Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
return this._anthropic ??= new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Connected to server with tools:', this.tools.map(({ name }) => name));
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3000/mcp'));
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* USER-CONFIGURED — OAuth credentials supplied directly
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
Backslash-based directory traversal patterns targeting Windows file systems.
console.log('✅ All queued elicitations processed. Resuming command loop...\n');
Normalize path separators and apply traversal checks for both forward and backslashes.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
const server = createServer((req, res) => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new McpServer(
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Using sudo in scripts escalates privileges and may allow unintended system-wide modifications.
: /* list inspired by the default env inheritance of sudo */
Remove sudo usage. Run processes with the minimum required privileges.
Detected runtime reassignment of a tool's description property to a non-literal value. Dynamically modifying tool descriptions can allow an attacker to inject misleading instructions that alter LLM behavior.
if (updates.description !== undefined) registeredPrompt.description = updates.description;
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: anthropics/claude-code-action@v1
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/configure-pages@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/upload-pages-artifact@v4
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/deploy-pages@v5
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const apiKey = process.env.ANTHROPIC_API_KEY;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const session: HostSessionStore = { getMcpToken: () => process.env.MCP_TOKEN };
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const clientId = process.env.OAUTH_CLIENT_ID;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const clientSecret = process.env.OAUTH_CLIENT_SECRET;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const privateKeyPem = process.env.MCP_CLIENT_PRIVATE_KEY_PEM;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const clientSecret = process.env.MCP_CLIENT_SECRET;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const token = process.env.MCP_TOKEN;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const AUTH_PORT = process.env.MCP_AUTH_PORT ? Number.parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const AUTH_PORT = process.env.MCP_AUTH_PORT ? Number.parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const AUTH_PORT = process.env.MCP_AUTH_PORT ? Number.parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const AUTH_PORT = process.env.MCP_AUTH_PORT ? Number.parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Encoding environment variables or credential file contents to Base64 is a common exfiltration obfuscation technique.
const credentials = btoa(`${clientId}:${clientSecret}`);
Remove Base64 encoding of credentials. If encoding is needed, use a proper encryption library.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
* const authProvider: AuthProvider = { token: async () => process.env.API_KEY };
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
Accessing process.env properties like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation may indicate credential harvesting.
const AUTH_SERVER_URL = process.env.MCP_CONFORMANCE_AUTH_SERVER_URL;
Avoid accessing sensitive env vars directly. Use a configuration module that validates and restricts access.
String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code.
const TEST_IMAGE_BASE64 = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8z8DwHwAFBQIAX8jx0gAAAABJRU5ErkJggg==';
Remove hardcoded secrets from source code. Use environment variables or a secrets manager.
String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code.
const TEST_AUDIO_BASE64 = 'UklGRiYAAABXQVZFZm10IBAAAAABAAEAQB8AAAB9AAACABAAZGF0YQIAAAA=';
Remove hardcoded secrets from source code. Use environment variables or a secrets manager.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Failed to connect to MCP server: ', e);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nMCP Client Started!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Type your queries or "quit" to exit.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n' + response);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Usage: node build/index.js <path_to_server_script>');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(systemPrompt);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(result.content);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(result.structuredContent); // e.g. { bmi: 22.86 }
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Progress: ${progress}/${total ?? '?'}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(result.content);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(item);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Config updated:', contents);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
arguments: { code: 'console.log("hello")' }
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(messages);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(completion.values); // e.g. ['typescript']
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${level}]`, data);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Resources changed:', resources.length);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tools updated:', tools);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
onChanged: (error, prompts) => console.log('Prompts updated:', prompts)
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Sampling request:', lastMessage);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server asks:', request.params.message);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Schema:', request.params.requestedSchema);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Success:', result.content);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Connection closed');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(result.content);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(result);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.error('OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET required for oauth mode');
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tools:', tools.tools.map(t => t.name).join(', ') || '(none)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
console.log('Tools:', tools.tools.map(t => t.name).join(', ') || '(none)');
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log('Getting OAuth token...');
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(' third-party-auth - Test tool that requires third-party OAuth credentials');
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Getting OAuth token...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🌐 Opening browser for OAuth redirect: ${redirectUrl.toString()}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('MCP Interactive Client');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('=====================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nAvailable commands:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' connect [url] - Connect to MCP server (default: http://localhost:3000/mcp)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' disconnect - Disconnect from server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' terminate-session - Terminate the current session');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' reconnect - Reconnect to the server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' list-tools - List available tools');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' call-tool <name> [args] - Call a tool with optional JSON arguments');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' payment-confirm - Test URL elicitation via error response with payment-confirm tool');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' third-party-auth - Test tool that requires third-party OAuth credentials');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' help - Show this help');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' quit - Exit the program');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Usage: call-tool <name> [args]');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Invalid JSON arguments. Using empty args.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Unknown command: ${command}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`📤 Processing queued elicitation (${elicitationQueue.length} remaining)`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('✅ All queued elicitations processed. Resuming command loop...\n');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Please manually open: ${url}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('📋 Processing elicitation immediately (during command execution)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`📥 Queueing elicitation request (queue size will be: ${elicitationQueue.length + 1})`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n🔔 Elicitation Request Received:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Mode: ${mode}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🆔 Elicitation ID: ${elicitationId}`); // Print for illustration
