mcpcert-cli 0.1.0__py3-none-any.whl

mcpcert/conformance.py

@@ -0,0 +1,341 @@
+"""Conformance normalization + the built-in OAuth flow driver.
+
+Mirrors packages/node/src/lib/conformance.ts. The OAuth/PKCE/loopback helpers are
+self-contained here; the CLI depends only on the public mcpcert.org HTTP API.
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+import secrets
+import threading
+import time
+import urllib.error
+import urllib.parse
+import urllib.request
+import webbrowser
+from datetime import datetime, timezone
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from typing import Any, Callable
+
+from .errors import CliError
+
+
+def iso_now() -> str:
+    now = datetime.now(timezone.utc)
+    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
+
+
+def verdict_from_status(status: str) -> str:
+    if status in ("pass", "fail", "error"):
+        return status
+    return "incomplete"
+
+
+def normalize_run(api: dict[str, Any]) -> dict[str, Any]:
+    trace = api.get("trace")
+    if not isinstance(trace, list):
+        raise CliError("conformance_payload_invalid", "Server returned a conformance run without a steps array.")
+    steps: list[dict[str, Any]] = []
+    summary = {"total": 0, "pass": 0, "fail": 0, "warn": 0, "skip": 0}
+    for step in trace:
+        normalized = {"id": step.get("id"), "title": step.get("title"), "status": step.get("status")}
+        if step.get("detail") is not None:
+            normalized["detail"] = step["detail"]
+        if step.get("remediation") is not None:
+            normalized["remediation"] = step["remediation"]
+        steps.append(normalized)
+        summary["total"] += 1
+        if step.get("status") in summary:
+            summary[step["status"]] += 1
+    run: dict[str, Any] = {
+        "run_id": api.get("runId"),
+        "client_id": api.get("clientId"),
+        "started_at": api.get("createdAt"),
+        "status": api.get("status"),
+        "verdict": verdict_from_status(str(api.get("status"))),
+        "steps": steps,
+        "summary": summary,
+    }
+    if api.get("completedAt") is not None:
+        run["completed_at"] = api["completedAt"]
+    return run
+
+
+def run_list_row(api: dict[str, Any]) -> dict[str, Any]:
+    row: dict[str, Any] = {
+        "run_id": api.get("runId"),
+        "client_id": api.get("clientId"),
+        "started_at": api.get("createdAt"),
+        "status": api.get("status"),
+        "verdict": verdict_from_status(str(api.get("status"))),
+    }
+    if api.get("completedAt") is not None:
+        row["completed_at"] = api["completedAt"]
+    return row
+
+
+def resolve_sandbox_target(api_base_url: str, profile: str, dev_origin: str | None) -> dict[str, Any]:
+    if profile == "local":
+        origin = (dev_origin or "http://127.0.0.1:3000").rstrip("/")
+        return {
+            "profile": "local",
+            "transport_origin": origin,
+            "discovery_url": f"{origin}/sandbox/.well-known/oauth-authorization-server",
+            "rebase": True,
+        }
+    host = urllib.parse.urlparse(api_base_url).netloc
+    origin = f"https://sandbox.{host}"
+    return {
+        "profile": "production",
+        "transport_origin": origin,
+        "discovery_url": f"{origin}/.well-known/oauth-authorization-server",
+        "rebase": False,
+    }
+
+
+def run_conformance_flow(
+    *,
+    config: dict[str, Any],
+    claim_token: str,
+    api_client: Any,
+    api_base_url: str,
+    profile: str,
+    dev_origin: str | None,
+    redirect_uri_flag: str | None,
+    no_open: bool,
+    timeout_ms: int,
+    emit: Callable[[str], None],
+) -> dict[str, Any]:
+    started_at = iso_now()
+    target = resolve_sandbox_target(api_base_url, profile, dev_origin)
+    cimd_url = config["client_id"]
+
+    metadata = _fetch_cimd(cimd_url)
+    if metadata.get("client_id") != cimd_url:
+        raise CliError("conformance_payload_invalid", f"CIMD client_id {metadata.get('client_id')} does not match configured {cimd_url}.")
+
+    endpoints = _discover_as(target)
+
+    redirect_template = redirect_uri_flag or _first_loopback(config["redirect_uris"])
+    if not redirect_template:
+        raise CliError("port_unavailable", "No loopback (http://127.0.0.1) redirect URI is configured. Add one with `mcpcert update --redirect-uri`.")
+
+    loopback = _start_loopback(redirect_template, timeout_ms)
