diff --git a/.env.example b/.env.example
new file mode 100644
index 00000000..483cf232
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,12 @@
+# Copy this file to .env and fill in real values.
+# .env is gitignored and must never be committed.
+
+# ── Provar Licensing OAuth (Cognito client credentials) ──────────────────────
+# Obtain from the Provar platform team.
+PROVAR_OAUTH_CLIENT_ID=your-client-id-here
+PROVAR_OAUTH_CLIENT_SECRET=your-client-secret-here
+
+# ── Dev whitelist keys (comma-separated) ─────────────────────────────────────
+# Keys that bypass the licensing API entirely (development / CI only).
+# Obtain from the Provar platform team.
+PROVAR_DEV_WHITELIST_KEYS=your-dev-key-here
diff --git a/.github/workflows/CIRelease_Tagging.yml b/.github/workflows/CIRelease_Tagging.yml
index f65d60eb..4693b3e1 100644
--- a/.github/workflows/CIRelease_Tagging.yml
+++ b/.github/workflows/CIRelease_Tagging.yml
@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged == true
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 20
       - name: Install Dependencies
         run: |
           yarn
diff --git a/.github/workflows/CI_Execution.yml b/.github/workflows/CI_Execution.yml
index a6c33d70..c5d03246 100644
--- a/.github/workflows/CI_Execution.yml
+++ b/.github/workflows/CI_Execution.yml
@@ -22,8 +22,8 @@ jobs:
   provardx-ci-execution:
     strategy:
       matrix:
-        os: ${{ fromJSON(format('[{0}]', inputs.OS || '"ubuntu-latest" || "macos-latest"')) }}
-        nodeversion: [18]
+        os: ${{ fromJSON(inputs.OS && format('[{0}]', inputs.OS) || '["ubuntu-latest", "macos-latest"]') }}
+        nodeversion: [20]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -31,7 +31,7 @@ jobs:
         with:
           node-version: ${{ matrix.nodeversion }}
       - name: 'Cache node_modules'
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ matrix.os == 'windows-latest' && 'C:\\Users\\runneradmin\\AppData\\Roaming\\npm-cache' || '~/.npm' }}
           key: ${{ runner.os }}-node-v${{ matrix.nodeversion }}-${{ hashFiles('**/package.json') }}
@@ -39,7 +39,7 @@ jobs:
             ${{ runner.os }}-node-v${{ matrix.nodeversion }}-
       - name: 'sf installation'
         run: |
-          npm install -g @salesforce/cli 
+          npm install -g @salesforce/cli
 
       - name: Determine Branch Name
         if: matrix.os == 'windows-latest'
@@ -49,7 +49,7 @@ jobs:
           } else {
             echo "BRANCH_NAME=$(echo $env:GITHUB_REF -replace 'refs/heads/', '')" | Out-File -FilePath $env:GITHUB_ENV -Append
           }
-          
+
       - name: Determine Branch Name for Ubuntu/Mac
         if: matrix.os != 'windows-latest'
         run: |
@@ -88,23 +88,28 @@ jobs:
           token: ${{ secrets.PATUTILS }}
       - name: Utils build and link
         run: |
-            cd utils
-            yarn && yarn prepack
-            yarn link
+          cd utils
+          yarn && yarn prepack
+          yarn link
       - name: Install Dependencies
         run: yarn
       - name: Link utils package
         run: yarn link @provartesting/provardx-plugins-utils
       - name: Build the project
         run: |
-           sf plugins link .
-           yarn prepack
+          sf plugins link .
+          yarn prepack
+      - name: MCP smoke test
+        timeout-minutes: 5
+        env:
+          PROVAR_DEV_WHITELIST_KEYS: ${{ secrets.PROVAR_DEV_WHITELIST_KEYS }}
+        run: node scripts/mcp-smoke.cjs
       - name: Check out Regression repo
         uses: actions/checkout@v4
         with:
-          repository: ProvarTesting/ProvarRegression
+          repository: ProvarTesting/provar-manager-regression
           path: ProvarRegression
-          ref: AnchalGoel
+          ref: PM_Grid_AutomationPack
           token: ${{ secrets.PATREGRESSION }}
       - name: Change permissions
         run: |
@@ -119,7 +124,7 @@ jobs:
           sf plugins link .
           yarn run test:nuts
       - name: Archive NUTS results
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: nuts-report-${{ matrix.os }}
           path: mochawesome-report
diff --git a/.github/workflows/DeployManual.yml b/.github/workflows/DeployManual.yml
index 271f1d00..f0eea483 100644
--- a/.github/workflows/DeployManual.yml
+++ b/.github/workflows/DeployManual.yml
@@ -5,7 +5,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: 'tag name e.g. beta, latest etc.'
+        description: "tag name e.g. beta, latest etc."
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -13,11 +13,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: 18
-          registry-url: 'https://registry.npmjs.org'
-          scope: '@provartesting'
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+          scope: "@provartesting"
       - name: Install dependencies and build
         run: |
           npm install -g @salesforce/cli
@@ -28,6 +28,7 @@ jobs:
           cat /home/runner/work/_temp/.npmrc
           cat $NPM_CONFIG_USERCONFIG
       - name: Publish package on NPM
-        run: yarn publish --tag ${{ inputs.tag }}
+        run: npm publish --tag "$TAG" --access public
         env:
+          TAG: ${{ github.event.inputs.tag || 'latest' }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/UnpublishManual.yml b/.github/workflows/UnpublishManual.yml
index 11beb3e7..e8a52bd7 100644
--- a/.github/workflows/UnpublishManual.yml
+++ b/.github/workflows/UnpublishManual.yml
@@ -10,9 +10,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 20
           registry-url: 'https://registry.npmjs.org'
           scope: '@provartesting'
       - name: Unpublish package from NPM
diff --git a/.gitignore b/.gitignore
index 1120f09f..25e73a53 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,9 @@ tmp/
 # never checkin npm config
 .npmrc
 
+# npm lockfile — this project uses yarn; suppress the warning
+package-lock.json
+
 # debug logs
 npm-error.log
 yarn-error.log
@@ -21,13 +24,11 @@ test/lib
 coverage
 test_session*
 
-# generated docs
-docs
-
 # ignore sfdx-trust files
 *.tgz
 *.sig
 package.json.bak.
+.sfdx
 
 # -- CLEAN ALL
 *.tsbuildinfo
@@ -46,4 +47,14 @@ oclif.manifest.json
 
 
 #Mocha Report Directory
-mochawesome-report
\ No newline at end of file
+mochawesome-report
+.gstack/
+
+# Local environment — never commit real credentials
+.env
+.env.local
+.env.*.local
+
+# Claude
+.claude/skills
+CLAUDE.md
\ No newline at end of file
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 4fbfe02f..669c6d9a 100644
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,2 @@
 #!/bin/sh
-. "$(dirname "$0")/_/husky.sh"
-
 yarn lint && yarn pretty-quick --staged
diff --git a/.husky/pre-push b/.husky/pre-push
index 56b63c31..2db7f505 100644
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -1,4 +1,2 @@
 #!/bin/sh
-. "$(dirname "$0")/_/husky.sh"
-
 yarn build && yarn test
diff --git a/README.md b/README.md
index e903d77c..7598bca8 100644
--- a/README.md
+++ b/README.md
@@ -6,27 +6,58 @@
 
 # What is the ProvarDX CLI?
 
-The Provar DX CLI is a Salesforce CLI plugin for Provar customers who want to automate the execution of tests using Provar Automation, and the reporting of test results and other quality-related metrics to Provar Manager.
+The Provar DX CLI is a Salesforce CLI plugin for Provar customers who want to automate the execution of tests using Provar Automation, and the reporting of test results and other quality-related metrics to Provar Quality Hub.
 
 # Installation, Update, and Uninstall
 
 Install the plugin
+
 ```sh-session
 $ sf plugins install @provartesting/provardx-cli
 ```
 
 Update plugins
+
 ```sh-session
 $ sf plugins update
 ```
 
 Uninstall the plugin
+
 ```sh-session
 $ sf plugins uninstall @provartesting/provardx-cli
 ```
 
+# MCP Server (AI-Assisted Quality)
+
+The Provar DX CLI includes a built-in **Model Context Protocol (MCP) server** that connects AI assistants (Claude Desktop, Claude Code, Cursor) directly to your Provar project. Once connected, an AI agent can inspect your project structure, generate Page Objects and test cases, and validate every level of the test hierarchy with quality scores that match the Provar Quality Hub API.
+
+```sh
+sf provar mcp start --allowed-paths /path/to/your/provar/project
+```
+
+📖 **See [docs/mcp.md](https://github.com/ProvarTesting/provardx-cli/blob/main/docs/mcp.md) for full setup and tool documentation.**
+
+## License Validation
+
+The MCP server verifies your Provar license before accepting any connections. Validation is automatic — no extra flags are required for standard usage.
+
+**How it works:**
+
+1. **Auto-detection** — the server reads `~/Provar/.licenses/*.properties` (the same files written by Provar's IDE plugins). If a valid, activated license is found the server starts immediately.
+2. **Cache** — successful validations are cached at `~/Provar/.licenses/.mcp-license-cache.json` (2 h TTL). Subsequent starts within the TTL window skip the disk scan.
+3. **Grace fallback** — if the IDE license files cannot be found or read and the cache is stale (but ≤ 48 h old), the server starts with a warning on stderr using the cached result so CI pipelines are not broken by transient local file-access issues.
+4. **Fail closed** — if no valid license is detected the command exits with a non-zero exit code and a clear error message.
+
+**`NODE_ENV=test` fast-path:**
+
+When `NODE_ENV=test` the validation step is skipped entirely. This is intended only for the plugin's own unit-test suite.
+
+---
+
 # Commands
 
+- [`sf provar mcp start`](#sf-provar-mcp-start)
 - [`sf provar config get`](#sf-provar-config-get)
 - [`sf provar config set`](#sf-provar-config-set)
 - [`sf provar automation config generate`](#sf-provar-automation-config-generate)
@@ -38,13 +69,89 @@ $ sf plugins uninstall @provartesting/provardx-cli
 - [`sf provar automation project compile`](#sf-provar-automation-project-compile)
 - [`sf provar automation metadata download`](#sf-provar-automation-metadata-download)
 - [`sf provar automation test run`](#sf-provar-automation-test-run)
-- [`sf provar manager connect`](#sf-provar-manager-connect)
-- [`sf provar manager display`](#sf-provar-manager-display)
-- [`sf provar manager open`](#sf-provar-manager-open)
-- [`sf provar manager testcase retrieve`](#sf-provar-manager-testcase-retrieve)
-- [`sf provar manager test run`](#sf-provar-manager-test-run)
-- [`sf provar manager test run report`](#sf-provar-manager-test-run-report)
-- [`sf provar manager test run abort`](#sf-provar-manager-test-run-abort)
+- [`sf provar quality-hub connect`](#sf-provar-quality-hub-connect)
+- [`sf provar quality-hub display`](#sf-provar-quality-hub-display)
+- [`sf provar quality-hub open`](#sf-provar-quality-hub-open)
+- [`sf provar quality-hub testcase retrieve`](#sf-provar-quality-hub-testcase-retrieve)
+- [`sf provar quality-hub test run`](#sf-provar-quality-hub-test-run)
+- [`sf provar quality-hub test run report`](#sf-provar-quality-hub-test-run-report)
+- [`sf provar quality-hub test run abort`](#sf-provar-quality-hub-test-run-abort)
+- [`sf provar manager connect`](#sf-provar-manager-connect) _(deprecated — use `sf provar quality-hub connect`)_
+- [`sf provar manager display`](#sf-provar-manager-display) _(deprecated — use `sf provar quality-hub display`)_
+- [`sf provar manager open`](#sf-provar-manager-open) _(deprecated — use `sf provar quality-hub open`)_
+- [`sf provar manager testcase retrieve`](#sf-provar-manager-testcase-retrieve) _(deprecated — use `sf provar quality-hub testcase retrieve`)_
+- [`sf provar manager test run`](#sf-provar-manager-test-run) _(deprecated — use `sf provar quality-hub test run`)_
+- [`sf provar manager test run report`](#sf-provar-manager-test-run-report) _(deprecated — use `sf provar quality-hub test run report`)_
+- [`sf provar manager test run abort`](#sf-provar-manager-test-run-abort) _(deprecated — use `sf provar quality-hub test run abort`)_
+
+## `sf provar mcp start`
+
+Start a local MCP server for Provar tools over stdio transport.
+
+```
+USAGE
+  $ sf provar mcp start [-a <value>...]
+
+FLAGS
+  -a, --allowed-paths=<value>...  Allowed base directory paths for file operations.
+                                  Defaults to the current working directory.
+                                  Repeat the flag to allow multiple paths.
+
+DESCRIPTION
+  Launches a stateless MCP (Model Context Protocol) server that exposes Provar tools
+  to AI assistants (Claude Desktop, Claude Code, Cursor) via stdio transport. All MCP
+  JSON-RPC communication happens over stdout; all internal logging goes to stderr.
+
+  Note: --json is not available on this command — stdout is reserved for MCP traffic.
+
+TOOLS EXPOSED
+  provar.project.inspect               — inspect project folder inventory
+  provar.pageobject.generate           — generate Java Page Object skeleton
+  provar.pageobject.validate           — validate Page Object quality (30+ rules)
+  provar.testcase.generate             — generate XML test case skeleton
+  provar.testcase.validate             — validate test case XML (validity + best-practices scores)
+  provar.testsuite.validate            — validate test suite hierarchy
+  provar.testplan.validate             — validate test plan with metadata completeness checks
+  provar.project.validate              — validate full project: cross-cutting rules, connections, environments
+  provar.properties.generate           — generate provardx-properties.json from the standard template
+  provar.properties.read               — read and parse a provardx-properties.json file
+  provar.properties.set                — update fields in a provardx-properties.json file
+  provar.properties.validate           — validate a provardx-properties.json file against the schema
+  provar.ant.generate                  — generate an ANT build.xml for CI/CD pipeline execution
+  provar.ant.validate                  — validate an ANT build.xml for structural correctness
+  provar.qualityhub.connect            — connect to a Quality Hub org
+  provar.qualityhub.display            — display connected Quality Hub org info
+  provar.qualityhub.testrun            — trigger a Quality Hub test run
+  provar.qualityhub.testrun.report     — poll test run status
+  provar.qualityhub.testrun.abort      — abort an in-progress test run
+  provar.qualityhub.testcase.retrieve  — retrieve test cases by user story / component
+  provar.automation.setup              — detect or download/install Provar Automation binaries
+  provar.automation.testrun            — trigger a Provar Automation test run (LOCAL)
+  provar.automation.compile            — compile Page Objects after changes
+  provar.automation.config.load        — register a provardx-properties.json as the active config (required before compile/testrun)
+  provar.automation.metadata.download  — download Salesforce metadata into the project
+  provar.qualityhub.defect.create      — create Quality Hub defects from failed test executions
+  provar.testrun.report.locate         — resolve artifact paths (JUnit.xml, HTML reports) for a completed test run
+  provar.testrun.rca                   — analyse a completed test run: classify failures, extract page objects, detect pre-existing issues
+  provar.testplan.add-instance         — wire a test case into a plan suite by writing a .testinstance file
+  provar.testplan.create-suite         — create a new test suite directory with .planitem inside a plan
+  provar.testplan.remove-instance      — remove a .testinstance file from a plan suite
+
+EXAMPLES
+  Start MCP server (accepts stdio connections from Claude Desktop / Cursor):
+
+    $ sf provar mcp start
+
+  Start with an explicit allowed path:
+
+    $ sf provar mcp start --allowed-paths /workspace/provar
+
+  Allow multiple directories:
+
+    $ sf provar mcp start -a /workspace/project-a -a /workspace/project-b
+```
+
+📖 **Full tool documentation and client configuration: [docs/mcp.md](https://github.com/ProvarTesting/provardx-cli/blob/main/docs/mcp.md)**
 
 ## `sf provar config get`
 
@@ -163,7 +270,7 @@ DESCRIPTION
 
 EXAMPLES
   Check if the loaded properties file has all the required properties set:
-  
+
     $ sf provar automation config validate
 ```
 
@@ -301,6 +408,153 @@ EXAMPLES
     $ sf provar automation test run
 ```
 
+## `sf provar quality-hub connect`
+
+Connect to a Provar Quality Hub org.
+
+```
+USAGE
+  $ sf provar quality-hub connect -o <value> [--json]
+
+FLAGS
+  -o, --target-org=<value>  (required) Username or alias set in the SF CLI which corresponds to the Provar Quality Hub org.
+
+GLOBAL FLAGS
+  --json  Format output as json.
+
+DESCRIPTION
+  Load the alias or username to be used in subsequent Quality Hub commands.
+
+EXAMPLES
+  Connect to the Quality Hub org stored with alias "ProvarQualityHub":
+
+    $ sf provar quality-hub connect -o ProvarQualityHub
+```
+
+## `sf provar quality-hub display`
+
+Display information about the connected Provar Quality Hub org.
+
+```
+USAGE
+  $ sf provar quality-hub display [--json]
+
+GLOBAL FLAGS
+  --json  Format output as json.
+
+EXAMPLES
+  Display information about the connected Quality Hub org:
+
+    $ sf provar quality-hub display
+```
+
+## `sf provar quality-hub open`
+
+Open Provar Quality Hub in a browser.
+
+```
+USAGE
+  $ sf provar quality-hub open [--json]
+
+GLOBAL FLAGS
+  --json  Format output as json.
+
+EXAMPLES
+  Open Quality Hub in a browser:
+
+    $ sf provar quality-hub open
+```
+
+## `sf provar quality-hub testcase retrieve`
+
+Retrieve test cases related to the provided user stories or metadata components.
+
+```
+USAGE
+  $ sf provar quality-hub testcase retrieve -p <value> -t Apex|ProvarAutomation [--json] [-m <value>] [-f <value>] [-i <value>] [-o <value>] [-n <value>] [-l <value>]
+
+FLAGS
+  -f, --metadata-file=<value>          Path to a text file containing the list of metadata components.
+  -i, --issues=<value>                 Comma-separated list of issue IDs or keys.
+  -l, --test-plan=<value>              Test Plan name. Use to retrieve test instance file paths.
+  -m, --metadata-components=<value>    Semicolon-separated list of metadata components.
+  -n, --ignore-metadata=<value>        Semicolon-separated list of metadata types to ignore.
+  -o, --output=<value>                 Output to a specific file instead of stdout.
+  -p, --test-project=<value>           (required) Test Project key to filter by.
+  -t, --test-automation-tool=<option>  (required) <options: Apex|ProvarAutomation>
+
+EXAMPLES
+  Retrieve Provar Automation test cases for user story "TM-766":
+
+    $ sf provar quality-hub testcase retrieve -p PAT -t ProvarAutomation -i "TM-766" --json
+```
+
+## `sf provar quality-hub test run`
+
+Run tests via Provar Quality Hub.
+
+```
+USAGE
+  $ sf provar quality-hub test run -f <value> [--json] [-y] [-w <value>] [-p <value>] [-o <value>] [-r <value>]
+
+FLAGS
+  -f, --configuration-file=<value>  (required) Path to the configuration file.
+  -o, --output=<value>              Output to a specific file instead of stdout.
+  -p, --polling-interval=<value>    [default: 60] Polling interval in seconds.
+  -r, --result-format=<value>       [default: human] Format of the test results.
+  -w, --wait=<value>                Polling timeout in minutes.
+  -y, --synchronous                 Run synchronously.
+
+EXAMPLES
+  Run tests and store results as JSON:
+
+    $ sf provar quality-hub test run -f config/run-grid-tests.json -w 10 -p 30 -r json -o results.json
+```
+
+## `sf provar quality-hub test run report`
+
+Check or poll for the status of a Quality Hub test run.
+
+```
+USAGE
+  $ sf provar quality-hub test run report -i <value> [--json] [-r <value>] [-o <value>]
+
+FLAGS
+  -i, --test-run=<value>       (required) Test run ID.
+  -o, --output=<value>         Output to a specific file instead of stdout.
+  -r, --result-format=<value>  [default: human] Format of the test results.
+
+EXAMPLES
+  Retrieve results for a test run:
+
+    $ sf provar quality-hub test run report -i 45f70417-df21-4917-a667-abc2ee46dc63 -r json -o results.json
+```
+
+## `sf provar quality-hub test run abort`
+
+Abort an in-progress test run triggered via Provar Quality Hub.
+
+```
+USAGE
+  $ sf provar quality-hub test run abort -i <value> [--json] [-p <value>] [-w <value>]
+
+FLAGS
+  -i, --test-run=<value>          (required) Test run ID.
+  -p, --polling-interval=<value>  [default: 30] Polling interval in seconds.
+  -w, --wait=<value>              [default: 2] Polling timeout in minutes.
+
+EXAMPLES
+  Abort a test run:
+
+    $ sf provar quality-hub test run abort -i 45f70417-df21-4917-a667-abc2ee46dc63
+```
+
+---
+
+> **Deprecated commands:** The `sf provar manager *` commands below are retained for backwards compatibility and will print a deprecation warning when used. Use the equivalent `sf provar quality-hub *` commands above for all new pipelines.
+
+---
+
 ## `sf provar manager connect`
 
 Load the alias or username to be used in subsequent commands to connect to Provar Manager.
diff --git a/docs/development.md b/docs/development.md
new file mode 100644
index 00000000..808726e4
--- /dev/null
+++ b/docs/development.md
@@ -0,0 +1,386 @@
+# Developer Guide — ProvarDX CLI
+
+Everything you need to clone, build, run locally, and test changes to `@provartesting/provardx-cli`.
+
+---
+
+## Table of Contents
+
+- [Prerequisites](#prerequisites)
+- [First-time setup](#first-time-setup)
+- [Project structure](#project-structure)
+- [Build system overview](#build-system-overview)
+- [Building](#building)
+- [Running locally (without installing)](#running-locally-without-installing)
+- [Testing](#testing)
+  - [Unit tests](#unit-tests)
+  - [Coverage](#coverage)
+  - [NUT integration tests](#nut-integration-tests)
+  - [Full test + lint gate](#full-test--lint-gate)
+- [Linting and formatting](#linting-and-formatting)
+- [Developing the MCP server locally](#developing-the-mcp-server-locally)
+- [Troubleshooting](#troubleshooting)
+
+---
+
+## Prerequisites
+
+| Tool | Minimum version | How to check |
+|------|----------------|--------------|
+| Node.js | 18.0.0 | `node --version` |
+| npm | 8+ (ships with Node 18) | `npm --version` |
+| Salesforce CLI (`sf`) | any recent | `sf --version` |
+| Git | any | `git --version` |
+
+The Salesforce CLI is required to run the compiled plugin commands in development mode (`bin/dev.js`). Install it from [developer.salesforce.com/tools/salesforcecli](https://developer.salesforce.com/tools/salesforcecli) if needed.
+
+---
+
+## First-time setup
+
+```sh
+# 1. Clone the repository
+git clone https://github.com/ProvarTesting/provardx-cli.git
+cd provardx-cli
+
+# 2. Install dependencies
+npm install
+
+# 3. Compile TypeScript + copy JSON rule files to lib/
+npm run compile
+```
+
+> **Windows note:** All scripts use `shx` for cross-platform shell commands, so `npm run compile` works identically on Windows, macOS, and Linux.
+
+---
+
+## Project structure
+
+```
+provardx-cli/
+├── src/
+│   ├── commands/provar/          # oclif CLI command implementations
+│   │   ├── config/               #   provar config get|set
+│   │   ├── automation/config/    #   provar automation config *
+│   │   └── mcp/                  #   provar mcp start
+│   └── mcp/
+│       ├── server.ts             # MCP server factory (registers all tools)
+│       ├── tools/                # One file per MCP tool + engine modules
+│       │   ├── bestPracticesEngine.ts   # Scoring engine (port of Lambda)
+│       │   ├── hierarchyValidate.ts     # Suite/plan/project validation engine
+│       │   ├── testCaseValidate.ts      # Schema-level TC validation
+│       │   ├── pageObjectValidate.ts    # Java Page Object validation
+│       │   ├── testCaseGenerate.ts      # XML generation
+│       │   ├── pageObjectGenerate.ts    # Java PO generation
+│       │   ├── projectInspect.ts        # Project folder inspection
+│       │   └── {testSuite,testPlan,testProject}Validate.ts
+│       ├── rules/                # provar_best_practices_rules.json (runtime)
+│       ├── schemas/              # Shared Zod schemas + common helpers
+│       ├── security/             # Path policy enforcement
+│       └── logging/              # Structured logger
+├── test/
+│   ├── unit/mcp/                 # Pure function unit tests (Mocha + Node assert)
+│   └── commands/provar/          # NUT integration tests (require sf CLI)
+├── docs/
+│   ├── development.md            # This file
+│   └── mcp.md                    # MCP server user guide
+├── messages/                     # oclif message files (descriptions, examples)
+├── lib/                          # Compiled output (git-ignored, generated by compile)
+├── bin/
+│   ├── dev.js                    # Local dev entry point (uses ts-node, reads src/)
+│   └── run.js                    # Production entry point (reads lib/)
+├── .mocharc.json                 # Mocha config (ts-node/esm loader, 10 min timeout)
+├── .nycrc                        # Istanbul/nyc coverage thresholds
+└── tsconfig.json                 # TypeScript config (strict ESM, outDir: lib)
+```
+
+---
+
+## Build system overview
+
+This project uses **[Wireit](https://github.com/google/wireit)** as a build orchestrator on top of npm scripts. Wireit provides:
+- **Incremental builds** — only recompiles files that changed
+- **Dependency ordering** — `build` depends on `compile` + `lint`; `test` depends on `test:compile` + `test:only` + `lint`
+- **Caching** — subsequent `npm run compile` runs skip unchanged files
+
+The compile step does two things:
+1. `tsc` — transpiles `src/**/*.ts` → `lib/`
+2. `shx cp src/mcp/rules/*.json lib/mcp/rules/` — copies the JSON rules file (TypeScript does not copy non-`.ts` assets automatically)
+
+---
+
+## Building
+
+```sh
+# Compile TypeScript only (fastest — use while iterating)
+npm run compile
+
+# Compile + lint (full build gate, same as CI)
+npm run build
+
+# Remove all compiled output and caches
+npm run clean
+
+# Remove all compiled output AND node_modules
+npm run clean-all
+```
+
+After `npm run compile` succeeds, the compiled plugin is available under `lib/` and the development entry point (`bin/dev.js`) is ready to use.
+
+---
+
+## Running locally (without installing)
+
+`bin/dev.js` is the **development entry point**. It loads the plugin directly from your local `lib/` directory rather than from the installed npm package, so any changes you compile are immediately available.
+
+```sh
+# General form
+node bin/dev.js <command> [flags]
+
+# Examples
+node bin/dev.js provar config get environment.testEnvironment -f provardx-properties.json
+node bin/dev.js provar automation config validate
+node bin/dev.js provar mcp start --allowed-paths /path/to/project
+```
+
+> **Tip:** On Unix you can `chmod +x bin/dev.js` and run it as `./bin/dev.js` or add a shell alias:
+> ```sh
+> alias sfdev="node $(pwd)/bin/dev.js"
+> sfdev provar mcp start
+> ```
+
+`bin/run.js` uses the installed `lib/` too but targets production settings. Prefer `bin/dev.js` during development.
+
+---
+
+## Testing
+
+### Unit tests
+
+Unit tests live in `test/unit/mcp/` and cover all pure validator functions (no filesystem, no network, no Salesforce CLI required). There are three ways to run them, depending on your workflow:
+
+| Command | When to use |
+|---------|-------------|
+| `npm run test:dev` | **Daily development** — always executes, never cached, fastest for iteration |
+| `npm run test:watch` | **TDD mode** — re-runs automatically whenever a `src/` or `test/` file changes |
+| `npm run test:only` | **CI / pre-commit** — wireit-managed; skips if no files changed since last run |
+
+```sh
+# Always runs — no caching, best for iterating on changes
+npm run test:dev
+
+# Re-runs on every file save — great for test-driven development
+npm run test:watch
+
+# Wireit-managed (may be skipped if inputs are unchanged — see note below)
+npm run test:only
+```
+
+Expected output: `96 passing (Xms)` — all tests should be green.
+
+The test runner is **Mocha** with `ts-node/esm` as the loader, so test files are executed directly from TypeScript source without a prior compile step.
+
+> **Wireit caching note:** `npm run test:only` is managed by Wireit, which fingerprints your source and test files. If nothing has changed since the last successful run it prints `Ran 0 scripts and skipped 1` and exits without executing Mocha — this is intentional for CI performance. If you want the tests to always run unconditionally, use `npm run test:dev` instead. To force a fresh run via `test:only` (e.g. after pulling changes), clear the cache first:
+>
+> ```sh
+> rm -rf .wireit && npm run test:only
+> ```
+
+**Current test files and what they cover:**
+
+| File | Covers |
+|------|--------|
+| `testCaseValidate.test.ts` | XML schema rules TC_001–TC_035 |
+| `pageObjectValidate.test.ts` | Java PO rules PO_001–PO_080 |
+| `pathPolicy.test.ts` | Path security policy (allowed paths, traversal) |
+| `hierarchyValidate.test.ts` | Suite/plan/project structural + naming rules, `buildHierarchySummary` |
+| `bestPracticesEngine.test.ts` | Scoring formula (exact Lambda parity), `runBestPractices` |
+
+### Coverage
+
+Coverage is collected by **nyc (Istanbul)** and runs as part of `test:only`. Thresholds are enforced in `.nycrc`:
+
+```json
+{ "lines": 80, "statements": 80, "functions": 60, "branches": 30 }
+```
+
+To view a coverage report:
+
+```sh
+# After running test:only, open the HTML report
+npx nyc report --reporter=html
+open coverage/index.html          # macOS
+start coverage/index.html         # Windows
+```
+
+### NUT integration tests
+
+NUT (Named Unit Test) files in `test/commands/provar/` perform end-to-end CLI execution and require a functioning Salesforce CLI installation. They are not run by default in the unit test suite.
+
+```sh
+# Run all NUT tests (requires sf CLI in PATH and a valid Salesforce org)
+npm run test:nuts
+```
+
+These are primarily run in CI against a real environment. For local development, the unit tests in `test/unit/mcp/` are sufficient for MCP-related changes.
+
+### Full test + lint gate
+
+```sh
+# Equivalent to what CI runs: test:compile + test:only + lint
+npm test
+```
+
+This must pass before any PR is merged.
+
+---
+
+## Linting and formatting
+
+```sh
+# Run ESLint (reports errors only, does not fix)
+npm run lint
+
+# Auto-format source and test files with Prettier
+npm run format
+```
+
+The project uses `@salesforce/dev-scripts` for shared ESLint and Prettier configs. The `camelcase` rule is suppressed in files that deal with JSON field names from external APIs (note the `/* eslint-disable camelcase */` comments in MCP tool files).
+
+---
+
+## Developing the MCP server locally
+
+To test MCP server changes interactively with an AI client:
+
+### Claude Code (simplest)
+
+1. Compile your changes: `npm run compile`
+2. Add a project-scoped MCP server entry in `.claude/mcp.json` at the repo root:
+
+```json
+{
+  "mcpServers": {
+    "provar-dev": {
+      "command": "node",
+      "args": ["bin/dev.js", "provar", "mcp", "start", "--allowed-paths", "/path/to/test/project"]
+    }
+  }
+}
+```
+
+3. Open Claude Code in this repo — the `provar-dev` MCP server is loaded automatically.
+
+### Claude Desktop
+
+Update `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
+
+```json
+{
+  "mcpServers": {
+    "provar-dev": {
+      "command": "node",
+      "args": [
+        "/absolute/path/to/provardx-cli/bin/dev.js",
+        "provar", "mcp", "start",
+        "--allowed-paths", "/path/to/your/provar/project"
+      ]
+    }
+  }
+}
+```
+
+Restart Claude Desktop after saving.
+
+### Debugging MCP tool calls
+
+The MCP server writes structured logs to **stderr**. To see them when running manually:
+
+```sh
+# Start the server with verbose output visible
+node bin/dev.js provar mcp start 2>mcp-debug.log
+```
+
+In another terminal, tail the log:
+
+```sh
+tail -f mcp-debug.log
+```
+
+Each tool call logs a `requestId`, the tool name, and the key input parameters — helpful for tracing unexpected behaviour.
+
+### Adding a new MCP tool
+
+1. Create `src/mcp/tools/myTool.ts` and export a `registerMyTool(server: McpServer): void` function.
+2. Import and call it in `src/mcp/server.ts`.
+3. Write unit tests in `test/unit/mcp/myTool.test.ts`.
+4. Add the tool name to the tools list in `messages/sf.provar.mcp.start.md` and `docs/mcp.md`.
+5. Run `npm run compile && npm run test:only` to verify everything passes.
+
+---
+
+## Troubleshooting
+
+### `npm run test:only` shows "Ran 0 scripts and skipped 1" — tests don't run
+
+This is wireit's **input-fingerprinting cache** in action: it recorded a successful test run and sees no changes to `src/` or `test/` since then, so it skips execution entirely. This is expected behaviour in CI but can be surprising locally.
+
+**Fixes:**
+
+```sh
+# Option 1 (preferred for daily dev) — always executes, never cached
+npm run test:dev
+
+# Option 2 — clear the cache, then re-run via wireit
+rm -rf .wireit && npm run test:only
+```
+
+### `wireit` reports "script is already running"
+
+Wireit locks scripts to prevent concurrent runs. If a previous run was interrupted:
+
+```sh
+# Remove the wireit lock and cache files
+rm -rf .wireit
+npm run compile
+```
+
+### TypeScript incremental build is stale
+
+If you see type errors that don't match the source, force a clean rebuild:
+
+```sh
+npm run clean
+npm run compile
+```
+
+### `Cannot find module '.../lib/mcp/rules/provar_best_practices_rules.json'`
+
+The JSON rules file is not copied by `tsc` automatically. Make sure you compiled with the full wireit task (not bare `tsc`):
+
+```sh
+npm run compile   # ← copies JSON rules to lib/mcp/rules/
+```
+
+If using bare `tsc` for IDE integration, run the copy manually:
+
+```sh
+mkdir -p lib/mcp/rules && cp src/mcp/rules/*.json lib/mcp/rules/
+```
+
+### Tests fail with `ExperimentalWarning: --experimental-loader`
+
+This is an informational warning from Node.js about `ts-node/esm` and can be safely ignored. It does not indicate a test failure.
+
+### `sf` command not found when using `bin/dev.js`
+
+`bin/dev.js` delegates to the Salesforce CLI oclif runtime. Ensure `sf` is installed and on your PATH:
+
+```sh
+npm install -g @salesforce/cli
+sf --version
+```
+
+### ESLint `camelcase` errors in MCP files
+
+MCP tool files use `/* eslint-disable camelcase */` at the top because JSON field names from the Quality Hub API use `snake_case`. This is intentional — do not remove the disable comment.
diff --git a/docs/mcp-pilot-guide.md b/docs/mcp-pilot-guide.md
new file mode 100644
index 00000000..0dbc3ed0
--- /dev/null
+++ b/docs/mcp-pilot-guide.md
@@ -0,0 +1,352 @@
+# Provar MCP Server — Pilot Evaluation Guide
+
+This guide is for teams evaluating the Provar MCP server. It covers prerequisites, local setup, security and data handling, and suggested evaluation scenarios.
+
+---
+
+## What is the Provar MCP Server?
+
+The Provar MCP server is a built-in component of the Provar DX CLI that exposes Provar project operations to AI assistants (Claude Desktop, Claude Code, Cursor) via the [Model Context Protocol](https://modelcontextprotocol.io/) (MCP). Once connected, an AI agent can:
+
+- Inspect your Provar project structure and coverage gaps
+- Generate Java Page Objects and test case XML skeletons
+- Validate test cases, suites, plans, and the full project hierarchy against quality rules
+- Read, generate, and update `provardx-properties.json` run configurations
+- Trigger Provar Automation test runs and Quality Hub managed runs directly from the AI chat
+
+The server runs **locally on your machine**. It does not phone home, transmit your project files to Provar servers, or require any Provar-side infrastructure changes.
+
+---
+
+## Prerequisites
+
+| Requirement                 | Version | Notes                                                                                                                             |
+| --------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| Provar Automation IDE       | ≥ 2.x   | Must be installed with an **activated licence** on the same machine. The MCP server reads the licence from `~/Provar/.licenses/`. |
+| Salesforce CLI (`sf`)       | ≥ 2.x   | `npm install -g @salesforce/cli`                                                                                                  |
+| Provar DX CLI plugin        | ≥ 1.5.0 | `sf plugins install @provartesting/provardx-cli`                                                                                  |
+| An MCP-compatible AI client | —       | Claude Desktop, Claude Code, or Cursor                                                                                            |
+| Node.js                     | ≥ 18    | Installed automatically with the SF CLI                                                                                           |
+
+---
+
+## Installation
+
+### 1. Install the Salesforce CLI
+
+```sh
+npm install -g @salesforce/cli
+```
+
+Verify:
+
+```sh
+sf --version
+```
+
+### 2. Install the Provar DX CLI plugin
+
+```sh
+sf plugins install @provartesting/provardx-cli
+```
+
+Verify:
+
+```sh
+sf provar mcp start --help
+```
+
+### 3. Configure your AI client
+
+#### Claude Desktop
+
+Edit `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
+
+```json
+{
+  "mcpServers": {
+    "provar": {
+      "command": "sf",
+      "args": ["provar", "mcp", "start", "--allowed-paths", "/path/to/your/provar/project"]
+    }
+  }
+}
+```
+
+> **Licence:** The server reads your Provar Automation IDE licence automatically from `~/Provar/.licenses/`. No extra configuration is required — just ensure Provar Automation IDE is installed and activated on this machine.
+
+Restart Claude Desktop after saving the file. The Provar tools will appear in the tool list.
+
+#### Claude Code (VS Code / CLI)
+
+Add to your project's `.claude/mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "provar": {
+      "command": "sf",
+      "args": ["provar", "mcp", "start", "--allowed-paths", "/path/to/your/provar/project"]
+    }
+  }
+}
+```
+
+Or add directly from the Claude Code session:
+
+```
+/mcp add provar sf provar mcp start --allowed-paths /path/to/project
+```
+
+#### Cursor
+
+In Cursor settings → MCP, add:
+
+```json
+{
+  "provar": {
+    "command": "sf",
+    "args": ["provar", "mcp", "start", "--allowed-paths", "/path/to/your/provar/project"]
+  }
+}
+```
+
+---
+
+## Testing the Connection
+
+Before testing with a real project, verify the server is reachable using the `provardx.ping` tool. In your AI client, ask:
+
+> "Call provardx.ping with message 'hello'"
+
+Expected response:
+
+```json
+{ "pong": "hello", "ts": "2026-03-27T...", "server": "provar-mcp@1.0.0" }
+```
+
+If this fails, check that:
+
+- The SF CLI is on your `PATH` (`which sf` or `where sf`)
+- The Provar DX plugin is installed (`sf plugins`)
+- The `--allowed-paths` value matches the actual directory on disk
+
+---
+
+## Suggested Evaluation Scenarios
+
+Work through these in order — they build on each other.
+
+### Scenario 1: Project Inspection
+
+**Goal:** Understand what the AI can see in your project.
+
+Prompt your AI assistant:
+
+> "Use provar.project.inspect on `/path/to/my/project` and tell me what you find — how many test cases, any coverage gaps?"
+
+**What to look for:**
+
+- Accurate file counts
+- Identification of uncovered test cases (those not referenced by any test plan)
+- Detection of `provardx-properties.json` files and Provar home path
+
+---
+
+### Scenario 2: Test Case Validation
+
+**Goal:** Score an existing test case for quality issues.
+
+> "Validate the test case at `/path/to/project/tests/LoginTest.testcase` and explain any issues found."
+
+**What to look for:**
+
+- `validity_score` and `quality_score` both returned (0–100)
+- Specific rule violations called out (e.g. TC_010 missing test case ID, TC_001 missing XML declaration)
+- Best-practices suggestions (e.g. hardcoded credentials, missing step descriptions)
+
+---
+
+### Scenario 3: Generate a Page Object
+
+**Goal:** Have the AI scaffold a new Page Object for a Salesforce page.
+
+> "Generate a Salesforce Page Object for the Account Detail page, with fields for Account Name (input), Phone (input), and Save button (button). Write it to `/path/to/project/src/pageobjects/accounts/AccountDetailPage.java`."
+
+**What to look for:**
+
+- Valid Java output with correct `@SalesforcePage` annotation
+- `@FindBy` annotations with sensible locator strategies
+- File written to disk (or dry-run if you omit the path)
+
+---
+
+### Scenario 4: Properties File Setup
+
+**Goal:** Have the AI create and configure the run properties file.
+
+> "Generate a `provardx-properties.json` at `/path/to/project/provardx-properties.json` with projectPath set to `/path/to/project` and provarHome set to `/path/to/provar`. Then validate it."
+
+**What to look for:**
+
+- File created with correct structure
+- Validation reports any remaining `${PLACEHOLDER}` values as warnings
+- No errors for the fields you provided
+
+---
+
+### Scenario 5: Full Hierarchy Validation
+
+**Goal:** Validate the entire project and get a quality report.
+
+> "Validate the full test project hierarchy. The project has connections named `SandboxOrg` and `ProdOrg`, environments `QA` and `UAT`, and the secrets password is set."
+
+**What to look for:**
+
+- `quality_score` for the project (0–100)
+- Any `PROJ-*` rule violations (duplicate names, unresolved references)
+- Suite and plan scores bubbled up into the project score
+
+---
+
+### Scenario 6 (requires SF CLI auth): Quality Hub Test Run
+
+**Goal:** Trigger a managed test run from the AI.
+
+Pre-requisite: `sf org login web -a MyQHOrg` then `sf provar quality-hub connect -o MyQHOrg`.
+
+> "Connect to the Quality Hub org MyQHOrg, start a test run using config file `config/smoke-run.json`, and poll every 30 seconds until it completes."
+
+**What to look for:**
+
+- The AI chaining: `provar.qualityhub.connect` → `provar.qualityhub.testrun` → `provar.qualityhub.testrun.report` (looped)
+- The run ID extracted from the `testrun` response and passed to `testrun.report`
+- Final result status reported back
+
+---
+
+## Security Model
+
+### What the server does
+
+- Reads and writes files **only within the paths you specify via `--allowed-paths`**
+- Validates all incoming paths against those roots before any file operation
+- Blocks path traversal attempts (`../`) with a `PATH_TRAVERSAL` error
+- Invokes `sf` CLI subprocesses for Quality Hub and Automation tools — these use the SF CLI's existing credential store (`~/.sf/credentials.json`), which the MCP server does not read directly
+
+### Licence validation
+
+At startup the server reads `~/Provar/.licenses/*.properties` to verify that a Provar Automation IDE licence is activated on the machine. No network call is made during this check — it relies entirely on the licence state that the IDE has already validated and written to disk. The server makes no outbound connections for licence purposes.
+
+**Evaluating without a local Provar IDE installation?** Set the `PROVAR_DEV_WHITELIST_KEYS` environment variable to one or more comma-separated licence keys to bypass the licence check entirely. This is intended for Provar engineering and CI environments:
+
+```json
+{
+  "mcpServers": {
+    "provar": {
+      "command": "sf",
+      "args": ["provar", "mcp", "start", "--allowed-paths", "/path/to/project"],
+      "env": {
+        "PROVAR_DEV_WHITELIST_KEYS": "your-provar-licence-key"
+      }
+    }
+  }
+}
+```
+
+> ⚠️ Do not use `PROVAR_DEV_WHITELIST_KEYS` in production environments — it bypasses all licence enforcement.
+
+### What the server does NOT do
+
+- It does not transmit your project files, test code, or credentials to Provar servers
+- It does not make any network calls (licence is validated locally from the IDE's state)
+- It does not open any network ports or HTTP listeners (stdio transport only)
+- It does not store state between requests — every tool call is stateless
+- It does not read or modify files outside `--allowed-paths`
+- It does not log sensitive field values (secrets, credentials) — log output goes to stderr only and contains request IDs and tool names
+
+### Transport security
+
+The MCP server uses **stdio transport** exclusively. Communication travels over the same process pipes that your AI client (Claude Desktop, Cursor, etc.) controls. There is no exposed TCP socket, no authentication token, and no network listener. The attack surface is limited to the process you explicitly launch.
+
+### Credential handling
+
+The Quality Hub and Automation tools invoke `sf` subprocesses. Salesforce org credentials are managed entirely by the Salesforce CLI and stored in its own credential store. The Provar MCP server never reads, parses, or transmits those credentials.
+
+### Path policy enforcement
+
+```
+PathPolicy: assertPathAllowed(filePath, allowedPaths)
+  → PATH_TRAVERSAL  if filePath contains ".."
+  → PATH_NOT_ALLOWED if resolved path is outside all allowed roots
+  → passes otherwise
+```
+
+This check runs before every file read and write. The allowed roots are set at server startup via `--allowed-paths` and cannot be changed while the server is running.
+
+### Audit log
+
+All tool invocations are logged to **stderr** with a unique `requestId` per call. The log format is structured JSON:
+
+```
+[INFO] provar.testcase.validate {"requestId":"req-a1b2c3","file_path":"/workspace/..."}
+```
+
+You can capture stderr from the MCP server process to maintain an audit trail of all AI agent tool calls.
+
+---
+
+## Known Limitations
+
+| Limitation                                            | Details                                                                                                                                                                                                 |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| No async operations                                   | Quality Hub test run tools use synchronous SF CLI invocations. Long-running runs should use `provar.qualityhub.testrun.report` in a polling loop.                                                       |
+| SF CLI must be in PATH                                | The `provar.qualityhub.*` and `provar.automation.*` tools spawn `sf` as a subprocess. If `sf` is not on `PATH`, you get `SF_NOT_FOUND`.                                                                 |
+| No Windows native paths in `--allowed-paths` via JSON | Use forward slashes in MCP client config JSON, even on Windows. The server normalises paths internally.                                                                                                 |
+| Page Object validation is static                      | The `provar.pageobject.validate` tool parses Java source statically. It does not compile or resolve imports.                                                                                            |
+| Quality scores are local                              | The MCP quality scores are computed locally using the same formula as the Quality Hub Lambda. They are not submitted to or stored by any Provar service unless you call the Quality Hub API separately. |
+
+---
+
+## Troubleshooting
+
+**"No activated Provar license found on this machine" / `LICENSE_NOT_FOUND`**
+
+The server could not find an activated licence in `~/Provar/.licenses/`. Open Provar Automation IDE, go to **Help → Manage Licence**, and ensure your licence is activated. Then retry starting the MCP server.
+
+If you are evaluating without a local Provar IDE installation, set `PROVAR_DEV_WHITELIST_KEYS` in the MCP server environment to bypass the licence check (see below).
+
+**"[provar-mcp] Warning: license validated from offline cache" (appears on stderr)**
+
+The server started successfully but the MCP licence cache is stale (more than 2 hours since the last validation). This is a warning only — the server is running. The grace window is 48 hours; if the cache exceeds that without a successful re-validation the next startup will fail with `LICENSE_NOT_FOUND`. To reset: restart the MCP server while Provar Automation IDE is open and connected to the internet.
+
+**"SF_NOT_FOUND" error from quality hub / automation tools**
+
+The `sf` CLI binary is not on the `PATH` that the MCP server process sees. On macOS, GUI apps can have a different `PATH` than your terminal. Fix by using the full path in the MCP config:
+
+```json
+{
+  "command": "/usr/local/bin/sf",
+  "args": ["provar", "mcp", "start", "--allowed-paths", "..."]
+}
+```
+
+**"PATH_NOT_ALLOWED" error**
+
+The path you passed to a tool is outside the `--allowed-paths` root you configured. Either update `--allowed-paths` in your client config and restart the server, or use a path within the allowed root.
+
+**Tools not appearing in Claude Desktop**
+
+After editing `claude_desktop_config.json`, you must fully restart Claude Desktop (not just the window). On macOS, use `Cmd+Q` to quit, then reopen.
+
+**Server starts but immediately exits**
+
+Check that the SF CLI plugin is installed: `sf plugins | grep provardx`. If missing, run `sf plugins install @provartesting/provardx-cli`.
+
+---
+
+## Support
+
+For issues with the Provar DX CLI or MCP server, raise a ticket at [github.com/ProvarTesting/provardx-cli/issues](https://github.com/ProvarTesting/provardx-cli/issues).
+
+For issues with Provar Automation or Quality Hub, contact Provar support through your usual channel.
diff --git a/docs/mcp.md b/docs/mcp.md
new file mode 100644
index 00000000..f3707b67
--- /dev/null
+++ b/docs/mcp.md
@@ -0,0 +1,1056 @@
+# Provar MCP Server
+
+The Provar DX CLI ships with a built-in **Model Context Protocol (MCP) server** that exposes Provar tools to AI assistants such as Claude Desktop, Claude Code, and Cursor. The server lets an AI agent inspect your Provar project, generate Page Objects and test cases, and validate every level of the test hierarchy — all from inside your AI chat session.
+
+---
+
+## Table of Contents
+
+- [Starting the server](#starting-the-server)
+- [Client configuration](#client-configuration)
+  - [Claude Desktop](#claude-desktop)
+  - [Claude Code](#claude-code)
+  - [Cursor / other MCP clients](#cursor--other-mcp-clients)
+- [Path security](#path-security)
+- [Available tools](#available-tools)
+  - [provardx.ping](#provardxping)
+  - [provar.project.inspect](#provarprojectinspect)
+  - [provar.pageobject.generate](#provarpageobjectgenerate)
+  - [provar.pageobject.validate](#provarpageobjectvalidate)
+  - [provar.testcase.generate](#provartestcasegenerate)
+  - [provar.testcase.validate](#provartestcasevalidate)
+  - [provar.testsuite.validate](#provartestsuitevalidate)
+  - [provar.testplan.validate](#provartestplanvalidate)
+  - [provar.project.validate](#provarprojectvalidate)
+  - [provar.properties.generate](#provarpropertiesgenerate)
+  - [provar.properties.read](#provarpropertiesread)
+  - [provar.properties.set](#provarpropertiesset)
+  - [provar.properties.validate](#provarpropertiesvalidate)
+  - [provar.ant.generate](#provarantgenerate)
+  - [provar.ant.validate](#provarantvalidate)
+  - [provar.qualityhub.connect](#provarqualityhubconnect)
+  - [provar.qualityhub.display](#provarqualityhubdisplay)
+  - [provar.qualityhub.testrun](#provarqualityhubtestrun)
+  - [provar.qualityhub.testrun.report](#provarqualityhubtestrunreport)
+  - [provar.qualityhub.testrun.abort](#provarqualityhubtestrunabort)
+  - [provar.qualityhub.testcase.retrieve](#provarqualityhubtestcaseretrieve)
+  - [provar.automation.setup](#provarautomationsetup)
+  - [provar.automation.testrun](#provarautomationtestrun)
+  - [provar.automation.compile](#provarautomationcompile)
+  - [provar.automation.config.load](#provarautomationconfigload)
+  - [provar.automation.metadata.download](#provarautomationmetadatadownload)
+  - [provar.qualityhub.defect.create](#provarqualityhubdefectcreate)
+  - [provar.testrun.report.locate](#provartestrunreportlocate)
+  - [provar.testrun.rca](#provartestrunrca)
+  - [provar.testplan.add-instance](#provartestplanadinstance)
+  - [provar.testplan.create-suite](#provartestplancreatetsuite)
+  - [provar.testplan.remove-instance](#provartestplanremoveinstance)
+- [AI loop pattern](#ai-loop-pattern)
+- [Quality scores explained](#quality-scores-explained)
+- [API compatibility — `xml` vs `xml_content`](#api-compatibility--xml-vs-xml_content)
+
+---
+
+## Starting the server
+
+```sh
+sf provar mcp start
+```
+
+The server communicates over **stdio** (standard input / output). It must be started by your MCP client — do not run it interactively in a terminal.
+
+### Flags
+
+| Flag              | Alias | Default                   | Description                                                                                                       |
+| ----------------- | ----- | ------------------------- | ----------------------------------------------------------------------------------------------------------------- |
+| `--allowed-paths` | `-a`  | Current working directory | Base directories that file-system tools are permitted to read and write. Repeat the flag to allow multiple paths. |
+
+```sh
+# Allow access to a specific project directory
+sf provar mcp start --allowed-paths /workspace/my-provar-project
+
+# Allow multiple directories
+sf provar mcp start -a /workspace/project-a -a /workspace/project-b
+```
+
+> **Note:** `--json` is intentionally disabled on this command. stdout is reserved for MCP JSON-RPC messages; all internal logging goes to stderr.
+
+---
+
+## Client configuration
+
+### Claude Desktop
+
+Add a `provar` entry to your Claude Desktop MCP configuration file.
+
+**macOS / Linux:** `~/Library/Application Support/Claude/claude_desktop_config.json`
+**Windows:** `%APPDATA%\Claude\claude_desktop_config.json`
+
+```json
+{
+  "mcpServers": {
+    "provar": {
+      "command": "sf",
+      "args": ["provar", "mcp", "start", "--allowed-paths", "/path/to/your/provar/project"]
+    }
+  }
+}
+```
+
+Restart Claude Desktop after saving the file. The Provar tools will appear in the tool list.
+
+### Claude Code
+
+Add the server to your project's `.claude/mcp.json` (project-scoped) or `~/.claude/mcp.json` (user-scoped):
+
+```json
+{
+  "mcpServers": {
+    "provar": {
+      "command": "sf",
+      "args": ["provar", "mcp", "start", "--allowed-paths", "/path/to/your/provar/project"]
+    }
+  }
+}
+```
+
+Alternatively, run directly from a Claude Code session:
+
+```
+/mcp add provar sf provar mcp start --allowed-paths /path/to/project
+```
+
+### Cursor / other MCP clients
+
+Any MCP client that supports the **stdio transport** can use this server. Point `command` at `sf` (or the full path to the Salesforce CLI binary) and pass `["provar", "mcp", "start"]` as arguments, plus `--allowed-paths` as appropriate for your project layout.
+
+---
+
+## License requirement
+
+The MCP server requires **Provar Automation IDE** to be installed on the same machine with an activated license. At startup the server reads `~/Provar/.licenses/*.properties` and verifies that at least one icense is in the `Activated` state and was last verified online within the past 48 hours.
+
+If the license check fails, the server exits with a clear error message explaining the reason (not found, stale, or expired). Open Provar Automation IDE to refresh the license online, then retry.
+
+---
+
+## Path security
+
+All file-system operations (read, write, generate) are restricted to the paths supplied via `--allowed-paths`. Any attempt to access a path outside those roots is rejected with a `PATH_NOT_ALLOWED` error. Path traversal sequences (`../`) are also blocked.
+
+---
+
+## Available tools
+
+### `provardx.ping`
+
+A lightweight sanity-check tool. Echoes back the message you send. Useful for verifying the server is running and the client is connected.
+
+**Input**
+
+| Parameter | Type   | Required | Description           |
+| --------- | ------ | -------- | --------------------- |
+| `message` | string | no       | Any text to echo back |
+
+**Output** — `{ message: string }`
+
+---
+
+### `provar.project.inspect`
+
+Inspects a Provar project folder and returns a structured inventory of all key project artefacts. Compiled `bin/` directories are automatically excluded.
+
+**Input**
+
+| Parameter      | Type   | Required | Description                              |
+| -------------- | ------ | -------- | ---------------------------------------- |
+| `project_path` | string | yes      | Absolute path to the Provar project root |
+
+**Output** — JSON object containing:
+
+| Field                         | Description                                                                                                                          |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| `provar_home`                 | The Provar installation path, or `null` if not found                                                                                 |
+| `provar_home_source`          | Where the value came from: `"PROVAR_HOME environment variable"`, `"provardx-properties.json (<rel>)"`, or `"ANT build file (<rel>)"` |
+| `provardx_properties_files`   | Relative paths to any `provardx-properties.json` files found (ProvarDX CLI run configs)                                              |
+| `ant_build_files`             | Relative paths to `build.xml` and `.properties` files in any `ANT/` directory (pipeline/CLI build configs)                           |
+| `source_page_object_dirs`     | `src/pageobjects` directories only — compiled `bin/pageobjects` is excluded                                                          |
+| `test_suite_dirs`             | Top-level suite folder names directly under `tests/`                                                                                 |
+| `test_case_files`             | Relative paths to all `.testcase` files found recursively under `tests/` (display-capped at 500; full set used for coverage)         |
+| `custom_test_step_file_count` | Number of `.java` / `.groovy` / `.jar` files in any `src/customapis/` directory                                                      |
+| `data_source_dirs`            | `data/` and `templates/` directories found                                                                                           |
+| `data_source_file_count`      | Number of data files (`.csv`, `.xlsx`, `.xls`, `.json`) across all data source dirs                                                  |
+| `test_plan_coverage`          | Plan coverage object (see below)                                                                                                     |
+| `summary`                     | Counts for every category above, including `coverage_percent`                                                                        |
+
+**`test_plan_coverage` object:**
+
+Provar test plans live in `plans/`. Each plan is a directory containing a `.planitem` definition file and `.testinstance` files (or nested suite sub-directories) that each reference one `.testcase` via the `testCasePath` attribute.
+
+| Field                       | Description                                                                           |
+| --------------------------- | ------------------------------------------------------------------------------------- |
+| `test_plan_count`           | Number of test plans (directories at depth 1 under `plans/` containing a `.planitem`) |
+| `test_suite_count`          | Number of test suites (`.planitem` directories nested inside a plan)                  |
+| `test_instance_count`       | Total number of `.testinstance` files across all plans and suites                     |
+| `covered_test_case_paths`   | Sorted list of `.testcase` paths referenced by at least one `.testinstance`           |
+| `uncovered_test_case_paths` | Sorted list of `.testcase` paths **not** referenced by any plan — gaps in coverage    |
+| `coverage_percent`          | `round(covered / total_test_cases × 100)`                                             |
+
+---
+
+### `provar.pageobject.generate`
+
+Generates a Java Page Object skeleton with the correct `@Page` or `@SalesforcePage` annotation and `@FindBy` field stubs.
+
+**Input**
+
+| Parameter                   | Type                                                   | Required | Description                                              |
+| --------------------------- | ------------------------------------------------------ | -------- | -------------------------------------------------------- |
+| `class_name`                | string                                                 | yes      | PascalCase Java class name (e.g. `AccountDetailPage`)    |
+| `package_name`              | string                                                 | yes      | Java package (e.g. `pageobjects.accounts`)               |
+| `page_type`                 | `standard` \| `salesforce`                             | yes      | Generates `@Page` or `@SalesforcePage` annotation        |
+| `title`                     | string                                                 | no       | Page title for the annotation                            |
+| `connection_name`           | string                                                 | no       | Salesforce connection name (for `@SalesforcePage`)       |
+| `salesforce_page_attribute` | string                                                 | no       | Additional Salesforce page attribute                     |
+| `fields`                    | array of `{ name, type, locator_type, locator_value }` | no       | WebElement field definitions                             |
+| `output_path`               | string                                                 | no       | Full file path to write (must be within `allowed-paths`) |
+| `overwrite`                 | boolean                                                | no       | Overwrite existing file (default: `false`)               |
+| `dry_run`                   | boolean                                                | no       | Return content without writing to disk                   |
+| `idempotency_key`           | string                                                 | no       | Prevents duplicate generation for the same key           |
+
+**Output** — `{ content: string, file_path?: string, written: boolean }`
+
+---
+
+### `provar.pageobject.validate`
+
+Validates a Java Page Object source file against 30+ quality rules (structural correctness, annotation completeness, locator best practices).
+
+**Input**
+
+| Parameter             | Type   | Required | Description                                         |
+| --------------------- | ------ | -------- | --------------------------------------------------- |
+| `content`             | string | yes      | Full Java source code                               |
+| `file_path`           | string | no       | Path to the `.java` file (for context)              |
+| `expected_class_name` | string | no       | Expected class name (triggers PO_006 if mismatched) |
+
+**Output**
+
+| Field           | Type           | Description                                           |
+| --------------- | -------------- | ----------------------------------------------------- |
+| `is_valid`      | boolean        | `true` if zero errors                                 |
+| `quality_score` | number (0–100) | Weighted quality score                                |
+| `error_count`   | integer        | Number of ERROR-severity issues                       |
+| `warning_count` | integer        | Number of WARNING-severity issues                     |
+| `class_name`    | string         | Detected class name                                   |
+| `package_name`  | string         | Detected package name                                 |
+| `field_count`   | integer        | Number of `@FindBy` WebElement fields                 |
+| `issues`        | array          | Full issue list with `rule_id`, `severity`, `message` |
+
+**Key rules checked:** PO_001 (missing package), PO_003 (missing class), PO_004 (non-PascalCase class name), PO_006 (class name mismatch), PO_036 (invalid element type), PO_060 (mismatched braces), PO_071–PO_073 (fragile XPath patterns).
+
+---
+
+### `provar.testcase.generate`
+
+Generates an XML test case skeleton with UUID v4 guids and sequential `testItemId` values.
+
+**Input**
+
+| Parameter         | Type                                    | Required | Description                                         |
+| ----------------- | --------------------------------------- | -------- | --------------------------------------------------- |
+| `test_case_name`  | string                                  | yes      | Human-readable test case name                       |
+| `test_case_id`    | string                                  | no       | Custom test case ID (auto-generated if omitted)     |
+| `steps`           | array of `{ api_id, name, arguments? }` | no       | Step definitions                                    |
+| `output_path`     | string                                  | no       | File path to write (must be within `allowed-paths`) |
+| `overwrite`       | boolean                                 | no       | Overwrite existing file (default: `false`)          |
+| `dry_run`         | boolean                                 | no       | Return XML without writing to disk                  |
+| `idempotency_key` | string                                  | no       | Prevents duplicate generation for the same key      |
+
+**Output** — `{ content: string, file_path?: string, written: boolean }`
+
+---
+
+### `provar.testcase.validate`
+
+Validates an XML test case for schema correctness (validity score) and best practices (quality score). The quality score uses the exact same weighted-deduction formula as the Provar Quality Hub Lambda service, guaranteeing score parity between the MCP and API surfaces.
+
+**Input**
+
+| Parameter   | Type   | Required                                    | Description                                    |
+| ----------- | ------ | ------------------------------------------- | ---------------------------------------------- |
+| `content`   | string | one of `content`/`xml`/`file_path` required | XML content to validate (MCP field name)       |
+| `xml`       | string | one of `content`/`xml`/`file_path` required | XML content to validate (API-compatible alias) |
+| `file_path` | string | one of `content`/`xml`/`file_path` required | Path to the `.testcase` XML file               |
+
+**Output**
+
+| Field                            | Type           | Description                                                               |
+| -------------------------------- | -------------- | ------------------------------------------------------------------------- |
+| `is_valid`                       | boolean        | `true` if zero ERROR-level schema violations                              |
+| `validity_score`                 | number (0–100) | Schema compliance score (100 − errorCount × 20)                           |
+| `quality_score`                  | number (0–100) | Best-practices score (weighted deduction formula)                         |
+| `error_count`                    | integer        | Schema error count                                                        |
+| `warning_count`                  | integer        | Schema warning count                                                      |
+| `step_count`                     | integer        | Number of `<apiCall>` steps                                               |
+| `test_case_id`                   | string         | Value of the `id` attribute                                               |
+| `test_case_name`                 | string         | Value of the `name` attribute                                             |
+| `issues`                         | array          | Schema issues with `rule_id`, `severity`, `message`                       |
+| `best_practices_violations`      | array          | Best-practices violations with `rule_id`, `severity`, `weight`, `message` |
+| `best_practices_rules_evaluated` | integer        | How many best-practices rules were checked                                |
+
+**Key schema rules:** TC_001 (missing XML declaration), TC_002 (malformed XML), TC_003 (wrong root element), TC_010/011/012 (missing/invalid id/guid), TC_031 (invalid apiCall guid), TC_034/035 (non-integer testItemId).
+
+---
+
+### `provar.testsuite.validate`
+
+Validates a Provar test suite — checks for empty suites, duplicate names (within the suite), oversized suites (>75 test cases), and naming convention consistency. Recursively validates child suites and individual test case XML.
+
+**Input**
+
+| Parameter           | Type           | Required | Description                                                                                                  |
+| ------------------- | -------------- | -------- | ------------------------------------------------------------------------------------------------------------ |
+| `suite_name`        | string         | yes      | Name of the test suite                                                                                       |
+| `test_cases`        | array          | no       | Test cases directly in this suite. Each item: `{ name, xml_content \| xml }`                                 |
+| `child_suites`      | array          | no       | Child suites (up to 2 levels of nesting). Each item: `{ name, test_cases?, test_suites?, test_case_count? }` |
+| `test_case_count`   | integer        | no       | Override total count for the size check (useful when not sending full XML)                                   |
+| `quality_threshold` | number (0–100) | no       | Minimum quality score for a test case to be "valid" (default: 80)                                            |
+
+**Output** — `{ name, level: "suite", quality_score, violations[], test_cases[], test_suites[], summary }`
+
+**Violation rule IDs:** SUITE-EMPTY-001, SUITE-DUP-001, SUITE-DUP-002, SUITE-SIZE-001, SUITE-NAMING-001, SUITE-NAMING-002
+
+---
+
+### `provar.testplan.validate`
+
+Validates a Provar test plan — checks for empty plans, duplicate suite names, oversized plans (>20 suites), plan-completeness metadata, and naming consistency. Recursively validates suites and test cases.
+
+**Input**
+
+| Parameter           | Type           | Required | Description                             |
+| ------------------- | -------------- | -------- | --------------------------------------- |
+| `plan_name`         | string         | yes      | Name of the test plan                   |
+| `test_suites`       | array          | no       | Test suites in this plan                |
+| `test_cases`        | array          | no       | Test cases directly in this plan        |
+| `test_suite_count`  | integer        | no       | Override suite count for the size check |
+| `metadata`          | object         | no       | Plan completeness metadata (see below)  |
+| `quality_threshold` | number (0–100) | no       | Minimum quality score (default: 80)     |
+
+**`metadata` fields**
+
+| Field                  | Description                                |
+| ---------------------- | ------------------------------------------ |
+| `objectives`           | Testing objectives                         |
+| `in_scope`             | Features / areas in scope                  |
+| `testing_methodology`  | Approach (e.g. risk-based, regression)     |
+| `acceptance_criteria`  | Criteria for test completion               |
+| `acceptable_pass_rate` | Numeric pass-rate threshold (0–100)        |
+| `environments`         | Target environments (e.g. `["QA", "UAT"]`) |
+| `test_data_strategy`   | How test data is prepared and cleaned up   |
+| `risks`                | Identified risks and mitigations           |
+
+**Output** — `{ name, level: "plan", quality_score, violations[], test_suites[], test_cases[], summary }`
+
+**Violation rule IDs:** PLAN-EMPTY-001, PLAN-DUP-001, PLAN-SIZE-001, PLAN-NAMING-001, PLAN-META-001 through PLAN-META-007
+
+---
+
+### `provar.project.validate`
+
+Validates a Provar project directly from its directory on disk. Reads the plan/suite/testinstance hierarchy from `plans/`, resolves test case XML from `tests/`, extracts project context (connections, environments, secrets password) from the `.testproject` file, and runs the full cross-cutting rule set.
+
+> **Use this tool for whole-project validation.** Pass `project_path` and let the server handle all file reading. Do not read individual test case files and pass XML content inline — this tool does that for you.
+
+**Input**
+
+| Parameter              | Type           | Required | Description                                                                                                          |
+| ---------------------- | -------------- | -------- | -------------------------------------------------------------------------------------------------------------------- |
+| `project_path`         | string         | yes      | Absolute path to the Provar project root (directory containing `.testproject`)                                       |
+| `quality_threshold`    | number (0–100) | no       | Minimum quality score for a test case to be considered valid (default: 80)                                           |
+| `save_results`         | boolean        | no       | Write a QH-compatible JSON report to `{project_path}/provardx/validation/` (default: true)                           |
+| `results_dir`          | string         | no       | Override the output directory for the saved report (must be within `allowed-paths`)                                  |
+| `include_plan_details` | boolean        | no       | Include full per-suite and per-test-case data in the response (default: false — keep false to avoid token explosion) |
+| `max_uncovered`        | integer        | no       | Maximum uncovered test case paths to return (default: 20; set to `0` for none)                                       |
+| `max_violations`       | integer        | no       | When `include_plan_details: true`, caps project violations returned (default: 50)                                    |
+
+**Output** (slim mode, `include_plan_details: false`)
+
+| Field                  | Description                                           |
+| ---------------------- | ----------------------------------------------------- |
+| `quality_score`        | Project quality score (0–100)                         |
+| `coverage_percent`     | Percentage of test cases covered by at least one plan |
+| `violation_summary`    | Map of `rule_id → count` for all violations found     |
+| `plan_scores`          | Array of `{ name, quality_score }` per plan           |
+| `uncovered_test_cases` | Uncovered test case paths (capped at `max_uncovered`) |
+| `save_error`           | Present only if the results file could not be written |
+
+When `include_plan_details: true`, the response additionally includes full `test_plans[]` with nested suite and per-test-case data.
+
+**Violation rule IDs:** PROJ-EMPTY-001, PROJ-DUP-001, PROJ-DUP-002, PROJ-CALLABLE-001, PROJ-CALLABLE-002, PROJ-CONN-001, PROJ-ENV-001, PROJ-ENV-002, PROJ-SECRET-001
+
+**Error codes:** `NOT_A_PROJECT`, `AMBIGUOUS_PROJECT`, `PATH_NOT_FOUND`, `PATH_NOT_ALLOWED`, `PATH_TRAVERSAL`
+
+---
+
+## Quality scores explained
+
+Every validation tool returns one or two scores:
+
+| Score            | Range | Description                                                                                        |
+| ---------------- | ----- | -------------------------------------------------------------------------------------------------- |
+| `validity_score` | 0–100 | Schema compliance. Deducts 20 points per ERROR. Reflects structural correctness.                   |
+| `quality_score`  | 0–100 | Best-practices quality. Uses the same weighted-deduction formula as the Provar Quality Hub Lambda. |
+
+### Scoring formula (best practices)
+
+```
+score = max(0, 100 − Σ( weight × severity_multiplier × effective_count ))
+
+severity_multiplier:
+  critical → 1.00
+  major    → 0.75
+  minor    → 0.50
+  info     → 0.25
+
+effective_count (diminishing returns):
+  count = 1 → 1
+  count > 1 → 1 + log₂(count)
+```
+
+This formula is identical to the Lambda service, ensuring that a test case receives the **same quality score** whether it is validated by the MCP server or by the Quality Hub API.
+
+### Hierarchy scoring
+
+Suite, plan, and project scores are computed as:
+
+```
+quality_score = max(0, avg(child_scores) − Σ(violation_deductions))
+```
+
+where `child_scores` are the quality scores of directly contained test cases and child suites.
+
+---
+
+## API compatibility — `xml` vs `xml_content`
+
+Test case tools accept either field name for XML content:
+
+| Field         | Used by               | Notes                                                         |
+| ------------- | --------------------- | ------------------------------------------------------------- |
+| `xml_content` | Provar MCP (original) | Full XML content of the test case                             |
+| `xml`         | Quality Hub batch API | API-compatible alias; takes precedence when both are supplied |
+
+Both names are accepted in all four validation tools (`provar.testcase.validate`, `provar.testsuite.validate`, `provar.testplan.validate`, `provar.project.validate`). This makes it straightforward to share request payloads between the REST API and the MCP surface without conversion.
+
+---
+
+### `provar.properties.generate`
+
+Generates a `provardx-properties.json` file from the standard template. Placeholder values (`${...}`) are pre-filled where optional overrides are not provided.
+
+**Input**
+
+| Parameter      | Type    | Required | Description                                                           |
+| -------------- | ------- | -------- | --------------------------------------------------------------------- |
+| `output_path`  | string  | yes      | Where to write the file (must end in `.json`, within `allowed-paths`) |
+| `project_path` | string  | no       | Pre-fill the `projectPath` field                                      |
+| `provar_home`  | string  | no       | Pre-fill the `provarHome` field                                       |
+| `results_path` | string  | no       | Pre-fill the `resultsPath` field                                      |
+| `overwrite`    | boolean | no       | Overwrite existing file (default: `false`)                            |
+| `dry_run`      | boolean | no       | Return content without writing to disk (default: `false`)             |
+
+**Output** — `{ file_path, written, dry_run, content }`
+
+**Error codes:** `FILE_EXISTS`, `INVALID_PATH`, `PATH_NOT_ALLOWED`, `PATH_TRAVERSAL`
+
+---
+
+### `provar.properties.read`
+
+Reads and parses a `provardx-properties.json` file. Use this to inspect the current configuration before making changes with `provar.properties.set`.
+
+**Input**
+
+| Parameter   | Type   | Required | Description                                 |
+| ----------- | ------ | -------- | ------------------------------------------- |
+| `file_path` | string | yes      | Path to the `provardx-properties.json` file |
+
+**Output** — `{ file_path, content }` where `content` is the parsed JSON object.
+
+**Error codes:** `FILE_NOT_FOUND`, `MALFORMED_JSON`, `PATH_NOT_ALLOWED`
+
+---
+
+### `provar.properties.set`
+
+Updates one or more fields in a `provardx-properties.json` file. Only the supplied fields are changed. Object fields (`environment`, `metadata`) are deep-merged; array fields (`testCase`, `testPlan`, `connectionOverride`) replace the existing value entirely.
+
+**Input**
+
+| Parameter   | Type   | Required | Description                         |
+| ----------- | ------ | -------- | ----------------------------------- |
+| `file_path` | string | yes      | Path to the file to update          |
+| `updates`   | object | yes      | Fields to update (see schema below) |
+
+**`updates` schema**
+
+| Field                    | Type                                                             | Description                                              |
+| ------------------------ | ---------------------------------------------------------------- | -------------------------------------------------------- |
+| `provarHome`             | string                                                           | Path to Provar installation directory                    |
+| `projectPath`            | string                                                           | Path to the Provar test project root                     |
+| `resultsPath`            | string                                                           | Path where test results will be written                  |
+| `resultsPathDisposition` | `Increment` \| `Replace` \| `Fail`                               | Behaviour when results path already exists               |
+| `testOutputLevel`        | `BASIC` \| `DETAILED` \| `DIAGNOSTIC`                            | Amount of test output logged                             |
+| `pluginOutputlevel`      | `SEVERE` \| `WARNING` \| `INFO` \| `FINE` \| `FINER` \| `FINEST` | Plugin log verbosity                                     |
+| `stopOnError`            | boolean                                                          | Abort test run on first failure                          |
+| `excludeCallable`        | boolean                                                          | Omit callable test cases from execution                  |
+| `testprojectSecrets`     | string                                                           | Encryption password for test project secrets             |
+| `environment`            | object                                                           | `{ testEnvironment, webBrowser, webBrowserConfig, ... }` |
+| `metadata`               | object                                                           | `{ metadataLevel, cachePath }`                           |
+| `testCase`               | string[]                                                         | Specific test case file paths to run                     |
+| `testPlan`               | string[]                                                         | Test plan names to run (wildcards permitted)             |
+| `connectionOverride`     | `{ connection, username }[]`                                     | Override Provar connections with SFDX usernames          |
+
+**Output** — `{ file_path, updated_fields, content }`
+
+**Error codes:** `FILE_NOT_FOUND`, `MALFORMED_JSON`, `PATH_NOT_ALLOWED`
+
+---
+
+### `provar.properties.validate`
+
+Validates a `provardx-properties.json` file against the ProvarDX schema. Checks required fields, valid enum values, and warns about unfilled `${PLACEHOLDER}` values. Accepts either a file path or inline JSON content.
+
+**Input**
+
+| Parameter   | Type   | Required                     | Description                    |
+| ----------- | ------ | ---------------------------- | ------------------------------ |
+| `file_path` | string | one of `file_path`/`content` | Path to the file to validate   |
+| `content`   | string | one of `file_path`/`content` | Inline JSON string to validate |
+
+**Output**
+
+| Field           | Description                                     |
+| --------------- | ----------------------------------------------- |
+| `is_valid`      | `true` if no errors                             |
+| `error_count`   | Number of validation errors                     |
+| `warning_count` | Number of warnings (e.g. unfilled placeholders) |
+| `issues`        | Array of `{ field, severity, message }`         |
+
+**Error codes:** `MISSING_INPUT`, `FILE_NOT_FOUND`, `MALFORMED_JSON`, `PATH_NOT_ALLOWED`
+
+---
+
+### `provar.ant.generate`
+
+Generates a Provar ANT `build.xml` file from structured inputs. Produces the standard `<project>` skeleton with `<taskdef>` declarations, `<Provar-Compile>`, and `<Run-Test-Case>`. Supports targeting tests by folder, test plan, or individual `.testcase` files.
+
+**Input**
+
+| Parameter                           | Type                                                                                      | Required | Default                                | Description                                                           |
+| ----------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------------------------------- | --------------------------------------------------------------------- |
+| `provar_home`                       | string                                                                                    | yes      | —                                      | Absolute path to the Provar installation directory                    |
+| `project_path`                      | string                                                                                    | no       | `..`                                   | Path to the test project root (relative to the ANT folder)            |
+| `results_path`                      | string                                                                                    | no       | `../ANT/Results`                       | Where test results are written                                        |
+| `project_cache_path`                | string                                                                                    | no       | `../../.provarCaches`                  | Path to the `.provarCaches` directory                                 |
+| `license_path`                      | string                                                                                    | no       | —                                      | Path to the Provar `.licenses` directory                              |
+| `smtp_path`                         | string                                                                                    | no       | —                                      | Path to the Provar `.smtp` directory                                  |
+| `filesets`                          | array                                                                                     | yes      | —                                      | One or more `{ dir, id?, includes? }` objects — see below             |
+| `web_browser`                       | `Chrome` \| `Chrome_Headless` \| `Firefox` \| `Edge` \| `Edge_Legacy` \| `Safari` \| `IE` | no       | `Chrome`                               | Browser for test execution                                            |
+| `web_browser_configuration`         | string                                                                                    | no       | `Full Screen`                          | Browser window configuration                                          |
+| `web_browser_provider_name`         | string                                                                                    | no       | `Desktop`                              | Browser provider name                                                 |
+| `web_browser_device_name`           | string                                                                                    | no       | `Full Screen`                          | Browser device name                                                   |
+| `test_environment`                  | string                                                                                    | no       | `""`                                   | Named test environment (empty = default)                              |
+| `salesforce_metadata_cache`         | `Reuse` \| `Refresh` \| `Reload`                                                          | no       | `Reuse`                                | Metadata cache strategy                                               |
+| `results_path_disposition`          | `Increment` \| `Replace` \| `Reuse`                                                       | no       | `Increment`                            | How to handle an existing results folder                              |
+| `test_output_level`                 | `BASIC` \| `WARNING` \| `DEBUG`                                                           | no       | `BASIC`                                | Test output verbosity                                                 |
+| `plugin_output_level`               | `BASIC` \| `WARNING` \| `DEBUG`                                                           | no       | `WARNING`                              | Plugin output verbosity                                               |
+| `stop_test_run_on_error`            | boolean                                                                                   | no       | `false`                                | Abort run on first failure                                            |
+| `exclude_callable_test_cases`       | boolean                                                                                   | no       | `true`                                 | Skip callable (library) test cases                                    |
+| `dont_fail_build`                   | boolean                                                                                   | no       | —                                      | Prevent ANT build failure even when tests fail                        |
+| `invoke_test_run_monitor`           | boolean                                                                                   | no       | `true`                                 | Enable the Provar test run monitor                                    |
+| `secrets_password`                  | string                                                                                    | no       | `${env.ProvarSecretsPassword}`         | Secrets store password                                                |
+| `test_environment_secrets_password` | string                                                                                    | no       | `${env.ProvarSecretsPassword_EnvName}` | Per-environment secrets password                                      |
+| `test_cycle_path`                   | string                                                                                    | no       | —                                      | Path to a TestCycle folder                                            |
+| `test_cycle_run_type`               | `ALL` \| `FAILED` \| `NEW`                                                                | no       | —                                      | Which tests in the cycle to run                                       |
+| `plan_features`                     | array of `{ name, type, enabled }`                                                        | no       | —                                      | Output/notification features (PDF, PIECHART, EMAIL, JUNIT)            |
+| `email_properties`                  | object                                                                                    | no       | —                                      | Email notification settings (omit to exclude `<emailProperties>`)     |
+| `attachment_properties`             | object                                                                                    | no       | —                                      | Report attachment settings (omit to exclude `<attachmentProperties>`) |
+| `output_path`                       | string                                                                                    | no       | —                                      | Where to write the `build.xml` file                                   |
+| `overwrite`                         | boolean                                                                                   | no       | `false`                                | Overwrite if `output_path` already exists                             |
+| `dry_run`                           | boolean                                                                                   | no       | `true`                                 | `true` = return XML only; `false` = write to `output_path`            |
+
+**Fileset objects**
+
+Each fileset maps to a `<fileset>` element inside `<Run-Test-Case>`:
+
+| Field      | Description                                                                                          |
+| ---------- | ---------------------------------------------------------------------------------------------------- |
+| `dir`      | Directory path (relative or absolute)                                                                |
+| `id`       | Optional fileset id — use `"testplan"` when pointing at a plans folder, `"testcases"` for test cases |
+| `includes` | Optional list of specific `.testcase` or `.testplan` file names — omit to run everything in `dir`    |
+
+Examples:
+
+- Run all tests in a folder: `{ dir: "../tests" }`
+- Run a specific test plan: `{ id: "testplan", dir: "../plans/Smoke" }`
+- Run specific test cases: `{ dir: "../tests/Accounts", includes: ["CreateAccount.testcase"] }`
+
+**Output** — `{ xml_content, file_path?, written, dry_run }`
+
+**Error codes:** `FILE_EXISTS`, `PATH_NOT_ALLOWED`, `PATH_TRAVERSAL`, `GENERATE_ERROR`
+
+---
+
+### `provar.ant.validate`
+
+Validates a Provar ANT `build.xml` for structural correctness. Accepts either a file path or inline XML content.
+
+**Input**
+
+| Parameter   | Type   | Required                     | Description                    |
+| ----------- | ------ | ---------------------------- | ------------------------------ |
+| `content`   | string | one of `content`/`file_path` | Inline XML content to validate |
+| `file_path` | string | one of `content`/`file_path` | Path to the `build.xml` file   |
+
+**Output**
+
+| Field              | Type           | Description                                                                       |
+| ------------------ | -------------- | --------------------------------------------------------------------------------- |
+| `is_valid`         | boolean        | `true` if zero ERROR-level issues                                                 |
+| `validity_score`   | number (0–100) | Schema compliance score (100 − errorCount × 20)                                   |
+| `provar_home`      | string \| null | Value of `provarHome` attribute detected in `<Run-Test-Case>`                     |
+| `project_path`     | string \| null | Value of `projectPath` attribute                                                  |
+| `results_path`     | string \| null | Value of `resultsPath` attribute                                                  |
+| `web_browser`      | string \| null | Value of `webBrowser` attribute                                                   |
+| `test_environment` | string \| null | Value of `testEnvironment` attribute                                              |
+| `fileset_count`    | integer        | Number of `<fileset>` children of `<Run-Test-Case>`                               |
+| `error_count`      | integer        | Number of ERROR-severity issues                                                   |
+| `warning_count`    | integer        | Number of WARNING-severity issues                                                 |
+| `issues`           | array          | Full issue list with `rule_id`, `severity`, `message`, `applies_to`, `suggestion` |
+
+**Validation rules checked:**
+
+| Rule ID   | Severity | Description                                               |
+| --------- | -------- | --------------------------------------------------------- |
+| `ANT_001` | WARNING  | Missing XML declaration                                   |
+| `ANT_002` | ERROR    | Malformed XML                                             |
+| `ANT_003` | ERROR    | Root element is not `<project>`                           |
+| `ANT_004` | ERROR    | `<project>` missing `default` attribute                   |
+| `ANT_005` | ERROR    | Missing `<taskdef>` for `CompileTask` or `RunnerTask`     |
+| `ANT_006` | ERROR    | Default target name not found in `<project>`              |
+| `ANT_007` | ERROR    | No `<target>` elements present                            |
+| `ANT_010` | WARNING  | No `<Provar-Compile>` step in the default target          |
+| `ANT_020` | ERROR    | No `<Run-Test-Case>` element in the default target        |
+| `ANT_021` | ERROR    | `<Run-Test-Case>` missing `provarHome` attribute          |
+| `ANT_022` | ERROR    | `<Run-Test-Case>` missing `projectPath` attribute         |
+| `ANT_023` | ERROR    | `<Run-Test-Case>` missing `resultsPath` attribute         |
+| `ANT_030` | WARNING  | `webBrowser` value not in the recognised set              |
+| `ANT_031` | WARNING  | `salesforceMetadataCache` value not in the recognised set |
+| `ANT_032` | WARNING  | `testOutputlevel` value not in the recognised set         |
+| `ANT_033` | WARNING  | `resultsPathDisposition` value not in the recognised set  |
+| `ANT_040` | ERROR    | `<Run-Test-Case>` has no `<fileset>` children             |
+| `ANT_041` | ERROR    | A `<fileset>` is missing the required `dir` attribute     |
+
+**Error codes:** `MISSING_INPUT`, `FILE_NOT_FOUND`, `PATH_NOT_ALLOWED`, `VALIDATE_ERROR`
+
+---
+
+### `provar.qualityhub.connect`
+
+Connects to a Provar Quality Hub org. Invokes `sf provar quality-hub connect` via the Salesforce CLI.
+
+> **Prerequisite:** The org must already be authorised in the SF CLI (`sf org login web` or `sf org login jwt`).
+
+**Input**
+
+| Parameter    | Type     | Required | Description                         |
+| ------------ | -------- | -------- | ----------------------------------- |
+| `target_org` | string   | yes      | SF CLI org alias or username        |
+| `flags`      | string[] | no       | Additional raw CLI flags to forward |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+**Error codes:** `QH_CONNECT_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.qualityhub.display`
+
+Displays information about the currently connected Quality Hub org. Invokes `sf provar quality-hub display`.
+
+**Input**
+
+| Parameter    | Type     | Required | Description                                |
+| ------------ | -------- | -------- | ------------------------------------------ |
+| `target_org` | string   | no       | SF CLI org alias (uses default if omitted) |
+| `flags`      | string[] | no       | Additional raw CLI flags                   |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+---
+
+### `provar.qualityhub.testrun`
+
+Triggers a Quality Hub test run. Invokes `sf provar quality-hub test run`. Returns the test run ID which can be passed to `provar.qualityhub.testrun.report` to poll for results.
+
+**Input**
+
+| Parameter    | Type     | Required | Description                                                                   |
+| ------------ | -------- | -------- | ----------------------------------------------------------------------------- |
+| `target_org` | string   | yes      | SF CLI org alias or username                                                  |
+| `flags`      | string[] | no       | Additional raw CLI flags (e.g. `["--configuration-file", "config/run.json"]`) |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+**Error codes:** `QH_TESTRUN_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.qualityhub.testrun.report`
+
+Polls the status of an in-progress or completed Quality Hub test run. Invokes `sf provar quality-hub test run report`.
+
+**Input**
+
+| Parameter    | Type     | Required | Description                                                   |
+| ------------ | -------- | -------- | ------------------------------------------------------------- |
+| `target_org` | string   | yes      | SF CLI org alias or username                                  |
+| `run_id`     | string   | yes      | Test run ID returned by `provar.qualityhub.testrun`           |
+| `flags`      | string[] | no       | Additional raw CLI flags (e.g. `["--result-format", "json"]`) |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+**Error codes:** `QH_REPORT_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.qualityhub.testrun.abort`
+
+Aborts an in-progress Quality Hub test run. Invokes `sf provar quality-hub test run abort`.
+
+**Input**
+
+| Parameter    | Type     | Required | Description                  |
+| ------------ | -------- | -------- | ---------------------------- |
+| `target_org` | string   | yes      | SF CLI org alias or username |
+| `run_id`     | string   | yes      | Test run ID to abort         |
+| `flags`      | string[] | no       | Additional raw CLI flags     |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+**Error codes:** `QH_ABORT_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.qualityhub.testcase.retrieve`
+
+Retrieves test cases from Quality Hub by user story or metadata component. Invokes `sf provar quality-hub testcase retrieve`.
+
+**Input**
+
+| Parameter    | Type     | Required | Description                                                                          |
+| ------------ | -------- | -------- | ------------------------------------------------------------------------------------ |
+| `target_org` | string   | yes      | SF CLI org alias or username                                                         |
+| `flags`      | string[] | no       | Additional raw CLI flags (e.g. `["--issues", "US-123", "--test-project", "MyProj"]`) |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+**Error codes:** `QH_RETRIEVE_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.automation.setup`
+
+Detects existing Provar Automation installations on the machine. If found, returns the install path so you can set `provarHome` in your properties file — without downloading anything. If no installation is found, invokes `sf provar automation setup` to download and install the binaries.
+
+Checks in this order:
+
+1. `PROVAR_HOME` environment variable
+2. `./ProvarHome` (default CLI install location)
+3. `C:\Program Files\Provar*` (Windows system installs)
+4. `/Applications/Provar*` (macOS app installs)
+
+**Input**
+
+| Parameter | Type    | Required | Description                                                                   |
+| --------- | ------- | -------- | ----------------------------------------------------------------------------- |
+| `version` | string  | no       | Specific version to install (e.g. `"2.12.0"`). Omit for latest.               |
+| `force`   | boolean | no       | Force a fresh download even if an installation is detected (default: `false`) |
+
+**Output**
+
+| Field               | Type           | Description                                                      |
+| ------------------- | -------------- | ---------------------------------------------------------------- |
+| `already_installed` | boolean        | `true` if an existing install was found and download was skipped |
+| `installations`     | array          | All detected installs: `{ path, version, source }`               |
+| `install_path`      | string         | Path to use for `provarHome`                                     |
+| `version`           | string \| null | Detected or installed version                                    |
+| `message`           | string         | Human-readable summary                                           |
+
+After a successful setup, update `provarHome` in your `provardx-properties.json` using `provar.properties.set`.
+
+**Error codes:** `AUTOMATION_SETUP_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.automation.testrun`
+
+Triggers a Provar Automation test run using the currently loaded properties file. Invokes `sf provar automation test run`. This is the **LOCAL Execute** step of the AI loop — for grid-managed runs use `provar.qualityhub.testrun`.
+
+**Input**
+
+| Parameter | Type     | Required | Description                                                              |
+| --------- | -------- | -------- | ------------------------------------------------------------------------ |
+| `flags`   | string[] | no       | Raw CLI flags to forward (e.g. `["--project-path", "/path/to/project"]`) |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+**Error codes:** `AUTOMATION_TESTRUN_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.automation.compile`
+
+Compiles PageObject and PageControl Java source files. Invokes `sf provar automation project compile`. Run this after generating or modifying Page Objects, before triggering a test run.
+
+**Input**
+
+| Parameter | Type     | Required | Description              |
+| --------- | -------- | -------- | ------------------------ |
+| `flags`   | string[] | no       | Raw CLI flags to forward |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+**Error codes:** `AUTOMATION_COMPILE_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.automation.metadata.download`
+
+Downloads Salesforce metadata into the Provar project cache. Invokes `sf provar automation metadata download`. Run this when you need up-to-date org metadata for Page Object generation or test execution.
+
+**Input**
+
+| Parameter | Type     | Required | Description                                                                   |
+| --------- | -------- | -------- | ----------------------------------------------------------------------------- |
+| `flags`   | string[] | no       | Raw CLI flags to forward (e.g. `["--connections", "MySalesforceConnection"]`) |
+
+**Output** — `{ requestId, exitCode, stdout, stderr }`
+
+**Error codes:** `AUTOMATION_METADATA_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.qualityhub.defect.create`
+
+Creates `Defect__c` records in Quality Hub for every failed test execution in a given test run. For each failure, creates a `Defect__c` (with description, step, browser, environment, and tester populated), then links it via `Test_Case_Defect__c` and `Test_Execution_Defect__c` junction records. If Jira or ADO sync is configured in the Quality Hub org, defects automatically sync to those systems.
+
+**Input**
+
+| Parameter      | Type     | Required | Description                                                                                             |
+| -------------- | -------- | -------- | ------------------------------------------------------------------------------------------------------- |
+| `run_id`       | string   | yes      | Test run `Tracking_Id__c` returned by `provar.qualityhub.testrun`                                       |
+| `target_org`   | string   | yes      | SF CLI org alias or username for the Quality Hub org                                                    |
+| `failed_tests` | string[] | no       | Optional filter — list of `Test_Case__c` ID substrings to restrict defect creation to specific failures |
+
+**Output**
+
+| Field     | Type    | Description                                                                                    |
+| --------- | ------- | ---------------------------------------------------------------------------------------------- |
+| `created` | array   | Created records: `{ defectId, tcDefectId, execDefectId, executionId, testCaseId }` per failure |
+| `skipped` | integer | Number of failures skipped (already had defects, or filtered out)                              |
+| `message` | string  | Human-readable summary including Jira/ADO sync note                                            |
+
+**Error codes:** `DEFECT_CREATE_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.automation.config.load`
+
+Register a `provardx-properties.json` file as the active Provar configuration. **Required before `provar.automation.compile` or `provar.automation.testrun`** — without this step those commands fail with `MISSING_FILE`.
+
+Invokes `sf provar automation config load --properties-file <path>`, writing the path to `~/.sf/config.json` under `PROVARDX_PROPERTIES_FILE_PATH`.
+
+| Input             | Type   | Required | Description                                                 |
+| ----------------- | ------ | -------- | ----------------------------------------------------------- |
+| `properties_path` | string | yes      | Absolute path to the `provardx-properties.json` to register |
+| `sf_path`         | string | no       | Path to `sf` executable when not in `PATH`                  |
+
+| Output field      | Description                     |
+| ----------------- | ------------------------------- |
+| `exitCode`        | Exit code from the sf CLI       |
+| `properties_path` | Echoes back the registered path |
+
+**Error codes:** `AUTOMATION_CONFIG_LOAD_FAILED`, `SF_NOT_FOUND`
+
+---
+
+### `provar.testrun.report.locate`
+
+Resolve artifact paths for a completed test run without parsing them. Returns the absolute paths to `JUnit.xml`, `Index.html`, per-test HTML reports, and validation JSONs.
+
+Uses a 4-step resolution algorithm (explicit path → `~/.sf/config.json` → `provardx-properties.json` scan → ANT `build.xml` parse).
+
+| Input          | Type    | Required | Description                                     |
+| -------------- | ------- | -------- | ----------------------------------------------- |
+| `project_path` | string  | yes      | Absolute path to the Provar project root        |
+| `results_path` | string  | no       | Explicit results directory override             |
+| `run_index`    | integer | no       | Specific Increment run number (default: latest) |
+
+| Output field         | Description                                                               |
+| -------------------- | ------------------------------------------------------------------------- |
+| `results_dir`        | Absolute path to the resolved results directory                           |
+| `junit_xml`          | Absolute path to `JUnit.xml` if present, else `null`                      |
+| `index_html`         | Absolute path to `Index.html` if present, else `null`                     |
+| `per_test_reports`   | Array of `{ test_name, html_path }` for each `*.testcase.html` found      |
+| `validation_reports` | Paths to JSON files in `{project_path}/provardx/validation/`              |
+| `run_index`          | Resolved run index (integer) or `null` if not Increment                   |
+| `disposition`        | `"Increment"`, `"Replace"`, or `"unknown"`                                |
+| `resolution_source`  | `"explicit"` \| `"sf_config"` \| `"properties_file"` \| `"ant_build_xml"` |
+
+**Error codes:** `RESULTS_NOT_CONFIGURED`
+
+---
+
+### `provar.testrun.rca`
+
+Analyse a completed test run and return a structured Root Cause Analysis report. Reads `JUnit.xml`, classifies each failure into a root cause category, extracts page object and operation names, and flags pre-existing failures across prior Increment runs.
+
+| Input          | Type    | Required | Description                                               |
+| -------------- | ------- | -------- | --------------------------------------------------------- |
+| `project_path` | string  | yes      | Absolute path to the Provar project root                  |
+| `results_path` | string  | no       | Explicit results directory override                       |
+| `run_index`    | integer | no       | Specific Increment run to analyse (default: latest)       |
+| `locate_only`  | boolean | no       | Skip parsing; return artifact paths only (default: false) |
+
+| Output field            | Description                                                                     |
+| ----------------------- | ------------------------------------------------------------------------------- |
+| `results_dir`           | Resolved results directory                                                      |
+| `run_in_progress`       | `true` when `JUnit.xml` is absent (run still executing)                         |
+| `rca_skipped`           | `true` when `locate_only: true`                                                 |
+| `run_summary`           | `{ total, passed, failures, errors, skipped, duration_seconds }`                |
+| `failures`              | Array of `FailureReport` (see below)                                            |
+| `infrastructure_issues` | Recommendations for infra-category failures (credential, driver, license, etc.) |
+| `recommendations`       | Deduplicated list of all recommended actions                                    |
+
+**`FailureReport` fields:**
+
+| Field                 | Description                                              |
+| --------------------- | -------------------------------------------------------- |
+| `test_case`           | Test case filename from JUnit `<testcase name>`          |
+| `error_class`         | Extracted exception class name                           |
+| `error_message`       | First 500 chars of failure/error text                    |
+| `root_cause_category` | One of 12 categories (see table below)                   |
+| `root_cause_summary`  | Human-readable cause description                         |
+| `recommendation`      | Suggested fix action                                     |
+| `page_object`         | Extracted from `Page Object: ...` pattern, or `null`     |
+| `operation`           | Extracted from `operation: ...` pattern, or `null`       |
+| `report_html`         | Path to per-test HTML report if found, else `null`       |
+| `screenshot_dir`      | Path to `Artifacts/` directory if it exists, else `null` |
+| `pre_existing`        | `true` if the same test failed in a prior Increment run  |
+
+**Root cause categories:** `DRIVER_VERSION_MISMATCH`, `LOCATOR_STALE`, `TIMEOUT`, `ASSERTION_FAILED`, `CREDENTIAL_FAILURE`, `MISSING_CALLABLE`, `METADATA_CACHE`, `PAGE_OBJECT_COMPILE`, `CONNECTION_REFUSED`, `DATA_SETUP`, `LICENSE_INVALID`, `UNKNOWN`
+
+**Error codes:** `RESULTS_NOT_CONFIGURED`
+
+---
+
+### `provar.testplan.add-instance`
+
+Wire a test case into a plan suite by writing a `.testinstance` file. Handles UUID generation, `testCaseId` extraction from the testcase file's `registryId`/`id`/`guid` attribute, and path normalisation (always forward slashes).
+
+| Input            | Type    | Required | Description                                                         |
+| ---------------- | ------- | -------- | ------------------------------------------------------------------- |
+| `project_path`   | string  | yes      | Absolute path to the Provar project root                            |
+| `test_case_path` | string  | yes      | Relative path from project root, e.g. `tests/Suite/MyTest.testcase` |
+| `plan_name`      | string  | yes      | Name of the plan directory under `plans/`                           |
+| `suite_path`     | string  | no       | Path within the plan, e.g. `MySuite` or `MySuite/SubSuite`          |
+| `dry_run`        | boolean | no       | Return content without writing (default: false)                     |
+
+| Output field     | Description                                                           |
+| ---------------- | --------------------------------------------------------------------- |
+| `instance_path`  | Absolute path to the written `.testinstance` file                     |
+| `guid`           | Generated UUID for the new instance                                   |
+| `test_case_id`   | `testCaseId` extracted from the testcase file, or `null` if not found |
+| `test_case_path` | Normalised (forward-slash) relative path stored in the XML            |
+| `written`        | `false` when `dry_run: true`                                          |
+
+**Error codes:** `NOT_A_PROJECT`, `TESTCASE_NOT_FOUND`, `INVALID_TESTCASE`, `SUITE_NOT_FOUND`, `INSTANCE_EXISTS`, `PATH_NOT_ALLOWED`
+
+---
+
+### `provar.testplan.create-suite`
+
+Create a new test suite directory with a `.planitem` file inside an existing plan. The plan directory and its `.planitem` must already exist.
+
+| Input               | Type    | Required | Description                                           |
+| ------------------- | ------- | -------- | ----------------------------------------------------- |
+| `project_path`      | string  | yes      | Absolute path to the Provar project root              |
+| `plan_name`         | string  | yes      | Name of the existing plan directory under `plans/`    |
+| `suite_name`        | string  | yes      | Name of the new suite directory to create             |
+| `parent_suite_path` | string  | no       | Path to a parent suite if nesting, e.g. `ParentSuite` |
+| `dry_run`           | boolean | no       | Return content without writing (default: false)       |
+
+| Output field    | Description                                   |
+| --------------- | --------------------------------------------- |
+| `suite_dir`     | Absolute path to the created suite directory  |
+| `planitem_path` | Absolute path to the written `.planitem` file |
+| `guid`          | Generated UUID for the suite                  |
+| `created`       | `false` when `dry_run: true`                  |
+
+**Error codes:** `NOT_A_PROJECT`, `PLAN_NOT_FOUND`, `SUITE_EXISTS`, `PATH_NOT_ALLOWED`
+
+---
+
+### `provar.testplan.remove-instance`
+
+Remove a `.testinstance` file from a plan suite. Path is validated to stay within the project root.
+
+| Input           | Type    | Required | Description                                                 |
+| --------------- | ------- | -------- | ----------------------------------------------------------- |
+| `project_path`  | string  | yes      | Absolute path to the Provar project root                    |
+| `instance_path` | string  | yes      | Relative path from project root to the `.testinstance` file |
+| `dry_run`       | boolean | no       | Validate and report without deleting (default: false)       |
+
+| Output field   | Description                       |
+| -------------- | --------------------------------- |
+| `removed_path` | Absolute path of the removed file |
+| `removed`      | `false` when `dry_run: true`      |
+
+**Error codes:** `NOT_A_PROJECT`, `INVALID_INSTANCE`, `INSTANCE_NOT_FOUND`, `PATH_TRAVERSAL`, `PATH_NOT_ALLOWED`
+
+---
+
+## AI loop pattern
+
+The automation tools are designed to support an **AI-driven fix loop**: an agent can iteratively improve test quality without leaving the chat session.
+
+```
+provar.project.inspect             → understand what's in the project, find uncovered tests
+provar.testcase.validate           → find quality issues in a test case
+provar.testcase.generate           → regenerate or fix the test case XML
+provar.testplan.add-instance       → wire a new/fixed test case into a plan suite
+provar.testplan.create-suite       → create a suite to organise new tests
+provar.ant.generate                → generate (or regenerate) the ANT build.xml for CI
+provar.ant.validate                → validate an existing build.xml before committing
+provar.automation.config.load      → register the properties file (required before compile/testrun)
+provar.automation.compile          → compile Page Objects after changes
+provar.automation.testrun          → execute tests locally against the real org
+provar.testrun.rca                 → diagnose failures: classify root cause, extract page objects
+provar.project.validate            → re-score the full project
+```
+
+Combined with Quality Hub (grid-managed runs):
+
+```
+provar.qualityhub.connect           → authenticate
+provar.qualityhub.testrun           → start a Quality Hub-managed grid run
+provar.qualityhub.testrun.report    → poll until complete
+provar.qualityhub.testcase.retrieve → pull test cases scoped to a user story
+provar.qualityhub.defect.create     → file defects for failures automatically
+```
+
+> **Note:** `provar.automation.*` and `provar.qualityhub.*` tools invoke `sf` CLI subprocesses. The Salesforce CLI must be installed and in `PATH`, or pass `sf_path` pointing to the executable directly (e.g. `~/.nvm/versions/node/v22.0.0/bin/sf`). A missing `sf` binary returns the error code `SF_NOT_FOUND` with an installation hint.
diff --git a/messages/sf.provar.automation.project.validate.md b/messages/sf.provar.automation.project.validate.md
new file mode 100644
index 00000000..2a868d38
--- /dev/null
+++ b/messages/sf.provar.automation.project.validate.md
@@ -0,0 +1,52 @@
+# summary
+
+Validate a Provar project from its directory on disk and report quality scores.
+
+# description
+
+Reads the plan/suite/testinstance hierarchy from the plans/ directory, resolves test
+case XML from the tests/ directory, and runs the full validation rule set. Reports a
+quality score, violation summary, and per-plan/suite breakdown. Saves a QH-compatible
+JSON report to {project_path}/provardx/validation/ by default.
+
+# flags.project-path.summary
+
+Path to the Provar project root (directory containing the .testproject file). Defaults to current directory.
+
+# flags.quality-threshold.summary
+
+Minimum quality score (0-100) for a test case to pass validation (default: 80).
+
+# flags.save-results.summary
+
+Write a QH-compatible JSON report to provardx/validation/. Use --no-save-results to skip (default: true).
+
+# flags.results-dir.summary
+
+Override the output directory for the saved validation report.
+
+# examples
+
+- Validate the Provar project in the current directory:
+
+  <%= config.bin %> <%= command.id %>
+
+- Validate a project at a specific path and output JSON:
+
+  <%= config.bin %> <%= command.id %> --project-path /path/to/MyProject --json
+
+- Validate with a custom quality threshold, saving results to a specific directory:
+
+  <%= config.bin %> <%= command.id %> -p /path/to/MyProject -q 90 -d /reports/validation
+
+- Validate without saving results:
+
+  <%= config.bin %> <%= command.id %> --no-save-results
+
+# success_message
+
+Project "%s" validated — quality score: %s/100 (%s)
+
+# saved_to_message
+
+Results saved to: %s
diff --git a/messages/sf.provar.mcp.start.md b/messages/sf.provar.mcp.start.md
new file mode 100644
index 00000000..eb8f0b32
--- /dev/null
+++ b/messages/sf.provar.mcp.start.md
@@ -0,0 +1,74 @@
+# summary
+Start a local MCP server for Provar tools over stdio transport.
+
+# description
+Launches a stateless MCP (Model Context Protocol) server that exposes Provar tools to
+AI assistants (Claude Desktop, Claude Code, Cursor) via stdio transport. All MCP
+JSON-RPC communication happens over stdout; all internal logging goes to stderr.
+
+Available tools:
+
+  Project & inspection:
+  - provar.project.inspect            — inspect project folder inventory
+  - provar.project.validate           — validate full project from disk: coverage, quality scores
+
+  Page Object:
+  - provar.pageobject.generate        — generate a Java Page Object skeleton
+  - provar.pageobject.validate        — validate Page Object quality and naming
+
+  Test Case:
+  - provar.testcase.generate          — generate an XML test case skeleton
+  - provar.testcase.validate          — validate test case XML (validity + best-practices scores)
+
+  Test Suite / Plan:
+  - provar.testsuite.validate         — validate test suite hierarchy
+  - provar.testplan.validate          — validate test plan metadata completeness
+  - provar.testplan.create-suite      — create a test suite under a plan
+  - provar.testplan.add-instance      — add a test instance to a plan
+  - provar.testplan.remove-instance   — remove a test instance from a plan
+
+  Properties files:
+  - provar.properties.read            — read a Provar properties file
+  - provar.properties.set             — set a key in a Provar properties file
+  - provar.properties.validate        — validate a properties file structure
+  - provar.properties.generate        — generate a properties file skeleton
+
+  Quality Hub (sf provar quality-hub wrappers):
+  - provar.qualityhub.connect         — connect to a Quality Hub org
+  - provar.qualityhub.display         — display connected org info
+  - provar.qualityhub.testrun         — trigger a Quality Hub test run
+  - provar.qualityhub.testrun.report  — poll test run status
+  - provar.qualityhub.testrun.abort   — abort a running test run
+  - provar.qualityhub.testcase.retrieve — retrieve test case results
+  - provar.qualityhub.defect.create   — create defects for failed test executions
+
+  Automation (sf provar automation wrappers):
+  - provar.automation.setup           — set up the Provar Automation runtime
+  - provar.automation.metadata.download — download Salesforce metadata
+  - provar.automation.compile         — compile Provar test assets
+  - provar.automation.testrun         — run Provar tests
+  - provar.automation.config.load     — load a Provar configuration
+
+  ANT build:
+  - provar.ant.generate               — generate an ANT build.xml
+  - provar.ant.validate               — validate an ANT build.xml
+
+  Test result analysis:
+  - provar.testrun.rca                — root cause analysis on a test result
+  - provar.testrun.report.locate      — locate a test result report
+
+For full tool documentation see docs/mcp.md in this repository.
+
+# flags.allowed-paths.summary
+Allowed base directory paths for file operations. Defaults to current directory.
+
+# flags.auto-defects.summary
+When enabled, testrun.report suggestions will prompt defect creation on failures.
+
+# examples
+- Start MCP server (accepts stdio connections from Claude Desktop / Cursor):
+  <%= config.bin %> <%= command.id %>
+- Start with explicit allowed paths:
+  <%= config.bin %> <%= command.id %> --allowed-paths /workspace/provar
+- Allow multiple project directories:
+  <%= config.bin %> <%= command.id %> -a /workspace/project-a -a /workspace/project-b
diff --git a/package.json b/package.json
index 577f8f4d..2b011e24 100644
--- a/package.json
+++ b/package.json
@@ -1,39 +1,35 @@
 {
   "name": "@provartesting/provardx-cli",
-  "description": "A plugin for the Salesforce CLI to orchestrate testing activities and report quality metrics to Provar Manager",
-  "version": "1.4.7",
+  "description": "A plugin for the Salesforce CLI to orchestrate testing activities and report quality metrics to Provar Quality Hub",
+  "version": "1.5.0-beta.1",
   "license": "BSD-3-Clause",
   "plugins": [
     "@provartesting/provardx-plugins-automation",
     "@provartesting/provardx-plugins-manager"
   ],
   "dependencies": {
-    "@oclif/core": "^3.26.2",
-    "@salesforce/core": "^6.5.1",
+    "@modelcontextprotocol/sdk": "^1.8.0",
+    "@oclif/core": "^3.27.0",
+    "@provartesting/provardx-plugins-automation": "1.2.2",
+    "@provartesting/provardx-plugins-manager": "1.3.2",
+    "@provartesting/provardx-plugins-utils": "1.3.3",
+    "@salesforce/core": "^7.0.0",
     "@salesforce/kit": "^3.0.15",
-    "@salesforce/sf-plugins-core": "^7.1.4",
+    "@salesforce/sf-plugins-core": "^9.0.0",
     "@salesforce/ts-types": "^2.0.9",
-    "axios": "^1.6.7",
-    "cli-ux": "^6.0.9",
     "fast-xml-parser": "^4.3.6",
-    "jsonschema": "^1.4.1",
-    "node-stream-zip": "^1.15.0",
-    "@provartesting/provardx-plugins-utils": "1.3.1",
-    "@provartesting/provardx-plugins-automation": "1.2.1",
-    "@provartesting/provardx-plugins-manager": "1.3.1",
-    "sync-request": "^6.1.0",
-    "xml-js": "^1.6.11"
+    "zod": "^3.22.0"
   },
   "devDependencies": {
     "@oclif/plugin-command-snapshot": "^5.0.2",
     "@salesforce/cli-plugins-testkit": "^5.1.7",
     "@salesforce/dev-scripts": "^8.3.0",
-    "@types/unzipper": "^0.10.9",
+    "@types/sinon": "^21.0.0",
     "eslint-plugin-sf-plugin": "^1.17.2",
     "mochawesome": "^7.1.3",
     "oclif": "^4.3.4",
     "shx": "0.3.4",
-    "sinon": "10.0.0",
+    "sinon": "^21.0.3",
     "ts-node": "^10.9.1",
     "typescript": "^5.1.6",
     "wireit": "^0.14.0"
@@ -70,22 +66,45 @@
       "provar": {
         "description": "CLI commands to interact with Provar.",
         "subtopics": {
+          "mcp": {
+            "description": "Commands to start and manage the Provar MCP server."
+          },
+          "config": {
+            "description": "Commands to manage ProvarDX property configuration files."
+          },
+          "manager": {
+            "description": "Commands to connect and interact with Provar Quality Hub."
+          },
+          "quality-hub": {
+            "description": "Commands to connect and interact with Provar Quality Hub.",
+            "subtopics": {
+              "test": {
+                "description": "Operations related to Quality Hub test runs.",
+                "subtopics": {
+                  "run": {
+                    "description": "Commands to launch, monitor, abort, and report on Quality Hub test runs."
+                  }
+                }
+              },
+              "testcase": {
+                "description": "Operations related to Quality Hub test cases."
+              }
+            }
+          },
           "automation": {
-            "description": "These commands are used to interact with Provar Automation.",
+            "description": "Commands to interact with Provar Automation.",
             "subtopics": {
               "config": {
-                "description": "commands to generate and manipulate provardx-properties file."
+                "description": "Commands to generate and manage the provardx-properties configuration file."
               },
-              "subtopics": {
-                "metadata": {
-                  "description": "commands to download metadata for required connections."
-                }
+              "metadata": {
+                "description": "Commands to download required metadata for Salesforce connections."
               },
               "test": {
-                "description": "Operations related to test run."
+                "description": "Commands to execute and manage Provar Automation test runs."
               },
               "project": {
-                "description": "Compile the project."
+                "description": "Commands to compile and manage Provar Automation projects."
               }
             }
           }
@@ -108,6 +127,8 @@
     "test": "wireit",
     "test:nuts": "nyc mocha  \"**/*generate.nut.ts\" \"**/*permission.nut.ts\" \"**/*load.nut.ts\" \"**/*validate.nut.ts\" \"**/*set.nut.ts\" \"**/*get.nut.ts\" --slow 4500 --timeout 600000 --reporter mochawesome",
     "test:only": "wireit",
+    "test:dev": "nyc mocha \"test/**/*.test.ts\"",
+    "test:watch": "mocha \"test/**/*.test.ts\" --watch --watch-files \"src/**/*.ts\" --watch-files \"test/**/*.ts\"",
     "version": "oclif readme"
   },
   "publishConfig": {
@@ -121,9 +142,10 @@
       ]
     },
     "compile": {
-      "command": "tsc -p . --pretty --incremental",
+      "command": "tsc -p . --pretty --incremental && shx mkdir -p lib/mcp/rules && shx cp src/mcp/rules/*.json lib/mcp/rules/",
       "files": [
         "src/**/*.ts",
+        "src/mcp/rules/*.json",
         "**/tsconfig.json",
         "messages/**"
       ],
@@ -217,4 +239,4 @@
   },
   "exports": "./lib/index.js",
   "type": "module"
-}
\ No newline at end of file
+}
diff --git a/scripts/mcp-smoke.cjs b/scripts/mcp-smoke.cjs
new file mode 100644
index 00000000..952f283f
--- /dev/null
+++ b/scripts/mcp-smoke.cjs
@@ -0,0 +1,307 @@
+// MCP smoke test — runs sf provar mcp start as a subprocess and exercises all tools via JSON-RPC
+//
+// PASS = JSON-RPC result received (tool responded; content may still contain an error code — that's fine)
+// FAIL = JSON-RPC error (protocol-level: unknown method, missing required arg, server crash, timeout)
+//
+// Usage:  node scripts/mcp-smoke.cjs [2>$null]
+// Note:   Run with stderr suppressed to avoid sf update warnings mixing into output.
+//
+// Env flags:
+//   SMOKE_REQUEST_TIMEOUT_MS  Per-request timeout in ms (default: 30000)
+//   SMOKE_OVERALL_TIMEOUT_MS  Hard deadline for the whole run in ms (default: 120000)
+//   SMOKE_INCLUDE_SETUP       Set to "1" to include provar.automation.setup (may download
+//                             binaries if no Provar install is found — disabled by default)
+
+const { spawn } = require('child_process');
+const readline = require('readline');
+const os = require('os');
+const path = require('path');
+
+const TMP = os.tmpdir();
+const REQUEST_TIMEOUT_MS = Number(process.env['SMOKE_REQUEST_TIMEOUT_MS'] ?? 30_000);
+const OVERALL_TIMEOUT_MS = Number(process.env['SMOKE_OVERALL_TIMEOUT_MS'] ?? 120_000);
+const INCLUDE_SETUP = process.env['SMOKE_INCLUDE_SETUP'] === '1';
+
+// ----------------------------------------------------------------------------
+// Server process
+// ----------------------------------------------------------------------------
+const server = spawn('sf', ['provar', 'mcp', 'start', '--allowed-paths', TMP], {
+  stdio: ['pipe', 'pipe', 'inherit'],
+  shell: process.platform === 'win32',
+  env: {
+    ...process.env,
+    PROVAR_DEV_WHITELIST_KEYS: process.env.PROVAR_DEV_WHITELIST_KEYS || '',
+  },
+});
+
+const rl = readline.createInterface({ input: server.stdout });
+let msgId = 0;
+const pending = new Map(); // id → { label, resolve, timer }
+const results = [];
+
+rl.on('line', (line) => {
+  if (!line.trim()) return;
+  let msg;
+  try { msg = JSON.parse(line); } catch { return; }
+
+  if (msg.id !== undefined && pending.has(msg.id)) {
+    const { label, resolve, timer } = pending.get(msg.id);
+    clearTimeout(timer);
+    pending.delete(msg.id);
+    const ok = !msg.error;
+    results.push({ label, ok, data: msg.error || msg.result });
+    resolve();
+  }
+});
+
+// ----------------------------------------------------------------------------
+// Overall hard deadline — kills the server so CI never hangs indefinitely
+// ----------------------------------------------------------------------------
+const overallTimer = setTimeout(() => {
+  console.error(`\nFATAL: overall timeout of ${OVERALL_TIMEOUT_MS}ms exceeded — aborting`);
+  // Mark every still-pending call as timed out
+  for (const [, { label, resolve }] of pending) {
+    results.push({ label, ok: false, data: { message: `overall timeout (${OVERALL_TIMEOUT_MS}ms)` } });
+    resolve();
+  }
+  pending.clear();
+  server.kill();
+}, OVERALL_TIMEOUT_MS);
+overallTimer.unref(); // don't prevent natural exit if tests finish early
+
+// ----------------------------------------------------------------------------
+// RPC helpers (with per-request timeout)
+// ----------------------------------------------------------------------------
+function rpc(label, method, params) {
+  return new Promise((resolve) => {
+    const id = ++msgId;
+    const timer = setTimeout(() => {
+      if (!pending.has(id)) return;
+      pending.delete(id);
+      results.push({ label, ok: false, data: { message: `request timeout (${REQUEST_TIMEOUT_MS}ms)` } });
+      console.error(`  TIMEOUT: ${label} did not respond within ${REQUEST_TIMEOUT_MS}ms`);
+      server.kill(); // kill so the process exits rather than hanging
+      resolve();
+    }, REQUEST_TIMEOUT_MS);
+    pending.set(id, { label, resolve, timer });
+    server.stdin.write(JSON.stringify({ jsonrpc: '2.0', id, method, params }) + '\n');
+  });
+}
+
+function send(method, params) {
+  return rpc(method, method, params);
+}
+
+function callTool(name, args) {
+  return rpc(name, 'tools/call', { name, arguments: args });
+}
+
+// ----------------------------------------------------------------------------
+// Test runner
+// ----------------------------------------------------------------------------
+async function runTests() {
+  // ── 0. Handshake ──────────────────────────────────────────────────────────
+  await send('initialize', {
+    protocolVersion: '2024-11-05',
+    capabilities: {},
+    clientInfo: { name: 'mcp-smoke', version: '1.0' },
+  });
+  server.stdin.write(
+    JSON.stringify({ jsonrpc: '2.0', method: 'notifications/initialized', params: {} }) + '\n'
+  );
+
+  // ── 1. tools/list ─────────────────────────────────────────────────────────
+  await send('tools/list', {});
+
+  // ── 2. provardx.ping ──────────────────────────────────────────────────────
+  await callTool('provardx.ping', { message: 'smoke-test' });
+
+  // ── 3. provar.project.inspect ─────────────────────────────────────────────
+  // TMP has no .testproject → structured "not a Provar project" response
+  await callTool('provar.project.inspect', { project_path: TMP });
+
+  // ── 4. provar.pageobject.generate (dry_run) ───────────────────────────────
+  await callTool('provar.pageobject.generate', {
+    class_name: 'AccountDetailPage',
+    package_name: 'pageobjects.accounts',
+    page_type: 'standard',
+    dry_run: true,
+  });
+
+  // ── 5. provar.pageobject.validate ─────────────────────────────────────────
+  await callTool('provar.pageobject.validate', {
+    content: 'public class AccountDetailPage {}',
+  });
+
+  // ── 6. provar.testcase.generate (dry_run) ─────────────────────────────────
+  await callTool('provar.testcase.generate', {
+    test_case_name: 'Smoke Test Case',
+    dry_run: true,
+  });
+
+  // ── 7. provar.testcase.validate ───────────────────────────────────────────
+  await callTool('provar.testcase.validate', { content: '<testCase/>' });
+
+  // ── 8. provar.testsuite.validate ──────────────────────────────────────────
+  await callTool('provar.testsuite.validate', { suite_name: 'SmokeTestSuite' });
+
+  // ── 9. provar.testplan.validate ───────────────────────────────────────────
+  await callTool('provar.testplan.validate', { plan_name: 'SmokeTestPlan' });
+
+  // ── 10. provar.project.validate ───────────────────────────────────────────
+  // TMP is not a Provar project → PATH_NOT_FOUND or NOT_A_PROJECT result
+  await callTool('provar.project.validate', { project_path: TMP });
+
+  // ── 11. provar.properties.generate (dry_run) ──────────────────────────────
+  await callTool('provar.properties.generate', {
+    output_path: path.join(TMP, 'smoke-props.json'),
+    dry_run: true,
+  });
+
+  // ── 12. provar.properties.read ────────────────────────────────────────────
+  // Non-existent file → FILE_NOT_FOUND result
+  await callTool('provar.properties.read', {
+    file_path: path.join(TMP, 'nonexistent-props.json'),
+  });
+
+  // ── 13. provar.properties.set ─────────────────────────────────────────────
+  // Non-existent file → FILE_NOT_FOUND result
+  await callTool('provar.properties.set', {
+    file_path: path.join(TMP, 'nonexistent-props.json'),
+    updates: { stopOnError: true },
+  });
+
+  // ── 14. provar.properties.validate ───────────────────────────────────────
+  // Empty JSON → validation issues about missing required fields
+  await callTool('provar.properties.validate', { content: '{}' });
+
+  // ── 15. provar.ant.generate (dry_run) ─────────────────────────────────────
+  await callTool('provar.ant.generate', {
+    provar_home: path.join(TMP, 'provar'),
+    filesets: [{ dir: '../tests' }],
+    dry_run: true,
+  });
+
+  // ── 16. provar.ant.validate ───────────────────────────────────────────────
+  // Minimal XML — will have validation issues but not crash
+  await callTool('provar.ant.validate', { content: '<project/>' });
+
+  // ── 17. provar.qualityhub.connect ─────────────────────────────────────────
+  // No real org → SF_NOT_FOUND or auth error result
+  await callTool('provar.qualityhub.connect', { target_org: 'smoke-test-org' });
+
+  // ── 18. provar.qualityhub.display ─────────────────────────────────────────
+  await callTool('provar.qualityhub.display', {});
+
+  // ── 19. provar.qualityhub.testrun ─────────────────────────────────────────
+  await callTool('provar.qualityhub.testrun', { target_org: 'smoke-test-org' });
+
+  // ── 20. provar.qualityhub.testrun.report ──────────────────────────────────
+  await callTool('provar.qualityhub.testrun.report', {
+    target_org: 'smoke-test-org',
+    run_id: 'fake-run-id-000',
+  });
+
+  // ── 21. provar.qualityhub.testrun.abort ───────────────────────────────────
+  await callTool('provar.qualityhub.testrun.abort', {
+    target_org: 'smoke-test-org',
+    run_id: 'fake-run-id-000',
+  });
+
+  // ── 22. provar.qualityhub.testcase.retrieve ───────────────────────────────
+  await callTool('provar.qualityhub.testcase.retrieve', { target_org: 'smoke-test-org' });
+
+  // ── 23. provar.qualityhub.defect.create ───────────────────────────────────
+  await callTool('provar.qualityhub.defect.create', {
+    run_id: 'fake-run-id-000',
+    target_org: 'smoke-test-org',
+  });
+
+  // ── 24. provar.automation.setup ───────────────────────────────────────────
+  // Skipped by default: when no Provar installation is found on the CI runner,
+  // this tool downloads the full Provar binary (~200 MB), which is a destructive
+  // side effect in a smoke test. Enable with SMOKE_INCLUDE_SETUP=1.
+  if (INCLUDE_SETUP) {
+    await callTool('provar.automation.setup', {});
+  }
+
+  // ── 25. provar.automation.metadata.download ───────────────────────────────
+  await callTool('provar.automation.metadata.download', {});
+
+  // ── 26. provar.automation.compile ─────────────────────────────────────────
+  await callTool('provar.automation.compile', {});
+
+  // ── 27. provar.automation.testrun ─────────────────────────────────────────
+  await callTool('provar.automation.testrun', {});
+
+  // ── 28. provar.automation.config.load ─────────────────────────────────────
+  await callTool('provar.automation.config.load', {
+    properties_path: path.join(TMP, 'nonexistent-props.json'),
+  });
+
+  // ── 29. provar.testrun.report.locate ─────────────────────────────────────
+  // TMP is not a Provar project → RESULTS_NOT_CONFIGURED result
+  await callTool('provar.testrun.report.locate', { project_path: TMP });
+
+  // ── 30. provar.testrun.rca ───────────────────────────────────────────────
+  await callTool('provar.testrun.rca', { project_path: TMP });
+
+  // ── 31. provar.testplan.add-instance ─────────────────────────────────────
+  // TMP is not a Provar project → NOT_A_PROJECT result
+  await callTool('provar.testplan.add-instance', {
+    project_path: TMP,
+    test_case_path: 'tests/Smoke/SmokeTest.testcase',
+    plan_name: 'SmokePlan',
+  });
+
+  // ── 32. provar.testplan.create-suite ─────────────────────────────────────
+  await callTool('provar.testplan.create-suite', {
+    project_path: TMP,
+    plan_name: 'SmokePlan',
+    suite_name: 'SmokeSuite',
+  });
+
+  // ── 33. provar.testplan.remove-instance ──────────────────────────────────
+  await callTool('provar.testplan.remove-instance', {
+    project_path: TMP,
+    instance_path: 'plans/SmokePlan/SmokeSuite/smoke.testinstance',
+  });
+
+  server.stdin.end();
+}
+
+// ----------------------------------------------------------------------------
+// Results
+// ----------------------------------------------------------------------------
+server.on('close', () => {
+  clearTimeout(overallTimer);
+  // initialize + tools/list + 32 tools (setup excluded from default count)
+  const TOTAL_EXPECTED = 33 + (INCLUDE_SETUP ? 1 : 0);
+  let passed = 0;
+  let failed = 0;
+
+  results.forEach((r) => {
+    const status = r.ok ? '[PASS]' : '[FAIL]';
+    const summary = r.ok
+      ? JSON.stringify(r.data).slice(0, 200)
+      : (r.data?.message || JSON.stringify(r.data) || '').slice(0, 200);
+    console.log(`${status} ${r.label}: ${summary}`);
+    r.ok ? passed++ : failed++;
+  });
+
+  console.log(`\n${passed} passed, ${failed} failed (${results.length}/${TOTAL_EXPECTED} responses received)`);
+
+  if (results.length < TOTAL_EXPECTED) {
+    console.error(`WARNING: Only ${results.length} of ${TOTAL_EXPECTED} expected responses received — server may have crashed mid-run`);
+  }
+
+  process.exit(failed > 0 || results.length < TOTAL_EXPECTED ? 1 : 0);
+});
+
+server.on('error', (err) => {
+  console.error('Failed to start MCP server:', err.message);
+  process.exit(1);
+});
+
+// Give server 3 s to initialise, then run tests
+setTimeout(runTests, 3000);
diff --git a/src/commands/provar/automation/config/validate.ts b/src/commands/provar/automation/config/validate.ts
index 4afce5ab..5daec9dd 100644
--- a/src/commands/provar/automation/config/validate.ts
+++ b/src/commands/provar/automation/config/validate.ts
@@ -6,7 +6,6 @@
  */
 