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n⚠️ \u001B[33mSECURITY WARNING\u001B[0m ⚠️');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\u001B[33mThe server is requesting you to open an external URL.\u001B[0m');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\u001B[33mOnly proceed if you trust this server and understand why it needs this.\u001B[0m\n');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🌐 Target domain: \u001B[36m${domain}\u001B[0m`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🔗 Full URL: \u001B[36m${url}\u001B[0m`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\nℹ️ Server's reason:\n\n\u001B[36m${message}\u001B[0m\n`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ URL navigation declined.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🚫 Invalid response. Cancelling elicitation.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\u001B[31m❌ Elicitation ${elicitationId} timed out waiting for completion.\u001B[0m`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n🚀 Opening browser to: ${url}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n⏳ Waiting for you to complete the interaction in your browser...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' The server will send a notification once you complete the action.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`📥 Received callback: ${req.url}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`✅ Authorization code received: ${code?.slice(0, 10)}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`❌ Authorization error: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`❌ No authorization code or error in callback`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`OAuth callback server started on http://localhost:${OAUTH_CALLBACK_PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🚢 Creating transport with OAuth provider...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🚢 Transport created');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔌 Attempting connection (this will trigger OAuth redirect if needed)...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Transport created with session ID:', sessionId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('✅ Connected successfully');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔐 OAuth required - waiting for authorization...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔐 Authorization code received:', authCode);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔌 Reconnecting with authenticated transport...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Already connected. Disconnect first.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🔗 Attempting to connect to ${serverUrl}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('👤 Creating MCP client...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('👤 Client created');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\u001B[32m✅ Elicitation ${elicitationId} completed!\u001B[0m`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔐 Starting OAuth flow...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Connected to MCP server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Disconnected from MCP server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Terminating session with ID:', transport.sessionId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Session terminated successfully');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server responded with 405 Method Not Allowed (session termination not supported)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Session ID is still active:', transport.sessionId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Session ID has been cleared');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Transport closed after session termination');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available tools:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' No tools available');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - id: ${tool.name}, name: ${getDisplayName(tool)}, description: ${tool.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Tools not supported by this server (${error})`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Calling tool '${name}' with args:`, args);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tool result:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.text}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` 📁 Resource Link: ${resourceLink.name}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` URI: ${resourceLink.uri}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Type: ${resourceLink.mimeType}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Description: ${resourceLink.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Embedded Resource: ${item.resource.uri}]`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Image: ${item.mimeType}]`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Audio: ${item.mimeType}]`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Unknown content type]:`, item);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\nFound ${resourceLinks.length} resource link(s). Use 'read-resource <uri>' to read their content.`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n🔔 Elicitation Required Error Received:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Message: ${error.message}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Error calling tool ${name}: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Terminating session before exit...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Session terminated successfully');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nGoodbye!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Calling payment-confirm tool...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Calling third-party-auth tool...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nESC key pressed. Disconnecting from server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Disconnected. Press Enter to continue.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nReceived SIGINT. Cleaning up...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${config.id}] Creating client: ${config.name}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${config.id}] Notification: ${notification.params.data}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${config.id}] Connected to MCP server`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${config.id}] Calling tool: ${config.toolName}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${config.id}] Tool call completed`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${config.id}] Disconnected from MCP server`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('MCP Multiple Clients Example');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('============================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Server URL: ${serverUrl}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Starting ${clientConfigs.length} clients in parallel...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== Final Results ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n[${id}] Tool result:`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.text}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.type} content:`, item);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Unexpected result format:`, result);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== All clients completed successfully ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('MCP Parallel Tool Calls Client');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('==============================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Connecting to server at: ${serverUrl}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Successfully connected to MCP server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Notification: ${notification.params.data}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('List tools');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tools:', toolsRequest);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== Starting Multiple Notification Streams in Parallel ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n=== Tool result for ${caller} ===`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.text}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.type} content:`, item);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== Waiting for all notifications ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== Disconnecting ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Disconnected from MCP server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available tools:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' No tools available');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - ${tool.name}: ${tool.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Tools not supported by this server: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Starting ${toolCalls.length} notification tools in parallel...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Starting tool call for ${caller}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log('Using private_key_jwt authentication');
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.error('MCP_CLIENT_SECRET or MCP_CLIENT_PRIVATE_KEY_PEM environment variable is required');
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log('Using client_secret_basic authentication');
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Using private_key_jwt authentication');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Using client_secret_basic authentication');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Connected successfully.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available tools:', tools.tools.map(t => t.name).join(', ') || '(none)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
console.log('Available tools:', tools.tools.map(t => t.name).join(', ') || '(none)');
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🌐 Opening browser for authorization: ${url}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Please manually open: ${url}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`📥 Received callback: ${req.url}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`✅ Authorization code received: ${code?.slice(0, 10)}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`❌ Authorization error: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`❌ No authorization code or error in callback`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`OAuth callback server started on http://localhost:${CALLBACK_PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🚢 Creating transport with OAuth provider...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🚢 Transport created');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔌 Attempting connection (this will trigger OAuth redirect)...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('✅ Connected successfully');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔐 OAuth required - waiting for authorization...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔐 Authorization code received:', authCode);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔌 Reconnecting with authenticated transport...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🔗 Attempting to connect to ${this.serverUrl}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔐 Creating OAuth provider...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`📌 OAuth redirect handler called - opening browser`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Opening browser to: ${redirectUrl.toString()}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔐 OAuth provider created');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('👤 Creating MCP client...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('👤 Client created');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔐 Starting OAuth flow...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n🎯 Interactive MCP Client with OAuth');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Commands:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' list - List available tools');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' call <tool_name> [args] - Call a tool');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' stream <tool_name> [args] - Call a tool with streaming (shows task status)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' quit - Exit the client');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log();
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n👋 Goodbye!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("❌ Unknown command. Try 'list', 'call <tool_name>', 'stream <tool_name>', or 'quit'");