+    try:
+        code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
+        code_challenge = base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest()).rstrip(b"=").decode()
+        state = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
+        resource = f"{endpoints['issuer']}/mcp"
+
+        params = {
+            "response_type": "code",
+            "client_id": cimd_url,
+            "redirect_uri": loopback["redirect_uri"],
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
+            "state": state,
+            "resource": resource,
+        }
+        authorize_url = f"{endpoints['authorize']}?{urllib.parse.urlencode(params)}"
+
+        if no_open:
+            emit(f"Authorize URL: {authorize_url}")
+        else:
+            try:
+                webbrowser.open(authorize_url)
+            except Exception:  # noqa: BLE001 - browser launch is best-effort
+                pass
+            emit("Opened the authorization URL in your browser. Approve consent to continue...")
+
+        callback = loopback["wait"]()
+        if callback.get("error"):
+            desc = f" - {callback['error_description']}" if callback.get("error_description") else ""
+            raise CliError("validation_error", f"Authorization failed: {callback['error']}{desc}")
+        if not callback.get("code"):
+            raise CliError("validation_error", "Authorization callback did not include a code.")
+        if callback.get("state") != state:
+            raise CliError("validation_error", "State mismatch on authorization callback (possible CSRF).")
+
+        access_token = _exchange_token(
+            endpoints["token"],
+            code=callback["code"],
+            redirect_uri=loopback["redirect_uri"],
+            client_id=cimd_url,
+            code_verifier=code_verifier,
+        )
+        _mcp_ping(endpoints["mcp"], access_token)
+    finally:
+        loopback["close"]()
+
+    deadline = time.time() + timeout_ms / 1000
+    run: dict[str, Any] | None = None
+    while time.time() < deadline:
+        listing = api_client.conformance_list(config["appname"], claim_token)
+        matches = [
+            r for r in listing.get("runs", [])
+            if r.get("clientId") == cimd_url and str(r.get("createdAt", "")) >= started_at
+        ]
+        matches.sort(key=lambda r: r.get("createdAt", ""), reverse=True)
+        if matches:
+            run = normalize_run(matches[0])
+            break
+        time.sleep(2)
+
+    return {"started_at": started_at, "run": run, "run_lookup_timed_out": run is None}
+
+
+# ---- duplicated OAuth helpers ----
+
+def _http_get_json(url: str, what: str) -> dict[str, Any]:
+    try:
+        request = urllib.request.Request(url, headers={"accept": "application/json"})
+        with urllib.request.urlopen(request) as response:
+            return json.loads(response.read().decode("utf-8"))
+    except urllib.error.HTTPError as error:
+        raise CliError("conformance_payload_invalid", f"{what} returned HTTP {error.code}.") from None
+    except urllib.error.URLError as error:
+        raise CliError("network_error", f"{what} failed: {error.reason}") from None
+    except ValueError:
+        raise CliError("conformance_payload_invalid", f"{what} did not return valid JSON.") from None
+
+
+def _fetch_cimd(cimd_url: str) -> dict[str, Any]:
+    return _http_get_json(cimd_url, "CIMD fetch")
+
+
+def _discover_as(target: dict[str, Any]) -> dict[str, str]:
+    meta = _http_get_json(target["discovery_url"], "AS discovery")
+    issuer = str(meta.get("issuer") or "")
+    if not issuer:
+        raise CliError("conformance_payload_invalid", "AS metadata is missing issuer.")
+    origin = target["transport_origin"]
+    if target["rebase"]:
+        return {
+            "issuer": issuer,
+            "authorize": f"{origin}/sandbox/authorize",
+            "token": f"{origin}/sandbox/token",
+            "mcp": f"{origin}/sandbox/mcp",
+        }
+    return {
+        "issuer": issuer,
+        "authorize": str(meta.get("authorization_endpoint")),
+        "token": str(meta.get("token_endpoint")),
+        "mcp": f"{origin}/mcp",
+    }
+
+
+def _first_loopback(redirect_uris: list[str]) -> str | None:
+    for uri in redirect_uris:
+        parsed = urllib.parse.urlparse(uri)