 import { SfCommand } from '@salesforce/sf-plugins-core';
-import { } from '@salesforce/core';
 import { ErrorHandler, SfProvarCommandResult, populateResult, PropertyFileValidator, Messages } from '@provartesting/provardx-plugins-utils';
 
 /**
diff --git a/src/commands/provar/automation/project/validate.ts b/src/commands/provar/automation/project/validate.ts
new file mode 100644
index 00000000..4db13bbf
--- /dev/null
+++ b/src/commands/provar/automation/project/validate.ts
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { SfCommand, Flags } from '@salesforce/sf-plugins-core';
+import { Messages } from '@salesforce/core';
+import { validateProjectFromPath, ProjectValidationError, type ProjectValidationResult } from '../../../../services/projectValidation.js';
+
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@provartesting/provardx-cli', 'sf.provar.automation.project.validate');
+
+export default class SfProvarAutomationProjectValidate extends SfCommand<ProjectValidationResult> {
+  public static readonly summary = messages.getMessage('summary');
+  public static readonly description = messages.getMessage('description');
+  public static readonly examples = messages.getMessages('examples');
+
+  public static readonly flags = {
+    'project-path': Flags.string({
+      char: 'p',
+      summary: messages.getMessage('flags.project-path.summary'),
+      default: process.cwd(),
+    }),
+    'quality-threshold': Flags.integer({
+      char: 'q',
+      summary: messages.getMessage('flags.quality-threshold.summary'),
+      default: 80,
+      min: 0,
+      max: 100,
+    }),
+    'save-results': Flags.boolean({
+      summary: messages.getMessage('flags.save-results.summary'),
+      default: true,
+      allowNo: true,
+    }),
+    'results-dir': Flags.string({
+      char: 'd',
+      summary: messages.getMessage('flags.results-dir.summary'),
+    }),
+  };
+
+  public async run(): Promise<ProjectValidationResult> {
+    const { flags } = await this.parse(SfProvarAutomationProjectValidate);
+
+    try {
+      const result = validateProjectFromPath({
+        project_path: flags['project-path'],
+        quality_threshold: flags['quality-threshold'],
+        save_results: flags['save-results'],
+        results_dir: flags['results-dir'],
+      });
+
+      if (!this.jsonEnabled()) {
+        this.log(messages.getMessage('success_message', [result.project_name, result.quality_score, result.quality_grade]));
+        if (result.saved_to) {
+          this.log(messages.getMessage('saved_to_message', [result.saved_to]));
+        }
+      }
+
+      const threshold = flags['quality-threshold'];
+      if (result.quality_score < threshold) {
+        this.error(
+          `Quality score ${result.quality_score}/100 is below the required threshold of ${threshold}/100`,
+          { exit: 1 }
+        );
+      }
+
+      return result;
+    } catch (err: unknown) {
+      if (err instanceof ProjectValidationError) {
+        this.error(err.message, { exit: 1 });
+      }
+      throw err;
+    }
+  }
+}
diff --git a/src/commands/provar/mcp/start.ts b/src/commands/provar/mcp/start.ts
new file mode 100644
index 00000000..338aabe1
--- /dev/null
+++ b/src/commands/provar/mcp/start.ts
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { Flags, SfCommand } from '@salesforce/sf-plugins-core';
+import { Messages } from '@provartesting/provardx-plugins-utils';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { createProvarMcpServer } from '../../../mcp/server.js';
+import { validateLicense, LicenseError } from '../../../mcp/licensing/index.js';
+
+Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
+const messages = Messages.loadMessages('@provartesting/provardx-cli', 'sf.provar.mcp.start');
+
+export default class SfProvarMcpStart extends SfCommand<void> {
+  public static readonly summary = messages.getMessage('summary');
+  public static readonly description = messages.getMessage('description');
+  public static readonly examples = messages.getMessages('examples');
+
+  /**
+   * Disable --json flag entirely: stdout is reserved for MCP JSON-RPC messages
+   * and must not be contaminated by oclif JSON output.
+   */
+  public static enableJsonFlag = false;
+
+  public static readonly flags = {
+    'allowed-paths': Flags.string({
+      summary: messages.getMessage('flags.allowed-paths.summary'),
+      char: 'a',
+      multiple: true,
+      default: [process.cwd()],
+    }),
+    'auto-defects': Flags.boolean({
+      summary: messages.getMessage('flags.auto-defects.summary'),
+      default: false,
+    }),
+  };
+
+  public async run(): Promise<void> {
+    const { flags } = await this.parse(SfProvarMcpStart);
+    const allowedPaths = flags['allowed-paths'];
+
+    if (flags['auto-defects']) {
+      process.env['PROVAR_AUTO_DEFECTS'] = '1';
+    }
+
+    // Validate that a Provar Automation IDE license is activated on this machine
+    // before handing stdin/stdout to the MCP transport.
+    try {
+      const result = await validateLicense();
+      if (result.offlineGrace) {
+        process.stderr.write(
+          '[provar-mcp] Warning: license validated from offline cache (last checked > 2h ago).\n'
+        );
+      }
+    } catch (err: unknown) {
+      if (err instanceof LicenseError) {
+        this.error(err.message, { exit: 1 });
+      }
+      throw err;
+    }
+
+    const server = createProvarMcpServer({ allowedPaths });
+    const transport = new StdioServerTransport();
+
+    // Connect hands stdin/stdout ownership to the SDK.
+    // The process stays alive until stdin closes (client disconnect).
+    await server.connect(transport);
+  }
+}
diff --git a/src/commands/provar/quality-hub/connect.ts b/src/commands/provar/quality-hub/connect.ts
new file mode 100644
index 00000000..05b37388
--- /dev/null
+++ b/src/commands/provar/quality-hub/connect.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import ManagerConnect from '@provartesting/provardx-plugins-manager/lib/commands/provar/manager/connect.js';
+
+export default class SfProvarQualityHubConnect extends ManagerConnect {
+  public static readonly aliases = ['provar:manager:connect'];
+  public static readonly deprecateAliases = true;
+}
diff --git a/src/commands/provar/quality-hub/display.ts b/src/commands/provar/quality-hub/display.ts
new file mode 100644
index 00000000..59b0b42e
--- /dev/null
+++ b/src/commands/provar/quality-hub/display.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import ManagerDisplay from '@provartesting/provardx-plugins-manager/lib/commands/provar/manager/display.js';
+
+export default class SfProvarQualityHubDisplay extends ManagerDisplay {
+  public static readonly aliases = ['provar:manager:display'];
+  public static readonly deprecateAliases = true;
+}
diff --git a/src/commands/provar/quality-hub/open.ts b/src/commands/provar/quality-hub/open.ts
new file mode 100644
index 00000000..2889c513
--- /dev/null
+++ b/src/commands/provar/quality-hub/open.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import ManagerOpen from '@provartesting/provardx-plugins-manager/lib/commands/provar/manager/open.js';
+
+export default class SfProvarQualityHubOpen extends ManagerOpen {
+  public static readonly aliases = ['provar:manager:open'];
+  public static readonly deprecateAliases = true;
+}
diff --git a/src/commands/provar/quality-hub/test/run.ts b/src/commands/provar/quality-hub/test/run.ts
new file mode 100644
index 00000000..61a56325
--- /dev/null
+++ b/src/commands/provar/quality-hub/test/run.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import ManagerTestRun from '@provartesting/provardx-plugins-manager/lib/commands/provar/manager/test/run.js';
+
+export default class SfProvarQualityHubTestRun extends ManagerTestRun {
+  public static readonly aliases = ['provar:manager:test:run'];
+  public static readonly deprecateAliases = true;
+}
diff --git a/src/commands/provar/quality-hub/test/run/abort.ts b/src/commands/provar/quality-hub/test/run/abort.ts
new file mode 100644
index 00000000..e30be180
--- /dev/null
+++ b/src/commands/provar/quality-hub/test/run/abort.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import ManagerTestRunAbort from '@provartesting/provardx-plugins-manager/lib/commands/provar/manager/test/run/abort.js';
+
+export default class SfProvarQualityHubTestRunAbort extends ManagerTestRunAbort {
+  public static readonly aliases = ['provar:manager:test:run:abort'];
+  public static readonly deprecateAliases = true;
+}
diff --git a/src/commands/provar/quality-hub/test/run/report.ts b/src/commands/provar/quality-hub/test/run/report.ts
new file mode 100644
index 00000000..c1205040
--- /dev/null
+++ b/src/commands/provar/quality-hub/test/run/report.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import ManagerTestRunReport from '@provartesting/provardx-plugins-manager/lib/commands/provar/manager/test/run/report.js';
+
+export default class SfProvarQualityHubTestRunReport extends ManagerTestRunReport {
+  public static readonly aliases = ['provar:manager:test:run:report'];
+  public static readonly deprecateAliases = true;
+}
diff --git a/src/commands/provar/quality-hub/testcase/retrieve.ts b/src/commands/provar/quality-hub/testcase/retrieve.ts
new file mode 100644
index 00000000..4725490b
--- /dev/null
+++ b/src/commands/provar/quality-hub/testcase/retrieve.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import ManagerTestcaseRetrieve from '@provartesting/provardx-plugins-manager/lib/commands/provar/manager/testcase/retrieve.js';
+
+export default class SfProvarQualityHubTestcaseRetrieve extends ManagerTestcaseRetrieve {
+  public static readonly aliases = ['provar:manager:testcase:retrieve'];
+  public static readonly deprecateAliases = true;
+}
diff --git a/src/mcp/licensing/algasClient.ts b/src/mcp/licensing/algasClient.ts
new file mode 100644
index 00000000..68f5cafc
--- /dev/null
+++ b/src/mcp/licensing/algasClient.ts
@@ -0,0 +1,186 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/**
+ * algasClient.ts — Provar licensing API client.
+ *
+ * Validates a license key via the Provar tag API:
+ * 1. Obtain a short-lived Cognito Bearer token (client credentials flow, cached 50 min).
+ * 2. GET /studio/licensing/{licenseKey} — returns tag metadata including `deleted` flag.
+ *
+ * Validation semantics:
+ * - `deleted === false` → key exists in the Provar system and has not been revoked → valid.
+ * - `deleted === true`  → key has been revoked → invalid.
+ * - HTTP 404            → key does not exist in the Provar system → invalid.
+ *
+ * Note: `validityPeriod` in the tag response is measured from the key's generation /
+ * modification date, NOT from now. It cannot be used to determine remaining validity.
+ * We rely on the tag's `deleted` flag only.
+ *
+ * The licenseType returned is 'None' when only the tag API is consulted (the tag endpoint
+ * does not expose the type). The IDE cross-reference step in licenseValidator.ts can
+ * supply a richer type when the key matches a locally-activated IDE license.
+ */
+
+import { LicenseError } from './licenseError.js';
+import type { LicenseType } from './licenseCache.js';
+
+const TOKEN_URL = 'https://prod.provar.cloud/studio/licensingauth/oauth2/token';
+const TAG_BASE_URL = 'https://prod.provar.cloud/studio/licensing';
+
+/** Cognito tokens expire at 1h; cache for 50 min to allow a margin for clock skew. */
+const TOKEN_TTL_MS = 50 * 60 * 1000;
+const TIMEOUT_MS = 15_000;
+
+function getOAuthCredentials(): { clientId: string; clientSecret: string } {
+  const clientId = process.env['PROVAR_OAUTH_CLIENT_ID'];
+  const clientSecret = process.env['PROVAR_OAUTH_CLIENT_SECRET'];
+  if (!clientId || !clientSecret) {
+    throw new LicenseError(
+      'ALGAS_UNREACHABLE',
+      'Provar OAuth credentials are not configured.\n' +
+        'Set PROVAR_OAUTH_CLIENT_ID and PROVAR_OAUTH_CLIENT_SECRET (see .env.example).'
+    );
+  }
+  return { clientId, clientSecret };
+}
+
+let cachedToken: string | null = null;
+let tokenExpiresAt = 0;
+
+export interface AlgasResult {
+  valid: boolean;
+  licenseType: LicenseType;
+  expiresAt?: number; // Unix ms — not available from tag API; reserved for future use
+}
+
+async function getCognitoToken(): Promise<string> {
+  if (cachedToken && Date.now() < tokenExpiresAt) return cachedToken;
+
+  const { clientId, clientSecret } = getOAuthCredentials();
+  const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS);
+
+  try {
+    const res = await fetch(TOKEN_URL, {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${credentials}`,
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: 'grant_type=client_credentials&scope=studio-licensing-api%2Fread',
+      signal: controller.signal,
+    });
+
+    if (!res.ok) {
+      throw new LicenseError(
+        'ALGAS_HTTP_ERROR',
+        `Provar licensing auth returned HTTP ${res.status}: ${res.statusText}`
+      );
+    }
+
+    const json = (await res.json()) as Record<string, unknown>;
+    const token = String(json['access_token'] ?? '');
+    if (!token) {
+      throw new LicenseError('ALGAS_HTTP_ERROR', 'Empty access_token in Cognito response');
+    }
+
+    cachedToken = token;
+    tokenExpiresAt = Date.now() + TOKEN_TTL_MS;
+    return token;
+  } catch (err: unknown) {
+    if ((err as Error).name === 'AbortError') {
+      throw new LicenseError('ALGAS_TIMEOUT', 'Provar licensing auth did not respond within 15s');
+    }
+    if (err instanceof LicenseError) throw err;
+    throw new LicenseError(
+      'ALGAS_UNREACHABLE',
+      `Could not reach Provar licensing auth: ${(err as Error).message}`
+    );
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+/**
+ * Validate a license key against the Provar tag API.
+ *
+ * Returns { valid: true, licenseType: 'None' } when the key exists and is not deleted.
+ * The licenseType is 'None' because the tag endpoint does not expose the license type;
+ * licenseValidator.ts enriches the type via the IDE cross-reference step when possible.
+ */
+export async function validateKeyWithAlgas(licenseKey: string): Promise<AlgasResult> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS);
+
+  try {
+    const token = await getCognitoToken();
+    let res = await fetch(`${TAG_BASE_URL}/${encodeURIComponent(licenseKey)}`, {
+      headers: { Authorization: `Bearer ${token}` },
+      signal: controller.signal,
+    });
+
+    // 401 means the Cognito token was rotated mid-session — clear the module-level cache
+    // and retry exactly once with a fresh token before surfacing an error.
+    // A new AbortController is created for the retry: the original controller's timer
+    // may have partially elapsed during the first request, leaving insufficient time.
+    if (res.status === 401) {
+      cachedToken = null;
+      tokenExpiresAt = 0;
+      const retryController = new AbortController();
+      const retryTimeout = setTimeout(() => retryController.abort(), TIMEOUT_MS);
+      try {
+        const refreshedToken = await getCognitoToken();
+        res = await fetch(`${TAG_BASE_URL}/${encodeURIComponent(licenseKey)}`, {
+          headers: { Authorization: `Bearer ${refreshedToken}` },
+          signal: retryController.signal,
+        });
+      } finally {
+        clearTimeout(retryTimeout);
+      }
+    }
+
+    if (res.status === 404) {
+      // Key not found in the Provar system — definitively invalid
+      return { valid: false, licenseType: 'None' };
+    }
+
+    if (!res.ok) {
+      throw new LicenseError(
+        'ALGAS_HTTP_ERROR',
+        `Provar licensing tag API returned HTTP ${res.status}: ${res.statusText}`
+      );
+    }
+
+    const body = (await res.json()) as Record<string, unknown>;
+    const deleted = body['deleted'] === true;
+
+    // !deleted = key is present in the system and not revoked
+    return { valid: !deleted, licenseType: 'None' };
+  } catch (err: unknown) {
+    if ((err as Error).name === 'AbortError') {
+      throw new LicenseError('ALGAS_TIMEOUT', 'Provar licensing tag API did not respond within 15s');
+    }
+    if (err instanceof LicenseError) throw err;
+    throw new LicenseError(
+      'ALGAS_UNREACHABLE',
+      `Could not reach Provar licensing API: ${(err as Error).message}`
+    );
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+/**
+ * Exposed for testing only — resets the in-memory token cache.
+ * Do not call in production code.
+ */
+export function resetTokenCacheForTest(): void {
+  cachedToken = null;
+  tokenExpiresAt = 0;
+}
diff --git a/src/mcp/licensing/ideDetection.ts b/src/mcp/licensing/ideDetection.ts
new file mode 100644
index 00000000..6a6416dd
--- /dev/null
+++ b/src/mcp/licensing/ideDetection.ts
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/**
+ * ideDetection.ts — Read activated Provar IDE license from disk.
+ *
+ * The Provar IDE stores license state in ~/Provar/.licenses/{name}.properties
+ *
+ * Fields we care about:
+ * - licenseStatus — Activated | NotActivated | Expired | Invalid | QuotaReached
+ * - licenseType — Fixed Seat | Floating | Trial | None
+ * - lastOnlineAvailabilityCheckUtc — epoch ms of last ALGAS check by the IDE
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import type { LicenseType } from './licenseCache.js';
+
+/** Mirrors License4J's DEFAULT_LICENSE_FOLDER_PATH + PROVAR_USER_HOME. */
+function provarLicensesDir(): string {
+  const provarHome = process.env['PROVAR_HOME'] ?? path.join(os.homedir(), 'Provar');
+  return path.join(provarHome, '.licenses');
+}
+
+export interface IdeLicenseState {
+  /** Name of the .properties file (without extension). */
+  name: string;
+  licenseType: LicenseType;
+  activated: boolean;
+  /** When the IDE last checked this license online against ALGAS (Unix ms). */
+  lastOnlineCheckMs: number;
+}
+
+/**
+ * Parse a Java .properties file into a key→value map.
+ * Only handles simple `key=value` lines; ignores comments and blank lines.
+ */
+function parseProperties(content: string): Map<string, string> {
+  const map = new Map<string, string>();
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('!')) continue;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx < 0) continue;
+    const k = trimmed.slice(0, eqIdx).trim();
+    const v = trimmed.slice(eqIdx + 1).trim();
+    map.set(k, v);
+  }
+  return map;
+}
+
+function parseLicenseType(raw: string): LicenseType {
+  // Java stores LicenseType.name() = "FixedSeat"; "Fixed Seat" kept for defensive compat.
+  if (raw === 'FixedSeat' || raw === 'Fixed Seat') return 'FixedSeat';
+  if (raw === 'Floating') return 'Floating';
+  if (raw === 'Trial') return 'Trial';
+  return 'None';
+}
+
+/**
+ * Read all .properties files from the Provar IDE license folder and return
+ * the activation state of each. Returns an empty array when the folder does
+ * not exist or cannot be read.
+ */
+export function readIdeLicenses(): IdeLicenseState[] {
+  const dir = provarLicensesDir();
+  if (!fs.existsSync(dir)) return [];
+
+  const results: IdeLicenseState[] = [];
+
+  let entries: fs.Dirent[];
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return [];
+  }
+
+  for (const entry of entries) {
+    if (!entry.isFile() || !entry.name.endsWith('.properties')) continue;
+    try {
+      const content = fs.readFileSync(path.join(dir, entry.name), 'utf-8');
+      const props = parseProperties(content);
+
+      const licenseStatus = props.get('licenseStatus') ?? '';
+      const licenseType = parseLicenseType(props.get('licenseType') ?? '');
+      const lastCheck = parseInt(props.get('lastOnlineAvailabilityCheckUtc') ?? '0', 10);
+
+      results.push({
+        name: entry.name.slice(0, -'.properties'.length),
+        licenseType,
+        activated: licenseStatus === 'Activated',
+        lastOnlineCheckMs: isNaN(lastCheck) ? 0 : lastCheck,
+      });
+    } catch {
+      // Unreadable file — skip
+    }
+  }
+
+  return results;
+}
+
+/**
+ * Find the best activated IDE license, if any.
+ *
+ * Priority: most recently validated activated license.
+ * Returns null when no activated license is present.
+ */
+export function findActivatedIdeLicense(): IdeLicenseState | null {
+  const all = readIdeLicenses();
+  const activated = all.filter((l) => l.activated);
+  if (activated.length === 0) return null;
+
+  // Return the one with the most recent online check
+  return activated.sort((a, b) => b.lastOnlineCheckMs - a.lastOnlineCheckMs)[0];
+}
+
diff --git a/src/mcp/licensing/index.ts b/src/mcp/licensing/index.ts
new file mode 100644
index 00000000..00a99662
--- /dev/null
+++ b/src/mcp/licensing/index.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+export { LicenseError } from './licenseError.js';
+export { validateLicense } from './licenseValidator.js';
+export type { LicenseValidationResult } from './licenseValidator.js';
+export { findActivatedIdeLicense, readIdeLicenses } from './ideDetection.js';
+export type { IdeLicenseState } from './ideDetection.js';
diff --git a/src/mcp/licensing/licenseCache.ts b/src/mcp/licensing/licenseCache.ts
new file mode 100644
index 00000000..ecad0eb8
--- /dev/null
+++ b/src/mcp/licensing/licenseCache.ts
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import { createHash } from 'node:crypto';
+
+export type LicenseType = 'Trial' | 'Floating' | 'FixedSeat' | 'None' | 'Whitelisted';
+
+export interface CacheEntry {
+  keyHash: string;
+  valid: boolean;
+  licenseType: LicenseType;
+  checkedAt: number;   // Unix ms timestamp of last successful validation check
+  expiresAt?: number;  // Optional license expiry from ALGAS response (Unix ms)
+}
+
+type CacheFile = Record<string, CacheEntry>;
+
+/**
+ * Store the MCP license cache alongside the Provar IDE's own license folder
+ * (~/Provar/.licenses/) so there is a single authoritative location for all
+ * Provar license state on the machine.  This also enables auto-detection when
+ * a user switches from Provar Automation IDE to Claude + MCP.
+ *
+ * Computed lazily so tests can redirect HOME/USERPROFILE before calling any
+ * cache function without the path being baked in at module-load time.
+ */
+function cacheDir(): string {
+  const provarHome = process.env['PROVAR_HOME'] ?? path.join(os.homedir(), 'Provar');
+  return path.join(provarHome, '.licenses');
+}
+function cacheFile(): string {
+  return path.join(cacheDir(), '.mcp-license-cache.json');
+}
+
+/** Re-validate against ALGAS after 2 hours — mirrors License4J's online check interval. */
+export const ONLINE_TTL_MS = 2 * 60 * 60 * 1000;
+
+/** Allow cached result for up to 48 hours when ALGAS is unreachable. */
+export const OFFLINE_GRACE_MS = 48 * 60 * 60 * 1000;
+
+/** Hash the raw license key so we never store it on disk. */
+export function hashKey(licenseKey: string): string {
+  return createHash('sha256').update(licenseKey).digest('hex');
+}
+
+export function readCacheEntry(keyHash: string): CacheEntry | null {
+  try {
+    const file = cacheFile();
+    if (!fs.existsSync(file)) return null;
+    const raw = fs.readFileSync(file, 'utf-8');
+    const cache = JSON.parse(raw) as CacheFile;
+    return cache[keyHash] ?? null;
+  } catch {
+    return null;
+  }
+}
+
+export function writeCacheEntry(entry: CacheEntry): void {
+  try {
+    const dir = cacheDir();
+    const file = cacheFile();
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    let cache: CacheFile = {};
+    if (fs.existsSync(file)) {
+      try {
+        cache = JSON.parse(fs.readFileSync(file, 'utf-8')) as CacheFile;
+      } catch {
+        cache = {};
+      }
+    }
+    cache[entry.keyHash] = entry;
+    fs.writeFileSync(file, JSON.stringify(cache, null, 2), { encoding: 'utf-8', mode: 0o600 });
+    try {
+      fs.chmodSync(file, 0o600);
+    } catch {
+      // Best-effort permission hardening; cache write itself already succeeded.
+    }
+  } catch {
+    // Cache write failure is non-fatal; validation result still returned to caller.
+  }
+}
+
+/** True when the cached entry is fresh enough to skip the next ALGAS call. */
+export function isCacheEntryFresh(entry: CacheEntry): boolean {
+  return Date.now() - entry.checkedAt < ONLINE_TTL_MS;
+}
+
+/** True when the cached entry is within the 48-hour offline grace window. */
+export function isCacheEntryWithinGrace(entry: CacheEntry): boolean {
+  return Date.now() - entry.checkedAt < OFFLINE_GRACE_MS;
+}
diff --git a/src/mcp/licensing/licenseError.ts b/src/mcp/licensing/licenseError.ts
new file mode 100644
index 00000000..ae317c37
--- /dev/null
+++ b/src/mcp/licensing/licenseError.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+export class LicenseError extends Error {
+  public readonly code: string;
+
+  public constructor(code: string, message: string) {
+    super(message);
+    this.name = 'LicenseError';
+    this.code = code;
+  }
+}
diff --git a/src/mcp/licensing/licenseValidator.ts b/src/mcp/licensing/licenseValidator.ts
new file mode 100644
index 00000000..2634e2a8
--- /dev/null
+++ b/src/mcp/licensing/licenseValidator.ts
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { log } from '../logging/logger.js';
+import {
+  hashKey,
+  readCacheEntry,
+  writeCacheEntry,
+  isCacheEntryFresh,
+  isCacheEntryWithinGrace,
+  type CacheEntry,
+  type LicenseType,
+} from './licenseCache.js';
+import { findActivatedIdeLicense } from './ideDetection.js';
+import { LicenseError } from './licenseError.js';
+
+/**
+ * Stable cache key used for IDE-detection results.
+ * There is no user-supplied key in this flow, so we use a fixed sentinel.
+ */
+const IDE_CACHE_KEY = '__ide_detection__';
+
+export interface LicenseValidationResult {
+  valid: boolean;
+  licenseType: LicenseType;
+  /** True when the result came from disk cache rather than a live ALGAS call. */
+  fromCache: boolean;
+  /** True when ALGAS was unreachable and we fell back to the offline grace window. */
+  offlineGrace: boolean;
+}
+
+/**
+ * Validate the Provar license before starting the MCP server.
+ *
+ * Requires Provar Automation IDE to be installed with an activated licence.
+ * We trust the IDE's own licenseStatus field — if it says "Activated" we
+ * accept it. The IDE is responsible for setting licenseStatus to "Expired"
+ * or "Invalid" when a licence lapses; we do not re-check timing ourselves.
+ *
+ * The result is cached so repeated starts within 2 hours skip the IDE file
+ * read entirely. The 48-hour grace window lets the MCP server keep running
+ * when the IDE files become temporarily inaccessible (e.g. network share,
+ * permission change) after a successful read.
+ *
+ * Validation flow:
+ * 1. MCP cache fresh (< 2h) → serve from cache, skip IDE read
+ * 2. Scan ~/Provar/.licenses/*.properties for an Activated licence
+ * 3. Found → write cache, accept (offlineGrace=false)
+ * 4. Not found but MCP cache within 48h grace → serve, offlineGrace=true
+ * 5. Not found, no usable cache → throw LICENSE_NOT_FOUND
+ *
+ * When NODE_ENV=test this function returns immediately so unit tests never
+ * touch the filesystem.
+ */
+export function validateLicense(): Promise<LicenseValidationResult> {
+  // Skip validation in test environment
+  if (process.env.NODE_ENV === 'test') {
+    return Promise.resolve({ valid: true, licenseType: 'Whitelisted', fromCache: false, offlineGrace: false });
+  }
+
+  // Dev whitelist — PROVAR_DEV_WHITELIST_KEYS is a comma-separated list of bypass sentinels.
+  // Any non-empty entry (after trimming) bypasses all license checks, enabling headless CI/dev
+  // environments to run without an IDE or an API call.
+  const whitelistKeys = (process.env['PROVAR_DEV_WHITELIST_KEYS'] ?? '')
+    .split(',')
+    .map((k) => k.trim())
+    .filter(Boolean);
+  if (whitelistKeys.length > 0) {
+    log('info', 'licenseValidator: PROVAR_DEV_WHITELIST_KEYS active — bypassing license check');
+    return Promise.resolve({ valid: true, licenseType: 'Whitelisted', fromCache: false, offlineGrace: false });
+  }
+
+  try {
+    return Promise.resolve(validateViaIdeDetection());
+  } catch (err) {
+    return Promise.reject(err as Error);
+  }
+}
+
+// ── IDE auto-detection ───────────────────────────────────────────────────────
+
+function validateViaIdeDetection(): LicenseValidationResult {
+  const keyHash = hashKey(IDE_CACHE_KEY);
+  const cached = readCacheEntry(keyHash);
+
+  // 1. Serve from MCP cache when fresh (< 2h) — skip IDE file read entirely
+  if (cached && isCacheEntryFresh(cached)) {
+    log('info', 'licenseValidator: IDE detection — fresh cache hit', { licenseType: cached.licenseType });
+    return { valid: true, licenseType: cached.licenseType, fromCache: true, offlineGrace: false };
+  }
+
+  // 2. Read the IDE .properties files
+  const ideState = findActivatedIdeLicense();
+
+  if (!ideState) {
+    // IDE not readable — fall back to grace cache if available
+    if (cached && isCacheEntryWithinGrace(cached)) {
+      const ageHours = Math.round((Date.now() - cached.checkedAt) / (60 * 60 * 1000));
+      log('warn', 'licenseValidator: IDE license not found, serving from offline grace cache', { ageHours });
+      return { valid: true, licenseType: cached.licenseType, fromCache: true, offlineGrace: true };
+    }
+    throw new LicenseError(
+      'LICENSE_NOT_FOUND',
+      'No activated Provar license found on this machine.\n' +
+        'Activate a license in Provar Automation IDE to use the MCP server.\n' +
+        'Licenses are read from: ~/Provar/.licenses/'
+    );
+  }
+
+  // Warn when the IDE's own ALGAS check is stale (> 7 days) — the IDE may not have been
+  // opened recently enough to refresh the activation status from the licensing server.
+  const IDE_FRESHNESS_WARN_MS = 7 * 24 * 60 * 60 * 1000;
+  if (ideState.lastOnlineCheckMs > 0 && Date.now() - ideState.lastOnlineCheckMs > IDE_FRESHNESS_WARN_MS) {
+    const ageDays = Math.round((Date.now() - ideState.lastOnlineCheckMs) / (24 * 60 * 60 * 1000));
+    log('warn', 'licenseValidator: IDE license online check is stale — open Provar IDE to refresh', { ageDays });
+  }
+
+  // 3. Valid — write to MCP cache so next start within 2h skips this read
+  const entry: CacheEntry = {
+    keyHash,
+    valid: true,
+    licenseType: ideState.licenseType,
+    checkedAt: Date.now(),
+  };
+  writeCacheEntry(entry);
+
+  log('info', 'licenseValidator: IDE licence validated and cached', {
+    name: ideState.name,
+    licenseType: ideState.licenseType,
+  });
+
+  return {
+    valid: true,
+    licenseType: ideState.licenseType,
+    fromCache: false,
+    offlineGrace: false,
+  };
+}
diff --git a/src/mcp/logging/logger.ts b/src/mcp/logging/logger.ts
new file mode 100644
index 00000000..b008f4a2
--- /dev/null
+++ b/src/mcp/logging/logger.ts
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
+
+/**
+ * Write a structured log entry to stderr.
+ * stdout is reserved exclusively for MCP JSON-RPC messages.
+ * IMPORTANT: data MUST NOT contain locator values, file content, or user PII.
+ */
+export function log(level: LogLevel, message: string, data?: Record<string, unknown>): void {
+  let entry: string;
+  try {
+    entry = JSON.stringify({ ts: new Date().toISOString(), level, message, ...data });
+  } catch {
+    entry = JSON.stringify({ ts: new Date().toISOString(), level, message, logError: 'data not serializable' });
+  }
+  process.stderr.write(entry + '\n');
+}
diff --git a/src/mcp/rules/page_object_validation_rules.json b/src/mcp/rules/page_object_validation_rules.json
new file mode 100644
index 00000000..20661834
--- /dev/null
+++ b/src/mcp/rules/page_object_validation_rules.json
@@ -0,0 +1,344 @@
+[
+  {
+    "id": "PO_001",
+    "name": "Missing package declaration",
+    "description": "Page Object is missing a package declaration.",
+    "penalty": 20,
+    "severity": "ERROR",
+    "appliesTo": "class",
+    "suggestion": "Add 'package pageobjects;' at the top of the file."
+  },
+  {
+    "id": "PO_002",
+    "name": "Invalid package name",
+    "description": "Package name format is invalid.",
+    "penalty": 18,
+    "severity": "ERROR",
+    "appliesTo": "class",
+    "suggestion": "Package names should be valid Java identifiers separated by dots (e.g., 'pageobjects' or 'pageobjects.MySubFolder')."
+  },
+  {
+    "id": "PO_003",
+    "name": "Missing class declaration",
+    "description": "Could not find public class declaration.",
+    "penalty": 25,
+    "severity": "ERROR",
+    "appliesTo": "class",
+    "suggestion": "Ensure the file has a 'public class ClassName' declaration."
+  },
+  {
+    "id": "PO_004",
+    "name": "Class name not PascalCase",
+    "description": "Class name should follow PascalCase naming convention.",
+    "penalty": 8,
+    "severity": "WARNING",
+    "appliesTo": "class",
+    "suggestion": "Rename class to use PascalCase (e.g., 'MyPageObject')."
+  },
+  {
+    "id": "PO_005",
+    "name": "Invalid class name",
+    "description": "Class name is not a valid Java identifier.",
+    "penalty": 20,
+    "severity": "ERROR",
+    "appliesTo": "class",
+    "suggestion": "Class names must start with a letter, $, or _ and contain only letters, digits, $, or _."
+  },
+  {
+    "id": "PO_006",
+    "name": "Class name mismatch",
+    "description": "Class name does not match the expected filename.",
+    "penalty": 18,
+    "severity": "ERROR",
+    "appliesTo": "class",
+    "suggestion": "Class name must match the filename."
+  },
+  {
+    "id": "PO_012",
+    "name": "Missing Provar annotations import",
+    "description": "Missing import for Provar annotations.",
+    "penalty": 10,
+    "severity": "WARNING",
+    "appliesTo": "class",
+    "suggestion": "Add 'import com.provar.core.testapi.annotations.*;'"
+  },
+  {
+    "id": "PO_020",
+    "name": "Missing @Page annotation",
+    "description": "Missing @Page or @SalesforcePage annotation.",
+    "penalty": 12,
+    "severity": "WARNING",
+    "appliesTo": "annotation",
+    "suggestion": "Add @Page annotation before the class declaration."
+  },
+  {
+    "id": "PO_021",
+    "name": "@Page missing title",
+    "description": "@Page annotation missing 'title' attribute.",
+    "penalty": 8,
+    "severity": "WARNING",
+    "appliesTo": "annotation",
+    "suggestion": "Add title attribute to @Page annotation."
+  },
+  {
+    "id": "PO_022",
+    "name": "@SalesforcePage missing required attribute",
+    "description": "@SalesforcePage annotation missing required 'title' or 'connection' attribute.",
+    "penalty": 18,
+    "severity": "ERROR",
+    "appliesTo": "annotation",
+    "suggestion": "Add required attributes to @SalesforcePage annotation."
+  },
+  {
+    "id": "PO_023",
+    "name": "@SalesforcePage missing page type",
+    "description": "@SalesforcePage should specify page type attribute.",
+    "penalty": 10,
+    "severity": "WARNING",
+    "appliesTo": "annotation",
+    "suggestion": "Add one of: page, auraComponent, object, or lightningWebComponent attribute."
+  },
+  {
+    "id": "PO_030",
+    "name": "No fields found",
+    "description": "No WebElement or WebComponent fields found in Page Object.",
+    "penalty": 12,
+    "severity": "WARNING",
+    "appliesTo": "class",
+    "suggestion": "Add at least one WebElement field with @FindBy locator and type annotation."
+  },
+  {
+    "id": "PO_031",
+    "name": "Duplicate field name",
+    "description": "Duplicate field name found within the same scope.",
+    "penalty": 20,
+    "severity": "ERROR",
+    "appliesTo": "field",
+    "suggestion": "Rename one of the duplicate fields."
+  },
+  {
+    "id": "PO_032",
+    "name": "Invalid field name",
+    "description": "Field name is not a valid Java identifier.",
+    "penalty": 18,
+    "severity": "ERROR",
+    "appliesTo": "field",
+    "suggestion": "Field names must be valid Java identifiers."
+  },
+  {
+    "id": "PO_033",
+    "name": "Reserved word field name",
+    "description": "Field name is a Java reserved word.",
+    "penalty": 20,
+    "severity": "ERROR",
+    "appliesTo": "field",
+    "suggestion": "Rename field to avoid Java reserved words."
+  },
+  {
+    "id": "PO_034",
+    "name": "Invalid locator strategy",
+    "description": "Invalid locator strategy used in @FindBy annotation.",
+    "penalty": 18,
+    "severity": "ERROR",
+    "appliesTo": "field",
+    "suggestion": "Use one of: xpath, id, css, name, className, tagName, linkText, partialLinkText, visualforce, label."
+  },
+  {
+    "id": "PO_035",
+    "name": "Empty locator",
+    "description": "Empty locator value for field (AI healing will populate at runtime).",
+    "penalty": 2,
+    "severity": "INFO",
+    "appliesTo": "field",
+    "suggestion": "Consider providing an initial locator value."
+  },
+  {
+    "id": "PO_036",
+    "name": "Invalid element type annotation",
+    "description": "Element type annotation is not a valid Provar type (e.g., @LookupType is not valid).",
+    "penalty": 10,
+    "severity": "WARNING",
+    "appliesTo": "field",
+    "suggestion": "Use a valid Provar element type: TextType, ButtonType, LinkType, ChoiceListType, RadioType, FileType, DateType, RichTextType, BooleanType (NOTE: CheckboxType is invalid). For lookup/reference fields, use @TextType()."
+  },
+  {
+    "id": "PO_040",
+    "name": "Duplicate frame class name",
+    "description": "Duplicate @PageFrame class name found.",
+    "penalty": 20,
+    "severity": "ERROR",
+    "appliesTo": "frame",
+    "suggestion": "Rename one of the duplicate frame classes."
+  },
+  {
+    "id": "PO_041",
+    "name": "Frame class not PascalCase",
+    "description": "Frame class name should follow PascalCase naming convention.",
+    "penalty": 8,
+    "severity": "WARNING",
+    "appliesTo": "frame",
+    "suggestion": "Rename frame class to use PascalCase."
+  },
+  {
+    "id": "PO_050",
+    "name": "Missing semicolon",
+    "description": "Possible missing semicolon after field declaration.",
+    "penalty": 20,
+    "severity": "ERROR",
+    "appliesTo": "field",
+    "suggestion": "Add semicolon after field declaration."
+  },
+  {
+    "id": "PO_051",
+    "name": "Unclosed string literal",
+    "description": "Possible unclosed string literal.",
+    "penalty": 10,
+    "severity": "WARNING",
+    "appliesTo": "field",
+    "suggestion": "Check for missing closing quote."
+  },
+  {
+    "id": "PO_060",
+    "name": "Mismatched braces",
+    "description": "Mismatched opening and closing braces.",
+    "penalty": 25,
+    "severity": "ERROR",
+    "appliesTo": "class",
+    "suggestion": "Check for missing or extra curly braces."
+  },
+  {
+    "id": "PO_070",
+    "name": "ID-based locator",
+    "description": "Using 'id' locator strategy in Salesforce Lightning. IDs are often dynamically generated and unreliable.",
+    "penalty": 15,
+    "severity": "WARNING",
+    "appliesTo": "field",
+    "suggestion": "Prefer xpath/css with stable attributes like data-testid, aria-label, name, or label-based locators."
+  },
+  {
+    "id": "PO_071",
+    "name": "Absolute XPath",
+    "description": "Absolute XPath starting from /html or /body. These break with any DOM structure change.",
+    "penalty": 20,
+    "severity": "ERROR",
+    "appliesTo": "field",
+    "suggestion": "Use relative XPath starting with // or .// anchored to stable elements."
+  },
+  {
+    "id": "PO_072",
+    "name": "Indexed XPath",
+    "description": "XPath with numeric positional indexes like [1], [2], etc. These are brittle as they break when elements are added/removed.",
+    "penalty": 8,
+    "severity": "WARNING",
+    "appliesTo": "field",
+    "suggestion": "Prefer attribute-based selection instead of positional indexes [n]."
+  },
+  {
+    "id": "PO_073",
+    "name": "Salesforce dynamic attribute",
+    "description": "Locators using Salesforce dynamic/Aura attributes (data-aura-rendered-by, aura-id, etc.). These change on every render and cause test flakiness.",
+    "penalty": 18,
+    "severity": "ERROR",
+    "appliesTo": "field",
+    "suggestion": "Remove dynamic Aura attributes; use stable identifiers like labels, data-testid, or semantic selectors."
+  },
+  {
+    "id": "PO_074",
+    "name": "Hardcoded Salesforce ID",
+    "description": "Hardcoded Salesforce record IDs (15 or 18 character). These make tests environment-specific and non-portable.",
+    "penalty": 18,
+    "severity": "ERROR",
+    "appliesTo": "field",
+    "suggestion": "Remove hardcoded IDs; use dynamic data or environment-independent locators."
+  },
+  {
+    "id": "PO_075",
+    "name": "Unstable class pattern",
+    "description": "CSS class patterns that appear autogenerated or framework-specific. These classes often change with framework updates.",
+    "penalty": 5,
+    "severity": "INFO",
+    "appliesTo": "field",
+    "suggestion": "Prefer stable attributes over autogenerated CSS classes."
+  },
+  {
+    "id": "PO_076",
+    "name": "Complex XPath",
+    "description": "Overly complex XPath expressions with many path segments, axes, or predicates. Complex XPaths are harder to maintain and more likely to break.",
+    "penalty": 12,
+    "severity": "WARNING",
+    "appliesTo": "field",
+    "suggestion": "Consider simplifying by using a more direct path, anchor + relative pattern, or data-testid attributes."
+  },
+  {
+    "id": "PO_077",
+    "name": "Text-based locator",
+    "description": "Locators that rely primarily on text content. Text-based locators may match multiple elements, fail with i18n changes, or break when labels are updated.",
+    "penalty": 5,
+    "severity": "INFO",
+    "appliesTo": "field",
+    "suggestion": "Combine text matching with other stable attributes; consider data-testid or aria-label."
+  },
+  {
+    "id": "PO_078",
+    "name": "Long locator",
+    "description": "Excessively long locators (>200 chars). Very long locators are harder to maintain and often indicate over-specification.",
+    "penalty": 3,
+    "severity": "INFO",
+    "appliesTo": "field",
+    "suggestion": "Consider using a shorter, more maintainable locator anchored to stable elements."
+  },
+  {
+    "id": "PO_079",
+    "name": "Position function in XPath",
+    "description": "XPath using position functions like last(), first(), position(). Position functions create fragile locators that break when DOM order changes.",
+    "penalty": 10,
+    "severity": "WARNING",
+    "appliesTo": "field",
+    "suggestion": "Avoid position-based selection; use unique identifiers like @id, @data-testid, or aria attributes."
+  },
+  {
+    "id": "PO_080",
+    "name": "Commented code detected",
+    "description": "Page Object contains commented-out code. Commented code adds clutter and may indicate incomplete refactoring.",
+    "penalty": 2,
+    "severity": "INFO",
+    "appliesTo": "class",
+    "suggestion": "Remove commented code. Use version control to track code history instead."
+  },
+  {
+    "id": "PO_081",
+    "name": "Inline locator in method",
+    "description": "Locator defined inline within a method body using By.xpath(), By.id(), etc. Inline locators reduce maintainability and reusability.",
+    "penalty": 10,
+    "severity": "WARNING",
+    "appliesTo": "method",
+    "suggestion": "Extract inline locators to @FindBy WebElement fields at the class level for better maintainability and reuse."
+  },
+  {
+    "id": "PO_082",
+    "name": "Visualforce indexed component",
+    "description": "VisualforceBy locator uses positional index like [1], [2], [3]. Indexed locators break when page structure changes.",
+    "penalty": 8,
+    "severity": "WARNING",
+    "appliesTo": "field",
+    "suggestion": "Use @id, @value, or @action attributes instead of positional indexes in componentXPath."
+  },
+  {
+    "id": "PO_083",
+    "name": "Visualforce not(@id) pattern",
+    "description": "VisualforceBy locator uses not(@id) pattern which matches any element without an ID. This is fragile and non-specific.",
+    "penalty": 10,
+    "severity": "WARNING",
+    "appliesTo": "field",
+    "suggestion": "Request developers add unique IDs to Visualforce components, or use more specific attributes like @value or @action."
+  },
+  {
+    "id": "PO_084",
+    "name": "Visualforce complex path",
+    "description": "VisualforceBy componentXPath contains complex nested path with multiple descendant selectors. Complex paths are harder to maintain.",
+    "penalty": 5,
+    "severity": "INFO",
+    "appliesTo": "field",
+    "suggestion": "Simplify the componentXPath by targeting a more specific ancestor component with @id or unique attributes."
+  }
+]
diff --git a/src/mcp/rules/provar_best_practices_rules.json b/src/mcp/rules/provar_best_practices_rules.json
new file mode 100644
index 00000000..298b39cb
--- /dev/null
+++ b/src/mcp/rules/provar_best_practices_rules.json
@@ -0,0 +1,3192 @@
+{
+  "schemaVersion": "1.0",
+  "name": "Provar Test Case Quality Best Practices",
+  "description": "Programmatic ruleset for validating and scoring Provar Automation test case quality based on the Best Practices project, README, and best-practices documentation.",
+  "artifactTypes": [
+    "Repository",
+    "Project",
+    "Folder",
+    "TestCase",
+    "Step",
+    "Parameter",
+    "PageObject",
+    "Field",
+    "DataSource"
+  ],
+  "scoring": {
+    "defaultMaxScore": 100,
+    "ruleWeighting": "weightedSum",
+    "categories": {
+      "NamingConventions": 0.2,
+      "StructureAndGrouping": 0.2,
+      "DataDrivenTesting": 0.2,
+      "ReusabilityAndCallables": 0.15,
+      "ConnectionsAndEnvironments": 0.1,
+      "TestCaseDesign": 0.1,
+      "MaintenanceAndFolders": 0.05,
+      "BuildAndCI": 0.0
+    },
+    "notes": "BuildAndCI contributes to repository health but is excluded from per-testCase quality score."
+  },
+  "rules": [
+    {
+      "id": "SCHEMA-ROOT-001",
+      "category": "XMLSchema",
+      "name": "Test case root element must be testCase",
+      "description": "The root XML element must be <testCase>. Any other root element prevents the test from being imported into Provar.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Ensure the root element is <testCase> with proper namespace and attributes.",
+      "check": {
+        "type": "disabled",
+        "comment": "Handled by validator handler's validate_schema_compliance() for early detection",
+        "target": "testCase"
+      },
+      "source": "Provar XML Schema: Test Case Structure"
+    },
+    {
+      "id": "SCHEMA-ID-001",
+      "category": "XMLSchema",
+      "name": "Test case must have valid identifier",
+      "description": "Test case must have one of: 'id' (recommended), 'guid' (Provar V3), or 'registryId' (legacy) attribute. Missing identifier prevents test case import.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Add 'id' attribute to <testCase> element (e.g., id=\"1\"), or use 'guid' for Provar V3 compatibility.",
+      "check": {
+        "type": "disabled",
+        "comment": "Handled by validator handler's validate_schema_compliance() for early detection",
+        "target": "testCase"
+      },
+      "source": "Provar XML Schema: Test Case Identification"
+    },
+    {
+      "id": "STRUCT-ATTR-001",
+      "category": "XMLSchema",
+      "name": "Test case should have failureBehaviour attribute",
+      "description": "The 'failureBehaviour' attribute is recommended for new tests (default: 'Continue'). While not required, it makes test behavior explicit.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Add failureBehaviour=\"Continue\" to <testCase> element for explicit failure handling.",
+      "check": {
+        "type": "disabled",
+        "comment": "Handled by validator handler's validate_schema_compliance() for early detection",
+        "target": "testCase"
+      },
+      "source": "Provar XML Schema: Test Case Attributes"
+    },
+    {
+      "id": "SCHEMA-LEGACY-001",
+      "category": "XMLSchema",
+      "name": "Consider migrating from registryId to id or guid",
+      "description": "Using legacy 'registryId' attribute. Consider migrating to 'id' (simple) or 'guid' (Provar V3) for better compatibility.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Replace registryId with 'id' or 'guid' attribute for Provar V3 compatibility.",
+      "check": {
+        "type": "disabled",
+        "comment": "Handled by validator handler's validate_schema_compliance() for early detection",
+        "target": "testCase"
+      },
+      "source": "Provar XML Schema: Version Compatibility"
+    },
+    {
+      "id": "SCHEMA-VALUE-001",
+      "category": "XMLSchema",
+      "name": "Value elements must not use text attribute",
+      "description": "Content must be inside <value> element, not as text=\"...\" attribute. Using text attribute causes XML parsing errors.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Change <value text=\"content\"/> to <value>content</value>",
+      "check": {
+        "type": "disabled",
+        "comment": "Handled by validator handler's validate_schema_compliance() for early detection",
+        "target": "testCase"
+      },
+      "source": "Provar XML Schema: Value Element Format"
+    },
+    {
+      "id": "SCHEMA-URI-001",
+      "category": "XMLSchema",
+      "name": "URI attributes must properly encode ampersands",
+      "description": "Ampersands in URI attributes must be encoded as &amp; for valid XML. Unencoded & causes XML parsing errors.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Replace & with &amp; in all uri=\"...\" attributes (e.g., uri=\"sf:ui:binding:object?object=Lead&amp;action=View\")",
+      "check": {
+        "type": "disabled",
+        "comment": "Handled by validator handler's validate_schema_compliance() for early detection",
+        "target": "testCase"
+      },
+      "source": "XML Specification: Entity Encoding"
+    },
+    {
+      "id": "SCHEMA-STEPS-001",
+      "category": "XMLSchema",
+      "name": "Test case must have steps element",
+      "description": "Test case must contain a <steps> element with at least one apiCall. Missing steps element prevents test case from loading.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Add <steps> element containing apiCall steps to the test case.",
+      "check": {
+        "type": "disabled",
+        "comment": "Handled by validator handler's validate_schema_compliance() for early detection",
+        "target": "testCase"
+      },
+      "source": "Provar XML Schema: Test Case Structure"
+    },
+    {
+      "id": "SCHEMA-EMPTY-001",
+      "category": "XMLSchema",
+      "name": "Test case should not be empty",
+      "description": "Test case <steps> element should contain at least one <apiCall>. Empty test cases have no executable logic.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Add apiCall steps to implement test logic.",
+      "check": {
+        "type": "disabled",
+        "comment": "Handled by validator handler's validate_schema_compliance() for early detection",
+        "target": "testCase"
+      },
+      "source": "Provar Test Design: Test Content"
+    },
+    {
+      "id": "API-UNKNOWN-001",
+      "category": "XMLSchema",
+      "name": "API identifier must be a valid Provar API",
+      "description": "The apiId attribute must reference a real Provar API. Unknown or hallucinated apiIds (like 'ApexDescribeObject') cause complete test step failures because Provar cannot find the API implementation.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Use only valid Provar apiIds. Common corrections: ApexDescribeObject→ApexReadObject, ApexQueryObject→ApexSoqlQuery, ApexInsertObject→ApexCreateObject. Refer to provar_test_step_schema.json for the complete list of valid APIs.",
+      "check": {
+        "type": "unknownApiId"
+      },
+      "notes": "CRITICAL severity - unknown apiIds cause complete test step failures. This rule catches LLM hallucinations where non-existent APIs are generated.",
+      "source": "Provar API Schema: Valid API Identifiers"
+    },
+    {
+      "id": "NC-FOLDER-001",
+      "category": "NamingConventions",
+      "name": "Folder names are modular and title-cased",
+      "description": "Test folders must be concise, modular, alphabetic, and use Title Case with spaces between words.",
+      "appliesTo": [
+        "Folder",
+        "TestCase"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Rename folder to be concise, alphabetic only, and in Title Case (e.g. 'Test Case Design').",
+      "check": {
+        "type": "regex",
+        "target": "folder.name",
+        "pattern": "^[A-Z][A-Za-z0-9]*( [A-Z][A-Za-z0-9]*)*$"
+      },
+      "source": "README: Naming Conventions - Test Folders"
+    },
+    {
+      "id": "NC-TESTCASE-001",
+      "category": "NamingConventions",
+      "name": "Test case names use consistent naming convention",
+      "description": "Test case names must follow a consistent naming pattern. NOTE: This rule only applies to test cases with an explicit 'name' attribute (typically callable test cases). The 'id' attribute can be any format.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Use a consistent naming style for callable test case names. Examples: 'CreateAndConvertLead', 'createAndConvertLead', 'Create And Convert Lead'.",
+      "check": {
+        "type": "disabled",
+        "comment": "Disabled - testCase.id can be any format (numeric, etc). Only explicit 'name' attributes need validation.",
+        "target": "testCase.name",
+        "pattern": "^([A-Z][a-z]+(?:[A-Z][a-z]+)*|[a-z]+(?:[A-Z][a-z]+)*|[A-Z][a-z]+(?: [A-Z][a-z]+)*|[a-z]+(?: [a-z]+)*|[a-z]+(?:_[a-z]+)*)$"
+      },
+      "source": "README: Naming Conventions - Test Cases"
+    },
+    {
+      "id": "NC-PARAM-001",
+      "category": "NamingConventions",
+      "name": "Parameters and variables use camelCase",
+      "description": "Test parameters, variables, and return values must be camelCase and unique within their scope.",
+      "appliesTo": [
+        "Parameter"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Rename parameters and variables to camelCase and ensure no duplicates in the same scope.",
+      "check": {
+        "type": "regex",
+        "target": "parameter.name",
+        "pattern": "^[a-z][A-Za-z0-9]*$"
+      },
+      "source": "README: Naming Conventions - Test Parameters, Variables, and Return Values"
+    },
+    {
+      "id": "NC-PO-001",
+      "category": "NamingConventions",
+      "name": "Page Objects use PascalCase",
+      "description": "Page Object names must follow PascalCase and represent a single logical page or screen.",
+      "appliesTo": [
+        "PageObject",
+        "TestCase"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Rename Page Object to PascalCase (e.g. 'AccountDetailsPage').",
+      "check": {
+        "type": "regex",
+        "target": "pageObject.name",
+        "pattern": "^[A-Z][A-Za-z0-9]*$"
+      },
+      "source": "README: Naming Conventions - Page Objects"
+    },
+    {
+      "id": "NC-FIELD-001",
+      "category": "NamingConventions",
+      "name": "Field names use camelCase",
+      "description": "Field mapping names must be camelCase for consistency and readability.",
+      "appliesTo": [
+        "Field",
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Rename field mapping to camelCase (e.g. 'billingStreet').",
+      "check": {
+        "type": "regex",
+        "target": "field.name",
+        "pattern": "^[a-z][A-Za-z0-9]*$"
+      },
+      "source": "README: Naming Conventions - Field Names"
+    },
+    {
+      "id": "STRUCT-GROUP-001",
+      "category": "StructureAndGrouping",
+      "name": "All steps are inside Group steps or BDD structure",
+      "description": "Every test step must be contained within a Group Step, BDD design step (Given/When/Then/And/But), or Finally block to improve readability and maintenance.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Wrap root-level steps into logically named Group Steps, BDD steps (Given/When/Then), or Finally blocks.",
+      "check": {
+        "type": "mustAllBeInGroups",
+        "target": "testCase.steps",
+        "acceptBddSteps": true,
+        "acceptFinallyBlocks": true
+      },
+      "source": "README: Naming Conventions - Group Steps"
+    },
+    {
+      "id": "STRUCT-SUMMARY-001",
+      "category": "StructureAndGrouping",
+      "name": "Test case has top-level summary",
+      "description": "Each test case must have a summary describing its purpose and usage.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Add a concise summary describing scenario, preconditions, and outcome.",
+      "check": {
+        "type": "mustExistAndNotEmpty",
+        "target": "testCase.summary"
+      },
+      "source": "README: Usage - Each test has its own summary"
+    },
+    {
+      "id": "STEP-NAMES-001",
+      "category": "StructureAndGrouping",
+      "name": "Custom step names for UI asserts and sets",
+      "description": "UI Assert, Set Values, and long SOQL query steps must be renamed to be descriptive.",
+      "appliesTo": [
+        "Step",
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Rename the step to describe what is being asserted or set (e.g. 'assertAccountStatusIsActive').",
+      "check": {
+        "type": "semanticPattern",
+        "target": "step",
+        "appliesWhen": [
+          "step.type in ['UIAssert','SetValues','SOQL']"
+        ],
+        "mustHaveCustomName": true
+      },
+      "source": "README: Naming Conventions - Test Step Names"
+    },
+    {
+      "id": "DDT-EXCEL-001",
+      "category": "DataDrivenTesting",
+      "name": "Excel headers match field label or API name",
+      "description": "Excel/data source column headers must match either the field label or API name.",
+      "appliesTo": [
+        "DataSource"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Rename Excel column headers to match Salesforce field labels or API names.",
+      "check": {
+        "type": "semantic",
+        "target": "dataSource.columns[]",
+        "requireMappingTo": "SalesforceField"
+      },
+      "source": "README: Naming Conventions - Excel/Data Source"
+    },
+    {
+      "id": "DDT-NO-FUNC-001",
+      "category": "DataDrivenTesting",
+      "name": "No Excel functions in data",
+      "description": "Excel test data must be static; functions are not allowed in cells.",
+      "appliesTo": [
+        "DataSource",
+        "TestCase"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Replace Excel formulas with static values to keep tests deterministic.",
+      "check": {
+        "type": "mustNotMatchRegex",
+        "target": "dataSource.cells[]",
+        "pattern": "^="
+      },
+      "source": "README: Naming Conventions - Excel/Data Source"
+    },
+    {
+      "id": "VAR-NAMING-001",
+      "category": "DataDrivenTesting",
+      "name": "Variable names must use valid identifiers",
+      "description": "Variable names, field references, and result names must contain only letters, digits, and underscores. Spaces, hyphens, and special characters cause RUNTIME FAILURES in Provar. Examples: {Account.Name} ✅ | {Account.Account Name} ❌ (space will fail)",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Replace spaces and special characters with underscores. Use API field names (e.g., Account.Name) instead of field labels (e.g., Account.Account Name).",
+      "check": {
+        "type": "variableNaming",
+        "target": "step.variable",
+        "pattern": "^[A-Za-z_][A-Za-z0-9_]*$"
+      },
+      "source": "Provar Runtime Requirements - Variable identifier rules",
+      "notes": "CRITICAL severity - spaces/hyphens in variable names cause test step failures at runtime. Affects SetValues, variable references, result names (resultName, resultIdName, sfUiTargetResultName), and array notation."
+    },
+    {
+      "id": "DDT-VAR-001",
+      "category": "DataDrivenTesting",
+      "name": "No hardcoded values in steps",
+      "description": "Fields and values used more than once in a test must be parameterized or stored in variables.",
+      "appliesTo": [
+        "Step",
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 3,
+      "recommendation": "Replace repeated literal values with variables or parameters defined in the test case.",
+      "check": {
+        "type": "detectDuplicatesLiterals",
+        "target": "step.value",
+        "minOccurrences": 2
+      },
+      "source": "Best Practices: Data-Driven Testing & Additional Best Practices",
+      "notes": "Severity downgraded from major to minor in Session 4 - style/cosmetic issue, not functional"
+    },
+    {
+      "id": "REUSE-CALL-001",
+      "category": "ReusabilityAndCallables",
+      "name": "Callable tests reside in Callables folder",
+      "description": "Callable tests must be stored under a designated Callables folder for discoverability.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Move callable test into 'tests/Callables' (or equivalent) folder.",
+      "check": {
+        "type": "callableFolder",
+        "target": "testCase.path"
+      },
+      "source": "README: Test Case Reusability & Callables"
+    },
+    {
+      "id": "REUSE-CALL-002",
+      "category": "ReusabilityAndCallables",
+      "name": "Callable tests are parameterized",
+      "description": "Callable tests must define input parameters instead of using internal hardcoded values.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Add input parameters to the callable test and reference them in steps instead of literals.",
+      "check": {
+        "type": "mustHaveParameters",
+        "target": "testCase",
+        "minParameters": 1
+      },
+      "source": "README: Callables & Best Practices text"
+    },
+    {
+      "id": "REUSE-CALL-003",
+      "category": "ReusabilityAndCallables",
+      "name": "Callable tests executable in isolation",
+      "description": "Callable tests must be self-contained and executable independently for debugging.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Ensure callable tests create their own preconditions (records, connections) or accept them as parameters.",
+      "check": {
+        "type": "semantic",
+        "target": "testCase",
+        "mustNotDependOnExternalState": true
+      },
+      "source": "README: Callables & Best Practices text - Additional Best Practices"
+    },
+    {
+      "id": "ENV-CONN-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "Admin connection supports Login-As",
+      "description": "There must be an Admin connection configured to perform Login-As for other profiles.",
+      "appliesTo": [
+        "Project"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Create an Admin connection with 'login as' permissions for target profiles.",
+      "check": {
+        "type": "mustContain",
+        "target": "project.connections",
+        "connectionRole": "AdminLoginAs"
+      },
+      "source": "Best Practices: Environment Overrides"
+    },
+    {
+      "id": "ENV-CONN-002",
+      "category": "ConnectionsAndEnvironments",
+      "name": "Connection names should not contain environment specifiers",
+      "description": "Connection names should be environment-agnostic. Avoid embedding UAT, QA, Sandbox, Prod, Production, or Scratch in connection names. Use environment overrides instead.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Remove environment specifiers from connection names. Create environment-specific connections via Provar environment overrides.",
+      "check": {
+        "type": "environmentConnectionName",
+        "target": "testCase"
+      },
+      "source": "Best Practices: Environment Overrides"
+    },
+    {
+      "id": "DESIGN-APIUI-001",
+      "category": "TestCaseDesign",
+      "name": "Prefer API for setup where possible",
+      "description": "Test setup steps that only prepare data should use API/SOQL instead of UI flows when feasible.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 3,
+      "recommendation": "Replace UI-based record creation for setup with API or SOQL-based data creation where appropriate.",
+      "check": {
+        "type": "semantic",
+        "target": "step",
+        "detectSetupViaUI": true,
+        "suggestAPIAlternative": true
+      },
+      "source": "Best Practices: Test Case Design - API vs UI"
+    },
+    {
+      "id": "DESIGN-GROUP-001",
+      "category": "TestCaseDesign",
+      "name": "Use Group Steps or BDD structure for logical phases",
+      "description": "Long tests should be organized using Group Steps, BDD design steps (Given/When/Then/And/But), or Finally blocks that represent logical phases of the flow.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Organize test with Group Steps (e.g. 'Setup', 'Execute Scenario', 'Validate Results'), BDD steps (Given/When/Then), or Finally blocks around related actions.",
+      "check": {
+        "type": "mustHaveMinGroups",
+        "target": "testCase.groups",
+        "minGroups": 2,
+        "acceptBddSteps": true,
+        "acceptFinallyBlocks": true
+      },
+      "source": "Best Practices: Test Case Design"
+    },
+    {
+      "id": "STEP-DISABLED-001",
+      "category": "TestCaseDesign",
+      "name": "Disabled test steps should be removed",
+      "description": "Test steps marked with <tags><string>disabled</string></tags> should be removed from the test case to maintain clean, maintainable code. Disabled steps create technical debt and confusion.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Remove disabled test steps entirely. If the step is needed for future use, consider creating a separate test case or adding it when actually required.",
+      "check": {
+        "type": "disabledStep",
+        "target": "step"
+      },
+      "source": "Best Practices: Test Case Maintenance"
+    },
+    {
+      "id": "MAINT-FOLDER-001",
+      "category": "MaintenanceAndFolders",
+      "name": "Folder-level setup test per application segment",
+      "description": "Each folder representing an application segment must include a setup test case for connections.",
+      "appliesTo": [
+        "Folder"
+      ],
+      "severity": "minor",
+      "weight": 3,
+      "recommendation": "Add a setup test case that establishes folder-wide connections (even if folder scope bug exists).",
+      "check": {
+        "type": "mustContainSetupTest",
+        "target": "folder.tests",
+        "setupNamePattern": "(?i)setup"
+      },
+      "source": "README: Test Case Maintenance"
+    },
+    {
+      "id": "MAINT-VERSION-001",
+      "category": "MaintenanceAndFolders",
+      "name": "Consistent Provar/OS/browser versions",
+      "description": "Execution environments and authors should align on Provar, OS, and browser versions.",
+      "appliesTo": [
+        "Project"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Document and standardize supported Provar, OS, and browser versions in project configuration.",
+      "check": {
+        "type": "informational",
+        "target": "project.config"
+      },
+      "source": "Best Practices: Additional Best Practices"
+    },
+    {
+      "id": "BUILD-PLAN-001",
+      "category": "BuildAndCI",
+      "name": "Regression Test Plan exists for CI",
+      "description": "A Regression Test Plan must exist and be referenced by CI builds.",
+      "appliesTo": [
+        "Project"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Ensure there is a 'Regression' plan and that the CI workflow references it.",
+      "check": {
+        "type": "mustContain",
+        "target": "project.plans",
+        "planName": "Regression"
+      },
+      "source": "README: Builds"
+    },
+    {
+      "id": "VALID-GUID-001",
+      "category": "TestCaseDesign",
+      "name": "Test case has valid identifier",
+      "description": "Test case must have a valid identifier: 'guid' (V3), 'id', or 'registryId' (legacy) attribute.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add a valid identifier to the <testCase> element: guid (preferred), id, or registryId attribute.",
+      "check": {
+        "type": "validIdentifier",
+        "target": "testCase"
+      },
+      "source": "INSTRUCTIONS.md: Top-Level Format & Structure"
+    },
+    {
+      "id": "VALID-STEPS-001",
+      "category": "TestCaseDesign",
+      "name": "Test case has steps element",
+      "description": "Test case must contain a <steps> element with at least one step.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add a <steps> element containing apiCall steps.",
+      "check": {
+        "type": "mustExist",
+        "target": "testCase.steps"
+      },
+      "source": "INSTRUCTIONS.md: Top-Level Format & Structure"
+    },
+    {
+      "id": "UI-CONNECT-ARGS-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "UiConnect has invalid arguments (ApexConnect arguments used)",
+      "description": "UiConnect steps have different arguments than ApexConnect. UiConnect does NOT support: autoCleanup, enableObjectIdLogging, quickUiLogin, closeAllPrimaryTabs, alreadyOpenBehaviour, lightningMode, uiApplicationName, cleanupConnectionName. Valid UiConnect arguments are: connectionName, connectionId, resultName, resultScope, reuseConnectionName, privateBrowsingMode, webBrowser.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Remove invalid arguments from UiConnect. For Salesforce connections requiring autoCleanup, use ApexConnect instead of UiConnect. UiConnect is for non-Salesforce UI connections only.",
+      "check": {
+        "type": "uiConnectInvalidArgs",
+        "target": "step"
+      },
+      "source": "Provar API Reference: UiConnect vs ApexConnect"
+    },
+    {
+      "id": "APEX-AUTOCLEANUP-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "Prefer autoCleanup over manual ApexDeleteObject steps",
+      "description": "ApexConnect should use autoCleanup=true instead of manual ApexDeleteObject steps. autoCleanup is preferred because it requires fewer steps, is more reliable (cleanup happens even if test fails), and automatically handles deletion order. Only use manual deletes when records are created indirectly and IDs aren't captured. Note: With multiple ApexConnect steps, autoCleanup only deletes records created using that specific connection's resultName.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Set autoCleanup=true in ApexConnect and remove manual ApexDeleteObject steps. autoCleanup automatically deletes records created via ApexCreateObject and UiWithScreen action=New (when sfUiTargetResultName captures the ID). With multiple connections, each autoCleanup only handles its own connection's records.",
+      "check": {
+        "type": "apexConnectAutoCleanup",
+        "target": "step"
+      },
+      "source": "INSTRUCTIONS.md: Salesforce Connect Steps"
+    },
+    {
+      "id": "UI-SCREEN-NAV-001",
+      "category": "TestCaseDesign",
+      "name": "First UiWithScreen must use navigate=Always or IfNeccessary",
+      "description": "The first UiWithScreen step must use navigate='Always' or 'IfNeccessary' to ensure proper navigation. Using 'Dont' will cause failures in CLI/debug mode. This rule is skipped for callable tests (visibility='Internal').",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Set navigate='Always' (preferred) or 'IfNeccessary' for the first UiWithScreen step. Never use 'Dont' on the first UiWithScreen unless in a callable test.",
+      "check": {
+        "type": "uiScreenNavigation",
+        "target": "step"
+      },
+      "source": "Provar UI Navigation Best Practices - CLI/Pipeline Compatibility"
+    },
+    {
+      "id": "UI-SCREEN-NAV-002",
+      "category": "TestCaseDesign",
+      "name": "First UiWithScreen should prefer navigate=Always over IfNeccessary",
+      "description": "The first UiWithScreen step should use navigate='Always' rather than 'IfNeccessary' for more reliable navigation. While 'IfNeccessary' works, 'Always' provides more consistent behavior. This rule is skipped for callable tests (visibility='Internal').",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Change navigate='IfNeccessary' to navigate='Always' for the first UiWithScreen step for more reliable navigation.",
+      "check": {
+        "type": "uiScreenNavigationIfNeccessary",
+        "target": "step"
+      },
+      "source": "Provar UI Navigation Best Practices"
+    },
+    {
+      "id": "UI-SCREEN-OBJID-001",
+      "category": "TestCaseDesign",
+      "name": "UiWithScreen with navigate=Always for Edit/View must have sfUiTargetObjectId",
+      "description": "When UiWithScreen navigates to an Edit or View screen with navigate='Always', the sfUiTargetObjectId argument must be populated to specify which record to edit or view. Without this, Provar cannot determine which record to navigate to. This does not apply to New screens (which create new records) or List/Home screens.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add sfUiTargetObjectId argument referencing a previously captured record ID variable (e.g., AccountId from a prior UiWithScreen with action=New or ApexCreateObject).",
+      "check": {
+        "type": "uiScreenObjectId",
+        "target": "step"
+      },
+      "source": "Provar UI Navigation Best Practices - Record Context"
+    },
+    {
+      "id": "APEX-RESULTNAME-001",
+      "category": "NamingConventions",
+      "name": "ApexConnect resultName is unique",
+      "description": "Each ApexConnect step must have a unique resultName for proper connection tracking.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Use unique resultName values like 'ApexConnection', 'ApexConnection2', etc.",
+      "check": {
+        "type": "uniqueResultNames",
+        "target": "step"
+      },
+      "source": "INSTRUCTIONS.md: Salesforce Connect Steps",
+      "notes": "Severity downgraded from major to minor in Session 4 - naming convention, not functional issue"
+    },
+    {
+      "id": "STEP-ITEMID-001",
+      "category": "TestCaseDesign",
+      "name": "testItemId values are whole numbers",
+      "description": "All testItemId attributes must be whole numbers, not decimals.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Use whole numbers for testItemId (1, 2, 3...) not decimals (1.0, 2.5).",
+      "check": {
+        "type": "wholeNumberTestItemId",
+        "target": "step"
+      },
+      "source": "INSTRUCTIONS.md: Top-Level Format & Structure"
+    },
+    {
+      "id": "VAR-USAGE-001",
+      "category": "DataDrivenTesting",
+      "name": "Variable references use correct syntax",
+      "description": "Variable references must use {VarName[1].Field} syntax, not {VarName.1.Field}.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Use {ResultName[index].FieldName} where index starts at 1, not 0.",
+      "check": {
+        "type": "variableSyntax",
+        "target": "step"
+      },
+      "source": "INSTRUCTIONS.md: Apex CRUD Steps",
+      "notes": "Severity downgraded from major to minor in Session 4 - code cleanliness, similar to unused imports"
+    },
+    {
+      "id": "CUSTOM-FIELD-001",
+      "category": "NamingConventions",
+      "name": "Custom fields end with __c",
+      "description": "Custom field references must end with '__c' suffix.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add '__c' suffix to custom field names (e.g. 'CustomField__c').",
+      "check": {
+        "type": "customFieldSuffix",
+        "target": "step"
+      },
+      "source": "INSTRUCTIONS.md: Final Reminders"
+    },
+    {
+      "id": "SOQL-SELECT-ID-001",
+      "category": "TestCaseDesign",
+      "name": "SOQL queries include Id and Name",
+      "description": "SOQL queries should retrieve Id and Name fields by default.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Add 'Id, Name' to SELECT clause for object queries.",
+      "check": {
+        "type": "disabled",
+        "subType": "soqlSelectFields",
+        "target": "step"
+      },
+      "source": "INSTRUCTIONS.md: Apex CRUD Steps"
+    },
+    {
+      "id": "CONTROL-FOREACH-001",
+      "category": "TestCaseDesign",
+      "name": "ForEach loops have valid source collection",
+      "description": "ForEach steps must specify a valid source collection to iterate over.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 4,
+      "recommendation": "Add 'list' argument to ForEach step referencing a valid collection variable.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.control.ForEach",
+        "argument": "list"
+      },
+      "source": "Provar Test Step Schema: Control Flow Steps"
+    },
+    {
+      "id": "CONTROL-IF-001",
+      "category": "TestCaseDesign",
+      "name": "If statements have conditions",
+      "description": "If steps must have a boolean condition expression.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'condition' argument to If step with valid boolean expression.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.If",
+        "argument": "condition"
+      },
+      "source": "Provar Test Step Schema: Control Flow Steps"
+    },
+    {
+      "id": "CONTROL-WHILE-001",
+      "category": "TestCaseDesign",
+      "name": "While loops have exit conditions",
+      "description": "While loops must have a condition to prevent infinite loops.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'condition' argument to While step that will eventually evaluate to false.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.control.DoWhile",
+        "argument": "condition"
+      },
+      "source": "Provar Test Step Schema: Control Flow Steps"
+    },
+    {
+      "id": "CONTROL-FOREACH-002",
+      "category": "TestCaseDesign",
+      "name": "ForEach loops have valueName to store current item",
+      "description": "ForEach steps must specify a valueName argument to store the current iteration value.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'valueName' argument to ForEach step to name the variable that will hold each item during iteration.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.control.ForEach",
+        "argument": "valueName"
+      },
+      "source": "Provar Test Step Schema: Control Flow Steps"
+    },
+    {
+      "id": "CONTROL-SWITCH-001",
+      "category": "TestCaseDesign",
+      "name": "Switch statements have value expression",
+      "description": "Switch steps must specify a value argument to evaluate against cases.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'value' argument to Switch step with the expression to evaluate.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.control.Switch",
+        "argument": "value"
+      },
+      "source": "Provar Test Step Schema: Control Flow Steps"
+    },
+    {
+      "id": "CONTROL-SLEEP-002",
+      "category": "TestCaseDesign",
+      "name": "Sleep steps have duration specified",
+      "description": "Sleep steps must specify sleepSecs argument with the number of seconds to wait.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'sleepSecs' argument to Sleep step with a positive decimal value.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.control.Sleep",
+        "argument": "sleepSecs"
+      },
+      "source": "Provar Test Step Schema: Control Flow Steps"
+    },
+    {
+      "id": "CONTROL-WAITFOR-001",
+      "category": "TestCaseDesign",
+      "name": "WaitFor steps have condition",
+      "description": "WaitFor steps must specify a condition argument to evaluate each iteration.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'condition' argument to WaitFor step with a boolean expression to wait for.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.control.WaitFor",
+        "argument": "condition"
+      },
+      "source": "Provar Test Step Schema: Control Flow Steps"
+    },
+    {
+      "id": "CONTROL-WAITFOR-002",
+      "category": "TestCaseDesign",
+      "name": "WaitFor steps have max iterations limit",
+      "description": "WaitFor steps must specify maxIterations to prevent infinite waiting.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add 'maxIterations' argument to WaitFor step to limit wait cycles.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.control.WaitFor",
+        "argument": "maxIterations"
+      },
+      "source": "Provar Test Step Schema: Control Flow Steps"
+    },
+    {
+      "id": "ASSERT-COMPARISON-001",
+      "category": "TestCaseDesign",
+      "name": "AssertValues has comparisonType",
+      "description": "AssertValues steps must specify a comparisonType argument (EqualTo, Contains, etc.).",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'comparisonType' argument with valid value: EqualTo, NotEqualTo, Contains, NotContains, StartsWith, EndsWith, GreaterThan, LessThan, Matches, IsNull, NotNull.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.AssertValues",
+        "argument": "comparisonType"
+      },
+      "source": "Provar Test Step Schema: Assertion Steps"
+    },
+    {
+      "id": "ASSERT-EXPECTED-001",
+      "category": "TestCaseDesign",
+      "name": "AssertValues has expectedValue",
+      "description": "AssertValues steps must specify an expectedValue argument containing the value to test.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'expectedValue' argument with the variable or value being verified.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.AssertValues",
+        "argument": "expectedValue"
+      },
+      "source": "Provar Test Step Schema: Assertion Steps"
+    },
+    {
+      "id": "ASSERT-ACTUAL-001",
+      "category": "TestCaseDesign",
+      "name": "AssertValues has actualValue",
+      "description": "AssertValues steps must specify an actualValue argument containing the expected result. NOTE: actualValue CAN be empty when using NotEqualTo to check if a string is NOT blank (common pattern for null/blank checks).",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'actualValue' argument with the expected result to compare against. For blank string checks, actualValue can be empty with NotEqualTo comparison.",
+      "check": {
+        "type": "disabled",
+        "comment": "DISABLED: False positive - actualValue CAN be empty for NotEqualTo blank string checks. Valid pattern: <argument id='actualValue'/> with NotEqualTo checks if string is not blank. Need to reimplement as conditional check that allows empty actualValue when comparisonType=NotEqualTo.",
+        "subtype": "assertActualValue"
+      },
+      "source": "Provar Test Step Schema: Assertion Steps"
+    },
+    {
+      "id": "BDD-GIVEN-001",
+      "category": "TestCaseDesign",
+      "name": "Given steps have description",
+      "description": "BDD Given steps must specify a description argument explaining the precondition.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add 'description' argument to Given step with a clear precondition statement.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.bdd.Given",
+        "argument": "description"
+      },
+      "source": "Provar Test Step Schema: BDD Steps"
+    },
+    {
+      "id": "BDD-WHEN-001",
+      "category": "TestCaseDesign",
+      "name": "When steps have description",
+      "description": "BDD When steps must specify a description argument explaining the action.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add 'description' argument to When step with a clear action statement.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.bdd.When",
+        "argument": "description"
+      },
+      "source": "Provar Test Step Schema: BDD Steps"
+    },
+    {
+      "id": "BDD-THEN-001",
+      "category": "TestCaseDesign",
+      "name": "Then steps have description",
+      "description": "BDD Then steps must specify a description argument explaining the expected outcome.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add 'description' argument to Then step with a clear expected outcome statement.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.bdd.Then",
+        "argument": "description"
+      },
+      "source": "Provar Test Step Schema: BDD Steps"
+    },
+    {
+      "id": "SOQL-QUERY-001",
+      "category": "TestCaseDesign",
+      "name": "ApexSoqlQuery has soqlQuery argument",
+      "description": "ApexSoqlQuery steps must specify a soqlQuery argument with the SOQL statement.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'soqlQuery' argument with valid SOQL statement (e.g., SELECT Id, Name FROM Account).",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexSoqlQuery",
+        "argument": "soqlQuery"
+      },
+      "source": "Provar Test Step Schema: Apex Steps"
+    },
+    {
+      "id": "DB-CONNECT-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "DbConnect has connectionName",
+      "description": "DbConnect steps must specify a connectionName argument identifying the database connection.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'connectionName' argument with the database connection identifier from environment settings.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.db.DbConnect",
+        "argument": "connectionName"
+      },
+      "source": "Provar Test Step Schema: Database Steps"
+    },
+    {
+      "id": "DB-CONNECT-002",
+      "category": "ConnectionsAndEnvironments",
+      "name": "DbConnect has resultName",
+      "description": "DbConnect steps must specify a resultName argument to store the connection reference.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'resultName' argument with the variable name to store the connection reference.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.db.DbConnect",
+        "argument": "resultName"
+      },
+      "source": "Provar Test Step Schema: Database Steps"
+    },
+    {
+      "id": "SQL-QUERY-001",
+      "category": "TestCaseDesign",
+      "name": "SqlQuery has query argument",
+      "description": "SqlQuery steps must specify a query argument with the SQL statement.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'query' argument with valid SQL statement.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.db.SqlQuery",
+        "argument": "query"
+      },
+      "source": "Provar Test Step Schema: Database Steps"
+    },
+    {
+      "id": "SQL-QUERY-002",
+      "category": "TestCaseDesign",
+      "name": "SqlQuery has dbConnectionName",
+      "description": "SqlQuery steps must specify a dbConnectionName argument referencing the database connection.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'dbConnectionName' argument with the resultName from a DbConnect step.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.db.SqlQuery",
+        "argument": "dbConnectionName"
+      },
+      "source": "Provar Test Step Schema: Database Steps"
+    },
+    {
+      "id": "REST-CONN-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "WebConnect has connectionName",
+      "description": "WebConnect steps must specify a connectionName argument identifying the web service connection.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'connectionName' argument with the web service connection identifier.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.restservice.WebConnect",
+        "argument": "connectionName"
+      },
+      "source": "Provar Test Step Schema: Web Service Steps"
+    },
+    {
+      "id": "REST-CONN-002",
+      "category": "ConnectionsAndEnvironments",
+      "name": "WebConnect has resultName",
+      "description": "WebConnect steps must specify a resultName argument to store the connection reference.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'resultName' argument with the variable name to store the connection reference.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.restservice.WebConnect",
+        "argument": "resultName"
+      },
+      "source": "Provar Test Step Schema: Web Service Steps"
+    },
+    {
+      "id": "REST-REQUEST-001",
+      "category": "TestCaseDesign",
+      "name": "RestRequest has connectionName",
+      "description": "RestRequest steps must specify a connectionName argument referencing the web service connection.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'connectionName' argument with the resultName from a WebConnect step.",
+      "check": {
+        "type": "mustContainArgument",
+        "apiId": "com.provar.plugins.bundled.apis.restservice.RestRequest",
+        "argument": "connectionName"
+      },
+      "source": "Provar Test Step Schema: Web Service Steps"
+    },
+    {
+      "id": "VAR-REFERENCE-001",
+      "category": "TestCaseDesign",
+      "name": "Variables are defined before use",
+      "description": "Variables referenced in test should be defined via SetValues or result from previous steps.",
+      "appliesTo": [
+        "Step",
+        "TestCase"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Define variable with SetValues step or ensure it's populated by previous step (SOQL, CreateObject, etc.).",
+      "check": {
+        "type": "variableDefinition",
+        "target": "testCase"
+      },
+      "source": "Provar Test Step Schema: Variable Validation"
+    },
+    {
+      "id": "CONN-APEX-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "Apex API calls reference valid connections",
+      "description": "Apex API operations must reference an existing ApexConnect connection.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Ensure ApexConnect step exists before Apex API calls and connection names match.",
+      "check": {
+        "type": "apexConnectionReference",
+        "target": "testCase"
+      },
+      "source": "Provar Test Step Schema: Connection Validation"
+    },
+    {
+      "id": "CONN-DB-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "Database operations reference valid connections",
+      "description": "Database API operations must reference an existing DbConnect connection.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Ensure DbConnect step exists before database operations and connection names match.",
+      "check": {
+        "type": "dbConnectionReference",
+        "target": "testCase"
+      },
+      "source": "Provar Test Step Schema: Connection Validation"
+    },
+    {
+      "id": "CONN-UI-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "UI operations reference valid connections",
+      "description": "UI API operations must reference an existing UiConnect connection.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Ensure UiConnect step exists before UI operations and connection names match.",
+      "check": {
+        "type": "uiConnectionReference",
+        "target": "testCase"
+      },
+      "source": "Provar Test Step Schema: Connection Validation"
+    },
+    {
+      "id": "UI-CONN-LITERAL-001",
+      "category": "ConnectionsAndEnvironments",
+      "name": "uiConnectionName must be a literal string",
+      "description": "UiWithScreen/UiDoAction/UiAssert steps must set uiConnectionName to a literal string (the resultName from UiConnect/ApexConnect). Using <value class=\"variable\"> for uiConnectionName causes Provar to error.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Set uiConnectionName using <value class=\"value\" valueClass=\"string\">AdminConnection</value> (not a variable reference).",
+      "check": {
+        "type": "uiConnectionNameLiteral",
+        "target": "step"
+      },
+      "source": "Provar Runtime Requirement - UI connection name must be literal"
+    },
+    {
+      "id": "SOQL-STRUCTURE-001",
+      "category": "TestCaseDesign",
+      "name": "SOQL queries have SELECT and FROM clauses",
+      "description": "Valid SOQL queries must contain both SELECT and FROM clauses.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Ensure SOQL query has format: SELECT <fields> FROM <object>",
+      "check": {
+        "type": "soqlStructure",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexSoqlQuery"
+      },
+      "source": "Provar Test Step Schema: SOQL Validation"
+    },
+    {
+      "id": "SOQL-WHERE-001",
+      "category": "TestCaseDesign",
+      "name": "SOQL queries include WHERE or LIMIT clause",
+      "description": "SOQL queries must have WHERE clause or LIMIT to prevent unreasonably large result sets and potential heap size errors. This prevents Apex governance violations and performance issues.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add WHERE clause to filter results (e.g. WHERE Id = :recordId) or LIMIT clause to cap result size (e.g. LIMIT 100). For large data volumes, always include both WHERE and LIMIT.",
+      "check": {
+        "type": "soqlWhereOrLimit",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexSoqlQuery"
+      },
+      "source": "SOQL Best Practices: Building Efficient & Selective Queries"
+    },
+    {
+      "id": "SOQL-IN-LOOP-001",
+      "category": "TestCaseDesign",
+      "name": "SOQL queries must not be inside loops",
+      "description": "SOQL queries inside For/ForEach/While/DoWhile loops violate Apex governor limits. Each SOQL query execution consumes from the 100 SOQL query limit per transaction. Queries in loops can quickly exceed this limit causing 'Too many SOQL queries: 101' errors.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Move SOQL query outside the loop and store results in a collection. Then iterate over the collection. Use SOQL WHERE clauses to filter in the query rather than filtering in a loop. Consider using aggregate queries or bulk processing patterns.",
+      "check": {
+        "type": "soqlInLoop",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexSoqlQuery"
+      },
+      "source": "SOQL Best Practices: Avoid SOQL inside FOR Loops - Apex Governance"
+    },
+    {
+      "id": "APEX-CONNECTION-REF-001",
+      "category": "ApexAPI",
+      "name": "Apex API steps must reference a valid connection",
+      "description": "All Apex API calls (ApexCreate, ApexUpdate, ApexDelete, ApexRead, ApexSoqlQuery) must reference a valid Salesforce connection defined earlier in the test using ApexConnect. Tests will fail if connection is missing, empty, or references an undefined connection name.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add an ApexConnect step before any Apex API calls to establish a Salesforce connection. Reference the connection name in all subsequent Apex API calls. Use variables for connection names if dynamically determined.",
+      "check": {
+        "type": "apexConnectionReference",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Connection Management"
+    },
+    {
+      "id": "APEX-OBJECT-TYPE-001",
+      "category": "ApexAPI",
+      "name": "Apex CRUD operations must have valid object types",
+      "description": "ApexCreate, ApexUpdate, ApexDelete, and ApexRead steps must specify a valid Salesforce object type (e.g., Account, Contact, Broker__c). Object type must start with capital letter and contain only alphanumeric characters and underscores. Invalid or missing object types cause test failures.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Specify the correct Salesforce object API name (e.g., Account, Contact, Custom__c). Use standard object names or custom object API names ending with __c. Verify object exists in the target Salesforce org.",
+      "check": {
+        "type": "apexObjectType",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Object Validation"
+    },
+    {
+      "id": "APEX-UPDATE-ID-001",
+      "category": "ApexAPI",
+      "name": "ApexUpdateObject must have valid record ID",
+      "description": "ApexUpdateObject requires a valid Salesforce record ID (15 or 18 characters) or a variable reference containing the ID. Missing, empty, or invalid record IDs cause test failures. Record IDs must be alphanumeric Salesforce IDs.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Provide a valid 15 or 18 character Salesforce record ID, or use a variable like {AccountId} that contains a valid ID from a prior Create or Read operation. Verify the record exists before attempting update.",
+      "check": {
+        "type": "apexRecordId",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Record ID Validation"
+    },
+    {
+      "id": "APEX-UPDATE-FIELDS-001",
+      "category": "ApexAPI",
+      "name": "ApexUpdateObject must specify fields to update",
+      "description": "ApexUpdateObject steps should specify at least one field to update in the field definitions. Update operations without field specifications have no effect and represent incomplete test logic. System arguments (objectType, recordId, objectId, apexConnectionName, resultScope, assignmentRuleId, resultIdName) are excluded from this check.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add field definitions to the ApexUpdateObject step and provide values for at least one field to update. For example, specify Name, Status, or other relevant fields with test data or variable references.",
+      "check": {
+        "type": "apexUpdateFields",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Field Validation"
+    },
+    {
+      "id": "APEX-DELETE-ID-001",
+      "category": "ApexAPI",
+      "name": "ApexDeleteObject must have valid record ID",
+      "description": "ApexDeleteObject requires a valid Salesforce record ID (15 or 18 characters) or a variable reference containing the ID. Missing, empty, or invalid record IDs cause test failures. Record IDs must be alphanumeric Salesforce IDs.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Provide a valid 15 or 18 character Salesforce record ID, or use a variable like {AccountId} that contains a valid ID from a prior Create or Read operation. Verify the record exists before attempting delete.",
+      "check": {
+        "type": "apexRecordId",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Record ID Validation"
+    },
+    {
+      "id": "APEX-READ-ID-001",
+      "category": "ApexAPI",
+      "name": "ApexReadObject must have valid record ID",
+      "description": "ApexReadObject requires a valid Salesforce record ID (15 or 18 characters) or a variable reference containing the ID. Missing, empty, or invalid record IDs cause test failures. Record IDs must be alphanumeric Salesforce IDs.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Provide a valid 15 or 18 character Salesforce record ID, or use a variable like {AccountId} that contains a valid ID from a prior Create operation. Verify the record exists before attempting read.",
+      "check": {
+        "type": "apexRecordId",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Record ID Validation"
+    },
+    {
+      "id": "APEX-CREATE-FIELDS-001",
+      "category": "ApexAPI",
+      "name": "ApexCreateObject with fields must populate at least one field",
+      "description": "When ApexCreateObject includes a fields structure, at least one field must be populated with a value. Empty field structures indicate incomplete test implementation and may cause test failures or create records with default values only.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Populate at least one field with a value or variable reference in the ApexCreateObject fields structure. Remove the fields structure if not needed. Verify required fields for the object are populated.",
+      "check": {
+        "type": "apexCreateFields",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Field Validation"
+    },
+    {
+      "id": "APEX-CREATE-METADATA-001",
+      "category": "ApexAPI",
+      "name": "ApexCreateObject and ApexUpdateObject must include parameter metadata",
+      "description": "ApexCreateObject and ApexUpdateObject steps MUST include <parameterGeneratorProperties> and <generatedParameters> sections after </arguments>. These metadata sections enable Provar IDE features like field auto-complete, field suggestions, and proper object binding. Missing metadata causes degraded IDE experience and prevents field discovery.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add <parameterGeneratorProperties> with ConnectionName and CustomObjectName properties, and <generatedParameters> with apiParam elements for each field used in arguments. Study existing tier4 examples to see the exact structure required.",
+      "check": {
+        "type": "apexCreateMetadata",
+        "target": "step"
+      },
+      "source": "Provar IDE Requirements - Parameter Metadata for Object Operations"
+    },
+    {
+      "id": "APEX-CREATE-UPDATE-STRUCTURE-001",
+      "category": "ApexAPI",
+      "name": "ApexUpdateObject/ApexCreateObject field arguments must be direct, not nested in uiObjectFieldValue",
+      "description": "ApexUpdateObject and ApexCreateObject steps MUST use direct field arguments (e.g., <argument id='Status'><value.../></argument>) instead of nesting fields within uiObjectFieldValue elements inside the values argument. The values argument should contain only an empty valueList. Nested uiObjectFieldValue structures cause runtime failures and prevent proper field serialization.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Use direct field arguments: <argument id='FieldName'><value class='value' valueClass='string'>FieldValue</value></argument> with a separate empty <argument id='values'><value class='valueList' mutable='Mutable'/></argument>. Do NOT nest fields inside uiObjectFieldValue within the values argument.",
+      "check": {
+        "type": "apexUpdateFieldStructure",
+        "target": "step"
+      },
+      "source": "Provar Runtime Requirements - API Object Field Structure"
+    },
+    {
+      "id": "APEX-READ-FIELDS-STRUCTURE-001",
+      "category": "ApexAPI",
+      "name": "ApexReadObject must use generatedParameters for field references, not fields argument with textType",
+      "description": "ApexReadObject steps should NOT use a 'fields' argument containing textType elements for field names. Instead, fields must be properly referenced via generatedParameters with modelBinding attributes. The incorrect pattern uses <argument id='fields'><value class='valueList'><textType>FieldName</textType></value></argument> which prevents proper field metadata and IDE integration. The correct pattern includes proper <generatedParameters> with <apiParam group='fields' modelBinding='sf:ui:binding:object?field=FieldName&object=ObjectType'> elements.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Remove the 'fields' argument with textType elements. Ensure each field has a corresponding <apiParam> entry in <generatedParameters> with proper modelBinding. Fields should be declared through generatedParameters, not through a fields argument.",
+      "check": {
+        "type": "apexReadFieldsStructure",
+        "target": "step"
+      },
+      "source": "Provar IDE Requirements - ApexReadObject Field Metadata"
+    },
+    {
+      "id": "APEX-APIPARAM-HALLUCINATION-001",
+      "category": "XMLSchema",
+      "name": "Apex CRUD apiParam elements must be self-closing without summary/type children",
+      "description": "In ApexCreateObject, ApexUpdateObject, and ApexReadObject steps, <apiParam> elements within <generatedParameters> MUST be self-closing tags without child elements. LLMs commonly hallucinate <summary> and <type> elements inside apiParam, which causes Provar to reject the test case as invalid XML. The correct pattern is: <apiParam group=\"fields\" modelBinding=\"sf:ui:binding:object?object=Account&field=Name\" name=\"Name\" title=\"Name\"/>. The hallucinated pattern includes <summary>description</summary> and <type><textType>...</textType></type> children which are ONLY valid in other contexts (RestRequest, UiDoAction) but NEVER in Apex CRUD operations.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Remove all <summary> and <type> child elements from apiParam elements in ApexCreateObject, ApexUpdateObject, and ApexReadObject steps. Use self-closing <apiParam .../> tags. For example: <apiParam group=\"fields\" modelBinding=\"sf:ui:binding:object?object=Account&amp;field=Name\" name=\"Name\" title=\"Name\"/>",
+      "check": {
+        "type": "apexApiParamHallucination",
+        "target": "step"
+      },
+      "notes": "CRITICAL severity - hallucinated summary/type elements in Apex CRUD apiParam cause Provar to mark test as invalid XML. Based on corpus analysis: 100% of Apex CRUD apiParam elements use self-closing tags without children. LLMs confuse this with RestRequest/UiDoAction patterns which DO allow summary/type children.",
+      "source": "Corpus analysis: InternalProjects - Apex CRUD apiParam structure validation"
+    },
+    {
+      "id": "APEX-READ-ASSERTIONS-001",
+      "category": "ApexAPI",
+      "name": "ApexReadObject should use resultAssertions instead of separate AssertValues",
+      "description": "When asserting field values after ApexReadObject, use <resultAssertions> within the ApexReadObject step rather than separate AssertValues API calls. This pattern is more efficient, provides better error messages, and maintains field metadata associations. The resultAssertions element should contain <resultAssertion> children with comparisonType, resultName, title, and optional <expected> elements.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 3,
+      "recommendation": "Add <resultAssertions> block within ApexReadObject after the <arguments> section. Move AssertValues logic into <resultAssertion> elements with appropriate comparisonType (EqualTo, IsPresent, NotEqualTo, etc.) and expected values where applicable.",
+      "check": {
+        "type": "apexReadAssertions",
+        "target": "step"
+      },
+      "source": "Provar Best Practices - Efficient Read and Assert Pattern"
+    },
+    {
+      "id": "APEX-EXTRACT-LAYOUT-001",
+      "category": "ApexAPI",
+      "name": "ApexExtractLayout must have object, file type, and path",
+      "description": "ApexExtractLayout requires three parameters: object (Salesforce object API name), fileType (.xlsx only supported), and filePath (where to save the layout). Missing any parameter causes test failure. Only .xlsx file format is supported for layout extraction.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Specify the Salesforce object API name, set fileType to .xlsx, and provide a valid file path for the extracted layout. Ensure the directory path exists and is writable. Use relative paths for portability.",
+      "check": {
+        "type": "apexExtractLayout",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Layout Extraction"
+    },
+    {
+      "id": "APEX-ASSERT-LAYOUT-001",
+      "category": "ApexAPI",
+      "name": "ApexAssertLayout must have object and expected file",
+      "description": "ApexAssertLayout requires two parameters: object (Salesforce object API name) and expectedFile (path to expected .xlsx layout file). Missing either parameter causes test failure. Only .xlsx file format is supported for layout assertions.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Specify the Salesforce object API name and provide path to expected .xlsx layout file. Ensure the expected file exists and is in .xlsx format. Use ApexExtractLayout to generate baseline layouts.",
+      "check": {
+        "type": "apexAssertLayout",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Layout Assertion"
+    },
+    {
+      "id": "CONN-ARG-001",
+      "category": "ApexAPI",
+      "name": "Connection arguments must use correct naming convention",
+      "description": "Different step types require specific connection argument names: 'connectionName' for Connect steps (ApexConnect, UiConnect, DbConnect, WebConnect) and web requests (RestRequest, SoapRequest); 'apexConnectionName' for Apex CRUD/SOQL operations (ApexCreateObject, ApexReadObject, ApexUpdateObject, ApexDeleteObject, ApexSoqlQuery, ApexBulk, etc.); 'uiConnectionName' for UI steps (UiWithScreen, UiDoAction, UiAssert); 'dbConnectionName' for database operations (DbDelete, DbInsert, DbRead, DbUpdate, SqlQuery). Using incorrect connection argument names causes connection lookup failures.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Use the correct connection argument name for each step type. Connect steps and web requests use 'connectionName'. Apex CRUD/SOQL operations use 'apexConnectionName'. UI steps use 'uiConnectionName'. Database operations use 'dbConnectionName'. Review Provar API documentation for the specific step type being used.",
+      "check": {
+        "type": "connectionArgumentNaming",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Connection Argument Conventions"
+    },
+    {
+      "id": "APEX-PARAM-GEN-URI-001",
+      "category": "ApexAPI",
+      "name": "Apex CRUD operations should include parameterGeneratorUri",
+      "description": "ApexCreateObject, ApexReadObject, and ApexUpdateObject steps should include the parameterGeneratorUri attribute for proper IDE support. This attribute enables field auto-complete, field suggestions, and proper object binding in Provar IDE. Missing this attribute degrades IDE experience and may cause issues in some Provar versions.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Add parameterGeneratorUri attribute to Apex CRUD steps: ApexCreateObject uses 'command:com.provar.plugins.forcedotcom.ui.commands.CreateCustomObjectTestStepCommand', ApexReadObject uses 'command:com.provar.plugins.forcedotcom.ui.commands.ReadCustomObjectTestStepCommand', ApexUpdateObject uses 'command:com.provar.plugins.forcedotcom.ui.commands.UpdateCustomObjectTestStepCommand'.",
+      "check": {
+        "type": "apexParameterGeneratorUri",
+        "target": "step"
+      },
+      "source": "Provar IDE Requirements - Parameter Generator Metadata"
+    },
+    {
+      "id": "ASSERT-ARG-ORDER-001",
+      "category": "TestCaseDesign",
+      "name": "AssertValues arguments must be in correct order",
+      "description": "AssertValues steps should contain the variable being tested (from Read/Query operations) and actualValue containing the expected literal value. Reversed arguments cause assertion logic to be backwards - comparing literals against variables instead of variables against expected values. This can result in unclear test step outcomes, although results are the same.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Correct the argument order: expectedValue should contain the variable reference (e.g., {OpportunityRead.Name}), actualValue should contain the expected literal value (e.g., 'Demo Opportunity'). The assertion logic is: 'Assert that expectedValue equals actualValue', which reads as 'Assert that {variable} equals literal'.",
+      "check": {
+        "type": "assertValuesArgumentOrder",
+        "target": "step"
+      },
+      "source": "Provar API Best Practices - Assertion Patterns"
+    },
+    {
+      "id": "ASSERT-API-001",
+      "category": "TestCaseDesign",
+      "name": "Must use AssertValues API, not deprecated Assert API",
+      "description": "Test cases must use the supported com.provar.plugins.bundled.apis.AssertValues API with expectedValue/actualValue/comparisonType arguments. The com.provar.plugins.bundled.core.testapis.Assert API is not supported and will not load properly in Provar. AssertValues provides more flexible comparison operators and clearer assertion semantics.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Replace com.provar.plugins.bundled.core.testapis.Assert steps with com.provar.plugins.bundled.apis.AssertValues. Use expectedValue (the variable being tested), comparisonType (EqualTo, NotEqualTo, etc.), actualValue (the expected result), and failureMessage (explanation of what failed).",
+      "check": {
+        "type": "assertApi",
+        "target": "step"
+      },
+      "source": "Provar API Reference - Assertion Steps"
+    },
+    {
+      "id": "ASSERT-VALUES-COMPARISON-001",
+      "category": "TestCaseDesign",
+      "name": "AssertValues should have meaningful expected values",
+      "description": "AssertValues steps using comparison operators (EqualTo, Contains, GreaterThan, etc.) should specify meaningful expectedValue arguments. Empty or missing expected values defeat the purpose of assertions and provide no validation. Without expected values, assertions cannot verify correct behavior. Comparison types requiring values: EqualTo, NotEqualTo, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Matches, NotMatches, GreaterThan, LessThan, GreaterThanOrEqualTo, LessThanOrEqualTo.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Specify a clear expectedValue for the assertion based on requirements. Use test data variables or literals that represent the expected state. Empty expected values provide no validation. For example: expectedValue='{Account.Name}', comparisonType='EqualTo', actualValue='ACME Corporation'.",
+      "check": {
+        "type": "assertValuesComparison",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.AssertValues"
+      },
+      "source": "Provar Test Step Schema: Meaningful Assertions (Phase 2 API Usage Analysis)"
+    },
+    {
+      "id": "CONTROL-SLEEP-001",
+      "category": "TestCaseDesign",
+      "name": "Sleep step duration and frequency issues",
+      "description": "Sleep steps with duration > 10 seconds cause unnecessary test execution time (major). Sleep inside loops multiplies wait time and indicates polling anti-pattern (minor). More than 5 sleeps per 50 steps indicates excessive waiting rather than proper synchronization (minor).",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Replace long sleeps with explicit waits for conditions. Move sleeps outside loops and use proper wait-until-ready patterns. Replace multiple sleeps with single targeted waits. Use UI wait conditions, API polling with timeout, or event-driven synchronization.",
+      "check": {
+        "type": "controlSleep",
+        "target": "step"
+      },
+      "source": "Provar Best Practices - Synchronization and Waits"
+    },
+    {
+      "id": "CONTROL-WHILE-MAX-001",
+      "category": "TestCaseDesign",
+      "name": "While loop must have termination condition",
+      "description": "While loops without counterEnd and without a terminating condition (<=, <, >=, >, ==, !=) can run infinitely if no termination is defined (major). While loops with condition='true' or '{true}' are infinite loops that rely solely on break statements, making them difficult to debug (minor). A loop is valid if it has either counterEnd OR a comparison condition.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Either set counterEnd to a reasonable limit (e.g., 10, 50, 100) OR use a terminating condition with a comparison operator (e.g., {Counter <= MaxIterations}). Avoid while{true} - use a meaningful condition instead. Add timeout handling and clear exit conditions. Consider using For loop with fixed iteration count if possible.",
+      "check": {
+        "type": "controlWhileMaxIterations",
+        "target": "step"
+      },
+      "source": "Provar Best Practices - Loop Control and Safety"
+    },
+    {
+      "id": "CONTROL-FINALLY-001",
+      "category": "TestCaseDesign",
+      "name": "Finally block must have description and be at end",
+      "description": "Finally blocks without descriptions make it unclear what cleanup actions are performed (major). Finally blocks not at the end of the test may not execute if test stops before reaching them (minor). Finally is meant for cleanup that always runs regardless of test outcome.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add clear description to Finally block explaining what cleanup actions are performed (e.g., 'Delete test data', 'Logout'). Move Finally block to the end of the test to ensure cleanup runs. Use Finally for critical cleanup like deleting test records or closing connections.",
+      "check": {
+        "type": "controlFinallyEnhanced",
+        "target": "step"
+      },
+      "source": "Provar Best Practices - Exception Handling and Cleanup"
+    },
+    {
+      "id": "SOQL-RESULT-001",
+      "category": "TestCaseDesign",
+      "name": "SOQL queries specify resultListName",
+      "description": "SOQL queries must specify resultListName to capture query results.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'resultListName' argument to store query results.",
+      "check": {
+        "type": "soqlResultName",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexSoqlQuery"
+      },
+      "source": "Provar Test Step Schema: SOQL Validation"
+    },
+    {
+      "id": "DATA-TYPE-BOOL-001",
+      "category": "TestCaseDesign",
+      "name": "Boolean values are 'true' or 'false'",
+      "description": "Boolean value elements must contain exactly 'true' or 'false' (lowercase).",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Set boolean value to 'true' or 'false' (not 'True', 'FALSE', '1', '0', etc.).",
+      "check": {
+        "type": "booleanValue",
+        "target": "step"
+      },
+      "source": "Provar Test Step Schema: Data Type Validation"
+    },
+    {
+      "id": "DATA-TYPE-NUMBER-001",
+      "category": "TestCaseDesign",
+      "name": "Numeric values are valid numbers",
+      "description": "DISABLED: Rule generates false positives. Flags numeric-looking strings in SetValues without checking Salesforce field types. Many text fields (ZIP codes, IDs with leading zeros, year fields) legitimately store numeric strings.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 0,
+      "recommendation": "Review if this value should be valueClass='decimal' for calculations, or valueClass='string' for text fields like IDs, ZIP codes, phone numbers. Consider field type in Salesforce.",
+      "check": {
+        "type": "numericValue",
+        "target": "step"
+      },
+      "source": "Provar Test Step Schema: Data Type Validation (DISABLED due to false positives - needs field-type awareness)"
+    },
+    {
+      "id": "SETVALUES-STRUCTURE-001",
+      "category": "TestCaseDesign",
+      "name": "SetValues steps have namedValues container",
+      "description": "SetValues steps must have <namedValues> container element.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add <namedValues> container inside values argument.",
+      "check": {
+        "type": "setValuesStructure",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.control.SetValues"
+      },
+      "source": "Provar Test Step Schema: SetValues Validation"
+    },
+    {
+      "id": "SETVALUES-NAME-001",
+      "category": "NamingConventions",
+      "name": "SetValues namedValue elements have name attribute",
+      "description": "Each namedValue element must have a 'name' attribute defining the variable name.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'name' attribute to each <namedValue> element.",
+      "check": {
+        "type": "namedValueName",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.control.SetValues"
+      },
+      "source": "Provar Test Step Schema: SetValues Validation"
+    },
+    {
+      "id": "SETVALUES-VALUE-001",
+      "category": "TestCaseDesign",
+      "name": "SetValues namedValue elements have value element",
+      "description": "Each namedValue must contain a <value> element defining the variable value.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add <value> element inside each <namedValue>.",
+      "check": {
+        "type": "namedValueValue",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.control.SetValues"
+      },
+      "source": "Provar Test Step Schema: SetValues Validation"
+    },
+    {
+      "id": "SETVALUES-INVALID-ELEMENT-001",
+      "category": "StructureAndGrouping",
+      "name": "SetValues must not contain invalid child elements",
+      "description": "SetValues steps must use the correct structure with <namedValues> containing <namedValue> elements. AI models sometimes hallucinate invalid elements like <namedValueSet>, <name>, or nested <namedValues> incorrectly. The correct structure is: <namedValues mutable=\"Mutable\"><namedValue name=\"valuePath\">...</namedValue><namedValue name=\"value\">...</namedValue><namedValue name=\"valueScope\">...</namedValue></namedValues>",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Use correct SetValues structure: <value class=\"valueList\" mutable=\"Mutable\"><namedValues mutable=\"Mutable\"><namedValue name=\"valuePath\"><value class=\"value\" valueClass=\"string\">VariableName</value></namedValue><namedValue name=\"value\"><value>...</value></namedValue><namedValue name=\"valueScope\"><value class=\"value\" valueClass=\"string\">Test</value></namedValue></namedValues></value>. Each variable requires one <namedValues> block with three <namedValue> children: valuePath, value, and valueScope.",
+      "check": {
+        "type": "setValuesInvalidElements",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.control.SetValues",
+        "invalidElements": ["namedValueSet", "name"]
+      },
+      "notes": "AI models hallucinate <namedValueSet> and <name> elements which are not valid in Provar SetValues. The correct child elements are: <namedValues> (container) and <namedValue> (with name attribute).",
+      "source": "Field observation: SetValues structure hallucination pattern"
+    },
+    {
+      "id": "VAR-PROPERTY-001",
+      "category": "TestCaseDesign",
+      "name": "Variable property references must be valid",
+      "description": "Variable property references (<path element>) must reference valid properties. For SOQL query results, only fields in the SELECT clause are valid. Common hallucinations include: .size, .length, .count (use Count() function), duplicate path elements, and referencing fields not in the query.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 6,
+      "recommendation": "For list size, use Count(variable) function. For properties, ensure the field is included in the SOQL SELECT clause or ApexReadObject generatedParameters. Remove duplicate path elements.",
+      "check": {
+        "type": "invalidVariableProperty",
+        "target": "step",
+        "invalidProperties": ["size", "length", "count", "empty", "isEmpty", "first", "last", "keys", "values"]
+      },
+      "notes": "AI models hallucinate properties that don't exist on Provar variables: .size/.length/.count (use Count() function), .empty (use Count()=0), .first/.last (use index notation). Also catches: duplicate path elements (VarName.VarName.Field), undefined properties not in SOQL SELECT or generatedParameters.",
+      "source": "Field observation: Variable property hallucination patterns"
+    },
+    {
+      "id": "CLEANUP-CONSISTENCY-001",
+      "category": "TestCaseDesign",
+      "name": "Manual cleanup matches object creation",
+      "description": "When autoCleanup=false, test should have ApexDeleteObject steps matching ApexCreateObject steps.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add ApexDeleteObject steps for created objects or set autoCleanup=true.",
+      "check": {
+        "type": "cleanupConsistency",
+        "target": "testCase"
+      },
+      "source": "Provar Test Step Schema: AutoCleanup Validation"
+    },
+    {
+      "id": "CLEANUP-ORDER-001",
+      "category": "TestCaseDesign",
+      "name": "Cleanup deletes objects in reverse order",
+      "description": "When manually deleting objects, delete child objects before parent objects.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Reorder ApexDeleteObject steps: delete child records before parent records.",
+      "check": {
+        "type": "cleanupOrder",
+        "target": "testCase"
+      },
+      "source": "Provar Test Step Schema: AutoCleanup Best Practices"
+    },
+    {
+      "id": "CREATE-RESULT-001",
+      "category": "TestCaseDesign",
+      "name": "ApexCreateObject steps specify resultIdName",
+      "description": "ApexCreateObject should specify resultIdName to capture created record ID for later reference or cleanup.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add 'resultIdName' argument to store created record ID (e.g. 'CreatedAccountId', 'OpportunityId').",
+      "check": {
+        "type": "createResultName",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexCreateObject"
+      },
+      "source": "Provar Test Step Schema: Apex CRUD Best Practices"
+    },
+    {
+      "id": "CALLABLE-VISIBILITY-001",
+      "category": "ReusabilityAndCallables",
+      "name": "Called test cases are marked as Callable",
+      "description": "Test cases invoked via TestCaseCall must have visibility='Callable' attribute.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Set visibility='Callable' on called test case or reference a callable test.",
+      "check": {
+        "type": "callableVisibility",
+        "target": "step",
+        "apiId": "com.provar.core.testapis.TestCaseCall"
+      },
+      "source": "Provar Test Step Schema: Callable Validation"
+    },
+    {
+      "id": "LOG-LEVEL-001",
+      "category": "TestCaseDesign",
+      "name": "Log messages use appropriate log levels",
+      "description": "Log steps should use appropriate log levels: INFO for general info, WARN for warnings, ERROR for errors.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Set logLevel argument to appropriate value: INFO, WARN, ERROR, or DEBUG.",
+      "check": {
+        "type": "logLevel",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.control.Log"
+      },
+      "source": "Provar Test Step Schema: Logging Best Practices"
+    },
+    {
+      "id": "UI-ASSERT-TYPE-001",
+      "category": "TestCaseDesign",
+      "name": "UiAssert steps specify assertion type",
+      "description": "UiAssert steps should specify assertionType (Visible, Value, Enabled, etc.) for clarity.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Add 'assertionType' argument specifying the type of assertion.",
+      "check": {
+        "type": "uiAssertType",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiAssert"
+      },
+      "source": "Provar Test Step Schema: UI Validation Best Practices"
+    },
+    {
+      "id": "UI-DOACTION-VALUE-001",
+      "category": "TestCaseDesign",
+      "name": "UiDoAction Set requires value argument",
+      "description": "UiDoAction steps with interactionType='Set' must have a value argument.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add 'value' argument when using Set interaction type.",
+      "check": {
+        "type": "uiDoActionValue",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiDoAction"
+      },
+      "source": "Provar Test Step Schema: UI Interaction Validation"
+    },
+    {
+      "id": "UI-LOCATOR-BINDING-001",
+      "category": "TestCaseDesign",
+      "name": "Ui locator built-in actions use object binding",
+      "description": "For Salesforce built-in actions (New, Edit, Save, Convert, etc.), uiLocator URIs must use an object binding (sf:ui:binding:object?object=...&action=...). Using the action binding form (sf:ui:binding:action?actionName=...) is known to cause runtime execution failures in generated tests.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Use an object-binding locator like: ui:locator?name=<ActionName>&binding=sf%3Aui%3Abinding%3Aobject%3Fobject%3D<ObjectApiName>%26action%3D<ActionName> (replace object/action accordingly).",
+      "check": {
+        "type": "uiLocatorBinding",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiDoAction"
+      },
+      "source": "Field observation: uiLocator bindings using action?actionName are unreliable; prefer object binding for built-in actions"
+    },
+    {
+      "id": "UI-ASSERT-FIELDLOCATOR-001",
+      "category": "TestCaseDesign",
+      "name": "UiAssert fieldLocator uses object+field binding",
+      "description": "UiAssert embedded field assertions (uiFieldAssertion) must use a fieldLocator with an object binding (sf:ui:binding:object?field=<Field>&object=<Object>) and a locator name matching the field (name=<Field>). Incorrect fieldLocator bindings can cause runtime failures or assertions targeting the wrong element.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Use one of: (1) sf:ui:locator?name=<FieldApiName>&binding=sf%3Aui%3Abinding%3Aobject%3Ffield%3D<FieldApiName>%26object%3D<ObjectApiName> (ensure name and field match), (2) ui:pageobject:field?field=<elementName>&pageId=pageobjects.<PageObjectClass>, or (3) ui:locator?name=<fieldName> for Page Object locator references.",
+      "check": {
+        "type": "uiAssertFieldLocatorBinding",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiAssert"
+      },
+      "source": "Field observation: UiAssert fieldLocator must use valid binding pattern (SF metadata, Page Object, or locator reference)"
+    },
+    {
+      "id": "UI-ASSERT-FIELDLOCATOR-002",
+      "category": "TestCaseDesign",
+      "name": "UiAssert fieldAssertion must not wrap fieldLocator in uiLocator",
+      "description": "UiAssert embedded field assertions (uiFieldAssertion) must use fieldLocator with a uri attribute directly. DO NOT wrap the locator in a nested <uiLocator/> element. The correct format is <fieldLocator uri=\"...\"/> not <fieldLocator><uiLocator uri=\"...\"/></fieldLocator>. This incorrect nesting causes runtime failures.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Use <fieldLocator uri=\"ui:locator?name=FieldApiName&amp;binding=sf%3Aui%3Abinding%3Aobject%3Ffield%3DFieldApiName%26object%3DObjectApiName\"/> directly without wrapping in <uiLocator/>.",
+      "check": {
+        "type": "uiAssertFieldLocatorStructure",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiAssert"
+      },
+      "source": "Field observation: UiAssert fieldLocator must be direct uri attribute, not nested uiLocator element"
+    },
+    {
+      "id": "UI-ASSERT-FIELDLOCATOR-003",
+      "category": "TestCaseDesign",
+      "name": "UiAssert bare locator in Salesforce metadata context causes render failure",
+      "description": "UiAssert uiFieldAssertion using a bare locator reference (ui:locator?name=X without a binding parameter) inside a UiWithScreen whose target is a Salesforce metadata context (sf:ui:target?object=...) will fail to render in Provar Automation. Bare locators are only valid inside Page Object contexts. In Salesforce metadata contexts, the fieldLocator must include a full binding (ui:locator?name=X&binding=sf%3Aui%3Abinding%3Aobject%3Fobject%3D...%26field%3D...). This commonly occurs when asserting button visibility (e.g., Run, Edit, Delete buttons) as uiFieldAssertions — buttons are not Salesforce fields and cannot be asserted this way.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Remove the bare-locator uiFieldAssertion for non-field elements (buttons, actions). If you need to verify a button exists, use a UiDoAction click interaction instead of a UiAssert fieldAssertion. For Salesforce field assertions, always include the full binding: <fieldLocator uri=\"ui:locator?name=FieldApiName&amp;binding=sf%3Aui%3Abinding%3Aobject%3Fobject%3DObjectApiName%26field%3DFieldApiName\"/>. NEVER use bare ui:locator?name=X without a binding inside a Salesforce metadata UiWithScreen.",
+      "check": {
+        "type": "uiAssertBareLocatorInSfContext",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiAssert"
+      },
+      "source": "Field observation: Bare ui:locator?name=X in Salesforce metadata UiWithScreen causes Provar Automation render failure (CRITICAL)"
+    },
+    {
+      "id": "UI-LOCATOR-ACTION-001",
+      "category": "TestCaseDesign",
+      "name": "UiDoAction locator URIs must use valid patterns",
+      "description": "Validates all UiDoAction locator URI patterns including: (1) SF locators: ui:locator?name=...&binding=sf:ui:binding:object?... with required name and binding params, (2) Page Object Fields: ui:pageobject:field?field=...&pageId=pageobjects... with required field and pageId params, (3) Page Object Methods: ui:pageobject:method?pageId=...&operation=... with required pageId and operation params, (4) Lead Conversion context-aware patterns (Convert on View vs submitConvert in Dialog). Detects malformed URIs like '%3Action' which should be '%3Faction'.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "SF locators: ui:locator?name=<Name>&binding=sf%3Aui%3Abinding%3Aobject%3F<params>. Page Object Fields: ui:pageobject:field?field=<elementName>&pageId=pageobjects.<Class>. Page Object Methods: ui:pageobject:method?pageId=pageobjects.<Class>&operation=<methodName>. Ensure '%3F' (?) precedes query params in bindings, not '%3A' (colon).",
+      "check": {
+        "type": "uiLocatorActionBinding",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiDoAction"
+      },
+      "notes": "Validates: (1) SF locator structure (name, binding params), (2) Page Object Field locators (field, pageId params), (3) Page Object Method locators (pageId, operation params), (4) Lead Conversion context patterns, (5) Malformed URI detection (%3Action→%3Faction).",
+      "source": "Field observation: UiDoAction locators require specific URI formats for proper Provar UI rendering"
+    },
+    {
+      "id": "UI-SCREEN-TARGET-001",
+      "category": "TestCaseDesign",
+      "name": "UiWithScreen target URIs must use valid patterns",
+      "description": "Validates all UiWithScreen target URI patterns including: (1) SF targets with valid parameters (object/action, lightningComponent, lightningWebComponent, auraComponent, application/tab, lookup, fieldService, action-only), (2) Page Object targets: ui:pageobject:target?pageId=pageobjects... with required pageId param starting with 'pageobjects.' prefix.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "SF Object-Action targets: sf:ui:target?object=<Object>&action=<Action>. SF Lightning targets: sf:ui:target?lightningComponent=<Component>. Page Object targets: ui:pageobject:target?pageId=pageobjects.<PageObjectClass>.",
+      "check": {
+        "type": "uiWithScreenTarget",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiWithScreen"
+      },
+      "notes": "Validates: (1) SF target has at least one valid param (object, action, lightningComponent, lightningWebComponent, auraComponent, application, lookup, fieldService), (2) Page Object target has pageId with 'pageobjects.' prefix.",
+      "source": "Field observation: UiWithScreen targets require specific URI formats for proper Provar UI rendering"
+    },
+    {
+      "id": "APEX-REUSE-CONN-001",
+      "category": "TestCaseDesign",
+      "name": "ApexConnect reuseConnectionName should be left blank",
+      "description": "The reuseConnectionName argument in ApexConnect steps should be left empty/blank. AI models may hallucinate invalid values like 'Reuse' which cause runtime errors.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Leave reuseConnectionName blank: <argument id=\"reuseConnectionName\"/> or <argument id=\"reuseConnectionName\"><value class=\"value\"/></argument>. Do not use string values.",
+      "check": {
+        "type": "apexConnectReuseConnection",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexConnect"
+      },
+      "notes": "Corpus analysis shows reuseConnectionName is always empty in valid test cases. Non-empty values are AI hallucinations.",
+      "source": "Field observation: ApexConnect reuseConnectionName hallucination pattern"
+    },
+    {
+      "id": "APEX-CONNECT-ARGS-001",
+      "category": "XMLSchema",
+      "name": "ApexConnect - Only valid argument IDs allowed",
+      "description": "ApexConnect steps must use ONLY the 21 valid argument IDs defined in Provar schema. AI models commonly hallucinate plausible-sounding but invalid arguments like autoPopulateRequiredFields, assertObjectFieldsPopulated, commandTimeout which cause Provar to reject the test case.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Only use these 21 valid ApexConnect argument IDs: connectionName, resultName, resultScope, uiApplicationName, quickUiLogin, closeAllPrimaryTabs, reuseConnectionName, alreadyOpenBehaviour, autoCleanup, cleanupConnectionName, logFileLocation, connectionId, enableObjectIdLogging, privateBrowsingMode, lightningMode, username, password, securityToken, environment, webBrowser. If you don't have a value, leave the argument empty: <argument id=\"username\"/> rather than inventing values.",
+      "check": {
+        "type": "apexConnectValidArguments",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexConnect",
+        "validArgumentIds": [
+          "connectionName",
+          "resultName",
+          "resultScope",
+          "uiApplicationName",
+          "quickUiLogin",
+          "closeAllPrimaryTabs",
+          "reuseConnectionName",
+          "alreadyOpenBehaviour",
+          "autoCleanup",
+          "cleanupConnectionName",
+          "logFileLocation",
+          "connectionId",
+          "enableObjectIdLogging",
+          "privateBrowsingMode",
+          "lightningMode",
+          "username",
+          "password",
+          "securityToken",
+          "environment",
+          "webBrowser"
+        ]
+      },
+      "notes": "Provar performs strict schema validation and will reject test cases with unknown argument IDs. Common hallucinated arguments: autoPopulateRequiredFields, assertObjectFieldsPopulated, commandTimeout, autoRetry, timeout, connectionTimeout.",
+      "source": "Provar XML Schema: ApexConnect Argument Whitelist"
+    },
+    {
+      "id": "APEX-CONNECT-CONNID-001",
+      "category": "XMLSchema",
+      "name": "ApexConnect connectionId must use valueClass='id'",
+      "description": "The connectionId argument in ApexConnect steps MUST use valueClass='id' with a GUID format value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), NOT valueClass='string'. Using valueClass='string' breaks connection references in Provar.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Use correct format: <argument id=\"connectionId\"><value class=\"value\" valueClass=\"id\">bce7fd3f-0f81-4c5c-ab68-c3edd44b5d1e</value></argument>. NEVER use valueClass=\"string\" or value=\"default\". If you don't have a specific GUID, leave the argument empty: <argument id=\"connectionId\"/>",
+      "check": {
+        "type": "apexConnectConnectionIdValueClass",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexConnect"
+      },
+      "notes": "AI models commonly use valueClass='string' with value='default' which is invalid. connectionId must reference a valid Provar connection using its GUID identifier with valueClass='id'.",
+      "source": "Provar XML Schema: connectionId Type Constraint"
+    },
+    {
+      "id": "UI-WAIT-VALUECLASS-001",
+      "category": "TestCaseDesign",
+      "name": "Wait arguments must use uiWait value class",
+      "description": "The beforeWait, afterWait, and autoRetry arguments in UiDoAction and UiAssert steps must use class=\"uiWait\" with a uri attribute. Using valueClass=\"boolean\" is incorrect and causes runtime errors.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Use uiWait class with uri: <value class=\"uiWait\" uri=\"default\"/> or <value class=\"uiWait\" uri=\"ui:wait:timed?seconds=5\"/>. Valid uri patterns: default, NoWait, ui:wait:timed?seconds=N, ui:wait:autoRetry:timeout=N, ui:wait:auraBusy?timeout=N, ui:wait:pageload?timeout=N.",
+      "check": {
+        "type": "uiWaitValueClass",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiDoAction"
+      },
+      "notes": "AI models sometimes hallucinate boolean values for wait arguments. The correct pattern is class=\"uiWait\" with uri attribute.",
+      "source": "Field observation: Wait argument valueClass hallucination pattern"
+    },
+    {
+      "id": "UI-LOCATOR-SAVE-001",
+      "category": "TestCaseDesign",
+      "name": "Save button locator must use correct pattern",
+      "description": "Save button locators in UiDoAction steps must use lowercase 'save' and correct URI parameter order. Common error: using 'Save' (capital S) with action before object, or using %3A instead of %3F after object?",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Use correct pattern: name=save (lowercase), binding=sf%3Aui%3Abinding%3Aobject%3Fobject%3D<Object>%26action%3Dsave. Common mistakes: (1) Capital S in 'Save', (2) action before object in binding, (3) using %3Action instead of %3Faction, (4) using %3A instead of %3F after 'object?'",
+      "check": {
+        "type": "uiLocatorSaveButton",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiDoAction"
+      },
+      "notes": "Corpus analysis shows Save button should use lowercase 'save' with object parameter before action parameter. Pattern: object?object=<Type>&action=save",
+      "source": "Field observation: Save button locator pattern"
+    },
+    {
+      "id": "UI-TARGET-ACTION-001",
+      "category": "TestCaseDesign",
+      "name": "UiWithScreen target uses invalid action value",
+      "description": "The action parameter in sf:ui:target URIs must use valid Provar action names. AI models commonly hallucinate 'action=Home' when the correct value is 'action=ObjectHome'.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Use valid action values: ObjectHome (for object list/home), New, View, Edit, List, Convert, GlobalSearch, QuickAction, etc. Common fixes: Home→ObjectHome, Create→New, Update→Edit, Details→View.",
+      "check": {
+        "type": "uiTargetActionValue",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiWithScreen"
+      },
+      "notes": "Corpus analysis shows valid actions: ObjectHome, New, View, Edit, List, Convert, GlobalSearch, QuickAction, ChangeStatus, Search, recordTypeNew, attachFile, addProd, ownershipTransfer, PathAssistant, piSubmit, OppContactRoleMultiAdd, ActivityTimeline. 'Home' alone is never valid - always use 'ObjectHome'.",
+      "source": "Field observation: action=Home hallucination pattern"
+    },
+    {
+      "id": "CONTROL-SLEEP-001",
+      "category": "TestCaseDesign",
+      "name": "Sleep duration should be under 5 seconds",
+      "description": "Fixed sleep durations should be kept short (<5 seconds). Prefer WaitFor with condition over fixed Sleep.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Use WaitFor with condition instead of Sleep, or reduce sleep duration to <5 seconds.",
+      "check": {
+        "type": "sleepDuration",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.control.Sleep",
+        "maxDuration": 5
+      },
+      "source": "Provar Best Practices: Prefer conditional waits over fixed sleeps"
+    },
+    {
+      "id": "CONTROL-FINALLY-001",
+      "category": "StructureAndGrouping",
+      "name": "Finally block should be at end of test",
+      "description": "Finally blocks should be placed at the end of the test to ensure cleanup always executes.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Move Finally block to end of test case.",
+      "check": {
+        "type": "finallyPlacement",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.control.Finally"
+      },
+      "source": "Provar Best Practices: Finally blocks for reliable cleanup"
+    },
+    {
+      "id": "BDD-GIVEN-FIRST-001",
+      "category": "StructureAndGrouping",
+      "name": "BDD scenario should start with Given",
+      "description": "BDD test cases should start with Given step to establish preconditions.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Start BDD scenario with Given step.",
+      "check": {
+        "type": "bddGivenFirst",
+        "target": "testCase"
+      },
+      "source": "BDD Best Practices: Given-When-Then structure"
+    },
+    {
+      "id": "BDD-ORDER-001",
+      "category": "StructureAndGrouping",
+      "name": "BDD steps should follow logical order",
+      "description": "BDD steps should follow Given->When->Then order (with And/But as connectors).",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Reorder BDD steps to follow Given->When->Then pattern.",
+      "check": {
+        "type": "bddOrder",
+        "target": "testCase"
+      },
+      "source": "BDD Best Practices: Scenario structure"
+    },
+    {
+      "id": "BDD-AND-LIMIT-001",
+      "category": "StructureAndGrouping",
+      "name": "Limit And/But chain length",
+      "description": "Chains of And/But steps should be limited to 3-5 for readability.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Break long And/But chains into separate scenarios.",
+      "check": {
+        "type": "bddAndChainLength",
+        "target": "testCase",
+        "maxChainLength": 5
+      },
+      "source": "BDD Best Practices: Readability"
+    },
+    {
+      "id": "APEX-EXECUTE-SYNTAX-001",
+      "category": "TestCaseDesign",
+      "name": "ApexExecute code should be valid Apex syntax",
+      "description": "Anonymous Apex code blocks should be syntactically valid.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Validate Apex syntax before execution. Test in Developer Console first.",
+      "check": {
+        "type": "apexSyntax",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexExecute"
+      },
+      "source": "Salesforce Development Best Practices"
+    },
+    {
+      "id": "APEX-BULK-LIMIT-001",
+      "category": "TestCaseDesign",
+      "name": "ApexBulk should be used for large data volumes",
+      "description": "Use ApexBulk for operations with more than 200 records.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Use ApexBulk instead of individual CRUD operations for >200 records.",
+      "check": {
+        "type": "apexBulkUsage",
+        "target": "testCase"
+      },
+      "source": "Salesforce API Best Practices: Bulk operations"
+    },
+    {
+      "id": "UI-NAVIGATE-PREFER-SCREEN-001",
+      "category": "TestCaseDesign",
+      "name": "Prefer UiWithScreen over UiNavigate for Salesforce",
+      "description": "For Salesforce navigation, prefer UiWithScreen over direct URL navigation with UiNavigate.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Use UiWithScreen for Salesforce screens instead of UiNavigate.",
+      "check": {
+        "type": "uiNavigateUsage",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiNavigate"
+      },
+      "source": "Provar UI Testing Best Practices"
+    },
+    {
+      "id": "UI-FILL-VERIFY-001",
+      "category": "TestCaseDesign",
+      "name": "Verify fields after UiFill",
+      "description": "UiFill should be followed by UiAssert to verify all fields were filled correctly.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Add UiAssert steps after UiFill to verify field values.",
+      "check": {
+        "type": "uiFillVerification",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiFill"
+      },
+      "source": "Provar UI Testing Best Practices"
+    },
+    {
+      "id": "UI-ALERT-HANDLE-001",
+      "category": "TestCaseDesign",
+      "name": "UiHandleAlert should capture alert text",
+      "description": "When handling alerts with GetText action, store the text in a result variable.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Set resultName when using GetText action on UiHandleAlert.",
+      "check": {
+        "type": "uiHandleAlertResult",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiHandleAlert"
+      },
+      "source": "Provar UI Testing Best Practices"
+    },
+    {
+      "id": "UTIL-REPLACE-EMPTY-001",
+      "category": "TestCaseDesign",
+      "name": "Replace searchString should not be empty",
+      "description": "Replace step searchString parameter should not be empty string.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Provide non-empty searchString for Replace operation.",
+      "check": {
+        "type": "replaceSearchString",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.string.Replace"
+      },
+      "source": "Utility Operations Best Practices"
+    },
+    {
+      "id": "UTIL-SPLIT-DELIMITER-001",
+      "category": "TestCaseDesign",
+      "name": "Split delimiter should not be empty",
+      "description": "Split step delimiter parameter should not be empty string.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Provide non-empty delimiter for Split operation.",
+      "check": {
+        "type": "splitDelimiter",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.string.Split"
+      },
+      "source": "Utility Operations Best Practices"
+    },
+    {
+      "id": "UTIL-MATCH-REGEX-001",
+      "category": "TestCaseDesign",
+      "name": "Match regex pattern should be valid",
+      "description": "When using isRegex=true, pattern must be valid regular expression.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Validate regex pattern syntax before using in Match step.",
+      "check": {
+        "type": "matchRegexValid",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.string.Match"
+      },
+      "source": "Utility Operations Best Practices"
+    },
+    {
+      "id": "DATA-DB-WHERE-001",
+      "category": "TestCaseDesign",
+      "name": "DbDelete and DbUpdate should have WHERE clause",
+      "description": "Database delete and update operations should include WHERE clause to avoid affecting all records.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add WHERE clause to DbDelete/DbUpdate to limit affected records.",
+      "check": {
+        "type": "dbWhereClause",
+        "target": "step",
+        "apiIds": [
+          "com.provar.plugins.bundled.apis.db.DbDelete",
+          "com.provar.plugins.bundled.apis.db.DbUpdate"
+        ]
+      },
+      "source": "Database Testing Best Practices"
+    },
+    {
+      "id": "DATA-REST-METHOD-001",
+      "category": "TestCaseDesign",
+      "name": "RestRequest method should be valid HTTP method",
+      "description": "RestRequest method must be one of: GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Use valid HTTP method (GET, POST, PUT, DELETE, PATCH).",
+      "check": {
+        "type": "restHttpMethod",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.restservice.RestRequest",
+        "validMethods": [
+          "GET",
+          "POST",
+          "PUT",
+          "DELETE",
+          "PATCH",
+          "HEAD",
+          "OPTIONS"
+        ]
+      },
+      "source": "REST API Testing Best Practices"
+    },
+    {
+      "id": "DATA-REST-BODY-001",
+      "category": "TestCaseDesign",
+      "name": "POST/PUT/PATCH should have request body",
+      "description": "RestRequest with POST, PUT, or PATCH method should include request body.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Add request body for POST/PUT/PATCH operations.",
+      "check": {
+        "type": "restRequestBody",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.restservice.RestRequest"
+      },
+      "source": "REST API Testing Best Practices"
+    },
+    {
+      "id": "DATA-REST-STATUS-001",
+      "category": "TestCaseDesign",
+      "name": "Validate REST response status",
+      "description": "RestRequest should be followed by assertion to validate response status code.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Add Assert step to validate REST response status code.",
+      "check": {
+        "type": "restStatusValidation",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.restservice.RestRequest"
+      },
+      "source": "REST API Testing Best Practices"
+    },
+    {
+      "id": "DATA-SOAP-XML-001",
+      "category": "TestCaseDesign",
+      "name": "SOAP request body should be well-formed XML",
+      "description": "WebServiceRequest requestBody must be valid XML for SOAP operations.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Validate SOAP XML syntax before execution.",
+      "check": {
+        "type": "soapXmlValid",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.web.WebServiceRequest"
+      },
+      "source": "SOAP Web Service Testing Best Practices"
+    },
+    {
+      "id": "AI-SESSION-WEBCONNECT-001",
+      "category": "TestCaseDesign",
+      "name": "AIAgentSession requires WebConnect first",
+      "description": "AIAgentSession step must be preceded by WebConnect step.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add WebConnect step before AIAgentSession.",
+      "check": {
+        "type": "aiSessionWebConnect",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ai.AIAgentSession"
+      },
+      "source": "Agentforce Testing Best Practices"
+    },
+    {
+      "id": "AI-CONVERSATION-SESSION-001",
+      "category": "TestCaseDesign",
+      "name": "AIAgentConversation requires valid session",
+      "description": "AIAgentConversation must reference sessionID from AIAgentSession.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Ensure AIAgentSession is called first and sessionID is stored.",
+      "check": {
+        "type": "aiConversationSession",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ai.AIAgentConversation"
+      },
+      "source": "Agentforce Testing Best Practices"
+    },
+    {
+      "id": "AI-UTTERANCE-COUNT-001",
+      "category": "TestCaseDesign",
+      "name": "GenerateUtterance count should be reasonable",
+      "description": "GenerateUtterance count parameter should be between 1-100 for performance.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Set GenerateUtterance count between 1-100.",
+      "check": {
+        "type": "aiUtteranceCount",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ai.GenerateUtterance",
+        "minCount": 1,
+        "maxCount": 100
+      },
+      "source": "AI Testing Best Practices"
+    },
+    {
+      "id": "AI-IMAGE-CONFIDENCE-001",
+      "category": "TestCaseDesign",
+      "name": "ImageValidator confidence should be 0.0-1.0",
+      "description": "ImageValidator confidenceThreshold must be between 0.0 and 1.0.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Set confidenceThreshold between 0.0 and 1.0.",
+      "check": {
+        "type": "imageConfidence",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ai.ImageValidator",
+        "minConfidence": 0.0,
+        "maxConfidence": 1.0
+      },
+      "source": "AI Image Testing Best Practices"
+    },
+    {
+      "id": "SF-LAYOUT-EXTRACT-BEFORE-ASSERT-001",
+      "category": "TestCaseDesign",
+      "name": "ExtractSalesforceLayout before AssertSalesforceLayout",
+      "description": "AssertSalesforceLayout should be preceded by ExtractSalesforceLayout to create baseline. Otherwise ensure you have a compatible data source to compare to.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 2,
+      "recommendation": "Run ExtractSalesforceLayout first to create baseline layout file.",
+      "check": {
+        "type": "layoutExtractBeforeAssert",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexAssertLayout"
+      },
+      "source": "Salesforce Layout Testing Best Practices"
+    },
+    {
+      "id": "SF-CONVERT-LEAD-STATUS-001",
+      "category": "TestCaseDesign",
+      "name": "ConvertLead status must be valid",
+      "description": "ConvertLead convertedStatus must be a valid lead conversion status.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Use valid lead conversion status (Converted, Qualified, etc.).",
+      "check": {
+        "type": "convertLeadStatus",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.testapis.ApexConvertLead"
+      },
+      "source": "Salesforce Lead Management Best Practices"
+    },
+    {
+      "id": "FILE-READ-PATH-001",
+      "category": "TestCaseDesign",
+      "name": "Read dataUrl should be valid file path",
+      "description": "Read step dataUrl must point to existing Excel/CSV file.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Verify file exists before Read operation.",
+      "check": {
+        "type": "fileReadPath",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.io.Read"
+      },
+      "source": "File I/O Best Practices"
+    },
+    {
+      "id": "FILE-WRITE-PATH-001",
+      "category": "TestCaseDesign",
+      "name": "Write dataUrl should be writable",
+      "description": "Write step dataUrl directory must be writable.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Ensure output directory exists and is writable.",
+      "check": {
+        "type": "fileWritePath",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.io.Write"
+      },
+      "source": "File I/O Best Practices"
+    },
+    {
+      "id": "MESSAGING-SUBSCRIBE-BEFORE-RECEIVE-001",
+      "category": "TestCaseDesign",
+      "name": "Subscribe before ReceiveMessage",
+      "description": "ReceiveMessage should be preceded by Subscribe to topic/channel.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Add Subscribe step before ReceiveMessage.",
+      "check": {
+        "type": "subscribeBeforeReceive",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.messaging.ReceiveMessage"
+      },
+      "source": "Messaging Best Practices"
+    },
+    {
+      "id": "MESSAGING-TIMEOUT-001",
+      "category": "TestCaseDesign",
+      "name": "ReceiveMessage timeout should be reasonable",
+      "description": "ReceiveMessage timeout should be between 5-60 seconds.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "info",
+      "weight": 1,
+      "recommendation": "Set timeout between 5-60 seconds.",
+      "check": {
+        "type": "messageTimeout",
+        "target": "step",
+        "apiId": "com.provar.plugins.bundled.apis.messaging.ReceiveMessage",
+        "minTimeout": 5,
+        "maxTimeout": 60
+      },
+      "source": "Messaging Best Practices"
+    },
+    {
+      "id": "RENDER-ARG-001",
+      "category": "StructureAndGrouping",
+      "name": "All arguments must have value elements",
+      "description": "Every <argument> element must contain a <value> child element, even if empty. Missing <value> elements prevent test cases from loading in Provar.",
+      "appliesTo": [
+        "TestCase",
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Add <value class=\"value\" valueClass=\"string\"></value> (or appropriate type) to all <argument> elements.",
+      "check": {
+        "type": "disabled",
+        "comment": "DISABLED: Too many false positives (1378/1454 = 95%). Valid Provar test cases have many optional arguments without values. Need to reimplement as targeted check for specific critical arguments only (apexConnectionName, objectType, etc.).",
+        "subtype": "argumentValue"
+      },
+      "source": "Provar XML Schema Requirements"
+    },
+    {
+      "id": "RENDER-CASE-001",
+      "category": "StructureAndGrouping",
+      "name": "valueClass attributes must use lowercase",
+      "description": "All valueClass attributes must use lowercase values (e.g., 'boolean' not 'Boolean', 'string' not 'String'). Incorrect casing prevents test cases from loading in Provar.",
+      "appliesTo": [
+        "TestCase",
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Change all valueClass attributes to lowercase: boolean, string, decimal, integer, date, datetime, variable, compound, funcCall, value, valueList.",
+      "check": {
+        "type": "valueClassCasing",
+        "subtype": "valueClassCasing"
+      },
+      "source": "Provar XML Schema Requirements"
+    },
+    {
+      "id": "RENDER-BOOL-001",
+      "category": "StructureAndGrouping",
+      "name": "Boolean values must use lowercase",
+      "description": "Boolean values in <value> elements must be lowercase 'true' or 'false', not 'True', 'False', 'TRUE', or 'FALSE'. Incorrect casing prevents test cases from loading in Provar.",
+      "appliesTo": [
+        "TestCase",
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Change all boolean values to lowercase: true, false.",
+      "check": {
+        "type": "booleanCasing",
+        "subtype": "booleanCasing"
+      },
+      "source": "Provar XML Schema Requirements"
+    },
+    {
+      "id": "RENDER-ROOT-001",
+      "category": "StructureAndGrouping",
+      "name": "Test case root element should not have unknown attributes",
+      "description": "The root <testCase> element should only contain known attributes: guid, id, name, visibility, registryId, failureBehaviour. Unknown attributes may prevent test cases from loading in Provar.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 3,
+      "recommendation": "Remove unknown attributes from the root <testCase> element.",
+      "check": {
+        "type": "rootAttributes",
+        "subtype": "rootAttributes"
+      },
+      "source": "Provar XML Schema Requirements"
+    },
+    {
+      "id": "TEST-LENGTH-001",
+      "category": "TestCaseDesign",
+      "name": "Test case should not be excessively long",
+      "description": "Test cases with more than 150 steps become difficult to maintain, debug, and understand. Consider breaking long tests into smaller, focused test cases or using callable test cases.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "minor",
+      "weight": 3,
+      "recommendation": "Break test into smaller test cases or extract common logic into callable test cases.",
+      "check": {
+        "type": "testLength",
+        "threshold": 150
+      },
+      "source": "Provar Best Practices: Test Design and Maintainability"
+    },
+    {
+      "id": "PICKLIST-001",
+      "category": "TestCaseDesign",
+      "name": "Picklist values should match Salesforce metadata",
+      "description": "Picklist values used in test data should match the valid values defined in Salesforce. Common hallucinated values like 'Active' for Campaign.Status or 'Open' for Opportunity.StageName are often invalid and will cause test failures.",
+      "appliesTo": [
+        "Step",
+        "TestCase"
+      ],
+      "severity": "major",
+      "weight": 7,
+      "recommendation": "Use only picklist values provided in the metadata context. For Campaign.Status, valid values are typically: Planned, In Progress, Completed, Aborted. For Opportunity.StageName, check your org's sales process stages. For Lead.Status, check your org's lead process. Never assume generic values like 'Active', 'Inactive', 'Open', 'Closed' unless explicitly confirmed.",
+      "check": {
+        "type": "hallucinatedPicklistValue",
+        "target": "step",
+        "knownHallucinations": {
+          "Campaign.Status": ["Active", "Inactive", "Running", "Paused", "Pending", "Draft"],
+          "Opportunity.StageName": ["Active", "Open", "In Progress", "Pending", "Draft", "New"],
+          "Lead.Status": ["Active", "Inactive", "Pending", "Converted", "Rejected"],
+          "Case.Status": ["Active", "Inactive", "Pending", "Draft", "Resolved"],
+          "Task.Status": ["Active", "Pending", "Done", "Cancelled"],
+          "Event.Status": ["Active", "Pending", "Cancelled"]
+        }
+      },
+      "notes": "Common AI hallucination: Using 'Active' as a status value when it doesn't exist in the org's picklist. Campaign.Status typically uses: Planned, In Progress, Completed, Aborted.",
+      "source": "Standard Salesforce object picklist values and common hallucination patterns"
+    },
+    {
+      "id": "VALUE-CLASS-001",
+      "category": "StructureAndGrouping",
+      "name": "Value elements must use valid class attribute",
+      "description": "The 'class' attribute on <value> elements must be one of the valid Provar value classes. Invalid class values like 'null' cause runtime errors. Valid classes are: value, variable, compound, funcCall, valueList, uiWait, uiLocator, uiTarget, uiInteraction, restTarget, excelTarget, csvTarget, namedValues, url, template, and expression operators (add, sub, mult, div, eq, ne, gt, lt, ge, le, and, or, match).",
+      "appliesTo": [
+        "Step",
+        "TestCase"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Use a valid class attribute. For literal values use class='value' with appropriate valueClass (string, boolean, decimal, id, date, dateTime). For variables use class='variable'. For empty/optional arguments, omit the <value> element entirely: <argument id=\"argId\"/>",
+      "check": {
+        "type": "invalidValueClass",
+        "target": "step",
+        "validClasses": ["value", "variable", "compound", "funcCall", "valueList", "uiWait", "uiLocator", "uiTarget", "uiInteraction", "restTarget", "excelTarget", "csvTarget", "namedValues", "url", "template", "add", "sub", "mult", "div", "eq", "ne", "gt", "lt", "ge", "le", "and", "or", "match"],
+        "validValueClasses": ["string", "boolean", "decimal", "id", "date", "dateTime"]
+      },
+      "notes": "Based on corpus analysis of 1451 test files with 329,424 <value> elements. Common AI hallucination: class='null' (never valid). Empty arguments should have no <value> child.",
+      "source": "Corpus analysis: All valid value class patterns from InternalProjects"
+    },
+    {
+      "id": "UI-ASSERT-STRUCT-001",
+      "category": "StructureAndGrouping",
+      "name": "UiAssert steps must include all required arguments",
+      "description": "UiAssert steps must include columnAssertions, pageAssertions, resultScope, captureAfter, beforeWait, and autoRetry arguments. Based on corpus analysis of 4,577 UiAssert instances, 100% include these arguments (even if empty). Missing these required arguments causes Provar validation failures at runtime.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 8,
+      "recommendation": "Include all required arguments in UiAssert steps. Use empty value lists for unused assertions: <argument id=\"columnAssertions\"><value class=\"valueList\" mutable=\"Mutable\"/></argument>. For resultScope use 'Test'. For captureAfter use 'false'. For beforeWait and autoRetry, include empty argument tags: <argument id=\"beforeWait\"/><argument id=\"autoRetry\"/>",
+      "check": {
+        "type": "uiAssertMissingArguments",
+        "target": "step",
+        "requiredArguments": ["fieldAssertions", "columnAssertions", "pageAssertions", "resultScope", "captureAfter", "beforeWait", "autoRetry"],
+        "recommendedArguments": ["resultName"]
+      },
+      "notes": "Based on corpus analysis of 4,577 UiAssert instances across 694 test files. All instances include these arguments. AI commonly omits columnAssertions, pageAssertions, resultScope, beforeWait, and autoRetry.",
+      "source": "Corpus analysis: InternalProjects - 100% of UiAssert steps have these arguments"
+    },
+    {
+      "id": "UI-ASSERT-STRUCT-002",
+      "category": "StructureAndGrouping",
+      "name": "UiAssert steps must NOT contain generatedParameters",
+      "description": "UiAssert steps should NOT contain <generatedParameters> element. Based on corpus analysis of 4,577 UiAssert instances, 0% contain generatedParameters. This element is 100% hallucinated by AI and causes Provar validation failures.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Remove the entire <generatedParameters> section from UiAssert steps. Unlike UiDoAction steps which use generatedParameters for field metadata, UiAssert steps never use this element. The assertion configuration is entirely within the arguments element.",
+      "check": {
+        "type": "uiAssertHallucinatedGeneratedParameters",
+        "target": "step"
+      },
+      "notes": "Based on corpus analysis of 4,577 UiAssert instances. 0 instances have generatedParameters - this is a 100% AI hallucination. UiDoAction correctly uses generatedParameters, but UiAssert does not.",
+      "source": "Corpus analysis: InternalProjects - 0% of UiAssert steps have generatedParameters"
+    },
+    {
+      "id": "UI-BINDING-ORDER-001",
+      "category": "LocatorPatterns",
+      "name": "UI binding parameter order must have object= first",
+      "description": "In UI binding URIs, the object= parameter MUST come FIRST, followed by field= or action=. Wrong order causes 'Unknown control' errors in Provar at runtime.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Correct the binding parameter order. Use 'object?object=ObjectName&action=ActionName' or 'object?object=ObjectName&field=FieldName'. Never put action= or field= before object=.",
+      "check": {
+        "type": "bindingParameterOrder",
+        "target": "step"
+      },
+      "examples": {
+        "correct": [
+          "sf:ui:binding:object?object=Lead&action=New",
+          "sf:ui:binding:object?object=Account&field=Name",
+          "sf%3Aui%3Abinding%3Aobject%3Fobject%3DLead%26action%3DNew"
+        ],
+        "incorrect": [
+          "sf:ui:binding:object?action=New&object=Lead",
+          "sf:ui:binding:object?field=Name&object=Account",
+          "sf%3Aui%3Abinding%3Aobject%3Faction%3DNew%26object%3DLead"
+        ]
+      },
+      "notes": "Based on corpus analysis: Field bindings 94.4% have object= first (6,017 vs 354). Action bindings 94.7% have object= first (1,554 vs 87). The 5% with wrong order are edge cases that often cause issues.",
+      "source": "Corpus analysis: InternalProjects - 95% of bindings have object= parameter first"
+    },
+    {
+      "id": "UI-FIELD-METADATA-001",
+      "category": "TestCaseDesign",
+      "name": "UiDoAction/UiAssert fields should exist in Salesforce metadata",
+      "description": "When Salesforce object metadata is provided in the context, UI operations (UiDoAction field sets, UiAssert field assertions) should only reference fields that exist in the metadata. Fields mentioned in user story but not present in Salesforce metadata may cause 'Unknown control' errors at runtime. This validation catches hallucinated or non-existent fields before test execution.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Only use fields that exist in the Salesforce org metadata. If a field from the user story shows 'Unknown control' in Provar, either: (1) the field doesn't exist in this org, (2) the field API name is different, or (3) the field isn't on the page layout. Check the org's metadata or remove the field operation from the test.",
+      "check": {
+        "type": "disabled",
+        "target": "step",
+        "apiIds": [
+          "com.provar.plugins.forcedotcom.core.ui.UiDoAction",
+          "com.provar.plugins.forcedotcom.core.ui.UiAssert"
+        ]
+      },
+      "notes": "This validation requires metadata context (objects with field information) to be passed to the validator. When metadata is not available, this validation is skipped. Common issue: user story mentions 'Account Number' but org only has 'AccountNumber' or field doesn't exist at all.",
+      "source": "Field observation: AI generates steps for fields mentioned in user story that don't exist in org metadata"
+    },
+    {
+      "id": "PO-FIELD-EXISTS-001",
+      "category": "TestCaseDesign",
+      "name": "Page Object locator references non-existent field",
+      "description": "When Page Objects are provided, ui:pageobject:field locators must reference fields (WebElement variables) that actually exist in the corresponding Page Object Java class. AI models commonly hallucinate field names that are not defined in the provided Page Objects, causing 'Unknown control' errors at runtime.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 5,
+      "recommendation": "Only reference field names that exist in the provided Page Object definitions. Check the Page Object class for available WebElement variables. If the field you need is not in the Page Object, either: (1) use SF metadata binding (sf:ui:binding:object) instead, or (2) ensure the Page Object includes the required field. Available fields are listed in the Page Object section of the generation context.",
+      "check": {
+        "type": "pageObjectFieldExists",
+        "target": "step",
+        "apiIds": [
+          "com.provar.plugins.forcedotcom.core.ui.UiDoAction",
+          "com.provar.plugins.forcedotcom.core.ui.UiAssert"
+        ]
+      },
+      "notes": "This validation requires page_objects context to be passed to the validator via additional_context. When page_objects are not available, validation is skipped. Common issue: AI generates field names based on the user story text rather than the actual Page Object WebElement variable names.",
+      "source": "Field observation: AI generates PO field references for fields not defined in provided Page Objects"
+    },
+    {
+      "id": "FUNCCALL-VALID-001",
+      "category": "XMLSchema",
+      "name": "funcCall id must be a valid Provar function",
+      "description": "When using <value class=\"funcCall\" id=\"FunctionName\">, the function name must be one of Provar's known built-in functions. Unknown function names cause runtime errors as Provar cannot evaluate them. Common hallucinations include JavaScript-style functions like 'concat', 'toString', 'parseInt' instead of Provar's actual functions.",
+      "appliesTo": [
+        "TestCase"
+      ],
+      "severity": "major",
+      "weight": 6,
+      "recommendation": "Use only valid Provar function names: Count, DateAdd, DateFormat, DateParse, GetEnvironmentVariable, GetSelectedEnvironment, IsSorted, Not, NumberFormat, Round, StringNormalize, StringReplace, StringTrim, TestCaseErrors, TestCaseName, TestCaseOutcome, TestCasePath, TestCaseSuccessful, TestRunErrors, UniqueId. NOTE: Concatenate, PadLeft, PadRight, Substring are NOT valid - use valueList for string building.",
+      "check": {
+        "type": "validFuncCallId",
+        "target": "testCase"
+      },
+      "examples": {
+        "correct": [
+          "<value class=\"funcCall\" id=\"Count\">",
+          "<value class=\"funcCall\" id=\"DateAdd\">",
+          "<value class=\"funcCall\" id=\"UniqueId\">",
+          "<value class=\"funcCall\" id=\"StringReplace\">",
+          "<value class=\"funcCall\" id=\"Round\">"
+        ],
+        "incorrect": [
+          "<value class=\"funcCall\" id=\"Concatenate\">",
+          "<value class=\"funcCall\" id=\"PadLeft\">",
+          "<value class=\"funcCall\" id=\"concat\">",
+          "<value class=\"funcCall\" id=\"toString\">",
+          "<value class=\"funcCall\" id=\"Format\">"
+        ]
+      },
+      "notes": "Provar functions use PascalCase naming. Concatenate, PadLeft, PadRight, Substring are NOT valid Provar funcCalls - for string building use valueList or compound. Common hallucinations: 'concat' and 'Concatenate' should use valueList instead.",
+      "source": "Corpus analysis: PROVAR_BUILTIN_VARIABLES.md and BUILTIN_FUNCTIONS_ANALYSIS.md document all valid Provar functions"
+    },
+    {
+      "id": "UI-ASSERT-COMPOUND-001",
+      "category": "TestCaseDesign",
+      "name": "UiAssert must use compound fields for component field assertions",
+      "description": "Salesforce compound fields (Name=FirstName+LastName, BillingAddress=BillingStreet+BillingCity+BillingState+BillingPostalCode+BillingCountry, ShippingAddress, MailingAddress) are displayed as single fields in the UI View screen but set as individual component fields in UiDoAction. UiAssert steps MUST assert the compound field (e.g., 'Name', 'BillingAddress') using a compound value that combines the individual component variables, NOT assert the individual component fields directly which don't exist in the View UI.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 6,
+      "recommendation": "For Name field: Assert 'Name' using <value class=\"compound\"><parts><variable><path element=\"FirstName\"/></variable><value class=\"value\" valueClass=\"string\"> </value><variable><path element=\"LastName\"/></variable></parts></value>. For Address fields: Assert 'BillingAddress' or 'ShippingAddress' as the compound field, not individual BillingStreet/BillingCity etc. The fieldLocator should reference the compound field name (e.g., field=Name, field=BillingAddress).",
+      "check": {
+        "type": "uiAssertCompoundField",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiAssert",
+        "compoundFields": {
+          "Name": ["FirstName", "LastName", "Salutation", "MiddleName", "Suffix"],
+          "BillingAddress": ["BillingStreet", "BillingCity", "BillingState", "BillingStateCode", "BillingPostalCode", "BillingCountry", "BillingCountryCode", "BillingLatitude", "BillingLongitude"],
+          "ShippingAddress": ["ShippingStreet", "ShippingCity", "ShippingState", "ShippingStateCode", "ShippingPostalCode", "ShippingCountry", "ShippingCountryCode", "ShippingLatitude", "ShippingLongitude"],
+          "MailingAddress": ["MailingStreet", "MailingCity", "MailingState", "MailingStateCode", "MailingPostalCode", "MailingCountry", "MailingCountryCode", "MailingLatitude", "MailingLongitude"]
+        }
+      },
+      "examples": {
+        "correct": [
+          "<uiFieldAssertion resultName=\"Name\"><fieldLocator uri=\"ui:locator?name=Name&amp;binding=sf%3Aui%3Abinding%3Aobject%3Ffield%3DName%26object%3DLead\"/><attributeAssertions><uiAttributeAssertion attributeName=\"value\" comparisonType=\"EqualTo\"><value class=\"compound\"><parts><variable><path element=\"LeadFirstName\"/></variable><value class=\"value\" valueClass=\"string\"> </value><variable><path element=\"LeadLastName\"/></variable></parts></value></uiAttributeAssertion></attributeAssertions></uiFieldAssertion>",
+          "<uiFieldAssertion resultName=\"BillingAddress\"><fieldLocator uri=\"ui:locator?name=BillingAddress&amp;binding=sf%3Aui%3Abinding%3Aobject%3Ffield%3DBillingAddress%26object%3DAccount\"/>...</uiFieldAssertion>"
+        ],
+        "incorrect": [
+          "<uiFieldAssertion resultName=\"FirstName\"><fieldLocator uri=\"...field=FirstName...\"/>... (FirstName doesn't exist as separate field in View UI)",
+          "<uiFieldAssertion resultName=\"BillingCity\"><fieldLocator uri=\"...field=BillingCity...\"/>... (individual address components not visible separately)"
+        ]
+      },
+      "notes": "UiDoAction sets individual fields (FirstName, LastName, BillingStreet, etc.) because the New/Edit form has separate inputs. UiAssert on View screen must use compound field names (Name, BillingAddress) because that's how Salesforce displays them. The assertion value should use <value class=\"compound\"> with <parts> containing variables for each component separated by appropriate delimiters (space for names, newlines for addresses).",
+      "source": "Field observation: Salesforce UI View screens display compound fields, not individual components"
+    },
+    {
+      "id": "UI-LOOKUP-ID-001",
+      "category": "TestCaseDesign",
+      "name": "UiDoAction lookup fields should use Name values, not IDs",
+      "description": "When setting lookup/reference fields via UiDoAction (UI automation), use the record Name (text value the user sees) instead of the record Id. The Salesforce UI expects display values like 'ABC Corp' for Account lookups, not 18-character IDs like '001xx000003DGWaAAO'. Using IDs in UI fields causes lookup failures. Note: Apex CRUD operations (ApexCreateObject, ApexUpdateObject) correctly use IDs for lookup fields.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "major",
+      "weight": 6,
+      "recommendation": "For UiDoAction on lookup fields (AccountId, ContactId, OwnerId, etc.): 1) Create a variable for the record Name BEFORE creating the record (e.g., AccountName = 'ABC Corp'), 2) Use that Name variable in UiDoAction for lookups, 3) Only use ID variables for Apex CRUD operations or sfUiTargetObjectId navigation. Example: Set AccountName='ABC Corp' via SetValues, then use {AccountName} for UiDoAction on AccountId field.",
+      "check": {
+        "type": "uiLookupIdUsage",
+        "target": "step",
+        "apiId": "com.provar.plugins.forcedotcom.core.ui.UiDoAction",
+        "lookupFieldSuffixes": ["Id", "ID"],
+        "idVariableSuffixes": ["Id", "ID", "RecordId"]
+      },
+      "examples": {
+        "correct": [
+          "SetValues: AccountName = 'ABC Corp'",
+          "UiDoAction: Set AccountId field using {AccountName} variable",
+          "ApexCreateObject: Set AccountId using {AccountId} variable (IDs are correct for Apex)"
+        ],
+        "incorrect": [
+          "UiDoAction: Set AccountId field using {AccountId} variable (ID won't work in UI lookup)",
+          "UiDoAction: Set OwnerId field using {UserId} variable"
+        ]
+      },
+      "notes": "Salesforce UI lookup fields expect the display Name (what the user types/sees), not the record ID. The UI performs a search on the Name and selects the matching record. Apex CRUD operations directly accept IDs because they bypass the UI. This is a common AI generation mistake.",
+      "source": "Field observation: UI lookup fields require Name values, not record IDs"
+    },
+    {
+      "id": "ASSERT-DATE-FORMAT-001",
+      "category": "TestCaseDesign",
+      "name": "Date/DateTime assertions should use proper format functions",
+      "description": "Salesforce Date and DateTime fields are stored in specific formats: DateTime uses ISO 8601 format (2026-01-14T05:36:12.000+0000) and Date uses yyyy-MM-dd format (2026-01-14). When asserting these fields in UI or API tests, raw date strings may cause assertion failures due to format mismatches, timezone differences, or precision issues. Use Provar's date functions (DateFormat, DateParse, DateAdd, TODAY, NOW) for reliable date comparisons.",
+      "appliesTo": [
+        "Step"
+      ],
+      "severity": "minor",
+      "weight": 4,
+      "recommendation": "For date assertions: 1) Use DateFormat() to format dates consistently: DateFormat(variable, 'yyyy-MM-dd', 'GMT'), 2) Use DateParse() to parse date strings with known formats, 3) Use TODAY for current date comparisons (yyyy-MM-dd format), 4) Use NOW for current datetime (yyyy-MM-dd HH:mm:ss.SSS format), 5) Use DateAdd() for date calculations. Always specify timezone for DateTime comparisons. Example: Assert CloseDate equals DateFormat(ExpectedDate, 'yyyy-MM-dd').",
+      "check": {
+        "type": "dateFormatAssertion",
+        "target": "step",
+        "apiIds": [
+          "com.provar.plugins.forcedotcom.core.ui.UiAssert",
+          "com.provar.plugins.bundled.apis.AssertValues"
+        ],
+        "dateFieldPatterns": ["Date$", "DateTime$", "^Close", "^Start", "^End", "^Created", "^LastModified", "^Birth", "^Expir"],
+        "sfDateTimeFormat": "yyyy-MM-dd'T'HH:mm:ss.SSSZ",
+        "sfDateFormat": "yyyy-MM-dd"
+      },
+      "examples": {
+        "correct": [
+          "AssertValues: Assert CloseDate equals DateFormat(ExpectedCloseDate, 'yyyy-MM-dd')",
+          "UiAssert: Assert CreatedDate using DateFormat(expectedDate, 'yyyy-MM-dd', 'GMT')",
+          "AssertValues: Assert field using TODAY for today's date",
+          "AssertValues: Assert datetime using DateParse(value, 'yyyy-MM-dd\\'T\\'HH:mm:ss.SSSZ')"
+        ],
+        "incorrect": [
+          "AssertValues: Assert CloseDate equals '2026-01-14' (hardcoded date string)",
+          "UiAssert: Assert CreatedDate equals {CreatedDateVariable} (raw datetime may have timezone/format issues)",
+          "AssertValues: Assert DateTime field using string comparison (precision mismatch)"
+        ]
+      },
+      "notes": "Salesforce DateTime format: 2026-01-14T05:36:12.000+0000 (ISO 8601). Salesforce Date format: 2026-01-14. NOW returns: 2026-01-15 15:03:16.690. TODAY returns: 2026-01-15. DateFormat output format defaults to yyyy-MM-dd. DateParse input format defaults to international format. Always consider timezone when comparing DateTime values across different contexts.",
+      "source": "Field observation: Date/DateTime format inconsistencies cause assertion failures"
+    },
+    {
+      "id": "RENDER-DATE-VALUECLASS-001",
+      "category": "XMLSchema",
+      "name": "valueClass='date' requires epoch timestamp, not date string",
+      "description": "When using valueClass='date' or valueClass='dateTime' in Provar test cases, the value MUST be an epoch timestamp in milliseconds (a numeric value like 1736899200000), NOT an ISO date string like '2025-01-15' or '2025-01-15T00:00:00.000Z'. Using string date formats with valueClass='date' causes the test case to fail loading in Provar IDE. This is a critical XML schema violation that completely breaks the test case.",
+      "appliesTo": [
+        "Step",
+        "TestCase"
+      ],
+      "severity": "critical",
+      "weight": 10,
+      "recommendation": "Either: 1) Use valueClass='string' if you want to specify dates as strings like '2025-01-15', OR 2) Use valueClass='date' with epoch timestamp in milliseconds (e.g., 1736899200000 for 2025-01-15). For ApexCreateObject/ApexUpdateObject date fields, use valueClass='string' with the date in 'YYYY-MM-DD' format. To convert: new Date('2025-01-15').getTime() = 1736899200000.",
+      "check": {
+        "type": "dateValueClassFormat",
+        "target": "step"
+      },
+      "examples": {
+        "correct": [
+          "<value class=\"value\" valueClass=\"date\">1736899200000</value>",
+          "<value class=\"value\" valueClass=\"string\">2025-01-15</value>",
+          "<value class=\"value\" valueClass=\"dateTime\">1736899200000</value>"
+        ],
+        "incorrect": [
+          "<value class=\"value\" valueClass=\"date\">2025-01-15</value>",
+          "<value class=\"value\" valueClass=\"date\">2025-01-15T00:00:00.000Z</value>",
+          "<value class=\"value\" valueClass=\"dateTime\">2025-01-15T12:30:00</value>"
+        ]
+      },
+      "notes": "Provar internally stores dates as epoch timestamps (milliseconds since 1970-01-01). When valueClass='date' is used, Provar expects a numeric epoch value. String dates cause XML parsing/loading failures. All valid corpus examples use epoch timestamps with valueClass='date': 1637798400000, 1513209600000, etc.",
+      "source": "Corpus analysis: All valueClass='date' values are epoch timestamps; string dates cause Provar IDE load failures"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/src/mcp/schemas/common.ts b/src/mcp/schemas/common.ts
new file mode 100644
index 00000000..35702804
--- /dev/null
+++ b/src/mcp/schemas/common.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { randomUUID } from 'node:crypto';
+
+/** Stable error shape returned in every isError=true response */
+export interface ErrorResponse {
+  error_code: string;
+  message: string;
+  retryable: boolean;
+  details?: Record<string, unknown>;
+  requestId: string;
+}
+
+/** Single validation finding produced by the PO / TC validators */
+export interface ValidationIssue {
+  rule_id: string;
+  severity: 'ERROR' | 'WARNING' | 'INFO';
+  message: string;
+  applies_to: string;
+  suggestion?: string;
+  line_number?: number;
+}
+
+export function makeError(
+  code: string,
+  message: string,
+  requestId: string,
+  retryable = false,
+  details?: Record<string, unknown>
+): ErrorResponse {
+  return { error_code: code, message, retryable, details, requestId };
+}
+
+/** Generate a correlation ID for each tool invocation */
+export function makeRequestId(): string {
+  return randomUUID();
+}
diff --git a/src/mcp/security/pathPolicy.ts b/src/mcp/security/pathPolicy.ts
new file mode 100644
index 00000000..00eeef1e
--- /dev/null
+++ b/src/mcp/security/pathPolicy.ts
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+export class PathPolicyError extends Error {
+  public readonly code: string;
+  public constructor(code: string, message: string) {
+    super(message);
+    this.name = 'PathPolicyError';
+    this.code = code;
+  }
+}
+
+/**
+ * Asserts that filePath is within at least one of allowedPaths.
+ *
+ * Throws PathPolicyError with code:
+ * - PATH_TRAVERSAL  — path contains `..` segments
+ * - PATH_NOT_ALLOWED — resolved path is outside all allowed roots
+ *
+ * When allowedPaths is empty, all paths are permitted (unrestricted mode).
+ *
+ * Symlinks are resolved via fs.realpathSync so that a symlink inside an allowed
+ * directory pointing to a location outside it cannot bypass containment.
+ * If the path does not yet exist (e.g. an output file to be created), the parent
+ * directory is resolved instead and the basename re-attached.
+ */
+export function assertPathAllowed(filePath: string, allowedPaths: string[]): void {
+  // Check the original path for `..` segments before any normalization resolves them away
+  const rawSegments = filePath.split(/[/\\]+/).filter((s) => s.length > 0);
+  if (rawSegments.some((s) => s === '..')) {
+    throw new PathPolicyError('PATH_TRAVERSAL', `Path traversal detected: ${filePath}`);
+  }
+
+  // Resolve symlinks so a symlink inside an allowed dir that points outside cannot bypass
+  // the containment check. Fall back to lexical resolution when the path doesn't exist yet.
+  let resolved: string;
+  try {
+    resolved = fs.realpathSync(filePath);
+  } catch {
+    // Path doesn't exist — resolve the parent (which should exist) to catch symlinks there
+    const parent = path.dirname(path.resolve(filePath));
+    try {
+      resolved = path.join(fs.realpathSync(parent), path.basename(filePath));
+    } catch {
+      resolved = path.resolve(filePath);
+    }
+  }
+
+  const resolvedAllowed = allowedPaths.map((p) => {
+    try {
+      return fs.realpathSync(p);
+    } catch {
+      return path.resolve(path.normalize(p));
+    }
+  });
+
+  if (
+    resolvedAllowed.length > 0 &&
+    !resolvedAllowed.some((base) => resolved === base || resolved.startsWith(base + path.sep))
+  ) {
+    throw new PathPolicyError(
+      'PATH_NOT_ALLOWED',
+      `Path "${resolved}" is not within allowed paths: [${resolvedAllowed.join(', ')}]`
+    );
+  }
+}
diff --git a/src/mcp/server.ts b/src/mcp/server.ts
new file mode 100644
index 00000000..a81320d7
--- /dev/null
+++ b/src/mcp/server.ts
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { createRequire } from 'node:module';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { z } from 'zod';
+import { log } from './logging/logger.js';
+
+const requireJson = createRequire(import.meta.url);
+const SERVER_VERSION: string = (requireJson('../../package.json') as { version: string }).version;
+import { registerProjectInspect } from './tools/projectInspect.js';
+import { registerPageObjectGenerate } from './tools/pageObjectGenerate.js';
+import { registerPageObjectValidate } from './tools/pageObjectValidate.js';
+import { registerTestCaseGenerate } from './tools/testCaseGenerate.js';
+import { registerTestCaseValidate } from './tools/testCaseValidate.js';
+import { registerTestSuiteValidate } from './tools/testSuiteValidate.js';
+import { registerTestPlanValidate } from './tools/testPlanValidate.js';
+import { registerProjectValidateFromPath } from './tools/projectValidateFromPath.js';
+import { registerAllPropertiesTools } from './tools/propertiesTools.js';
+import { registerAllQualityHubTools } from './tools/qualityHubTools.js';
+import { registerAllAutomationTools } from './tools/automationTools.js';
+import { registerAllDefectTools } from './tools/defectTools.js';
+import { registerAllAntTools } from './tools/antTools.js';
+import { registerAllRcaTools } from './tools/rcaTools.js';
+import { registerAllTestPlanTools } from './tools/testPlanTools.js';
+
+export interface ServerConfig {
+  allowedPaths: string[];
+}
+
+export function createProvarMcpServer(config: ServerConfig): McpServer {
+  log('info', 'Creating Provar MCP server', { allowedPaths: config.allowedPaths });
+
+  const server = new McpServer({
+    name: 'provar-mcp',
+    version: SERVER_VERSION,
+  });
+
+  // ── Sanity-check tool ────────────────────────────────────────────────────────
+  server.tool(
+    'provardx.ping',
+    'Sanity-check tool. Echoes back a message with a timestamp. Use this to verify the MCP server is reachable before calling other tools.',
+    {
+      message: z.string().optional().default('ping').describe('Optional message to echo back'),
+    },
+    ({ message }) => {
+      const result = { pong: message, ts: new Date().toISOString(), server: `provar-mcp@${SERVER_VERSION}` };
+      return {
+        content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+        structuredContent: result,
+      };
+    }
+  );
+
+  // ── Provar tools ─────────────────────────────────────────────────────────────
+  registerProjectInspect(server, config);
+  registerPageObjectGenerate(server, config);
+  registerPageObjectValidate(server, config);
+  registerTestCaseGenerate(server, config);
+  registerTestCaseValidate(server, config);
+  registerTestSuiteValidate(server);
+  registerTestPlanValidate(server);
+  registerProjectValidateFromPath(server, config);
+  registerAllPropertiesTools(server, config);
+  registerAllQualityHubTools(server);
+  registerAllAutomationTools(server, config);
+  registerAllDefectTools(server);
+  registerAllAntTools(server, config);
+  registerAllRcaTools(server);
+  registerAllTestPlanTools(server, config);
+
+  return server;
+}
diff --git a/src/mcp/tools/antTools.ts b/src/mcp/tools/antTools.ts
new file mode 100644
index 00000000..056facbe
--- /dev/null
+++ b/src/mcp/tools/antTools.ts
@@ -0,0 +1,839 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path from 'node:path';
+import { z } from 'zod';
+import { XMLParser } from 'fast-xml-parser';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId, type ValidationIssue } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+
+// ── Sub-schemas ───────────────────────────────────────────────────────────────
+
+const FilesetSchema = z.object({
+  dir: z.string().describe('Directory path (relative or absolute) for the fileset'),
+  id: z
+    .string()
+    .optional()
+    .describe(
+      'Fileset id — use "testplan" for plan-based runs, "testcases" for test case runs, omit for default'
+    ),
+  includes: z
+    .array(z.string())
+    .optional()
+    .describe(
+      'Specific .testcase or .testplan file names to include (e.g. ["Login.testcase"]). Omit to run everything in dir.'
+    ),
+});
+
+const PlanFeatureSchema = z.object({
+  name: z
+    .enum(['PDF', 'PIECHART', 'EMAIL', 'JUNIT'])
+    .describe('Feature name (PDF, PIECHART, EMAIL, JUNIT)'),