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n\n👋 Goodbye!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ Not connected to server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n📋 Available tools:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${index + 1}. ${tool.name}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Description: ${tool.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log();
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('No tools available');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ Please specify a tool name');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ Invalid arguments format (expected JSON)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ Not connected to server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n🔧 Tool '${toolName}' result:`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(content.text);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(content);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(result);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ Please specify a tool name');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ Invalid arguments format (expected JSON)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ Not connected to server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n🔧 Streaming tool '${toolName}'...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`✓ Task created: ${message.task.taskId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`⟳ Status: ${message.task.status}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${message.task.statusMessage}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('✓ Completed!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(content.text);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(content);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('✗ Error:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${message.error.message}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🚀 Simple MCP OAuth Client');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Connecting to: ${serverUrl}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Client Metadata URL: ${clientMetadataUrl}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log();
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n\n👋 Goodbye!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Redirect to: ${url.toString()}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(`Using resumption token: ${notificationsToolLastEventId || 'none'}`);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(`Updated resumption token: ${event}`);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('MCP Interactive Client');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('=====================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nAvailable commands:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' connect [url] - Connect to MCP server (default: http://localhost:3000/mcp)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' disconnect - Disconnect from server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' terminate-session - Terminate the current session');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' reconnect - Reconnect to the server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' list-tools - List available tools');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' call-tool <name> [args] - Call a tool with optional JSON arguments');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' call-tool-task <name> [args] - Call a tool with task-based execution (example: call-tool-task delay {"duration":3000})');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' greet [name] - Call the greet tool');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' multi-greet [name] - Call the multi-greet tool with notifications');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' collect-info [type] - Test form elicitation with collect-user-info tool (contact/preferences/feedback)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' collect-info-task [type] - Test bidirectional task support (server+client tasks) with elicitation');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' start-notifications [interval] [count] - Start periodic notifications');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' run-notifications-tool-with-resumability [interval] [count] - Run notification tool with resumability');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' list-prompts - List available prompts');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' get-prompt [name] [args] - Get a prompt with optional JSON arguments');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' list-resources - List available resources');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' read-resource <uri> - Read a specific resource by URI');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' help - Show this help');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' quit - Exit the program');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Usage: call-tool <name> [args]');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Invalid JSON arguments. Using empty args.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Usage: call-tool-task <name> [args]');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Invalid JSON arguments. Using empty args.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Usage: get-prompt <name> [args]');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Invalid JSON arguments. Using empty args.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Usage: read-resource <uri>');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Unknown command: ${command}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Already connected. Disconnect first.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Connecting to ${serverUrl}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n🔔 Elicitation (form) Request Received:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Message: ${request.params.message}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Related Task: ${request.params._meta?.[RELATED_TASK_META_KEY]?.taskId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Task Creation Requested: ${request.params.task ? 'yes' : 'no'}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Requested Schema:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(JSON.stringify(request.params.requestedSchema, null, 2));
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`📋 Created client-side task: ${task.taskId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\nPlease provide the following information (attempt ${attempts}/${maxAttempts}):`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`❌ Error: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Please try again...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Maximum attempts reached. Declining request.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('❌ Validation errors:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - ${error.instancePath || 'root'}: ${error.message}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Please correct the errors and try again...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Maximum attempts reached. Declining request.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n✅ Collected data:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(JSON.stringify(content, null, 2));
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Please re-enter the information...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Maximum attempts reached. Declining request.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\nNotification #${notificationCount}: ${notification.params.level} - ${notification.params.data}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\nResource list changed notification received!`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Client disconnected, cannot fetch resources');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available resources count:', resourcesResult.resources.length);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Failed to list resources after change notification');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Transport created with session ID:', sessionId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Connected to MCP server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Disconnected from MCP server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Terminating session with ID:', transport.sessionId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Session terminated successfully');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server responded with 405 Method Not Allowed (session termination not supported)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Session ID is still active:', transport.sessionId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Session ID has been cleared');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Transport closed after session termination');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available tools:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' No tools available');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - id: ${tool.name}, name: ${getDisplayName(tool)}, description: ${tool.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Tools not supported by this server (${error})`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Calling tool '${name}' with args:`, args);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tool result:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.text}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` 📁 Resource Link: ${resourceLink.name}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` URI: ${resourceLink.uri}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Type: ${resourceLink.mimeType}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Description: ${resourceLink.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Embedded Resource: ${item.resource.uri}]`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Image: ${item.mimeType}]`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Audio: ${item.mimeType}]`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Unknown content type]:`, item);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\nFound ${resourceLinks.length} resource link(s). Use 'read-resource <uri>' to read their content.`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Error calling tool ${name}: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Calling multi-greet tool with notifications...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Testing form elicitation with collect-user-info tool (${infoType})...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n🔄 Testing bidirectional task support with collect-user-info-task tool (${infoType})...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('This will create a task on the server, which will elicit input and create a task on the client.