.badge)
+            writeFileSync(opts.badge, JSON.stringify(toBadge(report), null, 2));
+        if (opts.prComment)
+            writeFileSync(opts.prComment, toMarkdown(report));
+        if (opts.out)
+            writeFileSync(opts.out, JSON.stringify({ ...report, scoring: DEFAULT_SCORING, generatedAt: new Date().toISOString() }, null, 2));
+        if (opts.json)
+            console.log(JSON.stringify(report, null, 2));
+        else
+            printReport(report);
+        const ok = report.verdict === "PASS" && report.score >= Number(opts.minScore);
+        process.exit(ok ? 0 : 1);
+    }
+    catch (e) {
+        console.error(`✖ ${e.message}`);
+        process.exit(2);
+    }
+});
+program
+    .command("snapshot")
+    .description("Capture/refresh the schema snapshot of a server's tool surface.")
+    .option("--stdio <command>", "launch a stdio MCP server")
+    .option("--http <url>", "connect to a Streamable HTTP MCP server URL")
+    .option("--out <path>", "snapshot output file", "merit.snapshot.json")
+    .action(async (opts) => {
+    if (!opts.stdio && !opts.http) {
+        console.error("✖ provide --stdio or --http");
+        process.exit(2);
+    }
+    const client = new McpClient();
+    try {
+        await client.connect(connectOpts(opts));
+        const snap = capture(await client.listTools());
+        writeFileSync(opts.out, JSON.stringify(snap, null, 2));
+        console.log(`✔ wrote ${opts.out} (rootHash ${snap.rootHash.slice(0, 12)}…, ${Object.keys(snap.tools).length} tools)`);
+    }
+    finally {
+        await client.close();
+    }
+});
+program
+    .command("init")
+    .description("Write a starter merit.tests.yaml.")
+    .option("--out <path>", "output path", "merit.tests.yaml")
+    .action((opts) => {
+    if (existsSync(opts.out)) {
+        console.error(`✖ ${opts.out} already exists`);
+        process.exit(1);
+    }
+    writeFileSync(opts.out, STARTER_TESTS);
+    console.log(`✔ wrote ${opts.out} — edit it, then: merit run --stdio "node dist/server.js"`);
+});
+program.parseAsync();
+//# sourceMappingURL=cli.js.map

package/dist/src/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAC;AACxC,OAAO,EAAE,SAAS,EAAkB,MAAM,wBAAwB,CAAC;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,MAAM,aAAa,GAAG;;;;;;;;;;;;;;CAcrB,CAAC;AAEF,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAC9B,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,qCAAqC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;AAE1F,SAAS,WAAW,CAAC,IAAuC;IAC1D,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;AACzG,CAAC;AAED,OAAO;KACJ,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,wIAAwI,CAAC;KACrJ,MAAM,CAAC,mBAAmB,EAAE,uDAAuD,CAAC;KACpF,MAAM,CAAC,cAAc,EAAE,6CAA6C,CAAC;KACrE,MAAM,CAAC,gBAAgB,EAAE,2BAA2B,EAAE,kBAAkB,CAAC;KACzE,MAAM,CAAC,mBAAmB,EAAE,sBAAsB,EAAE,qBAAqB,CAAC;KAC1E,MAAM,CAAC,aAAa,EAAE,6DAA6D,CAAC;KACpF,MAAM,CAAC,eAAe,EAAE,2CAA2C,CAAC;KACpE,MAAM,CAAC,SAAS,EAAE,2JAA2J,EAAE,KAAK,CAAC;KACrL,MAAM,CAAC,kBAAkB,EAAE,yCAAyC,CAAC;KACrE,MAAM,CAAC,+BAA+B,EAAE,kDAAkD,CAAC;KAC3F,MAAM,CAAC,iBAAiB,EAAE,iCAAiC,EAAE,GAAG,CAAC;KACjE,MAAM,CAAC,gBAAgB,EAAE,8CAA8C,CAAC;KACxE,MAAM,CAAC,cAAc,EAAE,yDAAyD,CAAC;KACjF,MAAM,CAAC,gBAAgB,EAAE,wCAAwC,CAAC;KAClE,MAAM,CAAC,qBAAqB,EAAE,+BAA+B,CAAC;KAC9D,MAAM,CAAC,QAAQ,EAAE,6DAA6D,EAAE,KAAK,CAAC;KACtF,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC;YACvB,OAAO,EAAE,WAAW,CAAC,IAAI,CAAC;YAC1B,SAAS,EAAE,IAAI,CAAC,KAAK;YACrB,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,MAAM,EAAE,IAAI,CAAC,GAAG;YAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;SAC9C,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,KAAK;YAAE,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACpF,IAAI,IAAI,CAAC,KAAK;YAAE,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACpF,IAAI,IAAI,CAAC,SAAS;YAAE,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QACtE,IAAI,IAAI,CAAC,GAAG;YAAE,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAE/I,IAAI,IAAI,CAAC,IAAI;YAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;;YACvD,WAAW,CAAC,MAAM,CAAC,CAAC;QACzB,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,KAAK,MAAM,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9E,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,KAAM,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,iEAAiE,CAAC;KAC9E,MAAM,CAAC,mBAAmB,EAAE,2BAA2B,CAAC;KACxD,MAAM,CAAC,cAAc,EAAE,6CAA6C,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,sBAAsB,EAAE,qBAAqB,CAAC;KACrE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/C,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,CAAC,GAAG,cAAc,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,SAAS,CAAC,CAAC;IACxH,CAAC;YAAS,CAAC;QACT,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,mCAAmC,CAAC;KAChD,MAAM,CAAC,cAAc,EAAE,aAAa,EAAE,kBAAkB,CAAC;KACzD,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;IACf,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,CAAC,GAAG,2DAA2D,CAAC,CAAC;AAC9F,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,UAAU,EAAE,CAAC"}

package/dist/src/conformance/stdio-proxy.js

@@ -0,0 +1,102 @@
+// stdio→HTTP proxy. The official conformance suite is HTTP-only (--url, no --stdio),
+// so to test a stdio server we expose it over Streamable HTTP here. This is a transparent
+// JSON-RPC relay: an HTTP server transport (facing conformance) bridged to a fresh stdio
+// child per session (the server-under-test). Messages are forwarded verbatim — no parsing.
+import { createServer } from "node:http";
+import { randomUUID } from "node:crypto";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { splitCommand, currentEnv } from "../adapter/mcpClient.js";
+export async function startStdioHttpProxy(commandString, path = "/mcp") {
+    const { command, args } = splitCommand(commandString);
+    const env = currentEnv();
+    const sessions = new Map();
+    async function newSession() {
+        const child = new StdioClientTransport({ command, args, env });
+        const http = new StreamableHTTPServerTransport({
+            sessionIdGenerator: () => randomUUID(),
+            onsessioninitialized: (sid) => {
+                sessions.set(sid, { http, close });
+            },
+        });
+        // Idempotent teardown — both transports' onclose route here, and so does proxy.close(),
+        // so the underlying handles are only closed once (avoids libuv double-close on Windows).
+        let closed = false;
+        async function close() {
+            if (closed)
+                return;
+            closed = true;
+            await http.close().catch(() => { });
+            await child.close().catch(() => { });
+        }
+        // Transparent bidirectional relay (verbatim JSON-RPC).