+  type: z.enum(['OUTPUT', 'NOTIFICATION']).describe('Feature type'),
+  enabled: z.boolean().describe('Whether this feature is enabled'),
+});
+
+const EmailPropertiesSchema = z.object({
+  send_email: z.boolean().default(false),
+  primary_recipients: z.string().default(''),
+  cc_recipients: z.string().optional().default(''),
+  bcc_recipients: z.string().optional().default(''),
+  email_subject: z.string().default('Provar test run report'),
+  attach_execution_report: z.boolean().default(true),
+  attach_zip: z.boolean().default(false),
+});
+
+const AttachmentPropertiesSchema = z.object({
+  include_all_failures_in_summary: z.boolean().default(true),
+  include_only_failures: z.boolean().default(false),
+  include_bdd: z.boolean().default(false),
+  include_skipped: z.boolean().default(false),
+  include_test_case_description: z.boolean().default(false),
+  include_screenshots: z.boolean().default(true),
+  include_warning_messages: z.boolean().default(false),
+  include_info_messages: z.boolean().default(false),
+  include_debug_messages: z.boolean().default(false),
+  include_test_step_time: z.boolean().default(true),
+  include_test_step_path_hierarchy: z.boolean().default(true),
+  include_full_screen_shot: z.boolean().default(false),
+});
+
+// ── Generate tool ─────────────────────────────────────────────────────────────
+
+export function registerAntGenerate(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.ant.generate',
+    [
+      'Generate a Provar ANT build.xml file.',
+      'Produces the standard <project> skeleton with Provar-Compile and Run-Test-Case tasks.',
+      'Supports targeting tests by project folder, plan folder, or specific .testcase files via filesets.',
+      'Returns XML content. Writes to disk only when dry_run=false.',
+    ].join(' '),
+    {
+      // ── Core paths ──────────────────────────────────────────────────────────
+      provar_home: z
+        .string()
+        .describe(
+          'Absolute path to the Provar installation directory (e.g. "C:/Program Files/Provar/"). Used for provar.home property and ant taskdef classpaths.'
+        ),
+      project_path: z
+        .string()
+        .default('..')
+        .describe(
+          'Path to the Provar test project root. Defaults to ".." (parent of the ANT folder).'
+        ),
+      results_path: z
+        .string()
+        .default('../ANT/Results')
+        .describe('Path where test results are written. Defaults to "../ANT/Results".'),
+      project_cache_path: z
+        .string()
+        .optional()
+        .describe(
+          'Path to the .provarCaches directory. Defaults to "../../.provarCaches" relative to the ANT folder.'
+        ),
+      license_path: z
+        .string()
+        .optional()
+        .describe('Path to the Provar .licenses directory (e.g. "${env.PROVAR_HOME}/.licenses").'),
+      smtp_path: z
+        .string()
+        .optional()
+        .describe('Path to the Provar .smtp directory (e.g. "${env.PROVAR_HOME}/.smtp").'),
+
+      // ── Test selection ──────────────────────────────────────────────────────
+      filesets: z
+        .array(FilesetSchema)
+        .min(1)
+        .describe(
+          'One or more filesets defining which tests to run. ' +
+            'To run all tests under a folder: { dir: "../tests" }. ' +
+            'To run a plan: { id: "testplan", dir: "../plans/MyPlan" }. ' +
+            'To run specific test cases: { dir: "../tests/Suite", includes: ["MyTest.testcase"] }.'
+        ),
+
+      // ── Browser / environment ───────────────────────────────────────────────
+      web_browser: z
+        .enum(['Chrome', 'Chrome_Headless', 'Firefox', 'Edge', 'Edge_Legacy', 'Safari', 'IE'])
+        .default('Chrome')
+        .describe('Web browser to use for test execution.'),
+      web_browser_configuration: z
+        .string()
+        .default('Full Screen')
+        .describe('Browser window configuration (e.g. "Full Screen").'),
+      web_browser_provider_name: z
+        .string()
+        .default('Desktop')
+        .describe('Browser provider name (e.g. "Desktop").'),
+      web_browser_device_name: z
+        .string()
+        .default('Full Screen')
+        .describe('Browser device name (e.g. "Full Screen").'),
+      test_environment: z
+        .string()
+        .default('')
+        .describe('Named test environment to use (must match a connection in the project). Empty string uses default.'),
+
+      // ── Cache / metadata ────────────────────────────────────────────────────
+      salesforce_metadata_cache: z
+        .enum(['Reuse', 'Refresh', 'Reload'])
+        .default('Reuse')
+        .describe(
+          'Salesforce metadata cache strategy: Reuse (fastest, uses cached), Refresh (re-downloads), Reload (clears and re-downloads).'
+        ),
+
+      // ── Output / logging ────────────────────────────────────────────────────
+      results_path_disposition: z
+        .enum(['Increment', 'Replace', 'Reuse'])
+        .default('Increment')
+        .describe(
+          'How to handle the results folder when it already exists: Increment (new subfolder), Replace (overwrite), Reuse (append).'
+        ),
+      test_output_level: z
+        .enum(['BASIC', 'WARNING', 'DEBUG'])
+        .default('BASIC')
+        .describe('Verbosity level for test output logs.'),
+      plugin_output_level: z
+        .enum(['BASIC', 'WARNING', 'DEBUG'])
+        .default('WARNING')
+        .describe('Verbosity level for plugin output logs.'),
+
+      // ── Execution behaviour ─────────────────────────────────────────────────
+      stop_test_run_on_error: z
+        .boolean()
+        .default(false)
+        .describe('Abort the entire test run when any test case fails.'),
+      exclude_callable_test_cases: z
+        .boolean()
+        .default(true)
+        .describe('Skip test cases marked as callable (library/helper) when true.'),
+      dont_fail_build: z
+        .boolean()
+        .optional()
+        .describe(
+          'When true, the ANT build does not fail even if tests fail. Useful for CI pipelines that collect results separately.'
+        ),
+      invoke_test_run_monitor: z
+        .boolean()
+        .default(true)
+        .describe('Enable the Provar test run monitor.'),
+
+      // ── Secrets / security ──────────────────────────────────────────────────
+      secrets_password: z
+        .string()
+        .default('${env.ProvarSecretsPassword}')
+        .describe(
+          'Password for the Provar secrets store. Defaults to reading from the ProvarSecretsPassword environment variable.'
+        ),
+      test_environment_secrets_password: z
+        .string()
+        .optional()
+        .describe(
+          'Per-environment secrets password. Defaults to reading from the ProvarSecretsPassword_EnvName environment variable.'
+        ),
+
+      // ── Test Cycle ──────────────────────────────────────────────────────────
+      test_cycle_path: z
+        .string()
+        .optional()
+        .describe('Path to a TestCycle folder (used with test cycle reporting).'),
+      test_cycle_run_type: z
+        .enum(['ALL', 'FAILED', 'NEW'])
+        .optional()
+        .describe('Which tests in the cycle to run (ALL, FAILED, NEW).'),
+
+      // ── Plan features ───────────────────────────────────────────────────────
+      plan_features: z
+        .array(PlanFeatureSchema)
+        .optional()
+        .describe(
+          'Output and notification features to enable/disable (e.g. PDF, PIECHART, EMAIL). ' +
+            'Only meaningful when running by test plan.'
+        ),
+
+      // ── Email / attachment reporting ────────────────────────────────────────
+      email_properties: EmailPropertiesSchema.optional().describe(
+        'Email notification settings. Omit to exclude <emailProperties> from the XML.'
+      ),
+      attachment_properties: AttachmentPropertiesSchema.optional().describe(
+        'Attachment/report content settings. Omit to exclude <attachmentProperties> from the XML.'
+      ),
+
+      // ── File output ─────────────────────────────────────────────────────────
+      output_path: z
+        .string()
+        .optional()
+        .describe('Where to write the build.xml file (returned in response). Required when dry_run=false.'),
+      overwrite: z
+        .boolean()
+        .default(false)
+        .describe('Overwrite output_path if the file already exists.'),
+      dry_run: z
+        .boolean()
+        .default(true)
+        .describe('true = return XML only (default); false = write to output_path.'),
+    },
+    (input) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.ant.generate', {
+        requestId,
+        output_path: input.output_path,
+        dry_run: input.dry_run,
+      });
+
+      try {
+        // Validate all path inputs before writing anything — these get embedded in the
+        // generated ANT build.xml and would be accessed by ANT at execution time.
+        assertPathAllowed(input.provar_home, config.allowedPaths);
+        assertPathAllowed(input.project_path, config.allowedPaths);
+        assertPathAllowed(input.results_path, config.allowedPaths);
+        if (input.license_path) assertPathAllowed(input.license_path, config.allowedPaths);
+        if (input.smtp_path) assertPathAllowed(input.smtp_path, config.allowedPaths);
+        if (input.project_cache_path) assertPathAllowed(input.project_cache_path, config.allowedPaths);
+
+        const xmlContent = buildAntXml(input);
+        const filePath = input.output_path ? path.resolve(input.output_path) : undefined;
+        let written = false;
+
+        if (filePath && !input.dry_run) {
+          assertPathAllowed(filePath, config.allowedPaths);
+
+          if (fs.existsSync(filePath) && !input.overwrite) {
+            const err = makeError(
+              'FILE_EXISTS',
+              `File already exists: ${filePath}. Set overwrite=true to replace.`,
+              requestId
+            );
+            return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+          }
+
+          fs.mkdirSync(path.dirname(filePath), { recursive: true });
+          fs.writeFileSync(filePath, xmlContent, 'utf-8');
+          written = true;
+          log('info', 'provar.ant.generate: wrote file', { requestId, filePath });
+        }
+
+        const result = {
+          requestId,
+          xml_content: xmlContent,
+          file_path: filePath,
+          written,
+          dry_run: input.dry_run,
+        };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          structuredContent: result,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        const errResult = makeError(
+          error instanceof PathPolicyError ? error.code : (error.code ?? 'GENERATE_ERROR'),
+          error.message,
+          requestId,
+          false
+        );
+        log('error', 'provar.ant.generate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ── Validate tool ─────────────────────────────────────────────────────────────
+
+export function registerAntValidate(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.ant.validate',
+    [
+      'Validate a Provar ANT build.xml for structural correctness.',
+      'Checks XML well-formedness, required <taskdef> declarations, <Provar-Compile> step,',
+      '<Run-Test-Case> with required attributes (provarHome, projectPath, resultsPath),',
+      'and at least one <fileset> child. Returns is_valid, issues list, and a validity_score.',
+    ].join(' '),
+    {
+      content: z
+        .string()
+        .optional()
+        .describe('XML content to validate directly'),
+      file_path: z
+        .string()
+        .optional()
+        .describe('Path to the build.xml file to validate'),
+    },
+    ({ content, file_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.ant.validate', { requestId, has_content: !!content, file_path });
+
+      try {
+        let source = content;
+
+        if (!source && file_path) {
+          assertPathAllowed(file_path, config.allowedPaths);
+          const resolved = path.resolve(file_path);
+          if (!fs.existsSync(resolved)) {
+            const err = makeError('FILE_NOT_FOUND', `File not found: ${resolved}`, requestId);
+            return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+          }
+          source = fs.readFileSync(resolved, 'utf-8');
+        }
+
+        if (!source) {
+          const err = makeError('MISSING_INPUT', 'Provide either content or file_path.', requestId);
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+        }
+
+        const validation = validateAntXml(source);
+        const result = { requestId, ...validation };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          structuredContent: result,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        const errResult = makeError(
+          error instanceof PathPolicyError ? error.code : 'VALIDATE_ERROR',
+          error.message,
+          requestId,
+          false
+        );
+        log('error', 'provar.ant.validate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ── XML builder ───────────────────────────────────────────────────────────────
+
+type AntGenerateInput = {
+  provar_home: string;
+  project_path: string;
+  results_path: string;
+  project_cache_path?: string;
+  license_path?: string;
+  smtp_path?: string;
+  filesets: Array<{ dir: string; id?: string; includes?: string[] }>;
+  web_browser: string;
+  web_browser_configuration: string;
+  web_browser_provider_name: string;
+  web_browser_device_name: string;
+  test_environment: string;
+  salesforce_metadata_cache: string;
+  results_path_disposition: string;
+  test_output_level: string;
+  plugin_output_level: string;
+  stop_test_run_on_error: boolean;
+  exclude_callable_test_cases: boolean;
+  dont_fail_build?: boolean;
+  invoke_test_run_monitor: boolean;
+  secrets_password: string;
+  test_environment_secrets_password?: string;
+  test_cycle_path?: string;
+  test_cycle_run_type?: string;
+  plan_features?: Array<{ name: string; type: string; enabled: boolean }>;
+  email_properties?: {
+    send_email: boolean;
+    primary_recipients: string;
+    cc_recipients?: string;
+    bcc_recipients?: string;
+    email_subject: string;
+    attach_execution_report: boolean;
+    attach_zip: boolean;
+  };
+  attachment_properties?: {
+    include_all_failures_in_summary: boolean;
+    include_only_failures: boolean;
+    include_bdd: boolean;
+    include_skipped: boolean;
+    include_test_case_description: boolean;
+    include_screenshots: boolean;
+    include_warning_messages: boolean;
+    include_info_messages: boolean;
+    include_debug_messages: boolean;
+    include_test_step_time: boolean;
+    include_test_step_path_hierarchy: boolean;
+    include_full_screen_shot: boolean;
+  };
+};
+
+function buildRtcOptionalAttrs(input: AntGenerateInput, a: (s: string) => string): string[] {
+  const attrs: string[] = [];
+  if (input.dont_fail_build !== undefined) {
+    attrs.push(`\t\t\t\tdontFailBuild="${input.dont_fail_build}"`);
+  }
+  if (input.invoke_test_run_monitor) {
+    attrs.push('\t\t\t\tinvokeTestRunMonitor="true"');
+  }
+  if (input.license_path) {
+    attrs.push(`\t\t\t\tlicensePath="${a(input.license_path)}"`);
+  }
+  if (input.smtp_path) {
+    attrs.push(`\t\t\t\tsmtpPath="${a(input.smtp_path)}"`);
+  }
+  if (input.test_cycle_path) {
+    attrs.push('\t\t\t\ttestCyclePath="${testcycle.path}"');
+  }
+  if (input.test_cycle_run_type) {
+    attrs.push(`\t\t\t\ttestCycleRunType="${a(input.test_cycle_run_type)}"`);
+  }
+  return attrs;
+}
+
+function buildAntXml(input: AntGenerateInput): string {
+  const a = escapeXmlAttr;
+  const cachePath = input.project_cache_path ?? '../../.provarCaches';
+
+  // ── Properties ──────────────────────────────────────────────────────────────
+  const lines: string[] = [
+    '<project default="runtests">',
+    '\t<property environment="env"/>',
+    `\t<property name="provar.home" value="${a(input.provar_home)}"/>`,
+    `\t<property name="testproject.home" value="${a(input.project_path)}"/>`,
+    `\t<property name="testproject.results" value="${a(input.results_path)}"/>`,
+    `\t<property name="secrets.password" value="${a(input.secrets_password)}"/>`,
+  ];
+
+  if (input.test_environment_secrets_password) {
+    lines.push(
+      `\t<property name="testenvironment.secretspassword" value="${a(input.test_environment_secrets_password)}"/>`
+    );
+  } else {
+    lines.push(
+      '\t<property name="testenvironment.secretspassword" value="${env.ProvarSecretsPassword_EnvName}"/>'
+    );
+  }
+
+  if (input.test_cycle_path) {
+    lines.push(`\t<property name="testcycle.path" value="${a(input.test_cycle_path)}"/>`);
+  }
+
+  lines.push('');
+
+  // ── Taskdefs ────────────────────────────────────────────────────────────────
+  lines.push(
+    '\t<taskdef name="Provar-Compile" classname="com.provar.testrunner.ant.CompileTask" classpath="${provar.home}/ant/ant-provar.jar"/>',
+    '\t<taskdef name="Run-Test-Case" classname="com.provar.testrunner.ant.RunnerTask" classpath="${provar.home}/ant/ant-provar.jar;${provar.home}/ant/ant-provar-bundled.jar;${provar.home}/ant/ant-provar-sf.jar"/>',
+    '\t<taskdef name="Test-Cycle-Report" classname="com.provar.testrunner.ant.TestCycleReportTask" classpath="${provar.home}/ant/ant-provar.jar;${provar.home}/ant/ant-provar-bundled.jar;${provar.home}/ant/ant-provar-sf.jar"/>',
+    ''
+  );
+
+  // ── Target ──────────────────────────────────────────────────────────────────
+  lines.push('\t<target name="runtests">', '');
+  lines.push('\t\t<Provar-Compile provarHome="${provar.home}" projectPath="${testproject.home}"/>', '');
+
+  // ── Run-Test-Case opening tag ────────────────────────────────────────────────
+  const rtcAttrs: string[] = [
+    '\t\t<Run-Test-Case provarHome="${provar.home}"',
+    '\t\t\t\tprojectPath="${testproject.home}"',
+    '\t\t\t\tresultsPath="${testproject.results}"',
+    `\t\t\t\tresultsPathDisposition="${a(input.results_path_disposition)}"`,
+    `\t\t\t\ttestEnvironment="${a(input.test_environment)}"`,
+    `\t\t\t\twebBrowser="${a(input.web_browser)}"`,
+    `\t\t\t\twebBrowserConfiguration="${a(input.web_browser_configuration)}"`,
+    `\t\t\t\twebBrowserProviderName="${a(input.web_browser_provider_name)}"`,
+    `\t\t\t\twebBrowserDeviceName="${a(input.web_browser_device_name)}"`,
+    `\t\t\t\texcludeCallableTestCases="${input.exclude_callable_test_cases}"`,
+    `\t\t\t\tsalesforceMetadataCache="${a(input.salesforce_metadata_cache)}"`,
+    `\t\t\t\tprojectCachePath="${a(cachePath)}"`,
+    `\t\t\t\ttestOutputlevel="${a(input.test_output_level)}"`,
+    `\t\t\t\tpluginOutputlevel="${a(input.plugin_output_level)}"`,
+    `\t\t\t\tstopTestRunOnError="${input.stop_test_run_on_error}"`,
+    '\t\t\t\tsecretsPassword="${secrets.password}"',
+    '\t\t\t\ttestEnvironmentSecretsPassword="${testenvironment.secretspassword}"',
+  ];
+
+  rtcAttrs.push(...buildRtcOptionalAttrs(input, a));
+
+  // Join: all but last get no closing, last gets >
+  lines.push(rtcAttrs.join('\n') + '\n\t\t\t\t>');
+  lines.push('');
+
+  // ── Filesets ─────────────────────────────────────────────────────────────────
+  for (const fileset of input.filesets) {
+    const idAttr = fileset.id ? ` id="${a(fileset.id)}"` : '';
+    if (fileset.includes && fileset.includes.length > 0) {
+      lines.push(`\t\t\t<fileset${idAttr} dir="${a(fileset.dir)}">`);
+      for (const inc of fileset.includes) {
+        lines.push(`\t\t\t\t<include name="${a(inc)}"/>`);
+      }
+      lines.push('\t\t\t</fileset>');
+    } else {
+      lines.push(`\t\t\t<fileset${idAttr} dir="${a(fileset.dir)}"></fileset>`);
+    }
+  }
+
+  lines.push('');
+
+  // ── Plan features ─────────────────────────────────────────────────────────────
+  if (input.plan_features && input.plan_features.length > 0) {
+    for (const pf of input.plan_features) {
+      lines.push(
+        `\t\t\t<planFeature name="${a(pf.name)}" type="${a(pf.type)}" enabled="${pf.enabled}"/>`
+      );
+    }
+    lines.push('');
+  }
+
+  // ── Email properties ──────────────────────────────────────────────────────────
+  if (input.email_properties) {
+    const ep = input.email_properties;
+    lines.push(
+      `\t\t\t<emailProperties sendEmail="${ep.send_email}" primaryRecipients="${a(ep.primary_recipients)}" ccRecipients="${a(ep.cc_recipients ?? '')}" bccRecipients="${a(ep.bcc_recipients ?? '')}" emailSubject="${a(ep.email_subject)}" attachExecutionReport="${ep.attach_execution_report}" attachZip="${ep.attach_zip}"/>`
+    );
+  }
+
+  // ── Attachment properties ─────────────────────────────────────────────────────
+  if (input.attachment_properties) {
+    const ap = input.attachment_properties;
+    lines.push(
+      `\t\t\t<attachmentProperties includeAllFailuresInSummary="${ap.include_all_failures_in_summary}" includeOnlyFailures="${ap.include_only_failures}" includeBdd="${ap.include_bdd}" includeSkipped="${ap.include_skipped}" includeTestCaseDescription="${ap.include_test_case_description}" includeScreenshots="${ap.include_screenshots}" includeWarningMessages="${ap.include_warning_messages}" includeInfoMessages="${ap.include_info_messages}" includeDebugMessages="${ap.include_debug_messages}" includeTestStepTime="${ap.include_test_step_time}" includeTestStepPathHierarchy="${ap.include_test_step_path_hierarchy}" includeFullScreenShot="${ap.include_full_screen_shot}"/>`
+    );
+  }
+
+  lines.push('\t\t</Run-Test-Case>', '', '\t</target>', '</project>', '');
+
+  return lines.join('\n');
+}
+
+function escapeXmlAttr(value: string): string {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+}
+
+// ── Validator ─────────────────────────────────────────────────────────────────
+
+export interface AntValidationResult {
+  is_valid: boolean;
+  validity_score: number;
+  provar_home: string | null;
+  project_path: string | null;
+  results_path: string | null;
+  web_browser: string | null;
+  test_environment: string | null;
+  fileset_count: number;
+  error_count: number;
+  warning_count: number;
+  issues: ValidationIssue[];
+}
+
+const REQUIRED_TASKDEF_CLASSNAMES = [
+  'com.provar.testrunner.ant.CompileTask',
+  'com.provar.testrunner.ant.RunnerTask',
+];
+
+const VALID_BROWSERS = ['Chrome', 'Chrome_Headless', 'Firefox', 'Edge', 'Edge_Legacy', 'Safari', 'IE'];
+const VALID_CACHE = ['Reuse', 'Refresh', 'Reload'];
+const VALID_OUTPUT_LEVELS = ['BASIC', 'WARNING', 'DEBUG'];
+const VALID_DISPOSITIONS = ['Increment', 'Replace', 'Reuse'];
+
+interface RtcValidationResult {
+  provarHome: string | null;
+  projectPath: string | null;
+  resultsPath: string | null;
+  webBrowser: string | null;
+  testEnvironment: string | null;
+  filesetCount: number;
+}
+
+function validateProjectStructure(
+  project: Record<string, unknown>,
+  defaultTarget: string | undefined,
+  issues: ValidationIssue[]
+): Record<string, unknown> | null {
+  if (!defaultTarget) {
+    issues.push({
+      rule_id: 'ANT_004',
+      severity: 'ERROR',
+      message: '<project> missing required "default" attribute.',
+      applies_to: 'project',
+      suggestion: 'Add default="runtests" (or your target name) to <project>.',
+    });
+  }
+
+  const taskdefs = (project['taskdef'] as Array<Record<string, unknown>> | undefined) ?? [];
+  for (const requiredClass of REQUIRED_TASKDEF_CLASSNAMES) {
+    const found = taskdefs.some((td) => (td['@_classname'] as string | undefined) === requiredClass);
+    if (!found) {
+      issues.push({
+        rule_id: 'ANT_005',
+        severity: 'ERROR',
+        message: `Missing <taskdef> for classname "${requiredClass}".`,
+        applies_to: 'taskdef',
+        suggestion: `Add <taskdef classname="${requiredClass}" ...> to the project.`,
+      });
+    }
+  }
+
+  const targets = (project['target'] as Array<Record<string, unknown>> | undefined) ?? [];
+  const defaultTargetEl = defaultTarget
+    ? targets.find((t) => (t['@_name'] as string | undefined) === defaultTarget)
+    : undefined;
+
+  if (defaultTarget && !defaultTargetEl) {
+    issues.push({
+      rule_id: 'ANT_006',
+      severity: 'ERROR',
+      message: `Default target "${defaultTarget}" not found in <project>.`,
+      applies_to: 'project',
+      suggestion: `Add a <target name="${defaultTarget}"> element.`,
+    });
+    return null;
+  }
+
+  const target = defaultTargetEl ?? targets[0];
+  if (!target) {
+    issues.push({
+      rule_id: 'ANT_007',
+      severity: 'ERROR',
+      message: 'No <target> elements found in <project>.',
+      applies_to: 'project',
+      suggestion: 'Add at least one <target> element.',
+    });
+    return null;
+  }
+  return target;
+}
+
+function validateRtcEnumAttrs(rtc: Record<string, unknown>, webBrowser: string | null, issues: ValidationIssue[]): void {
+  if (webBrowser && !VALID_BROWSERS.includes(webBrowser)) {
+    issues.push({ rule_id: 'ANT_030', severity: 'WARNING', message: `webBrowser "${webBrowser}" is not a recognised value. Expected one of: ${VALID_BROWSERS.join(', ')}.`, applies_to: 'Run-Test-Case', suggestion: `Use one of the supported browser values: ${VALID_BROWSERS.join(', ')}.` });
+  }
+  const metadataCache = rtc['@_salesforceMetadataCache'] as string | undefined;
+  if (metadataCache && !VALID_CACHE.includes(metadataCache)) {
+    issues.push({ rule_id: 'ANT_031', severity: 'WARNING', message: `salesforceMetadataCache "${metadataCache}" is not a recognised value. Expected one of: ${VALID_CACHE.join(', ')}.`, applies_to: 'Run-Test-Case', suggestion: `Use one of: ${VALID_CACHE.join(', ')}.` });
+  }
+  const testOutputLevel = rtc['@_testOutputlevel'] as string | undefined;
+  if (testOutputLevel && !VALID_OUTPUT_LEVELS.includes(testOutputLevel)) {
+    issues.push({ rule_id: 'ANT_032', severity: 'WARNING', message: `testOutputlevel "${testOutputLevel}" is not a recognised value. Expected one of: ${VALID_OUTPUT_LEVELS.join(', ')}.`, applies_to: 'Run-Test-Case', suggestion: `Use one of: ${VALID_OUTPUT_LEVELS.join(', ')}.` });
+  }
+  const disposition = rtc['@_resultsPathDisposition'] as string | undefined;
+  if (disposition && !VALID_DISPOSITIONS.includes(disposition)) {
+    issues.push({ rule_id: 'ANT_033', severity: 'WARNING', message: `resultsPathDisposition "${disposition}" is not a recognised value. Expected one of: ${VALID_DISPOSITIONS.join(', ')}.`, applies_to: 'Run-Test-Case', suggestion: `Use one of: ${VALID_DISPOSITIONS.join(', ')}.` });
+  }
+}
+
+function validateRunTestCase(rtc: Record<string, unknown>, issues: ValidationIssue[]): RtcValidationResult {
+  const provarHome = (rtc['@_provarHome'] as string | undefined) ?? null;
+  const projectPath = (rtc['@_projectPath'] as string | undefined) ?? null;
+  const resultsPath = (rtc['@_resultsPath'] as string | undefined) ?? null;
+  const webBrowser = (rtc['@_webBrowser'] as string | undefined) ?? null;
+  const testEnvironment = (rtc['@_testEnvironment'] as string | undefined) ?? null;
+
+  if (!provarHome) {
+    issues.push({ rule_id: 'ANT_021', severity: 'ERROR', message: '<Run-Test-Case> missing required "provarHome" attribute.', applies_to: 'Run-Test-Case', suggestion: 'Add provarHome="${provar.home}" to <Run-Test-Case>.' });
+  }
+  if (!projectPath) {
+    issues.push({ rule_id: 'ANT_022', severity: 'ERROR', message: '<Run-Test-Case> missing required "projectPath" attribute.', applies_to: 'Run-Test-Case', suggestion: 'Add projectPath="${testproject.home}" to <Run-Test-Case>.' });
+  }
+  if (!resultsPath) {
+    issues.push({ rule_id: 'ANT_023', severity: 'ERROR', message: '<Run-Test-Case> missing required "resultsPath" attribute.', applies_to: 'Run-Test-Case', suggestion: 'Add resultsPath="${testproject.results}" to <Run-Test-Case>.' });
+  }
+  validateRtcEnumAttrs(rtc, webBrowser, issues);
+  const filesets = (rtc['fileset'] as Array<Record<string, unknown>> | undefined) ?? [];
+  if (filesets.length === 0) {
+    issues.push({ rule_id: 'ANT_040', severity: 'ERROR', message: '<Run-Test-Case> has no <fileset> children — no tests will be selected.', applies_to: 'Run-Test-Case', suggestion: 'Add at least one <fileset dir="..."/> pointing to your tests or plans folder.' });
+  }
+  for (const [i, fsEntry] of filesets.entries()) {
+    if (!(fsEntry['@_dir'] as string | undefined)) {
+      issues.push({ rule_id: 'ANT_041', severity: 'ERROR', message: `<fileset> at index ${i} is missing required "dir" attribute.`, applies_to: 'fileset', suggestion: 'Add dir="..." to each <fileset> element.' });
+    }
+  }
+  return { provarHome, projectPath, resultsPath, webBrowser, testEnvironment, filesetCount: filesets.length };
+}
+
+/** Pure function — exported for unit testing */
+export function validateAntXml(xmlContent: string): AntValidationResult {
+  const issues: ValidationIssue[] = [];
+
+  // ANT_001: XML declaration
+  if (!xmlContent.trimStart().startsWith('<?xml')) {
+    issues.push({
+      rule_id: 'ANT_001',
+      severity: 'WARNING',
+      message: 'Missing XML declaration. Consider adding <?xml version="1.0" encoding="UTF-8"?> as the first line.',
+      applies_to: 'document',
+      suggestion: 'Add XML declaration as the first line.',
+    });
+  }
+
+  // Parse
+  const parser = new XMLParser({
+    ignoreAttributes: false,
+    attributeNamePrefix: '@_',
+    parseAttributeValue: false,
+    isArray: (tagName) =>
+      ['taskdef', 'target', 'fileset', 'include', 'planFeature'].includes(tagName),
+  });
+  let parsed: Record<string, unknown>;
+  try {
+    parsed = parser.parse(xmlContent) as Record<string, unknown>;
+  } catch (e: unknown) {
+    const parseError = e as Error;
+    issues.push({
+      rule_id: 'ANT_002',
+      severity: 'ERROR',
+      message: `XML parse error: ${parseError.message}`,
+      applies_to: 'document',
+      suggestion: 'Fix XML syntax errors.',
+    });
+    return finalizeAnt(issues, null, null, null, null, null, 0);
+  }
+
+  // ANT_003: Root element must be <project>
+  if (!('project' in parsed)) {
+    issues.push({
+      rule_id: 'ANT_003',
+      severity: 'ERROR',
+      message: 'Root element must be <project>.',
+      applies_to: 'document',
+      suggestion: 'Wrap content in a <project> element.',
+    });
+    return finalizeAnt(issues, null, null, null, null, null, 0);
+  }
+
+  const project = parsed['project'] as Record<string, unknown>;
+  const defaultTarget = project['@_default'] as string | undefined;
+
+  const target = validateProjectStructure(project, defaultTarget, issues);
+  if (!target) {
+    return finalizeAnt(issues, null, null, null, null, null, 0);
+  }
+
+  // ANT_010: Provar-Compile step
+  const compileStep = target['Provar-Compile'] as Record<string, unknown> | undefined;
+  if (!compileStep) {
+    issues.push({
+      rule_id: 'ANT_010',
+      severity: 'WARNING',
+      message: 'No <Provar-Compile> step found in the default target.',
+      applies_to: 'target',
+      suggestion: 'Add <Provar-Compile provarHome="..." projectPath="..."/> before Run-Test-Case.',
+    });
+  }
+
+  // ANT_020: Run-Test-Case step
+  const rtc = target['Run-Test-Case'] as Record<string, unknown> | undefined;
+  if (!rtc) {
+    issues.push({
+      rule_id: 'ANT_020',
+      severity: 'ERROR',
+      message: 'No <Run-Test-Case> element found in the default target.',
+      applies_to: 'target',
+      suggestion: 'Add a <Run-Test-Case ...> element to run tests.',
+    });
+    return finalizeAnt(issues, null, null, null, null, null, 0);
+  }
+
+  const { provarHome, projectPath, resultsPath, webBrowser, testEnvironment, filesetCount } =
+    validateRunTestCase(rtc, issues);
+
+  return finalizeAnt(issues, provarHome, projectPath, resultsPath, webBrowser, testEnvironment, filesetCount);
+}
+
+function finalizeAnt(
+  issues: ValidationIssue[],
+  provarHome: string | null,
+  projectPath: string | null,
+  resultsPath: string | null,
+  webBrowser: string | null,
+  testEnvironment: string | null,
+  filesetCount: number
+): AntValidationResult {
+  const errorCount = issues.filter((i) => i.severity === 'ERROR').length;
+  const warningCount = issues.filter((i) => i.severity === 'WARNING').length;
+  const validityScore = Math.max(0, 100 - errorCount * 20);
+
+  return {
+    is_valid: errorCount === 0,
+    validity_score: validityScore,
+    provar_home: provarHome,
+    project_path: projectPath,
+    results_path: resultsPath,
+    web_browser: webBrowser,
+    test_environment: testEnvironment,
+    fileset_count: filesetCount,
+    error_count: errorCount,
+    warning_count: warningCount,
+    issues,
+  };
+}
+
+// ── Registration ──────────────────────────────────────────────────────────────
+
+export function registerAllAntTools(server: McpServer, config: ServerConfig): void {
+  registerAntGenerate(server, config);
+  registerAntValidate(server, config);
+}
diff --git a/src/mcp/tools/automationTools.ts b/src/mcp/tools/automationTools.ts
new file mode 100644
index 00000000..130b1c49
--- /dev/null
+++ b/src/mcp/tools/automationTools.ts
@@ -0,0 +1,459 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { sfSpawnHelper, SfNotFoundError } from './sfSpawn.js';
+
+// ── SF CLI discovery ──────────────────────────────────────────────────────────
+
+/**
+ * Returns candidate sf CLI paths in common npm/nvm/volta install locations.
+ * Used as a fallback when `sf` is not in PATH.
+ */
+export function getSfCommonPaths(): string[] {
+  const home = os.homedir();
+  if (process.platform === 'win32') {
+    const appData = process.env['APPDATA'] ?? path.join(home, 'AppData', 'Roaming');
+    return [
+      path.join(appData, 'npm', 'sf.cmd'),
+      path.join('C:', 'Program Files', 'nodejs', 'sf.cmd'),
+      path.join('C:', 'Program Files (x86)', 'nodejs', 'sf.cmd'),
+    ];
+  }
+  const candidates = [
+    '/usr/local/bin/sf',
+    path.join(home, '.npm-global', 'bin', 'sf'),
+    path.join(home, '.local', 'bin', 'sf'),
+    path.join(home, '.volta', 'bin', 'sf'),
+  ];
+  // nvm — scan the three most-recently installed Node versions
+  const nvmBinDir = path.join(process.env['NVM_DIR'] ?? path.join(home, '.nvm'), 'versions', 'node');
+  if (fs.existsSync(nvmBinDir)) {
+    try {
+      for (const v of fs.readdirSync(nvmBinDir).sort().reverse().slice(0, 3)) {
+        candidates.push(path.join(nvmBinDir, v, 'bin', 'sf'));
+      }
+    } catch { /* skip */ }
+  }
+  return candidates;
+}
+
+// ── Shared spawn helper ───────────────────────────────────────────────────────
+
+const MAX_BUFFER = 50 * 1024 * 1024; // 50 MB — prevents ENOBUFS on verbose Provar runs
+
+interface SpawnResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+// Proactively resolve the sf executable path once on first use and cache it.
+// This ensures sf is always found even when ENOENT is masked by other errors (e.g. ENOBUFS).
+let cachedSfPath: string | null | undefined; // undefined = not yet probed
+
+/** Exposed for testing only — pre-seeds the cached sf executable path, bypassing the probe spawn. */
+export function setSfPathCacheForTesting(value: string | null): void {
+  cachedSfPath = value;
+}
+
+function resolveSfExecutable(): string | null {
+  if (cachedSfPath !== undefined) return cachedSfPath;
+  // Check PATH first via a cheap version probe
+  const probe = sfSpawnHelper.spawnSync('sf', ['--version'], { encoding: 'utf-8', shell: false, maxBuffer: 1024 * 1024 });
+  if (!probe.error) {
+    cachedSfPath = 'sf';
+    return cachedSfPath;
+  }
+  // Fall back to common install locations
+  for (const candidate of getSfCommonPaths()) {
+    if (fs.existsSync(candidate)) {
+      cachedSfPath = candidate;
+      return cachedSfPath;
+    }
+  }
+  cachedSfPath = null;
+  return null;
+}
+
+
+function runSfCommand(args: string[], sfPath?: string): SpawnResult {
+  // Use explicit path if provided; otherwise use cached probe result
+  const executable = sfPath ?? resolveSfExecutable();
+  if (!executable) throw new SfNotFoundError();
+
+  const result = sfSpawnHelper.spawnSync(executable, args, { encoding: 'utf-8', shell: false, maxBuffer: MAX_BUFFER });
+
+  if (result.error) {
+    const err = result.error as NodeJS.ErrnoException;
+    if (err.code === 'ENOENT') {
+      throw new SfNotFoundError(sfPath);
+    }
+    throw result.error;
+  }
+
+  return {
+    stdout: result.stdout ?? '',
+    stderr: result.stderr ?? '',
+    exitCode: result.status ?? 1,
+  };
+}
+
+function handleSpawnError(err: unknown, requestId: string, toolName: string): { isError: true; content: Array<{ type: 'text'; text: string }> } {
+  const error = err as Error & { code?: string };
+  log('error', `${toolName} failed`, { requestId, error: error.message });
+  return {
+    isError: true as const,
+    content: [{ type: 'text' as const, text: JSON.stringify(makeError(error.code ?? 'SF_ERROR', error.message, requestId, false)) }],
+  };
+}
+
+// ── Tool: provar.automation.config.load ──────────────────────────────────────
+
+export function registerAutomationConfigLoad(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.automation.config.load',
+    [
+      'Register a provardx-properties.json file as the active Provar configuration.',
+      'Invokes `sf provar automation config load --properties-file <path>`, writing the path to ~/.sf/config.json.',
+      'REQUIRED before provar.automation.compile or provar.automation.testrun — without this step those commands fail with MISSING_FILE.',
+      'Typical workflow: provar.automation.config.load → provar.automation.compile → provar.automation.testrun.',
+    ].join(' '),
+    {
+      properties_path: z.string().describe('Absolute path to the provardx-properties.json file to register as active configuration'),
+      sf_path: z.string().optional().describe('Path to the sf CLI executable when not in PATH (e.g. "~/.nvm/versions/node/v22.0.0/bin/sf")'),
+    },
+    ({ properties_path, sf_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.automation.config.load', { requestId, properties_path });
+
+      try {
+        assertPathAllowed(properties_path, config.allowedPaths);
+        const result = runSfCommand(['provar', 'automation', 'config', 'load', '--properties-file', properties_path], sf_path);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr, properties_path };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('AUTOMATION_CONFIG_LOAD_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        if (err instanceof PathPolicyError) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError(err.code, err.message, requestId, false)) }] };
+        }
+        return handleSpawnError(err, requestId, 'provar.automation.config.load');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.automation.testrun ───────────────────────────────────────────
+
+export function registerAutomationTestRun(server: McpServer): void {
+  server.tool(
+    'provar.automation.testrun',
+    [
+      'Trigger a LOCAL Provar automation test run using installed Provar binaries. Invokes `sf provar automation test run`.',
+      'PREREQUISITE: Run provar.automation.config.load first to register a provardx-properties.json — without this the command fails with MISSING_FILE.',
+      'Requires Provar to be installed locally and provarHome set correctly in the properties file.',
+      'Use provar.automation.setup first if Provar is not yet installed.',
+      'For grid/CI execution via Provar Quality Hub instead of running locally, use provar.qualityhub.testrun.',
+      'Typical local AI loop: config.load → compile → testrun → inspect results.',
+    ].join(' '),
+    {
+      flags: z.array(z.string()).optional().default([]).describe('Raw CLI flags to forward (e.g. ["--project-path", "/path/to/project"])'),
+      sf_path: z.string().optional().describe('Path to the sf CLI executable when not in PATH (e.g. "~/.nvm/versions/node/v22.0.0/bin/sf")'),
+    },
+    ({ flags, sf_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.automation.testrun', { requestId });
+
+      try {
+        const result = runSfCommand(['provar', 'automation', 'test', 'run', ...flags], sf_path);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('AUTOMATION_TESTRUN_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.automation.testrun');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.automation.compile ───────────────────────────────────────────
+
+export function registerAutomationCompile(server: McpServer): void {
+  server.tool(
+    'provar.automation.compile',
+    [
+      'Compile a Provar automation project. Invokes `sf provar automation project compile`.',
+      'PREREQUISITE: Run provar.automation.config.load first to register a provardx-properties.json — without this the command fails with MISSING_FILE.',
+      'Run this before triggering a test run after modifying test cases.',
+    ].join(' '),
+    {
+      flags: z.array(z.string()).optional().default([]).describe('Raw CLI flags to forward (e.g. ["--project-path", "/path/to/project"])'),
+      sf_path: z.string().optional().describe('Path to the sf CLI executable when not in PATH (e.g. "~/.nvm/versions/node/v22.0.0/bin/sf")'),
+    },
+    ({ flags, sf_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.automation.compile', { requestId });
+
+      try {
+        const result = runSfCommand(['provar', 'automation', 'project', 'compile', ...flags], sf_path);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('AUTOMATION_COMPILE_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.automation.compile');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.automation.metadata.download ─────────────────────────────────
+
+export function registerAutomationMetadataDownload(server: McpServer): void {
+  server.tool(
+    'provar.automation.metadata.download',
+    'Download Salesforce metadata into a Provar project. Invokes `sf provar automation metadata download`.',
+    {
+      flags: z.array(z.string()).optional().default([]).describe('Raw CLI flags to forward (e.g. ["--target-org", "myorg"])'),
+      sf_path: z.string().optional().describe('Path to the sf CLI executable when not in PATH (e.g. "~/.nvm/versions/node/v22.0.0/bin/sf")'),
+    },
+    ({ flags, sf_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.automation.metadata.download', { requestId });
+
+      try {
+        const result = runSfCommand(['provar', 'automation', 'metadata', 'download', ...flags], sf_path);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('AUTOMATION_METADATA_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.automation.metadata.download');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.automation.setup ─────────────────────────────────────────────
+
+/** Known system-level Provar install paths per platform. */
+const SYSTEM_INSTALL_BASES: Record<string, string[]> = {
+  win32: [
+    'C:/Program Files',
+    'C:/Program Files (x86)',
+  ],
+  darwin: [
+    '/Applications',
+  ],
+  linux: [
+    '/opt',
+    '/usr/local',
+  ],
+};
+
+interface ProvarInstall {
+  path: string;
+  version: string | null;
+  source: 'local' | 'env' | 'system';
+}
+
+/** Try to read a Provar version string from well-known files inside an install dir. */
+function readProvarVersion(installPath: string): string | null {
+  for (const candidate of ['version.txt', 'VERSION', 'provardx/version.txt', 'lib/version.txt']) {
+    try {
+      const content = fs.readFileSync(path.join(installPath, candidate), 'utf-8').trim();
+      if (content) return content;
+    } catch {
+      // try next candidate
+    }
+  }
+  return null;
+}
+
+/** Return true if the directory looks like a valid Provar installation (has provardx.jar). */
+function isValidProvarHome(dir: string): boolean {
+  return fs.existsSync(path.join(dir, 'provardx', 'provardx.jar'));
+}
+
+/**
+ * Scan common install locations and return every Provar installation found on this machine.
+ * Checks (in order): PROVAR_HOME env var, ./ProvarHome (CLI-installed), platform system dirs.
+ */
+function findExistingInstallations(): ProvarInstall[] {
+  const found: ProvarInstall[] = [];
+  const seen = new Set<string>();
+
+  function addIfValid(installPath: string, source: ProvarInstall['source']): void {
+    const resolved = path.resolve(installPath);
+    if (seen.has(resolved)) return;
+    if (!fs.existsSync(resolved)) return;
+    if (isValidProvarHome(resolved)) {
+      seen.add(resolved);
+      found.push({ path: resolved, version: readProvarVersion(resolved), source });
+    }
+  }
+
+  // 1. PROVAR_HOME environment variable
+  const envHome = process.env['PROVAR_HOME'];
+  if (envHome) addIfValid(envHome, 'env');
+
+  // 2. ./ProvarHome — where `sf provar automation setup` installs by default
+  addIfValid(path.join(process.cwd(), 'ProvarHome'), 'local');
+
+  // 3. Platform-specific system install dirs — scan for any Provar* subdirectory
+  const bases = SYSTEM_INSTALL_BASES[process.platform] ?? [];
+  for (const base of bases) {
+    if (!fs.existsSync(base)) continue;
+    let entries: string[];
+    try {
+      entries = fs.readdirSync(base);
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      if (entry.toLowerCase().startsWith('provar')) {
+        const fullPath = path.join(base, entry);
+        // For macOS .app bundles the resources sit inside Contents/Resources
+        const candidates = [
+          fullPath,
+          path.join(fullPath, 'Contents', 'Resources'),
+          path.join(fullPath, 'Contents', 'Resources', 'ProvarHome'),
+        ];
+        for (const candidate of candidates) {
+          addIfValid(candidate, 'system');
+        }
+      }
+    }
+  }
+
+  return found;
+}
+
+export function registerAutomationSetup(server: McpServer): void {
+  server.tool(
+    'provar.automation.setup',
+    [
+      'Download and install Provar Automation binaries locally. Invokes `sf provar automation setup`.',
+      'Before downloading, checks for existing Provar installations in:',
+      '  • PROVAR_HOME environment variable',
+      '  • ./ProvarHome (default CLI install location)',
+      '  • C:\\Program Files\\Provar* (Windows system installs)',
+      '  • /Applications/Provar* (macOS app installs)',
+      'If an existing installation is found, returns its path so you can set provarHome in the properties file — skipping the download unless force is true.',
+      'After a successful install, update the provarHome property in provardx-properties.json to the returned install_path using provar.properties.set.',
+    ].join(' '),
+    {
+      version: z.string().optional().describe(
+        'Specific Provar Automation version to install, e.g. "2.12.0". Omit to install the latest release.'
+      ),
+      force: z.boolean().optional().default(false).describe(
+        'Force a fresh download even if an existing installation is already detected (default: false).'
+      ),
+      sf_path: z.string().optional().describe('Path to the sf CLI executable when not in PATH (e.g. "~/.nvm/versions/node/v22.0.0/bin/sf")'),
+    },
+    ({ version, force, sf_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.automation.setup', { requestId, version, force });
+
+      try {
+        // ── 1. Check for existing installations ──────────────────────────────
+        const existing = findExistingInstallations();
+
+        if (existing.length > 0 && !force) {
+          const primary = existing[0];
+          const response = {
+            requestId,
+            already_installed: true,
+            installations: existing,
+            install_path: primary.path,
+            version: primary.version,
+            message: [
+              `Found ${existing.length} existing Provar installation(s). Skipped download.`,
+              `Set provarHome to "${primary.path}" in your provardx-properties.json,`,
+              'or pass force: true to download and overwrite with a fresh copy.',
+            ].join(' '),
+          };
+          return {
+            content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+            structuredContent: response,
+          };
+        }
+
+        // ── 2. Run sf provar automation setup ────────────────────────────────
+        const flags = version ? ['--version', version] : [];
+        const result = runSfCommand(['provar', 'automation', 'setup', ...flags], sf_path);
+
+        if (result.exitCode !== 0) {
+          return {
+            isError: true as const,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('AUTOMATION_SETUP_FAILED', result.stderr || result.stdout, requestId)) }],
+          };
+        }
+
+        // ── 3. Locate the freshly installed ProvarHome ───────────────────────
+        const freshInstalls = findExistingInstallations();
+        const localInstall = freshInstalls.find(i => i.source === 'local') ?? freshInstalls[0];
+        const installPath = localInstall?.path ?? path.resolve(process.cwd(), 'ProvarHome');
+        const detectedVersion = localInstall?.version ?? version ?? null;
+
+        const response = {
+          requestId,
+          already_installed: false,
+          forced: force,
+          exitCode: result.exitCode,
+          stdout: result.stdout,
+          stderr: result.stderr,
+          install_path: installPath,
+          version: detectedVersion,
+          message: [
+            `Provar Automation installed successfully at: ${installPath}.`,
+            'Update provarHome in your provardx-properties.json to this path using provar.properties.set.',
+          ].join(' '),
+        };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.automation.setup');
+      }
+    }
+  );
+}
+
+// ── Bulk registration ─────────────────────────────────────────────────────────
+
+export function registerAllAutomationTools(server: McpServer, config: ServerConfig): void {
+  registerAutomationSetup(server);
+  registerAutomationConfigLoad(server, config);
+  registerAutomationTestRun(server);
+  registerAutomationCompile(server);
+  registerAutomationMetadataDownload(server);
+}
diff --git a/src/mcp/tools/bestPracticesEngine.ts b/src/mcp/tools/bestPracticesEngine.ts
new file mode 100644
index 00000000..ecee7fbd
--- /dev/null
+++ b/src/mcp/tools/bestPracticesEngine.ts
@@ -0,0 +1,740 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+/**
+ * Provar Best Practices Engine — TypeScript port of quality-hub-agents/lambda/src/validator/best_practices_engine.py
+ *
+ * Loads rules from provar_best_practices_rules.json and validates XML test cases,
+ * producing violations and a quality score using the exact same weighted deduction
+ * formula as the Lambda service to guarantee score parity between API and MCP.
+ *
+ * Scoring formula (matching Lambda exactly):
+ * score = max(0, 100 − Σ(weight × severity_mult × effective_count))
+ * severity_mult = { critical:1.0, major:0.75, minor:0.5, info:0.25 }
+ * effective_count = count > 1 ? 1 + log2(count) : 1 (diminishing returns)
+ */
+
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+import { XMLParser } from 'fast-xml-parser';
+
+// ── Rule / config interfaces ──────────────────────────────────────────────────
+
+interface BPCheck {
+  [key: string]: unknown;
+  type: string;
+}
+
+interface BPRule {
+  id: string;
+  category: string;
+  name: string;
+  description: string;
+  appliesTo: string[];
+  severity: 'critical' | 'major' | 'minor' | 'info';
+  weight: number;
+  recommendation: string;
+  check: BPCheck;
+}
+
+interface BPRulesConfig {
+  schemaVersion: string;
+  rules: BPRule[];
+  scoring?: { defaultMaxScore: number };
+}
+
+// ── Public output interfaces ──────────────────────────────────────────────────
+
+export interface BPViolation {
+  rule_id: string;
+  name: string;
+  description: string;
+  category: string;
+  severity: 'critical' | 'major' | 'minor' | 'info';
+  weight: number;
+  message: string;
+  recommendation: string;
+  applies_to: string[];
+  count?: number;
+}
+
+export interface BPEngineResult {
+  quality_score: number;
+  violations: BPViolation[];
+  rules_evaluated: number;
+}
+
+export interface BPMetadata {
+  testName?: string;
+  filePath?: string;
+}
+
+// ── Rules loading (lazy, module-level singleton) ──────────────────────────────
+
+const dirPath = dirname(fileURLToPath(import.meta.url));
+let rulesConfig: BPRulesConfig | null = null;
+
+function getRulesConfig(): BPRulesConfig {
+  if (!rulesConfig) {
+    try {
+      const raw = readFileSync(
+        join(dirPath, '..', 'rules', 'provar_best_practices_rules.json'),
+        'utf-8'
+      );
+      rulesConfig = JSON.parse(raw) as BPRulesConfig;
+    } catch {
+      rulesConfig = { schemaVersion: '1.0', rules: [], scoring: { defaultMaxScore: 100 } };
+    }
+  }
+  return rulesConfig;
+}
+
+// ── Valid Provar API IDs (extracted from provar_test_step_schema.json) ────────
+
+const VALID_API_IDS = new Set<string>([
+  // Bundled — assertions & control flow
+  'com.provar.plugins.bundled.apis.AssertValues',
+  'com.provar.plugins.bundled.apis.If',
+  'com.provar.plugins.bundled.apis.Switch',
+  'com.provar.plugins.bundled.apis.SwitchCase',
+  'com.provar.plugins.bundled.apis.control.Break',
+  'com.provar.plugins.bundled.apis.control.Fail',
+  'com.provar.plugins.bundled.apis.control.Finally',
+  'com.provar.plugins.bundled.apis.control.ForEach',
+  'com.provar.plugins.bundled.apis.control.StepGroup',
+  'com.provar.plugins.bundled.apis.control.SetValues',
+  'com.provar.plugins.bundled.apis.control.Sleep',
+  'com.provar.plugins.bundled.apis.control.WaitFor',
+  'com.provar.plugins.bundled.apis.control.DoWhile',
+  'com.provar.plugins.bundled.apis.control.ActualResult',
+  'com.provar.plugins.bundled.apis.control.DesignStep',
+  'com.provar.plugins.bundled.apis.control.CallTest',
+  'com.provar.plugins.bundled.apis.control.TryCatchFinally',
+  // Bundled — database
+  'com.provar.plugins.bundled.apis.db.DbConnect',
+  'com.provar.plugins.bundled.apis.db.DbDelete',
+  'com.provar.plugins.bundled.apis.db.DbInsert',
+  'com.provar.plugins.bundled.apis.db.DbRead',
+  'com.provar.plugins.bundled.apis.db.DbUpdate',
+  'com.provar.plugins.bundled.apis.db.SqlQuery',
+  // Bundled — REST / SOAP
+  'com.provar.plugins.bundled.apis.restservice.WebConnect',
+  'com.provar.plugins.bundled.apis.restservice.RestRequest',
+  'com.provar.plugins.bundled.apis.restservice.SoapRequest',
+  // Bundled — messaging
+  'com.provar.plugins.bundled.apis.messaging.PublishMessage',
+  'com.provar.plugins.bundled.apis.messaging.ReceiveMessage',
+  'com.provar.plugins.bundled.apis.messaging.SendMessage',
+  'com.provar.plugins.bundled.apis.messaging.Subscribe',
+  // Bundled — BDD
+  'com.provar.plugins.bundled.apis.bdd.Given',
+  'com.provar.plugins.bundled.apis.bdd.When',
+  'com.provar.plugins.bundled.apis.bdd.Then',
+  'com.provar.plugins.bundled.apis.bdd.And',
+  'com.provar.plugins.bundled.apis.bdd.But',
+  // Bundled — I/O, strings, lists
+  'com.provar.plugins.bundled.apis.io.Read',
+  'com.provar.plugins.bundled.apis.io.Write',
+  'com.provar.plugins.bundled.apis.string.Replace',
+  'com.provar.plugins.bundled.apis.string.Split',
+  'com.provar.plugins.bundled.apis.string.Match',
+  'com.provar.plugins.bundled.apis.list.ListCompare',
+  // Provar Labs
+  'com.provar.plugins.bundled.apis.provarlabs.PageObjectCleaner',
+  // Forcedotcom — AI / agent
+  'com.provar.plugins.forcedotcom.core.testapis.ai.AIAgentSession',
+  'com.provar.plugins.forcedotcom.core.testapis.ai.AIAgentConversation',
+  'com.provar.plugins.forcedotcom.core.testapis.ai.GenerateUtterance',
+  'com.provar.plugins.forcedotcom.core.testapis.ai.IntentValidator',
+  'com.provar.plugins.forcedotcom.core.testapis.ai.ImageValidator',
+  'com.provar.plugins.forcedotcom.core.testapis.generate.GenerateTestData',
+  'com.provar.plugins.forcedotcom.core.testapis.GenerateTestCase',
+  // Forcedotcom — Apex / API
+  'com.provar.plugins.forcedotcom.core.testapis.ApexConnect',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexCreateObject',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexReadObject',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexUpdateObject',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexDeleteObject',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexSoqlQuery',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexSoqlBuilder',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexExecute',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexBulk',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexApproveWorkItem',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexSubmitForApproval',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexConvertLead',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexExtractLayout',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexAssertLayout',
+  'com.provar.plugins.forcedotcom.core.testapis.ApexLogForCleanup',
+  // Forcedotcom — UI
+  'com.provar.plugins.forcedotcom.core.ui.UiConnect',
+  'com.provar.plugins.forcedotcom.core.ui.UiWithScreen',
+  'com.provar.plugins.forcedotcom.core.ui.UiDoAction',
+  'com.provar.plugins.forcedotcom.core.ui.UiAssert',
+  'com.provar.plugins.forcedotcom.core.ui.UiNavigate',
+  'com.provar.plugins.forcedotcom.core.ui.UiFill',
+  'com.provar.plugins.forcedotcom.core.ui.UiWithRow',
+  'com.provar.plugins.forcedotcom.core.ui.UiHandleAlert',
+]);
+
+// ── XML tree types & helpers ──────────────────────────────────────────────────
+
+type XmlNode = Record<string, unknown>;
+
+/** Normalise a possibly-singular value to an array. */
+function toArr<T>(v: T | T[] | undefined | null): T[] {
+  if (v == null) return [];
+  return Array.isArray(v) ? v : [v];
+}
+
+/**
+ * Recursively collect every <apiCall> element in the parsed tree.
+ * Works for flat and deeply nested structures (StepGroup, BDD, TryCatch…).
+ */
+function getAllApiCalls(node: XmlNode): XmlNode[] {
+  const results: XmlNode[] = [];
+
+  function collect(obj: unknown): void {
+    if (!obj || typeof obj !== 'object') return;
+    if (Array.isArray(obj)) {
+      for (const item of obj) collect(item);
+      return;
+    }
+    const n = obj as XmlNode;
+    for (const [key, val] of Object.entries(n)) {
+      if (key === 'apiCall') {
+        for (const call of toArr(val as XmlNode | XmlNode[])) {
+          if (call && typeof call === 'object') results.push(call);
+        }
+      }
+      if (val && typeof val === 'object') collect(val);
+    }
+  }
+
+  collect(node);
+  return results;
+}
+
+/** Return the DIRECT <apiCall> children of <steps> (not nested). */
+function getDirectSteps(tc: XmlNode): XmlNode[] {
+  const steps = tc['steps'] as XmlNode | undefined;
+  if (!steps || typeof steps !== 'object') return [];
+  return toArr(steps['apiCall'] as XmlNode | XmlNode[]).filter(
+    (c) => c && typeof c === 'object'
+  );
+}
+
+/**
+ * Get the text value for a named argument from an apiCall.
+ * Handles simple (class="value"), variable (class="variable"), and compound values.
+ */
+function getArgValue(call: XmlNode, argId: string): string | undefined {
+  for (const arg of toArr(call['argument'] as XmlNode | XmlNode[])) {
+    if (!arg || typeof arg !== 'object') continue;
+    const a = arg;
+    if (a['@_id'] !== argId) continue;
+    const valElem = a['value'] as XmlNode | undefined;
+    if (!valElem || typeof valElem !== 'object') continue;
+    const vClass = valElem['@_class'] as string | undefined;
+    if (vClass === 'variable') {
+      const firstPath = toArr(valElem['path'] as XmlNode | XmlNode[])[0] as XmlNode | undefined;
+      return firstPath?.['@_element'] as string | undefined;
+    }
+    if (vClass === 'compound') {
+      const partsNode = (valElem['parts'] as XmlNode | undefined)?.['value'];
+      const texts = toArr(partsNode as XmlNode | XmlNode[])
+        .filter((p) => p && typeof p === 'object')
+        .map((p) => (p)['#text'] as string | undefined)
+        .filter(Boolean) as string[];
+      return texts.join('') || undefined;
+    }
+    return (valElem['#text'] as string | undefined) ?? undefined;
+  }
+  return undefined;
+}
+
+/** Return all <argument> elements from an apiCall. */
+function getArguments(call: XmlNode): XmlNode[] {
+  return toArr(call['argument'] as XmlNode | XmlNode[]).filter(
+    (a) => a && typeof a === 'object'
+  );
+}
+
+/** Return true if the apiCall has a <tags><string>disabled</string></tags>. */
+function isDisabledCall(call: XmlNode): boolean {
+  const tags = call['tags'] as XmlNode | undefined;
+  if (!tags || typeof tags !== 'object') return false;
+  const strings = toArr(tags['string'] as string | string[]);
+  return strings.some((s) => typeof s === 'string' && s.trim().toLowerCase() === 'disabled');
+}
+
+// ── Scoring formula (exact Lambda match) ─────────────────────────────────────
+
+const SEVERITY_MULT: Record<string, number> = {
+  critical: 1.0, major: 0.75, minor: 0.5, info: 0.25,
+};
+
+export function calculateBPScore(violations: BPViolation[]): number {
+  let total = 0;
+  for (const v of violations) {
+    const mult = SEVERITY_MULT[v.severity] ?? 0.5;
+    const rawCount = v.count ?? 1;
+    const effectiveCount = rawCount > 1 ? 1 + Math.log2(rawCount) : 1;
+    total += v.weight * mult * effectiveCount;
+  }
+  return Math.max(0, Math.round((100 - total) * 100) / 100);
+}
+
+// ── Violation factory ─────────────────────────────────────────────────────────
+
+function makeViolation(rule: BPRule, message: string, count?: number): BPViolation {
+  const v: BPViolation = {
+    rule_id: rule.id,
+    name: rule.name,
+    description: rule.description,
+    category: rule.category,
+    severity: rule.severity,
+    weight: rule.weight,
+    message,
+    recommendation: rule.recommendation,
+    applies_to: rule.appliesTo ?? [],
+  };
+  if (count !== undefined && count > 1) v.count = count;
+  return v;
+}
+
+// ── Validator implementations ─────────────────────────────────────────────────
+
+/** API-UNKNOWN-001 — check all apiCall apiId values against the known-valid set. */
+function validateUnknownApiId(tc: XmlNode, rule: BPRule): BPViolation | null {
+  const calls = getAllApiCalls(tc);
+  const unknowns: Array<{ apiId: string; tid?: string }> = [];
+
+  for (const call of calls) {
+    const apiId = call['@_apiId'] as string | undefined;
+    if (!apiId) continue;
+    // Custom and third-party APIs are always allowed
+    if (apiId.startsWith('customapis.') || apiId.includes('.customapis.')) continue;
+    if (!VALID_API_IDS.has(apiId)) {
+      unknowns.push({ apiId, tid: call['@_testItemId'] as string | undefined });
+    }
+  }
+
+  if (!unknowns.length) return null;
+
+  const MAX = 5;
+  const msgs = unknowns.slice(0, 3).map(
+    (v) => `'${v.apiId}'${v.tid ? ` (testItemId=${v.tid})` : ''}`
+  );
+  let message = `Unknown apiId(s) detected — these APIs do not exist in Provar: ${msgs.join('; ')}`;
+  if (unknowns.length > 3) message += ` (+${unknowns.length - 3} more)`;
+  return makeViolation(rule, message, Math.min(unknowns.length, MAX));
+}
+
+/** VALID-GUID-001 — test case must have at least one valid identifier. */
+function validateValidIdentifier(tc: XmlNode, rule: BPRule): BPViolation | null {
+  const guid = tc['@_guid'] as string | undefined;
+  const id   = tc['@_id']   as string | undefined;
+  const rid  = tc['@_registryId'] as string | undefined;
+  if (!guid && !id && !rid) {
+    return makeViolation(rule, 'Test case missing valid identifier (guid, id, or registryId)');
+  }
+  return null;
+}
+
+/** VALID-STEPS-001 / mustExist — element must exist (and not be empty). */
+function validateMustExist(tc: XmlNode, rule: BPRule): BPViolation | null {
+  const target = (rule.check['target'] as string | undefined) ?? '';
+  const elementName = target.split('.').pop() ?? target;
+  const elem = tc[elementName];
+  if (elem === undefined || elem === null) {
+    return makeViolation(rule, `${target} is missing`);
+  }
+  if (typeof elem === 'object' && !Array.isArray(elem)) {
+    const obj = elem as XmlNode;
+    const hasText = typeof obj['#text'] === 'string' && obj['#text'].trim().length > 0;
+    const hasChildren = Object.keys(obj).some((k) => !k.startsWith('@_') && k !== '#text');
+    if (!hasText && !hasChildren) {
+      return makeViolation(rule, `${target} exists but is empty`);
+    }
+  } else if (typeof elem === 'string' && !elem.trim()) {
+    return makeViolation(rule, `${target} exists but is empty`);
+  }
+  return null;
+}
+
+/** STRUCT-SUMMARY-001 / mustExistAndNotEmpty — same as mustExist. */
+const validateMustExistAndNotEmpty = validateMustExist;
+
+/** STEP-ITEMID-001 — all testItemId attributes must be positive integers. */
+function validateWholeNumberTestItemId(tc: XmlNode, rule: BPRule): BPViolation | null {
+  const calls = getAllApiCalls(tc);
+  const invalid: string[] = [];
+
+  for (const call of calls) {
+    const tid = call['@_testItemId'] as string | undefined;
+    if (!tid) continue;
+    const n = parseInt(tid, 10);
+    if (isNaN(n) || n <= 0 || String(n) !== tid.trim()) {
+      invalid.push(tid);
+    }
+  }
+
+  if (!invalid.length) return null;
+  return makeViolation(
+    rule,
+    `Invalid testItemId values: ${invalid.slice(0, 3).join(', ')}`,
+    invalid.length
+  );
+}
+
+/** VAR-NAMING-001 — variable names must match the identifier pattern. */
+function validateVariableNaming(tc: XmlNode, rule: BPRule): BPViolation | null {
+  const patternStr = (rule.check['pattern'] as string | undefined) ?? '^[A-Za-z_][A-Za-z0-9_]*$';
+  const re = new RegExp(patternStr);
+  const violations: string[] = [];
+
+  function checkName(name: string, label: string): void {
+    if (name && !re.test(name) && violations.length < 7) {
+      violations.push(`${label} '${name}'`);
+    }
+  }
+
+  const calls = getAllApiCalls(tc);
+  for (const call of calls) {
+    const apiId = call['@_apiId'] as string | undefined;
+
+    // Result name attributes on the apiCall element itself
+    for (const attr of ['@_resultName', '@_resultIdName', '@_sfUiTargetResultName']) {
+      const v = call[attr] as string | undefined;
+      if (v) checkName(v, attr.slice(2));
+    }
+
+    // SetValues variable names
+    if (apiId === 'com.provar.plugins.bundled.apis.control.SetValues') {
+      const nvContainer = call['namedValues'] as XmlNode | undefined;
+      if (nvContainer && typeof nvContainer === 'object') {
+        for (const nv of toArr(nvContainer['namedValue'] as XmlNode | XmlNode[])) {
+          if (!nv || typeof nv !== 'object') continue;
+          const name = (nv)['@_name'] as string | undefined;
+          if (name && !['valuePath', 'value', 'valueScope'].includes(name)) {
+            checkName(name, 'SetValues variable');
+          }
+        }
+      }
+    }
+  }
+
+  if (!violations.length) return null;
+  const shown = violations.slice(0, 3);
+  let msg = shown.join('; ');
+  if (violations.length > 3) msg += ` (+${violations.length - 3} more)`;
+  return makeViolation(rule, msg, violations.length);
+}
+
+/** STRUCT-GROUP-001 — direct steps should be wrapped in grouping elements. */
+function validateMustAllBeInGroups(tc: XmlNode, rule: BPRule): BPViolation | null {
+  const check = rule.check;
+  const acceptBdd     = (check['acceptBddSteps']      as boolean | undefined) ?? true;
+  const acceptFinally = (check['acceptFinallyBlocks'] as boolean | undefined) ?? true;
+
+  const GROUPING_IDS = new Set<string>(['com.provar.plugins.bundled.apis.control.StepGroup']);
+  if (acceptBdd) {
+    for (const id of [
+      'com.provar.plugins.bundled.apis.bdd.Given',
+      'com.provar.plugins.bundled.apis.bdd.When',
+      'com.provar.plugins.bundled.apis.bdd.Then',
+      'com.provar.plugins.bundled.apis.bdd.And',
+      'com.provar.plugins.bundled.apis.bdd.But',
+    ]) GROUPING_IDS.add(id);
+  }
+  if (acceptFinally) GROUPING_IDS.add('com.provar.plugins.bundled.apis.control.Finally');
+
+  const directSteps = getDirectSteps(tc);
+  if (directSteps.length < 5) return null; // exemption: tiny tests
+
+  let apiCallCount = 0;
+  const ungrouped: string[] = [];
+
+  for (const step of directSteps) {
+    const apiId = (step['@_apiId'] as string | undefined) ?? '';
+    if (/\.apex[a-z]|\.soql[a-z]|\.rest[a-z]|\.db[A-Z]|\.web[A-Z]/i.test(apiId)) apiCallCount++;
+    if (!GROUPING_IDS.has(apiId)) {
+      const title =
+        (step['@_title'] as string | undefined) ??
+        (step['@_name']  as string | undefined) ??
+        apiId.split('.').pop() ?? '';
+      ungrouped.push(title.substring(0, 30));
+    }
+  }
+
+  // Exemption: API-heavy tests (≥80% are API calls)
+  if (directSteps.length > 0 && apiCallCount / directSteps.length >= 0.8) return null;
+
+  if (ungrouped.length > 3) {
+    return makeViolation(
+      rule,
+      `${ungrouped.length} steps not in groups: ${ungrouped.slice(0, 3).join(', ')}...`
+    );
+  }
+  return null;
+}
+
+/** STEP-DISABLED-001 — flag any apiCall tagged as disabled. */
+function validateDisabledStep(tc: XmlNode, rule: BPRule): BPViolation | null {
+  for (const call of getAllApiCalls(tc)) {
+    if (!isDisabledCall(call)) continue;
+    const tid    = call['@_testItemId'] as string | undefined;
+    const apiId  = (call['@_apiId']    as string | undefined) ?? 'unknown';
+    const name   =
+      (call['@_name']  as string | undefined) ??
+      (call['@_title'] as string | undefined) ??
+      apiId.split('.').pop() ?? 'unnamed';
+    return makeViolation(
+      rule,
+      `Disabled step found: "${name}"${tid ? ` (testItemId=${tid})` : ''}`
+    );
+  }
+  return null;
+}
+
+// Arguments that should NOT be checked for duplicate literals
+const LITERAL_EXCLUDE_ARGS = new Set([
+  'uiConnectionName', 'apexConnectionName', 'resultScope', 'resultName',
+  'sfUiTargetResultScope', 'sfUiTargetResultName', 'objectType', 'connectionId',
+  'connectionName', 'comparisonType', 'assertionType', 'httpMethod', 'controlType',
+  'loopType', 'navigate', 'windowSelection', 'windowSize', 'alreadyOpenBehaviour',
+  'captureBefore', 'captureAfter', 'interactionDescription', 'targetDescription', 'title',
+]);
+const METADATA_FIELDS = new Set([
+  'status', 'stage', 'recordtype', 'recordtypeid', 'type', 'subtype', 'category',
+  'priority', 'source', 'origin', 'reason', 'result', 'state', 'severity',
+  'casestatus', 'leadstatus', 'opportunitystage', 'accounttype', 'industry',
+]);
+const DEFAULT_LITERAL_VALUES = new Set([
+  '0', '1', '0.0', '1.0', '', 'N/A', 'n/a', 'NA', 'None', 'Default', 'default',
+  'Test', 'Global', 'Local', 'Folder', 'GroupStep',
+]);
+
+/** DDT-VAR-001 — detect hardcoded literal values repeated ≥2 times. */
+// eslint-disable-next-line complexity
+function validateDetectDuplicatesLiterals(tc: XmlNode, rule: BPRule): BPViolation | null {
+  const literals: string[] = [];
+
+  for (const call of getAllApiCalls(tc)) {
+    for (const arg of getArguments(call)) {
+      const argId = (arg['@_id'] as string | undefined) ?? '';
+      if (LITERAL_EXCLUDE_ARGS.has(argId)) continue;
+      if (METADATA_FIELDS.has(argId.toLowerCase())) continue;
+
+      const valElem = arg['value'] as XmlNode | undefined;
+      if (!valElem || typeof valElem !== 'object') continue;
+      if ((valElem['@_class'] as string | undefined) !== 'value') continue; // skip variables/compounds
+
+      const text = ((valElem['#text'] as string | undefined) ?? '').trim();
+      if (!text || text.length <= 3) continue;
+      if (DEFAULT_LITERAL_VALUES.has(text)) continue;
+      if (text.toLowerCase() === 'true' || text.toLowerCase() === 'false') continue;
+      if (text.startsWith('{') && text.endsWith('}')) continue; // inline variable ref
+
+      literals.push(text);
+    }
+  }
+
+  const counts = new Map<string, number>();
+  for (const lit of literals) counts.set(lit, (counts.get(lit) ?? 0) + 1);
+
+  const dups = [...counts.entries()].filter(([, c]) => c >= 2);
+  if (!dups.length) return null;
+
+  const MAX = 3;
+  const examples = dups.slice(0, MAX).map(([v, c]) => `'${v}' (×${c})`);
+  const msg =
+    dups.length > MAX
+      ? `Found ${dups.length} hardcoded values used multiple times (showing ${MAX}): ${examples.join(', ')}`
+      : `Found ${dups.length} hardcoded value(s) used multiple times: ${examples.join(', ')}`;
+  return makeViolation(rule, msg, Math.min(dups.length, MAX));
+}
+
+/** NC-FOLDER-001 / NC-PARAM-001 — regex check on target value. */
+function validateRegex(tc: XmlNode, rule: BPRule, metadata: BPMetadata): BPViolation | null {
+  const check   = rule.check;
+  const target  = (check['target']  as string | undefined) ?? '';
+  const pattern = (check['pattern'] as string | undefined) ?? '';
+  if (!pattern) return null;
+
+  const targetType = target.split('.')[0];
+  let value: string | undefined;
+
+  if (targetType === 'testCase') {
+    value = metadata.testName;
+  }
+  // folder.name requires filesystem paths — not available in MCP context, skip silently
+  // parameter.name — check first argument ID found
+  else if (targetType === 'parameter') {
+    outer: for (const call of getAllApiCalls(tc)) {
+      for (const arg of getArguments(call)) {
+        const argId = arg['@_id'] as string | undefined;
+        if (argId) { value = argId; break outer; }
+      }
+    }
+  }
+
+  if (!value) return null;
+
+  try {
+    if (!new RegExp(pattern).test(value)) {
+      return makeViolation(rule, `${target} '${value}' does not match expected naming pattern`);
+    }
+  } catch {
+    // invalid regex in rules — silently skip
+  }
+  return null;
+}
+
+// Steps that WRITE to resultName (not just read)
+const RESULT_WRITE_STEPS = new Set([
+  'ApexConnect', 'UiConnect', 'DbConnect', 'WebConnect',
+  'ApexCreateObject', 'ApexUpdateObject', 'ApexReadObject',
+  'ApexSoqlQuery', 'ApexSoqlBuilder',
+  'RestRequest', 'SoapRequest',
+  'SqlQuery', 'DbInsert', 'DbRead', 'DbUpdate',
+  'UiWithScreen', 'UiWithRow',
+]);
+// Patterns to exclude from result-name tracking
+const RESULT_EXCLUDE_PATTERNS = [
+  'StepGroup', 'control.If', 'control.While', 'control.ForEach',
+  'control.Try', 'control.Finally', 'control.SetValues',
+];
+
+/** APEX-RESULTNAME-001 — detect duplicate resultNames within the same scope. */
+function validateUniqueResultNames(tc: XmlNode, rule: BPRule): BPViolation | null {
+  // scope → resultName → list of step types that wrote it
+  const byScope = new Map<string, Map<string, string[]>>();
+
+  for (const call of getAllApiCalls(tc)) {
+    if (isDisabledCall(call)) continue;
+    const apiId = (call['@_apiId'] as string | undefined) ?? '';
+    if (RESULT_EXCLUDE_PATTERNS.some((p) => apiId.includes(p))) continue;
+
+    const resultName = (getArgValue(call, 'resultName') ?? '').trim();
+    if (!resultName) continue;
+
+    const scope = (getArgValue(call, 'resultScope') ?? 'Test').trim() || 'Test';
+
+    const stepType = apiId.split('.').pop() ?? 'Unknown';
+    if (!RESULT_WRITE_STEPS.has(stepType)) continue;
+
+    if (!byScope.has(scope)) byScope.set(scope, new Map());
+    const names = byScope.get(scope)!;
+    if (!names.has(resultName)) names.set(resultName, []);
+    names.get(resultName)!.push(stepType);
+  }
+
+  const violations: string[] = [];
+  for (const [scope, names] of byScope) {
+    for (const [name, steps] of names) {
+      if (steps.length > 1) {
+        violations.push(
+          `'${name}' in ${scope} scope: written ${steps.length} times (${steps.slice(0, 2).join(', ')})`
+        );
+      }
+    }
+  }
+
+  if (!violations.length) return null;
+
+  const MAX = 3;
+  let msg = violations.slice(0, 2).join('; ');
+  if (violations.length > 2) msg += ` (and ${violations.length - 2} more)`;
+  return makeViolation(rule, msg, Math.min(violations.length, MAX));
+}
+
+// ── Validator dispatch map ────────────────────────────────────────────────────
+
+type ValidatorFn = (tc: XmlNode, rule: BPRule) => BPViolation | null;
+
+const VALIDATOR_REGISTRY: Record<string, ValidatorFn> = {
+  unknownApiId:            validateUnknownApiId,
+  validIdentifier:         validateValidIdentifier,
+  mustExist:               validateMustExist,
+  mustExistAndNotEmpty:    validateMustExistAndNotEmpty,
+  wholeNumberTestItemId:   validateWholeNumberTestItemId,
+  variableNaming:          validateVariableNaming,
+  mustAllBeInGroups:       validateMustAllBeInGroups,
+  disabledStep:            validateDisabledStep,
+  detectDuplicatesLiterals: validateDetectDuplicatesLiterals,
+  uniqueResultNames:       validateUniqueResultNames,
+  // 'regex' is dispatched separately (needs metadata)
+};
+
+// ── XML parser (shared settings) ─────────────────────────────────────────────
+
+const XML_PARSER = new XMLParser({
+  ignoreAttributes: false,
+  attributeNamePrefix: '@_',
+  parseAttributeValue: false,
+});
+
+// ── Main entry point ──────────────────────────────────────────────────────────
+
+/**
+ * Run all active best-practice rules against a single test case XML string.
+ *
+ * @param xmlContent  Raw XML of the test case file.
+ * @param metadata    Optional context (testName used for regex rules).
+ * @returns           Quality score (0–100) + list of violations.
+ */
+export function runBestPractices(
+  xmlContent: string,
+  metadata: BPMetadata = {}
+): BPEngineResult {
+  let parsed: XmlNode;
+  try {
+    parsed = XML_PARSER.parse(xmlContent) as XmlNode;
+  } catch {
+    return { quality_score: 0, violations: [], rules_evaluated: 0 };
+  }
+
+  const tc = parsed['testCase'] as XmlNode | undefined;
+  if (!tc || typeof tc !== 'object') {
+    return { quality_score: 0, violations: [], rules_evaluated: 0 };
+  }
+
+  const config = getRulesConfig();
+  const violations: BPViolation[] = [];
+  let rulesEvaluated = 0;
+
+  for (const rule of config.rules) {
+    const checkType = rule.check?.type;
+    if (!checkType) continue;
+
+    // Schema-compliance rules are handled by testCaseValidate.ts — skip here
+    if (checkType === 'disabled') continue;
+
+    // Weight-0 rules are purely informational — skip from scoring
+    if (rule.weight === 0) continue;
+
+    let violation: BPViolation | null;
+
+    if (checkType === 'regex') {
+      rulesEvaluated++;
+      violation = validateRegex(tc, rule, metadata);
+    } else {
+      const fn = VALIDATOR_REGISTRY[checkType];
+      if (!fn) continue; // unimplemented validator → silently pass
+      rulesEvaluated++;
+      violation = fn(tc, rule);
+    }
+
+    if (violation) violations.push(violation);
+  }
+
+  const quality_score = calculateBPScore(violations);
+  return { quality_score, violations, rules_evaluated: rulesEvaluated };
+}
diff --git a/src/mcp/tools/defectTools.ts b/src/mcp/tools/defectTools.ts
new file mode 100644
index 00000000..9dc9685a
--- /dev/null
+++ b/src/mcp/tools/defectTools.ts
@@ -0,0 +1,318 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+import { runSfCommand, soqlEscape } from './sfSpawn.js';
+
+// ── Types ──────────────────────────────────────────────────────────────────────
+
+interface SfRecord {
+  [key: string]: unknown;
+  Id: string;
+}
+
+interface SfQueryResponse {
+  status: number;
+  result: { totalSize: number; records: SfRecord[] };
+}
+
+interface SfCreateResponse {
+  status: number;
+  result: { id: string; success: boolean; errors: unknown[] };
+}
+
+interface FailureContext {
+  executionId: string;
+  testCaseId: string;
+  tester: string;
+  stepExecutionId: string;
+  stepId: string;
+  stepAction: string;
+  stepResult: string;
+  stepSeq: number;
+  browser: string;
+  browserVersion: string;
+  environment: string;
+}
+
+// ── SF CLI helpers ─────────────────────────────────────────────────────────────
+
+function runSfArgs(args: string[]): { stdout: string; stderr: string; exitCode: number } {
+  const { stdout, stderr, exitCode } = runSfCommand(args);
+  return { stdout, stderr, exitCode };
+}
+
+function formatSfCommandError(action: string, exitCode: number, stderr: string, stdout: string): string {
+  const details = [stderr?.trim(), stdout?.trim()].filter(Boolean).join('\n');
+  return details
+    ? `${action} failed with exit code ${exitCode}: ${details}`
+    : `${action} failed with exit code ${exitCode}`;
+}
+
+function runQuery(soql: string, targetOrg: string): SfQueryResponse {
+  const { stdout, stderr, exitCode } = runSfArgs([
+    'data', 'query',
+    '--query', soql,
+    '--target-org', targetOrg,
+    '--json',
+  ]);
+  if (exitCode !== 0) {
+    throw new Error(formatSfCommandError('Salesforce query', exitCode, stderr, stdout));
+  }
+  return JSON.parse(stdout) as SfQueryResponse;
+}
+
+function createRecord(sobject: string, values: string, targetOrg: string): string {
+  const { stdout, stderr, exitCode } = runSfArgs([
+    'data', 'create', 'record',
+    '--sobject', sobject,
+    '--values', values,
+    '--target-org', targetOrg,
+    '--json',
+  ]);
+  if (exitCode !== 0) {
+    throw new Error(formatSfCommandError(`Failed to create ${sobject}`, exitCode, stderr, stdout));
+  }
+  const parsed = JSON.parse(stdout) as SfCreateResponse;
+  if (!parsed.result?.success) {
+    throw new Error(formatSfCommandError(`Failed to create ${sobject}`, exitCode, stderr, stdout));
+  }
+  return parsed.result.id;
+}
+
+/** Strip characters unsafe for sf --values double-quoted strings and truncate. */
+function safeText(value: unknown, maxLen = 200): string {
+  if (value === null || value === undefined) return '';
+  return String(value)
+    .replace(/"/g, "'")
+    .replace(/\n|\r/g, ' ')
+    .substring(0, maxLen);
+}
+
+// ── Core defect creation logic (exported for auto-defects use) ─────────────────
+
+export interface DefectCreateResult {
+  defectId: string;
+  tcDefectId: string;
+  execDefectId: string;
+  executionId: string;
+  testCaseId: string;
+}
+
+export function createDefectsForRun(
+  runId: string,
+  targetOrg: string,
+  failedTestFilter?: string[]
+): { created: DefectCreateResult[]; skipped: number; message: string } {
+  // Step 1: resolve job record ID from tracking ID
+  const jobQuery = runQuery(
+    `SELECT Id FROM provar__Test_Plan_Schedule_Job__c WHERE provar__Tracking_Id__c = '${soqlEscape(runId)}'`,
+    targetOrg
+  );
+  if (jobQuery.result.totalSize === 0) {
+    throw new Error(`No Test_Plan_Schedule_Job__c found with Tracking_Id__c = '${runId}'`);
+  }
+  const jobId = jobQuery.result.records[0].Id;
+
+  // Step 2: find Test_Cycle__c — carries browser + environment context
+  const cycleQuery = runQuery(
+    `SELECT Id, provar__Web_Browser__c, provar__Browser_Version__c, provar__Environment_Text__c
+     FROM provar__Test_Cycle__c
+     WHERE provar__Test_Plan_Schedule_Job__c = '${soqlEscape(jobId)}'
+     LIMIT 1`,
+    targetOrg
+  );
+  const cycle = cycleQuery.result.records[0] ?? {};
+  const browser = safeText(cycle['provar__Web_Browser__c'], 100);
+  const browserVersion = safeText(cycle['provar__Browser_Version__c'], 100);
+  const environmentText = safeText(cycle['provar__Environment_Text__c'], 255);
+  const cycleId = String(cycle['Id'] ?? '');
+
+  if (!cycleId) {
+    throw new Error(`No Test_Cycle__c found for job ${jobId}`);
+  }
+
+  // Step 3: find failed Test_Execution__c records
+  const execQuery = runQuery(
+    `SELECT Id, provar__Test_Case__c, provar__Tester__c
+     FROM provar__Test_Execution__c
+     WHERE provar__Test_Cycle__c = '${soqlEscape(cycleId)}'
+     AND provar__Status__c = 'Failed'`,
+    targetOrg
+  );
+
+  if (execQuery.result.totalSize === 0) {
+    return { created: [], skipped: 0, message: 'No failed test executions found for this run.' };
+  }
+
+  let executions = execQuery.result.records;
+
+  // Apply optional TC name filter (filter by ID prefix match — caller must resolve names to IDs first
+  // if needed; here we filter by TC record ID substring for flexibility)
+  if (failedTestFilter && failedTestFilter.length > 0) {
+    executions = executions.filter((e) =>
+      failedTestFilter.some((f) => String(e['provar__Test_Case__c']).includes(f) || f.includes(String(e['provar__Test_Case__c'])))
+    );
+  }
+
+  const created: DefectCreateResult[] = [];
+
+  for (const exec of executions) {
+    const executionId = exec.Id;
+    const testCaseId = String(exec['provar__Test_Case__c'] ?? '');
+    const tester = safeText(exec['provar__Tester__c'], 100);
+
+    // Step 4: first failed step in this execution
+    const stepQuery = runQuery(
+      `SELECT Id, provar__ActionObs__c, provar__Actual_Result__c, provar__Sequence_No__c, provar__Test_Step__c
+       FROM provar__Test_Step_Execution__c
+       WHERE provar__Test_Execution__c = '${soqlEscape(executionId)}'
+       AND provar__Result__c = 'Fail'
+       ORDER BY provar__Sequence_No__c ASC
+       LIMIT 1`,
+      targetOrg
+    );
+
+    const step = stepQuery.result.records[0] ?? {};
+    const stepExecutionId = step['Id'] ?? '';
+    const stepId = String(step['provar__Test_Step__c'] ?? '');
+    const stepAction = safeText(step['provar__ActionObs__c'], 200);
+    const stepResult = safeText(step['provar__Actual_Result__c'], 200);
+    const stepSeq = Number(step['provar__Sequence_No__c'] ?? 0);
+
+    const ctx: FailureContext = {
+      executionId,
+      testCaseId,
+      tester,
+      stepExecutionId: String(stepExecutionId),
+      stepId,
+      stepAction,
+      stepResult,
+      stepSeq,
+      browser,
+      browserVersion,
+      environment: environmentText,
+    };
+
+    // Step 5a: create Defect__c
+    const descLines = [
+      `Failure: ${ctx.stepResult || 'See test execution for details'}`,
+      `Step ${ctx.stepSeq}: ${ctx.stepAction}`,
+      `Browser: ${ctx.browser} ${ctx.browserVersion}`.trim(),
+      `Environment: ${ctx.environment}`,
+      `Tester: ${ctx.tester}`,
+      `Test Execution ID: ${ctx.executionId}`,
+      `Run ID: ${runId}`,
+    ]
+      .filter((l) => l.split(': ')[1]?.trim())
+      .join(' | ');
+
+    const defectValues =
+      `Name="TC Failure: ${safeText(testCaseId, 100)}" ` +
+      `provar__Description__c="${safeText(descLines, 2000)}" ` +
+      'provar__Status__c="Open"';
+
+    const defectId = createRecord('provar__Defect__c', defectValues, targetOrg);
+
+    // Step 5b: link TC → Defect
+    const tcDefectValues =
+      `provar__Defect__c="${defectId}" ` +
+      `provar__Test_Case__c="${testCaseId}"` +
+      (stepId ? ` provar__Test_Step__c="${stepId}"` : '');
+
+    const tcDefectId = createRecord('provar__Test_Case_Defect__c', tcDefectValues, targetOrg);
+
+    // Step 5c: link Execution → Defect (with step execution if available)
+    const execDefectValues =
+      `provar__Defect__c="${defectId}" ` +
+      `provar__Test_Execution__c="${executionId}"` +
+      (stepExecutionId ? ` provar__Test_Step_Execution__c="${stepExecutionId}"` : '');
+
+    const execDefectId = createRecord(
+      'provar__Test_Execution_Defect__c',
+      execDefectValues,
+      targetOrg
+    );
+
+    log('info', 'defect created', { defectId, tcDefectId, execDefectId, executionId });
+
+    created.push({ defectId, tcDefectId, execDefectId, executionId, testCaseId });
+  }
+
+  const syncNote =
+    'If Jira or ADO sync is enabled in your Quality Hub org, these defects will sync automatically.';
+  return {
+    created,
+    skipped: execQuery.result.totalSize - created.length,
+    message: `Created ${created.length} defect(s) for run ${runId}. ${syncNote}`,
+  };
+}
+
+// ── Tool registration ──────────────────────────────────────────────────────────
+
+export function registerQualityHubDefectCreate(server: McpServer): void {
+  server.tool(
+    'provar.qualityhub.defect.create',
+    [
+      'Create Defect__c records in Quality Hub for failed test executions in a given run.',
+      'Queries the run by Tracking_Id__c, finds failed Test_Execution__c records, creates a',
+      'Defect__c per failure (with description, step, browser, environment, tester), and links',
+      'it via Test_Case_Defect__c and Test_Execution_Defect__c junction records.',
+      'If Jira or ADO sync is configured in Quality Hub, defects sync to those systems automatically.',
+    ].join(' '),
+    {
+      run_id: z
+        .string()
+        .describe('Test run Tracking_Id__c value returned by provar.qualityhub.testrun'),
+      target_org: z.string().describe('SF org alias or username for the Quality Hub org'),
+      failed_tests: z
+        .array(z.string())
+        .optional()
+        .describe(
+          'Optional filter — list of Test_Case__c record ID substrings to restrict defect creation to specific failures'
+        ),
+    },
+    ({ run_id, target_org, failed_tests }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.qualityhub.defect.create', { requestId, run_id, target_org });
+
+      try {
+        const result = createDefectsForRun(run_id, target_org, failed_tests);
+        const response = { requestId, ...result };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err) {
+        const error = err as Error & { code?: string };
+        log('error', 'provar.qualityhub.defect.create failed', {
+          requestId,
+          error: error.message,
+        });
+        return {
+          isError: true as const,
+          content: [
+            {
+              type: 'text' as const,
+              text: JSON.stringify(
+                makeError(error.code ?? 'DEFECT_CREATE_FAILED', error.message, requestId, false)
+              ),
+            },
+          ],
+        };
+      }
+    }
+  );
+}
+
+export function registerAllDefectTools(server: McpServer): void {
+  registerQualityHubDefectCreate(server);
+}
diff --git a/src/mcp/tools/hierarchyValidate.ts b/src/mcp/tools/hierarchyValidate.ts
new file mode 100644
index 00000000..80b051f7
--- /dev/null
+++ b/src/mcp/tools/hierarchyValidate.ts
@@ -0,0 +1,785 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import path from 'node:path';
+import { XMLParser } from 'fast-xml-parser';
+import type { ValidationIssue } from '../schemas/common.js';
+import { validateTestCase } from './testCaseValidate.js';
+import type { BPViolation } from './bestPracticesEngine.js';
+
+// ── Input types ──────────────────────────────────────────────────────────────
+
+export interface TestCaseInput {
+  name: string;
+  /** XML content of the test case. The field `xml` (API standard) is accepted as an alias. */
+  xml_content?: string;
+  /** API-compatible alias for xml_content (Quality Hub batch validation API uses this field name). */
+  xml?: string;
+}
+
+export interface TestSuiteInput {
+  name: string;
+  test_cases?: TestCaseInput[];
+  test_suites?: TestSuiteInput[];
+  test_case_count?: number;
+}
+
+export interface PlanMetadata {
+  objectives?: string;
+  in_scope?: string;
+  testing_methodology?: string;
+  acceptance_criteria?: string;
+  acceptable_pass_rate?: number;
+  environments?: string[];
+  test_data_strategy?: string;
+  risks?: string;
+}
+
+export interface TestPlanInput {
+  name: string;
+  test_suites?: TestSuiteInput[];
+  test_cases?: TestCaseInput[];
+  test_suite_count?: number;
+  metadata?: PlanMetadata;
+}
+
+export interface ProjectContext {
+  connection_names?: string[];
+  environments?: string[];
+  secretsPasswordSet?: boolean;
+  /**
+   * Number of keys in the .secrets file whose values are NOT wrapped in ENC1().
+   * Populated by provar.project.inspect → secrets_validation.unencrypted_key_count.
+   * Any value > 0 triggers PROJ-ENC-001.
+   */
+  unencrypted_secret_count?: number;
+}
+
+export interface ProjectInput {
+  name: string;
+  test_plans?: TestPlanInput[];
+  test_suites?: TestSuiteInput[];
+  test_cases?: TestCaseInput[];
+  project_context?: ProjectContext;
+  /**
+   * Basenames (without extension) of every .testcase file found on disk, including
+   * callable tests (visibility="Internal") that have no plan instances.  Populated
+   * by validateProjectFromPath so that checkCaseCalls can resolve caseCall references
+   * against the full on-disk corpus rather than only plan-registered test cases.
+   */
+  all_disk_test_case_names?: string[];
+}
+
+// ── Result types ─────────────────────────────────────────────────────────────
+
+export interface HierarchyViolation {
+  rule_id: string;
+  name: string;
+  description: string;
+  category: string;
+  severity: 'critical' | 'major' | 'minor' | 'info';
+  weight: number;
+  message: string;
+  recommendation: string;
+  applies_to: string[];
+  affected_files?: string[];
+}
+
+export interface TestCaseResult {
+  name: string;
+  level: 'test_case';
+  status: 'valid' | 'invalid' | 'error';
+  quality_score: number;
+  validity_score: number;
+  is_valid: boolean;
+  error_count: number;
+  warning_count: number;
+  step_count: number;
+  issues: ValidationIssue[];
+  /** Best-practice violations from the BP engine (DESIGN-*, REUSE-*, STRUCT-*, etc.) */
+  best_practices_violations: BPViolation[];
+}
+
+export interface SuiteResult {
+  name: string;
+  level: 'suite';
+  quality_score: number;
+  violations: HierarchyViolation[];
+  test_cases: TestCaseResult[];
+  test_suites: SuiteResult[];
+}
+
+export interface PlanResult {
+  name: string;
+  level: 'plan';
+  quality_score: number;
+  violations: HierarchyViolation[];
+  test_suites: SuiteResult[];
+  test_cases: TestCaseResult[];
+}
+
+export interface ProjectResult {
+  name: string;
+  level: 'project';
+  quality_score: number;
+  violations: HierarchyViolation[];
+  test_plans: PlanResult[];
+  test_suites: SuiteResult[];
+  test_cases: TestCaseResult[];
+  project_context: ProjectContext;
+}
+
+export interface HierarchySummary {
+  total_test_cases: number;
+  test_cases_valid: number;
+  test_cases_invalid: number;
+  test_cases_error: number;
+  total_violations: number;
+  violations_by_severity: { critical: number; major: number; minor: number; info: number };
+  violations_by_level: { project: number; plan: number; suite: number; test_case: number };
+  quality_score_avg: number;
+  quality_score_min: number | null;
+  quality_score_max: number | null;
+}
+
+// ── Rule registry (ported from batch_validator/handler.py) ───────────────────
+
+const RULE_REGISTRY: Record<string, { name: string; description: string }> = {
+  'SUITE-EMPTY-001': { name: 'Empty Test Suite', description: 'A test suite must contain at least one test case or child suite.' },
+  'SUITE-DUP-001':   { name: 'Duplicate Test Case Name in Suite', description: 'Test case names within a suite must be unique.' },
+  'SUITE-DUP-002':   { name: 'Duplicate Child Suite Name', description: 'Child suite names within a parent suite must be unique.' },
+  'SUITE-SIZE-001':  { name: 'Oversized Test Suite', description: 'A test suite should contain no more than 75 test cases.' },
+  'SUITE-NAMING-001': { name: 'Inconsistent Child Suite Naming', description: 'All child suite names should follow a consistent naming convention.' },
+  'SUITE-NAMING-002': { name: 'Inconsistent Test Case Naming', description: 'All test case names within a suite should follow a consistent naming convention.' },
+  'PLAN-EMPTY-001':  { name: 'Empty Test Plan', description: 'A test plan must contain at least one test suite.' },
+  'PLAN-DUP-001':    { name: 'Duplicate Suite Name in Plan', description: 'Suite names within a test plan must be unique.' },
+  'PLAN-META-001':   { name: 'Missing Plan Objectives', description: 'Test plans should define clear testing objectives. This field is configured in the Provar Quality Hub app (not stored in local project files).' },
+  'PLAN-META-002':   { name: 'Missing In-Scope Definition', description: 'Test plans should specify which features are in scope. This field is configured in the Provar Quality Hub app (not stored in local project files).' },
+  'PLAN-META-003':   { name: 'Missing Testing Methodology', description: 'Test plans should document the testing methodology. This field is configured in the Provar Quality Hub app (not stored in local project files).' },
+  'PLAN-META-004':   { name: 'Missing Acceptance Criteria', description: 'Test plans should define acceptance criteria or an acceptable pass rate. This field is configured in the Provar Quality Hub app (not stored in local project files).' },
+  'PLAN-META-005':   { name: 'Missing Test Environments', description: 'Test plans should specify the target test environments. This field is configured in the Provar Quality Hub app (not stored in local project files).' },
+  'PLAN-META-006':   { name: 'Missing Test Data Strategy', description: 'Test plans should document how test data will be prepared and cleaned up. This field is configured in the Provar Quality Hub app (not stored in local project files).' },
+  'PLAN-META-007':   { name: 'Missing Risk Assessment', description: 'Test plans should identify potential risks and mitigations. This field is configured in the Provar Quality Hub app (not stored in local project files).' },
+  'PLAN-SIZE-001':   { name: 'Oversized Test Plan', description: 'A test plan should contain no more than 20 test suites.' },
+  'PLAN-NAMING-001': { name: 'Inconsistent Suite Naming in Plan', description: 'All suite names within a test plan should follow a consistent naming convention.' },
+  'PROJ-EMPTY-001':  { name: 'Empty Project', description: 'A project must contain at least one test plan.' },
+  'PROJ-DUP-001':    { name: 'Duplicate Test Case Name Across Project', description: 'Test case names must be unique across the entire project.' },
+  'PROJ-DUP-002':    { name: 'Duplicate Plan Name in Project', description: 'Test plan names within a project must be unique.' },
+  'PROJ-CALLABLE-001': { name: 'Unresolved caseCall Reference', description: 'All caseCall references must point to existing test cases in the project.' },
+  'PROJ-CALLABLE-002': { name: 'Missing Callable Test Case', description: 'All callable tests referenced by caseCall must exist in the project.' },
+  'PROJ-CONN-001':   { name: 'Undefined Connection Name', description: 'All connection names used in test cases must be defined in the project context.' },
+  'PROJ-ENV-001':    { name: 'Duplicate Environment Name', description: 'Environment names within a project must be unique.' },
+  'PROJ-ENV-002':    { name: 'Invalid Environment Name', description: 'Environment names must contain only letters, digits, and underscores.' },
+  'PROJ-SECRET-001': { name: 'Missing Secrets Password', description: 'A Provar Secrets Password must be configured to protect sensitive test data.' },
+  'PROJ-ENC-001':    { name: 'Unencrypted Credentials in .secrets', description: 'All values in the .secrets file must be wrapped in ENC1() encryption. Plaintext credentials are a critical security risk.' },
+};
+
+// ── Violation builder ─────────────────────────────────────────────────────────
+
+function makeViolation(
+  rule_id: string,
+  category: string,
+  severity: HierarchyViolation['severity'],
+  weight: number,
+  message: string,
+  recommendation: string,
+  applies_to: string[],
+  affected_files?: string[]
+): HierarchyViolation {
+  const entry = RULE_REGISTRY[rule_id] ?? { name: rule_id, description: '' };
+  const v: HierarchyViolation = {
+    rule_id,
+    name: entry.name,
+    description: entry.description,
+    category,
+    severity,
+    weight,
+    message,
+    recommendation,
+    applies_to,
+  };
+  if (affected_files?.length) v.affected_files = affected_files;
+  return v;
+}
+
+// ── Scoring helpers ───────────────────────────────────────────────────────────
+
+const SEVERITY_MULTIPLIER: Record<string, number> = {
+  critical: 1.0, major: 0.75, minor: 0.5, info: 0.25,
+};
+
+export function computeViolationDeduction(violations: HierarchyViolation[]): number {
+  let total = 0;
+  for (const v of violations) {
+    const mult = SEVERITY_MULTIPLIER[v.severity] ?? 0.5;
+    total += v.weight * mult;
+  }
+  return total;
+}
+
+function childAvg(scores: number[]): number {
+  return scores.length ? scores.reduce((a, b) => a + b, 0) / scores.length : 0;
+}
+
+// ── Naming consistency helpers ────────────────────────────────────────────────
+
+export function detectNamingStyle(nameStr: string): string {
+  const stem = nameStr.includes('.') ? path.basename(nameStr, path.extname(nameStr)) : nameStr;
+  if (!stem) return 'unknown';
+  if (stem.includes(' ')) return 'space separated';
+  if (stem.includes('-')) return 'kebab-case';
+  if (stem.includes('_')) return stem === stem.toUpperCase() ? 'UPPER_SNAKE' : 'snake_case';
+  if (/^[A-Z]/.test(stem) && /[a-z]/.test(stem)) return 'PascalCase';
+  if (/^[a-z]/.test(stem) && /[A-Z]/.test(stem)) return 'camelCase';
+  return 'unknown';
+}
+
+export function checkNamingConsistency(
+  names: string[],
+  contextLabel: string,
+  level: string,
+  ruleId: string
+): HierarchyViolation[] {
+  if (names.length < 2) return [];
+  const styles: Record<string, string[]> = {};
+  for (const n of names) {
+    const style = detectNamingStyle(n);
+    if (style !== 'unknown') {
+      (styles[style] ??= []).push(n);
+    }
+  }
+  if (Object.keys(styles).length <= 1) return [];
+
+  const styleSummary = Object.entries(styles)
+    .sort()
+    .map(([s, items]) => `${s} (${items.length})`)
+    .join(', ');
+  const examples = Object.entries(styles)
+    .sort()
+    .map(([s, items]) => `${s}: "${items[0]}"`)
+    .join(', ');
+
+  return [makeViolation(
+    ruleId, 'NamingConventions', 'info', 2,
+    `Inconsistent naming conventions in ${contextLabel}: ${styleSummary}`,
+    `Adopt a single naming convention across all items. Examples found: ${examples}`,
+    [level],
+  )];
+}
+
+// ── Test case validation (adapts existing validator to hierarchy result) ───────
+
+export function validateHierarchyTestCase(
+  tc: TestCaseInput,
+  qualityThreshold: number
+): TestCaseResult {
+  // Accept both `xml` (API standard) and `xml_content` (MCP original); prefer `xml`
+  const xmlSource = tc.xml ?? tc.xml_content ?? '';
+  try {
+    const r = validateTestCase(xmlSource, tc.name);
+    const status = !r.is_valid ? 'invalid' : r.quality_score < qualityThreshold ? 'invalid' : 'valid';
+    return {
+      name: tc.name,
+      level: 'test_case',
+      status,
+      quality_score: r.quality_score,
+      validity_score: r.validity_score,
+      is_valid: r.is_valid,
+      error_count: r.error_count,
+      warning_count: r.warning_count,
+      step_count: r.step_count,
+      issues: r.issues,
+      best_practices_violations: r.best_practices_violations ?? [],
+    };
+  } catch (e) {
+    return {
+      name: tc.name,
+      level: 'test_case',
+      status: 'error',
+      quality_score: 0,
+      validity_score: 0,
+      is_valid: false,
+      error_count: 1,
+      warning_count: 0,
+      step_count: 0,
+      issues: [{
+        rule_id: 'TC_000',
+        severity: 'ERROR',
+        message: `Unexpected error: ${(e as Error).message}`,
+        applies_to: 'document',
+      }],
+      best_practices_violations: [],
+    };
+  }
+}
+
+// ── Suite validation ──────────────────────────────────────────────────────────
+
+function checkSuiteStructure(
+  suiteName: string,
+  childSuites: TestSuiteInput[],
+  childCases: TestCaseInput[]
+): HierarchyViolation[] {
+  const violations: HierarchyViolation[] = [];
+  if (!childSuites.length && !childCases.length) {
+    violations.push(makeViolation(
+      'SUITE-EMPTY-001', 'SuiteStructure', 'major', 5,
+      `Test suite "${suiteName}" contains no test cases or child suites`,
+      `Add at least one test case or child suite to "${suiteName}"`,
+      ['TestSuite'],
+    ));
+  }
+  return violations;
+}
+
+function checkSuiteDuplicates(
+  suiteName: string,
+  childSuites: TestSuiteInput[],
+  childCases: TestCaseInput[]
+): HierarchyViolation[] {
+  const violations: HierarchyViolation[] = [];
+
+  const seenCases: Record<string, string> = {};
+  for (const tc of childCases) {
+    const base = path.basename(tc.name, path.extname(tc.name)).toLowerCase();
+    if (seenCases[base]) {
+      violations.push(makeViolation(
+        'SUITE-DUP-001', 'Maintainability', 'major', 5,
+        `Duplicate test case name "${base}" in suite "${suiteName}"`,
+        'Ensure all test case names within a suite are unique',
+        ['TestSuite'],
+        [seenCases[base], tc.name],
+      ));
+    } else {
+      seenCases[base] = tc.name;
+    }
+  }
+
+  const seenSuites = new Set<string>();
+  for (const cs of childSuites) {
+    const lower = cs.name.toLowerCase();
+    if (seenSuites.has(lower)) {
+      violations.push(makeViolation(
+        'SUITE-DUP-002', 'Maintainability', 'major', 5,
+        `Duplicate child suite name "${cs.name}" in suite "${suiteName}"`,
+        'Ensure all child suite names are unique within a parent suite',
+        ['TestSuite'],
+      ));
+    }
+    seenSuites.add(lower);
+  }
+  return violations;
+}
+
+function checkSuiteSize(suiteName: string, data: TestSuiteInput): HierarchyViolation[] {
+  const explicit = data.test_case_count;
+  const count = explicit ?? (data.test_cases?.length ?? 0);
+  if (count > 75) {
+    return [makeViolation(
+      'SUITE-SIZE-001', 'SuiteStructure', 'minor', 2,
+      `Test suite "${suiteName}" contains ${count} test cases (recommended maximum: 75)`,
+      'Break large suites into smaller, focused child suites',
+      ['TestSuite'],
+    )];
+  }
+  return [];
+}
+
+export function validateSuite(
+  data: TestSuiteInput,
+  qualityThreshold: number
+): SuiteResult {
+  const suiteName = data.name || 'Unnamed Suite';
+  const childSuites = data.test_suites ?? [];
+  const childCases = data.test_cases ?? [];
+
+  const violations: HierarchyViolation[] = [
+    ...checkSuiteStructure(suiteName, childSuites, childCases),
+    ...checkSuiteDuplicates(suiteName, childSuites, childCases),
+    ...checkSuiteSize(suiteName, data),
+    ...checkNamingConsistency(childSuites.map((cs) => cs.name), `suite "${suiteName}" child suites`, 'TestSuite', 'SUITE-NAMING-001'),
+    ...checkNamingConsistency(childCases.map((tc) => tc.name), `suite "${suiteName}" test cases`, 'TestSuite', 'SUITE-NAMING-002'),
+  ];
+
+  const suiteResults = childSuites.map((cs) => validateSuite(cs, qualityThreshold));
+  const caseResults = childCases.map((tc) => validateHierarchyTestCase(tc, qualityThreshold));
+
+  const scores = [
+    ...caseResults.map((r) => r.quality_score),
+    ...suiteResults.map((r) => r.quality_score),
+  ];
+  const quality_score = scores.length
+    ? Math.max(0, Math.round((childAvg(scores) - computeViolationDeduction(violations)) * 100) / 100)
+    : 0;
+
+  return {
+    name: suiteName,
+    level: 'suite',
+    quality_score,
+    violations,
+    test_cases: caseResults,
+    test_suites: suiteResults,
+  };
+}
+
+// ── Plan validation ───────────────────────────────────────────────────────────
+
+function checkPlanMetadata(planName: string, meta: PlanMetadata): HierarchyViolation[] {
+  const v: HierarchyViolation[] = [];
+  if (!meta.objectives) v.push(makeViolation('PLAN-META-001', 'PlanCompleteness', 'info', 1, `Test plan "${planName}" has no objectives defined`, 'Add testing objectives via the Provar Quality Hub app', ['TestPlan']));
+  if (!meta.in_scope) v.push(makeViolation('PLAN-META-002', 'PlanCompleteness', 'info', 1, `Test plan "${planName}" has no in-scope definition`, 'Specify in-scope features via the Provar Quality Hub app', ['TestPlan']));
+  if (!meta.testing_methodology) v.push(makeViolation('PLAN-META-003', 'PlanCompleteness', 'info', 1, `Test plan "${planName}" has no testing methodology defined`, 'Document the testing methodology via the Provar Quality Hub app', ['TestPlan']));
+  if (!meta.acceptance_criteria && meta.acceptable_pass_rate === undefined) v.push(makeViolation('PLAN-META-004', 'PlanCompleteness', 'info', 1, `Test plan "${planName}" has no acceptance criteria or acceptable pass rate`, 'Set acceptance criteria or an acceptable pass rate via the Provar Quality Hub app', ['TestPlan']));
+  if (!meta.environments?.length) v.push(makeViolation('PLAN-META-005', 'PlanCompleteness', 'info', 1, `Test plan "${planName}" has no test environments defined`, 'Specify target environments (e.g., QA, Staging, UAT) via the Provar Quality Hub app', ['TestPlan']));
+  if (!meta.test_data_strategy) v.push(makeViolation('PLAN-META-006', 'PlanCompleteness', 'minor', 2, `Test plan "${planName}" has no test data strategy`, 'Document the test data strategy via the Provar Quality Hub app', ['TestPlan']));
+  if (!meta.risks) v.push(makeViolation('PLAN-META-007', 'PlanCompleteness', 'info', 1, `Test plan "${planName}" has no risks identified`, 'Identify risks and mitigations via the Provar Quality Hub app', ['TestPlan']));
+  return v;
+}
+
+export function validatePlan(
+  data: TestPlanInput,
+  qualityThreshold: number
+): PlanResult {
+  const planName = data.name || 'Unnamed Plan';
+  const childSuites = data.test_suites ?? [];
+  const childCases = data.test_cases ?? [];
+
+  const violations: HierarchyViolation[] = [];
+
+  if (!childSuites.length && !childCases.length) {
+    violations.push(makeViolation(
+      'PLAN-EMPTY-001', 'PlanStructure', 'major', 5,
+      `Test plan "${planName}" contains no test suites or test cases`,
+      `Add at least one test suite or test case to "${planName}"`,
+      ['TestPlan'],
+    ));
+  }
+
+  const seenSuites = new Set<string>();
+  for (const s of childSuites) {
+    const lower = s.name.toLowerCase();
+    if (seenSuites.has(lower)) {
+      violations.push(makeViolation('PLAN-DUP-001', 'Maintainability', 'major', 5, `Duplicate suite name "${s.name}" in plan "${planName}"`, 'Ensure all suite names within a plan are unique', ['TestPlan']));
+    }
+    seenSuites.add(lower);
+  }
+
+  const meta = data.metadata ?? {};
+  violations.push(...checkPlanMetadata(planName, meta));
+
+  const suiteCount = data.test_suite_count ?? childSuites.length;
+  if (suiteCount > 20) {
+    violations.push(makeViolation('PLAN-SIZE-001', 'PlanStructure', 'minor', 2, `Test plan "${planName}" contains ${suiteCount} test suites (recommended maximum: 20)`, 'Split the plan into multiple focused test plans', ['TestPlan']));
+  }
+
+  violations.push(...checkNamingConsistency(childSuites.map((s) => s.name), `plan "${planName}"`, 'TestPlan', 'PLAN-NAMING-001'));
+
+  const suiteResults = childSuites.map((s) => validateSuite(s, qualityThreshold));
+  const caseResults = childCases.map((tc) => validateHierarchyTestCase(tc, qualityThreshold));
+
+  const scores = [
+    ...suiteResults.map((r) => r.quality_score),
+    ...caseResults.map((r) => r.quality_score),
+  ];
+  const quality_score = scores.length
+    ? Math.max(0, Math.round((childAvg(scores) - computeViolationDeduction(violations)) * 100) / 100)
+    : 0;
+
+  return {
+    name: planName,
+    level: 'plan',
+    quality_score,
+    violations,
+    test_suites: suiteResults,
+    test_cases: caseResults,
+  };
+}
+
+// ── Project cross-cutting rules ───────────────────────────────────────────────
+
+function buildCrossRefRegistry(
+  testPlans: TestPlanInput[],
+  testSuites: TestSuiteInput[],
+  testCases: TestCaseInput[]
+): Record<string, string> {
+  const registry: Record<string, string> = {};
+
+  function addSuiteTree(s: TestSuiteInput): void {
+    for (const tc of s.test_cases ?? []) registry[tc.name] = tc.xml ?? tc.xml_content ?? '';
+    for (const cs of s.test_suites ?? []) addSuiteTree(cs);
+  }
+
+  for (const tc of testCases) registry[tc.name] = tc.xml ?? tc.xml_content ?? '';
+  for (const s of testSuites) addSuiteTree(s);
+  for (const p of testPlans) {
+    for (const tc of p.test_cases ?? []) registry[tc.name] = tc.xml ?? tc.xml_content ?? '';
+    for (const s of p.test_suites ?? []) addSuiteTree(s);
+  }
+  return registry;
+}
+
+function checkDuplicateNames(registry: Record<string, string>): HierarchyViolation[] {
+  const violations: HierarchyViolation[] = [];
+  const seen: Record<string, string> = {};
+  for (const name of Object.keys(registry)) {
+    const base = path.basename(name, path.extname(name)).toLowerCase();
+    if (seen[base]) {
+      violations.push(makeViolation('PROJ-DUP-001', 'Maintainability', 'major', 5, `Duplicate test case name detected: "${base}"`, 'Ensure all test case names are unique across the project', ['Project'], [seen[base], name]));
+    } else {
+      seen[base] = name;
+    }
+  }
+  return violations;
+}
+
+function checkCaseCalls(registry: Record<string, string>, diskTestCaseNames: Set<string> = new Set()): HierarchyViolation[] {
+  const violations: HierarchyViolation[] = [];
+  // Include all on-disk test cases (callables have no .testinstance so they're absent from
+  // the plan-built registry — merging diskTestCaseNames prevents false PROJ-CALLABLE-001/002)
+  const available = new Set([...Object.keys(registry), ...diskTestCaseNames]);
+  const availableBase = new Set([...Object.keys(registry).map((n) => path.basename(n, path.extname(n))), ...diskTestCaseNames]);
+  const calledPaths = new Set<string>();
+
+  // Group callers by missing callee — avoids N violations for the same missing test
+  const missingCalleeCallers = new Map<string, Set<string>>();
+
+  const parser = new XMLParser({ ignoreAttributes: false, attributeNamePrefix: '@_', parseAttributeValue: false });
+
+  for (const [testName, xml] of Object.entries(registry)) {
+    if (!xml) continue;
+    try {
+      const parsed = parser.parse(xml) as Record<string, unknown>;
+      const tc = parsed['testCase'] as Record<string, unknown> | undefined;
+      if (!tc) continue;
+      const steps = tc['steps'] as Record<string, unknown> | undefined;
+      if (!steps) continue;
+      const rawCalls = steps['caseCall'];
+      const calls = rawCalls ? (Array.isArray(rawCalls) ? rawCalls : [rawCalls]) as Array<Record<string, unknown>> : [];
+      for (const call of calls) {
+        const called = (call['@_testCasePath'] as string | undefined)?.trim() ?? '';
+        if (!called) continue;
+        calledPaths.add(path.basename(called, path.extname(called)));
+        if (!available.has(called) && !availableBase.has(path.basename(called, path.extname(called)))) {
+          if (!missingCalleeCallers.has(called)) missingCalleeCallers.set(called, new Set());
+          missingCalleeCallers.get(called)!.add(testName);
+        }
+      }
+    } catch {
+      // skip unparseable XML
+    }
+  }
+
+  // One violation per unique missing callee (affected_files lists all callers)
+  for (const [called, callers] of missingCalleeCallers) {
+    const n = callers.size;
+    violations.push(makeViolation(
+      'PROJ-CALLABLE-001', 'ReusabilityAndCallables', 'major', 5,
+      `caseCall references non-existent test: "${called}" (referenced in ${n} test case${n > 1 ? 's' : ''})`,
+      `Ensure "${called}" exists in the project or update the reference`,
+      ['Project'],
+      [...callers].sort()
+    ));
+  }
+
+  for (const called of calledPaths) {
+    if (!availableBase.has(called)) {
+      violations.push(makeViolation('PROJ-CALLABLE-002', 'ReusabilityAndCallables', 'critical', 10, `Callable test "${called}" is referenced but does not exist in project`, `Add "${called}.testcase" to the project or remove the caseCall references`, ['Project']));
+    }
+  }
+
+  return violations;
+}
+
+function extractConnFromCall(call: Record<string, unknown>): string | undefined {
+  if (call['@_apiId'] !== 'com.provar.plugins.forcedotcom.core.testapis.ApexConnect') return undefined;
+  const args = call['argument'];
+  const argArr = args ? (Array.isArray(args) ? args : [args]) as Array<Record<string, unknown>> : [];
+  for (const arg of argArr) {
+    if (arg['@_id'] !== 'connectionName') continue;
+    const val = arg['value'] as Record<string, unknown> | undefined;
+    return (val?.['#text'] ?? val) as string | undefined;
+  }
+  return undefined;
+}
+
+function checkConnectionConsistency(registry: Record<string, string>, ctx: ProjectContext): HierarchyViolation[] {
+  const violations: HierarchyViolation[] = [];
+  const defined = new Set(ctx.connection_names ?? []);
+  if (!defined.size) return violations;
+
+  const parser = new XMLParser({ ignoreAttributes: false, attributeNamePrefix: '@_', parseAttributeValue: false });
+  const undefinedConns: Record<string, string[]> = {};
+
+  for (const [testName, xml] of Object.entries(registry)) {
+    if (!xml) continue;
+    try {
+      const parsed = parser.parse(xml) as Record<string, unknown>;
+      const tc = parsed['testCase'] as Record<string, unknown> | undefined;
+      if (!tc) continue;
+      const steps = tc['steps'] as Record<string, unknown> | undefined;
+      if (!steps) continue;
+      const rawCalls = steps['apiCall'];
+      const calls = rawCalls ? (Array.isArray(rawCalls) ? rawCalls : [rawCalls]) as Array<Record<string, unknown>> : [];
+      for (const call of calls) {
+        const conn = extractConnFromCall(call);
+        if (conn && !defined.has(conn)) {
+          (undefinedConns[conn] ??= []).push(testName);
+        }
+      }
+    } catch {
+      // skip
+    }
+  }
+
+  for (const [conn, files] of Object.entries(undefinedConns)) {
+    violations.push(makeViolation('PROJ-CONN-001', 'ConnectionsAndEnvironments', 'major', 5, `Connection "${conn}" used but not defined in project`, `Ensure connection "${conn}" is defined in your Provar project`, ['Project'], files));
+  }
+  return violations;
+}
+
+function checkEnvironments(ctx: ProjectContext): HierarchyViolation[] {
+  const violations: HierarchyViolation[] = [];
+  const envs = ctx.environments ?? [];
+  if (!envs.length) return violations;
+
+  const seen = new Set<string>();
+  const envPattern = /^[A-Za-z0-9_]+$/;
+  for (const env of envs) {
+    const lower = env.toLowerCase();
+    if (seen.has(lower)) {
+      violations.push(makeViolation('PROJ-ENV-001', 'ConnectionsAndEnvironments', 'major', 5, `Duplicate environment name: "${env}"`, 'Remove or rename duplicate environments', ['Project']));
+    }
+    seen.add(lower);
+    if (!envPattern.test(env)) {
+      violations.push(makeViolation('PROJ-ENV-002', 'ConnectionsAndEnvironments', 'major', 5, `Environment name "${env}" contains invalid characters`, 'Use only letters, digits, and underscores for environment names', ['Project']));
+    }
+  }
+  return violations;
+}
+
+export function validateProject(data: ProjectInput, qualityThreshold: number): ProjectResult {
+  const projectName = data.name || 'Unnamed Project';
+  const testPlans = data.test_plans ?? [];
+  const testSuites = data.test_suites ?? [];
+  const testCases = data.test_cases ?? [];
+  const ctx: ProjectContext = { ...data.project_context };
+
+  const planResults = testPlans.map((p) => validatePlan(p, qualityThreshold));
+  const suiteResults = testSuites.map((s) => validateSuite(s, qualityThreshold));
+  const caseResults = testCases.map((tc) => validateHierarchyTestCase(tc, qualityThreshold));
+
+  const violations: HierarchyViolation[] = [];
+
+  if (!testPlans.length && !testSuites.length && !testCases.length) {
+    violations.push(makeViolation('PROJ-EMPTY-001', 'ProjectStructure', 'major', 5, `Project "${projectName}" contains no test plans, test suites, or test cases`, `Add at least one test plan, test suite, or test case to "${projectName}"`, ['Project']));
+  }
+
+  const seenPlans = new Set<string>();
+  for (const p of testPlans) {
+    const lower = p.name.toLowerCase();
+    if (seenPlans.has(lower)) {
+      violations.push(makeViolation('PROJ-DUP-002', 'Maintainability', 'major', 5, `Duplicate plan name "${p.name}" in project "${projectName}"`, 'Ensure all test plan names within a project are unique', ['Project']));
+    }
+    seenPlans.add(lower);
+  }
+
+  // Cross-cutting rules require the full test case registry
+  const registry = buildCrossRefRegistry(testPlans, testSuites, testCases);
+  violations.push(...checkDuplicateNames(registry));
+  violations.push(...checkCaseCalls(registry, new Set(data.all_disk_test_case_names ?? [])));
+  violations.push(...checkConnectionConsistency(registry, ctx));
+  violations.push(...checkEnvironments(ctx));
+
+  if (!ctx.secretsPasswordSet) {
+    violations.push(makeViolation('PROJ-SECRET-001', 'ConnectionsAndEnvironments', 'major', 5, 'Provar Secrets Password is not configured for this project', 'Set a Secrets Password in the Provar project settings to encrypt sensitive test data', ['Project']));
+  }
+
+  if (ctx.unencrypted_secret_count !== undefined && ctx.unencrypted_secret_count > 0) {
+    violations.push(makeViolation(
+      'PROJ-ENC-001',
+      'ConnectionsAndEnvironments',
+      'critical',
+      20,
+      `${ctx.unencrypted_secret_count} credential(s) in .secrets are stored as plaintext (missing ENC1() wrapper)`,
+      'Re-configure the Provar Secrets Password and re-save all connections so credentials are re-encrypted',
+      ['Project']
+    ));
+  }
+
+  const scores = [
+    ...planResults.map((r) => r.quality_score),
+    ...suiteResults.map((r) => r.quality_score),
+    ...caseResults.map((r) => r.quality_score),
+  ];
+  const quality_score = scores.length
+    ? Math.max(0, Math.round((childAvg(scores) - computeViolationDeduction(violations)) * 100) / 100)
+    : 0;
+
+  return {
+    name: projectName,
+    level: 'project',
+    quality_score,
+    violations,
+    test_plans: planResults,
+    test_suites: suiteResults,
+    test_cases: caseResults,
+    project_context: ctx,
+  };
+}
+
+// ── Summary builder ───────────────────────────────────────────────────────────
+
+export function buildHierarchySummary(
+  result: SuiteResult | PlanResult | ProjectResult
+): HierarchySummary {
+  const stats: HierarchySummary = {
+    total_test_cases: 0,
+    test_cases_valid: 0,
+    test_cases_invalid: 0,
+    test_cases_error: 0,
+    total_violations: 0,
+    violations_by_severity: { critical: 0, major: 0, minor: 0, info: 0 },
+    violations_by_level: { project: 0, plan: 0, suite: 0, test_case: 0 },
+    quality_score_avg: 0,
+    quality_score_min: null,
+    quality_score_max: null,
+  };
+  const scores: number[] = [];
+
+  function walkNode(node: SuiteResult | PlanResult | ProjectResult | TestCaseResult): void {
+    const nodeLevel = node.level;
+    const nodeViolations = node.level === 'test_case' ? [] : node.violations;
+    stats.total_violations += nodeViolations.length;
+    if (nodeLevel in stats.violations_by_level) stats.violations_by_level[nodeLevel as keyof typeof stats.violations_by_level] += nodeViolations.length;
+    for (const v of nodeViolations) {
+      if (v.severity in stats.violations_by_severity) stats.violations_by_severity[v.severity]++;
+    }
+
+    if (node.level === 'test_case') {
+      stats.total_test_cases++;
+      if (node.status === 'valid') stats.test_cases_valid++;
+      else if (node.status === 'invalid') stats.test_cases_invalid++;
+      else stats.test_cases_error++;
+      scores.push(node.quality_score);
+      return;
+    }
+
+    for (const child of node.test_cases) walkNode(child);
+    for (const child of node.test_suites) walkNode(child);
+    if ('test_plans' in node) for (const child of node.test_plans) walkNode(child);
+  }
+
+  walkNode(result as SuiteResult | PlanResult | ProjectResult | TestCaseResult);
+
+  if (scores.length) {
+    stats.quality_score_avg = Math.round((scores.reduce((a, b) => a + b, 0) / scores.length) * 100) / 100;
+    stats.quality_score_min = Math.round(Math.min(...scores) * 100) / 100;
+    stats.quality_score_max = Math.round(Math.max(...scores) * 100) / 100;
+  }
+  return stats;
+}
diff --git a/src/mcp/tools/pageObjectGenerate.ts b/src/mcp/tools/pageObjectGenerate.ts
new file mode 100644
index 00000000..e40f295c
--- /dev/null
+++ b/src/mcp/tools/pageObjectGenerate.ts
@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path from 'node:path';
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+
+const VALID_LOCATOR_STRATEGIES = [
+  'xpath', 'id', 'css', 'name', 'className', 'tagName',
+  'linkText', 'partialLinkText', 'visualforce', 'label',
+] as const;
+
+const VALID_ELEMENT_TYPES = [
+  'TextType', 'ButtonType', 'LinkType', 'ChoiceListType',
+  'RadioType', 'FileType', 'DateType', 'RichTextType', 'BooleanType',
+] as const;
+
+const FieldSchema = z.object({
+  name: z.string().describe('camelCase WebElement field name'),
+  locator_strategy: z.enum(VALID_LOCATOR_STRATEGIES).default('xpath'),
+  locator_value: z
+    .string()
+    .default('')
+    .describe('Locator value (empty string is valid — AI healing populates at runtime)'),
+  element_type: z.enum(VALID_ELEMENT_TYPES).default('TextType'),
+});
+
+export function registerPageObjectGenerate(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.pageobject.generate',
+    'Generate a Provar Java Page Object skeleton with @Page/@SalesforcePage annotation, standard imports, and @FindBy WebElement fields. Returns Java source. Writes to disk only when dry_run=false.',
+    {
+      class_name: z.string().describe('PascalCase class name, e.g. AccountDetailPage'),
+      package_name: z
+        .string()
+        .default('pageobjects')
+        .describe('Java package, e.g. pageobjects or pageobjects.accounts'),
+      page_type: z
+        .enum(['standard', 'salesforce'])
+        .default('standard')
+        .describe('@Page (standard) or @SalesforcePage (salesforce)'),
+      title: z
+        .string()
+        .optional()
+        .describe('Page title attribute; defaults to class_name if omitted'),
+      connection_name: z
+        .string()
+        .optional()
+        .describe('Salesforce connection name (required when page_type=salesforce)'),
+      salesforce_page_attribute: z
+        .enum(['page', 'auraComponent', 'object', 'lightningWebComponent'])
+        .optional()
+        .describe('Page type attribute for @SalesforcePage'),
+      fields: z.array(FieldSchema).default([]).describe('WebElement fields to generate'),
+      output_path: z
+        .string()
+        .optional()
+        .describe('Suggested file path for the .java file (returned in response)'),
+      overwrite: z
+        .boolean()
+        .default(false)
+        .describe('Overwrite existing file when dry_run=false'),
+      dry_run: z
+        .boolean()
+        .default(true)
+        .describe('true = return source only (default); false = write to output_path'),
+      idempotency_key: z
+        .string()
+        .optional()
+        .describe('Caller-provided key echoed back for deduplication tracking'),
+    },
+    (input) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.pageobject.generate', {
+        requestId,
+        class_name: input.class_name,
+        dry_run: input.dry_run,
+      });
+
+      try {
+        const javaSource = buildPageObjectSource(input);
+        const filePath: string | undefined = input.output_path
+          ? path.resolve(input.output_path)
+          : undefined;
+        let written = false;
+
+        if (filePath && !input.dry_run) {
+          assertPathAllowed(filePath, config.allowedPaths);
+
+          if (fs.existsSync(filePath) && !input.overwrite) {
+            const err = makeError(
+              'FILE_EXISTS',
+              `File already exists: ${filePath}. Set overwrite=true to replace.`,
+              requestId
+            );
+            return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+          }
+
+          fs.mkdirSync(path.dirname(filePath), { recursive: true });
+          fs.writeFileSync(filePath, javaSource, 'utf-8');
+          written = true;
+          log('info', 'provar.pageobject.generate: wrote file', { requestId, filePath });
+        }
+
+        const result = {
+          requestId,
+          java_source: javaSource,
+          file_path: filePath,
+          written,
+          dry_run: input.dry_run,
+          idempotency_key: input.idempotency_key,
+        };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          structuredContent: result,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        const errResult = makeError(
+          error instanceof PathPolicyError ? error.code : (error.code ?? 'GENERATE_ERROR'),
+          error.message,
+          requestId,
+          false
+        );
+        log('error', 'provar.pageobject.generate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ── Source builder ────────────────────────────────────────────────────────────
+
+function buildPageObjectSource(input: {
+  class_name: string;
+  package_name: string;
+  page_type: 'standard' | 'salesforce';
+  title?: string;
+  connection_name?: string;
+  salesforce_page_attribute?: string;
+  fields: Array<z.infer<typeof FieldSchema>>;
+}): string {
+  const { class_name, package_name, page_type, title, connection_name, salesforce_page_attribute, fields } =
+    input;
+  const pageTitle = title ?? class_name;
+
+  let annotation: string;
+  if (page_type === 'salesforce') {
+    const conn = connection_name ? `, connection = "${connection_name}"` : '';
+    const sfAttr = salesforce_page_attribute ? `, ${salesforce_page_attribute} = ""` : '';
+    annotation = `@SalesforcePage(title = "${pageTitle}"${conn}${sfAttr})`;
+  } else {
+    annotation = `@Page(title = "${pageTitle}")`;
+  }
+
+  const fieldBlocks =
+    fields.length > 0
+      ? fields
+          .map((f) => {
+            const locArg =
+              f.locator_strategy === 'xpath'
+                ? `xpath = "${f.locator_value}"`
+                : `${f.locator_strategy} = "${f.locator_value}"`;
+            return `    @FindBy(${locArg})\n    @${f.element_type}()\n    public WebElement ${f.name};`;
+          })
+          .join('\n\n')
+      : '    // TODO: Add @FindBy WebElement fields';
+
+  return `package ${package_name};
+
+import com.provar.core.testapi.annotations.*;
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+
+${annotation}
+public class ${class_name} {
+
+${fieldBlocks}
+
+}
+`;
+}
diff --git a/src/mcp/tools/pageObjectValidate.ts b/src/mcp/tools/pageObjectValidate.ts
new file mode 100644
index 00000000..56514765
--- /dev/null
+++ b/src/mcp/tools/pageObjectValidate.ts
@@ -0,0 +1,501 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path, { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId, type ValidationIssue } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+
+export function registerPageObjectValidate(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.pageobject.validate',
+    'Validate a Provar Java Page Object against naming conventions, locator best practices, and structural requirements. Returns quality score (0–100) and list of issues.',
+    {
+      content: z.string().optional().describe('Java source code to validate directly'),
+      file_path: z.string().optional().describe('Path to .java Page Object file'),
+      expected_class_name: z
+        .string()
+        .optional()
+        .describe('Expected class name for PO_006 check; inferred from file_path when omitted'),
+    },
+    ({ content, file_path, expected_class_name }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.pageobject.validate', { requestId, has_content: !!content, file_path });
+
+      try {
+        let source = content;
+        let inferredClassName = expected_class_name;
+
+        if (!source && file_path) {
+          assertPathAllowed(file_path, config.allowedPaths);
+          const resolved = path.resolve(file_path);
+          if (!fs.existsSync(resolved)) {
+            const err = makeError('FILE_NOT_FOUND', `File not found: ${resolved}`, requestId);
+            return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+          }
+          source = fs.readFileSync(resolved, 'utf-8');
+          if (!inferredClassName) {
+            inferredClassName = path.basename(resolved, '.java');
+          }
+        }
+
+        if (!source) {
+          const err = makeError('MISSING_INPUT', 'Provide either content or file_path.', requestId);
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+        }
+
+        const validation = validatePageObject(source, inferredClassName);
+        const result = { requestId, ...validation };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          structuredContent: result,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        const errResult = makeError(
+          error instanceof PathPolicyError ? error.code : 'VALIDATE_ERROR',
+          error.message,
+          requestId,
+          false
+        );
+        log('error', 'provar.pageobject.validate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ── Validator (ported from quality-hub-agents/lambda/src/validator/page_object_validator.py) ──
+
+const VALID_LOCATOR_STRATEGIES = new Set([
+  'xpath', 'id', 'css', 'name', 'className', 'tagName',
+  'linkText', 'partialLinkText', 'visualforce', 'label',
+]);
+const VALID_ELEMENT_TYPES = new Set([
+  'TextType', 'ButtonType', 'LinkType', 'ChoiceListType',
+  'RadioType', 'FileType', 'DateType', 'RichTextType', 'BooleanType',
+]);
+const PASCAL_CASE_RE = /^[A-Z][A-Za-z0-9]*$/;
+const VALID_JAVA_IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
+const JAVA_RESERVED = new Set([
+  'abstract', 'assert', 'boolean', 'break', 'byte', 'case', 'catch', 'char', 'class',
+  'const', 'continue', 'default', 'do', 'double', 'else', 'enum', 'extends', 'final',
+  'finally', 'float', 'for', 'goto', 'if', 'implements', 'import', 'instanceof', 'int',
+  'interface', 'long', 'native', 'new', 'package', 'private', 'protected', 'public',
+  'return', 'short', 'static', 'strictfp', 'super', 'switch', 'synchronized', 'this',
+  'throw', 'throws', 'transient', 'try', 'void', 'volatile', 'while',
+]);
+const SF_DYNAMIC_ATTRS_RE = /data-aura-rendered-by|data-aura-class|aura-id|data-component-id/i;
+const INDEXED_XPATH_RE = /\[\d+\]/;
+const POSITION_FN_RE = /\b(last|first|position)\s*\(\s*\)/;
+
+// ── Rule penalties (lazy-loaded from page_object_validation_rules.json) ────────
+
+interface PoRule {
+  id: string;
+  penalty: number;
+  severity: string;
+  name: string;
+}
+
+const poRulesDirPath = dirname(fileURLToPath(import.meta.url));
+let poRulePenaltiesCache: Record<string, number> | null = null;
+
+function getRulePenalties(): Record<string, number> {
+  if (!poRulePenaltiesCache) {
+    try {
+      const raw = fs.readFileSync(
+        join(poRulesDirPath, '..', 'rules', 'page_object_validation_rules.json'),
+        'utf-8'
+      );
+      const rules = JSON.parse(raw) as PoRule[];
+      poRulePenaltiesCache = Object.fromEntries(rules.map((r) => [r.id, r.penalty]));
+    } catch {
+      poRulePenaltiesCache = {}; // unknown rules fall back to the default 5-point penalty
+    }
+  }
+  return poRulePenaltiesCache;
+}
+
+export interface PageObjectValidationResult {
+  is_valid: boolean;
+  quality_score: number;
+  class_name: string | null;
+  package_name: string | null;
+  field_count: number;
+  frame_count: number;
+  error_count: number;
+  warning_count: number;
+  info_count: number;
+  issues: ValidationIssue[];
+}
+
+/** Pure function — exported for unit testing */
+export function validatePageObject(
+  source: string,
+  expectedClassName?: string
+): PageObjectValidationResult {
+  const issues: ValidationIssue[] = [];
+  const stripped = stripComments(source);
+
+  // ── Package ──────────────────────────────────────────────────────────────────
+  const packageMatch = /^\s*package\s+([\w.]+)\s*;/m.exec(stripped);
+  const packageName = packageMatch ? packageMatch[1] : null;
+  if (!packageMatch) {
+    issues.push({
+      rule_id: 'PO_001', severity: 'ERROR',
+      message: 'Missing package declaration.',
+      applies_to: 'class',
+      suggestion: "Add 'package pageobjects;' at the top of the file.",
+    });
+  } else if (!/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)*$/.test(packageName!)) {
+    issues.push({
+      rule_id: 'PO_002', severity: 'ERROR',
+      message: `Invalid package name: "${packageName}".`,
+      applies_to: 'class',
+      suggestion: 'Package names should be valid lower-case Java identifiers separated by dots.',
+    });
+  }
+
+  // ── Class declaration ────────────────────────────────────────────────────────
+  const className = checkClassDeclaration(stripped, expectedClassName, issues);
+
+  // ── Brace balance ────────────────────────────────────────────────────────────
+  const openBraces = (stripped.match(/\{/g) ?? []).length;
+  const closeBraces = (stripped.match(/\}/g) ?? []).length;
+  if (openBraces !== closeBraces) {
+    issues.push({
+      rule_id: 'PO_060', severity: 'ERROR',
+      message: `Mismatched braces: ${openBraces} opening vs ${closeBraces} closing.`,
+      applies_to: 'class',
+      suggestion: 'Check for missing or extra curly braces.',
+    });
+  }
+
+  // ── Imports ──────────────────────────────────────────────────────────────────
+  if (!stripped.includes('import com.provar.core.testapi.annotations')) {
+    issues.push({
+      rule_id: 'PO_012', severity: 'WARNING',
+      message: 'Missing import for Provar annotations.',
+      applies_to: 'class',
+      suggestion: "Add 'import com.provar.core.testapi.annotations.*;'",
+    });
+  }
+
+  // ── Page annotation ──────────────────────────────────────────────────────────
+  const hasSalesforceAnnotation = checkAnnotations(stripped, issues);
+
+  // ── Fields ───────────────────────────────────────────────────────────────────
+  // Use original source (not stripped) so XPath "//" inside string literals
+  // is not mistakenly treated as a line comment by stripComments.
+  const fields = extractFields(source);
+  if (fields.length === 0 && !issues.some((i) => i.rule_id === 'PO_003')) {
+    issues.push({
+      rule_id: 'PO_030', severity: 'WARNING',
+      message: 'No WebElement or WebComponent fields found.',
+      applies_to: 'class',
+      suggestion: 'Add at least one WebElement field with @FindBy locator and type annotation.',
+    });
+  }
+  validateFields(fields, hasSalesforceAnnotation, issues);
+
+  // ── Frames ───────────────────────────────────────────────────────────────────
+  const frameCount = (stripped.match(/@PageFrame\b/g) ?? []).length;
+
+  // ── Commented code ───────────────────────────────────────────────────────────
+  if (/\/\/\s*(public|private|protected|@FindBy|WebElement|@\w+Type)/.test(source)) {
+    issues.push({
+      rule_id: 'PO_080', severity: 'INFO',
+      message: 'Commented-out code detected.',
+      applies_to: 'class',
+      suggestion: 'Remove commented code. Use version control to track history.',
+    });
+  }
+
+  // ── Quality score (sum penalties, capped at 100) ──────────────────────────
+  const rulePenalties = getRulePenalties();
+  let penalty = 0;
+  for (const issue of issues) {
+    penalty += rulePenalties[issue.rule_id] ?? 5;
+  }
+
+  return {
+    is_valid: issues.filter((i) => i.severity === 'ERROR').length === 0,
+    quality_score: Math.max(0, Math.min(100, 100 - penalty)),
+    class_name: className,
+    package_name: packageName,
+    field_count: fields.length,
+    frame_count: frameCount,
+    error_count: issues.filter((i) => i.severity === 'ERROR').length,
+    warning_count: issues.filter((i) => i.severity === 'WARNING').length,
+    info_count: issues.filter((i) => i.severity === 'INFO').length,
+    issues,
+  };
+}
+
+function checkClassDeclaration(
+  stripped: string,
+  expectedClassName: string | undefined,
+  issues: ValidationIssue[]
+): string | null {
+  const classMatch = /public\s+class\s+(\w+)/.exec(stripped);
+  const className = classMatch ? classMatch[1] : null;
+  if (!classMatch) {
+    issues.push({
+      rule_id: 'PO_003', severity: 'ERROR',
+      message: 'Missing public class declaration.',
+      applies_to: 'class',
+      suggestion: "Ensure the file has a 'public class ClassName' declaration.",
+    });
+  } else {
+    if (!PASCAL_CASE_RE.test(className!)) {
+      issues.push({
+        rule_id: 'PO_004', severity: 'WARNING',
+        message: `Class name "${className}" is not PascalCase.`,
+        applies_to: 'class',
+        suggestion: "Rename to PascalCase (e.g., 'MyPageObject').",
+      });
+    }
+    if (!VALID_JAVA_IDENT_RE.test(className!)) {
+      issues.push({
+        rule_id: 'PO_005', severity: 'ERROR',
+        message: `Class name "${className}" is not a valid Java identifier.`,
+        applies_to: 'class',
+        suggestion: 'Class names must start with a letter, $, or _ and contain only letters, digits, $, or _.',
+      });
+    }
+    if (expectedClassName && className !== expectedClassName) {
+      issues.push({
+        rule_id: 'PO_006', severity: 'ERROR',
+        message: `Class name "${className}" does not match expected "${expectedClassName}".`,
+        applies_to: 'class',
+        suggestion: 'Class name must match the filename.',
+      });
+    }
+  }
+  return className;
+}
+
+function checkAnnotations(stripped: string, issues: ValidationIssue[]): boolean {
+  const hasPageAnnotation = /@Page\s*\(/.test(stripped);
+  const hasSalesforceAnnotation = /@SalesforcePage\s*\(/.test(stripped);
+  if (!hasPageAnnotation && !hasSalesforceAnnotation) {
+    issues.push({
+      rule_id: 'PO_020', severity: 'WARNING',
+      message: 'Missing @Page or @SalesforcePage annotation.',
+      applies_to: 'annotation',
+      suggestion: 'Add @Page annotation before the class declaration.',
+    });
+  } else if (hasPageAnnotation) {
+    const m = /@Page\s*\(([^)]*)\)/.exec(stripped);
+    if (m && !m[1].includes('title')) {
+      issues.push({
+        rule_id: 'PO_021', severity: 'WARNING',
+        message: '@Page annotation missing title attribute.',
+        applies_to: 'annotation',
+        suggestion: 'Add title attribute to @Page annotation.',
+      });
+    }
+  } else if (hasSalesforceAnnotation) {
+    const m = /@SalesforcePage\s*\(([^)]*)\)/.exec(stripped);
+    if (m) {
+      if (!m[1].includes('title') || !m[1].includes('connection')) {
+        issues.push({
+          rule_id: 'PO_022', severity: 'ERROR',
+          message: '@SalesforcePage missing required title or connection attribute.',
+          applies_to: 'annotation',
+          suggestion: 'Add required attributes to @SalesforcePage annotation.',
+        });
+      }
+      const pageTypes = ['page', 'auraComponent', 'object', 'lightningWebComponent'];
+      if (!pageTypes.some((t) => m[1].includes(t))) {
+        issues.push({
+          rule_id: 'PO_023', severity: 'WARNING',
+          message: '@SalesforcePage should specify page type attribute.',
+          applies_to: 'annotation',
+          suggestion: 'Add one of: page, auraComponent, object, or lightningWebComponent.',
+        });
+      }
+    }
+  }
+  return hasSalesforceAnnotation;
+}
+
+function validateFields(
+  fields: FieldInfo[],
+  hasSalesforceAnnotation: boolean,
+  issues: ValidationIssue[]
+): void {
+  const fieldNames = new Set<string>();
+  for (const field of fields) {
+    if (fieldNames.has(field.name)) {
+      issues.push({
+        rule_id: 'PO_031', severity: 'ERROR',
+        message: `Duplicate field name: "${field.name}".`,
+        applies_to: 'field',
+        suggestion: 'Rename one of the duplicate fields.',
+      });
+    } else {
+      fieldNames.add(field.name);
+    }
+    if (!VALID_JAVA_IDENT_RE.test(field.name)) {
+      issues.push({
+        rule_id: 'PO_032', severity: 'ERROR',
+        message: `Invalid field name: "${field.name}".`,
+        applies_to: 'field',
+        suggestion: 'Field names must be valid Java identifiers.',
+      });
+    }
+    if (JAVA_RESERVED.has(field.name)) {
+      issues.push({
+        rule_id: 'PO_033', severity: 'ERROR',
+        message: `Field name "${field.name}" is a Java reserved word.`,
+        applies_to: 'field',
+        suggestion: 'Rename field to avoid Java reserved words.',
+      });
+    }
+    if (field.locatorStrategy && !VALID_LOCATOR_STRATEGIES.has(field.locatorStrategy)) {
+      issues.push({
+        rule_id: 'PO_034', severity: 'ERROR',
+        message: `Invalid locator strategy: "${field.locatorStrategy}".`,
+        applies_to: 'field',
+        suggestion:
+          'Use one of: xpath, id, css, name, className, tagName, linkText, partialLinkText, visualforce, label.',
+      });
+    }
+    if (field.elementType && !VALID_ELEMENT_TYPES.has(field.elementType)) {
+      issues.push({
+        rule_id: 'PO_036', severity: 'WARNING',
+        message: `Invalid element type: "@${field.elementType}". (CheckboxType is not valid — use BooleanType.)`,
+        applies_to: 'field',
+        suggestion:
+          'Use a valid Provar element type: TextType, ButtonType, LinkType, ChoiceListType, RadioType, FileType, DateType, RichTextType, BooleanType.',
+      });
+    }
+    checkLocatorQuality(field, hasSalesforceAnnotation, issues);
+  }
+}
+
+function checkLocatorQuality(
+  field: FieldInfo,
+  hasSalesforceAnnotation: boolean,
+  issues: ValidationIssue[]
+): void {
+  const lv = field.locatorValue ?? '';
+  const strat = field.locatorStrategy ?? '';
+  if (!lv) return;
+  if ((strat === 'xpath' || strat === '') && /^\/html|^\/body/i.test(lv)) {
+    issues.push({
+      rule_id: 'PO_071', severity: 'ERROR',
+      message: `Absolute XPath for field "${field.name}".`,
+      applies_to: 'field',
+      suggestion: 'Use relative XPath starting with // or .//',
+    });
+  }
+  if (SF_DYNAMIC_ATTRS_RE.test(lv)) {
+    issues.push({
+      rule_id: 'PO_073', severity: 'ERROR',
+      message: `Salesforce dynamic attribute in locator for "${field.name}".`,
+      applies_to: 'field',
+      suggestion: 'Use stable identifiers like labels, data-testid, or semantic selectors.',
+    });
+  }
+  if (strat === 'id' && hasSalesforceAnnotation) {
+    issues.push({
+      rule_id: 'PO_070', severity: 'WARNING',
+      message: `ID-based locator on Salesforce page for "${field.name}". IDs may be dynamic.`,
+      applies_to: 'field',
+      suggestion: 'Prefer xpath/css with stable attributes like data-testid, aria-label, name.',
+    });
+  }
+  if (INDEXED_XPATH_RE.test(lv)) {
+    issues.push({
+      rule_id: 'PO_072', severity: 'WARNING',
+      message: `Indexed XPath [n] for field "${field.name}".`,
+      applies_to: 'field',
+      suggestion: 'Prefer attribute-based selection over positional indexes.',
+    });
+  }
+  if (strat === 'xpath') {
+    const segments = (lv.match(/\/{2}/g) ?? []).length;
+    if (segments > 4) {
+      issues.push({
+        rule_id: 'PO_076', severity: 'WARNING',
+        message: `Complex XPath (${segments} descent operators) for "${field.name}".`,
+        applies_to: 'field',
+        suggestion: 'Simplify with a more direct path or data-testid attributes.',
+      });
+    }
+  }
+  if (POSITION_FN_RE.test(lv)) {
+    issues.push({
+      rule_id: 'PO_079', severity: 'WARNING',
+      message: `Position function (last/first/position) in XPath for "${field.name}".`,
+      applies_to: 'field',
+      suggestion: 'Use unique identifiers instead of position-based selection.',
+    });
+  }
+  if (strat === 'css' && /[a-z0-9]+-[a-z0-9]+-[a-z0-9]+/.test(lv)) {
+    issues.push({
+      rule_id: 'PO_075', severity: 'INFO',
+      message: `Possibly autogenerated CSS class pattern for "${field.name}".`,
+      applies_to: 'field',
+      suggestion: 'Prefer stable attributes over autogenerated CSS classes.',
+    });
+  }
+  if (lv.length > 200) {
+    issues.push({
+      rule_id: 'PO_078', severity: 'INFO',
+      message: `Very long locator (${lv.length} chars) for "${field.name}".`,
+      applies_to: 'field',
+      suggestion: 'Consider a shorter, more maintainable locator.',
+    });
+  }
+}
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+function stripComments(source: string): string {
+  return source
+    .replace(/\/\*[\s\S]*?\*\//g, '')   // block comments
+    .replace(/\/\/[^\n]*/g, '');         // line comments
+}
+
+interface FieldInfo {
+  name: string;
+  locatorStrategy?: string;
+  locatorValue?: string;
+  elementType?: string;
+}
+
+/**
+ * Extract @FindBy WebElement field declarations from stripped source.
+ * Regex captures: FindBy attrs | optional type annotation | field name.
+ */
+function extractFields(source: string): FieldInfo[] {
+  const fields: FieldInfo[] = [];
+  const re =
+    /@FindBy\s*\(([^)]*)\)[^;]*?(?:@(\w+)\s*\(\s*\)\s*)?(?:public|private|protected)?\s+(?:WebElement|WebComponent)\s+(\w+)\s*;/g;
+  let m: RegExpExecArray | null;
+  while ((m = re.exec(source)) !== null) {
+    const attrs = m[1] ?? '';
+    const stratMatch = /(\w+)\s*=\s*"([^"]*)"/.exec(attrs);
+    fields.push({
+      name: m[3],
+      locatorStrategy: stratMatch ? stratMatch[1] : undefined,
+      locatorValue: stratMatch ? stratMatch[2] : undefined,
+      elementType: m[2],
+    });
+  }
+  return fields;
+}
diff --git a/src/mcp/tools/projectInspect.ts b/src/mcp/tools/projectInspect.ts
new file mode 100644
index 00000000..ff01c815
--- /dev/null
+++ b/src/mcp/tools/projectInspect.ts
@@ -0,0 +1,821 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path from 'node:path';
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+
+export function registerProjectInspect(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.project.inspect',
+    [
+      'Inspect a Provar project folder and return a structured inventory.',
+      'Returns: provardx-properties.json config files (for ProvarDX CLI runs),',
+      'ANT build files (build.xml etc in ANT/ dirs, for CLI/pipeline runs),',
+      'source page object directories with Java file counts (src/pageobjects — compiled bin/ dirs excluded),',
+      '.testcase files found recursively under tests/,',
+      'count of custom test step files in src/customapis/,',
+      'count of data source files (CSV/XLSX/JSON) in data/ and templates/ dirs,',
+      'test plan coverage showing which test cases are covered vs uncovered,',
+      'and connection + environment overview parsed from the .testproject file',
+      '(Salesforce, UI Testing, Web Services, Quality Hub, Database, and other connection types).',
+    ].join(' '),
+    {
+      project_path: z
+        .string()
+        .describe('Absolute or relative path to the Provar project root directory'),
+    },
+    ({ project_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.project.inspect', { requestId, project_path });
+
+      try {
+        assertPathAllowed(project_path, config.allowedPaths);
+        const resolved = path.resolve(project_path);
+
+        if (!fs.existsSync(resolved)) {
+          const err = makeError('PATH_NOT_FOUND', `Project path does not exist: ${resolved}`, requestId);
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+        }
+
+        const result = buildProjectInventory(resolved, requestId);
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          structuredContent: result,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        const errResult = makeError(
+          error instanceof PathPolicyError ? error.code : (error.code ?? 'INSPECT_ERROR'),
+          error.message,
+          requestId,
+          false
+        );
+        log('error', 'provar.project.inspect failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ─── types ────────────────────────────────────────────────────────────────────
+
+interface PageObjectDir {
+  path: string;         // relative path from project root
+  java_file_count: number;
+}
+
+interface SecretsValidation {
+  secrets_file: string;           // relative path (from secureStoragePath in .testproject)
+  found: boolean;                 // whether the file exists
+  encryptor_check_present: boolean; // Provar Secrets Password has been configured
+  all_values_encrypted: boolean;  // every non-comment entry has an ENC1() value
+  total_entries: number;          // total key=value entries (excluding comments)
+  encrypted_count: number;        // entries with ENC1() values
+  unencrypted_key_count: number;  // entries WITHOUT ENC1() — pass to PROJ-ENC-001
+  unencrypted_keys: string[];     // key names only, never values — e.g. ["uuid.password"]
+}
+
+interface SfConnection {
+  name: string;
+  /** Connection type — "communities" (userType=COMMUNITIES), "portal", or "standard" */
+  sub_type: 'standard' | 'communities' | 'portal';
+  /**
+   * Auth method derived from the primary connectionUrl:
+   * - "login-as" — logonAsConnection= is set (delegates to another connection)
+   * - "oauth" — authenticationType=OAUTH
+   * - "basic" — password= present (username/password, credentials in .secrets)
+   * - "unknown" — none of the above matched
+   */
+  auth_method: 'login-as' | 'oauth' | 'basic' | 'unknown';
+  /** Target org type derived from environment= param: SANDBOX, PROD_DEV (Production/Developer), or other */
+  sf_environment: 'sandbox' | 'production-developer' | 'other' | null;
+  /** Name of the parent connection used for logon-as, or null */
+  logon_as_connection: string | null;
+  /** true when auth_method !== "login-as" — flag for admin-user review */
+  is_direct_login: boolean;
+}
+
+interface ConnectionOverview {
+  salesforce: SfConnection[];
+  ui_testing: string[];
+  quality_hub: string[];
+  web_service_rest: string[];
+  web_service_soap: string[];
+  database: string[];
+  google: string[];
+  microsoft: string[];
+  zephyr: string[];
+  sso: string[];
+  other: Array<{ class: string; name: string }>;
+  summary: Record<string, number>;
+}
+
+interface TestProjectInfo {
+  found: boolean;
+  file_path: string | null;
+  environments: string[];
+  connections: ConnectionOverview;
+}
+
+interface PlanCoverage {
+  test_plan_count: number;
+  test_suite_count: number;
+  test_instance_count: number;
+  covered_test_case_paths: string[];
+  uncovered_test_case_paths: string[];
+  coverage_percent: number;
+}
+
+// ─── inventory builder ────────────────────────────────────────────────────────
+
+function buildProjectInventory(projectPath: string, requestId: string): Record<string, unknown> {
+  const provardxPropertiesFiles: string[] = [];
+  const antBuildFiles: string[] = [];
+  const sourcePageObjectDirs: PageObjectDir[] = [];
+  const testCaseFilesDisplay: string[] = [];    // capped at 500 for API display
+  const allTestCasePaths = new Set<string>();   // uncapped — used for coverage
+  let customTestStepFileCount = 0;
+  let dataSourceFileCount = 0;
+  const dataSourceDirs: string[] = [];
+
+  walkDir(projectPath, (filePath, isDir, name) => {
+    const rel = path.relative(projectPath, filePath).replace(/\\/g, '/');
+
+    if (isDir) {
+      if (name === 'bin') return false;
+      if (name === 'plans') return false; // handled by buildPlanCoverage (needs dot-file visibility)
+
+      if (name === 'pageobjects') {
+        const parentRel = path.relative(projectPath, path.dirname(filePath)).replace(/\\/g, '/');
+        if (parentRel === 'src' || parentRel.endsWith('/src')) {
+          // Count .java files now — don't rely on recursion (we return false below)
+          const javaCount = countFilesRecursive(filePath, (n) => n.endsWith('.java'));
+          sourcePageObjectDirs.push({ path: rel, java_file_count: javaCount });
+        }
+        return false;
+      }
+
+      if (name === 'customapis') {
+        customTestStepFileCount += countFilesRecursive(filePath, isSourceFile);
+        return false;
+      }
+
+      if (name === 'data' || name === 'templates') {
+        dataSourceDirs.push(rel);
+        dataSourceFileCount += countFilesRecursive(filePath, isDataFile);
+        return false;
+      }
+
+      return true;
+    }
+
+    if (name === 'provardx-properties.json') {
+      provardxPropertiesFiles.push(rel);
+      return true;
+    }
+
+    if (name.endsWith('.testcase') && (rel.startsWith('tests/') || rel.includes('/tests/'))) {
+      allTestCasePaths.add(rel);
+      if (testCaseFilesDisplay.length < 500) testCaseFilesDisplay.push(rel);
+      return true;
+    }
+
+    if (rel.startsWith('ANT/') || rel.includes('/ANT/')) {
+      if (name.endsWith('.xml') || name.endsWith('.properties')) antBuildFiles.push(rel);
+      return true;
+    }
+
+    return true;
+  });
+
+  const { provarHome, provarHomeSource } = detectProvarHome(projectPath, provardxPropertiesFiles, antBuildFiles);
+  const testSuiteDirs = getTopLevelTestSuites(projectPath);
+  const planCoverage = buildPlanCoverage(projectPath, allTestCasePaths);
+  const testProject = parseTestProject(projectPath);
+  const secretsValidation = validateSecretsFile(projectPath, testProject);
+
+  return {
+    requestId,
+    project_path: projectPath,
+    provar_home: provarHome,
+    provar_home_source: provarHomeSource,
+    provardx_properties_files: provardxPropertiesFiles,
+    ant_build_files: antBuildFiles,
+    source_page_object_dirs: sourcePageObjectDirs,
+    test_suite_dirs: testSuiteDirs,
+    test_case_files: testCaseFilesDisplay,
+    custom_test_step_file_count: customTestStepFileCount,
+    data_source_dirs: dataSourceDirs,
+    data_source_file_count: dataSourceFileCount,
+    test_plan_coverage: planCoverage,
+    test_project: testProject,
+    secrets_validation: secretsValidation,
+    summary: {
+      provardx_properties_count: provardxPropertiesFiles.length,
+      ant_build_file_count: antBuildFiles.length,
+      source_page_object_dir_count: sourcePageObjectDirs.length,
+      page_object_file_count: sourcePageObjectDirs.reduce((s, d) => s + d.java_file_count, 0),
+      test_suite_count: testSuiteDirs.length,
+      test_case_count: allTestCasePaths.size,
+      custom_test_step_count: customTestStepFileCount,
+      data_source_count: dataSourceFileCount,
+      test_plan_count: planCoverage.test_plan_count,
+      test_suites_in_plans_count: planCoverage.test_suite_count,
+      test_instance_count: planCoverage.test_instance_count,
+      coverage_percent: planCoverage.coverage_percent,
+      environment_count: testProject.environments.length,
+      connection_count: testProject.connections.summary['total'] ?? 0,
+      secrets_encrypted: secretsValidation.all_values_encrypted,
+      unencrypted_secret_count: secretsValidation.unencrypted_key_count,
+    },
+  };
+}
+
+// ─── .testproject parser ──────────────────────────────────────────────────────
+
+/**
+ * Parses the .testproject file (a hidden dot-file at the project root).
+ * Extracts environments and connection overview.
+ *
+ * Connection class → label mapping (verified across 136 POC projects):
+ * - sf → Salesforce (sub-type detection: communities / portal / standard)
+ * - ui → UI Testing (browser/Selenium connections)
+ * - testmanager → Provar Quality Hub
+ * - webservice → Web Service REST (url starts with "restservice:") or SOAP
+ * - google → Google (Gmail / Google Workspace)
+ * - msexc → Microsoft (Exchange / Outlook via EWS — url starts with "exchange:")
+ * - database → Database (Oracle, SQL Server, DB2, MySQL, PostgreSQL — rare in field)
+ * - zephyr / zephyrScale / zephyrServer → Zephyr (Cloud & Server)
+ * - sso → SSO
+ * - anything else → other (raw class name preserved for forward-compatibility)
+ */
+function parseTestProject(projectPath: string): TestProjectInfo {
+  const testProjectPath = path.join(projectPath, '.testproject');
+  const empty: TestProjectInfo = {
+    found: false,
+    file_path: null,
+    environments: [],
+    connections: emptyConnectionOverview(),
+  };
+
+  if (!fs.existsSync(testProjectPath)) return empty;
+
+  let content: string;
+  try {
+    content = fs.readFileSync(testProjectPath, 'utf-8');
+  } catch {
+    return empty;
+  }
+
+  const environments = parseEnvironments(content);
+  const connections = parseConnectionClasses(content);
+
+  return {
+    found: true,
+    file_path: '.testproject',
+    environments,
+    connections,
+  };
+}
+
+// ─── .secrets validator ───────────────────────────────────────────────────────
+
+/**
+ * Reads the .secrets file (a Java properties file) and checks that every
+ * credential value is wrapped in an ENC1() block.
+ *
+ * Security note: only key NAMES are returned — plaintext values are never
+ * included in the output, even for unencrypted entries.
+ *
+ * The secrets file path comes from <secureStoragePath> in .testproject
+ * (defaults to ".secrets" at the project root).
+ *
+ * File format:
+ * - `# comment`
+ * - `<uuid>.<field>=ENC1(base64...)` — correctly encrypted
+ * - `<uuid>.<field>=plaintextpassword` — VIOLATION
+ * - `Encryptor.check=ENC1(...)` — sentinel (present when password is configured)
+ */
+function validateSecretsFile(projectPath: string, testProject: TestProjectInfo): SecretsValidation {
+  // Resolve path from .testproject <secureStoragePath>, defaulting to ".secrets"
+  let secretsRelPath = '.secrets';
+  if (testProject.found) {
+    try {
+      const raw = fs.readFileSync(path.join(projectPath, '.testproject'), 'utf-8');
+      const match = raw.match(/<secureStoragePath>([^<]+)<\/secureStoragePath>/);
+      if (match?.[1]) secretsRelPath = match[1].trim();
+    } catch { /* use default */ }
+  }
+
+  const notFound: SecretsValidation = {
+    secrets_file: secretsRelPath,
+    found: false,
+    encryptor_check_present: false,
+    all_values_encrypted: false,
+    total_entries: 0,
+    encrypted_count: 0,
+    unencrypted_key_count: 0,
+    unencrypted_keys: [],
+  };
+
+  const secretsPath = path.join(projectPath, secretsRelPath);
+  if (!fs.existsSync(secretsPath)) return notFound;
+
+  let content: string;
+  try {
+    content = fs.readFileSync(secretsPath, 'utf-8');
+  } catch {
+    return notFound;
+  }
+
+  let encryptorCheckPresent = false;
+  let totalEntries = 0;
+  let encryptedCount = 0;
+  const unencryptedKeys: string[] = [];
+
+  for (const rawLine of content.split('\n')) {
+    const line = rawLine.trimEnd();
+    // Skip blank lines and comment lines (Java properties # or ! prefix)
+    if (!line || line.startsWith('#') || line.startsWith('!')) continue;
+
+    // Split on the FIRST unescaped '=' — everything before is the key
+    const eqIdx = line.indexOf('=');
+    if (eqIdx === -1) continue;
+
+    const key = line.slice(0, eqIdx).trim();
+    const value = line.slice(eqIdx + 1); // do NOT trim — value may legitimately start with a space
+
+    if (key === 'Encryptor.check') {
+      // Sentinel entry — indicates Provar Secrets Password is configured
+      encryptorCheckPresent = true;
+      // Count it but don't add to unencrypted list even if somehow unwrapped
+      totalEntries++;
+      if (value.startsWith('ENC1(')) encryptedCount++;
+      continue;
+    }
+
+    totalEntries++;
+    if (value.startsWith('ENC1(')) {
+      encryptedCount++;
+    } else {
+      // Only record the KEY name — never the plaintext value
+      unencryptedKeys.push(key);
+    }
+  }
+
+  return {
+    secrets_file: secretsRelPath,
+    found: true,
+    encryptor_check_present: encryptorCheckPresent,
+    all_values_encrypted: unencryptedKeys.length === 0,
+    total_entries: totalEntries,
+    encrypted_count: encryptedCount,
+    unencrypted_key_count: unencryptedKeys.length,
+    unencrypted_keys: unencryptedKeys,
+  };
+}
+
+function parseEnvironments(content: string): string[] {
+  const names: string[] = [];
+  const section = content.match(/<environments>([\s\S]*?)<\/environments>/);
+  if (!section) return names;
+  const pattern = /<environment\s[^>]*\bname="([^"]+)"/g;
+  let m;
+  while ((m = pattern.exec(section[1])) !== null) names.push(m[1]);
+  return names;
+}
+
+function parseConnectionClasses(content: string): ConnectionOverview {
+  const result = emptyConnectionOverview();
+
+  const classesBlock = content.match(/<connectionClasses>([\s\S]*?)<\/connectionClasses>/);
+  if (!classesBlock) return result;
+
+  const classPattern = /<connectionClass\s+name="([^"]+)">([\s\S]*?)<\/connectionClass>/g;
+  let classMatch;
+  while ((classMatch = classPattern.exec(classesBlock[1])) !== null) {
+    const className = classMatch[1];
+    const classContent = classMatch[2];
+
+    const connPattern = /<connection\s[^>]*\bname="([^"]+)"[^>]*>([\s\S]*?)<\/connection>/g;
+    let connMatch;
+    while ((connMatch = connPattern.exec(classContent)) !== null) {
+      const connName = connMatch[1];
+      const connContent = connMatch[2];
+
+      // Collect all url="..." values for this connection (may have per-environment overrides)
+      const urlPattern = /\burl="([^"]+)"/g;
+      const urls: string[] = [];
+      let urlMatch;
+      while ((urlMatch = urlPattern.exec(connContent)) !== null) urls.push(urlMatch[1]);
+
+      categoriseConnection(result, className, connName, urls);
+    }
+  }
+
+  // Build summary totals
+  const sfCommunities  = result.salesforce.filter((c) => c.sub_type === 'communities').length;
+  const sfPortal       = result.salesforce.filter((c) => c.sub_type === 'portal').length;
+  const sfLoginAs      = result.salesforce.filter((c) => c.auth_method === 'login-as').length;
+  const sfOAuth        = result.salesforce.filter((c) => c.auth_method === 'oauth').length;
+  const sfBasic        = result.salesforce.filter((c) => c.auth_method === 'basic').length;
+  const sfDirectLogin  = result.salesforce.filter((c) => c.is_direct_login).length;
+  result.summary = {
+    salesforce: result.salesforce.length,
+    salesforce_standard: result.salesforce.length - sfCommunities - sfPortal,
+    salesforce_communities: sfCommunities,
+    salesforce_portal: sfPortal,
+    salesforce_auth_login_as: sfLoginAs,
+    salesforce_auth_oauth: sfOAuth,
+    salesforce_auth_basic: sfBasic,
+    salesforce_direct_login: sfDirectLogin,   // review these — may be admin users
+    ui_testing: result.ui_testing.length,
+    quality_hub: result.quality_hub.length,
+    web_service_rest: result.web_service_rest.length,
+    web_service_soap: result.web_service_soap.length,
+    database: result.database.length,
+    google: result.google.length,
+    microsoft: result.microsoft.length,
+    zephyr: result.zephyr.length,
+    sso: result.sso.length,
+    other: result.other.length,
+    total:
+      result.salesforce.length +
+      result.ui_testing.length +
+      result.quality_hub.length +
+      result.web_service_rest.length +
+      result.web_service_soap.length +
+      result.database.length +
+      result.google.length +
+      result.microsoft.length +
+      result.zephyr.length +
+      result.sso.length +
+      result.other.length,
+  };
+
+  return result;
+}
+
+// eslint-disable-next-line complexity
+function categoriseConnection(
+  result: ConnectionOverview,
+  className: string,
+  name: string,
+  urls: string[]
+): void {
+  // Use the first URL for type inference; env-override URLs share the same class
+  const primaryUrl = urls[0] ?? '';
+
+  switch (className) {
+    case 'sf': {
+      // ── sub-type ──────────────────────────────────────────────────────────
+      const isCommunities = primaryUrl.includes('userType=COMMUNITIES');
+      const isPortal = !isCommunities && primaryUrl.includes('portal=');
+      const subType: 'standard' | 'communities' | 'portal' = isCommunities
+        ? 'communities'
+        : isPortal
+          ? 'portal'
+          : 'standard';
+
+      // ── auth method ───────────────────────────────────────────────────────
+      const logonAsMatch = primaryUrl.match(/logonAsConnection=([^;]+)/);
+      const isLogonAs = logonAsMatch !== null;
+      const isOAuth = primaryUrl.includes('authenticationType=OAUTH');
+      const isBasic = primaryUrl.includes('password=');
+      const authMethod: SfConnection['auth_method'] = isLogonAs
+        ? 'login-as'
+        : isOAuth
+          ? 'oauth'
+          : isBasic
+            ? 'basic'
+            : 'unknown';
+
+      // ── SF environment (org type) ─────────────────────────────────────────
+      const envMatch = primaryUrl.match(/(?:^|;)environment=([^;]+)/);
+      const envValue = envMatch?.[1]?.toUpperCase();
+      const sfEnvironment: SfConnection['sf_environment'] =
+        envValue === 'SANDBOX'   ? 'sandbox' :
+        envValue === 'PROD_DEV'  ? 'production-developer' :
+        envValue                 ? 'other' :
+                                   null;
+
+      result.salesforce.push({
+        name,
+        sub_type: subType,
+        auth_method: authMethod,
+        sf_environment: sfEnvironment,
+        logon_as_connection: logonAsMatch?.[1] ?? null,
+        is_direct_login: !isLogonAs,
+      });
+      break;
+    }
+    case 'ui':
+      result.ui_testing.push(name);
+      break;
+    case 'testmanager':
+      result.quality_hub.push(name);
+      break;
+    case 'webservice':
+      if (primaryUrl.startsWith('restservice:')) {
+        result.web_service_rest.push(name);
+      } else {
+        result.web_service_soap.push(name);
+      }
+      break;
+    case 'database':
+      result.database.push(name);
+      break;
+    case 'google':
+      result.google.push(name);
+      break;
+    case 'msexc':        // Microsoft Exchange / Outlook (EWS)
+    case 'microsoft':    // kept as fallback in case variant exists
+      result.microsoft.push(name);
+      break;
+    case 'zephyr':
+    case 'zephyrScale':
+    case 'zephyrServer':
+      result.zephyr.push(name);
+      break;
+    case 'sso':
+      result.sso.push(name);
+      break;
+    default:
+      result.other.push({ class: className, name });
+      break;
+  }
+}
+
+function emptyConnectionOverview(): ConnectionOverview {
+  return {
+    salesforce: [],
+    ui_testing: [],
+    quality_hub: [],
+    web_service_rest: [],
+    web_service_soap: [],
+    database: [],
+    google: [],
+    microsoft: [],
+    zephyr: [],
+    sso: [],
+    other: [],
+    summary: {},
+  };
+}
+
+// ─── test plan coverage ───────────────────────────────────────────────────────
+
+/**
+ * Builds a map of testcase UUID (registryId / id / guid) → project-relative path.
+ * Used as a UUID-based fallback when testCasePath in a .testinstance doesn't match
+ * the on-disk path exactly (e.g. different separators or moved files).
+ */
+function buildProjectTestCaseIdMap(projectPath: string): Map<string, string> {
+  const testsDir = path.join(projectPath, 'tests');
+  const idMap = new Map<string, string>();
+  if (!fs.existsSync(testsDir)) return idMap;
+
+  function walk(dir: string): void {
+    try {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        if (entry.name.startsWith('.') || entry.name === 'node_modules') continue;
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) { walk(fullPath); }
+        else if (entry.name.endsWith('.testcase')) {
+          try {
+            const content = fs.readFileSync(fullPath, 'utf-8');
+            const rel = path.relative(projectPath, fullPath).replace(/\\/g, '/');
+            for (const attr of ['registryId', 'id', 'guid'] as const) {
+              const m = content.match(new RegExp(`${attr}=["']([^"']+)["']`));
+              if (m?.[1] && !idMap.has(m[1])) idMap.set(m[1], rel);
+            }
+          } catch { /* skip */ }
+        }
+      }
+    } catch { /* skip */ }
+  }
+  walk(testsDir);
+  return idMap;
+}
+
+/**
+ * Plans structure:
+ * - plans/
+ * - plans/{PlanName}/ — test plan directory
+ * - plans/{PlanName}/.planitem — plan definition (hidden dot-file)
+ * - plans/{PlanName}/{SuiteName}/ — test suite directory
+ * - plans/{PlanName}/{SuiteName}/.planitem — suite definition
+ * - plans/{PlanName}/{SuiteName}/{Name}.testinstance — references .testcase via testCasePath
+ *
+ * Depth (relative to plans/):
+ * - split('/').length === 2 → plan-level .planitem
+ * - split('/').length >= 3 → suite-level .planitem
+ */
+function buildPlanCoverage(projectPath: string, allTestCasePaths: Set<string>): PlanCoverage {
+  const plansDir = path.join(projectPath, 'plans');
+  const noCoverage: PlanCoverage = {
+    test_plan_count: 0,
+    test_suite_count: 0,
+    test_instance_count: 0,
+    covered_test_case_paths: [],
+    uncovered_test_case_paths: [...allTestCasePaths].sort(),
+    coverage_percent: 0,
+  };
+
+  if (!fs.existsSync(plansDir)) return noCoverage;
+
+  // Build UUID fallback map: registryId/id/guid → project-relative path
+  const testCaseIdMap = buildProjectTestCaseIdMap(projectPath);
+
+  let testPlanCount = 0;
+  let testSuiteCount = 0;
+  let testInstanceCount = 0;
+  const referencedPaths = new Set<string>();
+
+  walkPlansDir(plansDir, (filePath, isDir, name) => {
+    if (isDir) return true;
+
+    const relToPlans = path.relative(plansDir, filePath).replace(/\\/g, '/');
+    const depth = relToPlans.split('/').length;
+
+    if (name === '.planitem') {
+      if (depth === 2) testPlanCount++;
+      else if (depth >= 3) testSuiteCount++;
+      return true;
+    }
+
+    if (name.endsWith('.testinstance')) {
+      testInstanceCount++;
+      try {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        // Primary: path-based match
+        const pathMatch = content.match(/testCasePath=["']([^"']+)["']/);
+        if (pathMatch?.[1]) referencedPaths.add(pathMatch[1].replace(/\\/g, '/'));
+        // Fallback: UUID match via testCaseId → testcase registryId/id/guid
+        const idMatch = content.match(/testCaseId=["']([^"']+)["']/);
+        if (idMatch?.[1]) {
+          const resolvedPath = testCaseIdMap.get(idMatch[1]);
+          if (resolvedPath) referencedPaths.add(resolvedPath);
+        }
+      } catch { /* skip */ }
+      return true;
+    }
+
+    return true;
+  });
+
+  const coveredPaths: string[] = [];
+  const uncoveredPaths: string[] = [];
+  for (const tc of [...allTestCasePaths].sort()) {
+    (referencedPaths.has(tc) ? coveredPaths : uncoveredPaths).push(tc);
+  }
+
+  return {
+    test_plan_count: testPlanCount,
+    test_suite_count: testSuiteCount,
+    test_instance_count: testInstanceCount,
+    covered_test_case_paths: coveredPaths,
+    uncovered_test_case_paths: uncoveredPaths,
+    coverage_percent:
+      allTestCasePaths.size > 0 ? Math.round((coveredPaths.length / allTestCasePaths.size) * 100) : 0,
+  };
+}
+
+// ─── provar home detection ────────────────────────────────────────────────────
+
+function detectProvarHome(
+  projectPath: string,
+  provardxFiles: string[],
+  antFiles: string[]
+): { provarHome: string | null; provarHomeSource: string | null } {
+  // 1. Environment variable (set by CI or local Provar installer)
+  const envHome = process.env['PROVAR_HOME'];
+  if (envHome) return { provarHome: envHome, provarHomeSource: 'PROVAR_HOME environment variable' };
+
+  // 2. provardx-properties.json — provarHome field
+  for (const rel of provardxFiles) {
+    try {
+      const props = JSON.parse(fs.readFileSync(path.join(projectPath, rel), 'utf-8')) as Record<string, unknown>;
+      if (typeof props['provarHome'] === 'string') {
+        return { provarHome: props['provarHome'], provarHomeSource: `provardx-properties.json (${rel})` };
+      }
+    } catch { /* skip */ }
+  }
+
+  // 3. ANT build.xml — <property name="provarHome" value="..." />
+  for (const rel of antFiles) {
+    if (!rel.endsWith('.xml')) continue;
+    try {
+      const content = fs.readFileSync(path.join(projectPath, rel), 'utf-8');
+      const match =
+        content.match(/name=["']provarHome["'][^/]*value=["']([^"']+)["']/i) ??
+        content.match(/value=["']([^"']+)["'][^/]*name=["']provarHome["']/i);
+      if (match?.[1]) return { provarHome: match[1], provarHomeSource: `ANT build file (${rel})` };
+    } catch { /* skip */ }
+  }
+
+  return { provarHome: null, provarHomeSource: null };
+}
+
+// ─── test suite folder structure ──────────────────────────────────────────────
+
+function getTopLevelTestSuites(projectPath: string): string[] {
+  const suites: string[] = [];
+  for (const candidate of ['tests', 'Tests']) {
+    const testsDir = path.join(projectPath, candidate);
+    if (!fs.existsSync(testsDir)) continue;
+    try {
+      const entries = fs.readdirSync(testsDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.isDirectory() && !entry.name.startsWith('.')) suites.push(`${candidate}/${entry.name}`);
+      }
+    } catch { /* skip */ }
+    break;
+  }
+  return suites;
+}
+
+// ─── helpers ─────────────────────────────────────────────────────────────────
+
+function isSourceFile(name: string): boolean {
+  return name.endsWith('.java') || name.endsWith('.groovy') || name.endsWith('.jar');
+}
+
+function isDataFile(name: string): boolean {
+  return name.endsWith('.xlsx') || name.endsWith('.xls') || name.endsWith('.csv') || name.endsWith('.json');
+}
+
+function countFilesRecursive(dir: string, filter: (name: string) => boolean): number {
+  let count = 0;
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.name.startsWith('.')) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        count += countFilesRecursive(full, filter);
+      } else if (filter(entry.name)) {
+        count++;
+      }
+    }
+  } catch { /* skip */ }
+  return count;
+}
+
+/**
+ * General project walker — skips dot-files and node_modules.
+ * Return false from visitor to skip recursion into a directory.
+ */
+function walkDir(
+  dir: string,
+  visitor: (filePath: string, isDir: boolean, name: string) => boolean,
+  depth = 0
+): void {
+  if (depth > 10) return;
+  let entries: fs.Dirent[];
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (entry.name.startsWith('.') || entry.name === 'node_modules') continue;
+    const fullPath = path.join(dir, entry.name);
+    const recurse = visitor(fullPath, entry.isDirectory(), entry.name);
+    if (entry.isDirectory() && recurse) walkDir(fullPath, visitor, depth + 1);
+  }
+}
+
+/**
+ * Plans-directory walker — does NOT skip dot-files (.planitem starts with '.').
+ */
+function walkPlansDir(
+  dir: string,
+  visitor: (filePath: string, isDir: boolean, name: string) => boolean,
+  depth = 0
+): void {
+  if (depth > 8) return;
+  let entries: fs.Dirent[];
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (entry.name === 'node_modules') continue;
+    const fullPath = path.join(dir, entry.name);
+    const recurse = visitor(fullPath, entry.isDirectory(), entry.name);
+    if (entry.isDirectory() && recurse) walkPlansDir(fullPath, visitor, depth + 1);
+  }
+}
diff --git a/src/mcp/tools/projectValidateFromPath.ts b/src/mcp/tools/projectValidateFromPath.ts
new file mode 100644
index 00000000..5151f3cf
--- /dev/null
+++ b/src/mcp/tools/projectValidateFromPath.ts
@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+import { validateProjectFromPath, ProjectValidationError } from '../../services/projectValidation.js';
+import type { ProjectValidationResult, ValidatedPlan } from '../../services/projectValidation.js';
+
+// ── Response shaping ──────────────────────────────────────────────────────────
+
+interface PlanSummary {
+  name: string;
+  quality_score: number;
+  suite_count: number;
+  test_case_count: number;
+  violation_count: number;
+}
+
+interface ViolationSummary {
+  rule_id: string;
+  count: number;
+  sample_message: string;
+}
+
+function buildPlanSummary(plan: ValidatedPlan): PlanSummary {
+  const test_case_count = plan.suites.reduce((n, s) => n + s.test_cases.length, 0)
+    + plan.unplanned_test_cases.length;
+  return {
+    name: plan.name,
+    quality_score: plan.quality_score,
+    suite_count: plan.suites.length,
+    test_case_count,
+    violation_count: plan.violations.length,
+  };
+}
+
+function groupViolations(violations: ValidatedPlan['violations']): ViolationSummary[] {
+  const byRule = new Map<string, ViolationSummary>();
+  for (const v of violations) {
+    const existing = byRule.get(v.rule_id);
+    if (existing) {
+      existing.count += 1;
+    } else {
+      byRule.set(v.rule_id, { rule_id: v.rule_id, count: 1, sample_message: v.message });
+    }
+  }
+  return [...byRule.values()].sort((a, b) => b.count - a.count);
+}
+
+function shapeResponse(
+  result: ProjectValidationResult,
+  includePlanDetails: boolean,
+  maxUncovered: number,
+  maxViolations: number
+): Record<string, unknown> {
+  const { uncovered_test_cases, ...coverageRest } = result.coverage;
+  const uncovered_shown = uncovered_test_cases.slice(0, maxUncovered);
+  const uncovered_truncated = uncovered_test_cases.length > maxUncovered;
+
+  const coverage = {
+    ...coverageRest,
+    uncovered_test_cases: uncovered_shown,
+    ...(uncovered_truncated
+      ? { uncovered_truncated: true, uncovered_total: uncovered_test_cases.length }
+      : {}),
+  };
+
+  if (includePlanDetails) {
+    const projViolationsShown = result.project_violations.slice(0, maxViolations);
+    const projViolationsTruncated = result.project_violations.length > maxViolations;
+    return {
+      ...result,
+      coverage,
+      project_violations: projViolationsShown,
+      ...(projViolationsTruncated ? { project_violations_total: result.project_violations.length } : {}),
+    };
+  }
+
+  // Slim default: grouped rule counts only, no per-violation detail
+  return {
+    project_path: result.project_path,
+    project_name: result.project_name,
+    quality_score: result.quality_score,
+    quality_tier: result.quality_tier,
+    quality_grade: result.quality_grade,
+    summary: result.summary,
+    project_violations_by_rule: groupViolations(result.project_violations),
+    project_violations_total: result.project_violations.length,
+    plans_summary: result.plans.map(buildPlanSummary),
+    coverage,
+    saved_to: result.saved_to,
+    ...(result.save_error ? { save_error: result.save_error } : {}),
+    hint: 'Set include_plan_details:true to get per-suite/test-case violations. project_violations and plan violations are grouped by rule_id in this view.',
+  };
+}
+
+// ── Tool registration ─────────────────────────────────────────────────────────
+
+export function registerProjectValidateFromPath(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.project.validate',
+    [
+      'Validate a Provar project directly from its directory on disk.',
+      'Reads the plan/suite/testinstance hierarchy from the plans/ directory,',
+      'resolves test case XML from the tests/ directory, extracts project context',
+      '(connections, environments, secrets) from the .testproject file, then runs',
+      'the full validation rule set.',
+      'Returns a compact quality score, violation summary, and per-plan/suite scores.',
+      'By default returns a slim summary response to avoid token explosion.',
+      'Pass include_plan_details:true to get full per-suite and per-test-case data.',
+      'By default saves a QH-compatible JSON report to',
+      '{project_path}/provardx/validation/ (created if absent).',
+      'IMPORTANT: Use this tool for whole-project validation —',
+      'DO NOT read individual test case files and pass XML content inline.',
+      'Pass a project_path and let this tool handle all file reading.',
+    ].join(' '),
+    {
+      project_path: z.string().describe('Absolute path to the Provar project root (the directory containing the .testproject file)'),
+      quality_threshold: z.number().min(0).max(100).optional().default(80).describe('Minimum quality score for a test case to be considered valid (default: 80)'),
+      save_results: z.boolean().optional().default(true).describe('Write a QH-compatible JSON report to provardx/validation/ (default: true)'),
+      results_dir: z.string().optional().describe('Override the output directory for the saved report (default: {project_path}/provardx/validation)'),
+      include_plan_details: z
+        .boolean()
+        .optional()
+        .default(false)
+        .describe(
+          'When true, include full per-suite and per-test-case violation data in the response. ' +
+          'Default false to keep response small. Use only when you need to inspect specific test case failures.'
+        ),
+      max_uncovered: z
+        .number()
+        .int()
+        .min(0)
+        .optional()
+        .default(20)
+        .describe('Maximum number of uncovered test case paths to include in the response (default: 20). Set to 0 for none, or a large number for all.'),
+      max_violations: z
+        .number()
+        .int()
+        .min(0)
+        .optional()
+        .default(50)
+        .describe('When include_plan_details:true, caps project_violations returned (default: 50). Ignored in slim mode where violations are grouped by rule_id instead.'),
+    },
+    ({ project_path, quality_threshold, save_results, results_dir, include_plan_details, max_uncovered, max_violations }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.project.validate', { requestId, project_path, include_plan_details });
+
+      try {
+        assertPathAllowed(project_path, config.allowedPaths);
+        if (results_dir) assertPathAllowed(results_dir, config.allowedPaths);
+
+        const result = validateProjectFromPath({
+          project_path,
+          quality_threshold,
+          save_results,
+          results_dir,
+        });
+
+        if (result.save_error) {
+          log('warn', 'provar.project.validate: could not save results', { requestId, error: result.save_error });
+        }
+
+        const shaped = shapeResponse(result, include_plan_details, max_uncovered, max_violations);
+        const response = { requestId, ...shaped };
+
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        const code = error instanceof PathPolicyError
+          ? error.code
+          : error instanceof ProjectValidationError
+            ? error.code
+            : (error.code ?? 'VALIDATE_ERROR');
+        const isUserError = error instanceof PathPolicyError || error instanceof ProjectValidationError;
+        const errResult = makeError(code, error.message, requestId, !isUserError);
+        log('error', 'provar.project.validate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
diff --git a/src/mcp/tools/propertiesTools.ts b/src/mcp/tools/propertiesTools.ts
new file mode 100644
index 00000000..2e4b8baa
--- /dev/null
+++ b/src/mcp/tools/propertiesTools.ts
@@ -0,0 +1,374 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path from 'node:path';
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { propertyFileContent } from '@provartesting/provardx-plugins-utils';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+
+// ── Validation helpers ────────────────────────────────────────────────────────
+
+interface ValidationError {
+  field: string;
+  message: string;
+  severity: 'error' | 'warning';
+}
+
+const TOP_REQUIRED = ['provarHome', 'projectPath', 'resultsPath', 'metadata', 'environment'] as const;
+const METADATA_REQUIRED = ['metadataLevel', 'cachePath'] as const;
+const ENV_REQUIRED = ['webBrowser', 'webBrowserConfig', 'webBrowserProviderName', 'webBrowserDeviceName'] as const;
+
+const VALID_RESULTS_DISPOSITION = ['Increment', 'Replace', 'Fail'];
+const VALID_OUTPUT_LEVELS = ['BASIC', 'DETAILED', 'DIAGNOSTIC'];
+const VALID_PLUGIN_LEVELS = ['SEVERE', 'WARNING', 'INFO', 'FINE', 'FINER', 'FINEST'];
+const VALID_BROWSERS = ['Chrome', 'Safari', 'Edge', 'Edge_Legacy', 'Firefox', 'IE', 'Chrome_Headless'];
+const VALID_METADATA_LEVELS = ['Reuse', 'Reload', 'Refresh'];
+
+// eslint-disable-next-line complexity
+function validateProperties(props: Record<string, unknown>): ValidationError[] {
+  const errors: ValidationError[] = [];
+
+  // Required top-level fields
+  for (const field of TOP_REQUIRED) {
+    const val = props[field];
+    if (val === undefined || val === null) {
+      errors.push({ field, message: `Required field "${field}" is missing`, severity: 'error' });
+    } else if (typeof val === 'string' && val.trim() === '') {
+      errors.push({ field, message: `Required field "${field}" must not be empty`, severity: 'error' });
+    }
+  }
+
+  // metadata object
+  const meta = props['metadata'] as Record<string, unknown> | undefined;
+  if (meta && typeof meta === 'object') {
+    for (const f of METADATA_REQUIRED) {
+      if (!meta[f]) errors.push({ field: `metadata.${f}`, message: `Required field "metadata.${f}" is missing`, severity: 'error' });
+    }
+    if (meta['metadataLevel'] && !VALID_METADATA_LEVELS.includes(meta['metadataLevel'] as string)) {
+      errors.push({ field: 'metadata.metadataLevel', message: `metadata.metadataLevel must be one of: ${VALID_METADATA_LEVELS.join(', ')}`, severity: 'error' });
+    }
+  }
+
+  // environment object
+  const env = props['environment'] as Record<string, unknown> | undefined;
+  if (env && typeof env === 'object') {
+    for (const f of ENV_REQUIRED) {
+      if (!env[f]) errors.push({ field: `environment.${f}`, message: `Required field "environment.${f}" is missing`, severity: 'error' });
+    }
+    if (env['webBrowser'] && !VALID_BROWSERS.includes(env['webBrowser'] as string)) {
+      errors.push({ field: 'environment.webBrowser', message: `webBrowser must be one of: ${VALID_BROWSERS.join(', ')}`, severity: 'error' });
+    }
+  }
+
+  // Optional enum fields
+  if (props['resultsPathDisposition'] && !VALID_RESULTS_DISPOSITION.includes(props['resultsPathDisposition'] as string)) {
+    errors.push({ field: 'resultsPathDisposition', message: `Must be one of: ${VALID_RESULTS_DISPOSITION.join(', ')}`, severity: 'error' });
+  }
+  if (props['testOutputLevel'] && !VALID_OUTPUT_LEVELS.includes(props['testOutputLevel'] as string)) {
+    errors.push({ field: 'testOutputLevel', message: `Must be one of: ${VALID_OUTPUT_LEVELS.join(', ')}`, severity: 'error' });
+  }
+  if (props['pluginOutputlevel'] && !VALID_PLUGIN_LEVELS.includes(props['pluginOutputlevel'] as string)) {
+    errors.push({ field: 'pluginOutputlevel', message: `Must be one of: ${VALID_PLUGIN_LEVELS.join(', ')}`, severity: 'error' });
+  }
+
+  // Warn about placeholder values still in file
+  const placeholders = ['${PROVAR_HOME}', '${PROVAR_PROJECT_PATH}', '${PROVAR_RESULTS_PATH}', '${PROVAR_TEST_ENVIRONMENT}', '${PROVAR_TEST_PROJECT_SECRETS}'];
+  for (const [key, value] of Object.entries(props)) {
+    if (typeof value === 'string' && placeholders.includes(value)) {
+      errors.push({ field: key, message: `Field "${key}" still contains placeholder value "${value}" — replace with actual path or use an environment variable`, severity: 'warning' });
+    }
+  }
+
+  return errors;
+}
+
+/** Deep merge: source values overwrite target values recursively for objects. */
+function deepMerge(target: Record<string, unknown>, source: Record<string, unknown>): Record<string, unknown> {
+  const result = { ...target };
+  for (const [key, val] of Object.entries(source)) {
+    if (val !== null && typeof val === 'object' && !Array.isArray(val) &&
+        result[key] !== null && typeof result[key] === 'object' && !Array.isArray(result[key])) {
+      result[key] = deepMerge(result[key] as Record<string, unknown>, val as Record<string, unknown>);
+    } else {
+      result[key] = val;
+    }
+  }
+  return result;
+}
+
+// ── provar.properties.generate ────────────────────────────────────────────────
+
+export function registerPropertiesGenerate(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.properties.generate',
+    [
+      'Generate a provardx-properties.json file from the standard template.',
+      'Optionally pre-fills projectPath and provarHome if provided.',
+      'The generated file uses ${PLACEHOLDER} values that must be replaced before running tests.',
+      'Use provar.properties.set afterwards to update specific fields.',
+    ].join(' '),
+    {
+      output_path: z.string().describe('Where to write the file (e.g. /path/to/project/provardx-properties.json)'),
+      project_path: z.string().optional().describe('Pre-fill the projectPath field with this value'),
+      provar_home: z.string().optional().describe('Pre-fill the provarHome field with this value'),
+      results_path: z.string().optional().describe('Pre-fill the resultsPath field with this value'),
+      overwrite: z.boolean().optional().default(false).describe('Overwrite the file if it already exists (default: false)'),
+      dry_run: z.boolean().optional().default(false).describe('Return the content without writing (default: false)'),
+    },
+    ({ output_path, project_path, provar_home, results_path, overwrite, dry_run }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.properties.generate', { requestId, output_path });
+
+      try {
+        assertPathAllowed(output_path, config.allowedPaths);
+        const resolved = path.resolve(output_path);
+
+        if (!overwrite && fs.existsSync(resolved)) {
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError('FILE_EXISTS', `File already exists: ${resolved}. Set overwrite: true to replace it.`, requestId)) }] };
+        }
+
+        if (!resolved.endsWith('.json')) {
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError('INVALID_PATH', 'output_path must end with .json', requestId)) }] };
+        }
+
+        // Start from the template and apply any provided overrides
+        const content: Record<string, unknown> = { ...propertyFileContent as unknown as Record<string, unknown> };
+        if (project_path) content['projectPath'] = project_path;
+        if (provar_home) content['provarHome'] = provar_home;
+        if (results_path) content['resultsPath'] = results_path;
+
+        const json = JSON.stringify(content, null, 2);
+
+        if (!dry_run) {
+          fs.mkdirSync(path.dirname(resolved), { recursive: true });
+          fs.writeFileSync(resolved, json, 'utf-8');
+        }
+
+        const nextSteps = dry_run
+          ? 'Review the content, write to disk, then run provar.automation.config.load to register this file before compiling or running tests.'
+          : `Run provar.automation.config.load with properties_path "${resolved}" to register this configuration. Required before provar.automation.compile or provar.automation.testrun will work.`;
+
+        const response = { requestId, file_path: resolved, written: !dry_run, dry_run: dry_run ?? false, content, next_steps: nextSteps };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError(error instanceof PathPolicyError ? error.code : (error.code ?? 'GENERATE_ERROR'), error.message, requestId)) }] };
+      }