\n');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Starting notification stream: interval=${interval}ms, count=${count || 'unlimited'}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Starting notification stream with resumability: interval=${interval}ms, count=${count || 'unlimited'}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Using resumption token: ${notificationsToolLastEventId || 'none'}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Updated resumption token: ${event}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tool result:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.text}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.type} content:`, item);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Error starting notification stream: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available prompts:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' No prompts available');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - id: ${prompt.name}, name: ${getDisplayName(prompt)}, description: ${prompt.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Prompts not supported by this server (${error})`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Prompt template:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [${index + 1}] ${msg.role}: ${msg.content.type === 'text' ? msg.content.text : JSON.stringify(msg.content)}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Error getting prompt ${name}: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available resources:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' No resources available');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - id: ${resource.name}, name: ${getDisplayName(resource)}, description: ${resource.uri}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Resources not supported by this server (${error})`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Reading resource: ${uri}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Resource contents:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` URI: ${content.uri}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Type: ${content.mimeType}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' Content:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' ---');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' ---');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` [Binary data: ${content.blob.length} bytes]`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Error reading resource ${uri}: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Calling tool '${name}' with task-based execution...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Arguments:', args);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('This will return immediately while processing continues in the background...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Waiting for task completion...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Task created successfully with ID:', message.task.taskId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${message.task.status}${message.task.statusMessage ? ` - ${message.task.statusMessage}` : ''}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Task completed!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tool result:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.text}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Error with task-based execution: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Terminating session before exit...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Session terminated successfully');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nGoodbye!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nESC key pressed. Disconnecting from server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Disconnected. Press Enter to continue.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Not connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nReceived SIGINT. Cleaning up...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
console.log(`Using resumption token: ${notificationsToolLastEventId || 'none'}`);
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n[Elicitation] Server asks: ${params.message}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Elicitation] Responding with: confirm=${confirmed}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n[Sampling] Server requests LLM completion for: ${prompt}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Sampling] Responding with haiku');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Simple Task Interactive Client');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('==============================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Connecting to ${url}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Connected!\n');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Available tools: ${toolsResult.tools.map(t => t.name).join(', ')}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n--- Demo 1: Elicitation ---');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Calling confirm_delete tool...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Task created: ${message.task.taskId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Task status: ${message.task.status}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Result: ${getTextContent(toolResult)}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n--- Demo 2: Sampling ---');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Calling write_haiku tool...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Task created: ${message.task.taskId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Task status: ${message.task.status}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Result:\n${getTextContent(toolResult)}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nDemo complete. Closing connection...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.error('MCP_TOKEN environment variable is required');
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Connected successfully.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available tools:', tools.tools.map(t => t.name).join(', ') || '(none)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
console.log('Available tools:', tools.tools.map(t => t.name).join(', ') || '(none)');
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(`[Event ID] ${token}`);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('SSE Polling Example Client');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('==========================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Connecting to ${SERVER_URL}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Transport] SSE stream disconnected - client will auto-reconnect');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Transport] Error: ${error.message}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Transport] Connection closed');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Notification] ${data}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Client] Connected successfully');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Client] Calling long-task tool...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Client] Server will disconnect mid-task to demonstrate polling');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Event ID] ${token}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Client] Tool completed!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Result] ${JSON.stringify(result.content, null, 2)}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Debug] Final event ID: ${lastEventId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Client] Disconnected');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('MCP Backwards Compatible Client');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('===============================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Connecting to server at: ${serverUrl}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Notification: ${notification.params.level} - ${notification.params.data}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== Listing Available Tools ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== Starting Notification Stream ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== Waiting for all notifications ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\n=== Disconnecting ===');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Disconnected from MCP server');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('1. Trying Streamable HTTP transport first...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Successfully connected using modern Streamable HTTP transport.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`StreamableHttp transport connection failed: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('2. Falling back to deprecated HTTP+SSE transport...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Successfully connected using deprecated HTTP+SSE transport.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available tools:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' No tools available');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - ${tool.name}: ${tool.description}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Tools not supported by this server: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Calling notification tool...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tool result:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.text}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${item.type} content:`, item);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Error calling notification tool: ${error}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`MCP server with custom protocol versions on port ${PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Supported versions: ${CUSTOM_VERSIONS.join(', ')}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Received MCP request for session: ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized with ID: ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Transport closed for session ${sid}, removing from transports map`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Establishing SSE stream for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Received session termination request for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Form elicitation example server is running on http://localhost:${PORT}/mcp`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Available tools:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' - register_user: Collect user registration information');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' - create_event: Multi-step event creation');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' - update_shipping_address: Collect and validate address');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nConnect your MCP client to this server using the HTTP transport.