+        if parsed.scheme == "http" and parsed.hostname in ("127.0.0.1", "::1"):
+            return uri
+    return None
+
+
+def _start_loopback(template: str, timeout_ms: int) -> dict[str, Any]:
+    parsed = urllib.parse.urlparse(template)
+    expected_path = parsed.path or "/"
+    host = parsed.hostname or "127.0.0.1"
+    requested_port = parsed.port or 0
+    captured: dict[str, Any] = {}
+
+    class _Handler(BaseHTTPRequestHandler):
+        def do_GET(self) -> None:  # noqa: N802
+            url = urllib.parse.urlparse(self.path)
+            if url.path != expected_path:
+                self.send_response(404)
+                self.end_headers()
+                self.wfile.write(b"Not the OAuth callback path.")
+                return
+            query = urllib.parse.parse_qs(url.query)
+            captured.update(
+                code=query.get("code", [None])[0],
+                state=query.get("state", [None])[0],
+                error=query.get("error", [None])[0],
+                error_description=query.get("error_description", [None])[0],
+            )
+            self.send_response(200)
+            self.send_header("content-type", "text/html; charset=utf-8")
+            self.end_headers()
+            self.wfile.write(b"<!doctype html><title>mcpcert</title><p>Authorization complete. You may close this window.</p>")
+
+        def log_message(self, *args: Any) -> None:  # silence default logging
+            return
+
+    server = HTTPServer((host, requested_port), _Handler)
+    actual_port = server.server_address[1]
+    redirect = parsed._replace(netloc=f"{host}:{actual_port}")
+    redirect_uri = urllib.parse.urlunparse(redirect)
+
+    def wait() -> dict[str, Any]:
+        deadline = time.time() + timeout_ms / 1000
+        server.timeout = 1
+        while not captured and time.time() < deadline:
+            server.handle_request()
+        if not captured:
+            raise CliError("callback_timeout", f"Timed out after {timeout_ms}ms waiting for the authorization callback.")
+        return captured
+
+    def close() -> None:
+        server.server_close()
+
+    return {"redirect_uri": redirect_uri, "wait": wait, "close": close}
+
+
+def _exchange_token(token_endpoint: str, *, code: str, redirect_uri: str, client_id: str, code_verifier: str) -> str:
+    body = urllib.parse.urlencode(
+        {
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": redirect_uri,
+            "client_id": client_id,
+            "code_verifier": code_verifier,
+        }
+    ).encode()
+    request = urllib.request.Request(
+        token_endpoint,
+        data=body,
+        method="POST",
+        headers={"content-type": "application/x-www-form-urlencoded", "accept": "application/json"},
+    )
+    try:
+        with urllib.request.urlopen(request) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+    except urllib.error.HTTPError as error:
+        payload = {}
+        try:
+            payload = json.loads(error.read().decode("utf-8"))
+        except ValueError:
+            pass
+        err = payload.get("error", f"HTTP {error.code}")
+        desc = payload.get("error_description", "token endpoint rejected the request")
+        raise CliError("validation_error", f"Token exchange failed: {err} - {desc}") from None
+    except urllib.error.URLError as error:
+        raise CliError("network_error", f"Token exchange failed: {error.reason}") from None
+    token = payload.get("access_token")
+    if not isinstance(token, str):
+        raise CliError("validation_error", "Token response is missing access_token.")
+    return token
+
+
+def _mcp_ping(mcp_endpoint: str, access_token: str) -> None:
+    request = urllib.request.Request(
+        mcp_endpoint,
+        data=json.dumps({"tool": "ping", "params": {}}).encode(),
+        method="POST",
+        headers={
+            "authorization": f"Bearer {access_token}",
+            "content-type": "application/json",
+            "accept": "application/json",
+        },
+    )
+    try:
+        with urllib.request.urlopen(request):
+            return
+    except urllib.error.HTTPError as error:
+        raise CliError("validation_error", f"MCP ping failed with HTTP {error.code}.") from None
+    except urllib.error.URLError as error:
+        raise CliError("network_error", f"MCP ping failed: {error.reason}") from None