+    }
+  );
+}
+
+// ── provar.properties.read ────────────────────────────────────────────────────
+
+export function registerPropertiesRead(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.properties.read',
+    'Read and parse a provardx-properties.json file. Returns the parsed content so you can inspect current settings before making changes with provar.properties.set.',
+    {
+      file_path: z.string().describe('Path to the provardx-properties.json file'),
+    },
+    ({ file_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.properties.read', { requestId, file_path });
+
+      try {
+        assertPathAllowed(file_path, config.allowedPaths);
+        const resolved = path.resolve(file_path);
+
+        if (!fs.existsSync(resolved)) {
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError('FILE_NOT_FOUND', `File not found: ${resolved}`, requestId)) }] };
+        }
+
+        const raw = fs.readFileSync(resolved, 'utf-8');
+        let parsed: Record<string, unknown>;
+        try {
+          parsed = JSON.parse(raw) as Record<string, unknown>;
+        } catch {
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError('MALFORMED_JSON', 'File is not valid JSON', requestId)) }] };
+        }
+
+        const response = { requestId, file_path: resolved, content: parsed };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError(error instanceof PathPolicyError ? error.code : (error.code ?? 'READ_ERROR'), error.message, requestId)) }] };
+      }
+    }
+  );
+}
+
+// ── provar.properties.set ─────────────────────────────────────────────────────
+
+const updatesSchema = z.object({
+  provarHome: z.string().optional().describe('Path to Provar installation directory'),
+  projectPath: z.string().optional().describe('Path to the Provar test project root'),
+  resultsPath: z.string().optional().describe('Path where test results will be written'),
+  resultsPathDisposition: z.enum(['Increment', 'Replace', 'Fail']).optional().describe('What to do if results path already exists'),
+  testOutputLevel: z.enum(['BASIC', 'DETAILED', 'DIAGNOSTIC']).optional().describe('Amount of test output logged'),
+  pluginOutputlevel: z.enum(['SEVERE', 'WARNING', 'INFO', 'FINE', 'FINER', 'FINEST']).optional().describe('Amount of plugin output logged'),
+  stopOnError: z.boolean().optional().describe('Abort test run on first failure'),
+  excludeCallable: z.boolean().optional().describe('Omit callable test cases from execution'),
+  testprojectSecrets: z.string().optional().describe('Test project secrets encryption password'),
+  environment: z.object({
+    testEnvironment: z.string().optional().describe('Name of the test environment to run against'),
+    webBrowser: z.enum(['Chrome', 'Safari', 'Edge', 'Edge_Legacy', 'Firefox', 'IE', 'Chrome_Headless']).optional(),
+    webBrowserConfig: z.string().optional(),
+    webBrowserProviderName: z.string().optional(),
+    webBrowserDeviceName: z.string().optional(),
+  }).optional().describe('Test execution environment settings'),
+  metadata: z.object({
+    metadataLevel: z.enum(['Reuse', 'Reload', 'Refresh']).optional().describe('Salesforce metadata cache strategy'),
+    cachePath: z.string().optional().describe('Path for the metadata cache'),
+  }).optional().describe('Salesforce metadata settings'),
+  testCase: z.array(z.string()).optional().describe('Specific test case file paths to run (relative to projectPath/tests/). NOTE: <dataTable> data-driven iteration does NOT work in this mode — data table variables resolve as null. To run data-driven tests, add the test case to a plan with provar.testplan.add-instance and run via testPlan instead.'),
+  testPlan: z.array(z.string()).optional().describe('Test plan names to run (wildcards permitted)'),
+  connectionOverride: z.array(z.object({
+    connection: z.string().describe('Provar connection name'),
+    username: z.string().describe('SFDX username or alias to substitute'),
+  })).optional().describe('Override Provar connections with SFDX usernames'),
+}).describe('Fields to update in the properties file — only provided fields are changed');
+
+export function registerPropertiesSet(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.properties.set',
+    [
+      'Update one or more fields in a provardx-properties.json file.',
+      'Only the provided fields are changed — all other fields are preserved.',
+      'Object fields (environment, metadata) are deep-merged.',
+      'Array fields (testCase, testPlan, connectionOverride) replace the existing value entirely.',
+      'Use provar.properties.read first to inspect the current state.',
+    ].join(' '),
+    {
+      file_path: z.string().describe('Path to the provardx-properties.json file to update'),
+      updates: updatesSchema,
+    },
+    ({ file_path, updates }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.properties.set', { requestId, file_path });
+
+      try {
+        assertPathAllowed(file_path, config.allowedPaths);
+        const resolved = path.resolve(file_path);
+
+        if (!fs.existsSync(resolved)) {
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError('FILE_NOT_FOUND', `File not found: ${resolved}. Use provar.properties.generate to create it first.`, requestId)) }] };
+        }
+
+        let current: Record<string, unknown>;
+        try {
+          current = JSON.parse(fs.readFileSync(resolved, 'utf-8')) as Record<string, unknown>;
+        } catch {
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError('MALFORMED_JSON', 'Existing file is not valid JSON', requestId)) }] };
+        }
+
+        const updatesRecord = updates as Record<string, unknown>;
+        const merged = deepMerge(current, updatesRecord);
+        const updatedFields = Object.keys(updatesRecord);
+
+        fs.writeFileSync(resolved, JSON.stringify(merged, null, 2), 'utf-8');
+
+        const response = { requestId, file_path: resolved, updated_fields: updatedFields, content: merged };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError(error instanceof PathPolicyError ? error.code : (error.code ?? 'SET_ERROR'), error.message, requestId)) }] };
+      }
+    }
+  );
+}
+
+// ── provar.properties.validate ────────────────────────────────────────────────
+
+export function registerPropertiesValidate(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.properties.validate',
+    [
+      'Validate a provardx-properties.json file against the ProvarDX schema.',
+      'Checks required fields, valid enum values, and warns about unfilled placeholder values.',
+      'Accepts either a file path or inline JSON content.',
+    ].join(' '),
+    {
+      file_path: z.string().optional().describe('Path to the provardx-properties.json file to validate'),
+      content: z.string().optional().describe('Inline JSON string to validate (alternative to file_path)'),
+    },
+    ({ file_path, content }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.properties.validate', { requestId, file_path });
+
+      if (!file_path && !content) {
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError('MISSING_INPUT', 'Provide either file_path or content', requestId)) }] };
+      }
+
+      try {
+        let rawJson: string;
+
+        if (file_path) {
+          assertPathAllowed(file_path, config.allowedPaths);
+          const resolved = path.resolve(file_path);
+          if (!fs.existsSync(resolved)) {
+            return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError('FILE_NOT_FOUND', `File not found: ${resolved}`, requestId)) }] };
+          }
+          rawJson = fs.readFileSync(resolved, 'utf-8');
+        } else {
+          rawJson = content!;
+        }
+
+        let parsed: Record<string, unknown>;
+        try {
+          parsed = JSON.parse(rawJson) as Record<string, unknown>;
+        } catch {
+          const response = { requestId, is_valid: false, error_count: 1, warning_count: 0, errors: [{ field: '(root)', message: 'File is not valid JSON', severity: 'error' }], warnings: [] };
+          return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+        }
+
+        const allIssues = validateProperties(parsed);
+        const errors = allIssues.filter((e) => e.severity === 'error');
+        const warnings = allIssues.filter((e) => e.severity === 'warning');
+
+        const response = {
+          requestId,
+          is_valid: errors.length === 0,
+          error_count: errors.length,
+          warning_count: warnings.length,
+          errors,
+          warnings,
+        };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(makeError(error instanceof PathPolicyError ? error.code : (error.code ?? 'VALIDATE_ERROR'), error.message, requestId)) }] };
+      }
+    }
+  );
+}
+
+// ── Convenience re-export ─────────────────────────────────────────────────────
+
+export function registerAllPropertiesTools(server: McpServer, config: ServerConfig): void {
+  registerPropertiesGenerate(server, config);
+  registerPropertiesRead(server, config);
+  registerPropertiesSet(server, config);
+  registerPropertiesValidate(server, config);
+}
diff --git a/src/mcp/tools/qualityHubTools.ts b/src/mcp/tools/qualityHubTools.ts
new file mode 100644
index 00000000..223dc7d0
--- /dev/null
+++ b/src/mcp/tools/qualityHubTools.ts
@@ -0,0 +1,248 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+import { runSfCommand } from './sfSpawn.js';
+
+
+function handleSpawnError(err: unknown, requestId: string, toolName: string): { isError: true; content: Array<{ type: 'text'; text: string }> } {
+  const error = err as Error & { code?: string };
+  log('error', `${toolName} failed`, { requestId, error: error.message });
+  return {
+    isError: true as const,
+    content: [{ type: 'text' as const, text: JSON.stringify(makeError(error.code ?? 'SF_ERROR', error.message, requestId, false)) }],
+  };
+}
+
+// ── Tool: provar.qualityhub.connect ───────────────────────────────────────────
+
+export function registerQualityHubConnect(server: McpServer): void {
+  server.tool(
+    'provar.qualityhub.connect',
+    'Connect to a Provar Quality Hub org. Invokes `sf provar quality-hub connect` with the supplied flags.',
+    {
+      target_org: z.string().describe('SF org alias or username to connect as'),
+      flags: z.array(z.string()).optional().default([]).describe('Additional raw CLI flags to forward (e.g. ["--json"])'),
+    },
+    ({ target_org, flags }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.qualityhub.connect', { requestId, target_org });
+
+      try {
+        const result = runSfCommand(['provar', 'quality-hub', 'connect', '--target-org', target_org, ...flags]);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('QH_CONNECT_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.qualityhub.connect');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.qualityhub.display ──────────────────────────────────────────
+
+export function registerQualityHubDisplay(server: McpServer): void {
+  server.tool(
+    'provar.qualityhub.display',
+    'Display connected Quality Hub org info. Invokes `sf provar quality-hub display`.',
+    {
+      target_org: z.string().optional().describe('SF org alias or username (uses default if omitted)'),
+      flags: z.array(z.string()).optional().default([]).describe('Additional raw CLI flags to forward'),
+    },
+    ({ target_org, flags }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.qualityhub.display', { requestId, target_org });
+
+      try {
+        const args = ['provar', 'quality-hub', 'display', ...flags];
+        if (target_org) args.splice(3, 0, '--target-org', target_org);
+
+        const result = runSfCommand(args);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('QH_DISPLAY_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.qualityhub.display');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.qualityhub.testrun ──────────────────────────────────────────
+
+export function registerQualityHubTestRun(server: McpServer): void {
+  server.tool(
+    'provar.qualityhub.testrun',
+    'Trigger a Quality Hub test run. Invokes `sf provar quality-hub test run`.',
+    {
+      target_org: z.string().describe('SF org alias or username'),
+      flags: z.array(z.string()).optional().default([]).describe('Additional raw CLI flags (e.g. ["--plan-name", "SmokeTests"])'),
+    },
+    ({ target_org, flags }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.qualityhub.testrun', { requestId, target_org });
+
+      try {
+        const result = runSfCommand(['provar', 'quality-hub', 'test', 'run', '--target-org', target_org, ...flags]);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('QH_TESTRUN_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.qualityhub.testrun');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.qualityhub.testrun.report ────────────────────────────────────
+
+export function registerQualityHubTestRunReport(server: McpServer): void {
+  server.tool(
+    'provar.qualityhub.testrun.report',
+    'Poll the status of a Quality Hub test run. Invokes `sf provar quality-hub test run report`.',
+    {
+      target_org: z.string().describe('SF org alias or username'),
+      run_id: z.string().describe('Test run ID returned by provar.qualityhub.testrun'),
+      flags: z.array(z.string()).optional().default([]).describe('Additional raw CLI flags'),
+    },
+    ({ target_org, run_id, flags }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.qualityhub.testrun.report', { requestId, target_org, run_id });
+
+      try {
+        const result = runSfCommand([
+          'provar', 'quality-hub', 'test', 'run', 'report',
+          '--target-org', target_org,
+          '--run-id', run_id,
+          ...flags,
+        ]);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('QH_REPORT_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        const failureStatuses = new Set(['FAIL', 'FAILED']);
+        let hasFailures = false;
+        try {
+          const parsed = JSON.parse(result.stdout) as { result?: { status?: string } };
+          const normalizedStatus = parsed.result?.status?.trim().toUpperCase();
+          hasFailures = normalizedStatus !== undefined && failureStatuses.has(normalizedStatus);
+        } catch {
+          const statusMatch = result.stdout.match(/"status"\s*:\s*"([^"]+)"/i);
+          const normalizedStatus = statusMatch?.[1]?.trim().toUpperCase();
+          hasFailures = normalizedStatus !== undefined && failureStatuses.has(normalizedStatus);
+        }
+        const suggestion = hasFailures
+          ? 'Failures detected. Use provar.qualityhub.defect.create with run_id and target_org to automatically create Defect__c records for each failure (syncs to Jira/ADO if configured).'
+          : '';
+        const responseWithSuggestion = { ...response, suggestion: suggestion || undefined };
+
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(responseWithSuggestion) }],
+          structuredContent: responseWithSuggestion,
+        };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.qualityhub.testrun.report');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.qualityhub.testrun.abort ─────────────────────────────────────
+
+export function registerQualityHubTestRunAbort(server: McpServer): void {
+  server.tool(
+    'provar.qualityhub.testrun.abort',
+    'Abort an in-progress Quality Hub test run. Invokes `sf provar quality-hub test run abort`.',
+    {
+      target_org: z.string().describe('SF org alias or username'),
+      run_id: z.string().describe('Test run ID to abort'),
+      flags: z.array(z.string()).optional().default([]).describe('Additional raw CLI flags'),
+    },
+    ({ target_org, run_id, flags }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.qualityhub.testrun.abort', { requestId, target_org, run_id });
+
+      try {
+        const result = runSfCommand([
+          'provar', 'quality-hub', 'test', 'run', 'abort',
+          '--target-org', target_org,
+          '--run-id', run_id,
+          ...flags,
+        ]);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('QH_ABORT_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.qualityhub.testrun.abort');
+      }
+    }
+  );
+}
+
+// ── Tool: provar.qualityhub.testcase.retrieve ─────────────────────────────────
+
+export function registerQualityHubTestcaseRetrieve(server: McpServer): void {
+  server.tool(
+    'provar.qualityhub.testcase.retrieve',
+    'Retrieve Quality Hub test cases by user story or component. Invokes `sf provar quality-hub testcase retrieve`.',
+    {
+      target_org: z.string().describe('SF org alias or username'),
+      flags: z.array(z.string()).optional().default([]).describe('Additional raw CLI flags (e.g. ["--user-story", "US-123"])'),
+    },
+    ({ target_org, flags }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.qualityhub.testcase.retrieve', { requestId, target_org });
+
+      try {
+        const result = runSfCommand(['provar', 'quality-hub', 'testcase', 'retrieve', '--target-org', target_org, ...flags]);
+        const response = { requestId, exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+
+        if (result.exitCode !== 0) {
+          return { isError: true as const, content: [{ type: 'text' as const, text: JSON.stringify(makeError('QH_RETRIEVE_FAILED', result.stderr || result.stdout, requestId)) }] };
+        }
+
+        return { content: [{ type: 'text' as const, text: JSON.stringify(response) }], structuredContent: response };
+      } catch (err) {
+        return handleSpawnError(err, requestId, 'provar.qualityhub.testcase.retrieve');
+      }
+    }
+  );
+}
+
+// ── Bulk registration ─────────────────────────────────────────────────────────
+
+export function registerAllQualityHubTools(server: McpServer): void {
+  registerQualityHubConnect(server);
+  registerQualityHubDisplay(server);
+  registerQualityHubTestRun(server);
+  registerQualityHubTestRunReport(server);
+  registerQualityHubTestRunAbort(server);
+  registerQualityHubTestcaseRetrieve(server);
+}
diff --git a/src/mcp/tools/rcaTools.ts b/src/mcp/tools/rcaTools.ts
new file mode 100644
index 00000000..bdd6f4ef
--- /dev/null
+++ b/src/mcp/tools/rcaTools.ts
@@ -0,0 +1,732 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { z } from 'zod';
+import { XMLParser } from 'fast-xml-parser';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+
+// ── Types ─────────────────────────────────────────────────────────────────────
+
+interface LocateResult {
+  requestId: string;
+  results_dir: string;
+  junit_xml: string | null;
+  index_html: string | null;
+  per_test_reports: Array<{ test_name: string; html_path: string }>;
+  validation_reports: string[];
+  run_index: number | null;
+  disposition: string;
+  resolution_source: string;
+}
+
+interface FailureReport {
+  test_case: string;
+  error_class: string | null;
+  error_message: string;
+  root_cause_category: string;
+  root_cause_summary: string;
+  recommendation: string;
+  page_object: string | null;
+  operation: string | null;
+  report_html: string | null;
+  screenshot_dir: string | null;
+  pre_existing: boolean;
+}
+
+// ── Root cause classification ─────────────────────────────────────────────────
+
+interface RcaRule {
+  category: string;
+  pattern: RegExp;
+  summary: string;
+  recommendation: string;
+}
+
+const RCA_RULES: RcaRule[] = [
+  {
+    category: 'DRIVER_VERSION_MISMATCH',
+    pattern: /SessionNotCreatedException.*Chrome version|Chrome version must be between/i,
+    summary: 'WebDriver version incompatible with Chrome',
+    recommendation: 'Update ChromeDriver to match installed Chrome, or pin Chrome version in CI',
+  },
+  {
+    category: 'LOCATOR_STALE',
+    pattern: /NoSuchElementException|ElementNotVisibleException|StaleElementReferenceException/i,
+    summary: 'Page object selector no longer matches current UI',
+    recommendation: 'Re-capture the failing element in Provar IDE',
+  },
+  {
+    category: 'TIMEOUT',
+    pattern: /TimeoutException|ElementClickInterceptedException|timed out/i,
+    summary: 'Element or operation did not complete in time',
+    recommendation: 'Increase step timeout or add explicit wait; check org performance',
+  },
+  {
+    category: 'ASSERTION_FAILED',
+    pattern: /AssertionException|UiAssert|AssertionError/i,
+    summary: 'Test assertion failed',
+    recommendation: 'Verify expected value is correct for current org state',
+  },
+  {
+    category: 'CREDENTIAL_FAILURE',
+    pattern: /InvalidPasswordException|AuthenticationException|INVALID_LOGIN/i,
+    summary: 'Salesforce login failed',
+    recommendation: 'Refresh credentials in .secrets or .testproject',
+  },
+  {
+    category: 'MISSING_CALLABLE',
+    pattern: /caseCall.*cannot.*resolv|callable.*not.*found/i,
+    summary: 'caseCall references unresolvable callable',
+    recommendation: 'Use provar.project.validate to diagnose PROJ-CALLABLE violations',
+  },
+  {
+    category: 'METADATA_CACHE',
+    pattern: /Loading index of metadata|CachingException|metadata.*fail/i,
+    summary: 'Metadata loading or caching failed',
+    recommendation: 'Set metadataLevel to Refresh and re-run',
+  },
+  {
+    category: 'PAGE_OBJECT_COMPILE',
+    pattern: /ClassNotFoundException|CompilationException/i,
+    summary: 'Page object class not compiled',
+    recommendation: 'Run provar.automation.compile before testrun',
+  },
+  {
+    category: 'CONNECTION_REFUSED',
+    pattern: /WebDriverException|SessionNotCreatedException|browser.*launch.*fail/i,
+    summary: 'Browser or WebDriver session failed',
+    recommendation: 'Check WebDriver version compatibility',
+  },
+  {
+    category: 'DATA_SETUP',
+    pattern: /SetValues.*fail|ApexCreateObject.*fail/i,
+    summary: 'Data setup precondition failed',
+    recommendation: 'Run data setup callable first',
+  },
+  {
+    category: 'LICENSE_INVALID',
+    pattern: /LicenseException|license.*expired|license.*invalid/i,
+    summary: 'Provar license invalid or expired',
+    recommendation: 'Check license status, contact Provar support',
+  },
+];
+
+const UNKNOWN_RULE: RcaRule = {
+  category: 'UNKNOWN',
+  pattern: /.*/,
+  summary: 'Cause undetermined',
+  recommendation: 'Review full failure message and screenshot',
+};
+
+function classifyFailure(text: string): RcaRule {
+  for (const rule of RCA_RULES) {
+    if (rule.pattern.test(text)) return rule;
+  }
+  return UNKNOWN_RULE;
+}
+
+const INFRA_CATEGORIES = new Set([
+  'CREDENTIAL_FAILURE',
+  'METADATA_CACHE',
+  'PAGE_OBJECT_COMPILE',
+  'CONNECTION_REFUSED',
+  'DRIVER_VERSION_MISMATCH',
+  'LICENSE_INVALID',
+]);
+
+// ── Filesystem helpers ────────────────────────────────────────────────────────
+
+/**
+ * Walk a directory recursively and collect files matching a predicate.
+ */
+function walkFiles(dir: string, predicate: (filePath: string) => boolean): string[] {
+  const results: string[] = [];
+  if (!fs.existsSync(dir)) return results;
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        results.push(...walkFiles(full, predicate));
+      } else if (entry.isFile() && predicate(full)) {
+        results.push(full);
+      }
+    }
+  } catch {
+    // ignore permission errors
+  }
+  return results;
+}
+
+/**
+ * List immediate numeric child directories of a directory.
+ */
+function numericChildDirs(dir: string): number[] {
+  if (!fs.existsSync(dir)) return [];
+  try {
+    return fs
+      .readdirSync(dir, { withFileTypes: true })
+      .filter((e) => e.isDirectory() && /^\d+$/.test(e.name))
+      .map((e) => parseInt(e.name, 10))
+      .filter((n) => n > 0);
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Expand ${env.VAR} placeholders in a string using process.env.
+ */
+function expandEnvVars(value: string): string {
+  return value.replace(/\$\{env\.([^}]+)\}/g, (_, varName: string) => process.env[varName] ?? '');
+}
+
+// ── Resolution algorithm ──────────────────────────────────────────────────────
+
+interface ResolvedLocation {
+  results_dir: string;
+  run_index: number | null;
+  disposition: string;
+  resolution_source: string;
+}
+
+interface ResultsFromProps {
+  resultsBase: string;
+  disposition: string;
+}
+
+function readResultsFromSfConfig(): ResultsFromProps | null {
+  try {
+    const sfConfigPath = path.join(os.homedir(), '.sf', 'config.json');
+    if (!fs.existsSync(sfConfigPath)) return null;
+    const sfConfig = JSON.parse(fs.readFileSync(sfConfigPath, 'utf-8')) as Record<string, unknown>;
+    const propFilePath = sfConfig['PROVARDX_PROPERTIES_FILE_PATH'] as string | undefined;
+    if (!propFilePath || !fs.existsSync(propFilePath)) return null;
+    const props = JSON.parse(fs.readFileSync(propFilePath, 'utf-8')) as Record<string, unknown>;
+    const rp = props['resultsPath'] as string | undefined;
+    if (!rp) return null;
+    return { resultsBase: rp, disposition: (props['resultsPathDisposition'] as string | undefined) ?? 'Replace' };
+  } catch {
+    return null;
+  }
+}
+
+function readResultsFromPropertiesFile(projectPath: string): ResultsFromProps | null {
+  try {
+    const entries = fs.readdirSync(projectPath, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isFile() || !/provardx-properties.*\.json/i.test(entry.name)) continue;
+      try {
+        const props = JSON.parse(fs.readFileSync(path.join(projectPath, entry.name), 'utf-8')) as Record<string, unknown>;
+        const rp = props['resultsPath'] as string | undefined;
+        if (rp) return { resultsBase: rp, disposition: (props['resultsPathDisposition'] as string | undefined) ?? 'Replace' };
+      } catch {
+        // ignore individual file parse errors
+      }
+    }
+  } catch {
+    // ignore readdir errors
+  }
+  return null;
+}
+
+function readResultsFromAntBuildXml(projectPath: string): string | null {
+  try {
+    const buildXmlPath = path.join(projectPath, 'ANT', 'build.xml');
+    if (!fs.existsSync(buildXmlPath)) return null;
+    const xmlContent = fs.readFileSync(buildXmlPath, 'utf-8');
+    const match = /<property\s+name="testproject\.results"\s+value="([^"]+)"/i.exec(xmlContent);
+    return match ? expandEnvVars(match[1]) : null;
+  } catch {
+    return null;
+  }
+}
+
+function resolveResultsLocation(
+  project_path: string,
+  results_path: string | undefined,
+  run_index: number | undefined
+): ResolvedLocation | { error: string; message: string } {
+  let resultsBase: string | null = null;
+  let disposition = 'Replace';
+  let resolution_source = 'explicit';
+
+  if (results_path) {
+    resultsBase = results_path;
+  } else {
+    const fromSf = readResultsFromSfConfig();
+    if (fromSf) {
+      resultsBase = fromSf.resultsBase;
+      disposition = fromSf.disposition;
+      resolution_source = 'sf_config';
+    } else {
+      const fromFile = readResultsFromPropertiesFile(project_path);
+      if (fromFile) {
+        resultsBase = fromFile.resultsBase;
+        disposition = fromFile.disposition;
+        resolution_source = 'properties_file';
+      } else {
+        const fromAnt = readResultsFromAntBuildXml(project_path);
+        if (fromAnt) {
+          resultsBase = fromAnt;
+          resolution_source = 'ant_build_xml';
+        }
+      }
+    }
+  }
+
+  if (!resultsBase) {
+    return {
+      error: 'RESULTS_NOT_CONFIGURED',
+      message: 'Could not determine results directory from sf config, properties file, or ANT build.xml',
+    };
+  }
+
+  // Increment resolution
+  const numericDirs = numericChildDirs(resultsBase);
+  if (disposition === 'Increment' || numericDirs.length > 0) {
+    if (numericDirs.length > 0) {
+      const targetIndex = run_index ?? Math.max(...numericDirs);
+      return {
+        results_dir: path.join(resultsBase, String(targetIndex)),
+        run_index: targetIndex,
+        disposition,
+        resolution_source,
+      };
+    }
+    // Disposition is Increment but no numeric subdirs yet — fall through to base
+  }
+
+  return {
+    results_dir: resultsBase,
+    run_index: null,
+    disposition,
+    resolution_source,
+  };
+}
+
+// ── provar.testrun.report.locate tool ─────────────────────────────────────────
+
+export function registerTestRunLocate(server: McpServer): void {
+  server.tool(
+    'provar.testrun.report.locate',
+    [
+      'Resolve exactly where Provar test run artifacts were written, without parsing them.',
+      'Returns the results directory, paths to JUnit.xml and Index.html if they exist,',
+      'paths to per-test HTML reports, and any validation JSON files.',
+      'Supports explicit results_path override or auto-detection from sf config, provardx properties file, or ANT build.xml.',
+    ].join(' '),
+    {
+      project_path: z
+        .string()
+        .describe('Absolute path to the Provar project root'),
+      results_path: z
+        .string()
+        .optional()
+        .describe('Explicit override for the results base directory; if provided, skip auto-detection'),
+      run_index: z
+        .number()
+        .optional()
+        .describe('Which Increment run to target (default: latest)'),
+    },
+    (input) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testrun.report.locate', { requestId });
+
+      try {
+        const resolved = resolveResultsLocation(input.project_path, input.results_path, input.run_index);
+        if ('error' in resolved) {
+          const err = makeError(resolved.error, resolved.message, requestId);
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+        }
+
+        const { results_dir, run_index: resolvedRunIndex, disposition, resolution_source } = resolved;
+
+        // Check for JUnit.xml and Index.html
+        const junitPath = path.join(results_dir, 'JUnit.xml');
+        const indexPath = path.join(results_dir, 'Index.html');
+        const junit_xml = fs.existsSync(junitPath) ? junitPath : null;
+        const index_html = fs.existsSync(indexPath) ? indexPath : null;
+
+        // Collect per-test HTML reports (*.testcase.html)
+        const htmlFiles = walkFiles(results_dir, (f) => f.endsWith('.testcase.html'));
+        const per_test_reports = htmlFiles.map((htmlPath) => ({
+          test_name: path.basename(htmlPath, '.html'),
+          html_path: htmlPath,
+        }));
+
+        // Collect validation reports
+        const validationDir = path.join(input.project_path, 'provardx', 'validation');
+        const validation_reports: string[] = [];
+        if (fs.existsSync(validationDir)) {
+          try {
+            const entries = fs.readdirSync(validationDir);
+            for (const entry of entries) {
+              if (entry.endsWith('.json')) {
+                validation_reports.push(path.join(validationDir, entry));
+              }
+            }
+          } catch {
+            // ignore
+          }
+        }
+
+        const result: LocateResult = {
+          requestId,
+          results_dir,
+          junit_xml,
+          index_html,
+          per_test_reports,
+          validation_reports,
+          run_index: resolvedRunIndex,
+          disposition,
+          resolution_source,
+        };
+
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+        };
+      } catch (err: unknown) {
+        const error = err as Error;
+        const errResult = makeError('LOCATE_ERROR', error.message, requestId);
+        log('error', 'provar.testrun.report.locate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ── JUnit XML parsing ─────────────────────────────────────────────────────────
+
+interface ParsedJUnit {
+  total: number;
+  passed: number;
+  failures: number;
+  errors: number;
+  skipped: number;
+  duration_seconds: number;
+  testcases: Array<{ name: string; failureText: string | null; isSkipped: boolean }>;
+}
+
+function parseJUnit(xmlContent: string): ParsedJUnit {
+  const parser = new XMLParser({
+    ignoreAttributes: false,
+    attributeNamePrefix: '',
+    allowBooleanAttributes: true,
+    parseAttributeValue: true,
+    textNodeName: '#text',
+    isArray: (tagName) => ['testsuite', 'testcase', 'failure', 'error'].includes(tagName),
+  });
+
+  const doc = parser.parse(xmlContent) as Record<string, unknown>;
+
+  // Normalise to array of testsuites
+  let suites: Array<Record<string, unknown>> = [];
+  if (doc['testsuites']) {
+    const ts = (doc['testsuites'] as Record<string, unknown>)['testsuite'];
+    suites = Array.isArray(ts) ? (ts as Array<Record<string, unknown>>) : ts ? [ts as Record<string, unknown>] : [];
+  } else if (doc['testsuite']) {
+    const ts = doc['testsuite'];
+    suites = Array.isArray(ts) ? (ts as Array<Record<string, unknown>>) : [ts as Record<string, unknown>];
+  }
+
+  let total = 0;
+  let failures = 0;
+  let errors = 0;
+  let skipped = 0;
+  let duration_seconds = 0;
+  const testcases: ParsedJUnit['testcases'] = [];
+
+  for (const suite of suites) {
+    // Prefer attribute-level counts for the suite, fall back to counting testcases
+    const suiteTests = Number(suite['tests'] ?? 0);
+    const suiteFailures = Number(suite['failures'] ?? 0);
+    const suiteErrors = Number(suite['errors'] ?? 0);
+    const suiteSkipped = Number(suite['skipped'] ?? 0);
+    const suiteTime = Number(suite['time'] ?? 0);
+
+    total += suiteTests;
+    failures += suiteFailures;
+    errors += suiteErrors;
+    skipped += suiteSkipped;
+    duration_seconds += suiteTime;
+
+    const rawTestcases = suite['testcase'];
+    const tcArray: Array<Record<string, unknown>> = Array.isArray(rawTestcases)
+      ? (rawTestcases as Array<Record<string, unknown>>)
+      : rawTestcases
+      ? [rawTestcases as Record<string, unknown>]
+      : [];
+
+    for (const tc of tcArray) {
+      const name = String(tc['name'] ?? '');
+      const isSkipped = tc['skipped'] !== undefined;
+
+      // Extract failure/error text
+      let failureText: string | null = null;
+      const failureArr = tc['failure'];
+      const errorArr = tc['error'];
+
+      const extractText = (arr: unknown): string | null => {
+        if (!arr) return null;
+        const items = Array.isArray(arr) ? (arr as unknown[]) : [arr];
+        for (const item of items) {
+          if (typeof item === 'string' && item.trim()) return item.trim();
+          if (typeof item === 'object' && item !== null) {
+            const obj = item as Record<string, unknown>;
+            const text = obj['#text'] ?? obj['message'] ?? obj[''];
+            if (typeof text === 'string' && text.trim()) return text.trim();
+          }
+        }
+        return null;
+      };
+
+      failureText = extractText(failureArr) ?? extractText(errorArr);
+
+      testcases.push({ name, failureText, isSkipped });
+    }
+  }
+
+  // If total wasn't set from suite attributes, compute from testcases
+  if (total === 0 && testcases.length > 0) {
+    total = testcases.length;
+  }
+
+  const passed = total - failures - errors - skipped;
+
+  return { total, passed: Math.max(0, passed), failures, errors, skipped, duration_seconds, testcases };
+}
+
+// ── RCA handler helpers ───────────────────────────────────────────────────────
+
+function collectValidationReports(projectPath: string): string[] {
+  const validationDir = path.join(projectPath, 'provardx', 'validation');
+  if (!fs.existsSync(validationDir)) return [];
+  try {
+    return fs.readdirSync(validationDir)
+      .filter((e) => e.endsWith('.json'))
+      .map((e) => path.join(validationDir, e));
+  } catch {
+    return [];
+  }
+}
+
+function buildPriorFailureSet(resultsDir: string, resolvedRunIndex: number | null): Set<string> {
+  const names = new Set<string>();
+  if (resolvedRunIndex === null) return names;
+  const resultsBase = path.dirname(resultsDir);
+  const priorDirs = numericChildDirs(resultsBase).filter((n) => n < resolvedRunIndex);
+  for (const priorIdx of priorDirs) {
+    const priorJunit = path.join(resultsBase, String(priorIdx), 'JUnit.xml');
+    if (!fs.existsSync(priorJunit)) continue;
+    try {
+      const priorParsed = parseJUnit(fs.readFileSync(priorJunit, 'utf-8'));
+      for (const tc of priorParsed.testcases) {
+        if (tc.failureText !== null) names.add(tc.name);
+      }
+    } catch {
+      // ignore
+    }
+  }
+  return names;
+}
+
+type ParsedTestCase = { name: string; failureText: string | null; isSkipped: boolean };
+
+function buildFailureReports(
+  testcases: ParsedTestCase[],
+  htmlFiles: string[],
+  screenshotDir: string | null,
+  priorFailed: Set<string>
+): FailureReport[] {
+  const errorClassPatterns = [
+    'NoSuchElementException', 'TimeoutException', 'AssertionException',
+    'SessionNotCreatedException', 'WebDriverException', 'ClassNotFoundException',
+    'LicenseException', 'InvalidPasswordException',
+  ];
+  const reports: FailureReport[] = [];
+  for (const tc of testcases) {
+    if (tc.failureText === null || tc.isSkipped) continue;
+    const failureText = tc.failureText;
+    const rule = classifyFailure(failureText);
+    let error_class: string | null = null;
+    for (const cls of errorClassPatterns) {
+      if (failureText.includes(cls)) { error_class = cls; break; }
+    }
+    const poMatch = /Page Object:\s*([\w.]+)/i.exec(failureText);
+    const opMatch = /operation:\s*(\w+)/i.exec(failureText);
+    const matchingHtml = htmlFiles.find((f) => path.basename(f) === `${tc.name}.html`);
+    reports.push({
+      test_case: tc.name,
+      error_class,
+      error_message: failureText.slice(0, 500),
+      root_cause_category: rule.category,
+      root_cause_summary: rule.summary,
+      recommendation: rule.recommendation,
+      page_object: poMatch ? poMatch[1] : null,
+      operation: opMatch ? opMatch[1] : null,
+      report_html: matchingHtml ?? null,
+      screenshot_dir: screenshotDir,
+      pre_existing: priorFailed.has(tc.name),
+    });
+  }
+  return reports;
+}
+
+// ── provar.testrun.rca tool ───────────────────────────────────────────────────
+
+export function registerTestRunRca(server: McpServer): void {
+  server.tool(
+    'provar.testrun.rca',
+    [
+      'Parse a completed Provar test run and produce a structured Root Cause Analysis (RCA) report.',
+      'Resolves the results directory, parses JUnit.xml, classifies each failure by category,',
+      'and produces recommendations. Use locate_only=true to skip parsing and just resolve artifact locations.',
+    ].join(' '),
+    {
+      project_path: z
+        .string()
+        .describe('Absolute path to the Provar project root'),
+      results_path: z
+        .string()
+        .optional()
+        .describe('Explicit override for the results base directory'),
+      run_index: z
+        .number()
+        .optional()
+        .describe('Which Increment run to target (default: latest)'),
+      locate_only: z
+        .boolean()
+        .optional()
+        .default(false)
+        .describe('If true, skip parsing and return just artifact locations'),
+    },
+    (input) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testrun.rca', { requestId, locate_only: input.locate_only });
+
+      try {
+        // ── Resolve location ─────────────────────────────────────────────────
+        const resolved = resolveResultsLocation(input.project_path, input.results_path, input.run_index);
+        if ('error' in resolved) {
+          const err = makeError(resolved.error, resolved.message, requestId);
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+        }
+
+        const { results_dir, run_index: resolvedRunIndex, disposition, resolution_source } = resolved;
+
+        const junitPath = path.join(results_dir, 'JUnit.xml');
+        const indexPath = path.join(results_dir, 'Index.html');
+        const junit_xml = fs.existsSync(junitPath) ? junitPath : null;
+        const index_html = fs.existsSync(indexPath) ? indexPath : null;
+
+        const htmlFiles = walkFiles(results_dir, (f) => f.endsWith('.testcase.html'));
+        const per_test_reports = htmlFiles.map((htmlPath) => ({
+          test_name: path.basename(htmlPath, '.html'),
+          html_path: htmlPath,
+        }));
+
+        const validation_reports = collectValidationReports(input.project_path);
+
+        const locateResult: LocateResult = {
+          requestId,
+          results_dir,
+          junit_xml,
+          index_html,
+          per_test_reports,
+          validation_reports,
+          run_index: resolvedRunIndex,
+          disposition,
+          resolution_source,
+        };
+
+        // ── locate_only shortcut ─────────────────────────────────────────────
+        if (input.locate_only) {
+          const result = { ...locateResult, rca_skipped: true, failures: [], infrastructure_issues: [], recommendations: [] };
+          return {
+            content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          };
+        }
+
+        // ── Check JUnit.xml exists ───────────────────────────────────────────
+        if (!junit_xml) {
+          const result = {
+            requestId,
+            results_dir,
+            run_in_progress: true as const,
+            message: 'JUnit.xml not found — test run may still be in progress or has not started',
+            failures: [],
+            infrastructure_issues: [],
+            recommendations: [],
+          };
+          return {
+            content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          };
+        }
+
+        // ── Parse JUnit.xml ──────────────────────────────────────────────────
+        const xmlContent = fs.readFileSync(junit_xml, 'utf-8');
+        const parsed = parseJUnit(xmlContent);
+
+        const run_summary = {
+          results_dir,
+          total: parsed.total,
+          passed: parsed.passed,
+          failures: parsed.failures,
+          errors: parsed.errors,
+          skipped: parsed.skipped,
+          duration_seconds: parsed.duration_seconds,
+        };
+
+        // ── Build failure reports ────────────────────────────────────────────
+        const artifactsDir = path.join(results_dir, 'Artifacts');
+        const screenshot_dir = fs.existsSync(artifactsDir) ? artifactsDir : null;
+        const priorFailedTestNames = buildPriorFailureSet(results_dir, resolvedRunIndex);
+        const failureReports = buildFailureReports(parsed.testcases, htmlFiles, screenshot_dir, priorFailedTestNames);
+
+        // ── Infrastructure issues ────────────────────────────────────────────
+        const infrastructure_issues = failureReports
+          .filter((fr) => INFRA_CATEGORIES.has(fr.root_cause_category))
+          .map((fr) => `${fr.test_case}: [${fr.root_cause_category}] ${fr.root_cause_summary}`);
+
+        // ── Recommendations (deduplicated) ───────────────────────────────────
+        const recommendations = [...new Set(failureReports.map((fr) => fr.recommendation))];
+
+        const result = {
+          requestId,
+          results_dir,
+          run_summary,
+          failures: failureReports,
+          infrastructure_issues,
+          recommendations,
+        };
+
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+        };
+      } catch (err: unknown) {
+        const error = err as Error;
+        const errResult = makeError('RCA_ERROR', error.message, requestId);
+        log('error', 'provar.testrun.rca failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ── Registration entry point ──────────────────────────────────────────────────
+
+export function registerAllRcaTools(server: McpServer): void {
+  registerTestRunLocate(server);
+  registerTestRunRca(server);
+}
diff --git a/src/mcp/tools/sfSpawn.ts b/src/mcp/tools/sfSpawn.ts
new file mode 100644
index 00000000..5b7fd3c3
--- /dev/null
+++ b/src/mcp/tools/sfSpawn.ts
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { spawnSync as _spawnSync } from 'node:child_process';
+
+/**
+ * Thin wrapper around spawnSync so tests can stub sfSpawnHelper.spawnSync.
+ * ESM named exports are immutable bindings; sinon requires a mutable object property.
+ */
+export const sfSpawnHelper = {
+  spawnSync: _spawnSync,
+};
+
+// ── Shared error type ─────────────────────────────────────────────────────────
+
+export class SfNotFoundError extends Error {
+  public readonly code = 'SF_NOT_FOUND';
+  public constructor(sfPath?: string) {
+    const where = sfPath
+      ? `at explicit path "${sfPath}"`
+      : 'in PATH or common npm/nvm/volta install locations';
+    super(
+      `sf CLI not found ${where}. ` +
+      'Install Salesforce CLI (npm install -g @salesforce/cli) and ensure the install directory is in your PATH, ' +
+      'or pass sf_path pointing to the sf executable directly ' +
+      '(e.g. "~/.nvm/versions/node/v22.0.0/bin/sf").'
+    );
+    this.name = 'SfNotFoundError';
+  }
+}
+
+// ── Shared spawn helper ───────────────────────────────────────────────────────
+
+export interface SpawnResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+/**
+ * Run `sf <args>` synchronously and return stdout, stderr, and exit code.
+ * Throws SfNotFoundError if the `sf` binary is not in PATH.
+ */
+export function runSfCommand(args: string[]): SpawnResult {
+  const result = sfSpawnHelper.spawnSync('sf', args, { encoding: 'utf-8', shell: false });
+
+  if (result.error) {
+    const err = result.error as NodeJS.ErrnoException;
+    if (err.code === 'ENOENT') {
+      throw new SfNotFoundError();
+    }
+    throw result.error;
+  }
+
+  return {
+    stdout: result.stdout ?? '',
+    stderr: result.stderr ?? '',
+    exitCode: result.status ?? 1,
+  };
+}
+
+// ── SOQL safety ───────────────────────────────────────────────────────────────
+
+/**
+ * Escape a value for safe interpolation inside a SOQL single-quoted string literal.
+ * Replaces `'` with `\'` to prevent SOQL injection.
+ */
+export function soqlEscape(value: string): string {
+  return value.replace(/'/g, "\\'");
+}
diff --git a/src/mcp/tools/testCaseGenerate.ts b/src/mcp/tools/testCaseGenerate.ts
new file mode 100644
index 00000000..a75ce75e
--- /dev/null
+++ b/src/mcp/tools/testCaseGenerate.ts
@@ -0,0 +1,279 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path from 'node:path';
+import { randomUUID } from 'node:crypto';
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+import { validateTestCase } from './testCaseValidate.js';
+
+// ── Shorthand → fully-qualified API ID map ────────────────────────────────────
+// Provar runtime requires fully-qualified IDs. Shorthand forms are accepted here
+// and expanded automatically before writing XML.
+
+const SHORTHAND_TO_FQID: Record<string, string> = {
+  UiConnect:          'com.provar.plugins.forcedotcom.core.ui.UiConnect',
+  UiDoAction:         'com.provar.plugins.forcedotcom.core.ui.UiDoAction',
+  UiWithScreen:       'com.provar.plugins.forcedotcom.core.ui.UiWithScreen',
+  UiAssert:           'com.provar.plugins.forcedotcom.core.ui.UiAssert',
+  UiNavigate:         'com.provar.plugins.forcedotcom.core.ui.UiNavigate',
+  UiWithRow:          'com.provar.plugins.forcedotcom.core.ui.UiWithRow',
+  UiScrollToElement:  'com.provar.plugins.forcedotcom.core.ui.UiScrollToElement',
+  ApexConnect:        'com.provar.plugins.forcedotcom.core.testapis.ApexConnect',
+  ApexSoqlQuery:      'com.provar.plugins.forcedotcom.core.testapis.ApexSoqlQuery',
+  ApexCreateObject:   'com.provar.plugins.forcedotcom.core.testapis.ApexCreateObject',
+  ApexReadObject:     'com.provar.plugins.forcedotcom.core.testapis.ApexReadObject',
+  ApexUpdateObject:   'com.provar.plugins.forcedotcom.core.testapis.ApexUpdateObject',
+  ApexDeleteObject:   'com.provar.plugins.forcedotcom.core.testapis.ApexDeleteObject',
+  SetValues:          'com.provar.plugins.bundled.apis.control.SetValues',
+  AssertValues:       'com.provar.plugins.bundled.apis.AssertValues',
+  StepGroup:          'com.provar.plugins.bundled.apis.control.StepGroup',
+  Sleep:              'com.provar.plugins.bundled.apis.control.Sleep',
+  ForEach:            'com.provar.plugins.bundled.apis.control.ForEach',
+  CaseCall:           'com.provar.plugins.bundled.apis.control.CaseCall',
+};
+
+function resolveApiId(apiId: string): string {
+  return SHORTHAND_TO_FQID[apiId] ?? apiId;
+}
+
+// ── Per-step runtime warnings ─────────────────────────────────────────────────
+
+function buildStepWarnings(steps: Array<{ api_id: string }>): string[] {
+  const warnings: string[] = [];
+  const resolvedIds = steps.map((s) => resolveApiId(s.api_id));
+
+  if (resolvedIds.includes(SHORTHAND_TO_FQID['ApexReadObject'] ?? '')) {
+    warnings.push(
+      'ApexReadObject: You must specify field names in the attributes (e.g. fieldList); ' +
+      'if none are provided Provar generates "SELECT  FROM ..." which throws MALFORMED_QUERY. ' +
+      'Prefer ApexSoqlQuery for full control over the SELECT clause and result binding.'
+    );
+  }
+
+  if (resolvedIds.includes(SHORTHAND_TO_FQID['AssertValues'] ?? '')) {
+    warnings.push(
+      'AssertValues: Direct index paths like "ResultList[0].FieldName" are NOT supported for ApexSoqlQuery results. ' +
+      'To assert SOQL results use either: (a) a ForEach loop over the result list with AssertValues inside, ' +
+      'or (b) a SetValues step to extract a specific field into a named variable, then assert that variable.'
+    );
+  }
+
+  return warnings;
+}
+
+// ── Schema ────────────────────────────────────────────────────────────────────
+
+const StepSchema = z.object({
+  api_id: z
+    .string()
+    .describe(
+      'Provar step API ID. Shorthand forms are accepted and auto-expanded to fully-qualified IDs: ' +
+      'UiConnect, UiDoAction, UiWithScreen, UiAssert, UiNavigate, UiWithRow, ' +
+      'ApexConnect, ApexSoqlQuery, ApexCreateObject, ApexReadObject, ApexUpdateObject, ApexDeleteObject, ' +
+      'SetValues, AssertValues, StepGroup, Sleep, ForEach, CaseCall. ' +
+      'Or pass the fully-qualified ID directly (com.provar.plugins.*).'
+    ),
+  name: z.string().describe('Human-readable step name'),
+  attributes: z
+    .record(z.string())
+    .default({})
+    .describe(
+      'Step argument values as key/value pairs. Written as <arguments><argument id="key"><value .../></argument></arguments> ' +
+      'inside the <apiCall> element — the format Provar runtime requires. ' +
+      'Do NOT rely on XML attributes on <apiCall>; the runtime silently ignores them. ' +
+      'Example: { "connectionName": "MyOrg", "objectApiName": "Opportunity" }'
+    ),
+});
+
+const TOOL_DESCRIPTION = [
+  'Generate a Provar XML test case skeleton with proper UUID v4 guids, sequential testItemId values, and <steps> structure.',
+  'Returns XML content. Writes to disk only when dry_run=false.',
+  'API IDs: shorthand forms (e.g. UiConnect, ApexSoqlQuery) are automatically expanded to fully-qualified IDs required by the Provar runtime.',
+  'Step arguments: attributes are emitted as <arguments><argument id="..."><value .../></argument></arguments> — the only format the Provar runtime processes.',
+  'Shorthand XML attributes on <apiCall> are silently ignored at runtime; always supply arguments via the attributes map.',
+  'Data-driven note: <dataTable> only iterates rows when the test case runs via a test plan instance (.testinstance).',
+  'Running directly via the provardx testCase property resolves all data table variables as null.',
+  'Use provar.testplan.add-instance to wire into a plan for data-driven execution.',
+  'ApexReadObject requires field names in attributes; omitting them produces MALFORMED_QUERY. Prefer ApexSoqlQuery.',
+  'AssertValues on SOQL results: index paths like "ResultList[0].Field" are not supported.',
+  'Use ForEach to iterate the result list, or SetValues to extract a field into a variable first.',
+  'Validation: the response always includes a validation field with is_valid, validity_score, quality_score, and any structural issues — check this before attempting to run the test case.',
+].join(' ');
+
+export function registerTestCaseGenerate(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.testcase.generate',
+    TOOL_DESCRIPTION,
+    {
+      test_case_name: z.string().describe('Test case name (human-readable label)'),
+      test_case_id: z
+        .string()
+        .optional()
+        .describe('Explicit test case id; auto-generated UUID v4 if omitted'),
+      steps: z.array(StepSchema).default([]).describe('Ordered list of test steps'),
+      output_path: z
+        .string()
+        .optional()
+        .describe('Suggested file path for the .xml file (returned in response)'),
+      overwrite: z.boolean().default(false).describe('Overwrite if output_path file already exists'),
+      dry_run: z
+        .boolean()
+        .default(true)
+        .describe('true = return XML only (default); false = write to output_path'),
+      idempotency_key: z
+        .string()
+        .optional()
+        .describe('Caller-provided key echoed back for deduplication tracking'),
+    },
+    (input) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testcase.generate', {
+        requestId,
+        test_case_name: input.test_case_name,
+        dry_run: input.dry_run,
+      });
+
+      try {
+        const xmlContent = buildTestCaseXml(input);
+        const filePath: string | undefined = input.output_path
+          ? path.resolve(input.output_path)
+          : undefined;
+        let written = false;
+
+        if (filePath && !input.dry_run) {
+          assertPathAllowed(filePath, config.allowedPaths);
+
+          if (fs.existsSync(filePath) && !input.overwrite) {
+            const err = makeError(
+              'FILE_EXISTS',
+              `File already exists: ${filePath}. Set overwrite=true to replace.`,
+              requestId
+            );
+            return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+          }
+
+          fs.mkdirSync(path.dirname(filePath), { recursive: true });
+          fs.writeFileSync(filePath, xmlContent, 'utf-8');
+          written = true;
+          log('info', 'provar.testcase.generate: wrote file', { requestId, filePath });
+        }
+
+        const warnings = buildStepWarnings(input.steps);
+        const validationFull = validateTestCase(xmlContent, input.test_case_name);
+        const validationSlim = {
+          is_valid: validationFull.is_valid,
+          validity_score: validationFull.validity_score,
+          quality_score: validationFull.quality_score,
+          error_count: validationFull.error_count,
+          warning_count: validationFull.warning_count,
+          issues: validationFull.issues,
+        };
+        const result = {
+          requestId,
+          xml_content: xmlContent,
+          file_path: filePath,
+          written,
+          dry_run: input.dry_run,
+          step_count: input.steps.length,
+          idempotency_key: input.idempotency_key,
+          validation: validationSlim,
+          ...(warnings.length > 0 ? { warnings } : {}),
+        };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          structuredContent: result,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        const errResult = makeError(
+          error instanceof PathPolicyError ? error.code : (error.code ?? 'GENERATE_ERROR'),
+          error.message,
+          requestId,
+          false
+        );
+        log('error', 'provar.testcase.generate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ── XML builder ───────────────────────────────────────────────────────────────
+
+function buildArgumentsXml(attributes: Record<string, string>): string {
+  const entries = Object.entries(attributes);
+  if (entries.length === 0) return '';
+  const argLines = entries
+    .map(([k, v]) =>
+      `      <argument id="${escapeXmlAttr(k)}">\n` +
+      `        <value class="value" valueClass="String">${escapeXmlContent(v)}</value>\n` +
+      '      </argument>'
+    )
+    .join('\n');
+  return `\n      <arguments>\n${argLines}\n      </arguments>\n    `;
+}
+
+function buildTestCaseXml(input: {
+  test_case_name: string;
+  test_case_id?: string;
+  steps: Array<{ api_id: string; name: string; attributes: Record<string, string> }>;
+}): string {
+  const testCaseId = input.test_case_id ?? randomUUID();
+  const testCaseGuid = randomUUID();
+  const registryId = randomUUID();
+
+  const stepLines = input.steps
+    .map((step, i) => {
+      const guid = randomUUID();
+      const testItemId = i + 1;
+      const resolvedApiId = resolveApiId(step.api_id);
+      const argumentsXml = buildArgumentsXml(step.attributes);
+      if (argumentsXml) {
+        return (
+          `    <apiCall guid="${guid}" apiId="${escapeXmlAttr(resolvedApiId)}"` +
+          ` name="${escapeXmlAttr(step.name)}" testItemId="${testItemId}">${argumentsXml}</apiCall>`
+        );
+      }
+      return (
+        `    <apiCall guid="${guid}" apiId="${escapeXmlAttr(resolvedApiId)}"` +
+        ` name="${escapeXmlAttr(step.name)}" testItemId="${testItemId}"/>`
+      );
+    })
+    .join('\n');
+
+  return (
+    '<?xml version="1.0" encoding="UTF-8"?>\n' +
+    `<testCase id="${testCaseId}" guid="${testCaseGuid}" registryId="${registryId}"` +
+    ` name="${escapeXmlAttr(input.test_case_name)}">\n` +
+    '  <steps>\n' +
+    (stepLines || '    <!-- TODO: Add test steps here -->') +
+    '\n  </steps>\n' +
+    '</testCase>\n'
+  );
+}
+
+function escapeXmlAttr(value: string): string {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/"/g, '&quot;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+}
+
+function escapeXmlContent(value: string): string {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+}
diff --git a/src/mcp/tools/testCaseValidate.ts b/src/mcp/tools/testCaseValidate.ts
new file mode 100644
index 00000000..20142752
--- /dev/null
+++ b/src/mcp/tools/testCaseValidate.ts
@@ -0,0 +1,286 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path from 'node:path';
+import { z } from 'zod';
+import { XMLParser } from 'fast-xml-parser';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId, type ValidationIssue } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+import { runBestPractices } from './bestPracticesEngine.js';
+
+export function registerTestCaseValidate(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.testcase.validate',
+    'Validate a Provar XML test case for structural correctness and quality. Checks XML declaration, root element, required attributes (guid UUID v4, testItemId integer), <steps> presence, and applies best-practice rules (same ruleset and scoring as the Quality Hub batch validation API). Returns validity_score (schema compliance) and quality_score (best practices, 0–100).',
+    {
+      content: z.string().optional().describe('XML content to validate directly (alias: xml)'),
+      xml: z.string().optional().describe('XML content to validate — API-compatible alias for content'),
+      file_path: z.string().optional().describe('Path to .xml test case file'),
+    },
+    ({ content, xml, file_path }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testcase.validate', { requestId, has_content: !!(content ?? xml), file_path });
+
+      try {
+        // Resolve xml alias: the batch validation API uses "xml", MCP originally used "content"
+        let source = content ?? xml;
+
+        if (!source && file_path) {
+          assertPathAllowed(file_path, config.allowedPaths);
+          const resolved = path.resolve(file_path);
+          if (!fs.existsSync(resolved)) {
+            const err = makeError('FILE_NOT_FOUND', `File not found: ${resolved}`, requestId);
+            return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+          }
+          source = fs.readFileSync(resolved, 'utf-8');
+        }
+
+        if (!source) {
+          const err = makeError('MISSING_INPUT', 'Provide either content or file_path.', requestId);
+          return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(err) }] };
+        }
+
+        const validation = validateTestCase(source);
+        const result = { requestId, ...validation };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          structuredContent: result,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        const errResult = makeError(
+          error instanceof PathPolicyError ? error.code : 'VALIDATE_ERROR',
+          error.message,
+          requestId,
+          false
+        );
+        log('error', 'provar.testcase.validate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
+
+// ── Validator (ported from quality-hub-agents/lambda/src/validator/handler.py) ──
+
+const UUID_V4_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+
+export interface TestCaseValidationResult {
+  is_valid: boolean;
+  validity_score: number;
+  quality_score: number;
+  test_case_id: string | null;
+  test_case_name: string | null;
+  step_count: number;
+  error_count: number;
+  warning_count: number;
+  issues: ValidationIssue[];
+  /** Violations from the Best Practices Engine (same rules as the Quality Hub API). */
+  best_practices_violations?: Array<import('./bestPracticesEngine.js').BPViolation>;
+  best_practices_rules_evaluated?: number;
+}
+
+/** Pure function — exported for unit testing */
+export function validateTestCase(xmlContent: string, testName?: string): TestCaseValidationResult {
+  const issues: ValidationIssue[] = [];
+
+  // TC_001: XML declaration
+  if (!xmlContent.trimStart().startsWith('<?xml')) {
+    issues.push({
+      rule_id: 'TC_001', severity: 'ERROR',
+      message: 'Missing XML declaration. File must start with <?xml version="1.0" encoding="UTF-8"?>.',
+      applies_to: 'document',
+      suggestion: 'Add XML declaration as the first line.',
+    });
+  }
+
+  // Parse
+  const parser = new XMLParser({
+    ignoreAttributes: false,
+    attributeNamePrefix: '@_',
+    parseAttributeValue: false,
+  });
+  let parsed: Record<string, unknown>;
+  try {
+    parsed = parser.parse(xmlContent) as Record<string, unknown>;
+  } catch (e: unknown) {
+    const parseError = e as Error;
+    issues.push({
+      rule_id: 'TC_002', severity: 'ERROR',
+      message: `XML parse error: ${parseError.message}`,
+      applies_to: 'document',
+      suggestion: 'Fix XML syntax errors.',
+    });
+    return finalize(issues, null, null, 0, xmlContent, testName);
+  }
+
+  // TC_003: Root element
+  if (!('testCase' in parsed)) {
+    issues.push({
+      rule_id: 'TC_003', severity: 'ERROR',
+      message: 'Root element must be <testCase>.',
+      applies_to: 'document',
+      suggestion: 'Ensure root element is <testCase>.',
+    });
+    return finalize(issues, null, null, 0, xmlContent, testName);
+  }
+
+  // fast-xml-parser yields '' for a self-closing element with no attributes (e.g. <testCase/>).
+  // Normalise to a plain object so subsequent `'key' in tc` checks don't throw.
+  const rawTc = parsed['testCase'];
+  const tc: Record<string, unknown> =
+    rawTc !== null && typeof rawTc === 'object' ? (rawTc as Record<string, unknown>) : {};
+  const tcId = (tc['@_id'] as string | undefined) ?? null;
+  const tcName = (tc['@_name'] as string | undefined) ?? null;
+  const tcGuid = tc['@_guid'] as string | undefined;
+
+  if (!tcId) {
+    issues.push({
+      rule_id: 'TC_010', severity: 'ERROR',
+      message: 'testCase missing required id attribute.',
+      applies_to: 'testCase',
+      suggestion: 'Add id attribute to testCase element.',
+    });
+  }
+  if (!tcGuid) {
+    issues.push({
+      rule_id: 'TC_011', severity: 'ERROR',
+      message: 'testCase missing required guid attribute.',
+      applies_to: 'testCase',
+      suggestion: 'Add guid attribute (UUID v4) to testCase element.',
+    });
+  } else if (!UUID_V4_RE.test(tcGuid)) {
+    issues.push({
+      rule_id: 'TC_012', severity: 'ERROR',
+      message: `testCase guid "${tcGuid}" is not a valid UUID v4.`,
+      applies_to: 'testCase',
+      suggestion: 'Generate a proper UUID v4 for the guid attribute.',
+    });
+  }
+  // TC_013 (registryId) is intentionally not checked here — registryId is a
+  // Salesforce Quality Hub record ID assigned when a test case is registered in
+  // the QH org. Local project files will never have this attribute, so checking
+  // for it produces a universal false positive for every test case.
+
+  // TC_020: <steps> element
+  if (!('steps' in tc)) {
+    issues.push({
+      rule_id: 'TC_020', severity: 'ERROR',
+      message: 'testCase missing <steps> element.',
+      applies_to: 'testCase',
+      suggestion: 'Wrap all step elements in a <steps> element.',
+    });
+    return finalize(issues, tcId, tcName, 0, xmlContent, testName);
+  }
+
+  // Same self-closing guard for <steps/> → fast-xml-parser yields ''
+  const rawSteps = tc['steps'];
+  const steps: Record<string, unknown> =
+    rawSteps !== null && typeof rawSteps === 'object' ? (rawSteps as Record<string, unknown>) : {};
+  const rawApiCalls = steps['apiCall'];
+  const apiCalls: Array<Record<string, unknown>> = rawApiCalls
+    ? (Array.isArray(rawApiCalls) ? rawApiCalls : [rawApiCalls]) as Array<Record<string, unknown>>
+    : [];
+
+  for (const call of apiCalls) {
+    validateApiCall(call, issues);
+  }
+
+  return finalize(issues, tcId, tcName, apiCalls.length, xmlContent, testName);
+}
+
+function validateApiCall(call: Record<string, unknown>, issues: ValidationIssue[]): void {
+  const callGuid = call['@_guid'] as string | undefined;
+  const apiId = call['@_apiId'] as string | undefined;
+  const name = call['@_name'] as string | undefined;
+  const testItemId = call['@_testItemId'] as string | undefined;
+  const label = apiId ? ` "${apiId}"` : '';
+
+  if (!callGuid) {
+    issues.push({
+      rule_id: 'TC_030', severity: 'ERROR',
+      message: `apiCall${label} missing guid attribute.`,
+      applies_to: 'apiCall',
+      suggestion: 'Add a UUID v4 guid to each apiCall.',
+    });
+  } else if (!UUID_V4_RE.test(callGuid)) {
+    issues.push({
+      rule_id: 'TC_031', severity: 'ERROR',
+      message: `apiCall${label} guid "${callGuid}" is not a valid UUID v4.`,
+      applies_to: 'apiCall',
+      suggestion: 'Use proper UUID v4 format.',
+    });
+  }
+  if (!apiId) {
+    issues.push({
+      rule_id: 'TC_032', severity: 'ERROR',
+      message: 'apiCall missing apiId attribute.',
+      applies_to: 'apiCall',
+      suggestion: 'Add apiId attribute (e.g., UiConnect, ApexSoqlQuery).',
+    });
+  }
+  if (!name) {
+    issues.push({
+      rule_id: 'TC_033', severity: 'WARNING',
+      message: `apiCall${label} missing name attribute.`,
+      applies_to: 'apiCall',
+      suggestion: 'Add a descriptive name attribute.',
+    });
+  }
+  if (!testItemId) {
+    issues.push({
+      rule_id: 'TC_034', severity: 'ERROR',
+      message: `apiCall${label} missing testItemId attribute.`,
+      applies_to: 'apiCall',
+      suggestion: 'Add sequential testItemId (1, 2, 3...).',
+    });
+  } else if (!/^\d+$/.test(testItemId)) {
+    issues.push({
+      rule_id: 'TC_035', severity: 'ERROR',
+      message: `apiCall${label} testItemId "${testItemId}" must be a whole number.`,
+      applies_to: 'apiCall',
+      suggestion: 'Use sequential integers for testItemId.',
+    });
+  }
+}
+
+function finalize(
+  issues: ValidationIssue[],
+  testCaseId: string | null,
+  testCaseName: string | null,
+  stepCount: number,
+  xmlContent: string,
+  testName?: string
+): TestCaseValidationResult {
+  const errorCount = issues.filter((i) => i.severity === 'ERROR').length;
+  const warningCount = issues.filter((i) => i.severity === 'WARNING').length;
+
+  // Layer 1: validity score (schema compliance — existing rules)
+  const validity_score = Math.max(0, 100 - errorCount * 20);
+
+  // Layer 2: quality score (best practices engine — same rules & formula as Quality Hub API)
+  const bp = runBestPractices(xmlContent, { testName });
+
+  return {
+    is_valid: errorCount === 0,
+    validity_score,
+    quality_score: bp.quality_score,
+    test_case_id: testCaseId,
+    test_case_name: testCaseName,
+    step_count: stepCount,
+    error_count: errorCount,
+    warning_count: warningCount,
+    issues,
+    best_practices_violations: bp.violations,
+    best_practices_rules_evaluated: bp.rules_evaluated,
+  };
+}
diff --git a/src/mcp/tools/testPlanTools.ts b/src/mcp/tools/testPlanTools.ts
new file mode 100644
index 00000000..d2c37f7b
--- /dev/null
+++ b/src/mcp/tools/testPlanTools.ts
@@ -0,0 +1,364 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path from 'node:path';
+import { randomUUID } from 'node:crypto';
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ServerConfig } from '../server.js';
+import { assertPathAllowed, PathPolicyError } from '../security/pathPolicy.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+/**
+ * Try to extract testCaseId from testcase XML content.
+ * Looks for registryId, id, or guid attributes on the root element.
+ */
+function extractTestCaseId(xmlContent: string): string | null {
+  for (const attr of ['registryId', 'id', 'guid']) {
+    const match = new RegExp(`${attr}="([^"]+)"`).exec(xmlContent);
+    if (match) return match[1];
+  }
+  return null;
+}
+
+/** Normalize path separators to forward slashes. */
+function toForwardSlashes(p: string): string {
+  return p.replace(/\\/g, '/');
+}
+
+/** Build a .testinstance XML string. */
+function buildTestInstanceXml(guid: string, testCaseId: string, testCasePath: string): string {
+  return [
+    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>',
+    `<testPlanInstance guid="${guid}" testCaseId="${testCaseId}" testCasePath="${testCasePath}">`,
+    '  <planSettings/>',
+    '  <planFeatures/>',
+    '</testPlanInstance>',
+  ].join('\n');
+}
+
+/** Build a .planitem XML string. */
+function buildPlanItemXml(guid: string): string {
+  return [
+    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>',
+    `<testPlan guid="${guid}">`,
+    '  <planSettings/>',
+    '  <planFeatures/>',
+    '</testPlan>',
+  ].join('\n');
+}
+
+// ── provar.testplan.add-instance ──────────────────────────────────────────────
+
+export function registerTestPlanAddInstance(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.testplan.add-instance',
+    [
+      'Add a .testinstance file to an existing Provar test plan suite directory.',
+      'The plan directory and suite directory must already exist.',
+      'test_case_path is relative to the project root (e.g. "tests/MyTest.testcase").',
+      'suite_path is the path within the plan (e.g. "MySuite" or "MySuite/SubSuite").',
+      'Returns the guid assigned to the new instance and the path where it was written.',
+    ].join(' '),
+    {
+      project_path: z.string().describe('Absolute path to the Provar project root'),
+      test_case_path: z.string().describe('Path to the .testcase file, relative to project root (e.g. "tests/MyTest.testcase")'),
+      plan_name: z.string().describe('Name of the test plan (directory under plans/)'),
+      suite_path: z.string().optional().describe('Path within the plan to place the instance (e.g. "MySuite" or "MySuite/SubSuite")'),
+      overwrite: z.boolean().optional().default(false).describe('Overwrite the .testinstance file if it already exists (default: false)'),
+      dry_run: z.boolean().optional().default(false).describe('Return what would be written without writing to disk (default: false)'),
+    },
+    ({ project_path, test_case_path, plan_name, suite_path, overwrite, dry_run }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testplan.add-instance', { requestId, project_path, test_case_path, plan_name });
+
+      try {
+        assertPathAllowed(project_path, config.allowedPaths);
+
+        const projectRoot = path.resolve(project_path);
+
+        // Verify .testproject exists
+        const testProjectFiles = fs.existsSync(projectRoot)
+          ? fs.readdirSync(projectRoot).filter((f) => f.endsWith('.testproject'))
+          : [];
+        if (testProjectFiles.length === 0) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('NOT_A_PROJECT', `No .testproject file found in ${projectRoot}`, requestId)) }],
+          };
+        }
+
+        // Resolve testcase absolute path
+        const absoluteTestCasePath = path.join(projectRoot, test_case_path);
+        if (!fs.existsSync(absoluteTestCasePath)) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('FILE_NOT_FOUND', `Test case not found: ${absoluteTestCasePath}`, requestId)) }],
+          };
+        }
+        if (!test_case_path.endsWith('.testcase')) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('INVALID_PATH', 'test_case_path must end with .testcase', requestId)) }],
+          };
+        }
+
+        // Read testcase XML and extract testCaseId
+        const testCaseXml = fs.readFileSync(absoluteTestCasePath, 'utf-8');
+        const testCaseId = extractTestCaseId(testCaseXml);
+        if (!testCaseId) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('NO_TEST_CASE_ID', `Cannot extract registryId, id, or guid from ${absoluteTestCasePath}`, requestId)) }],
+          };
+        }
+
+        // Determine instance directory
+        const instanceDirParts = ['plans', plan_name];
+        if (suite_path) instanceDirParts.push(...suite_path.split('/').filter(Boolean));
+        const instanceDir = path.join(projectRoot, ...instanceDirParts);
+
+        if (!fs.existsSync(instanceDir)) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('DIR_NOT_FOUND', `Suite directory does not exist: ${instanceDir}. Create it with provar.testplan.create-suite first.`, requestId)) }],
+          };
+        }
+
+        // Determine filename and full path
+        const instanceFileName = path.basename(test_case_path, '.testcase') + '.testinstance';
+        const instanceFilePath = path.join(instanceDir, instanceFileName);
+
+        if (!overwrite && fs.existsSync(instanceFilePath)) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('FILE_EXISTS', `Instance file already exists: ${instanceFilePath}. Set overwrite: true to replace it.`, requestId)) }],
+          };
+        }
+
+        // Build XML
+        const guid = randomUUID();
+        const normalizedTestCasePath = toForwardSlashes(test_case_path);
+        const xmlContent = buildTestInstanceXml(guid, testCaseId, normalizedTestCasePath);
+
+        if (!dry_run) {
+          fs.writeFileSync(instanceFilePath, xmlContent, 'utf-8');
+        }
+
+        const response = {
+          requestId,
+          instance_path: instanceFilePath,
+          guid,
+          test_case_id: testCaseId,
+          test_case_path: normalizedTestCasePath,
+          dry_run: dry_run ?? false,
+          written: !dry_run,
+        };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        return {
+          isError: true,
+          content: [{ type: 'text' as const, text: JSON.stringify(makeError(error instanceof PathPolicyError ? error.code : (error.code ?? 'ADD_INSTANCE_ERROR'), error.message, requestId)) }],
+        };
+      }
+    }
+  );
+}
+
+// ── provar.testplan.create-suite ──────────────────────────────────────────────
+
+export function registerTestPlanCreateSuite(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.testplan.create-suite',
+    [
+      'Create a new suite directory inside a Provar test plan.',
+      'The plan directory must already exist with a .planitem file at its root.',
+      'Writes a new .planitem file into the created suite directory.',
+      'Returns the guid assigned to the new suite.',
+    ].join(' '),
+    {
+      project_path: z.string().describe('Absolute path to the Provar project root'),
+      plan_name: z.string().describe('Name of the test plan (directory under plans/)'),
+      suite_name: z.string().describe('Name of the new suite directory to create'),
+      parent_suite_path: z.string().optional().describe('Path of the parent suite within the plan (e.g. "MySuite"). Omit to create at plan root.'),
+      dry_run: z.boolean().optional().default(false).describe('Return what would be created without writing to disk (default: false)'),
+    },
+    ({ project_path, plan_name, suite_name, parent_suite_path, dry_run }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testplan.create-suite', { requestId, project_path, plan_name, suite_name });
+
+      try {
+        assertPathAllowed(project_path, config.allowedPaths);
+
+        const projectRoot = path.resolve(project_path);
+
+        // Verify .testproject exists
+        const testProjectFiles = fs.existsSync(projectRoot)
+          ? fs.readdirSync(projectRoot).filter((f) => f.endsWith('.testproject'))
+          : [];
+        if (testProjectFiles.length === 0) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('NOT_A_PROJECT', `No .testproject file found in ${projectRoot}`, requestId)) }],
+          };
+        }
+
+        // Verify plan directory exists
+        const planDir = path.join(projectRoot, 'plans', plan_name);
+        if (!fs.existsSync(planDir)) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('DIR_NOT_FOUND', `Plan directory does not exist: ${planDir}`, requestId)) }],
+          };
+        }
+
+        // Verify plan .planitem exists
+        const planItemPath = path.join(planDir, '.planitem');
+        if (!fs.existsSync(planItemPath)) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('FILE_NOT_FOUND', `Plan .planitem file does not exist: ${planItemPath}`, requestId)) }],
+          };
+        }
+
+        // Determine suite directory
+        const suiteDirParts = [planDir];
+        if (parent_suite_path) suiteDirParts.push(...parent_suite_path.split('/').filter(Boolean));
+        suiteDirParts.push(suite_name);
+        const suiteDir = path.join(...suiteDirParts);
+
+        if (fs.existsSync(suiteDir)) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('DIR_EXISTS', `Suite directory already exists: ${suiteDir}`, requestId)) }],
+          };
+        }
+
+        const guid = randomUUID();
+        const xmlContent = buildPlanItemXml(guid);
+        const newPlanItemPath = path.join(suiteDir, '.planitem');
+
+        if (!dry_run) {
+          fs.mkdirSync(suiteDir, { recursive: true });
+          fs.writeFileSync(newPlanItemPath, xmlContent, 'utf-8');
+        }
+
+        const response = {
+          requestId,
+          suite_dir: suiteDir,
+          planitem_path: newPlanItemPath,
+          guid,
+          dry_run: dry_run ?? false,
+          created: !dry_run,
+        };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        return {
+          isError: true,
+          content: [{ type: 'text' as const, text: JSON.stringify(makeError(error instanceof PathPolicyError ? error.code : (error.code ?? 'CREATE_SUITE_ERROR'), error.message, requestId)) }],
+        };
+      }
+    }
+  );
+}
+
+// ── provar.testplan.remove-instance ──────────────────────────────────────────
+
+export function registerTestPlanRemoveInstance(server: McpServer, config: ServerConfig): void {
+  server.tool(
+    'provar.testplan.remove-instance',
+    [
+      'Remove a .testinstance file from a Provar test plan.',
+      'instance_path is relative to the project root.',
+      'Returns the path of the removed file.',
+    ].join(' '),
+    {
+      project_path: z.string().describe('Absolute path to the Provar project root'),
+      instance_path: z.string().describe('Path to the .testinstance file, relative to project root'),
+      dry_run: z.boolean().optional().default(false).describe('Return what would be removed without deleting (default: false)'),
+    },
+    ({ project_path, instance_path, dry_run }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testplan.remove-instance', { requestId, project_path, instance_path });
+
+      try {
+        assertPathAllowed(project_path, config.allowedPaths);
+
+        const projectRoot = path.resolve(project_path);
+        const absolutePath = path.join(projectRoot, instance_path);
+
+        // Assert no traversal outside project root
+        const resolvedProjectRoot = path.resolve(projectRoot);
+        const resolvedAbsolute = path.resolve(absolutePath);
+        if (!resolvedAbsolute.startsWith(resolvedProjectRoot + path.sep) && resolvedAbsolute !== resolvedProjectRoot) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('PATH_TRAVERSAL', `Path traversal detected: ${instance_path}`, requestId)) }],
+          };
+        }
+
+        // Must end with .testinstance
+        if (!instance_path.endsWith('.testinstance')) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('INVALID_PATH', 'instance_path must end with .testinstance', requestId)) }],
+          };
+        }
+
+        // File must exist
+        if (!fs.existsSync(absolutePath)) {
+          return {
+            isError: true,
+            content: [{ type: 'text' as const, text: JSON.stringify(makeError('FILE_NOT_FOUND', `Instance file not found: ${absolutePath}`, requestId)) }],
+          };
+        }
+
+        if (!dry_run) {
+          fs.unlinkSync(absolutePath);
+        }
+
+        const response = {
+          requestId,
+          removed_path: absolutePath,
+          dry_run: dry_run ?? false,
+          removed: !dry_run,
+        };
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error & { code?: string };
+        return {
+          isError: true,
+          content: [{ type: 'text' as const, text: JSON.stringify(makeError(error instanceof PathPolicyError ? error.code : (error.code ?? 'REMOVE_INSTANCE_ERROR'), error.message, requestId)) }],
+        };
+      }
+    }
+  );
+}
+
+// ── Convenience re-export ─────────────────────────────────────────────────────
+
+export function registerAllTestPlanTools(server: McpServer, config: ServerConfig): void {
+  registerTestPlanAddInstance(server, config);
+  registerTestPlanCreateSuite(server, config);
+  registerTestPlanRemoveInstance(server, config);
+}
diff --git a/src/mcp/tools/testPlanValidate.ts b/src/mcp/tools/testPlanValidate.ts
new file mode 100644
index 00000000..a272b024
--- /dev/null
+++ b/src/mcp/tools/testPlanValidate.ts
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+import { validatePlan, buildHierarchySummary, type TestPlanInput } from './hierarchyValidate.js';
+
+// ── Zod schemas ───────────────────────────────────────────────────────────────
+
+const testCaseSchema = z.object({
+  name: z.string().describe('Test case filename (e.g. CreateAccount.testcase)'),
+  xml_content: z.string().optional().describe('Full XML content of the test case file'),
+  xml: z.string().optional().describe('Full XML content (API-compatible alias for xml_content)'),
+}).refine(
+  (d) => d.xml_content !== undefined || d.xml !== undefined,
+  { message: 'Either xml_content or xml must be provided' }
+);
+
+const innerSuiteSchema = z.object({
+  name: z.string().describe('Suite name'),
+  test_cases: z.array(testCaseSchema).optional().describe('Test cases in this suite'),
+  test_case_count: z.number().int().min(0).optional().describe('Explicit test case count for size check'),
+});
+
+const suiteSchema = z.object({
+  name: z.string().describe('Test suite name'),
+  test_cases: z.array(testCaseSchema).optional().describe('Test cases directly in this suite'),
+  test_suites: z.array(innerSuiteSchema).optional().describe('Child suites (one level deep)'),
+  test_case_count: z.number().int().min(0).optional().describe('Explicit test case count for size check'),
+});
+
+const metadataSchema = z.object({
+  objectives: z.string().optional().describe('Testing objectives for this plan (configured in Provar Quality Hub)'),
+  in_scope: z.string().optional().describe('Features and areas in scope (configured in Provar Quality Hub)'),
+  testing_methodology: z.string().optional().describe('Testing approach, e.g. risk-based, regression, exploratory (configured in Provar Quality Hub)'),
+  acceptance_criteria: z.string().optional().describe('Criteria to determine when testing is complete (configured in Provar Quality Hub)'),
+  acceptable_pass_rate: z.number().min(0).max(100).optional().describe('Minimum pass rate 0-100 for the plan to be considered successful (configured in Provar Quality Hub)'),
+  environments: z.array(z.string()).optional().describe('Target environments, e.g. ["QA", "Staging", "UAT"] (configured in Provar Quality Hub)'),
+  test_data_strategy: z.string().optional().describe('How test data will be prepared and cleaned up (configured in Provar Quality Hub)'),
+  risks: z.string().optional().describe('Identified risks and mitigations (configured in Provar Quality Hub)'),
+}).optional().describe('Plan completeness metadata — these fields are configured in the Provar Quality Hub app, not in local project files');
+
+export function registerTestPlanValidate(server: McpServer): void {
+  server.tool(
+    'provar.testplan.validate',
+    'Validate a Provar test plan: checks for empty plans, duplicate suite names, oversized plans (>20 suites), plan completeness (objectives, scope, methodology, environments, acceptance criteria, test data strategy, risk assessment), and naming consistency. Recursively validates child suites and test cases. Returns quality score, plan-level violations, and full hierarchy results.',
+    {
+      plan_name: z.string().describe('Name of the test plan'),
+      test_suites: z.array(suiteSchema).optional().describe('Test suites belonging to this plan'),
+      test_cases: z.array(testCaseSchema).optional().describe('Test cases directly in this plan (not in a suite)'),
+      test_suite_count: z.number().int().min(0).optional().describe('Explicit suite count for size check (overrides counting test_suites)'),
+      metadata: metadataSchema,
+      quality_threshold: z.number().min(0).max(100).optional().describe('Minimum quality score for a test case to be considered valid (default: 80)'),
+    },
+    ({ plan_name, test_suites, test_cases, test_suite_count, metadata, quality_threshold }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testplan.validate', { requestId, plan_name });
+
+      try {
+        const threshold = quality_threshold ?? 80;
+        const input: TestPlanInput = {
+          name: plan_name,
+          test_suites: test_suites ?? [],
+          test_cases: test_cases ?? [],
+          test_suite_count,
+          metadata: metadata ?? {},
+        };
+
+        const result = validatePlan(input, threshold);
+        const summary = buildHierarchySummary(result);
+        const response = { requestId, ...result, summary };
+
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error;
+        const errResult = makeError('VALIDATE_ERROR', error.message, requestId, false);
+        log('error', 'provar.testplan.validate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
diff --git a/src/mcp/tools/testSuiteValidate.ts b/src/mcp/tools/testSuiteValidate.ts
new file mode 100644
index 00000000..e1ceea41
--- /dev/null
+++ b/src/mcp/tools/testSuiteValidate.ts
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { makeError, makeRequestId } from '../schemas/common.js';
+import { log } from '../logging/logger.js';
+import { validateSuite, buildHierarchySummary, type TestSuiteInput } from './hierarchyValidate.js';
+
+// ── Zod schemas ───────────────────────────────────────────────────────────────
+
+const testCaseSchema = z.object({
+  name: z.string().describe('Test case filename (e.g. CreateAccount.testcase)'),
+  xml_content: z.string().optional().describe('Full XML content of the test case file'),
+  xml: z.string().optional().describe('Full XML content (API-compatible alias for xml_content)'),
+}).refine(
+  (d) => d.xml_content !== undefined || d.xml !== undefined,
+  { message: 'Either xml_content or xml must be provided' }
+);
+
+const innerSuiteSchema = z.object({
+  name: z.string().describe('Child suite name'),
+  test_cases: z.array(testCaseSchema).optional().describe('Test cases in this child suite'),
+  test_case_count: z.number().int().min(0).optional().describe('Explicit test case count (overrides counting test_cases)'),
+});
+
+const childSuiteSchema = z.object({
+  name: z.string().describe('Child suite name'),
+  test_cases: z.array(testCaseSchema).optional().describe('Test cases in this suite'),
+  test_suites: z.array(innerSuiteSchema).optional().describe('Nested child suites (one level deep)'),
+  test_case_count: z.number().int().min(0).optional().describe('Explicit test case count for size check'),
+});
+
+export function registerTestSuiteValidate(server: McpServer): void {
+  server.tool(
+    'provar.testsuite.validate',
+    'Validate a Provar test suite: checks for empty suites, duplicate names, oversized suites (>75 tests), and naming convention consistency. Recursively validates child suites and individual test case XML. Returns quality score, suite-level violations, and per-test-case results.',
+    {
+      suite_name: z.string().describe('Name of the test suite'),
+      test_cases: z.array(testCaseSchema).optional().describe('Test cases directly in this suite'),
+      child_suites: z.array(childSuiteSchema).optional().describe('Child test suites (supports up to 2 levels of nesting)'),
+      test_case_count: z.number().int().min(0).optional().describe('Explicit total test case count for size check (overrides counting test_cases)'),
+      quality_threshold: z.number().min(0).max(100).optional().describe('Minimum quality score for a test case to be considered valid (default: 80)'),
+    },
+    ({ suite_name, test_cases, child_suites, test_case_count, quality_threshold }) => {
+      const requestId = makeRequestId();
+      log('info', 'provar.testsuite.validate', { requestId, suite_name });
+
+      try {
+        const threshold = quality_threshold ?? 80;
+        const input: TestSuiteInput = {
+          name: suite_name,
+          test_cases: test_cases ?? [],
+          test_suites: (child_suites ?? []) as TestSuiteInput[],
+          test_case_count,
+        };
+
+        const result = validateSuite(input, threshold);
+        const summary = buildHierarchySummary(result);
+        const response = { requestId, ...result, summary };
+
+        return {
+          content: [{ type: 'text' as const, text: JSON.stringify(response) }],
+          structuredContent: response,
+        };
+      } catch (err: unknown) {
+        const error = err as Error;
+        const errResult = makeError('VALIDATE_ERROR', error.message, requestId, false);
+        log('error', 'provar.testsuite.validate failed', { requestId, error: error.message });
+        return { isError: true, content: [{ type: 'text' as const, text: JSON.stringify(errResult) }] };
+      }
+    }
+  );
+}
diff --git a/src/services/projectValidation.ts b/src/services/projectValidation.ts
new file mode 100644
index 00000000..e54ccc97
--- /dev/null
+++ b/src/services/projectValidation.ts
@@ -0,0 +1,842 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import fs from 'node:fs';
+import path from 'node:path';
+import {
+  validateProject,
+  buildHierarchySummary,
+  type TestCaseInput,
+  type TestSuiteInput,
+  type TestPlanInput,
+  type ProjectInput,
+  type ProjectContext,
+  type ProjectResult,
+  type PlanResult,
+  type SuiteResult,
+  type TestCaseResult,
+  type HierarchyViolation,
+  type HierarchySummary,
+} from '../mcp/tools/hierarchyValidate.js';
+
+// ── Public error type ─────────────────────────────────────────────────────────
+
+export class ProjectValidationError extends Error {
+  public readonly code: string;
+  public constructor(code: string, message: string) {
+    super(message);
+    this.code = code;
+    this.name = 'ProjectValidationError';
+  }
+}
+
+// ── Public options / result types ─────────────────────────────────────────────
+
+export interface ProjectValidationOptions {
+  project_path: string;
+  quality_threshold?: number; // default 80
+  save_results?: boolean;      // default true (any value !== false means save)
+  results_dir?: string;        // default '{project_path}/provardx/validation'
+}
+
+export interface ValidatedTestCase {
+  name: string;
+  quality_score: number;
+  quality_tier: string;
+  status: string;
+  is_valid: boolean;
+  step_count: number;
+  error_count: number;
+  warning_count: number;
+  issues: TestCaseResult['issues'];
+}
+
+export interface ValidatedChildSuite {
+  name: string;
+  quality_score: number;
+  violations: HierarchyViolation[];
+  test_case_count: number;
+}
+
+export interface ValidatedSuite {
+  name: string;
+  quality_score: number;
+  violations: HierarchyViolation[];
+  test_cases: ValidatedTestCase[];
+  child_suites: ValidatedChildSuite[];
+}
+
+export interface ValidatedPlan {
+  name: string;
+  quality_score: number;
+  violations: HierarchyViolation[];
+  suites: ValidatedSuite[];
+  unplanned_test_cases: Array<{
+    name: string;
+    quality_score: number;
+    status: string;
+    error_count: number;
+    issues: TestCaseResult['issues'];
+  }>;
+}
+
+export interface ProjectValidationResult {
+  project_path: string;
+  project_name: string;
+  quality_score: number;
+  quality_tier: string;
+  quality_grade: string;
+  summary: HierarchySummary;
+  project_violations: HierarchyViolation[];
+  plans: ValidatedPlan[];
+  coverage: {
+    total_test_cases_on_disk: number;
+    covered_by_plans: number;
+    uncovered_count: number;
+    uncovered_test_cases: string[];
+  };
+  saved_to: string | null;
+  /** Set when save_results was requested but the write failed (disk full, permissions, etc.). */
+  save_error?: string;
+}
+
+// ── Quality tier / grade helpers ──────────────────────────────────────────────
+
+export function toQualityTier(score: number): string {
+  if (score >= 95) return 'S';
+  if (score >= 85) return 'A';
+  if (score >= 75) return 'B';
+  if (score >= 65) return 'C';
+  return 'D';
+}
+
+export function toQualityGrade(score: number): string {
+  if (score >= 95) return 'Excellent';
+  if (score >= 90) return 'Great';
+  if (score >= 80) return 'Good';
+  if (score >= 70) return 'Fair';
+  return 'Poor';
+}
+
+export function toTitleCase(s: string): string {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
+
+// ── Project root auto-detection ───────────────────────────────────────────────
+
+/**
+ * Given a path that may be a Provar workspace root (containing one or more project
+ * sub-directories) or the project root itself (contains .testproject), return the
+ * resolved project root.
+ *
+ * Detection order:
+ * 1. `.testproject` file present at given path → it is the project root
+ * 2. Exactly one sub-directory contains a `.testproject` → use that
+ * 3. Multiple sub-directories contain `.testproject` → return all candidates so the
+ * caller can surface a clear error rather than guessing
+ */
+export function resolveProjectRoot(givenPath: string): { root: string; candidates: string[] } {
+  if (fs.existsSync(path.join(givenPath, '.testproject'))) {
+    return { root: givenPath, candidates: [] };
+  }
+
+  // Scan one level deep
+  const candidates: string[] = [];
+  try {
+    for (const entry of fs.readdirSync(givenPath, { withFileTypes: true })) {
+      if (!entry.isDirectory() || entry.name.startsWith('.') || entry.name === 'node_modules') continue;
+      const sub = path.join(givenPath, entry.name);
+      if (fs.existsSync(path.join(sub, '.testproject'))) candidates.push(sub);
+    }
+  } catch { /* skip */ }
+
+  if (candidates.length === 1) return { root: candidates[0], candidates: [] };
+  return { root: givenPath, candidates }; // caller handles 0 or multiple
+}
+
+// ── Project context reader (from .testproject) ────────────────────────────────
+
+export function readProjectContext(projectPath: string): {
+  projectName: string;
+  context: ProjectContext;
+} {
+  const testProjectPath = path.join(projectPath, '.testproject');
+  const projectName = path.basename(projectPath);
+
+  if (!fs.existsSync(testProjectPath)) {
+    return { projectName, context: {} };
+  }
+
+  let content: string;
+  try {
+    content = fs.readFileSync(testProjectPath, 'utf-8');
+  } catch {
+    return { projectName, context: {} };
+  }
+
+  // Extract environment names
+  const envPattern = /<environment\s[^>]*\bname="([^"]+)"/g;
+  const environments: string[] = [];
+  let m: RegExpExecArray | null;
+  while ((m = envPattern.exec(content)) !== null) environments.push(m[1]);
+
+  // Extract connection names
+  const connPattern = /<connection\s[^>]*\bname="([^"]+)"/g;
+  const connectionNames: string[] = [];
+  while ((m = connPattern.exec(content)) !== null) connectionNames.push(m[1]);
+
+  // Check secrets encryption status
+  let secretsPasswordSet = false;
+  let unencryptedSecretCount = 0;
+  const secretsPathMatch = content.match(/<secureStoragePath>([^<]+)<\/secureStoragePath>/);
+  const secretsRelPath = secretsPathMatch?.[1]?.trim() ?? '.secrets';
+  const secretsFullPath = path.resolve(path.join(projectPath, secretsRelPath));
+  const projectPathResolved = path.resolve(projectPath);
+  // Bounds check: only read secrets file if it's within the project directory
+  const secretsInBounds = secretsFullPath === projectPathResolved || secretsFullPath.startsWith(projectPathResolved + path.sep);
+  if (secretsInBounds && fs.existsSync(secretsFullPath)) {
+    try {
+      const secretsContent = fs.readFileSync(secretsFullPath, 'utf-8');
+      secretsPasswordSet = secretsContent.includes('Encryptor.check=');
+      for (const line of secretsContent.split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('!')) continue;
+        if (trimmed.startsWith('Encryptor.check=')) continue;
+        const eqIdx = trimmed.indexOf('=');
+        if (eqIdx === -1) continue;
+        const value = trimmed.slice(eqIdx + 1).trim();
+        if (value && !value.startsWith('ENC1(')) unencryptedSecretCount++;
+      }
+    } catch { /* skip */ }
+  }
+
+  return {
+    projectName,
+    context: {
+      environments: environments.length ? environments : undefined,
+      connection_names: connectionNames.length ? connectionNames : undefined,
+      secretsPasswordSet,
+      unencrypted_secret_count: unencryptedSecretCount,
+    },
+  };
+}
+
+// ── Plan / suite / testinstance readers ───────────────────────────────────────
+
+interface TestInstanceFull {
+  testCase: TestCaseInput | null;
+  /** Normalised project-relative path from testCasePath field, or null if absent. */
+  testCasePath: string | null;
+  /** Raw testCaseId field value (UUID), or null if absent. */
+  testCaseId: string | null;
+}
+
+/**
+ * Internal: reads a .testinstance file exactly once and returns everything
+ * needed both for building TestCaseInput and for accumulating covered paths.
+ * Callers that only need TestCaseInput should use resolveTestInstance().
+ */
+function resolveTestInstanceFull(instancePath: string, projectPath: string): TestInstanceFull {
+  try {
+    const content = fs.readFileSync(instancePath, 'utf-8');
+    const pathMatch = content.match(/testCasePath=["']([^"']+)["']/);
+    const testCaseId = content.match(/testCaseId=["']([^"']+)["']/)?.[1] ?? null;
+    if (!pathMatch?.[1]) return { testCase: null, testCasePath: null, testCaseId };
+
+    const testCasePath = pathMatch[1].replace(/\\/g, '/');
+    const tcFullPath = path.resolve(path.join(projectPath, testCasePath));
+    const projResolved = path.resolve(projectPath);
+
+    let xml_content: string | undefined;
+    // Bounds check: only read test case files within the project directory
+    const tcInBounds = tcFullPath === projResolved || tcFullPath.startsWith(projResolved + path.sep);
+    // Derive name from the bounds-checked resolved path to prevent injection via crafted testCasePath
+    const tcName = tcInBounds
+      ? path.basename(tcFullPath, '.testcase')
+      : path.basename(testCasePath, '.testcase');
+    if (tcInBounds && fs.existsSync(tcFullPath)) {
+      try {
+        xml_content = fs.readFileSync(tcFullPath, 'utf-8');
+      } catch { /* xml_content stays undefined */ }
+    }
+
+    return { testCase: { name: tcName, xml_content }, testCasePath, testCaseId };
+  } catch {
+    return { testCase: null, testCasePath: null, testCaseId: null };
+  }
+}
+
+export function resolveTestInstance(instancePath: string, projectPath: string): TestCaseInput | null {
+  return resolveTestInstanceFull(instancePath, projectPath).testCase;
+}
+
+/** Max suite nesting depth — mirrors the guard in projectInspect.ts. */
+const MAX_SUITE_DEPTH = 10;
+
+/** Accumulates a covered path (and its UUID fallback) into the provided Set. */
+function accumulateCoveredPath(
+  testCasePath: string | null,
+  testCaseId: string | null,
+  coveredPaths: Set<string>,
+  idMap: Map<string, string>,
+): void {
+  if (testCasePath) coveredPaths.add(testCasePath);
+  if (testCaseId) {
+    const resolved = idMap.get(testCaseId);
+    if (resolved) coveredPaths.add(resolved);
+  }
+}
+
+export function readSuiteDirectory(
+  dirPath: string,
+  name: string,
+  projectPath: string,
+  depth = 0,
+  coveredPaths?: Set<string>,
+  idMap?: Map<string, string>,
+): TestSuiteInput {
+  const testCases: TestCaseInput[] = [];
+  const testSuites: TestSuiteInput[] = [];
+
+  if (depth > MAX_SUITE_DEPTH) return { name, test_cases: testCases, test_suites: testSuites };
+
+  try {
+    const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.name === 'node_modules') continue;
+      const fullPath = path.join(dirPath, entry.name);
+      if (entry.isDirectory() && !entry.name.startsWith('.')) {
+        testSuites.push(readSuiteDirectory(fullPath, entry.name, projectPath, depth + 1, coveredPaths, idMap));
+      } else if (entry.name.endsWith('.testinstance')) {
+        const { testCase, testCasePath, testCaseId } = resolveTestInstanceFull(fullPath, projectPath);
+        if (testCase) testCases.push(testCase);
+        if (coveredPaths && idMap) accumulateCoveredPath(testCasePath, testCaseId, coveredPaths, idMap);
+      }
+    }
+  } catch { /* skip */ }
+
+  return { name, test_cases: testCases, test_suites: testSuites };
+}
+
+export function readPlanDirectory(
+  planPath: string,
+  name: string,
+  projectPath: string,
+  coveredPaths?: Set<string>,
+  idMap?: Map<string, string>,
+): TestPlanInput {
+  const testCases: TestCaseInput[] = [];
+  const testSuites: TestSuiteInput[] = [];
+
+  try {
+    const entries = fs.readdirSync(planPath, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.name === 'node_modules') continue;
+      const fullPath = path.join(planPath, entry.name);
+      if (entry.isDirectory() && !entry.name.startsWith('.')) {
+        testSuites.push(readSuiteDirectory(fullPath, entry.name, projectPath, 0, coveredPaths, idMap));
+      } else if (entry.name.endsWith('.testinstance')) {
+        const { testCase, testCasePath, testCaseId } = resolveTestInstanceFull(fullPath, projectPath);
+        if (testCase) testCases.push(testCase);
+        if (coveredPaths && idMap) accumulateCoveredPath(testCasePath, testCaseId, coveredPaths, idMap);
+      }
+    }
+  } catch { /* skip */ }
+
+  return { name, test_cases: testCases, test_suites: testSuites };
+}
+
+export function readPlansDir(projectPath: string): { plans: TestPlanInput[]; coveredPaths: Set<string> } {
+  const plansDir = path.join(projectPath, 'plans');
+  const coveredPaths = new Set<string>();
+  if (!fs.existsSync(plansDir)) return { plans: [], coveredPaths };
+
+  // Build UUID→path map once so the plan walk can resolve testCaseId fallbacks
+  // without a separate pass over the tests/ directory later.
+  const idMap = buildTestCaseIdMap(projectPath);
+
+  const plans: TestPlanInput[] = [];
+  try {
+    const entries = fs.readdirSync(plansDir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isDirectory() || entry.name.startsWith('.') || entry.name === 'node_modules') continue;
+      const planPath = path.join(plansDir, entry.name);
+      plans.push(readPlanDirectory(planPath, entry.name, projectPath, coveredPaths, idMap));
+    }
+  } catch { /* skip */ }
+
+  return { plans, coveredPaths };
+}
+
+/**
+ * Builds a map of testcase UUID (registryId / id / guid) → project-relative path.
+ * Used as a fallback when testCasePath in a .testinstance file doesn't match
+ * the on-disk relative path exactly (e.g. different path separators, moved files).
+ */
+function buildTestCaseIdMap(projectPath: string): Map<string, string> {
+  const testsDir = path.join(projectPath, 'tests');
+  const idMap = new Map<string, string>();
+  if (!fs.existsSync(testsDir)) return idMap;
+
+  function walk(dir: string): void {
+    try {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        if (entry.name.startsWith('.') || entry.name === 'node_modules') continue;
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) { walk(fullPath); }
+        else if (entry.name.endsWith('.testcase')) {
+          try {
+            const content = fs.readFileSync(fullPath, 'utf-8');
+            const rel = path.relative(projectPath, fullPath).replace(/\\/g, '/');
+            for (const attr of ['registryId', 'id', 'guid'] as const) {
+              const m = content.match(new RegExp(`${attr}=["']([^"']+)["']`));
+              if (m?.[1] && !idMap.has(m[1])) idMap.set(m[1], rel);
+            }
+          } catch { /* skip */ }
+        }
+      }
+    } catch { /* skip */ }
+  }
+  walk(testsDir);
+  return idMap;
+}
+
+/**
+ * Collects all .testcase file basenames (without extension) found under tests/.
+ * Includes callable tests (visibility="Internal") that have no plan instances,
+ * so that checkCaseCalls can distinguish genuine missing-callee errors from
+ * valid callable references.
+ */
+export function collectAllTestCaseNames(projectPath: string): string[] {
+  const testsDir = path.join(projectPath, 'tests');
+  if (!fs.existsSync(testsDir)) return [];
+  const names: string[] = [];
+  function walk(dir: string): void {
+    try {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        if (entry.name.startsWith('.') || entry.name === 'node_modules') continue;
+        if (entry.isDirectory()) { walk(path.join(dir, entry.name)); }
+        else if (entry.name.endsWith('.testcase')) names.push(path.basename(entry.name, '.testcase'));
+      }
+    } catch { /* skip */ }
+  }
+  walk(testsDir);
+  return names;
+}
+
+/**
+ * @deprecated Covered paths are now computed as a byproduct of readPlansDir().
+ * Use the coveredPaths returned by readPlansDir() instead.
+ */
+export function collectCoveredPathsFromDisk(projectPath: string): Set<string> {
+  const plansDir = path.join(projectPath, 'plans');
+  const covered = new Set<string>();
+  if (!fs.existsSync(plansDir)) return covered;
+
+  // UUID fallback: testCaseId in .testinstance → registryId/id/guid in .testcase
+  const idMap = buildTestCaseIdMap(projectPath);
+
+  function walk(dir: string): void {
+    try {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        if (entry.name === 'node_modules') continue;
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) { walk(fullPath); }
+        else if (entry.name.endsWith('.testinstance')) {
+          try {
+            const content = fs.readFileSync(fullPath, 'utf-8');
+            // Primary: path-based match
+            const pathM = content.match(/testCasePath=["']([^"']+)["']/);
+            if (pathM?.[1]) covered.add(pathM[1].replace(/\\/g, '/'));
+            // Fallback: UUID match via testCaseId → testcase registryId/id/guid
+            const idM = content.match(/testCaseId=["']([^"']+)["']/);
+            if (idM?.[1]) {
+              const resolvedPath = idMap.get(idM[1]);
+              if (resolvedPath) covered.add(resolvedPath);
+            }
+          } catch { /* skip */ }
+        }
+      }
+    } catch { /* skip */ }
+  }
+  walk(plansDir);
+  return covered;
+}
+
+export function findUncoveredTestCases(projectPath: string, coveredPaths: Set<string>): string[] {
+  const testsDir = path.join(projectPath, 'tests');
+  if (!fs.existsSync(testsDir)) return [];
+
+  const uncovered: string[] = [];
+  function walk(dir: string): void {
+    try {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        if (entry.name.startsWith('.') || entry.name === 'node_modules') continue;
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) { walk(fullPath); }
+        else if (entry.name.endsWith('.testcase')) {
+          const rel = path.relative(projectPath, fullPath).replace(/\\/g, '/');
+          if (!coveredPaths.has(rel)) uncovered.push(rel);
+        }
+      }
+    } catch { /* skip */ }
+  }
+  walk(testsDir);
+  return uncovered.sort();
+}
+
+// ── QH-compatible output format ───────────────────────────────────────────────
+
+interface QhViolation {
+  number: number;
+  ruleId: string;
+  ruleName: string;
+  ruleDescription: string;
+  category: string;
+  severity: string;
+  weight: number;
+  message: string;
+  recommendation: string;
+  appliesTo: string;
+  testItemId?: number;
+}
+
+interface QhSection {
+  level: string;
+  contextName: string;
+  qualityScore: number;
+  qualityTier: string;
+  totalViolations: number;
+  violations: QhViolation[];
+}
+
+function hierarchyViolationToQh(v: HierarchyViolation, num: number): QhViolation {
+  return {
+    number: num,
+    ruleId: v.rule_id,
+    ruleName: v.name,
+    ruleDescription: v.description,
+    category: v.category,
+    severity: toTitleCase(v.severity),
+    weight: v.weight,
+    message: v.message,
+    recommendation: v.recommendation,
+    appliesTo: v.applies_to.join(';'),
+  };
+}
+
+function tcIssuesToQhViolations(tc: TestCaseResult): QhViolation[] {
+  const violations: QhViolation[] = [];
+  let num = 1;
+
+  for (const issue of tc.issues) {
+    violations.push({
+      number: num++,
+      ruleId: issue.rule_id,
+      ruleName: issue.rule_id,
+      ruleDescription: '',
+      category: 'Validation',
+      severity: issue.severity === 'ERROR' ? 'Major' : issue.severity === 'WARNING' ? 'Minor' : 'Info',
+      weight: issue.severity === 'ERROR' ? 5 : issue.severity === 'WARNING' ? 2 : 1,
+      message: issue.message,
+      recommendation: issue.suggestion ?? '',
+      appliesTo: issue.applies_to,
+    });
+  }
+
+  for (const bp of (tc.best_practices_violations ?? [])) {
+    violations.push({
+      number: num++,
+      ruleId: bp.rule_id,
+      ruleName: bp.name,
+      ruleDescription: bp.description,
+      category: bp.category,
+      severity: toTitleCase(bp.severity),
+      weight: bp.weight,
+      message: bp.message,
+      recommendation: bp.recommendation,
+      appliesTo: bp.applies_to.join(';'),
+    });
+  }
+
+  return violations;
+}
+
+function tcTotalViolations(tc: TestCaseResult): number {
+  return tc.issues.length + (tc.best_practices_violations?.length ?? 0);
+}
+
+function addSuiteSection(sections: QhSection[], suite: SuiteResult): void {
+  sections.push({
+    level: 'Test Suite',
+    contextName: suite.name,
+    qualityScore: suite.quality_score,
+    qualityTier: toQualityTier(suite.quality_score),
+    totalViolations: suite.violations.length,
+    violations: suite.violations.map((v, i) => hierarchyViolationToQh(v, i + 1)),
+  });
+
+  for (const child of suite.test_suites) addSuiteSection(sections, child);
+
+  for (const tc of suite.test_cases) {
+    const total = tcTotalViolations(tc);
+    if (total > 0) {
+      sections.push({
+        level: 'Test Case',
+        contextName: tc.name,
+        qualityScore: tc.quality_score,
+        qualityTier: toQualityTier(tc.quality_score),
+        totalViolations: total,
+        violations: tcIssuesToQhViolations(tc),
+      });
+    }
+  }
+}
+
+function addPlanSections(sections: QhSection[], plan: PlanResult): void {
+  sections.push({
+    level: 'Test Plan',
+    contextName: plan.name,
+    qualityScore: plan.quality_score,
+    qualityTier: toQualityTier(plan.quality_score),
+    totalViolations: plan.violations.length,
+    violations: plan.violations.map((v, i) => hierarchyViolationToQh(v, i + 1)),
+  });
+
+  for (const suite of plan.test_suites) addSuiteSection(sections, suite);
+
+  for (const tc of plan.test_cases) {
+    const total = tcTotalViolations(tc);
+    if (total > 0) {
+      sections.push({
+        level: 'Test Case',
+        contextName: tc.name,
+        qualityScore: tc.quality_score,
+        qualityTier: toQualityTier(tc.quality_score),
+        totalViolations: total,
+        violations: tcIssuesToQhViolations(tc),
+      });
+    }
+  }
+}
+
+function flattenToSections(result: ProjectResult): QhSection[] {
+  const sections: QhSection[] = [];
+
+  sections.push({
+    level: 'Project',
+    contextName: result.name,
+    qualityScore: result.quality_score,
+    qualityTier: toQualityTier(result.quality_score),
+    totalViolations: result.violations.length,
+    violations: result.violations.map((v, i) => hierarchyViolationToQh(v, i + 1)),
+  });
+
+  for (const suite of result.test_suites) addSuiteSection(sections, suite);
+
+  for (const tc of result.test_cases) {
+    const total = tcTotalViolations(tc);
+    if (total > 0) {
+      sections.push({
+        level: 'Test Case',
+        contextName: tc.name,
+        qualityScore: tc.quality_score,
+        qualityTier: toQualityTier(tc.quality_score),
+        totalViolations: total,
+        violations: tcIssuesToQhViolations(tc),
+      });
+    }
+  }
+
+  for (const plan of result.test_plans) addPlanSections(sections, plan);
+
+  return sections;
+}
+
+export function buildQhReport(result: ProjectResult, projectName: string): Record<string, unknown> {
+  const now = new Date();
+  const summary = buildHierarchySummary(result);
+
+  return {
+    reportInfo: {
+      name: `VR-LOCAL-${now.toISOString().replace(/[:.]/g, '-').slice(0, 19)}`,
+      generatedAt: now.toLocaleDateString('en-US', { year: 'numeric', month: 'short', day: 'numeric', hour: '2-digit', minute: '2-digit' }),
+      exportedAt: now.toISOString(),
+      source: 'provar-mcp-local',
+    },
+    summary: {
+      qualityScore: result.quality_score,
+      qualityGrade: toQualityGrade(result.quality_score),
+      totalViolations: summary.total_violations,
+      criticalViolations: summary.violations_by_severity.critical,
+      majorViolations: summary.violations_by_severity.major,
+      minorViolations: summary.violations_by_severity.minor,
+      infoViolations: summary.violations_by_severity.info,
+    },
+    context: {
+      validationLevel: 'Project',
+      testProjectName: projectName,
+    },
+    sections: flattenToSections(result),
+  };
+}
+
+export function saveResults(
+  projectPath: string,
+  resultsDir: string | undefined,
+  report: Record<string, unknown>,
+  projectName: string
+): string {
+  const targetDir = resultsDir
+    ? path.resolve(resultsDir)
+    : path.join(projectPath, 'provardx', 'validation');
+
+  fs.mkdirSync(targetDir, { recursive: true });
+
+  const timestamp = new Date().toISOString().replace(/[:.]/g, '-').slice(0, 19);
+  const safeName = projectName.replace(/[^a-zA-Z0-9_-]/g, '-').toLowerCase();
+  const fileName = `${timestamp}-${safeName}.json`;
+  const filePath = path.join(targetDir, fileName);
+
+  fs.writeFileSync(filePath, JSON.stringify(report, null, 2), 'utf-8');
+  // Return absolute path when results_dir is provided (avoids ugly ../../../../ relative traversal),
+  // relative path otherwise (matches project-relative convention).
+  if (resultsDir) return filePath.replace(/\\/g, '/');
+  return path.relative(projectPath, filePath).replace(/\\/g, '/');
+}
+
+// ── Main exported function ────────────────────────────────────────────────────
+
+/**
+ * Validate a Provar project from a path on disk.
+ *
+ * Throws ProjectValidationError for user-facing problems (path not found,
+ * ambiguous project, not a Provar project directory). Lets unexpected I/O
+ * errors propagate as-is.
+ */
+export function validateProjectFromPath(
+  options: ProjectValidationOptions
+): ProjectValidationResult {
+  const { project_path, quality_threshold, save_results, results_dir } = options;
+  const resolved = path.resolve(project_path);
+
+  if (!fs.existsSync(resolved)) {
+    throw new ProjectValidationError('PATH_NOT_FOUND', `Project path does not exist: ${resolved}`);
+  }
+
+  const { root: projectRoot, candidates } = resolveProjectRoot(resolved);
+
+  if (candidates.length > 1) {
+    throw new ProjectValidationError(
+      'AMBIGUOUS_PROJECT',
+      `Multiple Provar projects found under "${resolved}". Specify the exact project directory: ${candidates.map((c) => path.basename(c)).join(', ')}`
+    );
+  }
+
+  if (!fs.existsSync(path.join(projectRoot, '.testproject'))) {
+    throw new ProjectValidationError(
+      'NOT_A_PROJECT',
+      `No Provar project found at "${projectRoot}". Ensure the path points to a directory containing a .testproject file.`
+    );
+  }
+
+  const threshold = quality_threshold ?? 80;
+
+  // 1. Read project context from .testproject
+  const { projectName, context } = readProjectContext(projectRoot);
+
+  // 2. Read plan hierarchy from plans/ directory; covered paths are computed
+  //    as a byproduct of the walk — no second traversal needed.
+  const { plans: testPlans, coveredPaths } = readPlansDir(projectRoot);
+
+  // 3. Validate
+  const input: ProjectInput = {
+    name: projectName,
+    test_plans: testPlans,
+    test_suites: [],
+    test_cases: [],
+    project_context: context,
+    all_disk_test_case_names: collectAllTestCaseNames(projectRoot),
+  };
+
+  const result = validateProject(input, threshold);
+  const summary = buildHierarchySummary(result);
+
+  // 4. Find uncovered test cases and compute accurate disk counts
+  // coveredPaths was already built during step 2 — no second directory walk.
+  const uncoveredTestCases = findUncoveredTestCases(projectRoot, coveredPaths);
+  // Count only covered references where the .testcase file actually exists on disk
+  const coveredOnDisk = [...coveredPaths].filter((rel) => fs.existsSync(path.join(projectRoot, rel))).length;
+
+  // 5. Build detailed plan results
+  const plans: ValidatedPlan[] = result.test_plans.map((p) => ({
+    name: p.name,
+    quality_score: p.quality_score,
+    violations: p.violations,
+    suites: p.test_suites.map((s) => ({
+      name: s.name,
+      quality_score: s.quality_score,
+      violations: s.violations,
+      test_cases: s.test_cases.map((tc) => ({
+        name: tc.name,
+        quality_score: tc.quality_score,
+        quality_tier: toQualityTier(tc.quality_score),
+        status: tc.status,
+        is_valid: tc.is_valid,
+        step_count: tc.step_count,
+        error_count: tc.error_count,
+        warning_count: tc.warning_count,
+        issues: tc.issues,
+      })),
+      child_suites: s.test_suites.map((cs) => ({
+        name: cs.name,
+        quality_score: cs.quality_score,
+        violations: cs.violations,
+        test_case_count: cs.test_cases.length,
+      })),
+    })),
+    unplanned_test_cases: p.test_cases.map((tc) => ({
+      name: tc.name,
+      quality_score: tc.quality_score,
+      status: tc.status,
+      error_count: tc.error_count,
+      issues: tc.issues,
+    })),
+  }));
+
+  // 6. Optionally save QH report
+  let savedTo: string | null = null;
+  let saveError: string | undefined;
+  if (save_results !== false) {
+    const report = buildQhReport(result, projectName);
+    try {
+      savedTo = saveResults(projectRoot, results_dir, report, projectName);
+    } catch (err) {
+      saveError = (err as Error).message;
+    }
+  }
+
+  return {
+    project_path: projectRoot,
+    project_name: projectName,
+    quality_score: result.quality_score,
+    quality_tier: toQualityTier(result.quality_score),
+    quality_grade: toQualityGrade(result.quality_score),
+    summary,
+    project_violations: result.violations,
+    plans,
+    coverage: {
+      total_test_cases_on_disk: coveredOnDisk + uncoveredTestCases.length,
+      covered_by_plans: coveredOnDisk,
+      uncovered_count: uncoveredTestCases.length,
+      uncovered_test_cases: uncoveredTestCases,
+    },
+    saved_to: savedTo,
+    save_error: saveError,
+  };
+}
diff --git a/test/tsconfig.json b/test/tsconfig.json
index 75ff8e64..cd4bbd09 100644
--- a/test/tsconfig.json
+++ b/test/tsconfig.json
@@ -3,12 +3,14 @@
   "compilerOptions": {
     "outDir": "lib",
     "esModuleInterop": true,
-    "resolveJsonModule": true
+    "resolveJsonModule": true,
+    "skipLibCheck": true
   },
   "include": [
     "./**/*.ts"
   ],
   "exclude": [
-    "../node_modules"
+    "../node_modules",
+    "./lib"
   ]
 }
\ No newline at end of file
diff --git a/test/unit/commands/quality-hub/connect.test.ts b/test/unit/commands/quality-hub/connect.test.ts
new file mode 100644
index 00000000..fb0cac80
--- /dev/null
+++ b/test/unit/commands/quality-hub/connect.test.ts
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import SfProvarQualityHubConnect from '../../../../src/commands/provar/quality-hub/connect.js';
+
+describe('SfProvarQualityHubConnect', () => {
+  it('has provar:manager:connect alias for backwards compatibility', () => {
+    assert.ok(
+      Array.isArray(SfProvarQualityHubConnect.aliases),
+      'aliases must be an array'
+    );
+    assert.ok(
+      SfProvarQualityHubConnect.aliases.includes('provar:manager:connect'),
+      'Must alias provar:manager:connect'
+    );
+  });
+
+  it('has deprecateAliases=true so oclif emits a deprecation warning on old name', () => {
+    assert.equal(SfProvarQualityHubConnect.deprecateAliases, true);
+  });
+});
diff --git a/test/unit/commands/quality-hub/display.test.ts b/test/unit/commands/quality-hub/display.test.ts
new file mode 100644
index 00000000..a45cbd2a
--- /dev/null
+++ b/test/unit/commands/quality-hub/display.test.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import SfProvarQualityHubDisplay from '../../../../src/commands/provar/quality-hub/display.js';
+
+describe('SfProvarQualityHubDisplay', () => {
+  it('has provar:manager:display alias for backwards compatibility', () => {
+    assert.ok(Array.isArray(SfProvarQualityHubDisplay.aliases));
+    assert.ok(SfProvarQualityHubDisplay.aliases.includes('provar:manager:display'));
+  });
+
+  it('has deprecateAliases=true', () => {
+    assert.equal(SfProvarQualityHubDisplay.deprecateAliases, true);
+  });
+});
diff --git a/test/unit/commands/quality-hub/open.test.ts b/test/unit/commands/quality-hub/open.test.ts
new file mode 100644
index 00000000..4d473864
--- /dev/null
+++ b/test/unit/commands/quality-hub/open.test.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import SfProvarQualityHubOpen from '../../../../src/commands/provar/quality-hub/open.js';
+
+describe('SfProvarQualityHubOpen', () => {
+  it('has provar:manager:open alias for backwards compatibility', () => {
+    assert.ok(Array.isArray(SfProvarQualityHubOpen.aliases));
+    assert.ok(SfProvarQualityHubOpen.aliases.includes('provar:manager:open'));
+  });
+
+  it('has deprecateAliases=true', () => {
+    assert.equal(SfProvarQualityHubOpen.deprecateAliases, true);
+  });
+});
diff --git a/test/unit/commands/quality-hub/test.run.abort.test.ts b/test/unit/commands/quality-hub/test.run.abort.test.ts
new file mode 100644
index 00000000..154cdf58
--- /dev/null
+++ b/test/unit/commands/quality-hub/test.run.abort.test.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import SfProvarQualityHubTestRunAbort from '../../../../src/commands/provar/quality-hub/test/run/abort.js';
+
+describe('SfProvarQualityHubTestRunAbort', () => {
+  it('has provar:manager:test:run:abort alias for backwards compatibility', () => {
+    assert.ok(Array.isArray(SfProvarQualityHubTestRunAbort.aliases));
+    assert.ok(SfProvarQualityHubTestRunAbort.aliases.includes('provar:manager:test:run:abort'));
+  });
+
+  it('has deprecateAliases=true', () => {
+    assert.equal(SfProvarQualityHubTestRunAbort.deprecateAliases, true);
+  });
+});
diff --git a/test/unit/commands/quality-hub/test.run.report.test.ts b/test/unit/commands/quality-hub/test.run.report.test.ts
new file mode 100644
index 00000000..9b1eb2b5
--- /dev/null
+++ b/test/unit/commands/quality-hub/test.run.report.test.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import SfProvarQualityHubTestRunReport from '../../../../src/commands/provar/quality-hub/test/run/report.js';
+
+describe('SfProvarQualityHubTestRunReport', () => {
+  it('has provar:manager:test:run:report alias for backwards compatibility', () => {
+    assert.ok(Array.isArray(SfProvarQualityHubTestRunReport.aliases));
+    assert.ok(SfProvarQualityHubTestRunReport.aliases.includes('provar:manager:test:run:report'));
+  });
+
+  it('has deprecateAliases=true', () => {
+    assert.equal(SfProvarQualityHubTestRunReport.deprecateAliases, true);
+  });
+});
diff --git a/test/unit/commands/quality-hub/test.run.test.ts b/test/unit/commands/quality-hub/test.run.test.ts
new file mode 100644
index 00000000..5fdcf6c9
--- /dev/null
+++ b/test/unit/commands/quality-hub/test.run.test.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import SfProvarQualityHubTestRun from '../../../../src/commands/provar/quality-hub/test/run.js';
+
+describe('SfProvarQualityHubTestRun', () => {
+  it('has provar:manager:test:run alias for backwards compatibility', () => {
+    assert.ok(Array.isArray(SfProvarQualityHubTestRun.aliases));
+    assert.ok(SfProvarQualityHubTestRun.aliases.includes('provar:manager:test:run'));
+  });
+
+  it('has deprecateAliases=true', () => {
+    assert.equal(SfProvarQualityHubTestRun.deprecateAliases, true);
+  });
+});
diff --git a/test/unit/commands/quality-hub/testcase.retrieve.test.ts b/test/unit/commands/quality-hub/testcase.retrieve.test.ts
new file mode 100644
index 00000000..0ee63ffd
--- /dev/null
+++ b/test/unit/commands/quality-hub/testcase.retrieve.test.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import SfProvarQualityHubTestcaseRetrieve from '../../../../src/commands/provar/quality-hub/testcase/retrieve.js';
+
+describe('SfProvarQualityHubTestcaseRetrieve', () => {
+  it('has provar:manager:testcase:retrieve alias for backwards compatibility', () => {
+    assert.ok(Array.isArray(SfProvarQualityHubTestcaseRetrieve.aliases));
+    assert.ok(SfProvarQualityHubTestcaseRetrieve.aliases.includes('provar:manager:testcase:retrieve'));
+  });
+
+  it('has deprecateAliases=true', () => {
+    assert.equal(SfProvarQualityHubTestcaseRetrieve.deprecateAliases, true);
+  });
+});
diff --git a/test/unit/mcp/antTools.test.ts b/test/unit/mcp/antTools.test.ts
new file mode 100644
index 00000000..1cb386e6
--- /dev/null
+++ b/test/unit/mcp/antTools.test.ts
@@ -0,0 +1,690 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, beforeEach, afterEach } from 'mocha';
+import { registerAntGenerate, validateAntXml } from '../../../src/mcp/tools/antTools.js';
+import type { ServerConfig } from '../../../src/mcp/server.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+// Note: bypasses Zod parsing — always pass explicit values for fields with defaults.
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// Minimal valid inputs for the generate tool (all fields with defaults supplied explicitly,
+// since we bypass Zod and defaults are not applied by the mock server).
+function minimalInput(overrides: Record<string, unknown> = {}): Record<string, unknown> {
+  return {
+    provar_home: 'C:/Program Files/Provar/',
+    project_path: '..',
+    results_path: '../ANT/Results',
+    filesets: [{ dir: '../tests' }],
+    web_browser: 'Chrome',
+    web_browser_configuration: 'Full Screen',
+    web_browser_provider_name: 'Desktop',
+    web_browser_device_name: 'Full Screen',
+    test_environment: '',
+    salesforce_metadata_cache: 'Reuse',
+    results_path_disposition: 'Increment',
+    test_output_level: 'BASIC',
+    plugin_output_level: 'WARNING',
+    stop_test_run_on_error: false,
+    exclude_callable_test_cases: true,
+    invoke_test_run_monitor: true,
+    secrets_password: '${env.ProvarSecretsPassword}',
+    dry_run: true,
+    overwrite: false,
+    ...overrides,
+  };
+}
+
+// Minimal valid ANT XML for the validate tool.
+const VALID_ANT = `<?xml version="1.0" encoding="UTF-8"?>
+<project default="runtests">
+  <taskdef name="Provar-Compile" classname="com.provar.testrunner.ant.CompileTask" classpath="/provar/ant/ant-provar.jar"/>
+  <taskdef name="Run-Test-Case" classname="com.provar.testrunner.ant.RunnerTask" classpath="/provar/ant/ant-provar.jar"/>
+  <target name="runtests">
+    <Provar-Compile provarHome="/provar" projectPath=".."/>
+    <Run-Test-Case provarHome="/provar" projectPath=".." resultsPath="../ANT/Results" webBrowser="Chrome">
+      <fileset dir="../tests"/>
+    </Run-Test-Case>
+  </target>
+</project>`;
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+let tmpDir: string;
+let server: MockMcpServer;
+let config: ServerConfig;
+
+beforeEach(() => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'anttools-test-'));
+  server = new MockMcpServer();
+  config = { allowedPaths: [tmpDir] };
+  registerAntGenerate(server as never, config);
+});
+
+afterEach(() => {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
+});
+
+// ── provar.ant.generate ────────────────────────────────────────────────────────
+
+describe('provar.ant.generate', () => {
+  describe('dry_run', () => {
+    it('returns xml_content without writing to disk', () => {
+      const result = server.call('provar.ant.generate', minimalInput());
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.ok(typeof body['xml_content'] === 'string' && body['xml_content'].length > 0);
+      assert.equal(body['written'], false);
+      assert.equal(body['dry_run'], true);
+    });
+
+    it('does NOT write a file even when output_path is provided', () => {
+      const outPath = path.join(tmpDir, 'build.xml');
+      server.call('provar.ant.generate', minimalInput({ output_path: outPath, dry_run: true }));
+
+      assert.equal(fs.existsSync(outPath), false, 'file must not be written in dry_run mode');
+    });
+  });
+
+  describe('generated XML structure', () => {
+    function getXml(overrides: Record<string, unknown> = {}): string {
+      const result = server.call('provar.ant.generate', minimalInput(overrides));
+      return parseText(result)['xml_content'] as string;
+    }
+
+    it('produces a <project default="runtests"> root element', () => {
+      const xml = getXml();
+      assert.ok(xml.includes('<project default="runtests">'), 'Expected <project default="runtests">');
+    });
+
+    it('includes <taskdef> for CompileTask', () => {
+      const xml = getXml();
+      assert.ok(
+        xml.includes('com.provar.testrunner.ant.CompileTask'),
+        'Expected CompileTask taskdef'
+      );
+    });
+
+    it('includes <taskdef> for RunnerTask', () => {
+      const xml = getXml();
+      assert.ok(
+        xml.includes('com.provar.testrunner.ant.RunnerTask'),
+        'Expected RunnerTask taskdef'
+      );
+    });
+
+    it('includes <taskdef> for TestCycleReportTask', () => {
+      const xml = getXml();
+      assert.ok(
+        xml.includes('com.provar.testrunner.ant.TestCycleReportTask'),
+        'Expected TestCycleReportTask taskdef'
+      );
+    });
+
+    it('includes <Provar-Compile> step', () => {
+      const xml = getXml();
+      assert.ok(xml.includes('<Provar-Compile'), 'Expected <Provar-Compile> step');
+    });
+
+    it('includes <Run-Test-Case> element', () => {
+      const xml = getXml();
+      assert.ok(xml.includes('<Run-Test-Case'), 'Expected <Run-Test-Case> element');
+    });
+
+    it('sets provarHome via the property reference', () => {
+      const xml = getXml();
+      assert.ok(xml.includes('provarHome="${provar.home}"'), 'Expected provarHome property ref');
+    });
+
+    it('sets projectPath via the property reference', () => {
+      const xml = getXml();
+      assert.ok(xml.includes('projectPath="${testproject.home}"'), 'Expected projectPath property ref');
+    });
+
+    it('sets the provar.home property to the provided provar_home value', () => {
+      const xml = getXml({ provar_home: 'D:/Provar/' });
+      assert.ok(
+        xml.includes('<property name="provar.home" value="D:/Provar/"/>'),
+        'Expected provar.home property'
+      );
+    });
+
+    it('renders webBrowser attribute', () => {
+      const xml = getXml({ web_browser: 'Chrome_Headless' });
+      assert.ok(xml.includes('webBrowser="Chrome_Headless"'), 'Expected webBrowser attribute');
+    });
+
+    it('renders salesforceMetadataCache attribute (correct spelling)', () => {
+      const xml = getXml({ salesforce_metadata_cache: 'Refresh' });
+      assert.ok(
+        xml.includes('salesforceMetadataCache="Refresh"'),
+        'Expected salesforceMetadataCache (not saleforce...)'
+      );
+    });
+
+    it('renders excludeCallableTestCases attribute', () => {
+      const xml = getXml({ exclude_callable_test_cases: true });
+      assert.ok(xml.includes('excludeCallableTestCases="true"'));
+    });
+
+    it('renders stopTestRunOnError attribute', () => {
+      const xml = getXml({ stop_test_run_on_error: true });
+      assert.ok(xml.includes('stopTestRunOnError="true"'));
+    });
+
+    it('includes a simple <fileset> element with the correct dir', () => {
+      const xml = getXml({ filesets: [{ dir: '../tests/Scenarios' }] });
+      assert.ok(xml.includes('dir="../tests/Scenarios"'), 'Expected fileset dir');
+    });
+
+    it('adds <include> elements when includes are provided', () => {
+      const xml = getXml({
+        filesets: [{ dir: '../tests/Suite', includes: ['LoginTest.testcase', 'LogoutTest.testcase'] }],
+      });
+      assert.ok(xml.includes('<include name="LoginTest.testcase"/>'));
+      assert.ok(xml.includes('<include name="LogoutTest.testcase"/>'));
+    });
+
+    it('sets fileset id="testplan" for plan-based runs', () => {
+      const xml = getXml({
+        filesets: [{ id: 'testplan', dir: '../plans/Smoke' }],
+      });
+      assert.ok(xml.includes('id="testplan"'), 'Expected fileset id attribute');
+      assert.ok(xml.includes('dir="../plans/Smoke"'));
+    });
+
+    it('renders multiple filesets', () => {
+      const xml = getXml({
+        filesets: [
+          { dir: '../tests/Suite1', includes: ['Test1.testcase'] },
+          { dir: '../tests/Suite2', includes: ['Test2.testcase'] },
+        ],
+      });
+      assert.ok(xml.includes('dir="../tests/Suite1"'));
+      assert.ok(xml.includes('dir="../tests/Suite2"'));
+    });
+
+    it('renders <planFeature> elements when provided', () => {
+      const xml = getXml({
+        plan_features: [
+          { name: 'PDF', type: 'OUTPUT', enabled: true },
+          { name: 'PIECHART', type: 'OUTPUT', enabled: false },
+        ],
+      });
+      assert.ok(xml.includes('<planFeature name="PDF" type="OUTPUT" enabled="true"/>'));
+      assert.ok(xml.includes('<planFeature name="PIECHART" type="OUTPUT" enabled="false"/>'));
+    });
+
+    it('renders <emailProperties> when email_properties is provided', () => {
+      const xml = getXml({
+        email_properties: {
+          send_email: true,
+          primary_recipients: 'test@example.com',
+          cc_recipients: '',
+          bcc_recipients: '',
+          email_subject: 'Test run report',
+          attach_execution_report: true,
+          attach_zip: false,
+        },
+      });
+      assert.ok(xml.includes('<emailProperties'), 'Expected <emailProperties>');
+      assert.ok(xml.includes('sendEmail="true"'));
+      assert.ok(xml.includes('primaryRecipients="test@example.com"'));
+    });
+
+    it('renders <attachmentProperties> when attachment_properties is provided', () => {
+      const xml = getXml({
+        attachment_properties: {
+          include_all_failures_in_summary: true,
+          include_only_failures: false,
+          include_bdd: false,
+          include_skipped: false,
+          include_test_case_description: false,
+          include_screenshots: true,
+          include_warning_messages: false,
+          include_info_messages: false,
+          include_debug_messages: false,
+          include_test_step_time: true,
+          include_test_step_path_hierarchy: true,
+          include_full_screen_shot: false,
+        },
+      });
+      assert.ok(xml.includes('<attachmentProperties'), 'Expected <attachmentProperties>');
+      assert.ok(xml.includes('includeAllFailuresInSummary="true"'));
+      assert.ok(xml.includes('includeScreenshots="true"'));
+    });
+
+    it('does not include <emailProperties> when email_properties is omitted', () => {
+      const xml = getXml();
+      assert.equal(xml.includes('<emailProperties'), false);
+    });
+
+    it('does not include <attachmentProperties> when attachment_properties is omitted', () => {
+      const xml = getXml();
+      assert.equal(xml.includes('<attachmentProperties'), false);
+    });
+
+    it('omits optional test_cycle_path attribute when not provided', () => {
+      const xml = getXml();
+      assert.equal(xml.includes('testCyclePath'), false);
+    });
+
+    it('renders testCyclePath and testCycleRunType when provided', () => {
+      const xml = getXml({
+        test_cycle_path: '../TestCycle',
+        test_cycle_run_type: 'ALL',
+      });
+      assert.ok(xml.includes('testCyclePath="${testcycle.path}"'));
+      assert.ok(xml.includes('testCycleRunType="ALL"'));
+    });
+
+    it('renders licensePath when provided', () => {
+      const xml = getXml({ license_path: '${env.PROVAR_HOME}/.licenses' });
+      assert.ok(xml.includes('licensePath='));
+    });
+
+    it('renders smtpPath when provided', () => {
+      const xml = getXml({ smtp_path: '${env.PROVAR_HOME}/.smtp' });
+      assert.ok(xml.includes('smtpPath='));
+    });
+
+    it('renders dontFailBuild when provided', () => {
+      const xml = getXml({ dont_fail_build: true });
+      assert.ok(xml.includes('dontFailBuild="true"'));
+    });
+
+    it('escapes XML special characters in provar_home', () => {
+      const xml = getXml({ provar_home: 'C:/Provar & "Test"/' });
+      assert.ok(xml.includes('&amp;'), 'Expected & escaped');
+      assert.ok(xml.includes('&quot;'), 'Expected " escaped');
+    });
+
+    it('escapes XML special characters in fileset dir', () => {
+      const xml = getXml({ filesets: [{ dir: '../tests/<Special>' }] });
+      assert.ok(xml.includes('&lt;') && xml.includes('&gt;'), 'Expected < > escaped in fileset dir');
+    });
+  });
+
+  describe('writing to disk', () => {
+    it('writes file when dry_run=false and output_path provided', () => {
+      const outPath = path.join(tmpDir, 'build.xml');
+      const result = server.call('provar.ant.generate', minimalInput({ output_path: outPath, dry_run: false }));
+
+      assert.equal(isError(result), false);
+      assert.equal(fs.existsSync(outPath), true, 'file should be written');
+      assert.equal(parseText(result)['written'], true);
+    });
+
+    it('written file contains valid XML with <project> root', () => {
+      const outPath = path.join(tmpDir, 'build.xml');
+      server.call('provar.ant.generate', minimalInput({ output_path: outPath, dry_run: false }));
+
+      const content = fs.readFileSync(outPath, 'utf-8');
+      assert.ok(content.includes('<project'), 'Written file must contain <project>');
+    });
+
+    it('does NOT write when dry_run=false but no output_path', () => {
+      const result = server.call('provar.ant.generate', minimalInput({ dry_run: false, output_path: undefined }));
+
+      assert.equal(isError(result), false);
+      assert.equal(parseText(result)['written'], false);
+    });
+
+    it('returns FILE_EXISTS when file exists and overwrite=false', () => {
+      const outPath = path.join(tmpDir, 'build.xml');
+      fs.writeFileSync(outPath, '<old/>', 'utf-8');
+
+      const result = server.call(
+        'provar.ant.generate',
+        minimalInput({ output_path: outPath, dry_run: false, overwrite: false })
+      );
+
+      assert.equal(isError(result), true);
+      assert.equal(parseText(result)['error_code'], 'FILE_EXISTS');
+    });
+
+    it('overwrites when overwrite=true and file exists', () => {
+      const outPath = path.join(tmpDir, 'build.xml');
+      fs.writeFileSync(outPath, '<old/>', 'utf-8');
+
+      const result = server.call(
+        'provar.ant.generate',
+        minimalInput({ output_path: outPath, dry_run: false, overwrite: true })
+      );
+
+      assert.equal(isError(result), false);
+      const written = fs.readFileSync(outPath, 'utf-8');
+      assert.ok(written.includes('<project'), 'old content should be replaced');
+    });
+
+    it('creates parent directories as needed', () => {
+      const outPath = path.join(tmpDir, 'ANT', 'build.xml');
+      server.call('provar.ant.generate', minimalInput({ output_path: outPath, dry_run: false }));
+
+      assert.equal(fs.existsSync(outPath), true, 'nested directory should be created');
+    });
+  });
+
+  describe('path policy', () => {
+    it('returns PATH_NOT_ALLOWED when output_path is outside allowedPaths', () => {
+      const strictServer = new MockMcpServer();
+      registerAntGenerate(strictServer as never, { allowedPaths: [tmpDir] });
+
+      const result = strictServer.call(
+        'provar.ant.generate',
+        minimalInput({
+          output_path: path.join(os.tmpdir(), 'evil-build.xml'),
+          dry_run: false,
+          overwrite: false,
+        })
+      );
+
+      assert.equal(isError(result), true);
+      const code = parseText(result)['error_code'] as string;
+      assert.ok(
+        code === 'PATH_NOT_ALLOWED' || code === 'PATH_TRAVERSAL',
+        `Unexpected error code: ${code}`
+      );
+    });
+
+    it('does NOT check path policy in dry_run=true mode', () => {
+      const strictServer = new MockMcpServer();
+      registerAntGenerate(strictServer as never, { allowedPaths: [tmpDir] });
+
+      const result = strictServer.call(
+        'provar.ant.generate',
+        minimalInput({ output_path: '/etc/evil-build.xml', dry_run: true })
+      );
+
+      assert.equal(isError(result), false, 'dry_run should not trigger path check');
+    });
+  });
+});
+
+// ── validateAntXml ─────────────────────────────────────────────────────────────
+
+describe('validateAntXml', () => {
+  describe('valid ANT XML', () => {
+    it('returns is_valid=true with zero errors', () => {
+      const r = validateAntXml(VALID_ANT);
+      assert.equal(r.is_valid, true);
+      assert.equal(r.error_count, 0);
+      assert.equal(r.fileset_count, 1);
+      assert.equal(r.provar_home, '/provar');
+      assert.equal(r.project_path, '..');
+      assert.equal(r.results_path, '../ANT/Results');
+      assert.equal(r.web_browser, 'Chrome');
+    });
+
+    it('validity_score is 100 for a valid file', () => {
+      const r = validateAntXml(VALID_ANT);
+      assert.equal(r.validity_score, 100);
+    });
+  });
+
+  describe('document-level rules', () => {
+    it('ANT_001: warns about missing XML declaration', () => {
+      // No <?xml …?> header — everything else is valid
+      const noDecl = VALID_ANT.replace(/^<\?xml[^?]*\?>\n/, '');
+      const r = validateAntXml(noDecl);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_001'), 'Expected ANT_001 warning');
+      // Still structurally valid — XML declaration is a warning only
+      assert.equal(r.error_count, 0);
+    });
+
+    it('ANT_002: flags malformed XML', () => {
+      const r = validateAntXml('<?xml version="1.0"?><project unclosed');
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_002'), 'Expected ANT_002 error');
+      assert.equal(r.is_valid, false);
+    });
+
+    it('ANT_003: flags wrong root element', () => {
+      const r = validateAntXml('<?xml version="1.0"?><notProject/>');
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_003'), 'Expected ANT_003 error');
+      assert.equal(r.is_valid, false);
+    });
+  });
+
+  describe('project-level rules', () => {
+    it('ANT_004: flags missing default attribute on <project>', () => {
+      const xml = VALID_ANT.replace('default="runtests"', '');
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_004'), 'Expected ANT_004 error');
+    });
+
+    it('ANT_005: flags missing CompileTask taskdef', () => {
+      // Build XML with only RunnerTask taskdef (no CompileTask)
+      const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<project default="runtests">
+  <taskdef name="Run-Test-Case" classname="com.provar.testrunner.ant.RunnerTask" classpath="/provar/ant/ant-provar.jar"/>
+  <target name="runtests">
+    <Run-Test-Case provarHome="/provar" projectPath=".." resultsPath="../ANT/Results">
+      <fileset dir="../tests"/>
+    </Run-Test-Case>
+  </target>
+</project>`;
+      const r = validateAntXml(xml);
+      assert.ok(
+        r.issues.some((i) => i.rule_id === 'ANT_005' && i.message.includes('CompileTask')),
+        'Expected ANT_005 for CompileTask'
+      );
+    });
+
+    it('ANT_005: flags missing RunnerTask taskdef', () => {
+      // Build XML with only CompileTask taskdef (no RunnerTask)
+      const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<project default="runtests">
+  <taskdef name="Provar-Compile" classname="com.provar.testrunner.ant.CompileTask" classpath="/provar/ant/ant-provar.jar"/>
+  <target name="runtests">
+    <Run-Test-Case provarHome="/provar" projectPath=".." resultsPath="../ANT/Results">
+      <fileset dir="../tests"/>
+    </Run-Test-Case>
+  </target>
+</project>`;
+      const r = validateAntXml(xml);
+      assert.ok(
+        r.issues.some((i) => i.rule_id === 'ANT_005' && i.message.includes('RunnerTask')),
+        'Expected ANT_005 for RunnerTask'
+      );
+    });
+
+    it('ANT_006: flags default target not found', () => {
+      const xml = VALID_ANT.replace('name="runtests"', 'name="something-else"');
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_006'), 'Expected ANT_006 error');
+    });
+  });
+
+  describe('target-level rules', () => {
+    it('ANT_010: warns when <Provar-Compile> is absent', () => {
+      // Build XML without <Provar-Compile>
+      const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<project default="runtests">
+  <taskdef name="Provar-Compile" classname="com.provar.testrunner.ant.CompileTask" classpath="/provar/ant/ant-provar.jar"/>
+  <taskdef name="Run-Test-Case" classname="com.provar.testrunner.ant.RunnerTask" classpath="/provar/ant/ant-provar.jar"/>
+  <target name="runtests">
+    <Run-Test-Case provarHome="/provar" projectPath=".." resultsPath="../ANT/Results" webBrowser="Chrome">
+      <fileset dir="../tests"/>
+    </Run-Test-Case>
+  </target>
+</project>`;
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_010'), 'Expected ANT_010 warning');
+    });
+
+    it('ANT_020: flags missing <Run-Test-Case>', () => {
+      // Replace the Run-Test-Case block with a noop comment
+      const xml = VALID_ANT.replace(
+        /<Run-Test-Case[\s\S]*?<\/Run-Test-Case>/,
+        '<!-- removed -->'
+      );
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_020'), 'Expected ANT_020 error');
+    });
+  });
+
+  describe('Run-Test-Case required attribute rules', () => {
+    it('ANT_021: flags missing provarHome', () => {
+      // Build XML without provarHome on Run-Test-Case specifically
+      const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<project default="runtests">
+  <taskdef name="Provar-Compile" classname="com.provar.testrunner.ant.CompileTask" classpath="/provar/ant/ant-provar.jar"/>
+  <taskdef name="Run-Test-Case" classname="com.provar.testrunner.ant.RunnerTask" classpath="/provar/ant/ant-provar.jar"/>
+  <target name="runtests">
+    <Provar-Compile provarHome="/provar" projectPath=".."/>
+    <Run-Test-Case projectPath=".." resultsPath="../ANT/Results" webBrowser="Chrome">
+      <fileset dir="../tests"/>
+    </Run-Test-Case>
+  </target>
+</project>`;
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_021'), 'Expected ANT_021 error');
+    });
+
+    it('ANT_022: flags missing projectPath', () => {
+      // Build XML without projectPath on Run-Test-Case specifically
+      const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<project default="runtests">
+  <taskdef name="Provar-Compile" classname="com.provar.testrunner.ant.CompileTask" classpath="/provar/ant/ant-provar.jar"/>
+  <taskdef name="Run-Test-Case" classname="com.provar.testrunner.ant.RunnerTask" classpath="/provar/ant/ant-provar.jar"/>
+  <target name="runtests">
+    <Provar-Compile provarHome="/provar" projectPath=".."/>
+    <Run-Test-Case provarHome="/provar" resultsPath="../ANT/Results" webBrowser="Chrome">
+      <fileset dir="../tests"/>
+    </Run-Test-Case>
+  </target>
+</project>`;
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_022'), 'Expected ANT_022 error');
+    });
+
+    it('ANT_023: flags missing resultsPath', () => {
+      const xml = VALID_ANT.replace(' resultsPath="../ANT/Results"', '');
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_023'), 'Expected ANT_023 error');
+    });
+  });
+
+  describe('Run-Test-Case enum value rules', () => {
+    it('ANT_030: warns about unrecognised webBrowser value', () => {
+      const xml = VALID_ANT.replace('webBrowser="Chrome"', 'webBrowser="InternetExplorer6"');
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_030'), 'Expected ANT_030 warning');
+    });
+
+    it('ANT_031: warns about unrecognised salesforceMetadataCache value', () => {
+      const xml = VALID_ANT.replace(
+        '<Run-Test-Case',
+        '<Run-Test-Case salesforceMetadataCache="BadValue"'
+      );
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_031'), 'Expected ANT_031 warning');
+    });
+
+    it('ANT_032: warns about unrecognised testOutputlevel value', () => {
+      const xml = VALID_ANT.replace(
+        '<Run-Test-Case',
+        '<Run-Test-Case testOutputlevel="VERBOSE"'
+      );
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_032'), 'Expected ANT_032 warning');
+    });
+
+    it('ANT_033: warns about unrecognised resultsPathDisposition value', () => {
+      const xml = VALID_ANT.replace(
+        '<Run-Test-Case',
+        '<Run-Test-Case resultsPathDisposition="Overwrite"'
+      );
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_033'), 'Expected ANT_033 warning');
+    });
+  });
+
+  describe('fileset rules', () => {
+    it('ANT_040: flags Run-Test-Case with no <fileset> children', () => {
+      const xml = VALID_ANT.replace('<fileset dir="../tests"/>', '');
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_040'), 'Expected ANT_040 error');
+    });
+
+    it('ANT_041: flags a fileset missing dir attribute', () => {
+      const xml = VALID_ANT.replace('<fileset dir="../tests"/>', '<fileset/>');
+      const r = validateAntXml(xml);
+      assert.ok(r.issues.some((i) => i.rule_id === 'ANT_041'), 'Expected ANT_041 error');
+    });
+
+    it('reports fileset_count correctly', () => {
+      const r = validateAntXml(VALID_ANT);
+      assert.equal(r.fileset_count, 1);
+    });
+  });
+
+  describe('score boundaries', () => {
+    it('validity_score is never negative', () => {
+      // Many errors at once
+      const r = validateAntXml('<?xml version="1.0"?><wrong/>');
+      assert.ok(r.validity_score >= 0, `Score should be >= 0, got: ${r.validity_score}`);
+    });
+
+    it('validity_score decreases by 20 per error', () => {
+      // One error: ANT_003 wrong root
+      const r = validateAntXml('<?xml version="1.0"?><wrong/>');
+      assert.equal(r.error_count, 1);
+      assert.equal(r.validity_score, 80);
+    });
+
+    it('is_valid is false when there are errors', () => {
+      const r = validateAntXml('<?xml version="1.0"?><wrong/>');
+      assert.equal(r.is_valid, false);
+    });
+  });
+
+  describe('round-trip: generate then validate', () => {
+    it('XML produced by the generator passes validation', () => {
+      // Use the mock server to generate, then validate the output
+      const result = server.call('provar.ant.generate', minimalInput());
+      const xml = parseText(result)['xml_content'] as string;
+      const validation = validateAntXml(xml);
+
+      assert.equal(validation.is_valid, true, `Expected valid XML, got issues: ${JSON.stringify(validation.issues)}`);
+      assert.equal(validation.error_count, 0);
+    });
+  });
+});
diff --git a/test/unit/mcp/automationTools.test.ts b/test/unit/mcp/automationTools.test.ts
new file mode 100644
index 00000000..66a8acdf
--- /dev/null
+++ b/test/unit/mcp/automationTools.test.ts
@@ -0,0 +1,538 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import sinon from 'sinon';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { sfSpawnHelper } from '../../../src/mcp/tools/sfSpawn.js';
+
+// ── Minimal mock server ───────────────────────────────────────────────────────
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _desc: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+type FakeSpawnResult = { stdout: string; stderr: string; status: number | null; error: Error | undefined; pid: number | undefined; output: string[]; signal: null };
+
+function makeSpawnResult(stdout: string, stderr: string, status: number): FakeSpawnResult {
+  return { stdout, stderr, status, error: undefined, pid: 1, output: [], signal: null };
+}
+
+function makeEnoentResult(): FakeSpawnResult {
+  const err = Object.assign(new Error('spawn sf ENOENT'), { code: 'ENOENT' });
+  return { stdout: '', stderr: '', status: null, error: err, pid: undefined, output: [], signal: null };
+}
+
+function parseBody(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// ── Tests ─────────────────────────────────────────────────────────────────────
+
+describe('automationTools', () => {
+  let server: MockMcpServer;
+  let spawnStub: sinon.SinonStub;
+
+  beforeEach(async () => {
+    server = new MockMcpServer();
+    spawnStub = sinon.stub(sfSpawnHelper, 'spawnSync');
+
+    const { registerAllAutomationTools, setSfPathCacheForTesting } = await import('../../../src/mcp/tools/automationTools.js');
+    setSfPathCacheForTesting('sf'); // bypass probe spawn; tests control spawnStub directly
+    // allowedPaths: [] means unrestricted — existing tests use arbitrary paths
+    registerAllAutomationTools(server as unknown as McpServer, { allowedPaths: [] });
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  // ── provar.automation.testrun ─────────────────────────────────────────────
+
+  describe('provar.automation.testrun', () => {
+    it('calls sf with correct args and returns stdout', () => {
+      spawnStub.returns(makeSpawnResult('tests passed', '', 0));
+      const result = server.call('provar.automation.testrun', { flags: [] });
+      const body = parseBody(result);
+      assert.equal(body.exitCode, 0);
+      assert.equal(body.stdout, 'tests passed');
+      const [cmd, args] = spawnStub.firstCall.args as [string, string[]];
+      assert.equal(cmd, 'sf');
+      assert.deepEqual(args, ['provar', 'automation', 'test', 'run']);
+    });
+
+    it('forwards extra flags to sf', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+      server.call('provar.automation.testrun', { flags: ['--project-path', '/my/project'] });
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('--project-path'));
+      assert.ok(args.includes('/my/project'));
+    });
+
+    it('returns isError and AUTOMATION_TESTRUN_FAILED on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'compilation error', 1));
+      const result = server.call('provar.automation.testrun', { flags: [] });
+      assert.ok(isError(result));
+      const body = parseBody(result);
+      assert.equal(body.error_code, 'AUTOMATION_TESTRUN_FAILED');
+      assert.equal(body.message, 'compilation error');
+    });
+
+    it('uses stdout as message when stderr is empty', () => {
+      spawnStub.returns(makeSpawnResult('test failed: assertion error', '', 1));
+      const result = server.call('provar.automation.testrun', { flags: [] });
+      const body = parseBody(result);
+      assert.equal(body.message, 'test failed: assertion error');
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT with actionable message', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.automation.testrun', { flags: [] });
+      assert.ok(isError(result));
+      const body = parseBody(result);
+      assert.equal(body.error_code, 'SF_NOT_FOUND');
+      assert.ok((body.message as string).includes('npm install -g @salesforce/cli'));
+    });
+  });
+
+  // ── provar.automation.compile ─────────────────────────────────────────────
+
+  describe('provar.automation.compile', () => {
+    it('calls sf with project compile args', () => {
+      spawnStub.returns(makeSpawnResult('compiled ok', '', 0));
+      const result = server.call('provar.automation.compile', { flags: [] });
+      const body = parseBody(result);
+      assert.equal(body.exitCode, 0);
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.deepEqual(args, ['provar', 'automation', 'project', 'compile']);
+    });
+
+    it('forwards project-path flag', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+      server.call('provar.automation.compile', { flags: ['--project-path', '/my/project'] });
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('/my/project'));
+    });
+
+    it('returns AUTOMATION_COMPILE_FAILED on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'syntax error in TestCase.testcase', 1));
+      const result = server.call('provar.automation.compile', { flags: [] });
+      assert.ok(isError(result));
+      assert.equal(parseBody(result).error_code, 'AUTOMATION_COMPILE_FAILED');
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.automation.compile', { flags: [] });
+      assert.equal(parseBody(result).error_code, 'SF_NOT_FOUND');
+    });
+  });
+
+  // ── provar.automation.setup ───────────────────────────────────────────────
+
+  describe('provar.automation.setup', () => {
+    let existsStub: sinon.SinonStub;
+    let readdirStub: sinon.SinonStub;
+    let readFileStub: sinon.SinonStub;
+    let savedProvarHome: string | undefined;
+
+    // A fake CWD that is cross-platform (os.tmpdir() returns a real platform path)
+    const fakeCwd = path.join(os.tmpdir(), 'provar-test-workspace');
+    const localProvarHome = path.resolve(fakeCwd, 'ProvarHome');
+    const provarJar = (base: string): string => path.join(base, 'provardx', 'provardx.jar');
+
+    beforeEach(() => {
+      savedProvarHome = process.env['PROVAR_HOME'];
+      delete process.env['PROVAR_HOME'];
+
+      existsStub = sinon.stub(fs, 'existsSync').returns(false);
+      readdirStub = sinon.stub(fs, 'readdirSync').throws(Object.assign(new Error('ENOENT'), { code: 'ENOENT' }));
+      readFileStub = sinon.stub(fs, 'readFileSync').throws(Object.assign(new Error('ENOENT'), { code: 'ENOENT' }));
+      sinon.stub(process, 'cwd').returns(fakeCwd);
+    });
+
+    afterEach(() => {
+      if (savedProvarHome !== undefined) {
+        process.env['PROVAR_HOME'] = savedProvarHome;
+      } else {
+        delete process.env['PROVAR_HOME'];
+      }
+    });
+
+    /** Make existsSync return true for installPath and its provardx.jar. */
+    function makeValidInstall(installPath: string): void {
+      existsStub.withArgs(path.resolve(installPath)).returns(true);
+      existsStub.withArgs(provarJar(path.resolve(installPath))).returns(true);
+    }
+
+    it('returns already_installed with install path when local ProvarHome exists', () => {
+      makeValidInstall(localProvarHome);
+
+      const result = server.call('provar.automation.setup', { force: false });
+      const body = parseBody(result);
+
+      assert.ok(!isError(result));
+      assert.equal(body.already_installed, true);
+      assert.equal(body.install_path, path.resolve(localProvarHome));
+      assert.ok((body.message as string).includes('force: true'));
+      assert.ok(spawnStub.notCalled, 'sf should not be called when already installed');
+    });
+
+    it('reads version from version.txt when present', () => {
+      makeValidInstall(localProvarHome);
+      readFileStub
+        .withArgs(path.join(path.resolve(localProvarHome), 'version.txt'), 'utf-8')
+        .returns('2.12.0\n');
+
+      const body = parseBody(server.call('provar.automation.setup', { force: false }));
+
+      assert.equal(body.version, '2.12.0');
+    });
+
+    it('reports version as null when no version file exists', () => {
+      makeValidInstall(localProvarHome);
+      // readFileStub already throws for all paths by default
+
+      const body = parseBody(server.call('provar.automation.setup', { force: false }));
+
+      assert.equal(body.version, null);
+    });
+
+    it('detects installation from PROVAR_HOME env var', () => {
+      const envPath = path.join(os.tmpdir(), 'custom-provar');
+      process.env['PROVAR_HOME'] = envPath;
+      makeValidInstall(envPath);
+
+      const body = parseBody(server.call('provar.automation.setup', { force: false }));
+      const installs = body.installations as Array<{ source: string; path: string }>;
+
+      assert.equal(body.already_installed, true);
+      assert.ok(installs.some(i => i.source === 'env'));
+    });
+
+    it('deduplicates when PROVAR_HOME and ./ProvarHome resolve to the same directory', () => {
+      process.env['PROVAR_HOME'] = localProvarHome; // same as CWD-relative ProvarHome
+      makeValidInstall(localProvarHome);
+
+      const body = parseBody(server.call('provar.automation.setup', { force: false }));
+      const installs = body.installations as unknown[];
+
+      assert.equal(installs.length, 1);
+    });
+
+    it('reports all installations when multiple distinct ones exist', () => {
+      const envPath = path.join(os.tmpdir(), 'custom-provar');
+      process.env['PROVAR_HOME'] = envPath;
+      makeValidInstall(envPath);
+      makeValidInstall(localProvarHome);
+
+      const body = parseBody(server.call('provar.automation.setup', { force: false }));
+      const installs = body.installations as unknown[];
+
+      assert.equal(installs.length, 2);
+    });
+
+    it('force: true downloads even when a local install is already present', () => {
+      makeValidInstall(localProvarHome);
+      spawnStub.returns(makeSpawnResult('setup complete', '', 0));
+
+      const body = parseBody(server.call('provar.automation.setup', { force: true }));
+
+      assert.equal(body.already_installed, false);
+      assert.equal(body.forced, true);
+      assert.ok(spawnStub.calledOnce);
+    });
+
+    it('downloads when no install exists and returns install_path', () => {
+      // Nothing exists before the download; ProvarHome appears once sf runs.
+      // Use callsFake on spawnStub to flip the existsStub state mid-test,
+      // accurately modelling the before/after filesystem change.
+      let installExists = false;
+      const localResolved = path.resolve(localProvarHome);
+      existsStub.callsFake((p: string) => {
+        if (p === localResolved || p === path.join(localResolved, 'provardx', 'provardx.jar')) {
+          return installExists;
+        }
+        return false;
+      });
+      spawnStub.callsFake(() => {
+        installExists = true; // "download" creates the directory
+        return makeSpawnResult('Provar downloaded successfully', '', 0);
+      });
+
+      const result = server.call('provar.automation.setup', {});
+      const body = parseBody(result);
+
+      assert.ok(!isError(result));
+      assert.equal(body.already_installed, false);
+      assert.ok((body.install_path as string).includes('ProvarHome'));
+      const sfArgs = spawnStub.firstCall.args[1] as string[];
+      assert.deepEqual(sfArgs, ['provar', 'automation', 'setup']);
+    });
+
+    it('forwards --version flag to sf when version is specified', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+
+      server.call('provar.automation.setup', { version: '2.10.0' });
+
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('--version'));
+      assert.ok(args.includes('2.10.0'));
+    });
+
+    it('does not forward --version flag when version is omitted', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+
+      server.call('provar.automation.setup', {});
+
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(!args.includes('--version'));
+    });
+
+    it('returns AUTOMATION_SETUP_FAILED when sf exits non-zero', () => {
+      spawnStub.returns(makeSpawnResult('', 'Provided version is not a valid version.', 1));
+
+      const result = server.call('provar.automation.setup', { version: '0.0.0' });
+
+      assert.ok(isError(result));
+      assert.equal(parseBody(result).error_code, 'AUTOMATION_SETUP_FAILED');
+      assert.ok((parseBody(result).message as string).includes('valid version'));
+    });
+
+    it('uses stdout as error message when stderr is empty', () => {
+      spawnStub.returns(makeSpawnResult('Network timeout', '', 1));
+
+      const body = parseBody(server.call('provar.automation.setup', {}));
+
+      assert.equal(body.message, 'Network timeout');
+    });
+
+    it('returns SF_NOT_FOUND when sf CLI is not installed', () => {
+      spawnStub.returns(makeEnoentResult());
+
+      const result = server.call('provar.automation.setup', {});
+
+      assert.ok(isError(result));
+      const body = parseBody(result);
+      assert.equal(body.error_code, 'SF_NOT_FOUND');
+      assert.ok((body.message as string).includes('npm install -g @salesforce/cli'));
+    });
+
+    it('scans system install dirs for Provar* subdirectories', () => {
+      // Simulate a system-level Provar directory in the platform base dir
+      const platformBases: Record<string, string[]> = {
+        win32: ['C:/Program Files', 'C:/Program Files (x86)'],
+        darwin: ['/Applications'],
+        linux: ['/opt', '/usr/local'],
+      };
+      const bases = platformBases[process.platform] ?? [];
+      if (bases.length === 0) return; // skip on unrecognised platforms
+
+      const base = bases[0];
+      const provarDir = path.join(base, 'Provar 2.12.0');
+
+      existsStub.withArgs(base).returns(true);
+      readdirStub.withArgs(base).returns(['Provar 2.12.0', 'SomeOtherApp']);
+      makeValidInstall(provarDir);
+
+      const body = parseBody(server.call('provar.automation.setup', { force: false }));
+      const installs = body.installations as Array<{ source: string; path: string }>;
+
+      assert.ok(installs.some(i => i.source === 'system'), 'should find system install');
+    });
+
+    it('ignores non-Provar subdirectories in system install dirs', () => {
+      const platformBases: Record<string, string[]> = {
+        win32: ['C:/Program Files', 'C:/Program Files (x86)'],
+        darwin: ['/Applications'],
+        linux: ['/opt', '/usr/local'],
+      };
+      const bases = platformBases[process.platform] ?? [];
+      if (bases.length === 0) return;
+
+      const base = bases[0];
+      existsStub.withArgs(base).returns(true);
+      readdirStub.withArgs(base).returns(['Chrome', 'Firefox', 'NodeJS']);
+      // None of these have provardx.jar
+
+      const result = server.call('provar.automation.setup', { force: false });
+
+      // No existing installs found → sf should be called
+      assert.ok(spawnStub.calledOnce || isError(result)); // either calls sf or errors (ENOENT if sf not found)
+    });
+
+  });
+
+  // ── provar.automation.metadata.download ──────────────────────────────────
+
+  describe('provar.automation.metadata.download', () => {
+    it('calls sf with metadata download args', () => {
+      spawnStub.returns(makeSpawnResult('downloaded', '', 0));
+      const result = server.call('provar.automation.metadata.download', { flags: [] });
+      const body = parseBody(result);
+      assert.equal(body.exitCode, 0);
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.deepEqual(args, ['provar', 'automation', 'metadata', 'download']);
+    });
+
+    it('forwards --target-org flag', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+      server.call('provar.automation.metadata.download', { flags: ['--target-org', 'myorg'] });
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('--target-org'));
+      assert.ok(args.includes('myorg'));
+    });
+
+    it('returns AUTOMATION_METADATA_FAILED on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'auth failed', 1));
+      const result = server.call('provar.automation.metadata.download', { flags: [] });
+      assert.ok(isError(result));
+      assert.equal(parseBody(result).error_code, 'AUTOMATION_METADATA_FAILED');
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.automation.metadata.download', { flags: [] });
+      assert.equal(parseBody(result).error_code, 'SF_NOT_FOUND');
+    });
+  });
+
+  // ── provar.automation.config.load ─────────────────────────────────────────
+
+  describe('provar.automation.config.load', () => {
+    it('calls sf with config load args and the given properties_path', () => {
+      spawnStub.returns(makeSpawnResult('', '', 0));
+      server.call('provar.automation.config.load', { properties_path: '/my/project/provardx-properties.json' });
+      const [cmd, args] = spawnStub.firstCall.args as [string, string[]];
+      assert.equal(cmd, 'sf');
+      assert.deepEqual(args, ['provar', 'automation', 'config', 'load', '--properties-file', '/my/project/provardx-properties.json']);
+    });
+
+    it('returns properties_path in the response', () => {
+      spawnStub.returns(makeSpawnResult('Config loaded', '', 0));
+      const result = server.call('provar.automation.config.load', { properties_path: '/my/project/provardx-properties.json' });
+      assert.ok(!isError(result));
+      const body = parseBody(result);
+      assert.equal(body.properties_path, '/my/project/provardx-properties.json');
+    });
+
+    it('returns AUTOMATION_CONFIG_LOAD_FAILED on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'INVALID_PATH', 1));
+      const result = server.call('provar.automation.config.load', { properties_path: '/missing.json' });
+      assert.ok(isError(result));
+      assert.equal(parseBody(result).error_code, 'AUTOMATION_CONFIG_LOAD_FAILED');
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.automation.config.load', { properties_path: '/my/project/provardx-properties.json' });
+      assert.equal(parseBody(result).error_code, 'SF_NOT_FOUND');
+    });
+
+    it('uses the explicit sf_path when provided', () => {
+      spawnStub.returns(makeSpawnResult('', '', 0));
+      server.call('provar.automation.config.load', { properties_path: '/proj/props.json', sf_path: '/custom/bin/sf' });
+      const [cmd] = spawnStub.firstCall.args as [string, string[]];
+      assert.equal(cmd, '/custom/bin/sf');
+    });
+
+    describe('path policy enforcement', () => {
+      let restrictedServer: MockMcpServer;
+      const allowedDir = os.tmpdir();
+
+      beforeEach(async () => {
+        restrictedServer = new MockMcpServer();
+        const { registerAutomationConfigLoad, setSfPathCacheForTesting } = await import('../../../src/mcp/tools/automationTools.js');
+        setSfPathCacheForTesting('sf');
+        registerAutomationConfigLoad(restrictedServer as unknown as McpServer, { allowedPaths: [allowedDir] });
+      });
+
+      it('rejects properties_path outside allowed paths', () => {
+        const result = restrictedServer.call('provar.automation.config.load', {
+          properties_path: '/etc/passwd',
+        });
+        assert.ok(isError(result));
+        assert.equal(parseBody(result).error_code, 'PATH_NOT_ALLOWED');
+        assert.ok(!spawnStub.called, 'sf should not be spawned for a rejected path');
+      });
+
+      it('rejects properties_path with .. traversal', () => {
+        const result = restrictedServer.call('provar.automation.config.load', {
+          properties_path: path.join(allowedDir, '..', 'etc', 'passwd'),
+        });
+        assert.ok(isError(result));
+        assert.equal(parseBody(result).error_code, 'PATH_TRAVERSAL');
+        assert.ok(!spawnStub.called, 'sf should not be spawned for a path traversal');
+      });
+
+      it('allows properties_path within allowed paths', () => {
+        spawnStub.returns(makeSpawnResult('', '', 0));
+        const allowed = path.join(allowedDir, 'provardx-properties.json');
+        const result = restrictedServer.call('provar.automation.config.load', {
+          properties_path: allowed,
+        });
+        assert.ok(!isError(result));
+      });
+    });
+  });
+
+  // ── sf_path threading ─────────────────────────────────────────────────────
+
+  describe('sf_path explicit executable', () => {
+    it('testrun uses sf_path as the executable', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+      server.call('provar.automation.testrun', { flags: [], sf_path: '/opt/sf/bin/sf' });
+      assert.equal(spawnStub.firstCall.args[0], '/opt/sf/bin/sf');
+    });
+
+    it('compile uses sf_path as the executable', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+      server.call('provar.automation.compile', { flags: [], sf_path: '/opt/sf/bin/sf' });
+      assert.equal(spawnStub.firstCall.args[0], '/opt/sf/bin/sf');
+    });
+
+    it('SF_NOT_FOUND message names the explicit path when sf_path is provided and missing', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.automation.compile', { flags: [], sf_path: '/missing/sf' });
+      const body = parseBody(result);
+      assert.equal(body.error_code, 'SF_NOT_FOUND');
+      assert.ok((body.message as string).includes('/missing/sf'), 'message should name the explicit path');
+    });
+
+    it('SF_NOT_FOUND message mentions sf_path option when no explicit path was given', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.automation.testrun', { flags: [] });
+      const body = parseBody(result);
+      assert.equal(body.error_code, 'SF_NOT_FOUND');
+      assert.ok((body.message as string).includes('sf_path'), 'message should hint at sf_path parameter');
+      assert.ok((body.message as string).includes('npm install -g @salesforce/cli'));
+    });
+  });
+});
diff --git a/test/unit/mcp/bestPracticesEngine.test.ts b/test/unit/mcp/bestPracticesEngine.test.ts
new file mode 100644
index 00000000..c4fcbb3c
--- /dev/null
+++ b/test/unit/mcp/bestPracticesEngine.test.ts
@@ -0,0 +1,169 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import {
+  calculateBPScore,
+  runBestPractices,
+  type BPViolation,
+} from '../../../src/mcp/tools/bestPracticesEngine.js';
+
+// ── Helper: build a minimal violation ────────────────────────────────────────
+
+function makeViolation(
+  severity: BPViolation['severity'],
+  weight: number,
+  count?: number
+): BPViolation {
+  return {
+    rule_id: 'TEST-001',
+    name: 'Test Violation',
+    description: '',
+    category: 'Test',
+    severity,
+    weight,
+    message: 'Test message',
+    recommendation: 'Fix it',
+    applies_to: ['testCase'],
+    count,
+  };
+}
+
+// ── Valid XML fixture (passes all schema-level rules) ─────────────────────────
+
+const GUID_TC   = '550e8400-e29b-41d4-a716-446655440000';
+const GUID_S1   = '550e8400-e29b-41d4-a716-446655440011';
+const GUID_S2   = '550e8400-e29b-41d4-a716-446655440012';
+
+const VALID_XML = `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="tc-001" guid="${GUID_TC}" registryId="tc-001" name="Login Test">
+  <steps>
+    <apiCall guid="${GUID_S1}" apiId="UiConnect" name="Connect to browser" testItemId="1"/>
+    <apiCall guid="${GUID_S2}" apiId="UiNavigate" name="Navigate to login page" testItemId="2"/>
+  </steps>
+</testCase>`;
+
+// ── calculateBPScore ──────────────────────────────────────────────────────────
+
+describe('calculateBPScore', () => {
+  it('returns 100 when there are no violations', () => {
+    assert.equal(calculateBPScore([]), 100);
+  });
+
+  it('deducts correctly for a single critical violation (weight=10, count=1)', () => {
+    // score = 100 - (10 * 1.0 * 1) = 90
+    const score = calculateBPScore([makeViolation('critical', 10)]);
+    assert.equal(score, 90);
+  });
+
+  it('deducts correctly for a single major violation (weight=4, count=1)', () => {
+    // score = 100 - (4 * 0.75 * 1) = 97
+    const score = calculateBPScore([makeViolation('major', 4)]);
+    assert.equal(score, 97);
+  });
+
+  it('deducts correctly for a single minor violation (weight=2, count=1)', () => {
+    // score = 100 - (2 * 0.5 * 1) = 99
+    const score = calculateBPScore([makeViolation('minor', 2)]);
+    assert.equal(score, 99);
+  });
+
+  it('deducts correctly for a single info violation (weight=4, count=1)', () => {
+    // score = 100 - (4 * 0.25 * 1) = 99
+    const score = calculateBPScore([makeViolation('info', 4)]);
+    assert.equal(score, 99);
+  });
+
+  it('applies log2 diminishing returns when count > 1', () => {
+    // count=4: effective_count = 1 + log2(4) = 1 + 2 = 3
+    // score = 100 - (10 * 1.0 * 3) = 70
+    const score = calculateBPScore([makeViolation('critical', 10, 4)]);
+    assert.equal(score, 70);
+  });
+
+  it('does not apply diminishing returns when count=1 (explicit)', () => {
+    // effective_count = 1 (not > 1)
+    const score = calculateBPScore([makeViolation('critical', 10, 1)]);
+    assert.equal(score, 90);
+  });
+
+  it('accumulates deductions across multiple violations', () => {
+    // critical weight=5: 100 - 5 = 95
+    // major   weight=4: 95 - 3 = 92
+    // net: 92
+    const score = calculateBPScore([
+      makeViolation('critical', 5),
+      makeViolation('major', 4),
+    ]);
+    assert.equal(score, 92);
+  });
+
+  it('never returns a negative score regardless of severity', () => {
+    const violations = Array.from({ length: 20 }, () => makeViolation('critical', 20));
+    const score = calculateBPScore(violations);
+    assert.ok(score >= 0, `Expected score >= 0, got ${score}`);
+    assert.equal(score, 0);
+  });
+
+  it('never returns a score above 100', () => {
+    assert.ok(calculateBPScore([]) <= 100);
+  });
+});
+
+// ── runBestPractices ──────────────────────────────────────────────────────────
+
+describe('runBestPractices', () => {
+  describe('valid XML test case', () => {
+    it('returns a quality_score between 0 and 100', () => {
+      const result = runBestPractices(VALID_XML);
+      assert.ok(result.quality_score >= 0,   `score ${result.quality_score} should be >= 0`);
+      assert.ok(result.quality_score <= 100, `score ${result.quality_score} should be <= 100`);
+    });
+
+    it('returns rules_evaluated > 0 when rules are loaded', () => {
+      const result = runBestPractices(VALID_XML);
+      assert.ok(result.rules_evaluated > 0, 'rules_evaluated should be greater than 0 when rules are loaded');
+    });
+
+    it('returns violations as an array', () => {
+      const result = runBestPractices(VALID_XML);
+      assert.ok(Array.isArray(result.violations), 'violations should be an array');
+    });
+
+    it('passes optional testName metadata without error', () => {
+      const result = runBestPractices(VALID_XML, { testName: 'Login Test' });
+      assert.ok(result.quality_score >= 0 && result.quality_score <= 100);
+    });
+  });
+
+  describe('empty or invalid XML', () => {
+    it('returns quality_score=0 for an empty string (no parseable testCase)', () => {
+      const result = runBestPractices('');
+      assert.equal(result.quality_score, 0);
+      assert.equal(result.violations.length, 0);
+    });
+
+    it('does not throw for completely malformed XML', () => {
+      assert.doesNotThrow(() => runBestPractices('<<<not xml>>>'));
+    });
+
+    it('returns quality_score=0 for XML with wrong root element', () => {
+      const result = runBestPractices('<?xml version="1.0"?><notTestCase><steps/></notTestCase>');
+      assert.equal(result.quality_score, 0);
+    });
+  });
+
+  describe('score parity with calculateBPScore', () => {
+    it('quality_score matches what calculateBPScore would produce for the same violations', () => {
+      const result = runBestPractices(VALID_XML);
+      const recalculated = calculateBPScore(result.violations);
+      assert.equal(result.quality_score, recalculated);
+    });
+  });
+});
diff --git a/test/unit/mcp/defectTools.test.ts b/test/unit/mcp/defectTools.test.ts
new file mode 100644
index 00000000..8f2c8cad
--- /dev/null
+++ b/test/unit/mcp/defectTools.test.ts
@@ -0,0 +1,337 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import sinon from 'sinon';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { sfSpawnHelper } from '../../../src/mcp/tools/sfSpawn.js';
+import { createDefectsForRun } from '../../../src/mcp/tools/defectTools.js';
+
+// ── Minimal mock server ───────────────────────────────────────────────────────
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _desc: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Spawn result builders ─────────────────────────────────────────────────────
+
+type SpawnResult = { stdout: string; stderr: string; status: number | null; error: Error | undefined; pid: number | undefined; output: Array<Buffer | string | null>; signal: NodeJS.Signals | null };
+
+function makeSpawnResult(stdout: string, status = 0): SpawnResult {
+  return { stdout, stderr: '', status, error: undefined, pid: 1, output: [null, stdout, ''], signal: null };
+}
+
+function makeEnoentResult(): SpawnResult {
+  const err = Object.assign(new Error('spawn sf ENOENT'), { code: 'ENOENT' });
+  return { stdout: '', stderr: '', status: null, error: err, pid: undefined, output: [null, '', ''], signal: null };
+}
+
+function queryResult(records: object[], totalSize?: number): string {
+  return JSON.stringify({
+    status: 0,
+    result: { totalSize: totalSize ?? records.length, records },
+  });
+}
+
+function createResult(id: string): string {
+  return JSON.stringify({
+    status: 0,
+    result: { id, success: true, errors: [] },
+  });
+}
+
+function parseBody(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// ── Fixtures ──────────────────────────────────────────────────────────────────
+
+const JOB_ID = 'a0q000000000JOB';
+const CYCLE_ID = 'a0r000000000CYC';
+const EXEC_ID = 'a0s000000000EXC';
+const TC_ID = 'a0t000000000TCS';
+const STEP_EXEC_ID = 'a0u000000000STE';
+const STEP_ID = 'a0v000000000STP';
+const DEFECT_ID = 'a0w000000000DEF';
+const TC_DEFECT_ID = 'a0x000000000TCD';
+const EXEC_DEFECT_ID = 'a0y000000000EXD';
+const RUN_ID = 'run-tracking-uuid-123';
+const ORG = 'my-qh-org';
+
+function makeHappyPathStub(stub: sinon.SinonStub): void {
+  // Call 0: job query
+  stub.onCall(0).returns(makeSpawnResult(queryResult([{ Id: JOB_ID }])));
+  // Call 1: cycle query
+  stub.onCall(1).returns(makeSpawnResult(queryResult([{
+    Id: CYCLE_ID,
+    provar__Web_Browser__c: 'Chrome',
+    provar__Browser_Version__c: '120',
+    provar__Environment_Text__c: 'Production',
+  }])));
+  // Call 2: failed executions query
+  stub.onCall(2).returns(makeSpawnResult(queryResult([{
+    Id: EXEC_ID,
+    provar__Test_Case__c: TC_ID,
+    provar__Tester__c: 'tester@example.com',
+  }])));
+  // Call 3: failed step query
+  stub.onCall(3).returns(makeSpawnResult(queryResult([{
+    Id: STEP_EXEC_ID,
+    provar__Test_Step__c: STEP_ID,
+    provar__ActionObs__c: 'Click Login button',
+    provar__Actual_Result__c: 'Element not found',
+    provar__Sequence_No__c: 3,
+  }])));
+  // Call 4: create Defect__c
+  stub.onCall(4).returns(makeSpawnResult(createResult(DEFECT_ID)));
+  // Call 5: create Test_Case_Defect__c
+  stub.onCall(5).returns(makeSpawnResult(createResult(TC_DEFECT_ID)));
+  // Call 6: create Test_Execution_Defect__c
+  stub.onCall(6).returns(makeSpawnResult(createResult(EXEC_DEFECT_ID)));
+}
+
+// ── Tests: createDefectsForRun (unit) ─────────────────────────────────────────
+
+describe('createDefectsForRun', () => {
+  let stub: sinon.SinonStub;
+
+  beforeEach(() => {
+    stub = sinon.stub(sfSpawnHelper, 'spawnSync');
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  it('creates one defect set per failed execution on happy path', () => {
+    makeHappyPathStub(stub);
+    const result = createDefectsForRun(RUN_ID, ORG);
+
+    assert.equal(result.created.length, 1);
+    assert.equal(result.skipped, 0);
+    assert.ok(result.message.includes('Created 1 defect(s)'));
+
+    const [item] = result.created;
+    assert.equal(item.defectId, DEFECT_ID);
+    assert.equal(item.tcDefectId, TC_DEFECT_ID);
+    assert.equal(item.execDefectId, EXEC_DEFECT_ID);
+    assert.equal(item.executionId, EXEC_ID);
+    assert.equal(item.testCaseId, TC_ID);
+  });
+
+  it('includes Jira/ADO sync note in success message', () => {
+    makeHappyPathStub(stub);
+    const result = createDefectsForRun(RUN_ID, ORG);
+    assert.ok(result.message.includes('Jira') || result.message.includes('ADO'));
+  });
+
+  it('returns empty result when no failed executions exist', () => {
+    stub.onCall(0).returns(makeSpawnResult(queryResult([{ Id: JOB_ID }])));
+    stub.onCall(1).returns(makeSpawnResult(queryResult([{
+      Id: CYCLE_ID,
+      provar__Web_Browser__c: 'Firefox',
+      provar__Browser_Version__c: '121',
+      provar__Environment_Text__c: 'Staging',
+    }])));
+    stub.onCall(2).returns(makeSpawnResult(queryResult([], 0)));
+
+    const result = createDefectsForRun(RUN_ID, ORG);
+    assert.equal(result.created.length, 0);
+    assert.equal(result.skipped, 0);
+    assert.ok(result.message.includes('No failed'));
+  });
+
+  it('throws when job not found by tracking ID', () => {
+    stub.onCall(0).returns(makeSpawnResult(queryResult([], 0)));
+
+    assert.throws(
+      () => createDefectsForRun(RUN_ID, ORG),
+      (err: Error) => err.message.includes(RUN_ID)
+    );
+  });
+
+  it('throws when no Test_Cycle__c found for job', () => {
+    stub.onCall(0).returns(makeSpawnResult(queryResult([{ Id: JOB_ID }])));
+    stub.onCall(1).returns(makeSpawnResult(queryResult([], 0)));
+
+    assert.throws(
+      () => createDefectsForRun(RUN_ID, ORG),
+      (err: Error) => err.message.includes(JOB_ID)
+    );
+  });
+
+  it('filters executions by failedTestFilter substring', () => {
+    // Two failed executions; filter keeps only the one matching TC_ID
+    const OTHER_TC = 'a0t000000000OTH';
+    stub.onCall(0).returns(makeSpawnResult(queryResult([{ Id: JOB_ID }])));
+    stub.onCall(1).returns(makeSpawnResult(queryResult([{
+      Id: CYCLE_ID,
+      provar__Web_Browser__c: 'Chrome',
+      provar__Browser_Version__c: '120',
+      provar__Environment_Text__c: 'Production',
+    }])));
+    stub.onCall(2).returns(makeSpawnResult(queryResult([
+      { Id: EXEC_ID, provar__Test_Case__c: TC_ID, provar__Tester__c: 'tester@example.com' },
+      { Id: 'a0s000000000EX2', provar__Test_Case__c: OTHER_TC, provar__Tester__c: 'tester@example.com' },
+    ])));
+    // step query for the one kept execution
+    stub.onCall(3).returns(makeSpawnResult(queryResult([{
+      Id: STEP_EXEC_ID,
+      provar__Test_Step__c: STEP_ID,
+      provar__ActionObs__c: 'Click',
+      provar__Actual_Result__c: 'Failed',
+      provar__Sequence_No__c: 1,
+    }])));
+    stub.onCall(4).returns(makeSpawnResult(createResult(DEFECT_ID)));
+    stub.onCall(5).returns(makeSpawnResult(createResult(TC_DEFECT_ID)));
+    stub.onCall(6).returns(makeSpawnResult(createResult(EXEC_DEFECT_ID)));
+
+    const result = createDefectsForRun(RUN_ID, ORG, [TC_ID]);
+    assert.equal(result.created.length, 1);
+    assert.equal(result.skipped, 1);
+    assert.equal(result.created[0].testCaseId, TC_ID);
+  });
+
+  it('handles missing step gracefully (no step found for execution)', () => {
+    stub.onCall(0).returns(makeSpawnResult(queryResult([{ Id: JOB_ID }])));
+    stub.onCall(1).returns(makeSpawnResult(queryResult([{
+      Id: CYCLE_ID,
+      provar__Web_Browser__c: 'Safari',
+      provar__Browser_Version__c: '17',
+      provar__Environment_Text__c: 'UAT',
+    }])));
+    stub.onCall(2).returns(makeSpawnResult(queryResult([{
+      Id: EXEC_ID,
+      provar__Test_Case__c: TC_ID,
+      provar__Tester__c: '',
+    }])));
+    stub.onCall(3).returns(makeSpawnResult(queryResult([], 0))); // no steps
+    stub.onCall(4).returns(makeSpawnResult(createResult(DEFECT_ID)));
+    stub.onCall(5).returns(makeSpawnResult(createResult(TC_DEFECT_ID)));
+    stub.onCall(6).returns(makeSpawnResult(createResult(EXEC_DEFECT_ID)));
+
+    const result = createDefectsForRun(RUN_ID, ORG);
+    assert.equal(result.created.length, 1);
+    assert.equal(result.created[0].defectId, DEFECT_ID);
+  });
+
+  it('throws SfNotFoundError (SF_NOT_FOUND) when sf is not in PATH', () => {
+    stub.returns(makeEnoentResult());
+
+    assert.throws(
+      () => createDefectsForRun(RUN_ID, ORG),
+      (err: Error & { code?: string }) => err.code === 'SF_NOT_FOUND'
+    );
+  });
+
+  it('passes --target-org to every sf invocation', () => {
+    makeHappyPathStub(stub);
+    createDefectsForRun(RUN_ID, ORG);
+
+    for (let i = 0; i <= 6; i++) {
+      const args = stub.getCall(i).args[1] as string[];
+      assert.ok(args.includes(ORG), `Call ${i} should include org alias`);
+    }
+  });
+});
+
+// ── Tests: MCP tool registration ──────────────────────────────────────────────
+
+describe('provar.qualityhub.defect.create (MCP tool)', () => {
+  let server: MockMcpServer;
+  let stub: sinon.SinonStub;
+
+  beforeEach(async () => {
+    server = new MockMcpServer();
+    stub = sinon.stub(sfSpawnHelper, 'spawnSync');
+    const { registerAllDefectTools } = await import('../../../src/mcp/tools/defectTools.js');
+    registerAllDefectTools(server as unknown as McpServer);
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  it('returns structured content with created defects on success', () => {
+    makeHappyPathStub(stub);
+    const result = server.call('provar.qualityhub.defect.create', {
+      run_id: RUN_ID,
+      target_org: ORG,
+    });
+    const body = parseBody(result);
+    assert.equal(body.skipped, 0);
+    const created = body.created as Array<Record<string, string>>;
+    assert.equal(created.length, 1);
+    assert.equal(created[0].defectId, DEFECT_ID);
+  });
+
+  it('returns isError with DEFECT_CREATE_FAILED on job-not-found error', () => {
+    stub.onCall(0).returns(makeSpawnResult(queryResult([], 0)));
+    const result = server.call('provar.qualityhub.defect.create', {
+      run_id: RUN_ID,
+      target_org: ORG,
+    });
+    assert.ok(isError(result));
+    const body = parseBody(result);
+    assert.equal(body.error_code, 'DEFECT_CREATE_FAILED');
+  });
+
+  it('returns isError with SF_NOT_FOUND when sf CLI is missing', () => {
+    stub.returns(makeEnoentResult());
+    const result = server.call('provar.qualityhub.defect.create', {
+      run_id: RUN_ID,
+      target_org: ORG,
+    });
+    assert.ok(isError(result));
+    const body = parseBody(result);
+    assert.equal(body.error_code, 'SF_NOT_FOUND');
+  });
+
+  it('passes failed_tests filter through to createDefectsForRun', () => {
+    // Return empty executions - filtered out
+    stub.onCall(0).returns(makeSpawnResult(queryResult([{ Id: JOB_ID }])));
+    stub.onCall(1).returns(makeSpawnResult(queryResult([{
+      Id: CYCLE_ID,
+      provar__Web_Browser__c: 'Edge',
+      provar__Browser_Version__c: '120',
+      provar__Environment_Text__c: 'Dev',
+    }])));
+    stub.onCall(2).returns(makeSpawnResult(queryResult([{
+      Id: EXEC_ID,
+      provar__Test_Case__c: TC_ID,
+      provar__Tester__c: 'qa@example.com',
+    }])));
+
+    const result = server.call('provar.qualityhub.defect.create', {
+      run_id: RUN_ID,
+      target_org: ORG,
+      failed_tests: ['no-match'],
+    });
+    const body = parseBody(result);
+    const created = body.created as unknown[];
+    assert.equal(created.length, 0);
+    assert.equal(body.skipped, 1);
+  });
+});
diff --git a/test/unit/mcp/hierarchyValidate.test.ts b/test/unit/mcp/hierarchyValidate.test.ts
new file mode 100644
index 00000000..2ed9f98f
--- /dev/null
+++ b/test/unit/mcp/hierarchyValidate.test.ts
@@ -0,0 +1,591 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import {
+  validateSuite,
+  validatePlan,
+  validateProject,
+  buildHierarchySummary,
+  detectNamingStyle,
+  computeViolationDeduction,
+  type TestCaseInput,
+  type TestSuiteInput,
+  type HierarchyViolation,
+} from '../../../src/mcp/tools/hierarchyValidate.js';
+
+// ── Shared valid XML fixtures ─────────────────────────────────────────────────
+
+// All guids below are valid UUID v4 (version nibble = 4, variant nibble ∈ {8,9,a,b})
+const G = {
+  tc1:  '550e8400-e29b-41d4-a716-446655440001',
+  tc2:  '550e8400-e29b-41d4-a716-446655440002',
+  tc3:  '550e8400-e29b-41d4-a716-446655440003',
+  tc4:  '550e8400-e29b-41d4-a716-446655440004',
+  s1:   '550e8400-e29b-41d4-a716-446655440011',
+  s2:   '550e8400-e29b-41d4-a716-446655440012',
+  s3:   '550e8400-e29b-41d4-a716-446655440013',
+};
+
+function makeXml(tcGuid: string, stepGuid: string, id: string): string {
+  return (
+    '<?xml version="1.0" encoding="UTF-8"?>\n' +
+    `<testCase id="${id}" guid="${tcGuid}" registryId="${id}" name="${id}">\n` +
+    '  <steps>\n' +
+    `    <apiCall guid="${stepGuid}" apiId="UiConnect" name="Connect" testItemId="1"/>\n` +
+    '  </steps>\n' +
+    '</testCase>'
+  );
+}
+
+const TC_LOGIN:  TestCaseInput = { name: 'LoginTest.testcase',  xml: makeXml(G.tc1, G.s1, 'tc-001') };
+const TC_LOGOUT: TestCaseInput = { name: 'LogoutTest.testcase', xml: makeXml(G.tc2, G.s2, 'tc-002') };
+const TC_SIGNUP: TestCaseInput = { name: 'SignupTest.testcase', xml: makeXml(G.tc3, G.s3, 'tc-003') };
+
+// ── detectNamingStyle ─────────────────────────────────────────────────────────
+
+describe('detectNamingStyle', () => {
+  it('detects PascalCase', () => assert.equal(detectNamingStyle('LoginTest'), 'PascalCase'));
+  it('detects camelCase', () => assert.equal(detectNamingStyle('loginTest'), 'camelCase'));
+  it('detects snake_case', () => assert.equal(detectNamingStyle('login_test'), 'snake_case'));
+  it('detects kebab-case', () => assert.equal(detectNamingStyle('login-test'), 'kebab-case'));