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Shutting down server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Closing transport for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server shutdown complete');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(`Simulating OAuth token received for elicitation ${elicitationId}`);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(`🔑 Received API key \u001B[32m${apiKey}\u001B[0m for session ${sessionId}`);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Simulating OAuth token received for elicitation ${elicitationId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Cleaned up expired elicitation: ${id}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Sending notifications/elicitation/complete notification for elicitation ${elicitationId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔑 URL elicitation demo: Requesting API key from client...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔑 URL elicitation demo: Client accepted the API key elicitation (now pending form submission)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('🔑 URL elicitation demo: Client declined to provide an API key');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🔑 Received API key \u001B[32m${apiKey}\u001B[0m for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`💳 Payment confirmed for cart ${cartId || 'unknown'} by user ${userSession.name} (session ${sessionId})`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`💳 Payment cancelled for cart ${cartId || 'unknown'} by user ${userSession.name} (session ${sessionId})`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized with ID: ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Transport closed for session ${sid}, removing from transports map`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Client reconnecting with Last-Event-ID: ${lastEventId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Establishing new SSE stream for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`🔑 URL elicitation demo: Finished sending API key elicitation request for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Received session termination request for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`MCP Streamable HTTP Server listening on port ${MCP_PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Protected Resource Metadata: http://localhost:${MCP_PORT}/.well-known/oauth-protected-resource/mcp`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Shutting down server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Closing transport for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server shutdown complete');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Starting Hono MCP server on port ${PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Health check: http://localhost:${PORT}/health`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`MCP endpoint: http://localhost:${PORT}/mcp`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Received MCP request:', req.body);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized with ID: ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`MCP Streamable HTTP Server listening on port ${PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Shutting down server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Request closed');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Received GET MCP request');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Received DELETE MCP request');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`MCP Stateless Streamable HTTP Server listening on port ${PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Shutting down server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Received MCP request for session: ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Request body:', req.body);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Authenticated user:', req.app.locals.auth);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized with ID: ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Transport closed for session ${sid}, removing from transports map`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Authenticated SSE connection from user:', req.app.locals.auth);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Client reconnecting with Last-Event-ID: ${lastEventId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Establishing new SSE stream for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Received session termination request for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`MCP Streamable HTTP Server listening on port ${MCP_PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Protected Resource Metadata: http://localhost:${MCP_PORT}/.well-known/oauth-protected-resource/mcp`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Shutting down server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Closing transport for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server shutdown complete');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Server] Delivering queued ${message.type} message for task ${taskId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n[Server] ${name} called, task created: ${task.taskId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Server] confirm_delete: asking about '${filename}'`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Server] Sending elicitation request to client...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Server] Completing task with result: ${text}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Server] write_haiku: topic '${topic}'`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Server] Sending sampling request to client...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Server] Received sampling response: ${haiku.slice(0, 50)}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Server] Completing task with haiku');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Server] tasks/result called for task ${taskId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized: ${sid}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Transport closed for session ${sid}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session termination request: ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Starting server on http://localhost:${PORT}/mcp`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nAvailable tools:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' - confirm_delete: Demonstrates elicitation (asks user y/n)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(' - write_haiku: Demonstrates sampling (requests LLM completion)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nShutting down server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server shutdown complete');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${ctx.sessionId}] Starting long-task...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${ctx.sessionId}] Closing SSE stream to trigger client polling...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${ctx.sessionId}] Task complete`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${id}] Session initialized`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`SSE Polling Example Server running on http://localhost:${PORT}/mcp`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('This server demonstrates SEP-1699 SSE polling:');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('- retryInterval: 2000ms (client waits 2s before reconnecting)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('- eventStore: InMemoryEventStore (events are persisted for replay)');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Try calling the "long-task" tool to see server-initiated disconnect in action.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Received MCP request:', req.body);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized with ID: ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Establishing SSE stream for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Server listening on port ${PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Shutting down server...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Closing transport for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server shutdown complete');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('MCP server is running...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log('[Auth] Demo user credentials (auto-login):');
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(`[Auth] Email: ${DEMO_USER_CREDENTIALS.email}`);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(`[Auth] Password: ${DEMO_USER_CREDENTIALS.password}`);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Auth] In-memory database schema initialized');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Auth] ========================================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Auth] Demo user credentials (auto-login):');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Auth] Email: ${DEMO_USER_CREDENTIALS.email}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Auth] Password: ${DEMO_USER_CREDENTIALS.password}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Auth] ========================================');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${timestamp} ${prefix} ${message}`, ...args);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${timestamp} ${prefix} ${message}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log(` Token: ${authServerUrl}api/auth/mcp/token`);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Auth] Demo user created via signUpEmail');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Auth] Demo user already exists');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`\n${'='.repeat(60)}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${ts} [AUTH] ${req.method} ${req.originalUrl}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${ts} [AUTH] Query:`, JSON.stringify(req.query));
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${ts} [AUTH] Headers.Cookie:`, req.headers.cookie?.slice(0, 100));
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${ts} [AUTH] >>> Response Status: ${statusCode}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${ts} [AUTH] >>> Location (redirect): ${headers.location || headers.Location}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${ts} [AUTH] >>> Headers:`, JSON.stringify(headers));
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`${ts} [AUTH] >>> Body: ${bodyPreview}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Auth] Sign-in response status:', signInResponse.status);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('[Auth] Set-Cookie headers:', setCookieHeaders);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[Auth Server] Session created, redirecting to authorize`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`OAuth Authorization Server listening on port ${authPort}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Authorization: ${authServerUrl}api/auth/mcp/authorize`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Token: ${authServerUrl}api/auth/mcp/token`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` Metadata: ${authServerUrl}.well-known/oauth-authorization-server`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
* Examples should be used for **demo** only and not for production purposes, however this mode disables some logging and other features.