mcpcert/context.py

@@ -0,0 +1,31 @@
+"""Shared resolution helpers. Mirrors packages/node/src/lib/context.ts."""
+
+from __future__ import annotations
+
+import os
+import sys
+from typing import Any
+
+from .args import ParsedArgs, one
+from .contract import DEFAULT_API_BASE_URL
+
+
+def resolve_api_base_url(args: ParsedArgs, config: dict[str, Any] | None) -> str:
+    raw = (
+        one(args, "api")
+        or os.environ.get("MCPCERT_API")
+        or (config.get("api_base_url") if config else None)
+        or DEFAULT_API_BASE_URL
+    )
+    return raw.rstrip("/")
+
+
+def is_non_interactive() -> bool:
+    ci = os.environ.get("CI")
+    if ci and ci not in ("false", "0"):
+        return True
+    return not sys.stdout.isatty() or not sys.stdin.isatty()
+
+
+def env_flag(name: str) -> bool:
+    return os.environ.get(name) in ("1", "true", "yes")

mcpcert/contract.py

@@ -0,0 +1,61 @@
+"""Shared contract constants. Mirrors packages/node/src/lib/contract.ts and specs/cli-behavior.md."""
+
+from __future__ import annotations
+
+from urllib.parse import quote
+
+CLI_CONTRACT_VERSION = "0.1"
+CONFIG_SCHEMA_VERSION = 1
+CREDENTIALS_SCHEMA_VERSION = 1
+OUTPUT_SCHEMA_VERSION = 1
+DEFAULT_API_BASE_URL = "https://mcpcert.org"
+CONTRACT_HEADER = "X-Mcpcert-Cli-Contract"
+
+# Exit-code classes (specs/cli-behavior.md §10).
+EXIT_SUCCESS = 0
+EXIT_REMOTE_FAILURE = 1
+EXIT_USAGE = 2
+EXIT_CREDENTIAL = 3
+EXIT_NETWORK = 4
+EXIT_RATE_LIMITED = 5
+EXIT_VERSION = 6
+
+# Stable error code -> exit code (local + remote codes surfaced verbatim).
+ERROR_EXIT: dict[str, int] = {
+    # local
+    "config_not_found": EXIT_USAGE,
+    "config_invalid": EXIT_USAGE,
+    "config_conflict": EXIT_USAGE,
+    "identity_exists": EXIT_USAGE,
+    "tos_not_accepted": EXIT_USAGE,
+    "no_update_fields": EXIT_USAGE,
+    "unsupported_config_path": EXIT_USAGE,
+    "port_unavailable": EXIT_USAGE,
+    "claim_token_missing": EXIT_CREDENTIAL,
+    "callback_timeout": EXIT_NETWORK,
+    "run_lookup_timeout": EXIT_NETWORK,
+    "conformance_payload_invalid": EXIT_REMOTE_FAILURE,
+    "network_error": EXIT_NETWORK,
+    "api_version_unsupported": EXIT_VERSION,
+    # remote
+    "validation_error": EXIT_REMOTE_FAILURE,
+    "tos_not_acknowledged": EXIT_REMOTE_FAILURE,
+    "appname_taken": EXIT_REMOTE_FAILURE,
+    "appname_reserved": EXIT_REMOTE_FAILURE,
+    "dev_registration_not_found": EXIT_REMOTE_FAILURE,
+    "dev_registration_expired": EXIT_REMOTE_FAILURE,
+    "conformance_run_not_found": EXIT_REMOTE_FAILURE,
+    "invalid_claim_token": EXIT_CREDENTIAL,
+    "not_owner": EXIT_CREDENTIAL,
+    "rate_limited": EXIT_RATE_LIMITED,
+}
+
+PROMOTION_PATH = "/dashboard/promote"
+
+
+def exit_for_error_code(code: str) -> int:
+    return ERROR_EXIT.get(code, EXIT_REMOTE_FAILURE)
+
+
+def promotion_url(api_base_url: str, appname: str) -> str:
+    return f"{api_base_url.rstrip('/')}{PROMOTION_PATH}?dev_appname={quote(appname, safe='')}"