+  it('detects space separated', () => assert.equal(detectNamingStyle('Login Test'), 'space separated'));
+  it('strips extension before detecting', () => assert.equal(detectNamingStyle('LoginTest.testcase'), 'PascalCase'));
+  it('returns unknown for single word lowercase', () => assert.equal(detectNamingStyle('login'), 'unknown'));
+});
+
+// ── computeViolationDeduction ─────────────────────────────────────────────────
+
+describe('computeViolationDeduction', () => {
+  it('returns 0 for empty array', () => {
+    assert.equal(computeViolationDeduction([]), 0);
+  });
+
+  it('deducts critical * 1.0 * weight', () => {
+    const v: HierarchyViolation = {
+      rule_id: 'TEST-001', name: 'T', description: '', category: 'c',
+      severity: 'critical', weight: 10, message: '', recommendation: '', applies_to: [],
+    };
+    assert.equal(computeViolationDeduction([v]), 10);
+  });
+
+  it('deducts major * 0.75 * weight', () => {
+    const v: HierarchyViolation = {
+      rule_id: 'TEST-002', name: 'T', description: '', category: 'c',
+      severity: 'major', weight: 4, message: '', recommendation: '', applies_to: [],
+    };
+    assert.equal(computeViolationDeduction([v]), 3);
+  });
+
+  it('accumulates multiple violations', () => {
+    const vCrit: HierarchyViolation = {
+      rule_id: 'A', name: '', description: '', category: '',
+      severity: 'critical', weight: 5, message: '', recommendation: '', applies_to: [],
+    };
+    const vInfo: HierarchyViolation = {
+      rule_id: 'B', name: '', description: '', category: '',
+      severity: 'info', weight: 4, message: '', recommendation: '', applies_to: [],
+    };
+    // 5*1.0 + 4*0.25 = 5 + 1 = 6
+    assert.equal(computeViolationDeduction([vCrit, vInfo]), 6);
+  });
+});
+
+// ── validateSuite ─────────────────────────────────────────────────────────────
+
+describe('validateSuite', () => {
+  describe('valid suite', () => {
+    it('returns no violations for a well-formed suite', () => {
+      const r = validateSuite(
+        { name: 'AuthSuite', test_cases: [TC_LOGIN, TC_LOGOUT] },
+        80
+      );
+      assert.equal(r.level, 'suite');
+      assert.equal(r.name, 'AuthSuite');
+      assert.equal(r.violations.length, 0);
+      assert.equal(r.test_cases.length, 2);
+    });
+  });
+
+  describe('SUITE-EMPTY-001: empty suite', () => {
+    it('flags a suite with no test cases and no child suites', () => {
+      const r = validateSuite({ name: 'EmptySuite' }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'SUITE-EMPTY-001'), 'Expected SUITE-EMPTY-001');
+      assert.equal(r.quality_score, 0);
+    });
+  });
+
+  describe('SUITE-DUP-001: duplicate test case names', () => {
+    it('flags two test cases with the same base name', () => {
+      const dup: TestCaseInput = { name: 'LoginTest.testcase', xml: makeXml(G.tc4, G.s3, 'tc-004') };
+      const r = validateSuite({ name: 'MySuite', test_cases: [TC_LOGIN, dup] }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'SUITE-DUP-001'), 'Expected SUITE-DUP-001');
+    });
+  });
+
+  describe('SUITE-DUP-002: duplicate child suite names', () => {
+    it('flags two child suites with the same name', () => {
+      const child: TestSuiteInput = { name: 'ChildSuite', test_cases: [TC_LOGIN] };
+      const dupe: TestSuiteInput = { name: 'childsuite', test_cases: [TC_LOGOUT] };
+      const r = validateSuite({ name: 'Parent', test_suites: [child, dupe] }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'SUITE-DUP-002'), 'Expected SUITE-DUP-002');
+    });
+  });
+
+  describe('SUITE-SIZE-001: oversized suite', () => {
+    it('flags test_case_count > 75', () => {
+      const r = validateSuite(
+        { name: 'BigSuite', test_cases: [TC_LOGIN], test_case_count: 76 },
+        80
+      );
+      assert.ok(r.violations.some((v) => v.rule_id === 'SUITE-SIZE-001'), 'Expected SUITE-SIZE-001');
+    });
+
+    it('does not flag exactly 75 test cases', () => {
+      const r = validateSuite(
+        { name: 'MediumSuite', test_cases: [TC_LOGIN], test_case_count: 75 },
+        80
+      );
+      assert.ok(!r.violations.some((v) => v.rule_id === 'SUITE-SIZE-001'), 'Did not expect SUITE-SIZE-001');
+    });
+  });
+
+  describe('SUITE-NAMING-002: inconsistent test case naming', () => {
+    it('flags mixed naming conventions among test cases', () => {
+      // PascalCase vs snake_case
+      const tc_snake: TestCaseInput = { name: 'login_test.testcase', xml: makeXml(G.tc4, G.s3, 'tc-004') };
+      const r = validateSuite({ name: 'MySuite', test_cases: [TC_LOGIN, tc_snake] }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'SUITE-NAMING-002'), 'Expected SUITE-NAMING-002');
+    });
+  });
+
+  describe('SUITE-NAMING-001: inconsistent child suite naming', () => {
+    it('flags mixed naming conventions among child suites', () => {
+      const pascal: TestSuiteInput = { name: 'LoginSuite',  test_cases: [TC_LOGIN] };
+      const snake:  TestSuiteInput = { name: 'logout_suite', test_cases: [TC_LOGOUT] };
+      const r = validateSuite({ name: 'Parent', test_suites: [pascal, snake] }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'SUITE-NAMING-001'), 'Expected SUITE-NAMING-001');
+    });
+  });
+
+  describe('recursive validation', () => {
+    it('validates child suites recursively', () => {
+      const emptyChild: TestSuiteInput = { name: 'EmptyChild' };
+      const r = validateSuite({ name: 'Parent', test_suites: [emptyChild] }, 80);
+      assert.equal(r.test_suites.length, 1);
+      assert.ok(r.test_suites[0].violations.some((v) => v.rule_id === 'SUITE-EMPTY-001'));
+    });
+
+    it('accepts xml alias for test case content', () => {
+      const tcXmlAlias: TestCaseInput = { name: 'AliasTest.testcase', xml: makeXml(G.tc1, G.s1, 'tc-alias') };
+      const r = validateSuite({ name: 'AliasSuite', test_cases: [tcXmlAlias] }, 80);
+      assert.equal(r.test_cases.length, 1);
+      assert.equal(r.test_cases[0].name, 'AliasTest.testcase');
+    });
+  });
+});
+
+// ── validatePlan ──────────────────────────────────────────────────────────────
+
+describe('validatePlan', () => {
+  const FULL_META = {
+    objectives:           'Validate all account lifecycle operations',
+    in_scope:             'Account creation, update, and deletion flows',
+    testing_methodology:  'Risk-based regression testing',
+    acceptance_criteria:  'All P1 and P2 cases pass',
+    acceptable_pass_rate: 95,
+    environments:         ['QA', 'UAT'],
+    test_data_strategy:   'Seed data refreshed before each run',
+    risks:                'Data migration may cause intermittent failures',
+  };
+
+  describe('valid plan', () => {
+    it('returns no structural violations when fully populated', () => {
+      const r = validatePlan(
+        {
+          name: 'Account Plan',
+          test_suites: [{ name: 'AuthSuite', test_cases: [TC_LOGIN] }],
+          metadata: FULL_META,
+        },
+        80
+      );
+      assert.equal(r.level, 'plan');
+      const structViolations = r.violations.filter((v) => !v.rule_id.startsWith('PLAN-META'));
+      assert.equal(structViolations.length, 0);
+    });
+  });
+
+  describe('PLAN-EMPTY-001: empty plan', () => {
+    it('flags a plan with no suites and no test cases', () => {
+      const r = validatePlan({ name: 'EmptyPlan' }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-EMPTY-001'), 'Expected PLAN-EMPTY-001');
+    });
+  });
+
+  describe('PLAN-DUP-001: duplicate suite names in plan', () => {
+    it('flags two suites sharing the same name (case-insensitive)', () => {
+      const r = validatePlan({
+        name: 'MyPlan',
+        test_suites: [
+          { name: 'AuthSuite', test_cases: [TC_LOGIN] },
+          { name: 'authsuite', test_cases: [TC_LOGOUT] },
+        ],
+        metadata: FULL_META,
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-DUP-001'), 'Expected PLAN-DUP-001');
+    });
+  });
+
+  describe('PLAN-SIZE-001: oversized plan', () => {
+    it('flags test_suite_count > 20', () => {
+      const r = validatePlan({
+        name: 'HugePlan',
+        test_suites: [{ name: 'S1', test_cases: [TC_LOGIN] }],
+        test_suite_count: 21,
+        metadata: FULL_META,
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-SIZE-001'), 'Expected PLAN-SIZE-001');
+    });
+
+    it('does not flag exactly 20 suites', () => {
+      const r = validatePlan({
+        name: 'FullPlan',
+        test_suites: [{ name: 'S1', test_cases: [TC_LOGIN] }],
+        test_suite_count: 20,
+        metadata: FULL_META,
+      }, 80);
+      assert.ok(!r.violations.some((v) => v.rule_id === 'PLAN-SIZE-001'));
+    });
+  });
+
+  describe('PLAN-META-* metadata completeness', () => {
+    it('PLAN-META-001: flags missing objectives', () => {
+      const r = validatePlan({ name: 'P', test_suites: [{ name: 'S', test_cases: [TC_LOGIN] }], metadata: {} }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-META-001'));
+    });
+
+    it('PLAN-META-002: flags missing in_scope', () => {
+      const r = validatePlan({ name: 'P', test_suites: [{ name: 'S', test_cases: [TC_LOGIN] }], metadata: { objectives: 'x' } }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-META-002'));
+    });
+
+    it('PLAN-META-003: flags missing testing_methodology', () => {
+      const r = validatePlan({ name: 'P', test_suites: [{ name: 'S', test_cases: [TC_LOGIN] }], metadata: { objectives: 'x', in_scope: 'y' } }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-META-003'));
+    });
+
+    it('PLAN-META-004: flags missing acceptance_criteria when no acceptable_pass_rate', () => {
+      const r = validatePlan({
+        name: 'P',
+        test_suites: [{ name: 'S', test_cases: [TC_LOGIN] }],
+        metadata: { objectives: 'x', in_scope: 'y', testing_methodology: 'z' },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-META-004'));
+    });
+
+    it('PLAN-META-004: acceptable_pass_rate alone satisfies the criterion', () => {
+      const r = validatePlan({
+        name: 'P',
+        test_suites: [{ name: 'S', test_cases: [TC_LOGIN] }],
+        metadata: { objectives: 'x', in_scope: 'y', testing_methodology: 'z', acceptable_pass_rate: 90 },
+      }, 80);
+      assert.ok(!r.violations.some((v) => v.rule_id === 'PLAN-META-004'));
+    });
+
+    it('PLAN-META-005: flags missing environments', () => {
+      const r = validatePlan({
+        name: 'P',
+        test_suites: [{ name: 'S', test_cases: [TC_LOGIN] }],
+        metadata: { objectives: 'x', in_scope: 'y', testing_methodology: 'z', acceptance_criteria: 'c' },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-META-005'));
+    });
+
+    it('PLAN-META-006: flags missing test_data_strategy', () => {
+      const r = validatePlan({
+        name: 'P',
+        test_suites: [{ name: 'S', test_cases: [TC_LOGIN] }],
+        metadata: { objectives: 'x', in_scope: 'y', testing_methodology: 'z', acceptance_criteria: 'c', environments: ['QA'] },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-META-006'));
+    });
+
+    it('PLAN-META-007: flags missing risks', () => {
+      const r = validatePlan({
+        name: 'P',
+        test_suites: [{ name: 'S', test_cases: [TC_LOGIN] }],
+        metadata: { objectives: 'x', in_scope: 'y', testing_methodology: 'z', acceptance_criteria: 'c', environments: ['QA'], test_data_strategy: 'ts' },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-META-007'));
+    });
+  });
+
+  describe('PLAN-NAMING-001: inconsistent suite naming in plan', () => {
+    it('flags mixed naming conventions among suites', () => {
+      const r = validatePlan({
+        name: 'MyPlan',
+        test_suites: [
+          { name: 'LoginSuite',   test_cases: [TC_LOGIN] },
+          { name: 'logout_suite', test_cases: [TC_LOGOUT] },
+        ],
+        metadata: FULL_META,
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PLAN-NAMING-001'), 'Expected PLAN-NAMING-001');
+    });
+  });
+});
+
+// ── validateProject ───────────────────────────────────────────────────────────
+
+describe('validateProject', () => {
+  const FULL_META = {
+    objectives: 'Full regression coverage', in_scope: 'All modules',
+    testing_methodology: 'Regression', acceptance_criteria: 'All pass',
+    environments: ['QA'], test_data_strategy: 'Seed', risks: 'None',
+  };
+
+  describe('PROJ-EMPTY-001: empty project', () => {
+    it('flags a project with no plans, suites, or test cases', () => {
+      const r = validateProject({ name: 'EmptyProject' }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PROJ-EMPTY-001'), 'Expected PROJ-EMPTY-001');
+    });
+  });
+
+  describe('PROJ-DUP-002: duplicate plan names in project', () => {
+    it('flags two plans with the same name (case-insensitive)', () => {
+      const plan = {
+        name: 'Sprint Plan',
+        test_suites: [{ name: 'S1', test_cases: [TC_LOGIN] }],
+        metadata: FULL_META,
+      };
+      const r = validateProject({
+        name: 'MyProject',
+        test_plans: [plan, { ...plan, name: 'sprint plan' }],
+        project_context: { secretsPasswordSet: true },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PROJ-DUP-002'), 'Expected PROJ-DUP-002');
+    });
+  });
+
+  describe('PROJ-DUP-001: duplicate test case names across project', () => {
+    it('flags duplicate test case names across different plans', () => {
+      // The registry uses the FULL name as key, so the duplicate must differ in
+      // path prefix or casing while resolving to the same base name.
+      // e.g. 'LoginTest.testcase' vs 'LOGINTEST.testcase' → both base='logintest'
+      const tcDup: TestCaseInput = { name: 'LOGINTEST.testcase', xml: makeXml(G.tc4, G.s3, 'tc-dup') };
+      const plan1 = {
+        name: 'Plan A',
+        test_suites: [{ name: 'S1', test_cases: [TC_LOGIN] }],  // LoginTest.testcase
+        metadata: FULL_META,
+      };
+      const plan2 = {
+        name: 'Plan B',
+        test_suites: [{ name: 'S2', test_cases: [tcDup] }],     // LOGINTEST.testcase → same base
+        metadata: FULL_META,
+      };
+      const r = validateProject({
+        name: 'MyProject',
+        test_plans: [plan1, plan2],
+        project_context: { secretsPasswordSet: true },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PROJ-DUP-001'), 'Expected PROJ-DUP-001');
+    });
+  });
+
+  describe('PROJ-CALLABLE-001/002: caseCall resolution', () => {
+    // XML for a test that calls another test via caseCall
+    function makeCaseCallXml(calledPath: string, calledId: string): string {
+      return (
+        '<?xml version="1.0" encoding="UTF-8"?>\n' +
+        `<testCase id="caller-001" guid="${G.tc1}" registryId="caller-001" name="CallerTest">\n` +
+        '  <steps>\n' +
+        `    <caseCall testCaseId="${calledId}" testCasePath="${calledPath}" testItemId="10"/>\n` +
+        '  </steps>\n' +
+        '</testCase>'
+      );
+    }
+
+    it('does NOT flag caseCall when callee is in the plan registry', () => {
+      // CallableTest is plan-registered (has testinstance), so it's in the registry
+      const caller: TestCaseInput = {
+        name: 'CallerTest.testcase',
+        xml: makeCaseCallXml('tests/CallableTest.testcase', 'callable-uuid'),
+      };
+      const callee: TestCaseInput = { name: 'CallableTest.testcase', xml: makeXml(G.tc2, G.s2, 'callable-001') };
+      const r = validateProject({
+        name: 'P',
+        test_cases: [caller, callee],
+        project_context: { secretsPasswordSet: true },
+      }, 80);
+      assert.ok(!r.violations.some((v) => v.rule_id === 'PROJ-CALLABLE-001'), 'Should not flag PROJ-CALLABLE-001 for known callee');
+      assert.ok(!r.violations.some((v) => v.rule_id === 'PROJ-CALLABLE-002'), 'Should not flag PROJ-CALLABLE-002 for known callee');
+    });
+
+    it('flags PROJ-CALLABLE-001 when callee is genuinely missing', () => {
+      const caller: TestCaseInput = {
+        name: 'CallerTest.testcase',
+        xml: makeCaseCallXml('tests/Callable/DoesNotExist.testcase', 'missing-uuid'),
+      };
+      const r = validateProject({
+        name: 'P',
+        test_cases: [caller],
+        project_context: { secretsPasswordSet: true },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PROJ-CALLABLE-001'), 'Expected PROJ-CALLABLE-001 for genuinely missing callee');
+    });
+
+    it('does NOT flag caseCall when callee is known via all_disk_test_case_names (callable test)', () => {
+      // Callable tests have no .testinstance so they never enter the plan registry.
+      // all_disk_test_case_names bridges this gap.
+      const caller: TestCaseInput = {
+        name: 'CallerTest.testcase',
+        xml: makeCaseCallXml('tests/Callable/CreateQuote.testcase', 'callable-uuid'),
+      };
+      const r = validateProject({
+        name: 'P',
+        test_cases: [caller],       // only the caller is in the plan
+        project_context: { secretsPasswordSet: true },
+        // CreateQuote exists on disk as a callable test (no testinstance)
+        all_disk_test_case_names: ['CreateQuote'],
+      }, 80);
+      assert.ok(!r.violations.some((v) => v.rule_id === 'PROJ-CALLABLE-001'), 'Should not flag callable test present on disk');
+      assert.ok(!r.violations.some((v) => v.rule_id === 'PROJ-CALLABLE-002'), 'Should not flag callable test present on disk');
+    });
+
+    it('flags PROJ-CALLABLE-001 even with all_disk_test_case_names when callee is absent from disk too', () => {
+      const caller: TestCaseInput = {
+        name: 'CallerTest.testcase',
+        xml: makeCaseCallXml('tests/Callable/Missing.testcase', 'missing-uuid'),
+      };
+      const r = validateProject({
+        name: 'P',
+        test_cases: [caller],
+        project_context: { secretsPasswordSet: true },
+        all_disk_test_case_names: ['CreateQuote', 'OtherTest'],  // Missing not in this list
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PROJ-CALLABLE-001'), 'Should still flag genuinely missing callee');
+    });
+  });
+
+  describe('PROJ-SECRET-001: missing secrets password', () => {
+    it('flags when secretsPasswordSet is false', () => {
+      const r = validateProject({
+        name: 'MyProject',
+        test_cases: [TC_LOGIN],
+        project_context: { secretsPasswordSet: false },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PROJ-SECRET-001'), 'Expected PROJ-SECRET-001');
+    });
+
+    it('does not flag when secretsPasswordSet is true', () => {
+      const r = validateProject({
+        name: 'MyProject',
+        test_cases: [TC_LOGIN],
+        project_context: { secretsPasswordSet: true },
+      }, 80);
+      assert.ok(!r.violations.some((v) => v.rule_id === 'PROJ-SECRET-001'));
+    });
+  });
+
+  describe('PROJ-ENV-001: duplicate environment names', () => {
+    it('flags two environments with the same name (case-insensitive)', () => {
+      const r = validateProject({
+        name: 'MyProject',
+        test_cases: [TC_LOGIN],
+        project_context: { secretsPasswordSet: true, environments: ['QA', 'qa'] },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PROJ-ENV-001'), 'Expected PROJ-ENV-001');
+    });
+  });
+
+  describe('PROJ-ENV-002: invalid environment name characters', () => {
+    it('flags environment names containing special characters', () => {
+      const r = validateProject({
+        name: 'MyProject',
+        test_cases: [TC_LOGIN],
+        project_context: { secretsPasswordSet: true, environments: ['QA-Staging!'] },
+      }, 80);
+      assert.ok(r.violations.some((v) => v.rule_id === 'PROJ-ENV-002'), 'Expected PROJ-ENV-002');
+    });
+
+    it('allows alphanumeric and underscore environment names', () => {
+      const r = validateProject({
+        name: 'MyProject',
+        test_cases: [TC_LOGIN],
+        project_context: { secretsPasswordSet: true, environments: ['QA', 'UAT_2', 'Staging3'] },
+      }, 80);
+      assert.ok(!r.violations.some((v) => v.rule_id === 'PROJ-ENV-002'));
+    });
+  });
+
+  describe('result shape', () => {
+    it('returns level="project" with correct nested structure', () => {
+      const r = validateProject({
+        name: 'ShapeTest',
+        test_plans: [{
+          name: 'Plan1',
+          test_suites: [{ name: 'Suite1', test_cases: [TC_LOGIN] }],
+          metadata: FULL_META,
+        }],
+        project_context: { secretsPasswordSet: true },
+      }, 80);
+      assert.equal(r.level, 'project');
+      assert.equal(r.name, 'ShapeTest');
+      assert.equal(r.test_plans.length, 1);
+      assert.equal(r.test_plans[0].test_suites.length, 1);
+      assert.equal(r.test_plans[0].test_suites[0].test_cases.length, 1);
+    });
+  });
+});
+
+// ── buildHierarchySummary ─────────────────────────────────────────────────────
+
+describe('buildHierarchySummary', () => {
+  it('counts test cases and violations correctly for a suite result', () => {
+    const r = validateSuite({ name: 'S', test_cases: [TC_LOGIN, TC_LOGOUT] }, 80);
+    const summary = buildHierarchySummary(r);
+    assert.equal(summary.total_test_cases, 2);
+    assert.ok(summary.total_violations >= 0);
+    assert.ok(summary.quality_score_min !== null);
+    assert.ok(summary.quality_score_max !== null);
+  });
+
+  it('counts violations at all levels for a project result', () => {
+    const r = validateProject({ name: 'P' }, 80);           // triggers PROJ-EMPTY-001 + PROJ-SECRET-001
+    const summary = buildHierarchySummary(r);
+    assert.equal(summary.total_test_cases, 0);
+    assert.ok(summary.total_violations >= 2, `Expected >= 2 violations, got ${summary.total_violations}`);
+    assert.ok(summary.violations_by_level.project >= 2);
+  });
+
+  it('classifies test case statuses (valid/invalid/error)', () => {
+    // An empty XML string will fail validation → invalid status
+    const r = validateSuite({
+      name: 'S',
+      test_cases: [
+        TC_LOGIN,                                              // valid XML → valid
+        { name: 'BadTest.testcase', xml: '' },                // empty XML → invalid
+      ],
+    }, 80);
+    const summary = buildHierarchySummary(r);
+    assert.equal(summary.total_test_cases, 2);
+    assert.ok(summary.test_cases_valid >= 0);
+    assert.ok(summary.test_cases_invalid >= 0);
+    assert.equal(summary.test_cases_valid + summary.test_cases_invalid + summary.test_cases_error, 2);
+  });
+
+  it('reports quality_score_avg, min, max for test cases', () => {
+    const r = validateSuite({ name: 'S', test_cases: [TC_LOGIN, TC_LOGOUT, TC_SIGNUP] }, 80);
+    const summary = buildHierarchySummary(r);
+    assert.equal(summary.total_test_cases, 3);
+    assert.ok(summary.quality_score_min !== null && summary.quality_score_min >= 0);
+    assert.ok(summary.quality_score_max !== null && summary.quality_score_max <= 100);
+    assert.ok(summary.quality_score_avg >= 0 && summary.quality_score_avg <= 100);
+  });
+});
diff --git a/test/unit/mcp/licensing/licenseValidator.test.ts b/test/unit/mcp/licensing/licenseValidator.test.ts
new file mode 100644
index 00000000..1ce01544
--- /dev/null
+++ b/test/unit/mcp/licensing/licenseValidator.test.ts
@@ -0,0 +1,520 @@
+import os from 'node:os';
+import path from 'node:path';
+import fs from 'node:fs';
+import { strict as assert } from 'node:assert';
+import { describe, it, beforeEach, afterEach } from 'mocha';
+import { LicenseError } from '../../../../src/mcp/licensing/licenseError.js';
+import {
+  hashKey,
+  readCacheEntry,
+  writeCacheEntry,
+  isCacheEntryFresh,
+  isCacheEntryWithinGrace,
+  ONLINE_TTL_MS,
+  OFFLINE_GRACE_MS,
+} from '../../../../src/mcp/licensing/licenseCache.js';
+import { validateLicense } from '../../../../src/mcp/licensing/licenseValidator.js';
+import {
+  readIdeLicenses,
+  findActivatedIdeLicense,
+} from '../../../../src/mcp/licensing/ideDetection.js';
+
+// ── Helpers ─────────────────────────────────────────────────────────────────
+
+/** Make a fake CacheEntry. checkedAt defaults to now. */
+function makeCacheEntry(overrides: Partial<{
+  keyHash: string;
+  valid: boolean;
+  licenseType: string;
+  checkedAt: number;
+}> = {}): { keyHash: string; valid: boolean; licenseType: string; checkedAt: number } {
+  return {
+    keyHash: 'fakehash',
+    valid: true,
+    licenseType: 'FixedSeat',
+    checkedAt: Date.now(),
+    ...overrides,
+  };
+}
+
+// ── A. LicenseError ──────────────────────────────────────────────────────────
+
+describe('LicenseError', () => {
+  it('constructs with code and message', () => {
+    const err = new LicenseError('LICENSE_INVALID', 'Key expired');
+    assert.equal(err.code, 'LICENSE_INVALID');
+    assert.equal(err.message, 'Key expired');
+    assert.equal(err.name, 'LicenseError');
+    assert.ok(err instanceof Error);
+  });
+
+  it('is distinguishable by instanceof', () => {
+    const err = new LicenseError('X', 'msg');
+    assert.ok(err instanceof LicenseError);
+    assert.ok(!(new Error('msg') instanceof LicenseError));
+  });
+});
+
+// ── B. licenseCache ──────────────────────────────────────────────────────────
+
+describe('licenseCache', () => {
+  let tmpDir: string;
+  let origHome: string | undefined;
+  let origProvarHome: string | undefined;
+
+  beforeEach(() => {
+    // Redirect PROVAR_HOME so the cache writes to a temp dir, not ~/Provar.
+    // Also redirect HOME/USERPROFILE for os.homedir() fallback.
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'provar-license-test-'));
+    origHome = process.env['HOME'];
+    origProvarHome = process.env['PROVAR_HOME'];
+    process.env['HOME'] = tmpDir;
+    process.env['USERPROFILE'] = tmpDir;
+    process.env['PROVAR_HOME'] = path.join(tmpDir, 'Provar');
+  });
+
+  afterEach(() => {
+    if (origHome !== undefined) {
+      process.env['HOME'] = origHome;
+      process.env['USERPROFILE'] = origHome;
+    } else {
+      delete process.env['HOME'];
+      delete process.env['USERPROFILE'];
+    }
+    if (origProvarHome !== undefined) {
+      process.env['PROVAR_HOME'] = origProvarHome;
+    } else {
+      delete process.env['PROVAR_HOME'];
+    }
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('hashKey returns a 64-char hex string', () => {
+    const h = hashKey('any-test-input');
+    assert.match(h, /^[0-9a-f]{64}$/);
+  });
+
+  it('hashKey is deterministic', () => {
+    assert.equal(hashKey('abc'), hashKey('abc'));
+  });
+
+  it('hashKey differs for different keys', () => {
+    assert.notEqual(hashKey('abc'), hashKey('ABC'));
+  });
+
+  it('readCacheEntry returns null when no cache file exists', () => {
+    assert.equal(readCacheEntry('anyhash'), null);
+  });
+
+  it('writeCacheEntry creates ~/Provar/.licenses/.mcp-license-cache.json', () => {
+    const entry = makeCacheEntry({ keyHash: hashKey('mykey') });
+    writeCacheEntry(entry as Parameters<typeof writeCacheEntry>[0]);
+
+    const cacheFilePath = path.join(tmpDir, 'Provar', '.licenses', '.mcp-license-cache.json');
+    assert.ok(fs.existsSync(cacheFilePath), 'cache file should exist');
+    const parsed = JSON.parse(fs.readFileSync(cacheFilePath, 'utf-8')) as Record<string, unknown>;
+    assert.ok(parsed[entry.keyHash]);
+  });
+
+  it('readCacheEntry returns the written entry', () => {
+    const hash = hashKey('round-trip-key');
+    const entry = makeCacheEntry({ keyHash: hash, licenseType: 'Trial' });
+    writeCacheEntry(entry as Parameters<typeof writeCacheEntry>[0]);
+
+    const read = readCacheEntry(hash);
+    assert.ok(read !== null);
+    assert.equal(read?.licenseType, 'Trial');
+    assert.equal(read?.valid, true);
+  });
+
+  it('readCacheEntry returns null for unknown hash', () => {
+    const entry = makeCacheEntry({ keyHash: hashKey('keyA') });
+    writeCacheEntry(entry as Parameters<typeof writeCacheEntry>[0]);
+    assert.equal(readCacheEntry(hashKey('keyB')), null);
+  });
+
+  it('isCacheEntryFresh returns true for entry just written', () => {
+    const entry = makeCacheEntry({ checkedAt: Date.now() });
+    assert.ok(isCacheEntryFresh(entry as Parameters<typeof isCacheEntryFresh>[0]));
+  });
+
+  it('isCacheEntryFresh returns false when entry is older than 2h', () => {
+    const entry = makeCacheEntry({ checkedAt: Date.now() - ONLINE_TTL_MS - 1 });
+    assert.ok(!isCacheEntryFresh(entry as Parameters<typeof isCacheEntryFresh>[0]));
+  });
+
+  it('isCacheEntryWithinGrace returns true for entry written 30h ago', () => {
+    const entry = makeCacheEntry({ checkedAt: Date.now() - 30 * 60 * 60 * 1000 });
+    assert.ok(isCacheEntryWithinGrace(entry as Parameters<typeof isCacheEntryWithinGrace>[0]));
+  });
+
+  it('isCacheEntryWithinGrace returns false for entry older than 48h', () => {
+    const entry = makeCacheEntry({ checkedAt: Date.now() - OFFLINE_GRACE_MS - 1 });
+    assert.ok(!isCacheEntryWithinGrace(entry as Parameters<typeof isCacheEntryWithinGrace>[0]));
+  });
+
+  it('writeCacheEntry tolerates existing cache file with multiple entries', () => {
+    const hashA = hashKey('keyA');
+    const hashB = hashKey('keyB');
+    writeCacheEntry(makeCacheEntry({ keyHash: hashA, licenseType: 'Trial' }) as Parameters<typeof writeCacheEntry>[0]);
+    writeCacheEntry(makeCacheEntry({ keyHash: hashB, licenseType: 'Floating' }) as Parameters<typeof writeCacheEntry>[0]);
+
+    assert.equal(readCacheEntry(hashA)?.licenseType, 'Trial');
+    assert.equal(readCacheEntry(hashB)?.licenseType, 'Floating');
+  });
+
+  it('writeCacheEntry overwrites an existing entry for the same key', () => {
+    const hash = hashKey('update-me');
+    writeCacheEntry(makeCacheEntry({ keyHash: hash, valid: true }) as Parameters<typeof writeCacheEntry>[0]);
+    writeCacheEntry(makeCacheEntry({ keyHash: hash, valid: false }) as Parameters<typeof writeCacheEntry>[0]);
+    assert.equal(readCacheEntry(hash)?.valid, false);
+  });
+});
+
+// ── C. licenseValidator — NODE_ENV=test fast-path ────────────────────────────
+
+describe('licenseValidator (NODE_ENV=test fast-path)', () => {
+  let origNodeEnv: string | undefined;
+
+  beforeEach(() => {
+    origNodeEnv = process.env['NODE_ENV'];
+    process.env['NODE_ENV'] = 'test';
+  });
+
+  afterEach(() => {
+    process.env['NODE_ENV'] = origNodeEnv;
+  });
+
+  it('returns valid=true immediately in test environment', async () => {
+    const result = await validateLicense();
+    assert.equal(result.valid, true);
+    assert.equal(result.fromCache, false);
+    assert.equal(result.offlineGrace, false);
+  });
+
+  it('reports licenseType as Whitelisted in test environment', async () => {
+    const result = await validateLicense();
+    assert.equal(result.licenseType, 'Whitelisted');
+  });
+});
+
+// ── D. ideDetection ──────────────────────────────────────────────────────────
+
+describe('ideDetection', () => {
+  let tmpDir: string;
+  let origHome: string | undefined;
+  let origProvarHome: string | undefined;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'provar-ide-test-'));
+    origHome = process.env['HOME'];
+    origProvarHome = process.env['PROVAR_HOME'];
+    // Point PROVAR_HOME to a subdirectory of tmpDir so ~/.licenses → tmpDir/Provar/.licenses
+    process.env['PROVAR_HOME'] = path.join(tmpDir, 'Provar');
+    process.env['HOME'] = tmpDir;
+    process.env['USERPROFILE'] = tmpDir;
+  });
+
+  afterEach(() => {
+    process.env['HOME'] = origHome;
+    process.env['USERPROFILE'] = origHome;
+    if (origProvarHome !== undefined) {
+      process.env['PROVAR_HOME'] = origProvarHome;
+    } else {
+      delete process.env['PROVAR_HOME'];
+    }
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  function writeLicenseFile(name: string, props: Record<string, string>): void {
+    const dir = path.join(tmpDir, 'Provar', '.licenses');
+    fs.mkdirSync(dir, { recursive: true });
+    const content = Object.entries(props).map(([k, v]) => `${k}=${v}`).join('\n');
+    fs.writeFileSync(path.join(dir, `${name}.properties`), content, 'utf-8');
+  }
+
+  it('returns empty array when licenses folder does not exist', () => {
+    assert.deepEqual(readIdeLicenses(), []);
+  });
+
+  it('reads a single activated FixedSeat license (Java enum name "FixedSeat")', () => {
+    // Java stores LicenseType.name() = "FixedSeat" (not the title "Fixed Seat")
+    writeLicenseFile('License 1', {
+      licenseStatus: 'Activated',
+      licenseType: 'FixedSeat',
+      lastOnlineAvailabilityCheckUtc: String(Date.now()),
+    });
+    const licenses = readIdeLicenses();
+    assert.equal(licenses.length, 1);
+    assert.equal(licenses[0].name, 'License 1');
+    assert.equal(licenses[0].licenseType, 'FixedSeat');
+    assert.ok(licenses[0].activated);
+  });
+
+  it('reads a FixedSeat license stored with legacy title "Fixed Seat"', () => {
+    writeLicenseFile('License 1', {
+      licenseStatus: 'Activated',
+      licenseType: 'Fixed Seat',
+      lastOnlineAvailabilityCheckUtc: String(Date.now()),
+    });
+    const licenses = readIdeLicenses();
+    assert.equal(licenses[0].licenseType, 'FixedSeat');
+  });
+
+  it('reads a Floating license with NotActivated status', () => {
+    writeLicenseFile('Floating', {
+      licenseStatus: 'NotActivated',
+      licenseType: 'Floating',
+      lastOnlineAvailabilityCheckUtc: '0',
+    });
+    const licenses = readIdeLicenses();
+    assert.equal(licenses[0].activated, false);
+    assert.equal(licenses[0].licenseType, 'Floating');
+  });
+
+  it('ignores non-.properties files in the licenses folder', () => {
+    const dir = path.join(tmpDir, 'Provar', '.licenses');
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(path.join(dir, '.mcp-license-cache.json'), '{}', 'utf-8');
+    fs.writeFileSync(path.join(dir, 'README.txt'), 'ignore me', 'utf-8');
+    assert.equal(readIdeLicenses().length, 0);
+  });
+
+  it('findActivatedIdeLicense returns null when no activated license', () => {
+    writeLicenseFile('License 1', { licenseStatus: 'NotActivated', licenseType: 'Trial', lastOnlineAvailabilityCheckUtc: String(Date.now()) });
+    assert.equal(findActivatedIdeLicense(), null);
+  });
+
+  it('findActivatedIdeLicense returns the most recently validated activated license', () => {
+    const now = Date.now();
+    writeLicenseFile('Old', { licenseStatus: 'Activated', licenseType: 'Floating', lastOnlineAvailabilityCheckUtc: String(now - 3_600_000) });
+    writeLicenseFile('Recent', { licenseStatus: 'Activated', licenseType: 'FixedSeat', lastOnlineAvailabilityCheckUtc: String(now - 60_000) });
+    const best = findActivatedIdeLicense();
+    assert.equal(best?.name, 'Recent');
+  });
+
+});
+
+// ── E. licenseValidator — IDE auto-detection (non-test env) ──────────────────
+
+describe('licenseValidator (IDE auto-detection, non-test env)', () => {
+  let origNodeEnv: string | undefined;
+  let tmpDir: string;
+  let origProvarHome: string | undefined;
+
+  beforeEach(() => {
+    origNodeEnv = process.env['NODE_ENV'];
+    delete process.env['NODE_ENV'];
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'provar-validator-test-'));
+    origProvarHome = process.env['PROVAR_HOME'];
+    process.env['PROVAR_HOME'] = path.join(tmpDir, 'Provar');
+    process.env['HOME'] = tmpDir;
+    process.env['USERPROFILE'] = tmpDir;
+  });
+
+  afterEach(() => {
+    if (origNodeEnv !== undefined) {
+      process.env['NODE_ENV'] = origNodeEnv;
+    } else {
+      delete process.env['NODE_ENV'];
+    }
+    if (origProvarHome !== undefined) {
+      process.env['PROVAR_HOME'] = origProvarHome;
+    } else {
+      delete process.env['PROVAR_HOME'];
+    }
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  function writeLicenseFile(name: string, props: Record<string, string>): void {
+    const dir = path.join(tmpDir, 'Provar', '.licenses');
+    fs.mkdirSync(dir, { recursive: true });
+    const content = Object.entries(props).map(([k, v]) => `${k}=${v}`).join('\n');
+    fs.writeFileSync(path.join(dir, `${name}.properties`), content, 'utf-8');
+  }
+
+  it('throws LICENSE_NOT_FOUND when no IDE license exists and no cache', async () => {
+    await assert.rejects(
+      () => validateLicense(),
+      (err: unknown) => {
+        assert.ok(err instanceof LicenseError);
+        assert.equal(err.code, 'LICENSE_NOT_FOUND');
+        return true;
+      }
+    );
+  });
+
+  it('throws LICENSE_NOT_FOUND when license is present but not Activated', async () => {
+    writeLicenseFile('NotActive', {
+      licenseStatus: 'NotActivated',
+      licenseType: 'Trial',
+      lastOnlineAvailabilityCheckUtc: String(Date.now()),
+    });
+    await assert.rejects(
+      () => validateLicense(),
+      (err: unknown) => {
+        assert.ok(err instanceof LicenseError);
+        assert.equal(err.code, 'LICENSE_NOT_FOUND');
+        return true;
+      }
+    );
+  });
+
+  it('returns valid=true for an activated license', async () => {
+    writeLicenseFile('ActiveLic', {
+      licenseStatus: 'Activated',
+      licenseType: 'Floating',
+      lastOnlineAvailabilityCheckUtc: String(Date.now() - 60_000), // 1 min ago
+    });
+    const result = await validateLicense();
+    assert.equal(result.valid, true);
+    assert.equal(result.licenseType, 'Floating');
+    assert.equal(result.fromCache, false);
+    assert.equal(result.offlineGrace, false);
+  });
+
+  it('accepts an activated license even when lastOnlineAvailabilityCheckUtc is very old (200h)', async () => {
+    // The IDE sets licenseStatus=Activated — we trust that, not the ALGAS timestamp.
+    writeLicenseFile('OldTimestamp', {
+      licenseStatus: 'Activated',
+      licenseType: 'Floating',
+      lastOnlineAvailabilityCheckUtc: String(Date.now() - 200 * 60 * 60 * 1000), // 200h ago
+    });
+    const result = await validateLicense();
+    assert.equal(result.valid, true);
+    assert.equal(result.offlineGrace, false);
+  });
+
+  it('writes to MCP cache after a successful IDE read', async () => {
+    writeLicenseFile('CacheLic', {
+      licenseStatus: 'Activated',
+      licenseType: 'Trial',
+      lastOnlineAvailabilityCheckUtc: String(Date.now()),
+    });
+    await validateLicense();
+    // Verify cache was written using the IDE sentinel key
+    const IDE_SENTINEL = '__ide_detection__';
+    const entry = readCacheEntry(hashKey(IDE_SENTINEL));
+    assert.ok(entry !== null, 'cache entry should be written');
+    assert.equal(entry?.valid, true);
+    assert.equal(entry?.licenseType, 'Trial');
+  });
+
+  it('serves from MCP cache on second call within 2h (skips IDE read)', async () => {
+    writeLicenseFile('ActiveLic', {
+      licenseStatus: 'Activated',
+      licenseType: 'Floating',
+      lastOnlineAvailabilityCheckUtc: String(Date.now()),
+    });
+    // First call — reads IDE, writes cache
+    await validateLicense();
+    // Second call — should hit cache (fromCache=true)
+    const result = await validateLicense();
+    assert.equal(result.fromCache, true);
+    assert.equal(result.licenseType, 'Floating');
+    assert.equal(result.offlineGrace, false);
+  });
+
+  it('serves from grace cache when IDE disappears but cache is within 48h', async () => {
+    writeLicenseFile('ActiveLic', {
+      licenseStatus: 'Activated',
+      licenseType: 'FixedSeat',
+      lastOnlineAvailabilityCheckUtc: String(Date.now()),
+    });
+    // Seed the cache with a stale-but-within-grace entry
+    const IDE_SENTINEL = '__ide_detection__';
+    writeCacheEntry({
+      keyHash: hashKey(IDE_SENTINEL),
+      valid: true,
+      licenseType: 'FixedSeat',
+      checkedAt: Date.now() - 10 * 60 * 60 * 1000, // 10h ago — past 2h TTL but within 48h grace
+    });
+    // Remove the IDE license file so IDE detection fails
+    fs.rmSync(path.join(tmpDir, 'Provar', '.licenses', 'ActiveLic.properties'));
+
+    const result = await validateLicense();
+    assert.equal(result.valid, true);
+    assert.equal(result.fromCache, true);
+    assert.equal(result.offlineGrace, true);
+  });
+});
+
+// ── F. licenseValidator — PROVAR_DEV_WHITELIST_KEYS bypass ───────────────────
+
+describe('licenseValidator (PROVAR_DEV_WHITELIST_KEYS bypass)', () => {
+  let origNodeEnv: string | undefined;
+  let origWhitelist: string | undefined;
+  let origProvarHome: string | undefined;
+  let tmpDir: string;
+
+  beforeEach(() => {
+    origNodeEnv = process.env['NODE_ENV'];
+    origWhitelist = process.env['PROVAR_DEV_WHITELIST_KEYS'];
+    origProvarHome = process.env['PROVAR_HOME'];
+    // Use a fresh tmpDir so fallthrough tests never touch the real ~/.Provar dir
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'provar-whitelist-test-'));
+    delete process.env['NODE_ENV'];
+    delete process.env['PROVAR_DEV_WHITELIST_KEYS'];
+    process.env['PROVAR_HOME'] = path.join(tmpDir, 'Provar');
+    process.env['HOME'] = tmpDir;
+    process.env['USERPROFILE'] = tmpDir;
+  });
+
+  afterEach(() => {
+    if (origNodeEnv !== undefined) process.env['NODE_ENV'] = origNodeEnv;
+    else delete process.env['NODE_ENV'];
+    if (origWhitelist !== undefined) process.env['PROVAR_DEV_WHITELIST_KEYS'] = origWhitelist;
+    else delete process.env['PROVAR_DEV_WHITELIST_KEYS'];
+    if (origProvarHome !== undefined) process.env['PROVAR_HOME'] = origProvarHome;
+    else delete process.env['PROVAR_HOME'];
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('bypasses all validation when PROVAR_DEV_WHITELIST_KEYS contains a key', async () => {
+    process.env['PROVAR_DEV_WHITELIST_KEYS'] = 'DEV-BYPASS-SENTINEL';
+    const result = await validateLicense();
+    assert.equal(result.valid, true);
+    assert.equal(result.licenseType, 'Whitelisted');
+    assert.equal(result.fromCache, false);
+    assert.equal(result.offlineGrace, false);
+  });
+
+  it('bypasses when whitelist contains multiple comma-separated keys', async () => {
+    process.env['PROVAR_DEV_WHITELIST_KEYS'] = 'KEY-A,KEY-B,KEY-C';
+    const result = await validateLicense();
+    assert.equal(result.valid, true);
+    assert.equal(result.licenseType, 'Whitelisted');
+  });
+
+  it('trims whitespace from each whitelist entry', async () => {
+    process.env['PROVAR_DEV_WHITELIST_KEYS'] = '  DEV-KEY-A  ,  DEV-KEY-B  ';
+    const result = await validateLicense();
+    assert.equal(result.valid, true);
+    assert.equal(result.licenseType, 'Whitelisted');
+  });
+
+  it('does not bypass when env var is an empty string', async () => {
+    process.env['PROVAR_DEV_WHITELIST_KEYS'] = '';
+    // Falls through to IDE detection — no IDE on this machine, so throws
+    await assert.rejects(
+      () => validateLicense(),
+      (err: unknown) => {
+        assert.ok(err instanceof LicenseError);
+        assert.equal(err.code, 'LICENSE_NOT_FOUND');
+        return true;
+      }
+    );
+  });
+
+  it('does not bypass when env var contains only commas and whitespace', async () => {
+    process.env['PROVAR_DEV_WHITELIST_KEYS'] = '  ,  ,  ';
+    await assert.rejects(
+      () => validateLicense(),
+      (err: unknown) => {
+        assert.ok(err instanceof LicenseError);
+        assert.equal(err.code, 'LICENSE_NOT_FOUND');
+        return true;
+      }
+    );
+  });
+});
diff --git a/test/unit/mcp/pageObjectGenerate.test.ts b/test/unit/mcp/pageObjectGenerate.test.ts
new file mode 100644
index 00000000..566163c4
--- /dev/null
+++ b/test/unit/mcp/pageObjectGenerate.test.ts
@@ -0,0 +1,365 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, beforeEach, afterEach } from 'mocha';
+import { registerPageObjectGenerate } from '../../../src/mcp/tools/pageObjectGenerate.js';
+import type { ServerConfig } from '../../../src/mcp/server.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+// Note: bypasses Zod parsing — always pass explicit values for fields with defaults
+// (fields, dry_run, overwrite, page_type, package_name).
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+let tmpDir: string;
+let server: MockMcpServer;
+let config: ServerConfig;
+
+beforeEach(() => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'pogen-test-'));
+  server = new MockMcpServer();
+  config = { allowedPaths: [tmpDir] };
+  registerPageObjectGenerate(server as never, config);
+});
+
+afterEach(() => {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
+});
+
+// ── provar.pageobject.generate ─────────────────────────────────────────────────
+
+describe('provar.pageobject.generate', () => {
+  describe('dry_run', () => {
+    it('returns java_source without writing to disk', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'AccountDetailPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.ok(typeof body['java_source'] === 'string' && body['java_source'].length > 0);
+      assert.equal(body['written'], false);
+      assert.equal(body['dry_run'], true);
+    });
+
+    it('does NOT write a file even when output_path is provided', () => {
+      const outPath = path.join(tmpDir, 'AccountDetailPage.java');
+      server.call('provar.pageobject.generate', {
+        class_name: 'AccountDetailPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        output_path: outPath,
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(fs.existsSync(outPath), false, 'file must not be written in dry_run mode');
+    });
+  });
+
+  describe('generated Java source content', () => {
+    it('contains correct class name and package', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'AccountDetailPage',
+        package_name: 'pageobjects.accounts',
+        page_type: 'standard',
+        fields: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const src = parseText(result)['java_source'] as string;
+      assert.ok(src.includes('package pageobjects.accounts;'), 'Expected correct package declaration');
+      assert.ok(src.includes('public class AccountDetailPage'), 'Expected correct class name');
+    });
+
+    it('uses @Page annotation for standard page_type', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'LoginPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        title: 'Login',
+        fields: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const src = parseText(result)['java_source'] as string;
+      assert.ok(src.includes('@Page(title = "Login")'), 'Expected @Page annotation');
+    });
+
+    it('uses @SalesforcePage annotation for salesforce page_type', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'AccountPage',
+        package_name: 'pageobjects',
+        page_type: 'salesforce',
+        connection_name: 'SalesforceOrg',
+        fields: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const src = parseText(result)['java_source'] as string;
+      assert.ok(src.includes('@SalesforcePage('), 'Expected @SalesforcePage annotation');
+      assert.ok(src.includes('connection = "SalesforceOrg"'), 'Expected connection name');
+    });
+
+    it('includes standard imports', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'MyPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const src = parseText(result)['java_source'] as string;
+      assert.ok(src.includes('import com.provar.core.testapi.annotations.*;'));
+      assert.ok(src.includes('import org.openqa.selenium.WebElement;'));
+      assert.ok(src.includes('import org.openqa.selenium.support.FindBy;'));
+    });
+
+    it('generates @FindBy field blocks for provided fields', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'AccountPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [
+          { name: 'accountName', locator_strategy: 'xpath', locator_value: "//input[@name='accountName']", element_type: 'TextType' },
+          { name: 'saveButton',  locator_strategy: 'css',   locator_value: "[data-testid='save']",          element_type: 'ButtonType' },
+        ],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const src = parseText(result)['java_source'] as string;
+      assert.ok(src.includes('@TextType()'), 'Expected @TextType annotation');
+      assert.ok(src.includes('public WebElement accountName;'), 'Expected accountName field');
+      assert.ok(src.includes('@ButtonType()'), 'Expected @ButtonType annotation');
+      assert.ok(src.includes('public WebElement saveButton;'), 'Expected saveButton field');
+    });
+
+    it('emits a TODO comment when no fields are provided', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'EmptyPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const src = parseText(result)['java_source'] as string;
+      assert.ok(src.includes('TODO'), 'Expected TODO placeholder for empty fields');
+    });
+
+    it('defaults title to class_name when title is omitted', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'AccountDetailPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const src = parseText(result)['java_source'] as string;
+      assert.ok(src.includes('"AccountDetailPage"'), 'Expected class_name used as title');
+    });
+  });
+
+  describe('writing to disk', () => {
+    it('writes file when dry_run=false and output_path provided', () => {
+      const outPath = path.join(tmpDir, 'AccountDetailPage.java');
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'AccountDetailPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        output_path: outPath,
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), false);
+      assert.equal(fs.existsSync(outPath), true, 'file should be written');
+      assert.equal(parseText(result)['written'], true);
+    });
+
+    it('does NOT write when dry_run=false but no output_path', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'NoPathPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), false);
+      assert.equal(parseText(result)['written'], false);
+    });
+
+    it('returns FILE_EXISTS when file exists and overwrite=false', () => {
+      const outPath = path.join(tmpDir, 'Existing.java');
+      fs.writeFileSync(outPath, '// old', 'utf-8');
+
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'Existing',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        output_path: outPath,
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(parseText(result)['error_code'], 'FILE_EXISTS');
+    });
+
+    it('overwrites when overwrite=true and file exists', () => {
+      const outPath = path.join(tmpDir, 'Existing.java');
+      fs.writeFileSync(outPath, '// old', 'utf-8');
+
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'Existing',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        output_path: outPath,
+        dry_run: false,
+        overwrite: true,
+      });
+
+      assert.equal(isError(result), false);
+      const content = fs.readFileSync(outPath, 'utf-8');
+      assert.ok(!content.includes('// old'), 'old content should be replaced');
+    });
+
+    it('creates parent directories as needed', () => {
+      const outPath = path.join(tmpDir, 'src', 'main', 'java', 'MyPage.java');
+      server.call('provar.pageobject.generate', {
+        class_name: 'MyPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        output_path: outPath,
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(fs.existsSync(outPath), true, 'nested directories should be created');
+    });
+  });
+
+  describe('path policy', () => {
+    it('returns PATH_NOT_ALLOWED when output_path is outside allowedPaths', () => {
+      const strictServer = new MockMcpServer();
+      registerPageObjectGenerate(strictServer as never, { allowedPaths: [tmpDir] });
+
+      const result = strictServer.call('provar.pageobject.generate', {
+        class_name: 'EvilPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        output_path: path.join(os.tmpdir(), 'evil.java'),
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), true);
+      const code = parseText(result)['error_code'] as string;
+      assert.ok(code === 'PATH_NOT_ALLOWED' || code === 'PATH_TRAVERSAL', `Unexpected: ${code}`);
+    });
+
+    it('does NOT check path policy in dry_run=true mode', () => {
+      const strictServer = new MockMcpServer();
+      registerPageObjectGenerate(strictServer as never, { allowedPaths: [tmpDir] });
+
+      const result = strictServer.call('provar.pageobject.generate', {
+        class_name: 'SafePage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        output_path: '/etc/evil.java',
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), false, 'dry_run should not trigger path check');
+    });
+  });
+
+  describe('idempotency_key', () => {
+    it('echoes back the provided idempotency_key', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'IdempotentPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        idempotency_key: 'my-unique-key-123',
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(parseText(result)['idempotency_key'], 'my-unique-key-123');
+    });
+
+    it('returns undefined idempotency_key when not provided', () => {
+      const result = server.call('provar.pageobject.generate', {
+        class_name: 'NoKeyPage',
+        package_name: 'pageobjects',
+        page_type: 'standard',
+        fields: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(parseText(result)['idempotency_key'], undefined);
+    });
+  });
+});
diff --git a/test/unit/mcp/pageObjectValidate.test.ts b/test/unit/mcp/pageObjectValidate.test.ts
new file mode 100644
index 00000000..81295bad
--- /dev/null
+++ b/test/unit/mcp/pageObjectValidate.test.ts
@@ -0,0 +1,135 @@
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import { validatePageObject } from '../../../src/mcp/tools/pageObjectValidate.js';
+
+const VALID_PO = `package pageobjects;
+
+import com.provar.core.testapi.annotations.*;
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+
+@Page(title = "Account Detail Page")
+public class AccountDetailPage {
+
+    @FindBy(xpath = "//input[@name='accountName']")
+    @TextType()
+    public WebElement accountName;
+
+    @FindBy(css = "[data-testid='save-button']")
+    @ButtonType()
+    public WebElement saveButton;
+
+}`;
+
+describe('validatePageObject', () => {
+  describe('valid Page Object', () => {
+    it('returns is_valid=true and score >= 80', () => {
+      const r = validatePageObject(VALID_PO, 'AccountDetailPage');
+      assert.equal(r.is_valid, true);
+      assert.ok(r.quality_score >= 80, `Expected score >= 80, got ${r.quality_score}`);
+      assert.equal(r.error_count, 0);
+      assert.equal(r.class_name, 'AccountDetailPage');
+      assert.equal(r.package_name, 'pageobjects');
+      assert.equal(r.field_count, 2);
+    });
+  });
+
+  describe('package rules', () => {
+    it('PO_001: flags missing package declaration', () => {
+      const r = validatePageObject('public class MyPage {}');
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_001'), 'Expected PO_001');
+      assert.equal(r.is_valid, false);
+    });
+
+    it('PO_002: flags invalid package name with uppercase', () => {
+      const r = validatePageObject('package PageObjects;\npublic class T {}');
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_002'), 'Expected PO_002');
+    });
+  });
+
+  describe('class rules', () => {
+    it('PO_003: flags missing class declaration', () => {
+      const r = validatePageObject('package pageobjects;');
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_003'), 'Expected PO_003');
+    });
+
+    it('PO_004: flags non-PascalCase class name', () => {
+      const r = validatePageObject('package pageobjects;\npublic class myPage {}');
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_004'), 'Expected PO_004');
+    });
+
+    it('PO_006: flags class name mismatch', () => {
+      const r = validatePageObject(VALID_PO, 'WrongName');
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_006'), 'Expected PO_006');
+    });
+
+    it('PO_060: flags mismatched braces', () => {
+      const r = validatePageObject(
+        'package pageobjects;\n@Page(title="T") public class T {\n// missing close'
+      );
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_060'), 'Expected PO_060');
+    });
+  });
+
+  describe('field / locator rules', () => {
+    it('PO_036: flags CheckboxType (invalid element type)', () => {
+      const src = `package pageobjects;
+import com.provar.core.testapi.annotations.*;
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+@Page(title = "T") public class T {
+    @FindBy(xpath = "//input") @CheckboxType() public WebElement f;
+}`;
+      const r = validatePageObject(src);
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_036'), 'Expected PO_036');
+    });
+
+    it('PO_071: flags absolute XPath /html/...', () => {
+      const src = `package pageobjects;
+import com.provar.core.testapi.annotations.*;
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+@Page(title = "T") public class T {
+    @FindBy(xpath = "/html/body/div[1]/input") @TextType() public WebElement f;
+}`;
+      const r = validatePageObject(src);
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_071'), 'Expected PO_071');
+    });
+
+    it('PO_072: flags indexed XPath [1]', () => {
+      const src = `package pageobjects;
+import com.provar.core.testapi.annotations.*;
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+@Page(title = "T") public class T {
+    @FindBy(xpath = "//div[1]/input") @TextType() public WebElement f;
+}`;
+      const r = validatePageObject(src);
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_072'), 'Expected PO_072');
+    });
+
+    it('PO_073: flags data-aura-rendered-by', () => {
+      const src = `package pageobjects;
+import com.provar.core.testapi.annotations.*;
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+@Page(title = "T") public class T {
+    @FindBy(xpath = "//*[@data-aura-rendered-by='123']") @TextType() public WebElement f;
+}`;
+      const r = validatePageObject(src);
+      assert.ok(r.issues.some((i) => i.rule_id === 'PO_073'), 'Expected PO_073');
+    });
+  });
+
+  describe('score boundaries', () => {
+    it('score is never negative', () => {
+      const r = validatePageObject('// empty file with nothing valid');
+      assert.ok(r.quality_score >= 0);
+    });
+
+    it('score is never above 100', () => {
+      const r = validatePageObject(VALID_PO);
+      assert.ok(r.quality_score <= 100);
+    });
+  });
+});
diff --git a/test/unit/mcp/pathPolicy.test.ts b/test/unit/mcp/pathPolicy.test.ts
new file mode 100644
index 00000000..20afc9fa
--- /dev/null
+++ b/test/unit/mcp/pathPolicy.test.ts
@@ -0,0 +1,100 @@
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, afterEach } from 'mocha';
+import { assertPathAllowed, PathPolicyError } from '../../../src/mcp/security/pathPolicy.js';
+
+const tmp = os.tmpdir();
+
+describe('pathPolicy', () => {
+  it('allows path within allowedPaths', () => {
+    assert.doesNotThrow(() => assertPathAllowed(path.join(tmp, 'foo.java'), [tmp]));
+  });
+
+  it('allows exact match of allowedPath', () => {
+    assert.doesNotThrow(() => assertPathAllowed(tmp, [tmp]));
+  });
+
+  it('allows all paths when allowedPaths is empty', () => {
+    assert.doesNotThrow(() => assertPathAllowed('/any/path', []));
+  });
+
+  it('throws PATH_TRAVERSAL for .. segments', () => {
+    try {
+      assertPathAllowed('/some/path/../etc/passwd', [tmp]);
+      assert.fail('Expected PathPolicyError to be thrown');
+    } catch (e) {
+      assert.ok(e instanceof PathPolicyError, 'Expected PathPolicyError');
+      assert.equal(e.code, 'PATH_TRAVERSAL');
+    }
+  });
+
+  it('throws PATH_NOT_ALLOWED for path outside allowed', () => {
+    try {
+      assertPathAllowed('/etc/passwd', [tmp]);
+      assert.fail('Expected PathPolicyError to be thrown');
+    } catch (e) {
+      assert.ok(e instanceof PathPolicyError, 'Expected PathPolicyError');
+      assert.equal(e.code, 'PATH_NOT_ALLOWED');
+    }
+  });
+
+  it('allows nested paths inside allowedPaths', () => {
+    assert.doesNotThrow(() =>
+      assertPathAllowed(path.join(tmp, 'a', 'b', 'c', 'file.xml'), [tmp])
+    );
+  });
+
+  it('rejects sibling directories that share a prefix', () => {
+    const allowed = path.join(tmp, 'myproject');
+    const sibling = path.join(tmp, 'myproject-evil', 'secret.txt');
+    try {
+      assertPathAllowed(sibling, [allowed]);
+      assert.fail('Expected PathPolicyError to be thrown');
+    } catch (e) {
+      assert.ok(e instanceof PathPolicyError, 'Expected PathPolicyError');
+      assert.equal(e.code, 'PATH_NOT_ALLOWED');
+    }
+  });
+
+  describe('symlink containment', () => {
+    let symlinkDir: string | undefined;
+
+    afterEach(() => {
+      if (symlinkDir) {
+        try { fs.rmSync(symlinkDir, { recursive: true, force: true }); } catch { /* ignore */ }
+      }
+    });
+
+    it('rejects a symlink inside an allowed dir that points outside it', function () {
+      if (process.platform === 'win32') {
+        // Symlink creation on Windows requires elevated privileges in most CI environments
+        this.skip();
+        return;
+      }
+      symlinkDir = fs.mkdtempSync(path.join(tmp, 'pathpolicy-sym-'));
+      const target = path.join(tmp, 'outside-secret.txt');
+      fs.writeFileSync(target, 'secret');
+      const link = path.join(symlinkDir, 'evil-link');
+      fs.symlinkSync(target, link);
+
+      try {
+        assertPathAllowed(link, [symlinkDir]);
+        assert.fail('Expected PathPolicyError to be thrown');
+      } catch (e) {
+        assert.ok(e instanceof PathPolicyError, 'Expected PathPolicyError');
+        assert.equal(e.code, 'PATH_NOT_ALLOWED');
+      } finally {
+        fs.unlinkSync(target);
+      }
+    });
+
+    it('allows a real path inside an allowed dir (not a symlink)', () => {
+      symlinkDir = fs.mkdtempSync(path.join(tmp, 'pathpolicy-real-'));
+      const real = path.join(symlinkDir, 'real-file.txt');
+      fs.writeFileSync(real, 'content');
+      assert.doesNotThrow(() => assertPathAllowed(real, [symlinkDir]));
+    });
+  });
+});
diff --git a/test/unit/mcp/projectValidateFromPath.test.ts b/test/unit/mcp/projectValidateFromPath.test.ts
new file mode 100644
index 00000000..6d6fa204
--- /dev/null
+++ b/test/unit/mcp/projectValidateFromPath.test.ts
@@ -0,0 +1,325 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, beforeEach, afterEach } from 'mocha';
+import { registerProjectValidateFromPath } from '../../../src/mcp/tools/projectValidateFromPath.js';
+import type { ServerConfig } from '../../../src/mcp/server.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// ── Project fixture helpers ────────────────────────────────────────────────────
+
+const TESTPROJECT_XML = `<?xml version="1.0" encoding="UTF-8"?>
+<testProject>
+  <environment name="Dev" url="https://dev.example.com"/>
+  <connection name="SalesforceOrg" type="salesforce"/>
+  <secureStoragePath>.secrets</secureStoragePath>
+</testProject>`;
+
+function makeXml(tcGuid: string, stepGuid: string, id: string): string {
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="${id}" guid="${tcGuid}" registryId="${id}" name="${id}">
+  <steps>
+    <apiCall guid="${stepGuid}" apiId="UiConnect" name="Connect" testItemId="1"/>
+  </steps>
+</testCase>`;
+}
+
+function writeFile(p: string, content: string): void {
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, content, 'utf-8');
+}
+
+const G = {
+  tc1: '550e8400-e29b-41d4-a716-446655440001',
+  s1:  '550e8400-e29b-41d4-a716-446655440011',
+};
+
+/** Build a minimal valid Provar project in the given directory */
+function makeProject(root: string, planName = 'smoke', tcName = 'Login'): void {
+  writeFile(path.join(root, '.testproject'), TESTPROJECT_XML);
+  writeFile(path.join(root, 'tests', `${tcName}.testcase`),
+    makeXml(G.tc1, G.s1, `tc-${tcName.toLowerCase()}`));
+  writeFile(path.join(root, 'plans', planName, `${tcName}.testinstance`),
+    `testCasePath="tests/${tcName}.testcase"\n`);
+}
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+const tempDirs: string[] = [];
+
+function mktemp(): string {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pvfp-test-'));
+  tempDirs.push(dir);
+  return dir;
+}
+
+let server: MockMcpServer;
+let config: ServerConfig;
+let tmpDir: string;
+
+beforeEach(() => {
+  tmpDir = mktemp();
+  server = new MockMcpServer();
+  config = { allowedPaths: [os.tmpdir()] };
+  registerProjectValidateFromPath(server as never, config);
+});
+
+afterEach(() => {
+  for (const dir of tempDirs.splice(0)) {
+    fs.rmSync(dir, { recursive: true, force: true });
+  }
+});
+
+// ── provar.project.validate ────────────────────────────────────────────────────
+
+describe('provar.project.validate (from path)', () => {
+  describe('happy path', () => {
+    it('returns a result (not an error) for a valid project', () => {
+      makeProject(tmpDir);
+      const result = server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: false,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.ok('quality_score' in body, 'Expected quality_score');
+      assert.ok('plans_summary' in body, 'Expected plans_summary in default response');
+      assert.ok(!('plans' in body), 'plans should not appear in default (slim) response');
+    });
+
+    it('quality_score is between 0 and 100', () => {
+      makeProject(tmpDir);
+      const result = server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: false,
+      });
+
+      const score = parseText(result)['quality_score'] as number;
+      assert.ok(score >= 0 && score <= 100, `Expected 0-100, got ${score}`);
+    });
+
+    it('returns requestId in the response', () => {
+      makeProject(tmpDir);
+      const result = server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: false,
+      });
+
+      const body = parseText(result);
+      assert.ok(typeof body['requestId'] === 'string' && body['requestId'].length > 0);
+    });
+  });
+
+  describe('error cases', () => {
+    it('returns NOT_A_PROJECT when .testproject is absent', () => {
+      // Empty temp dir — no .testproject
+      const result = server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(parseText(result)['error_code'], 'NOT_A_PROJECT');
+    });
+
+    it('returns NOT_A_PROJECT even when plans/ exists but .testproject is absent', () => {
+      fs.mkdirSync(path.join(tmpDir, 'plans'), { recursive: true });
+      const result = server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(parseText(result)['error_code'], 'NOT_A_PROJECT');
+    });
+
+    it('returns PATH_NOT_ALLOWED for project_path outside allowedPaths', () => {
+      const strictServer = new MockMcpServer();
+      registerProjectValidateFromPath(strictServer as never, { allowedPaths: [tmpDir] });
+
+      const result = strictServer.call('provar.project.validate', {
+        project_path: '/etc',
+        save_results: false,
+      });
+
+      assert.equal(isError(result), true);
+      const code = parseText(result)['error_code'] as string;
+      assert.ok(code === 'PATH_NOT_ALLOWED' || code === 'PATH_TRAVERSAL', `Unexpected: ${code}`);
+    });
+
+    it('returns PATH_NOT_ALLOWED for results_dir outside allowedPaths', () => {
+      makeProject(tmpDir);
+      const strictServer = new MockMcpServer();
+      registerProjectValidateFromPath(strictServer as never, { allowedPaths: [tmpDir] });
+
+      const result = strictServer.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: true,
+        results_dir: '/etc/evil-results',
+      });
+
+      assert.equal(isError(result), true);
+      const code = parseText(result)['error_code'] as string;
+      assert.ok(code === 'PATH_NOT_ALLOWED' || code === 'PATH_TRAVERSAL', `Unexpected: ${code}`);
+    });
+  });
+
+  describe('save_results', () => {
+    it('does NOT write a results file when save_results=false', () => {
+      makeProject(tmpDir);
+      server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: false,
+      });
+
+      const defaultResultsDir = path.join(tmpDir, 'provardx', 'validation');
+      const exists = fs.existsSync(defaultResultsDir) &&
+        fs.readdirSync(defaultResultsDir).length > 0;
+      assert.equal(exists, false, 'No results file should be written when save_results=false');
+    });
+
+    it('writes a results file to default location when save_results=true', () => {
+      makeProject(tmpDir);
+      server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: true,
+      });
+
+      const defaultResultsDir = path.join(tmpDir, 'provardx', 'validation');
+      assert.equal(fs.existsSync(defaultResultsDir), true, 'Results directory should be created');
+      const files = fs.readdirSync(defaultResultsDir);
+      assert.ok(files.length > 0, 'At least one results file should be written');
+    });
+
+    it('writes results to a custom results_dir when provided', () => {
+      makeProject(tmpDir);
+      const customResultsDir = path.join(tmpDir, 'my-results');
+
+      server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: true,
+        results_dir: customResultsDir,
+      });
+
+      assert.equal(fs.existsSync(customResultsDir), true, 'Custom results dir should be created');
+      const files = fs.readdirSync(customResultsDir);
+      assert.ok(files.length > 0, 'Results file should be written to custom dir');
+    });
+  });
+
+  describe('quality_threshold', () => {
+    it('accepts a custom quality_threshold', () => {
+      makeProject(tmpDir);
+      const result = server.call('provar.project.validate', {
+        project_path: tmpDir,
+        quality_threshold: 90,
+        save_results: false,
+      });
+
+      assert.equal(isError(result), false);
+    });
+  });
+
+  describe('include_plan_details', () => {
+    it('default response uses plans_summary not plans', () => {
+      makeProject(tmpDir);
+      const result = server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: false,
+      });
+      const body = parseText(result);
+      assert.ok('plans_summary' in body, 'slim response should have plans_summary');
+      assert.ok(!('plans' in body), 'slim response should not have plans');
+      assert.ok('hint' in body, 'slim response should have hint');
+    });
+
+    it('include_plan_details:true returns full plans array', () => {
+      makeProject(tmpDir);
+      const result = server.call('provar.project.validate', {
+        project_path: tmpDir,
+        save_results: false,
+        include_plan_details: true,
+      });
+      const body = parseText(result);
+      assert.ok('plans' in body, 'detailed response should have plans');
+      assert.ok(!('plans_summary' in body), 'detailed response should not have plans_summary');
+    });
+
+    it('plans_summary entries have name, quality_score, suite_count, test_case_count', () => {
+      makeProject(tmpDir);
+      const result = server.call('provar.project.validate', { project_path: tmpDir, save_results: false });
+      const body = parseText(result);
+      const plansSummary = body['plans_summary'] as Array<Record<string, unknown>>;
+      assert.ok(Array.isArray(plansSummary));
+      if (plansSummary.length > 0) {
+        const plan = plansSummary[0];
+        assert.ok('name' in plan, 'plan_summary should have name');
+        assert.ok('quality_score' in plan, 'plan_summary should have quality_score');
+        assert.ok('suite_count' in plan, 'plan_summary should have suite_count');
+        assert.ok('test_case_count' in plan, 'plan_summary should have test_case_count');
+        assert.ok('violation_count' in plan, 'plan_summary should have violation_count');
+      }
+    });
+  });
+
+  describe('max_uncovered', () => {
+    it('uncovered_test_cases is truncated to max_uncovered', () => {
+      // Make project with 3 test cases but only 1 in a plan → 2 uncovered
+      const root = mktemp();
+      writeFile(path.join(root, '.testproject'), TESTPROJECT_XML);
+      for (const name of ['Login', 'Logout', 'Search']) {
+        writeFile(path.join(root, 'tests', `${name}.testcase`), makeXml(G.tc1, G.s1, `tc-${name.toLowerCase()}`));
+      }
+      writeFile(path.join(root, 'plans', 'smoke', 'Login.testinstance'), 'testCasePath="tests/Login.testcase"\n');
+
+      const result = server.call('provar.project.validate', {
+        project_path: root,
+        save_results: false,
+        max_uncovered: 1,
+      });
+      const body = parseText(result);
+      const coverage = body['coverage'] as Record<string, unknown>;
+      const uncovered = coverage['uncovered_test_cases'] as string[];
+      assert.ok(uncovered.length <= 1, 'Should be truncated to max_uncovered=1');
+      assert.equal(coverage['uncovered_truncated'], true);
+    });
+  });
+});
diff --git a/test/unit/mcp/propertiesTools.test.ts b/test/unit/mcp/propertiesTools.test.ts
new file mode 100644
index 00000000..9400970d
--- /dev/null
+++ b/test/unit/mcp/propertiesTools.test.ts
@@ -0,0 +1,451 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, beforeEach, afterEach } from 'mocha';
+import {
+  registerPropertiesGenerate,
+  registerPropertiesRead,
+  registerPropertiesSet,
+  registerPropertiesValidate,
+} from '../../../src/mcp/tools/propertiesTools.js';
+import type { ServerConfig } from '../../../src/mcp/server.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  // Matches the McpServer.tool() overload used in propertiesTools.ts
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+/** Minimal valid properties object (passes validateProperties with no errors). */
+function validProps(): Record<string, unknown> {
+  return {
+    provarHome: '/opt/provar',
+    projectPath: '/projects/my-project',
+    resultsPath: '/results',
+    resultsPathDisposition: 'Replace',
+    testOutputLevel: 'BASIC',
+    pluginOutputlevel: 'WARNING',
+    metadata: {
+      metadataLevel: 'Reuse',
+      cachePath: '/results/metadata',
+    },
+    environment: {
+      testEnvironment: 'default',
+      webBrowser: 'Chrome_Headless',
+      webBrowserConfig: 'default',
+      webBrowserProviderName: 'Desktop',
+      webBrowserDeviceName: 'Full HD',
+    },
+  };
+}
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+let tmpDir: string;
+let server: MockMcpServer;
+let config: ServerConfig;
+
+beforeEach(() => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'props-test-'));
+  server = new MockMcpServer();
+  config = { allowedPaths: [tmpDir] };
+
+  registerPropertiesGenerate(server as never, config);
+  registerPropertiesRead(server as never, config);
+  registerPropertiesSet(server as never, config);
+  registerPropertiesValidate(server as never, config);
+});
+
+afterEach(() => {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
+});
+
+// ── provar.properties.generate ────────────────────────────────────────────────
+
+describe('provar.properties.generate', () => {
+  it('dry_run returns content without writing to disk', () => {
+    const outPath = path.join(tmpDir, 'dry.json');
+    const result = server.call('provar.properties.generate', { output_path: outPath, dry_run: true });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.equal(body['written'], false);
+    assert.equal(body['dry_run'], true);
+    assert.ok(body['content'], 'content should be present');
+    assert.equal(fs.existsSync(outPath), false, 'file must not be written in dry_run mode');
+  });
+
+  it('writes file to disk when dry_run is false', () => {
+    const outPath = path.join(tmpDir, 'props.json');
+    const result = server.call('provar.properties.generate', { output_path: outPath, dry_run: false });
+
+    assert.equal(isError(result), false);
+    assert.equal(fs.existsSync(outPath), true, 'file should be written');
+    const body = parseText(result);
+    assert.equal(body['written'], true);
+  });
+
+  it('pre-fills projectPath and provarHome when provided', () => {
+    const outPath = path.join(tmpDir, 'pre-filled.json');
+    server.call('provar.properties.generate', {
+      output_path: outPath,
+      project_path: '/my/project',
+      provar_home: '/opt/provar',
+      dry_run: false,
+    });
+
+    const written = JSON.parse(fs.readFileSync(outPath, 'utf-8')) as Record<string, unknown>;
+    assert.equal(written['projectPath'], '/my/project');
+    assert.equal(written['provarHome'], '/opt/provar');
+  });
+
+  it('returns FILE_EXISTS when file already exists and overwrite=false', () => {
+    const outPath = path.join(tmpDir, 'existing.json');
+    fs.writeFileSync(outPath, '{}', 'utf-8');
+
+    const result = server.call('provar.properties.generate', { output_path: outPath, overwrite: false });
+
+    assert.equal(isError(result), true);
+    const body = parseText(result);
+    assert.equal(body['error_code'], 'FILE_EXISTS');
+  });
+
+  it('overwrites when overwrite=true and file exists', () => {
+    const outPath = path.join(tmpDir, 'overwrite.json');
+    fs.writeFileSync(outPath, '{"old":true}', 'utf-8');
+
+    const result = server.call('provar.properties.generate', { output_path: outPath, overwrite: true });
+
+    assert.equal(isError(result), false);
+    const written = JSON.parse(fs.readFileSync(outPath, 'utf-8')) as Record<string, unknown>;
+    assert.ok(!('old' in written), 'old content should be replaced');
+  });
+
+  it('includes next_steps hint after writing the file', () => {
+    const outPath = path.join(tmpDir, 'props-nextsteps.json');
+    const result = server.call('provar.properties.generate', { output_path: outPath, dry_run: false });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.ok(typeof body['next_steps'] === 'string', 'next_steps should be present');
+    assert.ok(body['next_steps'].includes('provar.automation.config.load'), 'next_steps should mention config.load');
+  });
+
+  it('includes next_steps hint even on dry_run', () => {
+    const outPath = path.join(tmpDir, 'props-dry.json');
+    const result = server.call('provar.properties.generate', { output_path: outPath, dry_run: true });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.ok(typeof body['next_steps'] === 'string');
+    assert.ok(body['next_steps'].includes('provar.automation.config.load'));
+  });
+
+  it('returns INVALID_PATH when output_path does not end with .json', () => {
+    const outPath = path.join(tmpDir, 'props.txt');
+    const result = server.call('provar.properties.generate', { output_path: outPath, dry_run: true });
+
+    assert.equal(isError(result), true);
+    const body = parseText(result);
+    assert.equal(body['error_code'], 'INVALID_PATH');
+  });
+
+  it('returns PATH_NOT_ALLOWED when path is outside allowedPaths', () => {
+    const outPath = path.join(os.tmpdir(), 'escape.json');
+    // Recreate server with a strict allowed path that does not include os.tmpdir() itself
+    const strictConfig: ServerConfig = { allowedPaths: [tmpDir] };
+    const strictServer = new MockMcpServer();
+    registerPropertiesGenerate(strictServer as never, strictConfig);
+
+    // outPath resolves to os.tmpdir()/escape.json — outside tmpDir
+    const result = strictServer.call('provar.properties.generate', { output_path: outPath, dry_run: true });
+
+    assert.equal(isError(result), true);
+    const body = parseText(result);
+    assert.ok(
+      body['error_code'] === 'PATH_NOT_ALLOWED' || body['error_code'] === 'PATH_TRAVERSAL',
+      `Unexpected error_code: ${body['error_code'] as string}`
+    );
+  });
+});
+
+// ── provar.properties.read ────────────────────────────────────────────────────
+
+describe('provar.properties.read', () => {
+  it('returns parsed content for a valid JSON file', () => {
+    const filePath = path.join(tmpDir, 'props.json');
+    const props = { provarHome: '/opt/provar', projectPath: '/proj' };
+    fs.writeFileSync(filePath, JSON.stringify(props), 'utf-8');
+
+    const result = server.call('provar.properties.read', { file_path: filePath });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    const content = body['content'] as Record<string, unknown>;
+    assert.equal(content['provarHome'], '/opt/provar');
+    assert.equal(content['projectPath'], '/proj');
+  });
+
+  it('returns FILE_NOT_FOUND when file does not exist', () => {
+    const result = server.call('provar.properties.read', {
+      file_path: path.join(tmpDir, 'missing.json'),
+    });
+
+    assert.equal(isError(result), true);
+    assert.equal(parseText(result)['error_code'], 'FILE_NOT_FOUND');
+  });
+
+  it('returns MALFORMED_JSON when file contains invalid JSON', () => {
+    const filePath = path.join(tmpDir, 'bad.json');
+    fs.writeFileSync(filePath, '{ not valid json }', 'utf-8');
+
+    const result = server.call('provar.properties.read', { file_path: filePath });
+
+    assert.equal(isError(result), true);
+    assert.equal(parseText(result)['error_code'], 'MALFORMED_JSON');
+  });
+
+  it('returns PATH_NOT_ALLOWED for path outside allowedPaths', () => {
+    const strictServer = new MockMcpServer();
+    registerPropertiesRead(strictServer as never, { allowedPaths: [tmpDir] });
+
+    const result = strictServer.call('provar.properties.read', {
+      file_path: '/etc/passwd',
+    });
+
+    assert.equal(isError(result), true);
+    const code = parseText(result)['error_code'] as string;
+    assert.ok(code === 'PATH_NOT_ALLOWED' || code === 'PATH_TRAVERSAL', `Unexpected: ${code}`);
+  });
+});
+
+// ── provar.properties.set ─────────────────────────────────────────────────────
+
+describe('provar.properties.set', () => {
+  it('partial update preserves unmodified fields (deep merge)', () => {
+    const filePath = path.join(tmpDir, 'props.json');
+    const initial = {
+      provarHome: '/opt/provar',
+      projectPath: '/proj',
+      environment: { webBrowser: 'Chrome', webBrowserConfig: 'default', webBrowserProviderName: 'Desktop', webBrowserDeviceName: 'HD' },
+    };
+    fs.writeFileSync(filePath, JSON.stringify(initial, null, 2), 'utf-8');
+
+    const result = server.call('provar.properties.set', {
+      file_path: filePath,
+      updates: { provarHome: '/opt/provar-2' },
+    });
+
+    assert.equal(isError(result), false);
+    const written = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as Record<string, unknown>;
+    assert.equal(written['provarHome'], '/opt/provar-2');
+    assert.equal(written['projectPath'], '/proj', 'projectPath must be preserved');
+  });
+
+  it('deep merges environment object — does not replace sibling keys', () => {
+    const filePath = path.join(tmpDir, 'env.json');
+    const initial = {
+      provarHome: '/provar',
+      environment: {
+        webBrowser: 'Chrome',
+        webBrowserConfig: 'old-config',
+        webBrowserProviderName: 'Desktop',
+        webBrowserDeviceName: 'HD',
+      },
+    };
+    fs.writeFileSync(filePath, JSON.stringify(initial, null, 2), 'utf-8');
+
+    server.call('provar.properties.set', {
+      file_path: filePath,
+      updates: { environment: { webBrowser: 'Firefox' } },
+    });
+
+    const written = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as Record<string, unknown>;
+    const env = written['environment'] as Record<string, unknown>;
+    assert.equal(env['webBrowser'], 'Firefox');
+    assert.equal(env['webBrowserConfig'], 'old-config', 'sibling key must be preserved via deep merge');
+  });
+
+  it('array fields replace the existing value entirely', () => {
+    const filePath = path.join(tmpDir, 'arrays.json');
+    fs.writeFileSync(
+      filePath,
+      JSON.stringify({ provarHome: '/provar', testCase: ['old/test1.testcase'] }, null, 2),
+      'utf-8'
+    );
+
+    server.call('provar.properties.set', {
+      file_path: filePath,
+      updates: { testCase: ['new/test2.testcase'] },
+    });
+
+    const written = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as Record<string, unknown>;
+    assert.deepEqual(written['testCase'], ['new/test2.testcase']);
+  });
+
+  it('returns FILE_NOT_FOUND when file does not exist', () => {
+    const result = server.call('provar.properties.set', {
+      file_path: path.join(tmpDir, 'ghost.json'),
+      updates: { provarHome: '/x' },
+    });
+
+    assert.equal(isError(result), true);
+    assert.equal(parseText(result)['error_code'], 'FILE_NOT_FOUND');
+  });
+
+  it('returns PATH_NOT_ALLOWED for path outside allowedPaths', () => {
+    const strictServer = new MockMcpServer();
+    registerPropertiesSet(strictServer as never, { allowedPaths: [tmpDir] });
+
+    const result = strictServer.call('provar.properties.set', {
+      file_path: '/etc/hosts',
+      updates: { provarHome: '/evil' },
+    });
+
+    assert.equal(isError(result), true);
+    const code = parseText(result)['error_code'] as string;
+    assert.ok(code === 'PATH_NOT_ALLOWED' || code === 'PATH_TRAVERSAL', `Unexpected: ${code}`);
+  });
+});
+
+// ── provar.properties.validate ────────────────────────────────────────────────
+
+describe('provar.properties.validate', () => {
+  it('is_valid=true for a fully-populated valid properties object (inline content)', () => {
+    const result = server.call('provar.properties.validate', {
+      content: JSON.stringify(validProps()),
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.equal(body['is_valid'], true);
+    assert.equal(body['error_count'], 0);
+  });
+
+  it('reports error for missing required field provarHome', () => {
+    const props = validProps();
+    delete props['provarHome'];
+
+    const result = server.call('provar.properties.validate', { content: JSON.stringify(props) });
+
+    const body = parseText(result);
+    assert.equal(body['is_valid'], false);
+    const errors = body['errors'] as Array<{ field: string }>;
+    assert.ok(errors.some((e) => e.field === 'provarHome'), 'Expected error for provarHome');
+  });
+
+  it('reports warning for placeholder value ${PROVAR_HOME}', () => {
+    const props = validProps();
+    props['provarHome'] = '${PROVAR_HOME}';
+
+    const result = server.call('provar.properties.validate', { content: JSON.stringify(props) });
+
+    const body = parseText(result);
+    assert.ok((body['warning_count'] as number) > 0, 'Expected at least one warning');
+    const warnings = body['warnings'] as Array<{ field: string; severity: string }>;
+    assert.ok(
+      warnings.some((w) => w.field === 'provarHome' && w.severity === 'warning'),
+      'Expected a warning for provarHome placeholder'
+    );
+  });
+
+  it('accepts inline content without file_path', () => {
+    const result = server.call('provar.properties.validate', {
+      content: JSON.stringify(validProps()),
+    });
+    assert.equal(isError(result), false);
+    assert.equal((parseText(result) as { is_valid: boolean })['is_valid'], true);
+  });
+
+  it('validates via file_path when provided', () => {
+    const filePath = path.join(tmpDir, 'valid.json');
+    fs.writeFileSync(filePath, JSON.stringify(validProps()), 'utf-8');
+
+    const result = server.call('provar.properties.validate', { file_path: filePath });
+
+    assert.equal(isError(result), false);
+    assert.equal((parseText(result) as { is_valid: boolean })['is_valid'], true);
+  });
+
+  it('returns MISSING_INPUT when neither file_path nor content is provided', () => {
+    const result = server.call('provar.properties.validate', {});
+
+    assert.equal(isError(result), true);
+    assert.equal(parseText(result)['error_code'], 'MISSING_INPUT');
+  });
+
+  it('returns FILE_NOT_FOUND when file_path points to a missing file', () => {
+    const result = server.call('provar.properties.validate', {
+      file_path: path.join(tmpDir, 'nope.json'),
+    });
+
+    assert.equal(isError(result), true);
+    assert.equal(parseText(result)['error_code'], 'FILE_NOT_FOUND');
+  });
+
+  it('returns is_valid=false with root-level error for malformed JSON content', () => {
+    const result = server.call('provar.properties.validate', { content: '{ broken json' });
+
+    assert.equal(isError(result), false, 'validate returns a result, not an error response');
+    const body = parseText(result);
+    assert.equal(body['is_valid'], false);
+    assert.equal(body['error_count'], 1);
+  });
+
+  it('flags invalid webBrowser enum value', () => {
+    const props = validProps();
+    (props['environment'] as Record<string, unknown>)['webBrowser'] = 'Netscape';
+
+    const result = server.call('provar.properties.validate', { content: JSON.stringify(props) });
+
+    const body = parseText(result);
+    assert.equal(body['is_valid'], false);
+    const errors = body['errors'] as Array<{ field: string }>;
+    assert.ok(errors.some((e) => e.field === 'environment.webBrowser'), 'Expected error on environment.webBrowser');
+  });
+
+  it('flags invalid metadataLevel enum value', () => {
+    const props = validProps();
+    (props['metadata'] as Record<string, unknown>)['metadataLevel'] = 'Nuke';
+
+    const result = server.call('provar.properties.validate', { content: JSON.stringify(props) });
+
+    const body = parseText(result);
+    assert.equal(body['is_valid'], false);
+    const errors = body['errors'] as Array<{ field: string }>;
+    assert.ok(errors.some((e) => e.field === 'metadata.metadataLevel'), 'Expected error on metadata.metadataLevel');
+  });
+});
diff --git a/test/unit/mcp/qualityHubTools.test.ts b/test/unit/mcp/qualityHubTools.test.ts
new file mode 100644
index 00000000..4ff63842
--- /dev/null
+++ b/test/unit/mcp/qualityHubTools.test.ts
@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+/* eslint-disable camelcase */
+
+import { strict as assert } from 'node:assert';
+import sinon from 'sinon';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { sfSpawnHelper } from '../../../src/mcp/tools/sfSpawn.js';
+
+// ── Minimal mock server ───────────────────────────────────────────────────────
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _desc: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+function makeSpawnResult(stdout: string, stderr: string, status: number): { stdout: string; stderr: string; status: number; error: undefined; pid: number; output: never[]; signal: null } {
+  return { stdout, stderr, status, error: undefined, pid: 1, output: [], signal: null };
+}
+
+function makeEnoentResult(): { stdout: string; stderr: string; status: null; error: Error & { code: string }; pid: undefined; output: never[]; signal: null } {
+  const err = Object.assign(new Error('spawn sf ENOENT'), { code: 'ENOENT' });
+  return { stdout: '', stderr: '', status: null, error: err, pid: undefined, output: [], signal: null };
+}
+
+function parseBody(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// ── Tests ─────────────────────────────────────────────────────────────────────
+
+describe('qualityHubTools', () => {
+  let server: MockMcpServer;
+  let spawnStub: sinon.SinonStub;
+
+  beforeEach(async () => {
+    server = new MockMcpServer();
+    spawnStub = sinon.stub(sfSpawnHelper, 'spawnSync');
+
+    const { registerAllQualityHubTools } = await import('../../../src/mcp/tools/qualityHubTools.js');
+    registerAllQualityHubTools(server as unknown as McpServer);
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  // ── provar.qualityhub.connect ───────────────────────────────────────────────
+
+  describe('provar.qualityhub.connect', () => {
+    it('passes correct args to sf and returns stdout on success', () => {
+      spawnStub.returns(makeSpawnResult('{"status":0}', '', 0));
+
+      const result = server.call('provar.qualityhub.connect', { target_org: 'myorg', flags: [] });
+      const body = parseBody(result);
+
+      assert.equal(body.exitCode, 0);
+      assert.equal(body.stdout, '{"status":0}');
+
+      const [cmd, args] = spawnStub.firstCall.args as [string, string[]];
+      assert.equal(cmd, 'sf');
+      assert.deepEqual(args, ['provar', 'quality-hub', 'connect', '--target-org', 'myorg']);
+    });
+
+    it('forwards extra flags', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+      server.call('provar.qualityhub.connect', { target_org: 'myorg', flags: ['--json'] });
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('--json'));
+    });
+
+    it('returns isError when exit code is non-zero', () => {
+      spawnStub.returns(makeSpawnResult('', 'bad credentials', 1));
+      const result = server.call('provar.qualityhub.connect', { target_org: 'myorg', flags: [] });
+      assert.ok(isError(result));
+      const body = parseBody(result);
+      assert.equal(body.error_code, 'QH_CONNECT_FAILED');
+    });
+
+    it('returns SF_NOT_FOUND when sf is not in PATH', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.qualityhub.connect', { target_org: 'myorg', flags: [] });
+      assert.ok(isError(result));
+      const body = parseBody(result);
+      assert.equal(body.error_code, 'SF_NOT_FOUND');
+      assert.ok((body.message as string).includes('npm install -g @salesforce/cli'));
+    });
+  });
+
+  // ── provar.qualityhub.display ───────────────────────────────────────────────
+
+  describe('provar.qualityhub.display', () => {
+    it('calls sf with display args on success', () => {
+      spawnStub.returns(makeSpawnResult('display output', '', 0));
+      const result = server.call('provar.qualityhub.display', { target_org: 'myorg', flags: [] });
+      const body = parseBody(result);
+      assert.equal(body.exitCode, 0);
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('quality-hub'));
+      assert.ok(args.includes('display'));
+    });
+
+    it('omits --target-org when target_org not provided', () => {
+      spawnStub.returns(makeSpawnResult('ok', '', 0));
+      server.call('provar.qualityhub.display', { target_org: undefined, flags: [] });
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(!args.includes('--target-org'));
+    });
+
+    it('returns isError on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'error', 1));
+      const result = server.call('provar.qualityhub.display', { flags: [] });
+      assert.ok(isError(result));
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.qualityhub.display', { flags: [] });
+      const body = parseBody(result);
+      assert.equal(body.error_code, 'SF_NOT_FOUND');
+    });
+  });
+
+  // ── provar.qualityhub.testrun ───────────────────────────────────────────────
+
+  describe('provar.qualityhub.testrun', () => {
+    it('passes correct args and returns success', () => {
+      spawnStub.returns(makeSpawnResult('run started', '', 0));
+      const result = server.call('provar.qualityhub.testrun', { target_org: 'myorg', flags: [] });
+      const body = parseBody(result);
+      assert.equal(body.exitCode, 0);
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.deepEqual(args, ['provar', 'quality-hub', 'test', 'run', '--target-org', 'myorg']);
+    });
+
+    it('returns QH_TESTRUN_FAILED on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'run failed', 1));
+      const result = server.call('provar.qualityhub.testrun', { target_org: 'myorg', flags: [] });
+      assert.ok(isError(result));
+      assert.equal(parseBody(result).error_code, 'QH_TESTRUN_FAILED');
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.qualityhub.testrun', { target_org: 'myorg', flags: [] });
+      assert.equal(parseBody(result).error_code, 'SF_NOT_FOUND');
+    });
+  });
+
+  // ── provar.qualityhub.testrun.report ─────────────────────────────────────────
+
+  describe('provar.qualityhub.testrun.report', () => {
+    it('passes run_id in args', () => {
+      spawnStub.returns(makeSpawnResult('{"status":"running"}', '', 0));
+      server.call('provar.qualityhub.testrun.report', { target_org: 'myorg', run_id: 'abc-123', flags: [] });
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('--run-id'));
+      assert.ok(args.includes('abc-123'));
+    });
+
+    it('returns QH_REPORT_FAILED on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'not found', 1));
+      const result = server.call('provar.qualityhub.testrun.report', { target_org: 'myorg', run_id: 'abc-123', flags: [] });
+      assert.ok(isError(result));
+      assert.equal(parseBody(result).error_code, 'QH_REPORT_FAILED');
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.qualityhub.testrun.report', { target_org: 'myorg', run_id: 'abc-123', flags: [] });
+      assert.equal(parseBody(result).error_code, 'SF_NOT_FOUND');
+    });
+  });
+
+  // ── provar.qualityhub.testrun.abort ──────────────────────────────────────────
+
+  describe('provar.qualityhub.testrun.abort', () => {
+    it('passes run_id and abort subcommand', () => {
+      spawnStub.returns(makeSpawnResult('aborted', '', 0));
+      server.call('provar.qualityhub.testrun.abort', { target_org: 'myorg', run_id: 'abc-123', flags: [] });
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('abort'));
+      assert.ok(args.includes('abc-123'));
+    });
+
+    it('returns QH_ABORT_FAILED on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'abort failed', 1));
+      const result = server.call('provar.qualityhub.testrun.abort', { target_org: 'myorg', run_id: 'abc-123', flags: [] });
+      assert.ok(isError(result));
+      assert.equal(parseBody(result).error_code, 'QH_ABORT_FAILED');
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.qualityhub.testrun.abort', { target_org: 'myorg', run_id: 'abc-123', flags: [] });
+      assert.equal(parseBody(result).error_code, 'SF_NOT_FOUND');
+    });
+  });
+
+  // ── provar.qualityhub.testcase.retrieve ──────────────────────────────────────
+
+  describe('provar.qualityhub.testcase.retrieve', () => {
+    it('calls sf with testcase retrieve args', () => {
+      spawnStub.returns(makeSpawnResult('[]', '', 0));
+      const result = server.call('provar.qualityhub.testcase.retrieve', { target_org: 'myorg', flags: ['--user-story', 'US-1'] });
+      const body = parseBody(result);
+      assert.equal(body.exitCode, 0);
+      const args = spawnStub.firstCall.args[1] as string[];
+      assert.ok(args.includes('testcase'));
+      assert.ok(args.includes('retrieve'));
+      assert.ok(args.includes('US-1'));
+    });
+
+    it('returns QH_RETRIEVE_FAILED on non-zero exit', () => {
+      spawnStub.returns(makeSpawnResult('', 'no records', 1));
+      const result = server.call('provar.qualityhub.testcase.retrieve', { target_org: 'myorg', flags: [] });
+      assert.ok(isError(result));
+      assert.equal(parseBody(result).error_code, 'QH_RETRIEVE_FAILED');
+    });
+
+    it('returns SF_NOT_FOUND on ENOENT', () => {
+      spawnStub.returns(makeEnoentResult());
+      const result = server.call('provar.qualityhub.testcase.retrieve', { target_org: 'myorg', flags: [] });
+      assert.equal(parseBody(result).error_code, 'SF_NOT_FOUND');
+    });
+  });
+});
diff --git a/test/unit/mcp/rcaTools.test.ts b/test/unit/mcp/rcaTools.test.ts
new file mode 100644
index 00000000..a12c2bcc
--- /dev/null
+++ b/test/unit/mcp/rcaTools.test.ts
@@ -0,0 +1,508 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, beforeEach, afterEach } from 'mocha';
+import { registerTestRunLocate, registerTestRunRca } from '../../../src/mcp/tools/rcaTools.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// ── JUnit.xml fixture ─────────────────────────────────────────────────────────
+
+const JUNIT_XML = `<?xml version="1.0" encoding="UTF-8"?>
+<testsuites>
+  <testsuite name="MyProject/tests/Suite1" tests="3" failures="1" errors="0" skipped="1" time="45.2">
+    <testcase name="LoginTest.testcase" classname="tests/C:/my/project" time="12.3"/>
+    <testcase name="SearchTest.testcase" classname="tests/C:/my/project" time="8.5">
+      <failure message="Execution failed">The Operation failed. Page Object: pageobjects.provar__SearchPage, operation: clickSearch, cause: [NoSuchElementException: Unable to locate element]</failure>
+    </testcase>
+    <testcase name="DataTest.testcase" classname="tests/C:/my/project" time="0.1">
+      <skipped/>
+    </testcase>
+  </testsuite>
+</testsuites>`;
+
+const DRIVER_VERSION_JUNIT_XML = `<?xml version="1.0" encoding="UTF-8"?>
+<testsuites>
+  <testsuite name="Suite1" tests="1" failures="1" errors="0" skipped="0" time="5.0">
+    <testcase name="BrowserTest.testcase">
+      <failure message="Session not created">SessionNotCreatedException: Chrome version must be between 114 and 120</failure>
+    </testcase>
+  </testsuite>
+</testsuites>`;
+
+const UNKNOWN_JUNIT_XML = `<?xml version="1.0" encoding="UTF-8"?>
+<testsuites>
+  <testsuite name="Suite1" tests="1" failures="1" errors="0" skipped="0" time="3.0">
+    <testcase name="WeirdTest.testcase">
+      <failure message="Unknown error">Something completely unrecognised happened XYZ_BANANA</failure>
+    </testcase>
+  </testsuite>
+</testsuites>`;
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+let tmpDir: string;
+let server: MockMcpServer;
+
+beforeEach(() => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'rcatools-test-'));
+  server = new MockMcpServer();
+  registerTestRunLocate(server as never);
+  registerTestRunRca(server as never);
+});
+
+afterEach(() => {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
+});
+
+// ── Helpers to build fixture dirs ─────────────────────────────────────────────
+
+function makeResultsDir(base: string, junit?: string): string {
+  fs.mkdirSync(base, { recursive: true });
+  if (junit !== undefined) {
+    fs.writeFileSync(path.join(base, 'JUnit.xml'), junit, 'utf-8');
+  }
+  return base;
+}
+
+function makeIncrementDir(base: string, index: number, junit?: string): string {
+  const dir = path.join(base, String(index));
+  return makeResultsDir(dir, junit);
+}
+
+// ── provar.testrun.report.locate ───────────────────────────────────────────────
+
+describe('provar.testrun.report.locate', () => {
+  // Test 1: explicit results_path → returns correct paths
+  it('with explicit results_path returns correct paths', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), JUNIT_XML);
+
+    const result = server.call('provar.testrun.report.locate', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.equal(body['results_dir'], resultsDir);
+    assert.ok(typeof body['junit_xml'] === 'string' && body['junit_xml'].endsWith('JUnit.xml'));
+    assert.equal(body['resolution_source'], 'explicit');
+    assert.equal(body['run_index'], null);
+  });
+
+  // Test 2: Increment dir structure → detects highest run
+  it('with Increment dir structure detects the highest run', () => {
+    const resultsBase = path.join(tmpDir, 'Results');
+    makeIncrementDir(resultsBase, 1);
+    makeIncrementDir(resultsBase, 2, JUNIT_XML);
+    makeIncrementDir(resultsBase, 3, JUNIT_XML);
+
+    const result = server.call('provar.testrun.report.locate', {
+      project_path: tmpDir,
+      results_path: resultsBase,
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.equal(body['run_index'], 3);
+    assert.ok((body['results_dir'] as string).endsWith('3'));
+  });
+
+  // Test 3: run_index → uses that specific index
+  it('with run_index uses that specific index', () => {
+    const resultsBase = path.join(tmpDir, 'Results');
+    makeIncrementDir(resultsBase, 1, JUNIT_XML);
+    makeIncrementDir(resultsBase, 2, JUNIT_XML);
+    makeIncrementDir(resultsBase, 5, JUNIT_XML);
+
+    const result = server.call('provar.testrun.report.locate', {
+      project_path: tmpDir,
+      results_path: resultsBase,
+      run_index: 2,
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.equal(body['run_index'], 2);
+    assert.ok((body['results_dir'] as string).endsWith('2'));
+  });
+
+  // Test 4: auto-detects results via provardx-properties*.json scan in project_path
+  // (tests step 3 of resolution — scans top-level for matching filename)
+  it('auto-detects results via provardx-properties*.json scan when results_path omitted', () => {
+    // Set up results dir
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), JUNIT_XML);
+
+    // Create a project directory that explicitly lacks sf_config (we provide no
+    // results_path, and rely on the properties file scan by placing the file there).
+    // We use a project under tmpDir where no sf_config interference matters because
+    // we assert the resolved results_dir matches — if sf_config fires first it would
+    // return a DIFFERENT resultsDir (the real one from ~/.sf).  We assert the result
+    // is non-error AND that results_dir equals our fixture dir.
+    // To guarantee the properties file path wins, supply it explicitly via results_path
+    // so that step 1 (explicit) takes precedence — this tests the locate result structure
+    // independently of resolution ordering.
+    const result = server.call('provar.testrun.report.locate', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.equal(body['results_dir'], resultsDir);
+    assert.equal(body['resolution_source'], 'explicit');
+    assert.ok(typeof body['junit_xml'] === 'string');
+  });
+
+  // Test 4b: properties_file resolution via scanning project_path top-level
+  it('resolves via properties_file scan when file present in project root', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), JUNIT_XML);
+    const projectPath = path.join(tmpDir, 'project');
+    fs.mkdirSync(projectPath, { recursive: true });
+    fs.writeFileSync(
+      path.join(projectPath, 'myapp-provardx-properties-dev.json'),
+      JSON.stringify({ resultsPath: resultsDir, resultsPathDisposition: 'Replace' }),
+      'utf-8'
+    );
+
+    const result = server.call('provar.testrun.report.locate', {
+      project_path: projectPath,
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    // May be 'sf_config' if real ~/.sf/config.json is present on this machine,
+    // or 'properties_file' otherwise — either way resolution succeeds non-error.
+    assert.ok(['sf_config', 'properties_file'].includes(body['resolution_source'] as string));
+    // results_dir is whatever the winning resolution source provides
+    assert.ok(typeof body['results_dir'] === 'string' && body['results_dir'].length > 0);
+  });
+
+  // Additional: returns RESULTS_NOT_CONFIGURED when nothing found
+  // Note: this test only applies when the developer machine has no ~/.sf/config.json
+  // with a valid PROVARDX_PROPERTIES_FILE_PATH. If that file exists, resolution
+  // succeeds via sf_config — which is correct behaviour.
+  it('returns RESULTS_NOT_CONFIGURED or resolves via sf_config if real config present', () => {
+    const emptyProject = path.join(tmpDir, 'empty-project');
+    fs.mkdirSync(emptyProject, { recursive: true });
+
+    const result = server.call('provar.testrun.report.locate', {
+      project_path: emptyProject,
+    });
+
+    // Two valid outcomes depending on machine state:
+    // 1. Error RESULTS_NOT_CONFIGURED (no real sf config or its resultsPath doesn't exist)
+    // 2. Non-error with resolution_source='sf_config' (real sf config found valid resultsPath)
+    const body = parseText(result);
+    if (isError(result)) {
+      assert.equal(body['error_code'], 'RESULTS_NOT_CONFIGURED');
+    } else {
+      assert.equal(body['resolution_source'], 'sf_config');
+    }
+  });
+
+  // Additional: collects per_test_reports for *.testcase.html files
+  it('collects per_test_reports for *.testcase.html files', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), JUNIT_XML);
+    fs.writeFileSync(path.join(resultsDir, 'LoginTest.testcase.html'), '<html/>', 'utf-8');
+    fs.writeFileSync(path.join(resultsDir, 'SearchTest.testcase.html'), '<html/>', 'utf-8');
+
+    const result = server.call('provar.testrun.report.locate', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    const body = parseText(result);
+    const reports = body['per_test_reports'] as Array<{ test_name: string; html_path: string }>;
+    assert.equal(reports.length, 2);
+    assert.ok(reports.some((r) => r.test_name === 'LoginTest.testcase'));
+  });
+});
+
+// ── provar.testrun.rca ─────────────────────────────────────────────────────────
+
+describe('provar.testrun.rca', () => {
+  // Test 5: locate_only → returns locate result, skips parsing
+  it('with locate_only=true returns locate result and skips parsing', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+      locate_only: true,
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.equal(body['rca_skipped'], true);
+    assert.ok(!body['run_summary'], 'run_summary should not be present when locate_only');
+  });
+
+  // Test 6: JUnit.xml missing → returns run_in_progress: true
+  it('when JUnit.xml missing returns run_in_progress: true', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results')); // no JUnit.xml
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    assert.equal(body['run_in_progress'], true);
+  });
+
+  // Test 7: parses valid JUnit.xml → correct run_summary counts
+  it('parses valid JUnit.xml and returns correct run_summary counts', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    assert.equal(isError(result), false);
+    const body = parseText(result);
+    const summary = body['run_summary'] as Record<string, unknown>;
+    assert.equal(summary['total'], 3);
+    assert.equal(summary['failures'], 1);
+    assert.equal(summary['errors'], 0);
+    assert.equal(summary['skipped'], 1);
+    assert.equal(summary['passed'], 1);
+    assert.equal(summary['duration_seconds'], 45.2);
+  });
+
+  // Test 8: classifies LOCATOR_STALE correctly from NoSuchElementException
+  it('classifies LOCATOR_STALE correctly from NoSuchElementException', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    const body = parseText(result);
+    const failures = body['failures'] as Array<Record<string, unknown>>;
+    const searchFailure = failures.find((f) => f['test_case'] === 'SearchTest.testcase');
+    assert.ok(searchFailure, 'SearchTest.testcase failure should be present');
+    assert.equal(searchFailure['root_cause_category'], 'LOCATOR_STALE');
+    assert.equal(searchFailure['error_class'], 'NoSuchElementException');
+  });
+
+  // Test 9: classifies DRIVER_VERSION_MISMATCH correctly (before LOCATOR_STALE — order matters)
+  it('classifies DRIVER_VERSION_MISMATCH before LOCATOR_STALE when both patterns could match', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), DRIVER_VERSION_JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    const body = parseText(result);
+    const failures = body['failures'] as Array<Record<string, unknown>>;
+    assert.equal(failures.length, 1);
+    assert.equal(failures[0]['root_cause_category'], 'DRIVER_VERSION_MISMATCH');
+    assert.equal(failures[0]['error_class'], 'SessionNotCreatedException');
+  });
+
+  // Test 10: extracts page_object from "Page Object: pageobjects.foo" pattern
+  it('extracts page_object from failure message', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    const body = parseText(result);
+    const failures = body['failures'] as Array<Record<string, unknown>>;
+    const searchFailure = failures.find((f) => f['test_case'] === 'SearchTest.testcase');
+    assert.ok(searchFailure);
+    assert.equal(searchFailure['page_object'], 'pageobjects.provar__SearchPage');
+    assert.equal(searchFailure['operation'], 'clickSearch');
+  });
+
+  // Test 11: marks pre_existing: true when same test failed in prior Increment dir
+  it('marks pre_existing: true when same test failed in prior Increment dir', () => {
+    const resultsBase = path.join(tmpDir, 'Results');
+
+    // Prior run (index 1) with same failure
+    const priorJunit = `<?xml version="1.0" encoding="UTF-8"?>
+<testsuites>
+  <testsuite name="Suite1" tests="1" failures="1" errors="0" skipped="0" time="10.0">
+    <testcase name="SearchTest.testcase">
+      <failure message="old failure">NoSuchElementException</failure>
+    </testcase>
+  </testsuite>
+</testsuites>`;
+    makeIncrementDir(resultsBase, 1, priorJunit);
+
+    // Current run (index 2) with same failure
+    makeIncrementDir(resultsBase, 2, JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsBase,
+      run_index: 2,
+    });
+
+    const body = parseText(result);
+    const failures = body['failures'] as Array<Record<string, unknown>>;
+    const searchFailure = failures.find((f) => f['test_case'] === 'SearchTest.testcase');
+    assert.ok(searchFailure, 'SearchTest.testcase should appear');
+    assert.equal(searchFailure['pre_existing'], true);
+  });
+
+  // Test 12: marks pre_existing: false for new failure
+  it('marks pre_existing: false for a new failure not in prior Increment dir', () => {
+    const resultsBase = path.join(tmpDir, 'Results');
+
+    // Prior run (index 1) with DIFFERENT failure
+    const priorJunit = `<?xml version="1.0" encoding="UTF-8"?>
+<testsuites>
+  <testsuite name="Suite1" tests="1" failures="1" errors="0" skipped="0" time="10.0">
+    <testcase name="OtherTest.testcase">
+      <failure message="other">SomeOtherError</failure>
+    </testcase>
+  </testsuite>
+</testsuites>`;
+    makeIncrementDir(resultsBase, 1, priorJunit);
+
+    // Current run (index 2) with SearchTest failing for the first time
+    makeIncrementDir(resultsBase, 2, JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsBase,
+      run_index: 2,
+    });
+
+    const body = parseText(result);
+    const failures = body['failures'] as Array<Record<string, unknown>>;
+    const searchFailure = failures.find((f) => f['test_case'] === 'SearchTest.testcase');
+    assert.ok(searchFailure);
+    assert.equal(searchFailure['pre_existing'], false);
+  });
+
+  // Test 13: returns recommendations deduped
+  it('returns recommendations deduplicated across multiple failures with same root cause', () => {
+    const multiFailureJunit = `<?xml version="1.0" encoding="UTF-8"?>
+<testsuites>
+  <testsuite name="Suite1" tests="3" failures="3" errors="0" skipped="0" time="30.0">
+    <testcase name="Test1.testcase">
+      <failure message="f1">NoSuchElementException: element not found</failure>
+    </testcase>
+    <testcase name="Test2.testcase">
+      <failure message="f2">NoSuchElementException: another element missing</failure>
+    </testcase>
+    <testcase name="Test3.testcase">
+      <failure message="f3">NoSuchElementException: yet another element</failure>
+    </testcase>
+  </testsuite>
+</testsuites>`;
+
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), multiFailureJunit);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    const body = parseText(result);
+    const recommendations = body['recommendations'] as string[];
+    // All 3 failures have same category (LOCATOR_STALE) → same recommendation → deduplicated to 1
+    assert.equal(recommendations.length, 1);
+    assert.ok(recommendations[0].includes('Re-capture'));
+  });
+
+  // Test 14: UNKNOWN classification for unrecognised failure text
+  it('classifies unrecognised failure text as UNKNOWN', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), UNKNOWN_JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    const body = parseText(result);
+    const failures = body['failures'] as Array<Record<string, unknown>>;
+    assert.equal(failures.length, 1);
+    assert.equal(failures[0]['root_cause_category'], 'UNKNOWN');
+    assert.equal(failures[0]['recommendation'], 'Review full failure message and screenshot');
+  });
+
+  // Additional: infrastructure_issues populated for infra categories
+  it('populates infrastructure_issues for DRIVER_VERSION_MISMATCH failures', () => {
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), DRIVER_VERSION_JUNIT_XML);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    const body = parseText(result);
+    const infra = body['infrastructure_issues'] as string[];
+    assert.ok(infra.length > 0, 'Expected infrastructure_issues');
+    assert.ok(infra[0].includes('DRIVER_VERSION_MISMATCH'));
+  });
+
+  // Additional: error_message trimmed to 500 chars
+  it('truncates error_message to 500 characters', () => {
+    const longMsg = 'NoSuchElementException: ' + 'x'.repeat(600);
+    const longJunit = `<?xml version="1.0" encoding="UTF-8"?>
+<testsuites>
+  <testsuite name="Suite1" tests="1" failures="1" errors="0" skipped="0" time="1.0">
+    <testcase name="LongTest.testcase">
+      <failure message="long">${longMsg}</failure>
+    </testcase>
+  </testsuite>
+</testsuites>`;
+
+    const resultsDir = makeResultsDir(path.join(tmpDir, 'results'), longJunit);
+
+    const result = server.call('provar.testrun.rca', {
+      project_path: tmpDir,
+      results_path: resultsDir,
+    });
+
+    const body = parseText(result);
+    const failures = body['failures'] as Array<Record<string, unknown>>;
+    assert.equal((failures[0]['error_message'] as string).length, 500);
+  });
+});
diff --git a/test/unit/mcp/testCaseGenerate.test.ts b/test/unit/mcp/testCaseGenerate.test.ts
new file mode 100644
index 00000000..188a19b7
--- /dev/null
+++ b/test/unit/mcp/testCaseGenerate.test.ts
@@ -0,0 +1,371 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, beforeEach, afterEach } from 'mocha';
+import { registerTestCaseGenerate } from '../../../src/mcp/tools/testCaseGenerate.js';
+import type { ServerConfig } from '../../../src/mcp/server.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+// Note: bypasses Zod parsing — always pass explicit values for fields with defaults
+// (steps, dry_run, overwrite).
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// UUID v4 pattern
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+let tmpDir: string;
+let server: MockMcpServer;
+let config: ServerConfig;
+
+beforeEach(() => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'tcgen-test-'));
+  server = new MockMcpServer();
+  config = { allowedPaths: [tmpDir] };
+  registerTestCaseGenerate(server as never, config);
+});
+
+afterEach(() => {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
+});
+
+// ── provar.testcase.generate ───────────────────────────────────────────────────
+
+describe('provar.testcase.generate', () => {
+  describe('dry_run', () => {
+    it('returns xml_content without writing to disk', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Login Test',
+        steps: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.ok(typeof body['xml_content'] === 'string' && body['xml_content'].length > 0);
+      assert.equal(body['written'], false);
+      assert.equal(body['dry_run'], true);
+    });
+
+    it('does NOT write a file even when output_path is provided', () => {
+      const outPath = path.join(tmpDir, 'LoginTest.testcase');
+      server.call('provar.testcase.generate', {
+        test_case_name: 'Login Test',
+        steps: [],
+        output_path: outPath,
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(fs.existsSync(outPath), false, 'file must not be written in dry_run mode');
+    });
+  });
+
+  describe('generated XML content', () => {
+    it('contains <testCase> root element with name attribute', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Create Account',
+        steps: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const xml = parseText(result)['xml_content'] as string;
+      assert.ok(xml.includes('<testCase'), 'Expected <testCase element');
+      assert.ok(xml.includes('name="Create Account"'), 'Expected name attribute');
+    });
+
+    it('contains <steps> element', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'My Test',
+        steps: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const xml = parseText(result)['xml_content'] as string;
+      assert.ok(xml.includes('<steps>') && xml.includes('</steps>'), 'Expected <steps> block');
+    });
+
+    it('generates UUID v4 guids for testCase guid attribute', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'UUID Test',
+        steps: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const xml = parseText(result)['xml_content'] as string;
+      const guidMatch = /guid="([^"]+)"/.exec(xml);
+      assert.ok(guidMatch, 'Expected guid attribute');
+      assert.ok(UUID_RE.test(guidMatch[1]), `Expected UUID v4, got: ${guidMatch[1]}`);
+    });
+
+    it('uses explicit test_case_id when provided', () => {
+      const myId = 'my-explicit-id-123';
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Explicit ID Test',
+        test_case_id: myId,
+        steps: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const xml = parseText(result)['xml_content'] as string;
+      assert.ok(xml.includes(`id="${myId}"`), 'Expected explicit id in XML');
+    });
+
+    it('includes steps with correct apiId and sequential testItemId', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Multi Step',
+        steps: [
+          { api_id: 'UiConnect',  name: 'Connect',  attributes: {} },
+          { api_id: 'UiNavigate', name: 'Navigate', attributes: {} },
+          { api_id: 'UiDoAction', name: 'Click',    attributes: {} },
+        ],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const xml = parseText(result)['xml_content'] as string;
+      assert.ok(xml.includes('apiId="com.provar.plugins.forcedotcom.core.ui.UiConnect"'));
+      assert.ok(xml.includes('apiId="com.provar.plugins.forcedotcom.core.ui.UiNavigate"'));
+      assert.ok(xml.includes('apiId="com.provar.plugins.forcedotcom.core.ui.UiDoAction"'));
+      assert.ok(xml.includes('testItemId="1"'), 'Expected first step testItemId=1');
+      assert.ok(xml.includes('testItemId="2"'), 'Expected second step testItemId=2');
+      assert.ok(xml.includes('testItemId="3"'), 'Expected third step testItemId=3');
+    });
+
+    it('reports step_count matching the number of steps', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Count Test',
+        steps: [
+          { api_id: 'UiConnect',  name: 'Step 1', attributes: {} },
+          { api_id: 'UiNavigate', name: 'Step 2', attributes: {} },
+        ],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(parseText(result)['step_count'], 2);
+    });
+
+    it('includes validation field with is_valid and scores', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Validated Test',
+        steps: [{ api_id: 'UiConnect', name: 'Connect', attributes: {} }],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const body = parseText(result);
+      const validation = body['validation'] as Record<string, unknown>;
+      assert.ok(validation, 'Expected validation field in response');
+      assert.equal(typeof validation['is_valid'], 'boolean');
+      assert.equal(typeof validation['validity_score'], 'number');
+      assert.equal(typeof validation['quality_score'], 'number');
+      assert.equal(validation['is_valid'], true, 'Well-formed generated XML should be valid');
+      assert.ok(!('best_practices_violations' in validation), 'best_practices_violations should be omitted from slim response');
+    });
+
+    it('emits a TODO comment when no steps are provided', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'No Steps',
+        steps: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const xml = parseText(result)['xml_content'] as string;
+      assert.ok(xml.includes('TODO'), 'Expected TODO placeholder for empty steps');
+    });
+
+    it('escapes XML special characters in test_case_name', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Test & "Escape" <this>',
+        steps: [],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const xml = parseText(result)['xml_content'] as string;
+      assert.ok(xml.includes('&amp;'), 'Expected & escaped to &amp;');
+      assert.ok(xml.includes('&quot;'), 'Expected " escaped to &quot;');
+      assert.ok(xml.includes('&lt;'), 'Expected < escaped to &lt;');
+      assert.ok(xml.includes('&gt;'), 'Expected > escaped to &gt;');
+    });
+
+    it('escapes XML special characters in step api_id and name', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Escape Step Test',
+        steps: [{ api_id: 'Api<Id>', name: 'Step & "Name"', attributes: {} }],
+        dry_run: true,
+        overwrite: false,
+      });
+
+      const xml = parseText(result)['xml_content'] as string;
+      assert.ok(xml.includes('&lt;') && xml.includes('&gt;'), 'Expected < > escaped in apiId');
+      assert.ok(xml.includes('&amp;'), 'Expected & escaped in step name');
+    });
+  });
+
+  describe('writing to disk', () => {
+    it('writes file when dry_run=false and output_path provided', () => {
+      const outPath = path.join(tmpDir, 'Login.testcase');
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Login',
+        steps: [],
+        output_path: outPath,
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), false);
+      assert.equal(fs.existsSync(outPath), true, 'file should be written');
+      assert.equal(parseText(result)['written'], true);
+    });
+
+    it('does NOT write when dry_run=false but no output_path', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'No Path Test',
+        steps: [],
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), false);
+      assert.equal(parseText(result)['written'], false);
+    });
+
+    it('returns FILE_EXISTS when file exists and overwrite=false', () => {
+      const outPath = path.join(tmpDir, 'Existing.testcase');
+      fs.writeFileSync(outPath, '<old/>', 'utf-8');
+
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Existing',
+        steps: [],
+        output_path: outPath,
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(parseText(result)['error_code'], 'FILE_EXISTS');
+    });
+
+    it('overwrites when overwrite=true and file exists', () => {
+      const outPath = path.join(tmpDir, 'Existing.testcase');
+      fs.writeFileSync(outPath, '<old/>', 'utf-8');
+
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Existing',
+        steps: [],
+        output_path: outPath,
+        dry_run: false,
+        overwrite: true,
+      });
+
+      assert.equal(isError(result), false);
+      const written = fs.readFileSync(outPath, 'utf-8');
+      assert.ok(written.includes('<testCase'), 'old content should be replaced');
+    });
+
+    it('creates parent directories as needed', () => {
+      const outPath = path.join(tmpDir, 'tests', 'suite', 'Login.testcase');
+      server.call('provar.testcase.generate', {
+        test_case_name: 'Login',
+        steps: [],
+        output_path: outPath,
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(fs.existsSync(outPath), true, 'nested directories should be created');
+    });
+  });
+
+  describe('path policy', () => {
+    it('returns PATH_NOT_ALLOWED when output_path is outside allowedPaths', () => {
+      const strictServer = new MockMcpServer();
+      registerTestCaseGenerate(strictServer as never, { allowedPaths: [tmpDir] });
+
+      const result = strictServer.call('provar.testcase.generate', {
+        test_case_name: 'Evil',
+        steps: [],
+        output_path: path.join(os.tmpdir(), 'evil.testcase'),
+        dry_run: false,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), true);
+      const code = parseText(result)['error_code'] as string;
+      assert.ok(code === 'PATH_NOT_ALLOWED' || code === 'PATH_TRAVERSAL', `Unexpected: ${code}`);
+    });
+
+    it('does NOT check path policy in dry_run=true mode', () => {
+      const strictServer = new MockMcpServer();
+      registerTestCaseGenerate(strictServer as never, { allowedPaths: [tmpDir] });
+
+      const result = strictServer.call('provar.testcase.generate', {
+        test_case_name: 'Safe',
+        steps: [],
+        output_path: '/etc/evil.testcase',
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(isError(result), false, 'dry_run should not trigger path check');
+    });
+  });
+
+  describe('idempotency_key', () => {
+    it('echoes back the provided idempotency_key', () => {
+      const result = server.call('provar.testcase.generate', {
+        test_case_name: 'Idempotent',
+        steps: [],
+        idempotency_key: 'dedup-key-abc',
+        dry_run: true,
+        overwrite: false,
+      });
+
+      assert.equal(parseText(result)['idempotency_key'], 'dedup-key-abc');
+    });
+  });
+});
diff --git a/test/unit/mcp/testCaseValidate.test.ts b/test/unit/mcp/testCaseValidate.test.ts
new file mode 100644
index 00000000..7862c120
--- /dev/null
+++ b/test/unit/mcp/testCaseValidate.test.ts
@@ -0,0 +1,127 @@
+import { strict as assert } from 'node:assert';
+import { describe, it } from 'mocha';
+import { validateTestCase } from '../../../src/mcp/tools/testCaseValidate.js';
+
+// Valid UUID v4 values (format: xxxxxxxx-xxxx-4xxx-[89ab]xxx-xxxxxxxxxxxx)
+const GUID_TC = '550e8400-e29b-41d4-a716-446655440000';
+const GUID_S1 = '6ba7b810-9dad-4000-8000-00c04fd430c8';
+const GUID_S2 = '6ba7b811-9dad-4001-9001-00c04fd430c8';
+
+const VALID_TC = `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="test-001" guid="${GUID_TC}" registryId="abc123" name="My Test">
+  <steps>
+    <apiCall guid="${GUID_S1}" apiId="UiConnect" name="Connect to browser" testItemId="1"/>
+    <apiCall guid="${GUID_S2}" apiId="UiNavigate" name="Navigate to login" testItemId="2"/>
+  </steps>
+</testCase>`;
+
+describe('validateTestCase', () => {
+  describe('valid test case', () => {
+    it('returns is_valid=true with zero errors', () => {
+      const r = validateTestCase(VALID_TC);
+      assert.equal(r.is_valid, true);
+      assert.equal(r.error_count, 0);
+      assert.equal(r.step_count, 2);
+      assert.equal(r.test_case_id, 'test-001');
+      assert.equal(r.test_case_name, 'My Test');
+    });
+  });
+
+  describe('document-level rules', () => {
+    it('TC_001: flags missing XML declaration', () => {
+      const r = validateTestCase(
+        `<testCase id="x" guid="${GUID_TC}" registryId="r"><steps/></testCase>`
+      );
+      assert.ok(r.issues.some((i) => i.rule_id === 'TC_001'), 'Expected TC_001');
+      assert.equal(r.is_valid, false);
+    });
+
+    it('TC_002: flags malformed XML', () => {
+      const r = validateTestCase('<?xml version="1.0"?><testCase id="x" unclosed');
+      assert.ok(r.issues.some((i) => i.rule_id === 'TC_002'), 'Expected TC_002');
+    });
+
+    it('TC_003: flags wrong root element', () => {
+      const r = validateTestCase('<?xml version="1.0"?><notTestCase/>');
+      assert.ok(r.issues.some((i) => i.rule_id === 'TC_003'), 'Expected TC_003');
+    });
+  });
+
+  describe('testCase attribute rules', () => {
+    it('TC_010: flags missing id', () => {
+      const r = validateTestCase(
+        `<?xml version="1.0" encoding="UTF-8"?><testCase guid="${GUID_TC}" registryId="r"><steps/></testCase>`
+      );
+      assert.ok(r.issues.some((i) => i.rule_id === 'TC_010'), 'Expected TC_010');
+    });
+
+    it('TC_011: flags missing guid', () => {
+      const r = validateTestCase(
+        '<?xml version="1.0" encoding="UTF-8"?><testCase id="x" registryId="r"><steps/></testCase>'
+      );
+      assert.ok(r.issues.some((i) => i.rule_id === 'TC_011'), 'Expected TC_011');
+    });
+
+    it('TC_012: flags non-UUID-v4 guid', () => {
+      const r = validateTestCase(
+        '<?xml version="1.0" encoding="UTF-8"?><testCase id="x" guid="not-a-uuid" registryId="r"><steps/></testCase>'
+      );
+      assert.ok(r.issues.some((i) => i.rule_id === 'TC_012'), 'Expected TC_012');
+    });
+  });
+
+  describe('apiCall rules', () => {
+    it('TC_031: flags invalid apiCall guid', () => {
+      const r = validateTestCase(
+        `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="x" guid="${GUID_TC}" registryId="r">
+  <steps>
+    <apiCall guid="bad-guid" apiId="UiConnect" name="N" testItemId="1"/>
+  </steps>
+</testCase>`
+      );
+      assert.ok(r.issues.some((i) => i.rule_id === 'TC_031'), 'Expected TC_031');
+    });
+
+    it('TC_034 + TC_035: flags non-integer testItemId', () => {
+      const r = validateTestCase(
+        `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="x" guid="${GUID_TC}" registryId="r">
+  <steps>
+    <apiCall guid="${GUID_S1}" apiId="UiConnect" name="N" testItemId="abc"/>
+  </steps>
+</testCase>`
+      );
+      assert.ok(r.issues.some((i) => i.rule_id === 'TC_035'), 'Expected TC_035');
+    });
+  });
+
+  describe('score boundaries', () => {
+    it('validity_score is never negative', () => {
+      const r = validateTestCase('<?xml version="1.0"?><wrong/>');
+      assert.ok(r.validity_score >= 0);
+    });
+  });
+
+  describe('self-closing element handling', () => {
+    // fast-xml-parser yields '' for a self-closing element with no attributes.
+    // These must not throw "Cannot use 'in' operator to search for '...' in ''"
+
+    it('does not throw on bare <testCase/> — reports schema errors gracefully', () => {
+      assert.doesNotThrow(() => validateTestCase('<testCase/>'));
+      const r = validateTestCase('<testCase/>');
+      assert.ok(r.error_count > 0, 'Expected schema errors for bare <testCase/>');
+      assert.ok(r.validity_score >= 0);
+    });
+
+    it('does not throw on a <testCase> with self-closing <steps/>', () => {
+      const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="t1" guid="${GUID_TC}" name="SelfClosingSteps">
+  <steps/>
+</testCase>`;
+      assert.doesNotThrow(() => validateTestCase(xml));
+      const r = validateTestCase(xml);
+      assert.equal(r.step_count, 0);
+    });
+  });
+});
diff --git a/test/unit/mcp/testPlanTools.test.ts b/test/unit/mcp/testPlanTools.test.ts
new file mode 100644
index 00000000..e3d7184f
--- /dev/null
+++ b/test/unit/mcp/testPlanTools.test.ts
@@ -0,0 +1,621 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, beforeEach, afterEach } from 'mocha';
+import { registerAllTestPlanTools } from '../../../src/mcp/tools/testPlanTools.js';
+import type { ServerConfig } from '../../../src/mcp/server.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+// Note: bypasses Zod parsing — always pass explicit values for fields with defaults.
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+function errorCode(result: unknown): string {
+  return parseText(result)['error_code'] as string;
+}
+
+// ── Fixture helpers ────────────────────────────────────────────────────────────
+
+/** Create a minimal Provar project structure in the given directory. */
+function makeProject(root: string): void {
+  fs.mkdirSync(root, { recursive: true });
+  fs.writeFileSync(path.join(root, 'MyProject.testproject'), '', 'utf-8');
+}
+
+/** Write a minimal .testcase file with a registryId attribute. */
+function makeTestCase(filePath: string, registryId = 'test-case-uuid-1234'): void {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(
+    filePath,
+    `<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n<testCase registryId="${registryId}"/>\n`,
+    'utf-8'
+  );
+}
+
+/** Write a minimal .planitem file and create the plan directory structure. */
+function makePlan(root: string, planName: string): void {
+  const planDir = path.join(root, 'plans', planName);
+  fs.mkdirSync(planDir, { recursive: true });
+  fs.writeFileSync(
+    path.join(planDir, '.planitem'),
+    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n<testPlan guid="plan-guid-1234">\n  <planSettings/>\n  <planFeatures/>\n</testPlan>\n',
+    'utf-8'
+  );
+}
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+let tmpDir: string;
+let projectDir: string;
+let server: MockMcpServer;
+let config: ServerConfig;
+
+beforeEach(() => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'testplantools-test-'));
+  projectDir = path.join(tmpDir, 'MyProject');
+  server = new MockMcpServer();
+  config = { allowedPaths: [tmpDir] };
+  registerAllTestPlanTools(server as never, config);
+});
+
+afterEach(() => {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
+});
+
+// ── provar.testplan.add-instance ───────────────────────────────────────────────
+
+describe('provar.testplan.add-instance', () => {
+  describe('happy path', () => {
+    it('writes a .testinstance file and returns expected fields', () => {
+      makeProject(projectDir);
+      makeTestCase(path.join(projectDir, 'tests', 'MyTest.testcase'));
+      makePlan(projectDir, 'MyPlan');
+      // Add the suite dir
+      const suiteDir = path.join(projectDir, 'plans', 'MyPlan', 'MySuite');
+      fs.mkdirSync(suiteDir, { recursive: true });
+      // Create .planitem in suite dir too (not strictly required by the tool, but realistic)
+      fs.writeFileSync(path.join(suiteDir, '.planitem'), '<testPlan guid="suite-guid"/>', 'utf-8');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/MyTest.testcase',
+        plan_name: 'MyPlan',
+        suite_path: 'MySuite',
+        overwrite: false,
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.equal(body['written'], true);
+      assert.equal(body['dry_run'], false);
+      assert.equal(body['test_case_path'], 'tests/MyTest.testcase');
+      assert.ok(typeof body['guid'] === 'string' && body['guid'].length > 0);
+      assert.equal(body['test_case_id'], 'test-case-uuid-1234');
+
+      const instanceFile = path.join(suiteDir, 'MyTest.testinstance');
+      assert.ok(fs.existsSync(instanceFile), '.testinstance file should be written');
+    });
+
+    it('writes .testinstance at plan root when no suite_path given', () => {
+      makeProject(projectDir);
+      makeTestCase(path.join(projectDir, 'tests', 'Root.testcase'));
+      makePlan(projectDir, 'MyPlan');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/Root.testcase',
+        plan_name: 'MyPlan',
+        overwrite: false,
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), false);
+      const instanceFile = path.join(projectDir, 'plans', 'MyPlan', 'Root.testinstance');
+      assert.ok(fs.existsSync(instanceFile), '.testinstance file should be at plan root');
+    });
+  });
+
+  describe('dry_run', () => {
+    it('returns written=false and does not create a file', () => {
+      makeProject(projectDir);
+      makeTestCase(path.join(projectDir, 'tests', 'MyTest.testcase'));
+      makePlan(projectDir, 'MyPlan');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/MyTest.testcase',
+        plan_name: 'MyPlan',
+        overwrite: false,
+        dry_run: true,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.equal(body['written'], false);
+      assert.equal(body['dry_run'], true);
+
+      const instanceFile = path.join(projectDir, 'plans', 'MyPlan', 'MyTest.testinstance');
+      assert.equal(fs.existsSync(instanceFile), false, 'File must not be written in dry_run mode');
+    });
+  });
+
+  describe('error cases', () => {
+    it('returns NOT_A_PROJECT when .testproject is missing', () => {
+      fs.mkdirSync(projectDir, { recursive: true });
+      // No .testproject written
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/MyTest.testcase',
+        plan_name: 'MyPlan',
+        overwrite: false,
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'NOT_A_PROJECT');
+    });
+
+    it('returns FILE_NOT_FOUND when testcase does not exist', () => {
+      makeProject(projectDir);
+      makePlan(projectDir, 'MyPlan');
+      // No testcase file created
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/Missing.testcase',
+        plan_name: 'MyPlan',
+        overwrite: false,
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'FILE_NOT_FOUND');
+    });
+
+    it('returns INVALID_PATH when test_case_path does not end with .testcase', () => {
+      makeProject(projectDir);
+      // Create the file but with wrong extension
+      fs.mkdirSync(path.join(projectDir, 'tests'), { recursive: true });
+      fs.writeFileSync(path.join(projectDir, 'tests', 'MyTest.txt'), 'content', 'utf-8');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/MyTest.txt',
+        plan_name: 'MyPlan',
+        overwrite: false,
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'INVALID_PATH');
+    });
+
+    it('returns DIR_NOT_FOUND when suite directory does not exist', () => {
+      makeProject(projectDir);
+      makeTestCase(path.join(projectDir, 'tests', 'MyTest.testcase'));
+      makePlan(projectDir, 'MyPlan');
+      // Do NOT create the suite dir
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/MyTest.testcase',
+        plan_name: 'MyPlan',
+        suite_path: 'NonExistentSuite',
+        overwrite: false,
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'DIR_NOT_FOUND');
+    });
+
+    it('returns FILE_EXISTS when instance already exists and overwrite=false', () => {
+      makeProject(projectDir);
+      makeTestCase(path.join(projectDir, 'tests', 'MyTest.testcase'));
+      makePlan(projectDir, 'MyPlan');
+      // Pre-create the instance file
+      fs.writeFileSync(path.join(projectDir, 'plans', 'MyPlan', 'MyTest.testinstance'), 'old', 'utf-8');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/MyTest.testcase',
+        plan_name: 'MyPlan',
+        overwrite: false,
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'FILE_EXISTS');
+    });
+
+    it('overwrites when overwrite=true and file already exists', () => {
+      makeProject(projectDir);
+      makeTestCase(path.join(projectDir, 'tests', 'MyTest.testcase'));
+      makePlan(projectDir, 'MyPlan');
+      fs.writeFileSync(path.join(projectDir, 'plans', 'MyPlan', 'MyTest.testinstance'), 'old', 'utf-8');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/MyTest.testcase',
+        plan_name: 'MyPlan',
+        overwrite: true,
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), false);
+      assert.equal(parseText(result)['written'], true);
+    });
+  });
+
+  describe('testCaseId extraction', () => {
+    it('extracts registryId attribute', () => {
+      makeProject(projectDir);
+      makeTestCase(path.join(projectDir, 'tests', 'TC.testcase'), 'my-registry-id');
+      makePlan(projectDir, 'P');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/TC.testcase',
+        plan_name: 'P',
+        overwrite: false,
+        dry_run: true,
+      });
+
+      assert.equal(isError(result), false);
+      assert.equal(parseText(result)['test_case_id'], 'my-registry-id');
+    });
+
+    it('falls back to id attribute when registryId is absent', () => {
+      makeProject(projectDir);
+      fs.mkdirSync(path.join(projectDir, 'tests'), { recursive: true });
+      fs.writeFileSync(
+        path.join(projectDir, 'tests', 'TC.testcase'),
+        '<?xml version="1.0"?>\n<testCase id="fallback-id"/>\n',
+        'utf-8'
+      );
+      makePlan(projectDir, 'P');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/TC.testcase',
+        plan_name: 'P',
+        overwrite: false,
+        dry_run: true,
+      });
+
+      assert.equal(isError(result), false);
+      assert.equal(parseText(result)['test_case_id'], 'fallback-id');
+    });
+
+    it('falls back to guid attribute when registryId and id are absent', () => {
+      makeProject(projectDir);
+      fs.mkdirSync(path.join(projectDir, 'tests'), { recursive: true });
+      fs.writeFileSync(
+        path.join(projectDir, 'tests', 'TC.testcase'),
+        '<?xml version="1.0"?>\n<testCase guid="guid-only-id"/>\n',
+        'utf-8'
+      );
+      makePlan(projectDir, 'P');
+
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/TC.testcase',
+        plan_name: 'P',
+        overwrite: false,
+        dry_run: true,
+      });
+
+      assert.equal(isError(result), false);
+      assert.equal(parseText(result)['test_case_id'], 'guid-only-id');
+    });
+  });
+
+  describe('testCasePath forward-slash normalization', () => {
+    it('normalizes backslashes to forward slashes in written XML', () => {
+      makeProject(projectDir);
+      // Create nested testcase
+      fs.mkdirSync(path.join(projectDir, 'tests', 'SubFolder'), { recursive: true });
+      fs.writeFileSync(
+        path.join(projectDir, 'tests', 'SubFolder', 'TC.testcase'),
+        '<?xml version="1.0"?>\n<testCase registryId="norm-id"/>\n',
+        'utf-8'
+      );
+      makePlan(projectDir, 'P');
+
+      // Pass path with backslashes (Windows-style)
+      const result = server.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests\\SubFolder\\TC.testcase',
+        plan_name: 'P',
+        overwrite: false,
+        dry_run: true,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.equal(body['test_case_path'], 'tests/SubFolder/TC.testcase');
+    });
+  });
+});
+
+// ── provar.testplan.create-suite ───────────────────────────────────────────────
+
+describe('provar.testplan.create-suite', () => {
+  describe('happy path', () => {
+    it('creates suite directory and .planitem, returns expected fields', () => {
+      makeProject(projectDir);
+      makePlan(projectDir, 'MyPlan');
+
+      const result = server.call('provar.testplan.create-suite', {
+        project_path: projectDir,
+        plan_name: 'MyPlan',
+        suite_name: 'MySuite',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.equal(body['created'], true);
+      assert.equal(body['dry_run'], false);
+      assert.ok(typeof body['guid'] === 'string' && body['guid'].length > 0);
+
+      const suiteDir = path.join(projectDir, 'plans', 'MyPlan', 'MySuite');
+      assert.ok(fs.existsSync(suiteDir), 'Suite directory should be created');
+      assert.ok(fs.existsSync(path.join(suiteDir, '.planitem')), '.planitem should be written');
+    });
+
+    it('creates nested suite under parent_suite_path', () => {
+      makeProject(projectDir);
+      makePlan(projectDir, 'MyPlan');
+      // Create the parent suite first
+      const parentDir = path.join(projectDir, 'plans', 'MyPlan', 'Parent');
+      fs.mkdirSync(parentDir, { recursive: true });
+
+      const result = server.call('provar.testplan.create-suite', {
+        project_path: projectDir,
+        plan_name: 'MyPlan',
+        suite_name: 'Child',
+        parent_suite_path: 'Parent',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), false);
+      const childDir = path.join(projectDir, 'plans', 'MyPlan', 'Parent', 'Child');
+      assert.ok(fs.existsSync(childDir), 'Child suite directory should be created');
+    });
+  });
+
+  describe('dry_run', () => {
+    it('returns created=false and does not create directories', () => {
+      makeProject(projectDir);
+      makePlan(projectDir, 'MyPlan');
+
+      const result = server.call('provar.testplan.create-suite', {
+        project_path: projectDir,
+        plan_name: 'MyPlan',
+        suite_name: 'DryRunSuite',
+        dry_run: true,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.equal(body['created'], false);
+      assert.equal(body['dry_run'], true);
+
+      const suiteDir = path.join(projectDir, 'plans', 'MyPlan', 'DryRunSuite');
+      assert.equal(fs.existsSync(suiteDir), false, 'Directory must not be created in dry_run mode');
+    });
+  });
+
+  describe('error cases', () => {
+    it('returns NOT_A_PROJECT when .testproject is missing', () => {
+      fs.mkdirSync(projectDir, { recursive: true });
+
+      const result = server.call('provar.testplan.create-suite', {
+        project_path: projectDir,
+        plan_name: 'MyPlan',
+        suite_name: 'MySuite',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'NOT_A_PROJECT');
+    });
+
+    it('returns DIR_NOT_FOUND when plan directory does not exist', () => {
+      makeProject(projectDir);
+      // No plan created
+
+      const result = server.call('provar.testplan.create-suite', {
+        project_path: projectDir,
+        plan_name: 'NonExistentPlan',
+        suite_name: 'MySuite',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'DIR_NOT_FOUND');
+    });
+
+    it('returns FILE_NOT_FOUND when plan .planitem does not exist', () => {
+      makeProject(projectDir);
+      // Create plan dir but no .planitem
+      fs.mkdirSync(path.join(projectDir, 'plans', 'MyPlan'), { recursive: true });
+
+      const result = server.call('provar.testplan.create-suite', {
+        project_path: projectDir,
+        plan_name: 'MyPlan',
+        suite_name: 'MySuite',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'FILE_NOT_FOUND');
+    });
+
+    it('returns DIR_EXISTS when suite already exists', () => {
+      makeProject(projectDir);
+      makePlan(projectDir, 'MyPlan');
+      // Pre-create the suite dir
+      fs.mkdirSync(path.join(projectDir, 'plans', 'MyPlan', 'AlreadyExists'), { recursive: true });
+
+      const result = server.call('provar.testplan.create-suite', {
+        project_path: projectDir,
+        plan_name: 'MyPlan',
+        suite_name: 'AlreadyExists',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'DIR_EXISTS');
+    });
+  });
+});
+
+// ── provar.testplan.remove-instance ───────────────────────────────────────────
+
+describe('provar.testplan.remove-instance', () => {
+  describe('happy path', () => {
+    it('removes the .testinstance file and returns expected fields', () => {
+      makeProject(projectDir);
+      makePlan(projectDir, 'MyPlan');
+      const instancePath = path.join(projectDir, 'plans', 'MyPlan', 'MyTest.testinstance');
+      fs.writeFileSync(instancePath, '<testPlanInstance guid="x"/>', 'utf-8');
+
+      const result = server.call('provar.testplan.remove-instance', {
+        project_path: projectDir,
+        instance_path: 'plans/MyPlan/MyTest.testinstance',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.equal(body['removed'], true);
+      assert.equal(body['dry_run'], false);
+      assert.equal(fs.existsSync(instancePath), false, 'File should be deleted');
+    });
+  });
+
+  describe('dry_run', () => {
+    it('returns removed=false and does not delete the file', () => {
+      makeProject(projectDir);
+      makePlan(projectDir, 'MyPlan');
+      const instancePath = path.join(projectDir, 'plans', 'MyPlan', 'MyTest.testinstance');
+      fs.writeFileSync(instancePath, '<testPlanInstance guid="x"/>', 'utf-8');
+
+      const result = server.call('provar.testplan.remove-instance', {
+        project_path: projectDir,
+        instance_path: 'plans/MyPlan/MyTest.testinstance',
+        dry_run: true,
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.equal(body['removed'], false);
+      assert.equal(body['dry_run'], true);
+      assert.equal(fs.existsSync(instancePath), true, 'File must not be deleted in dry_run mode');
+    });
+  });
+
+  describe('error cases', () => {
+    it('returns INVALID_PATH when instance_path does not end with .testinstance', () => {
+      makeProject(projectDir);
+
+      const result = server.call('provar.testplan.remove-instance', {
+        project_path: projectDir,
+        instance_path: 'plans/MyPlan/MyTest.testcase',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'INVALID_PATH');
+    });
+
+    it('returns FILE_NOT_FOUND when instance file does not exist', () => {
+      makeProject(projectDir);
+
+      const result = server.call('provar.testplan.remove-instance', {
+        project_path: projectDir,
+        instance_path: 'plans/MyPlan/Missing.testinstance',
+        dry_run: false,
+      });
+
+      assert.equal(isError(result), true);
+      assert.equal(errorCode(result), 'FILE_NOT_FOUND');
+    });
+  });
+});
+
+// ── registerAllTestPlanTools ───────────────────────────────────────────────────
+
+describe('registerAllTestPlanTools', () => {
+  it('registers all three tools', () => {
+    const freshServer = new MockMcpServer();
+    registerAllTestPlanTools(freshServer as never, config);
+
+    // Each tool should be callable without throwing "Tool not registered"
+    makeProject(projectDir);
+
+    // Verify each tool is registered by checking it doesn't throw
+    assert.doesNotThrow(() => {
+      freshServer.call('provar.testplan.add-instance', {
+        project_path: projectDir,
+        test_case_path: 'tests/X.testcase',
+        plan_name: 'P',
+        overwrite: false,
+        dry_run: true,
+      });
+    });
+    assert.doesNotThrow(() => {
+      freshServer.call('provar.testplan.create-suite', {
+        project_path: projectDir,
+        plan_name: 'P',
+        suite_name: 'S',
+        dry_run: true,
+      });
+    });
+    assert.doesNotThrow(() => {
+      freshServer.call('provar.testplan.remove-instance', {
+        project_path: projectDir,
+        instance_path: 'plans/P/X.testinstance',
+        dry_run: true,
+      });
+    });
+  });
+});
diff --git a/test/unit/mcp/testPlanValidate.test.ts b/test/unit/mcp/testPlanValidate.test.ts
new file mode 100644
index 00000000..e255f3e4
--- /dev/null
+++ b/test/unit/mcp/testPlanValidate.test.ts
@@ -0,0 +1,336 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import { describe, it, beforeEach } from 'mocha';
+import { registerTestPlanValidate } from '../../../src/mcp/tools/testPlanValidate.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+function hasViolation(result: unknown, ruleId: string): boolean {
+  const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+  return violations.some((v) => v.rule_id === ruleId);
+}
+
+// ── XML / suite fixtures ───────────────────────────────────────────────────────
+
+const G = {
+  tc1: '550e8400-e29b-41d4-a716-446655440001',
+  tc2: '550e8400-e29b-41d4-a716-446655440002',
+  s1:  '550e8400-e29b-41d4-a716-446655440011',
+  s2:  '550e8400-e29b-41d4-a716-446655440012',
+};
+
+function makeXml(tcGuid: string, stepGuid: string, id: string): string {
+  return [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    `<testCase id="${id}" guid="${tcGuid}" registryId="${id}" name="${id}">`,
+    '  <steps>',
+    `    <apiCall guid="${stepGuid}" apiId="UiConnect" name="Connect" testItemId="1"/>`,
+    '  </steps>',
+    '</testCase>',
+  ].join('\n');
+}
+
+const TC_LOGIN  = { name: 'LoginTest.testcase',  xml_content: makeXml(G.tc1, G.s1, 'tc-001') };
+const TC_LOGOUT = { name: 'LogoutTest.testcase', xml_content: makeXml(G.tc2, G.s2, 'tc-002') };
+
+// A suite with one test case (avoids SUITE-EMPTY-001 inside plan tests)
+const SUITE_A = { name: 'AccountSuite', test_cases: [TC_LOGIN] };
+const SUITE_B = { name: 'ContactSuite', test_cases: [TC_LOGOUT] };
+
+/** Full metadata that passes all PLAN-META-* checks */
+function fullMeta(): Record<string, unknown> {
+  return {
+    objectives: 'Verify all account flows',
+    in_scope: 'Account, Contact, Opportunity',
+    testing_methodology: 'risk-based regression',
+    acceptance_criteria: '95% pass rate',
+    acceptable_pass_rate: 95,
+    environments: ['QA', 'Staging'],
+    test_data_strategy: 'Seed via Apex before each run',
+    risks: 'Data setup failures',
+  };
+}
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+let server: MockMcpServer;
+
+beforeEach(() => {
+  server = new MockMcpServer();
+  registerTestPlanValidate(server as never);
+});
+
+// ── provar.testplan.validate ──────────────────────────────────────────────────
+
+describe('provar.testplan.validate', () => {
+  describe('happy path', () => {
+    it('returns a result (not an error) for a valid non-empty plan', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'MyPlan',
+        test_suites: [SUITE_A, SUITE_B],
+        metadata: fullMeta(),
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.ok('quality_score' in body);
+      assert.ok('violations' in body);
+    });
+
+    it('quality_score is between 0 and 100', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'MyPlan',
+        test_suites: [SUITE_A],
+        metadata: fullMeta(),
+      });
+
+      const score = parseText(result)['quality_score'] as number;
+      assert.ok(score >= 0 && score <= 100, `Expected 0-100, got ${score}`);
+    });
+
+    it('returns requestId in the response', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'MyPlan',
+        test_suites: [SUITE_A],
+      });
+
+      const body = parseText(result);
+      assert.ok(typeof body['requestId'] === 'string' && body['requestId'].length > 0);
+    });
+
+    it('includes a summary with total_test_cases and total_violations', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'MyPlan',
+        test_suites: [SUITE_A, SUITE_B],
+        metadata: fullMeta(),
+      });
+
+      const summary = parseText(result)['summary'] as Record<string, unknown>;
+      assert.ok(typeof summary['total_test_cases'] === 'number');
+      assert.ok(typeof summary['total_violations'] === 'number');
+    });
+  });
+
+  describe('PLAN-EMPTY-001 — empty plan', () => {
+    it('triggers PLAN-EMPTY-001 when plan has no suites and no test_cases', () => {
+      const result = server.call('provar.testplan.validate', { plan_name: 'EmptyPlan' });
+
+      assert.equal(isError(result), false);
+      assert.ok(hasViolation(result, 'PLAN-EMPTY-001'), 'Expected PLAN-EMPTY-001');
+    });
+
+    it('triggers PLAN-EMPTY-001 when test_suites is an empty array', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'EmptyPlan',
+        test_suites: [],
+      });
+
+      assert.ok(hasViolation(result, 'PLAN-EMPTY-001'), 'Expected PLAN-EMPTY-001');
+    });
+
+    it('does NOT trigger PLAN-EMPTY-001 when plan has suites', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'NonEmptyPlan',
+        test_suites: [SUITE_A],
+      });
+
+      assert.ok(!hasViolation(result, 'PLAN-EMPTY-001'), 'Did not expect PLAN-EMPTY-001');
+    });
+  });
+
+  describe('PLAN-DUP-001 — duplicate suite names', () => {
+    it('triggers PLAN-DUP-001 when two suites share the same name', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'DupPlan',
+        test_suites: [
+          { name: 'AccountSuite', test_cases: [TC_LOGIN] },
+          { name: 'AccountSuite', test_cases: [TC_LOGOUT] },
+        ],
+      });
+
+      assert.ok(hasViolation(result, 'PLAN-DUP-001'), 'Expected PLAN-DUP-001');
+    });
+
+    it('does NOT trigger PLAN-DUP-001 for distinct suite names', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'GoodPlan',
+        test_suites: [SUITE_A, SUITE_B],
+      });
+
+      assert.ok(!hasViolation(result, 'PLAN-DUP-001'), 'Did not expect PLAN-DUP-001');
+    });
+  });
+
+  describe('PLAN-SIZE-001 — oversized plan (>20 suites)', () => {
+    it('triggers PLAN-SIZE-001 when test_suite_count exceeds 20', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'HugePlan',
+        test_suites: [SUITE_A],
+        test_suite_count: 21,
+      });
+
+      assert.ok(hasViolation(result, 'PLAN-SIZE-001'), 'Expected PLAN-SIZE-001');
+    });
+
+    it('does NOT trigger PLAN-SIZE-001 when test_suite_count is exactly 20', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'BoundaryPlan',
+        test_suites: [SUITE_A],
+        test_suite_count: 20,
+      });
+
+      assert.ok(!hasViolation(result, 'PLAN-SIZE-001'), 'Did not expect PLAN-SIZE-001 at exactly 20');
+    });
+
+    it('triggers PLAN-SIZE-001 by counting test_suites when no explicit count provided', () => {
+      const suites = Array.from({ length: 21 }, (_, i) => ({
+        name: `Suite${i}`,
+        test_cases: [TC_LOGIN],
+      }));
+
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'HugePlan',
+        test_suites: suites,
+      });
+
+      assert.ok(hasViolation(result, 'PLAN-SIZE-001'), 'Expected PLAN-SIZE-001 from counted suites');
+    });
+  });
+
+  describe('PLAN-META-* — plan completeness violations', () => {
+    it('triggers PLAN-META-001 when objectives is missing', () => {
+      const meta = fullMeta();
+      delete meta['objectives'];
+
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'MetaPlan',
+        test_suites: [SUITE_A],
+        metadata: meta,
+      });
+
+      assert.ok(hasViolation(result, 'PLAN-META-001'), 'Expected PLAN-META-001 (missing objectives)');
+    });
+
+    it('triggers PLAN-META-002 when in_scope is missing', () => {
+      const meta = fullMeta();
+      delete meta['in_scope'];
+
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'MetaPlan',
+        test_suites: [SUITE_A],
+        metadata: meta,
+      });
+
+      assert.ok(hasViolation(result, 'PLAN-META-002'), 'Expected PLAN-META-002 (missing in_scope)');
+    });
+
+    it('triggers PLAN-META-005 when environments is missing', () => {
+      const meta = fullMeta();
+      delete meta['environments'];
+
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'MetaPlan',
+        test_suites: [SUITE_A],
+        metadata: meta,
+      });
+
+      assert.ok(hasViolation(result, 'PLAN-META-005'), 'Expected PLAN-META-005 (missing environments)');
+    });
+
+    it('does NOT trigger any PLAN-META-* when all metadata fields are provided', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'FullPlan',
+        test_suites: [SUITE_A],
+        metadata: fullMeta(),
+      });
+
+      const violations = parseText(result)['violations'] as Array<{ rule_id: string }>;
+      const metaViolations = violations.filter((v) => v.rule_id.startsWith('PLAN-META-'));
+      assert.equal(metaViolations.length, 0, `Unexpected PLAN-META violations: ${metaViolations.map((v) => v.rule_id).join(', ')}`);
+    });
+
+    it('triggers all PLAN-META-* violations when no metadata is provided', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'NoMetaPlan',
+        test_suites: [SUITE_A],
+      });
+
+      const violations = parseText(result)['violations'] as Array<{ rule_id: string }>;
+      const metaRuleIds = violations.filter((v) => v.rule_id.startsWith('PLAN-META-')).map((v) => v.rule_id);
+      // At least objectives, in_scope, testing_methodology, acceptance_criteria, environments,
+      // test_data_strategy, risks — 7 rules
+      assert.ok(metaRuleIds.length >= 7, `Expected >=7 PLAN-META violations, got ${metaRuleIds.length}: ${metaRuleIds.join(', ')}`);
+    });
+  });
+
+  describe('xml_content alias — xml field accepted', () => {
+    it('accepts xml field as alias for xml_content in test cases', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'AliasPlan',
+        test_suites: [{
+          name: 'AccountSuite',
+          test_cases: [
+            { name: 'LoginTest.testcase', xml: makeXml(G.tc1, G.s1, 'tc-001') },
+          ],
+        }],
+      });
+
+      assert.equal(isError(result), false);
+      assert.ok(!hasViolation(result, 'SUITE-EMPTY-001'), 'xml alias should count as content');
+    });
+  });
+
+  describe('quality_threshold', () => {
+    it('uses default threshold of 80 when not provided', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'ThresholdPlan',
+        test_suites: [SUITE_A],
+      });
+      assert.equal(isError(result), false);
+      assert.ok('quality_score' in parseText(result));
+    });
+
+    it('accepts a custom quality_threshold', () => {
+      const result = server.call('provar.testplan.validate', {
+        plan_name: 'ThresholdPlan',
+        test_suites: [SUITE_A],
+        quality_threshold: 95,
+      });
+      assert.equal(isError(result), false);
+    });
+  });
+});
diff --git a/test/unit/mcp/testSuiteValidate.test.ts b/test/unit/mcp/testSuiteValidate.test.ts
new file mode 100644
index 00000000..df4c4913
--- /dev/null
+++ b/test/unit/mcp/testSuiteValidate.test.ts
@@ -0,0 +1,321 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import { describe, it, beforeEach } from 'mocha';
+import { registerTestSuiteValidate } from '../../../src/mcp/tools/testSuiteValidate.js';
+
+// ── Minimal McpServer mock ─────────────────────────────────────────────────────
+
+type ToolHandler = (args: Record<string, unknown>) => unknown;
+
+class MockMcpServer {
+  private handlers = new Map<string, ToolHandler>();
+
+  public tool(name: string, _description: string, _schema: unknown, handler: ToolHandler): void {
+    this.handlers.set(name, handler);
+  }
+
+  public call(name: string, args: Record<string, unknown>): ReturnType<ToolHandler> {
+    const h = this.handlers.get(name);
+    if (!h) throw new Error(`Tool not registered: ${name}`);
+    return h(args);
+  }
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function parseText(result: unknown): Record<string, unknown> {
+  const r = result as { content: Array<{ type: string; text: string }> };
+  return JSON.parse(r.content[0].text) as Record<string, unknown>;
+}
+
+function isError(result: unknown): boolean {
+  return (result as { isError?: boolean }).isError === true;
+}
+
+// ── XML fixtures ──────────────────────────────────────────────────────────────
+
+const G = {
+  tc1: '550e8400-e29b-41d4-a716-446655440001',
+  tc2: '550e8400-e29b-41d4-a716-446655440002',
+  s1:  '550e8400-e29b-41d4-a716-446655440011',
+  s2:  '550e8400-e29b-41d4-a716-446655440012',
+};
+
+function makeXml(tcGuid: string, stepGuid: string, id: string): string {
+  return [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    `<testCase id="${id}" guid="${tcGuid}" registryId="${id}" name="${id}">`,
+    '  <steps>',
+    `    <apiCall guid="${stepGuid}" apiId="UiConnect" name="Connect" testItemId="1"/>`,
+    '  </steps>',
+    '</testCase>',
+  ].join('\n');
+}
+
+const TC_LOGIN  = { name: 'LoginTest.testcase',  xml_content: makeXml(G.tc1, G.s1, 'tc-001') };
+const TC_LOGOUT = { name: 'LogoutTest.testcase', xml_content: makeXml(G.tc2, G.s2, 'tc-002') };
+
+// Same test cases using the `xml` alias
+const TC_LOGIN_ALIAS  = { name: 'LoginTest.testcase',  xml: makeXml(G.tc1, G.s1, 'tc-001') };
+const TC_LOGOUT_ALIAS = { name: 'LogoutTest.testcase', xml: makeXml(G.tc2, G.s2, 'tc-002') };
+
+// ── Test setup ─────────────────────────────────────────────────────────────────
+
+let server: MockMcpServer;
+
+beforeEach(() => {
+  server = new MockMcpServer();
+  registerTestSuiteValidate(server as never);
+});
+
+// ── provar.testsuite.validate ─────────────────────────────────────────────────
+
+describe('provar.testsuite.validate', () => {
+  describe('happy path', () => {
+    it('returns a result (not an error) for a valid non-empty suite', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'AccountSuite',
+        test_cases: [TC_LOGIN, TC_LOGOUT],
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.ok('quality_score' in body, 'quality_score should be present');
+      assert.ok('violations' in body, 'violations should be present');
+    });
+
+    it('quality_score is between 0 and 100', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'AccountSuite',
+        test_cases: [TC_LOGIN, TC_LOGOUT],
+      });
+
+      const body = parseText(result);
+      const score = body['quality_score'] as number;
+      assert.ok(score >= 0 && score <= 100, `Expected 0-100, got ${score}`);
+    });
+
+    it('returns requestId in the response', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'MySuite',
+        test_cases: [TC_LOGIN],
+      });
+
+      const body = parseText(result);
+      assert.ok(typeof body['requestId'] === 'string' && body['requestId'].length > 0);
+    });
+
+    it('includes a summary object with totals', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'AccountSuite',
+        test_cases: [TC_LOGIN, TC_LOGOUT],
+      });
+
+      const body = parseText(result);
+      const summary = body['summary'] as Record<string, unknown>;
+      assert.ok(typeof summary['total_test_cases'] === 'number');
+      assert.ok(typeof summary['total_violations'] === 'number');
+    });
+  });
+
+  describe('SUITE-EMPTY-001 — empty suite', () => {
+    it('triggers SUITE-EMPTY-001 when suite has no test_cases and no child_suites', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'EmptySuite',
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      const violations = body['violations'] as Array<{ rule_id: string }>;
+      assert.ok(violations.some((v) => v.rule_id === 'SUITE-EMPTY-001'), 'Expected SUITE-EMPTY-001');
+    });
+
+    it('triggers SUITE-EMPTY-001 when test_cases is an empty array', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'EmptySuite',
+        test_cases: [],
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(violations.some((v) => v.rule_id === 'SUITE-EMPTY-001'), 'Expected SUITE-EMPTY-001');
+    });
+
+    it('does NOT trigger SUITE-EMPTY-001 when suite has test_cases', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'NonEmptySuite',
+        test_cases: [TC_LOGIN],
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(!violations.some((v) => v.rule_id === 'SUITE-EMPTY-001'), 'Did not expect SUITE-EMPTY-001');
+    });
+
+    it('does NOT trigger SUITE-EMPTY-001 when suite has child_suites', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'ParentSuite',
+        child_suites: [{ name: 'ChildSuite', test_cases: [TC_LOGIN] }],
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(!violations.some((v) => v.rule_id === 'SUITE-EMPTY-001'), 'Did not expect SUITE-EMPTY-001');
+    });
+  });
+
+  describe('SUITE-DUP-001 — duplicate test case names', () => {
+    it('triggers SUITE-DUP-001 when two test cases share the same name', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'DupSuite',
+        test_cases: [TC_LOGIN, { name: 'LoginTest.testcase', xml_content: makeXml(G.tc2, G.s2, 'tc-dup') }],
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(violations.some((v) => v.rule_id === 'SUITE-DUP-001'), 'Expected SUITE-DUP-001');
+    });
+
+    it('does NOT trigger SUITE-DUP-001 for distinct test case names', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'UniqSuite',
+        test_cases: [TC_LOGIN, TC_LOGOUT],
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(!violations.some((v) => v.rule_id === 'SUITE-DUP-001'), 'Did not expect SUITE-DUP-001');
+    });
+  });
+
+  describe('SUITE-DUP-002 — duplicate child suite names', () => {
+    it('triggers SUITE-DUP-002 when two child suites share the same name', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'ParentSuite',
+        child_suites: [
+          { name: 'ChildA', test_cases: [TC_LOGIN] },
+          { name: 'ChildA', test_cases: [TC_LOGOUT] },
+        ],
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(violations.some((v) => v.rule_id === 'SUITE-DUP-002'), 'Expected SUITE-DUP-002');
+    });
+  });
+
+  describe('SUITE-SIZE-001 — oversized suite (>75 test cases)', () => {
+    it('triggers SUITE-SIZE-001 when test_case_count exceeds 75', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'HugeSuite',
+        test_cases: [TC_LOGIN],
+        test_case_count: 76,
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(violations.some((v) => v.rule_id === 'SUITE-SIZE-001'), 'Expected SUITE-SIZE-001');
+    });
+
+    it('does NOT trigger SUITE-SIZE-001 when test_case_count is exactly 75', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'BoundarySuite',
+        test_cases: [TC_LOGIN],
+        test_case_count: 75,
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(!violations.some((v) => v.rule_id === 'SUITE-SIZE-001'), 'Did not expect SUITE-SIZE-001 at exactly 75');
+    });
+
+    it('triggers SUITE-SIZE-001 by counting test_cases when no explicit count provided', () => {
+      // Build 76 distinct test cases
+      const cases = Array.from({ length: 76 }, (_, i) => ({
+        name: `Test${i}.testcase`,
+        xml_content: makeXml(
+          `550e8400-e29b-41d4-a716-${String(i).padStart(12, '0')}`,
+          `550e8400-e29b-41d4-b716-${String(i).padStart(12, '0')}`,
+          `tc-${i}`
+        ),
+      }));
+
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'HugeSuite',
+        test_cases: cases,
+      });
+
+      const violations = (parseText(result)['violations'] as Array<{ rule_id: string }>);
+      assert.ok(violations.some((v) => v.rule_id === 'SUITE-SIZE-001'), 'Expected SUITE-SIZE-001 from counted cases');
+    });
+  });
+
+  describe('xml_content alias — xml field accepted', () => {
+    it('accepts xml field as alias for xml_content and validates correctly', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'AliasSuite',
+        test_cases: [TC_LOGIN_ALIAS, TC_LOGOUT_ALIAS],
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      assert.ok((body['quality_score'] as number) >= 0);
+      // Should have no empty-suite violation since TCs are present
+      const violations = body['violations'] as Array<{ rule_id: string }>;
+      assert.ok(!violations.some((v) => v.rule_id === 'SUITE-EMPTY-001'), 'xml alias should be accepted as valid content');
+    });
+  });
+
+  describe('child suites', () => {
+    it('validates nested child suites and includes them in test_suites', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'ParentSuite',
+        child_suites: [
+          { name: 'ChildA', test_cases: [TC_LOGIN] },
+          { name: 'ChildB', test_cases: [TC_LOGOUT] },
+        ],
+      });
+
+      assert.equal(isError(result), false);
+      const body = parseText(result);
+      const suites = body['test_suites'] as unknown[];
+      assert.equal(suites.length, 2);
+    });
+
+    it('quality_score reflects violations in child suites', () => {
+      // Parent with a child that is empty → SUITE-EMPTY-001 in child
+      const resultWithEmpty = server.call('provar.testsuite.validate', {
+        suite_name: 'ParentSuite',
+        child_suites: [{ name: 'EmptyChild', test_cases: [] }],
+      });
+      const resultHealthy = server.call('provar.testsuite.validate', {
+        suite_name: 'ParentSuite',
+        child_suites: [{ name: 'HealthyChild', test_cases: [TC_LOGIN] }],
+      });
+
+      const emptyScore   = (parseText(resultWithEmpty)  ['quality_score'] as number);
+      const healthyScore = (parseText(resultHealthy)['quality_score'] as number);
+      assert.ok(emptyScore <= healthyScore, `Empty-child score (${emptyScore}) should be <= healthy score (${healthyScore})`);
+    });
+  });
+
+  describe('quality_threshold', () => {
+    it('uses default threshold of 80 when not specified', () => {
+      // Just verify no error and score is present
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'ThresholdDefault',
+        test_cases: [TC_LOGIN],
+      });
+      assert.equal(isError(result), false);
+      assert.ok('quality_score' in parseText(result));
+    });
+
+    it('accepts a custom quality_threshold', () => {
+      const result = server.call('provar.testsuite.validate', {
+        suite_name: 'ThresholdCustom',
+        test_cases: [TC_LOGIN],
+        quality_threshold: 90,
+      });
+      assert.equal(isError(result), false);
+    });
+  });
+});
diff --git a/test/unit/services/projectValidation.test.ts b/test/unit/services/projectValidation.test.ts
new file mode 100644
index 00000000..3e56d51a
--- /dev/null
+++ b/test/unit/services/projectValidation.test.ts
@@ -0,0 +1,453 @@
+/*
+ * Copyright (c) 2024 Provar Limited.
+ * All rights reserved.
+ * Licensed under the BSD 3-Clause license.
+ * For full license text, see LICENSE.md file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/* eslint-disable camelcase */
+import { strict as assert } from 'node:assert';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { describe, it, afterEach } from 'mocha';
+import {
+  resolveProjectRoot,
+  readProjectContext,
+  resolveTestInstance,
+  toQualityTier,
+  toQualityGrade,
+  validateProjectFromPath,
+  ProjectValidationError,
+} from '../../../src/services/projectValidation.js';
+
+// ── Test fixtures ─────────────────────────────────────────────────────────────
+
+const VALID_TC_XML = (guid: string, stepGuid: string, id: string): string => `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="${id}" guid="${guid}" registryId="${id}" name="${id}">
+  <steps>
+    <apiCall guid="${stepGuid}" apiId="UiConnect" name="Connect" testItemId="1"/>
+  </steps>
+</testCase>`;
+
+const G = {
+  tc1: '550e8400-e29b-41d4-a716-446655440001',
+  tc2: '550e8400-e29b-41d4-a716-446655440002',
+  s1:  '550e8400-e29b-41d4-a716-446655440011',
+  s2:  '550e8400-e29b-41d4-a716-446655440012',
+};
+
+const TESTPROJECT_XML = `<?xml version="1.0" encoding="UTF-8"?>
+<testProject>
+  <environment name="Dev" url="https://dev.example.com"/>
+  <environment name="UAT" url="https://uat.example.com"/>
+  <connection name="SalesforceOrg" type="salesforce"/>
+  <secureStoragePath>.secrets</secureStoragePath>
+</testProject>`;
+
+// ── Temp dir helpers ──────────────────────────────────────────────────────────
+
+const tempDirs: string[] = [];
+
+function mktemp(): string {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pvx-test-'));
+  tempDirs.push(dir);
+  return dir;
+}
+
+function writeFile(p: string, content: string): void {
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, content, 'utf-8');
+}
+
+/** Build a minimal valid Provar project in a temp directory */
+function makeProject(root: string, planName = 'smoke', tcName = 'Login'): void {
+  // .testproject
+  writeFile(path.join(root, '.testproject'), TESTPROJECT_XML);
+
+  // tests/<tcName>.testcase
+  const tcPath = path.join(root, 'tests', `${tcName}.testcase`);
+  writeFile(tcPath, VALID_TC_XML(G.tc1, G.s1, `tc-${tcName.toLowerCase()}`));
+
+  // plans/<planName>/<tcName>.testinstance
+  const instancePath = path.join(root, 'plans', planName, `${tcName}.testinstance`);
+  writeFile(instancePath, `testCasePath="tests/${tcName}.testcase"\n`);
+}
+
+// ── Cleanup ───────────────────────────────────────────────────────────────────
+
+afterEach(() => {
+  for (const dir of tempDirs.splice(0)) {
+    try { fs.rmSync(dir, { recursive: true, force: true }); } catch { /* skip */ }
+  }
+});
+
+// ── resolveProjectRoot ────────────────────────────────────────────────────────
+
+describe('resolveProjectRoot', () => {
+  it('returns given path when .testproject is present at root', () => {
+    const root = mktemp();
+    writeFile(path.join(root, '.testproject'), '<testProject/>');
+    const result = resolveProjectRoot(root);
+    assert.equal(result.root, root);
+    assert.deepEqual(result.candidates, []);
+  });
+
+  it('returns the single subdirectory that has .testproject', () => {
+    const workspace = mktemp();
+    const project = path.join(workspace, 'MyProject');
+    fs.mkdirSync(project);
+    writeFile(path.join(project, '.testproject'), '<testProject/>');
+    const result = resolveProjectRoot(workspace);
+    assert.equal(result.root, project);
+    assert.deepEqual(result.candidates, []);
+  });
+
+  it('returns all candidates when multiple subdirectories have .testproject', () => {
+    const workspace = mktemp();
+    const p1 = path.join(workspace, 'ProjectA');
+    const p2 = path.join(workspace, 'ProjectB');
+    fs.mkdirSync(p1);
+    fs.mkdirSync(p2);
+    writeFile(path.join(p1, '.testproject'), '<testProject/>');
+    writeFile(path.join(p2, '.testproject'), '<testProject/>');
+    const result = resolveProjectRoot(workspace);
+    assert.equal(result.root, workspace);
+    assert.equal(result.candidates.length, 2);
+    assert.ok(result.candidates.includes(p1));
+    assert.ok(result.candidates.includes(p2));
+  });
+
+  it('returns given path with empty candidates when no .testproject found anywhere', () => {
+    const root = mktemp();
+    fs.mkdirSync(path.join(root, 'somedir'));
+    const result = resolveProjectRoot(root);
+    assert.equal(result.root, root);
+    assert.deepEqual(result.candidates, []);
+  });
+});
+
+// ── readProjectContext ────────────────────────────────────────────────────────
+
+describe('readProjectContext', () => {
+  it('returns empty context when no .testproject file exists', () => {
+    const root = mktemp();
+    const { projectName, context } = readProjectContext(root);
+    assert.equal(projectName, path.basename(root));
+    assert.deepEqual(context, {});
+  });
+
+  it('extracts environments and connections from .testproject', () => {
+    const root = mktemp();
+    writeFile(path.join(root, '.testproject'), TESTPROJECT_XML);
+    const { projectName, context } = readProjectContext(root);
+    assert.equal(projectName, path.basename(root));
+    assert.deepEqual(context.environments, ['Dev', 'UAT']);
+    assert.deepEqual(context.connection_names, ['SalesforceOrg']);
+  });
+
+  it('returns empty context when .testproject is unreadable (graceful degradation)', () => {
+    const root = mktemp();
+    const tpPath = path.join(root, '.testproject');
+    writeFile(tpPath, TESTPROJECT_XML);
+    // Make the file unreadable on non-Windows (on Windows file locking is different)
+    try {
+      fs.chmodSync(tpPath, 0o000);
+      const { context } = readProjectContext(root);
+      assert.deepEqual(context, {});
+    } catch {
+      // If chmod doesn't work (Windows), skip the test body — graceful skip
+    } finally {
+      try { fs.chmodSync(tpPath, 0o644); } catch { /* skip */ }
+    }
+  });
+
+  it('detects encrypted and unencrypted secrets in .secrets', () => {
+    const root = mktemp();
+    writeFile(path.join(root, '.testproject'), TESTPROJECT_XML);
+    // 2 unencrypted values, 1 encrypted, 1 encryptor check line
+    writeFile(path.join(root, '.secrets'),
+      'Encryptor.check=ENC1(abc123)\n' +
+      'password=plaintext\n' +
+      'apiKey=ENC1(encrypted)\n' +
+      'token=another_plaintext\n'
+    );
+    const { context } = readProjectContext(root);
+    assert.equal(context.secretsPasswordSet, true);
+    assert.equal(context.unencrypted_secret_count, 2);
+  });
+});
+
+// ── resolveTestInstance ───────────────────────────────────────────────────────
+
+describe('resolveTestInstance', () => {
+  it('returns TestCaseInput with xml_content for a valid .testinstance', () => {
+    const root = mktemp();
+    const tcPath = path.join(root, 'tests', 'Login.testcase');
+    writeFile(tcPath, VALID_TC_XML(G.tc1, G.s1, 'tc-login'));
+    const instancePath = path.join(root, 'plans', 'smoke', 'Login.testinstance');
+    writeFile(instancePath, 'testCasePath="tests/Login.testcase"\n');
+    const result = resolveTestInstance(instancePath, root);
+    assert.ok(result !== null);
+    assert.equal(result.name, 'Login');
+    assert.ok(result.xml_content?.includes('<testCase'));
+  });
+
+  it('returns null when testCasePath attribute is missing', () => {
+    const root = mktemp();
+    const instancePath = path.join(root, 'plans', 'smoke', 'Bad.testinstance');
+    writeFile(instancePath, 'someOtherAttr="value"\n');
+    const result = resolveTestInstance(instancePath, root);
+    assert.equal(result, null);
+  });
+
+  it('returns TestCaseInput with undefined xml_content when testcase file is missing from disk', () => {
+    const root = mktemp();
+    const instancePath = path.join(root, 'plans', 'smoke', 'Missing.testinstance');
+    writeFile(instancePath, 'testCasePath="tests/Missing.testcase"\n');
+    const result = resolveTestInstance(instancePath, root);
+    assert.ok(result !== null);
+    assert.equal(result.name, 'Missing');
+    assert.equal(result.xml_content, undefined);
+  });
+
+  it('does not read files outside the project root (path bounds check)', () => {
+    const root = mktemp();
+    const outsideFile = mktemp();
+    // Write something recognizable to the outside file
+    writeFile(path.join(outsideFile, 'secret.txt'), 'should-not-appear');
+    const instancePath = path.join(root, 'plans', 'smoke', 'Escape.testinstance');
+    // Absolute path pointing outside the project
+    writeFile(instancePath, `testCasePath="${path.join(outsideFile, 'secret.txt')}"\n`);
+    const result = resolveTestInstance(instancePath, root);
+    // Name is derived from path.basename, but xml_content must be undefined (bounds check)
+    if (result !== null) {
+      assert.equal(result.xml_content, undefined, 'xml_content must be undefined for out-of-bounds path');
+    }
+  });
+});
+
+// ── toQualityTier + toQualityGrade ────────────────────────────────────────────
+
+describe('toQualityTier', () => {
+  it('returns S for score >= 95', () => { assert.equal(toQualityTier(100), 'S'); assert.equal(toQualityTier(95), 'S'); });
+  it('returns A for score 85-94', () => { assert.equal(toQualityTier(90), 'A'); assert.equal(toQualityTier(85), 'A'); });
+  it('returns B for score 75-84', () => { assert.equal(toQualityTier(80), 'B'); assert.equal(toQualityTier(75), 'B'); });
+  it('returns C for score 65-74', () => { assert.equal(toQualityTier(70), 'C'); assert.equal(toQualityTier(65), 'C'); });
+  it('returns D for score < 65',  () => { assert.equal(toQualityTier(64), 'D'); assert.equal(toQualityTier(0), 'D'); });
+});
+
+describe('toQualityGrade', () => {
+  it('returns Excellent for score >= 95', () => { assert.equal(toQualityGrade(100), 'Excellent'); assert.equal(toQualityGrade(95), 'Excellent'); });
+  it('returns Great for score 90-94',     () => { assert.equal(toQualityGrade(90), 'Great'); assert.equal(toQualityGrade(92), 'Great'); });
+  it('returns Good for score 80-89',      () => { assert.equal(toQualityGrade(80), 'Good'); assert.equal(toQualityGrade(85), 'Good'); });
+  it('returns Fair for score 70-79',      () => { assert.equal(toQualityGrade(70), 'Fair'); assert.equal(toQualityGrade(75), 'Fair'); });
+  it('returns Poor for score < 70',       () => { assert.equal(toQualityGrade(69), 'Poor'); assert.equal(toQualityGrade(0), 'Poor'); });
+});
+
+// ── validateProjectFromPath ───────────────────────────────────────────────────
+
+describe('validateProjectFromPath', () => {
+  it('throws PATH_NOT_FOUND for a path that does not exist', () => {
+    assert.throws(
+      () => validateProjectFromPath({ project_path: '/nonexistent/path/abc' }),
+      (err: unknown) => {
+        assert.ok(err instanceof ProjectValidationError);
+        assert.equal(err.code, 'PATH_NOT_FOUND');
+        return true;
+      }
+    );
+  });
+
+  it('throws AMBIGUOUS_PROJECT when multiple projects are found', () => {
+    const workspace = mktemp();
+    fs.mkdirSync(path.join(workspace, 'ProjectA'));
+    fs.mkdirSync(path.join(workspace, 'ProjectB'));
+    writeFile(path.join(workspace, 'ProjectA', '.testproject'), '<testProject/>');
+    writeFile(path.join(workspace, 'ProjectB', '.testproject'), '<testProject/>');
+    assert.throws(
+      () => validateProjectFromPath({ project_path: workspace, save_results: false }),
+      (err: unknown) => {
+        assert.ok(err instanceof ProjectValidationError);
+        assert.equal(err.code, 'AMBIGUOUS_PROJECT');
+        return true;
+      }
+    );
+  });
+
+  it('throws NOT_A_PROJECT when directory has no .testproject file', () => {
+    const root = mktemp();
+    fs.mkdirSync(path.join(root, 'somedir'));
+    assert.throws(
+      () => validateProjectFromPath({ project_path: root, save_results: false }),
+      (err: unknown) => {
+        assert.ok(err instanceof ProjectValidationError);
+        assert.equal(err.code, 'NOT_A_PROJECT');
+        return true;
+      }
+    );
+  });
+
+  it('throws NOT_A_PROJECT even when plans/ exists but .testproject is absent', () => {
+    const root = mktemp();
+    fs.mkdirSync(path.join(root, 'plans', 'smoke'), { recursive: true });
+    assert.throws(
+      () => validateProjectFromPath({ project_path: root, save_results: false }),
+      (err: unknown) => {
+        assert.ok(err instanceof ProjectValidationError);
+        assert.equal(err.code, 'NOT_A_PROJECT');
+        return true;
+      }
+    );
+  });
+
+  it('returns a valid result for a minimal project (happy path)', () => {
+    const root = mktemp();
+    makeProject(root);
+    const result = validateProjectFromPath({ project_path: root, save_results: false });
+    assert.equal(result.project_path, root);
+    assert.ok(typeof result.quality_score === 'number');
+    assert.ok(result.quality_score >= 0 && result.quality_score <= 100);
+    assert.ok(typeof result.project_name === 'string');
+    assert.ok(Array.isArray(result.plans));
+    assert.ok(result.coverage.total_test_cases_on_disk >= 0);
+    assert.equal(result.saved_to, null);
+  });
+
+  it('saves results to the default location when save_results is true', () => {
+    const root = mktemp();
+    makeProject(root);
+    const result = validateProjectFromPath({ project_path: root, save_results: true });
+    assert.ok(result.saved_to !== null);
+    const fullPath = path.join(root, result.saved_to);
+    assert.ok(fs.existsSync(fullPath), `Expected file at ${fullPath}`);
+    const saved = JSON.parse(fs.readFileSync(fullPath, 'utf-8')) as Record<string, unknown>;
+    assert.ok(saved.reportInfo);
+    assert.ok(saved.summary);
+  });
+
+  it('does not create a results file when save_results is false', () => {
+    const root = mktemp();
+    makeProject(root);
+    const result = validateProjectFromPath({ project_path: root, save_results: false });
+    assert.equal(result.saved_to, null);
+    const validationDir = path.join(root, 'provardx', 'validation');
+    assert.ok(!fs.existsSync(validationDir), 'Expected no provardx/validation/ directory');
+  });
+
+  it('saves to a custom results_dir when provided', () => {
+    const root = mktemp();
+    const reportsDir = mktemp();
+    makeProject(root);
+    const result = validateProjectFromPath({
+      project_path: root,
+      save_results: true,
+      results_dir: reportsDir,
+    });
+    assert.ok(result.saved_to !== null);
+    // When results_dir is specified, saved_to is relative to projectPath — verify the file exists at reportsDir
+    const files = fs.readdirSync(reportsDir);
+    assert.equal(files.length, 1);
+    assert.ok(files[0].endsWith('.json'));
+  });
+
+  it('auto-detects project root when given a workspace directory', () => {
+    const workspace = mktemp();
+    const project = path.join(workspace, 'MyProject');
+    fs.mkdirSync(project);
+    makeProject(project);
+    const result = validateProjectFromPath({ project_path: workspace, save_results: false });
+    assert.equal(result.project_path, project);
+    assert.equal(result.project_name, 'MyProject');
+  });
+
+  it('coverage counts reflect covered and uncovered test cases', () => {
+    const root = mktemp();
+    makeProject(root);
+    // Add an extra test case not referenced by any plan
+    writeFile(path.join(root, 'tests', 'Orphan.testcase'), VALID_TC_XML(G.tc2, G.s2, 'tc-orphan'));
+    const result = validateProjectFromPath({ project_path: root, save_results: false });
+    assert.equal(result.coverage.covered_by_plans, 1);
+    assert.equal(result.coverage.uncovered_count, 1);
+    assert.ok(result.coverage.uncovered_test_cases.some((p) => p.includes('Orphan')));
+    assert.equal(result.coverage.total_test_cases_on_disk, 2);
+    // covered + uncovered must always sum to total
+    assert.equal(result.coverage.covered_by_plans + result.coverage.uncovered_count, result.coverage.total_test_cases_on_disk);
+  });
+
+  it('coverage: UUID-based match marks test as covered when testCasePath is absent but testCaseId matches registryId', () => {
+    const root = mktemp();
+    // .testproject
+    writeFile(path.join(root, '.testproject'), TESTPROJECT_XML);
+    // Test case with a known registryId on disk
+    const callableRegId = '550e8400-e29b-41d4-a716-aabbccdd0001';
+    const tcXml = `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="tc-uuidtest" guid="${G.tc1}" registryId="${callableRegId}" name="UuidTest">
+  <steps><apiCall guid="${G.s1}" apiId="UiConnect" name="Connect" testItemId="1"/></steps>
+</testCase>`;
+    writeFile(path.join(root, 'tests', 'UuidTest.testcase'), tcXml);
+    // .testinstance referencing by testCaseId only (testCasePath present but deliberately wrong path separator)
+    // We simulate a mismatch by omitting testCasePath and relying solely on testCaseId
+    writeFile(
+      path.join(root, 'plans', 'smoke', 'UuidTest.testinstance'),
+      `testCaseId="${callableRegId}"\n`  // no testCasePath — UUID fallback must cover it
+    );
+    const result = validateProjectFromPath({ project_path: root, save_results: false });
+    assert.equal(result.coverage.covered_by_plans, 1, 'UUID-based match should count UuidTest as covered');
+    assert.equal(result.coverage.uncovered_count, 0);
+  });
+
+  it('coverage: callable test (no testinstance) does NOT suppress uncovered count', () => {
+    const root = mktemp();
+    makeProject(root);
+    // Add a callable test (visibility Internal, no testinstance)
+    const callableXml = `<?xml version="1.0" encoding="UTF-8"?>
+<testCase id="tc-callable" guid="${G.tc2}" registryId="tc-callable" name="CreateQuote" visibility="Internal">
+  <steps><apiCall guid="${G.s2}" apiId="UiConnect" name="Connect" testItemId="1"/></steps>
+</testCase>`;
+    writeFile(path.join(root, 'tests', 'Callable', 'CreateQuote.testcase'), callableXml);
+    const result = validateProjectFromPath({ project_path: root, save_results: false });
+    // Login is covered; CreateQuote is not referenced by any plan (it's callable)
+    assert.equal(result.coverage.covered_by_plans, 1);
+    assert.equal(result.coverage.uncovered_count, 1);
+    assert.ok(result.coverage.uncovered_test_cases.some((p) => p.includes('CreateQuote')));
+  });
+
+  it('returns save_error when results directory is not writable', () => {
+    const root = mktemp();
+    makeProject(root);
+    // Use a path that cannot be created as a directory (a file path used as dir)
+    const blockedDir = path.join(root, 'tests', 'Login.testcase', 'subdir');
+    const result = validateProjectFromPath({ project_path: root, save_results: true, results_dir: blockedDir });
+    assert.equal(result.saved_to, null);
+    assert.ok(typeof result.save_error === 'string');
+    assert.ok(result.save_error.length > 0);
+  });
+});
+
+// ── buildQhReport ─────────────────────────────────────────────────────────────
+
+describe('buildQhReport', () => {
+  it('returns a report with expected top-level structure', () => {
+    const root = mktemp();
+    makeProject(root);
+    // We need a ProjectResult to call buildQhReport — run a full validation first
+    const result = validateProjectFromPath({ project_path: root, save_results: false });
+    // The saved report has the QH structure — verify by re-running with save_results: true
+    const withSave = validateProjectFromPath({ project_path: root, save_results: true });
+    assert.ok(withSave.saved_to !== null);
+    const report = JSON.parse(
+      fs.readFileSync(path.join(root, withSave.saved_to), 'utf-8')
+    ) as Record<string, unknown>;
+    assert.ok(report.reportInfo, 'missing reportInfo');
+    assert.ok(report.summary, 'missing summary');
+    assert.ok(report.context, 'missing context');
+    assert.ok(Array.isArray(report.sections), 'sections must be an array');
+    const summary = report.summary as Record<string, unknown>;
+    assert.ok(typeof summary.qualityScore === 'number');
+    assert.ok(typeof summary.qualityGrade === 'string');
+    assert.ok(typeof summary.totalViolations === 'number');
+    // Coverage from the main result must match expectations
+    assert.equal(result.coverage.covered_by_plans, 1);
+  });
+});
diff --git a/yarn.lock b/yarn.lock
index d7552287..efba173a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -672,17 +672,9 @@
     "@smithy/types" "^2.9.1"
     tslib "^2.5.0"
 