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
const { authServerUrl, mcpServerUrl, demoMode, dangerousLoggingEnabled = false } = options;
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tools updated:', tools);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
onChanged: (error, prompts) => console.log('Prompts updated:', prompts)
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(result.content);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(result.structuredContent); // e.g. { bmi: 22.86 }
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Sampling request:', lastMessage);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Tools updated:', tools);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* onChanged: (error, prompts) => console.log('Prompts updated:', prompts)
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Sampling request:', lastMessage);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log(result.content);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log(result.structuredContent); // e.g. { bmi: 22.86 }
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Authentication failed');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(message);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Authentication failed');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
const { logger, includeRequestHeaders = false, includeResponseHeaders = false, statusLevel = 0 } = options;
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tool execution started:', message.task.taskId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tool status:', message.task.status);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Tool result:', message.result);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Task created:', message.task.taskId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Task status:', message.task.status);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Final result:', message.result);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Tool execution started:', message.task.taskId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Tool status:', message.task.status);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Tool result:', message.result);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Task created:', message.task.taskId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Task status:', message.task.status);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Final result:', message.result);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Progress:', progress.message);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Task created:', message.task.taskId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Task status:', message.task.status);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Final result:', message.result);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Task created:', message.task.taskId);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('Task status:', message.task.status);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
* console.log('User action:', message.result.action);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
return currentLevel ? this.LOG_LEVEL_SEVERITY.get(level)! < this.LOG_LEVEL_SEVERITY.get(currentLevel)! : false;
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Connected to server.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Initialized.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Closed.');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Got new SSE connection');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('SSE connection closed');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Received message');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Server running on http://localhost:${port}/sse`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Server running on stdio');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Using provided SHA: ${providedSHA}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Fetching latest commit SHA...');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Fetching spec.types.ts from commit: ${latestSHA}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Successfully updated packages/core/src/types/spec.types.ts');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Modified ${modified.length} file(s):`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` ${r.filePath} (${r.snippetsProcessed} snippet(s))`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('All snippets are up to date');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('\nSnippet sync complete!');
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Fetching authorization server metadata from ${AUTH_SERVER_URL}...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Using introspection endpoint: ${asMetadata.introspection_endpoint}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized with ID: ${newSessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session ${sid} closed`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Establishing SSE stream for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Received session termination request for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`MCP Auth Test Server running at http://localhost:${PORT}/mcp`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - PRM endpoint: http://localhost:${PORT}/.well-known/oauth-protected-resource`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - Auth server: ${AUTH_SERVER_URL}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - Introspection: ${asMetadata.introspection_endpoint}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console logging statements that reference sensitive fields such as password, secret, token, or API keys. Logging sensitive data can expose credentials in log files, monitoring systems, and log aggregation services.
console.log('Progress token:', progressToken);
Remove sensitive data from log statements. If you must reference sensitive fields, redact or mask them before logging.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Progress token:', progressToken);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${ctx.sessionId}] Starting test_reconnection tool...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${ctx.sessionId}] Closing SSE stream to trigger client polling...`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`[${ctx.sessionId}] test_reconnection tool complete`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized with ID: ${newSessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session ${sid} closed`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Client reconnecting with Last-Event-ID: ${lastEventId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Establishing SSE stream for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Received session termination request for session ${sessionId}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`MCP Conformance Test Server running on http://localhost:${PORT}`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(` - MCP endpoint: http://localhost:${PORT}/mcp`);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(...args);
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3000/mcp'), { authProvider });
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3000/mcp'), { authProvider });
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3000/mcp'), { authProvider });
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3000/mcp'), { authProvider });
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3000/mcp'), {
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
{ uri: 'file:///home/user/projects/my-app', name: 'My App' },
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
{ uri: 'file:///home/user/data', name: 'Data' }
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const serverUrl = new URL(process.env.MCP_SERVER_URL || 'http://localhost:3000/mcp');
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const toolsResult = await client.request(toolsRequest);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const OAUTH_CALLBACK_URL = `http://localhost:${OAUTH_CALLBACK_PORT}/callback`;
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
let serverUrl = 'http://localhost:3000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const parsedUrl = new URL(req.url || '', 'http://localhost');
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const serverUrl = args[0] || 'http://localhost:3000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const toolsResult = await client.request(toolsRequest);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const serverUrl = args[0] || 'http://localhost:3000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const DEFAULT_SERVER_URL = process.env.MCP_SERVER_URL || 'http://localhost:3000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const result = await this.client.request(request);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const DEFAULT_SERVER_URL = 'http://localhost:3000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const CALLBACK_URL = `http://localhost:${CALLBACK_PORT}/callback`;
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const parsedUrl = new URL(req.url || '', 'http://localhost');
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const toolsResult = await client.request(toolsRequest);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const promptsResult = await client.request(promptsRequest);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const promptResult = await client.request(promptRequest);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const resourcesResult = await client.request(resourcesRequest);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const result = await client.request(request);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
let serverUrl = 'http://localhost:3000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
let url = 'http://localhost:8000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const DEFAULT_SERVER_URL = process.env.MCP_SERVER_URL || 'http://localhost:3000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const SERVER_URL = 'http://localhost:3001/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const toolsResult = await client.request(toolsRequest);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const serverUrl = args[0] || 'http://localhost:3000/mcp';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const response = await fetch(url, { headers });
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
url: `http://localhost:${MCP_PORT}/confirm-payment?session=${sessionId}&elicitation=${elicitationId}&cartId=${encodeURIComponent(cartId)}`,
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
url: `http://localhost:${MCP_PORT}/api-key-form?session=${sessionId}&elicitation=${elicitationId}`,
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const res = await fetch(url);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const res = await fetch(url);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
uri: 'file:///projects/readme.md',
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
uri: 'file:///projects/config.json',
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
'file:///example/file1.txt',
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
uri: 'file:///example/file1.txt',
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
'file:///example/file2.txt',
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
uri: 'file:///example/file2.txt',
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
uri: 'file:///example/file1.txt',
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
uri: 'file:///example/file2.txt',
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
Automatically following HTTP redirects can be exploited to reach internal endpoints.
follow: true
Disable automatic redirects or validate redirect targets against allow-lists.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
const rootUrl = new URL(`/.well-known/${wellKnownType}`, issuer);
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
url: new URL(`/.well-known/oauth-authorization-server${pathname}`, url.origin),
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
* original request (e.g., a `tools/call` task returns a `CallToolResult`).
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
* @param taskParams - The task creation parameters from the request (ttl, pollInterval)
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
* The method name of the request (e.g., 'tools/call', 'ping').