mcpcert/credentials.py

@@ -0,0 +1,79 @@
+"""Credential file + .gitignore handling. Mirrors packages/node/src/lib/credentials.ts."""
+
+from __future__ import annotations
+
+import json
+import os
+from typing import Any
+
+from .contract import CREDENTIALS_SCHEMA_VERSION
+
+
+def identity_key(api_base_url: str, appname: str) -> str:
+    return f"{api_base_url}|{appname}"
+
+
+def default_credentials_path(project_root: str) -> str:
+    return os.path.join(project_root, ".mcpcert", "credentials.json")
+
+
+def _read_file(path: str) -> dict[str, Any]:
+    if not os.path.exists(path):
+        return {"schema_version": CREDENTIALS_SCHEMA_VERSION, "identities": {}}
+    try:
+        with open(path, encoding="utf-8") as handle:
+            data = json.load(handle)
+        data.setdefault("identities", {})
+        return data
+    except (OSError, ValueError):
+        return {"schema_version": CREDENTIALS_SCHEMA_VERSION, "identities": {}}
+
+
+def get_identity(path: str, api_base_url: str, appname: str) -> dict[str, Any] | None:
+    data = _read_file(path)
+    return data["identities"].get(identity_key(api_base_url, appname))
+
+
+def save_identity(path: str, identity: dict[str, Any]) -> None:
+    data = _read_file(path)
+    data["schema_version"] = CREDENTIALS_SCHEMA_VERSION
+    data["identities"][identity_key(identity["api_base_url"], identity["appname"])] = identity
+    os.makedirs(os.path.dirname(path), exist_ok=True)
+    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+    with os.fdopen(fd, "w", encoding="utf-8") as handle:
+        handle.write(json.dumps(data, indent=2) + "\n")
+
+
+def ensure_gitignore(project_root: str) -> dict[str, Any]:
+    if _find_git_dir(project_root) is None:
+        return {
+            "created": False,
+            "warning": ".mcpcert/ holds your claim token (a secret). No Git worktree was found; "
+            "ensure it is ignored by any future VCS.",
+        }
+    gitignore_path = os.path.join(project_root, ".gitignore")
+    if os.path.exists(gitignore_path):
+        with open(gitignore_path, encoding="utf-8") as handle:
+            content = handle.read()
+        already = any(line.strip() in (".mcpcert/", ".mcpcert") for line in content.splitlines())
+        if already:
+            return {"created": False}
+        prefix = "" if content.endswith("\n") or content == "" else "\n"
+        with open(gitignore_path, "a", encoding="utf-8") as handle:
+            handle.write(f"{prefix}.mcpcert/\n")
+        return {"created": False}
+    with open(gitignore_path, "w", encoding="utf-8") as handle:
+        handle.write(".mcpcert/\n")
+    return {"created": True}
+
+
+def _find_git_dir(start: str) -> str | None:
+    current = os.path.abspath(start)
+    while True:
+        candidate = os.path.join(current, ".git")
+        if os.path.exists(candidate):
+            return candidate
+        parent = os.path.dirname(current)
+        if parent == current:
+            return None
+        current = parent

mcpcert/errors.py

@@ -0,0 +1,23 @@
+"""CLI error type carrying a stable error code (specs/cli-behavior.md §10)."""
+
+from __future__ import annotations
+
+from typing import Any
+
+from .contract import exit_for_error_code
+
+
+class CliError(Exception):
+    def __init__(
+        self,
+        code: str,
+        message: str,
+        *,
+        exit_code: int | None = None,
+        details: dict[str, Any] | None = None,
+    ) -> None:
+        super().__init__(message)
+        self.code = code
+        self.message = message
+        self.exit_code = exit_code if exit_code is not None else exit_for_error_code(code)
+        self.details = details or {}