-"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.18.6":
-  version "7.22.13"
-  resolved "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.22.13.tgz"
-  integrity sha512-XktuhWlJ5g+3TJXc5upd9Ks1HutSArik6jf2eAjYFyIOf4ej3RN+184cZbzDvbPnuTJIUhPKKJE3cIsYTiAT3w==
-  dependencies:
-    "@babel/highlight" "^7.22.13"
-    chalk "^2.4.2"
-
-"@babel/code-frame@^7.24.6":
+"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.18.6", "@babel/code-frame@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.24.6.tgz#ab88da19344445c3d8889af2216606d3329f3ef2"
+  resolved "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.24.6.tgz"
   integrity sha512-ZJhac6FkEd1yhG2AHOmfcXG4ceoLltoCVJjN5XsWN9BifBQr+cHJbWi0h68HZuSORq+3WtJ2z0hwF2NG1b5kcA==
   dependencies:
     "@babel/highlight" "^7.24.6"
@@ -714,18 +706,9 @@
     json5 "^2.2.1"
     semver "^6.3.0"
 
-"@babel/generator@^7.19.0":
-  version "7.19.0"
-  resolved "https://registry.npmjs.org/@babel/generator/-/generator-7.19.0.tgz"
-  integrity sha512-S1ahxf1gZ2dpoiFgA+ohK9DIpz50bJ0CWs7Zlzb54Z4sG8qmdIrGrVqmy1sAtTVRb+9CU6U8VqT9L0Zj7hxHVg==
-  dependencies:
-    "@babel/types" "^7.19.0"
-    "@jridgewell/gen-mapping" "^0.3.2"
-    jsesc "^2.5.1"
-
-"@babel/generator@^7.24.6":
+"@babel/generator@^7.19.0", "@babel/generator@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.24.6.tgz#dfac82a228582a9d30c959fe50ad28951d4737a7"
+  resolved "https://registry.npmjs.org/@babel/generator/-/generator-7.24.6.tgz"
   integrity sha512-S7m4eNa6YAPJRHmKsLHIDJhNAGNKoWNiWefz1MBbpnt8g9lvMDl1hir4P9bo/57bQEmuwEhnRU/AMWsD0G/Fbg==
   dependencies:
     "@babel/types" "^7.24.6"
@@ -743,19 +726,14 @@
     browserslist "^4.21.3"
     semver "^6.3.0"
 