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
this._onrequest(message, extra);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const result = await host.request(request, resultSchema, options);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const createResult = await host.request(request, CreateTaskResultSchema, options);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
* The URI identifying the root. This *must* start with `file://` for now.
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
uri: z.string().startsWith('file://'),
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
* A JSON-RPC error indicating that the request is not a valid request object. This error is returned when the message structure does not conform to the JSON-RPC 2.0 specification requirements for a request (e.g., missing required fields like `jsonrpc` or `method`, or using invalid types for these fields).
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
* The URI identifying the root. This *must* start with `file://` for now.
Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
* original request (e.g., a `tools/call` task returns a `CallToolResult`).
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const res = await fetch(url);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
hostname = new URL(`http://${hostHeader}`).hostname;
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const response = await fetch(url);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const response = await fetch(url);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const response = await fetch(metadataUrl);
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const response = await fetch(introspectionEndpoint, {
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const getBaseUrl = () => `http://localhost:${PORT}`;
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const provider = new ConformanceOAuthProvider('http://localhost:3000/callback', {
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
redirect_uris: ['http://localhost:3000/callback']
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
redirect_uris: ['http://localhost:3000/callback']
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Automatically following HTTP redirects can be exploited to reach internal endpoints.
redirect: 'manual' // Don't follow redirects automatically
Disable automatic redirects or validate redirect targets against allow-lists.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
'http://localhost:3000/callback',
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
redirect_uris: ['http://localhost:3000/callback']
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
resolve(new URL(`http://${host}:${addr.port}`));
Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* the full OAuth flow: token refresh on 401, or redirect for interactive
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
// --- MODE B: User-configured OAuth -----------------------------------------
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
// Built-in OAuth provider — the transport adapts it to AuthProvider internally.
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
} else if (mode === 'oauth') {
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.error('OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET required for oauth mode');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.error(`Unknown mode: ${mode}. Use 'host' or 'oauth'.`);
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* MCP_CLIENT_ID - OAuth client ID (required)
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* MCP_CLIENT_SECRET - OAuth client secret (required)
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* MCP_CLIENT_ID - OAuth client ID (required)
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Interactive MCP client with OAuth authentication
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Demonstrates the complete OAuth flow with browser-based authorization
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Example OAuth callback handler - in production, use a more robust approach
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Starts a temporary HTTP server to receive the OAuth callback
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
reject(new Error(`OAuth authorization failed: ${error}`));
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log(`OAuth callback server started on http://localhost:${CALLBACK_PORT}`);
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log('🚢 Creating transport with OAuth provider...');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log('🔌 Attempting connection (this will trigger OAuth redirect)...');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log('🔐 OAuth required - waiting for authorization...');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Establishes connection to the MCP server with OAuth authentication
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
client_name: 'Simple OAuth MCP Client',
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log('🔐 Creating OAuth provider...');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log(`📌 OAuth redirect handler called - opening browser`);
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log('🔐 OAuth provider created');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
name: 'simple-oauth-client',
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log('🔐 Starting OAuth flow...');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log('\n🎯 Interactive MCP Client with OAuth');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
console.log('🚀 Simple MCP OAuth Client');
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* In-memory OAuth client provider for demonstration purposes
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Example demonstrating the minimal AuthProvider for bearer token authentication.
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* For OAuth flows (client_credentials, private_key_jwt, etc.), use the built-in
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* MCP_TOKEN - Bearer token to use for authentication (required)
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', mcpPostHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', mcpGetHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete('/mcp', mcpDeleteHandler);
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', mcpPostHandler);
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete('/mcp', mcpDeleteHandler);
Implement CSRF protection using tokens or SameSite cookies.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/api-key-form', (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/api-key-form', express.urlencoded(), (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/confirm-payment', (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/confirm-payment', express.urlencoded(), (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', authMiddleware, mcpPostHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', authMiddleware, mcpGetHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete('/mcp', authMiddleware, mcpDeleteHandler);
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/api-key-form', express.urlencoded(), (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/confirm-payment', express.urlencoded(), (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', authMiddleware, mcpPostHandler);
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete('/mcp', authMiddleware, mcpDeleteHandler);
Implement CSRF protection using tokens or SameSite cookies.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/health', c => c.json({ status: 'ok' }));Add rate limiting middleware to all public API endpoints.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post('/mcp', async (req: Request, res: Response) => {Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get('/mcp', async (req: Request, res: Response) => {Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', async (req: Request, res: Response) => {Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', async (req: Request, res: Response) => {Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', async (req: Request, res: Response) => {Implement CSRF protection using tokens or SameSite cookies.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post('/mcp', async (req: Request, res: Response) => {Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get('/mcp', async (req: Request, res: Response) => {Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.delete('/mcp', async (req: Request, res: Response) => {Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', async (req: Request, res: Response) => {Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', async (req: Request, res: Response) => {Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete('/mcp', async (req: Request, res: Response) => {Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', async (req: Request, res: Response) => {Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete('/mcp', async (req: Request, res: Response) => {Implement CSRF protection using tokens or SameSite cookies.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', authMiddleware, mcpPostHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', mcpPostHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', authMiddleware, mcpGetHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', mcpGetHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete('/mcp', authMiddleware, mcpDeleteHandler);
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete('/mcp', mcpDeleteHandler);
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', authMiddleware, mcpPostHandler);
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', mcpPostHandler);
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete('/mcp', authMiddleware, mcpDeleteHandler);
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete('/mcp', mcpDeleteHandler);
Implement CSRF protection using tokens or SameSite cookies.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.delete('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete('/mcp', async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', async (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete('/mcp', async (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.all('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', async (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
export type { CreateDemoAuthOptions, DemoAuth } from './auth.js';
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
export { createDemoAuth } from './auth.js';
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
export { createProtectedResourceMetadataRouter, getAuth, setupAuthServer, verifyAccessToken } from './authServer.js';
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
"examples:simple-server:w": "pnpm --filter @modelcontextprotocol/examples-server exec tsx --watch src/simpleStreamableHttp.ts --oauth",
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Example: Using ClientCredentialsProvider for OAuth client credentials flow.