+        http.onmessage = (msg) => void child.send(msg).catch(() => { });
+        child.onmessage = (msg) => void http.send(msg).catch(() => { });
+        http.onclose = () => void close();
+        child.onclose = () => void close();
+        await child.start();
+        await http.start();
+        return http;
+    }
+    const server = createServer(async (req, res) => {
+        try {
+            if (!req.url || !req.url.startsWith(path)) {
+                res.statusCode = 404;
+                res.end();
+                return;
+            }
+            const sid = req.headers["mcp-session-id"];
+            let transport = sid ? sessions.get(sid)?.http : undefined;
+            const body = await readBody(req);
+            if (!transport) {
+                if (isInitialize(body)) {
+                    transport = await newSession();
+                }
+                else {
+                    res.statusCode = 400;
+                    res.setHeader("content-type", "application/json");
+                    res.end(JSON.stringify({ jsonrpc: "2.0", error: { code: -32000, message: "No valid session" }, id: null }));
+                    return;
+                }
+            }
+            await transport.handleRequest(req, res, body);
+        }
+        catch {
+            if (!res.headersSent) {
+                res.statusCode = 500;
+                res.end();
+            }
+        }
+    });
+    await new Promise((resolve) => server.listen(0, "127.0.0.1", resolve));
+    const port = server.address().port;
+    return {
+        url: `http://127.0.0.1:${port}${path}`,
+        close: async () => {
+            for (const s of sessions.values())
+                await s.close();
+            await new Promise((resolve) => server.close(() => resolve()));
+        },
+    };
+}
+function isInitialize(body) {
+    const first = Array.isArray(body) ? body[0] : body;
+    return Boolean(first) && typeof first === "object" && first.method === "initialize";
+}
+async function readBody(req) {
+    if (req.method !== "POST")
+        return undefined;
+    const chunks = [];
+    for await (const c of req)
+        chunks.push(c);
+    const raw = Buffer.concat(chunks).toString("utf8");
+    if (!raw)
+        return undefined;
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return raw;
+    }
+}
+//# sourceMappingURL=stdio-proxy.js.map

package/dist/src/conformance/stdio-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio-proxy.js","sourceRoot":"","sources":["../../../src/conformance/stdio-proxy.ts"],"names":[],"mappings":"AAAA,qFAAqF;AACrF,0FAA0F;AAC1F,yFAAyF;AACzF,2FAA2F;AAC3F,OAAO,EAAE,YAAY,EAA2C,MAAM,WAAW,CAAC;AAElF,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAYnE,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,aAAqB,EAAE,IAAI,GAAG,MAAM;IAC5E,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;IACtD,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;IAE5C,KAAK,UAAU,UAAU;QACvB,MAAM,KAAK,GAAG,IAAI,oBAAoB,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAkC,IAAI,6BAA6B,CAAC;YAC5E,kBAAkB,EAAE,GAAG,EAAE,CAAC,UAAU,EAAE;YACtC,oBAAoB,EAAE,CAAC,GAAW,EAAE,EAAE;gBACpC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YACrC,CAAC;SACF,CAAC,CAAC;QAEH,wFAAwF;QACxF,yFAAyF;QACzF,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,KAAK,UAAU,KAAK;YAClB,IAAI,MAAM;gBAAE,OAAO;YACnB,MAAM,GAAG,IAAI,CAAC;YACd,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACnC,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACtC,CAAC;QAED,uDAAuD;QACvD,IAAI,CAAC,SAAS,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC/D,KAAK,CAAC,SAAS,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC/D,IAAI,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,KAAK,KAAK,EAAE,CAAC;QAClC,KAAK,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,KAAK,KAAK,EAAE,CAAC;QACnC,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;QACpB,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAW,YAAY,CAAC,KAAK,EAAE,GAAoB,EAAE,GAAmB,EAAE,EAAE;QACtF,IAAI,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1C,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YACD,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAuB,CAAC;YAChE,IAAI,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1D,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;YAEjC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,IAAI,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,SAAS,GAAG,MAAM,UAAU,EAAE,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;oBACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;oBAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,kBAAkB,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;oBAC5G,OAAO;gBACT,CAAC;YACH,CAAC;YACD,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7E,MAAM,IAAI,GAAI,MAAM,CAAC,OAAO,EAAkB,CAAC,IAAI,CAAC;IAEpD,OAAO;QACL,GAAG,EAAE,oBAAoB,IAAI,GAAG,IAAI,EAAE;QACtC,KAAK,EAAE,KAAK,IAAI,EAAE;YAChB,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,MAAM,EAAE;gBAAE,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC;YACnD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACtE,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAa;IACjC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACnD,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAK,KAA6B,CAAC,MAAM,KAAK,YAAY,CAAC;AAC/G,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,GAAoB;IAC1C,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM;QAAE,OAAO,SAAS,CAAC;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,EAAE,MAAM,CAAC,IAAI,GAAG;QAAE,MAAM,CAAC,IAAI,CAAC,CAAW,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC"}