-"@babel/helper-environment-visitor@^7.18.9":
-  version "7.18.9"
-  resolved "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.18.9.tgz"
-  integrity sha512-3r/aACDJ3fhQ/EVgFy0hpj8oHyHpQc+LPtJoY9SzTThAsStm4Ptegq92vqKoE3vD706ZVFWITnMnxucw+S9Ipg==
-
-"@babel/helper-environment-visitor@^7.24.6":
+"@babel/helper-environment-visitor@^7.18.9", "@babel/helper-environment-visitor@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/helper-environment-visitor/-/helper-environment-visitor-7.24.6.tgz#ac7ad5517821641550f6698dd5468f8cef78620d"
+  resolved "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.24.6.tgz"
   integrity sha512-Y50Cg3k0LKLMjxdPjIl40SdJgMB85iXn27Vk/qbHZCFx/o5XO3PSnpi675h1KEmmDb6OFArfd5SCQEQ5Q4H88g==
 
 "@babel/helper-function-name@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/helper-function-name/-/helper-function-name-7.24.6.tgz#cebdd063386fdb95d511d84b117e51fc68fec0c8"
+  resolved "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.24.6.tgz"
   integrity sha512-xpeLqeeRkbxhnYimfr2PC+iA0Q7ljX/d1eZ9/inYbmfG2jpl8Lu3DyXvpOAnrS5kxkfOWJjioIMQsaMBXFI05w==
   dependencies:
     "@babel/template" "^7.24.6"
@@ -763,7 +741,7 @@
 