mcpcert/output.py

@@ -0,0 +1,66 @@
+"""JSON envelope + human output. Mirrors packages/node/src/lib/output.ts.
+
+Color is intentionally omitted so plain-text output matches the TypeScript CLI byte for byte.
+"""
+
+from __future__ import annotations
+
+import json
+import sys
+from typing import Any
+
+from .contract import OUTPUT_SCHEMA_VERSION
+from .errors import CliError
+
+
+class Output:
+    def __init__(self, as_json: bool, color: bool = False) -> None:
+        self._json = as_json
+        # color accepted for contract compatibility but unused (plain text only).
+        _ = color
+
+    def success(
+        self,
+        command: str,
+        api_base_url: str,
+        data: dict[str, Any],
+        human_lines: list[str],
+        warnings: list[dict[str, str]] | None = None,
+    ) -> None:
+        warnings = warnings or []
+        if self._json:
+            self._write_json(
+                {
+                    "schema_version": OUTPUT_SCHEMA_VERSION,
+                    "ok": True,
+                    "command": command,
+                    "api_base_url": api_base_url,
+                    "data": data,
+                    "warnings": warnings,
+                }
+            )
+            return
+        for line in human_lines:
+            sys.stdout.write(f"{line}\n")
+        for warning in warnings:
+            sys.stderr.write(f"warning: {warning['message']} ({warning['code']})\n")
+
+    def failure(self, command: str, api_base_url: str, err: CliError) -> int:
+        if self._json:
+            self._write_json(
+                {
+                    "schema_version": OUTPUT_SCHEMA_VERSION,
+                    "ok": False,
+                    "command": command,
+                    "api_base_url": api_base_url,
+                    "error": {"code": err.code, "message": err.message, "details": err.details},
+                    "warnings": [],
+                }
+            )
+        else:
+            sys.stderr.write(f"error: {err.message} ({err.code})\n")
+        return err.exit_code
+
+    @staticmethod
+    def _write_json(payload: Any) -> None:
+        sys.stdout.write(json.dumps(payload, indent=2) + "\n")

mcpcert_cli-0.1.0.dist-info/METADATA

@@ -0,0 +1,65 @@
+Metadata-Version: 2.4
+Name: mcpcert-cli
+Version: 0.1.0
+Summary: Official mcpcert.org CLI: provision a hosted dev MCP client identity (CIMD) and run an end-to-end OAuth 2.0 + PKCE conformance check, no account required.
+Project-URL: Homepage, https://mcpcert.org
+Project-URL: Issues, https://mcpcert.org/contact
+License-Expression: Apache-2.0
+License-File: LICENSE
+License-File: NOTICE
+Keywords: cimd,cli,mcp,mcpcert,model-context-protocol,oauth,oauth2,pkce
+Requires-Python: >=3.10
+Requires-Dist: tomli>=2.0.1; python_version < '3.11'
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# mcpcert (Python)
+
+[mcpcert.org](https://mcpcert.org) is a free **registry and conformance service** for **MCP (Model
+Context Protocol) clients**: it hosts your client's metadata document (CIMD) at a stable URL (your
+permanent `client_id`) and runs a conformance sandbox for an end-to-end OAuth 2.0 + PKCE conformance
+check. Development identities are free and need no account; promote one to production within 60 days.
+
+This is the **Python** build of the official `mcpcert` CLI (a TypeScript/Node build is also published
+to npm). It installs an executable named `mcpcert` and is a thin HTTP client over the public
+mcpcert.org API.
+
+## Install
+
+```bash
+uv tool install mcpcert-cli      # or:
+pipx install mcpcert-cli
+```
+
+The PyPI package is `mcpcert-cli`; it installs a command named `mcpcert`. Requires Python >= 3.10.
+
+## Quick start
+
+```bash
+mcpcert init --accept-tos     # provision a hosted dev identity (no account)
+mcpcert info                  # show it (offline)
+mcpcert conformance run       # end-to-end OAuth 2.0 + PKCE conformance check
+mcpcert update --redirect-uri http://127.0.0.1:8080/callback
+```
+
+## Commands
+
+| Command | Purpose |
+| --- | --- |
+| `mcpcert init` | Provision an anonymous development identity (CIMD). |
+| `mcpcert update` | Patch mutable dev metadata before expiry (never renews). |
+| `mcpcert info [--check]` | Print the local identity; `--check` reconciles with live server state. |
+| `mcpcert conformance run` | Drive the OAuth/conformance flow end to end. |
+| `mcpcert conformance list` | List conformance runs. |
+| `mcpcert conformance show <runId>` | Show one conformance run. |
+
+Run `mcpcert <command> --help` for flags. Add `--json` to any command for machine-readable output.
+
+Promotion to a permanent **production** CIMD is done in the web dashboard
+(<https://mcpcert.org/dashboard/promote>) — it requires an account and is **not** a CLI command.
+There is no `promote` or `refresh` command. Full docs: <https://mcpcert.org>.
+
+## License
+
+Apache-2.0. See `LICENSE` and `NOTICE` in this package.