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Example: Using PrivateKeyJwtProvider for OAuth with private key JWT.
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
declare function withOAuth(provider: unknown, url: string): Middleware;
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Example: Creating a middleware pipeline for OAuth and logging.
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
// Create a middleware pipeline that handles both OAuth and logging
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
const enhancedFetch = applyMiddlewares(withOAuth(oauthProvider, 'https://api.example.com'), withLogging({ statusLevel: 400 }))(fetch);
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
export { applyMiddlewares, createMiddleware, withLogging, withOAuth } from './client/middleware.js';
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Utilities for handling OAuth resource URIs.
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* (e.g., "io.modelcontextprotocol/oauth-client-credentials"), and values are
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post('/mcp', (req, res) => {
Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', (req, res) => {
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', (req, res) => {
Implement CSRF protection using tokens or SameSite cookies.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
* app.post('/mcp', (req, res) => {
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
* app.post('/mcp', (req, res) => {
Implement CSRF protection using tokens or SameSite cookies.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get('/sse', async (req, res) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post('/message', async (req, res) => {
Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/sse', async (req, res) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/message', async (req, res) => {
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/message', async (req, res) => {
Implement CSRF protection using tokens or SameSite cookies.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/.well-known/oauth-protected-resource', (_req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', bearerAuth, adminScopeCheck, async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', bearerAuth, async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete('/mcp', bearerAuth, async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', bearerAuth, adminScopeCheck, async (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete('/mcp', bearerAuth, async (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.delete('/mcp', async (req: Request, res: Response) => {
Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post('/mcp', async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get('/mcp', async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete('/mcp', async (req: Request, res: Response) => {
Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post('/mcp', async (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete('/mcp', async (req: Request, res: Response) => {
Implement CSRF protection using tokens or SameSite cookies.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* Shared mock fetch implementation for OAuth flows used in client tests.
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
* - OAuth Protected Resource Metadata discovery
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
if (url.origin === resourceServerUrl.slice(0, -1) && url.pathname === '/.well-known/oauth-protected-resource') {
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
if (url.origin === authServerUrl && url.pathname === '/.well-known/oauth-authorization-server') {
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
access_token: 'test-access-token',
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
token_type: 'Bearer'
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
throw new Error(`Unexpected URL in mock OAuth fetch: ${url.toString()}`);
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
export * from './helpers/oauth.js';
Validate OAuth scopes on every endpoint. Check that the token has required permissions.
Backslash-based directory traversal patterns targeting Windows file systems.
? 'Checking code snippets are in sync...\n'
Normalize path separators and apply traversal checks for both forward and backslashes.
Backslash-based directory traversal patterns targeting Windows file systems.
: 'Syncing code snippets from example files...\n',
Normalize path separators and apply traversal checks for both forward and backslashes.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
server.listen(OAUTH_CALLBACK_PORT, () => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
const server = createServer((req, res) => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
server.listen(CALLBACK_PORT, () => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
createServer(async (req, res) => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
}).listen(PORT, () => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, error => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(MCP_PORT, error => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, error => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
const httpServer = app.listen(3000);
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, error => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(MCP_PORT, error => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
const server = createServer();
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, () => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, () => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, error => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
authApp.listen(authPort, (error?: Error) => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(port, error => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, () => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, () => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
server.listen(0, host, () => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(500).send('Error processing session termination');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(500).send('Error processing session termination');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(500).send('Error processing session termination');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
await this._transport?.send(message, { relatedRequestId });
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
return this._webStandardTransport.send(message, options);
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(500).send('Error processing session termination');Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(400).send('Missing session ID');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(404).send('Session not found');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
res.status(500).send('Error processing session termination');
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new McpServer({ name: 'my-server', version: '1.0.0' }, { capabilities: { logging: {} } });
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new McpServer({ name: 'my-server', version: '1.0.0' });
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new McpServer({ name: 'my-server', version: '1.0.0' });
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new McpServer({ name: 'my-server', version: '1.0.0' });
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new McpServer({ name: 'my-server', version: '1.0.0' });
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new McpServer({
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new McpServer({ name: 'my-server', version: '1.0.0' });
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
* const server = new McpServer({
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
this.server = new Server(serverInfo, options);
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
* const server = new McpServer({ name: 'my-server', version: '1.0.0' });
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new Server(
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Detected multiple McpServer or Server instantiations in a single file. Multiple server instances in one project may indicate a shadow MCP server that intercepts or duplicates tool traffic without authorization.
const server = new Server(
Consolidate MCP server instances into a single, well-documented server. Remove any duplicate or shadow server instantiations.
Use only static, hardcoded string literals for tool descriptions. Never assign descriptions from variables, user input, or external data sources.
Detected runtime reassignment of a tool's description property to a non-literal value. Dynamically modifying tool descriptions can allow an attacker to inject misleading instructions that alter LLM behavior.
if (updates.description !== undefined) registeredTool.description = updates.description;
Use only static, hardcoded string literals for tool descriptions. Never assign descriptions from variables, user input, or external data sources.