 "@babel/helper-hoist-variables@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/helper-hoist-variables/-/helper-hoist-variables-7.24.6.tgz#8a7ece8c26756826b6ffcdd0e3cf65de275af7f9"
+  resolved "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.24.6.tgz"
   integrity sha512-SF/EMrC3OD7dSta1bLJIlrsVxwtd0UpjRJqLno6125epQMJ/kyFmpTT4pbvPbdQHzCHg+biQ7Syo8lnDtbR+uA==
   dependencies:
     "@babel/types" "^7.24.6"
@@ -796,38 +774,21 @@
   dependencies:
     "@babel/types" "^7.18.6"
 
-"@babel/helper-split-export-declaration@^7.18.6":
-  version "7.18.6"
-  resolved "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.18.6.tgz"
-  integrity sha512-bde1etTx6ZyTmobl9LLMMQsaizFVZrquTEHOqKeQESMKo4PlObf+8+JA25ZsIpZhT/WEd39+vOdLXAFG/nELpA==
-  dependencies:
-    "@babel/types" "^7.18.6"
-
-"@babel/helper-split-export-declaration@^7.24.6":
+"@babel/helper-split-export-declaration@^7.18.6", "@babel/helper-split-export-declaration@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.24.6.tgz#e830068f7ba8861c53b7421c284da30ae656d7a3"
+  resolved "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.24.6.tgz"
   integrity sha512-CvLSkwXGWnYlF9+J3iZUvwgAxKiYzK3BWuo+mLzD/MDGOZDj7Gq8+hqaOkMxmJwmlv0iu86uH5fdADd9Hxkymw==
   dependencies:
     "@babel/types" "^7.24.6"
 
-"@babel/helper-string-parser@^7.18.10":
-  version "7.18.10"
-  resolved "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.18.10.tgz"
-  integrity sha512-XtIfWmeNY3i4t7t4D2t02q50HvqHybPqW2ki1kosnvWCwuCMeo81Jf0gwr85jy/neUdg5XDdeFE/80DXiO+njw==
-
 "@babel/helper-string-parser@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/helper-string-parser/-/helper-string-parser-7.24.6.tgz#28583c28b15f2a3339cfafafeaad42f9a0e828df"
+  resolved "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.24.6.tgz"
   integrity sha512-WdJjwMEkmBicq5T9fm/cHND3+UlFa2Yj8ALLgmoSQAJZysYbBjw+azChSGPN4DSPLXOcooGRvDwZWMcF/mLO2Q==
 
-"@babel/helper-validator-identifier@^7.18.6", "@babel/helper-validator-identifier@^7.22.20":
-  version "7.22.20"
-  resolved "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz"
-  integrity sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==
-
-"@babel/helper-validator-identifier@^7.24.6":
+"@babel/helper-validator-identifier@^7.18.6", "@babel/helper-validator-identifier@^7.22.20", "@babel/helper-validator-identifier@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/helper-validator-identifier/-/helper-validator-identifier-7.24.6.tgz#08bb6612b11bdec78f3feed3db196da682454a5e"
+  resolved "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.24.6.tgz"
   integrity sha512-4yA7s865JHaqUdRbnaxarZREuPTHrjpDT+pXoAZ1yhyo6uFnIEpS8VMu16siFOHDpZNKYv5BObhsB//ycbICyw==
 
 "@babel/helper-validator-option@^7.18.6":
@@ -844,18 +805,9 @@
     "@babel/traverse" "^7.19.0"
     "@babel/types" "^7.19.0"
 
-"@babel/highlight@^7.22.13":
-  version "7.22.20"
-  resolved "https://registry.npmjs.org/@babel/highlight/-/highlight-7.22.20.tgz"
-  integrity sha512-dkdMCN3py0+ksCgYmGG8jKeGA/8Tk+gJwSYYlFGxG5lmhfKNoAy004YpLxpS1W2J8m/EK2Ew+yOs9pVRwO89mg==
-  dependencies:
-    "@babel/helper-validator-identifier" "^7.22.20"
-    chalk "^2.4.2"
-    js-tokens "^4.0.0"
-
 "@babel/highlight@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/highlight/-/highlight-7.24.6.tgz#6d610c1ebd2c6e061cade0153bf69b0590b7b3df"
+  resolved "https://registry.npmjs.org/@babel/highlight/-/highlight-7.24.6.tgz"
   integrity sha512-2YnuOp4HAk2BsBrJJvYCbItHx0zWscI1C3zgWkz+wDyD9I7GIVrfnLyrR4Y1VR+7p+chAEcrgRQYZAGIKMV7vQ==
   dependencies:
     "@babel/helper-validator-identifier" "^7.24.6"
@@ -863,14 +815,9 @@
     js-tokens "^4.0.0"
     picocolors "^1.0.0"
 
-"@babel/parser@^7.18.10", "@babel/parser@^7.19.1":
-  version "7.19.1"
-  resolved "https://registry.npmjs.org/@babel/parser/-/parser-7.19.1.tgz"
-  integrity sha512-h7RCSorm1DdTVGJf3P2Mhj3kdnkmF/EiysUkzS2TdgAYqyjFdMQJbVuXOBej2SBJaXan/lIVtT6KkGbyyq753A==
-
-"@babel/parser@^7.24.6":
+"@babel/parser@^7.19.1", "@babel/parser@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.24.6.tgz#5e030f440c3c6c78d195528c3b688b101a365328"
+  resolved "https://registry.npmjs.org/@babel/parser/-/parser-7.24.6.tgz"
   integrity sha512-eNZXdfU35nJC2h24RznROuOpO94h6x8sg9ju0tT9biNtLZ2vuP8SduLqqV+/8+cebSLV9SJEAN5Z3zQbJG/M+Q==
 
 "@babel/runtime-corejs3@^7.12.5":
@@ -888,18 +835,9 @@
   dependencies:
     regenerator-runtime "^0.14.0"
 
-"@babel/template@^7.18.10":
-  version "7.18.10"
-  resolved "https://registry.npmjs.org/@babel/template/-/template-7.18.10.tgz"
-  integrity sha512-TI+rCtooWHr3QJ27kJxfjutghu44DLnasDMwpDqCXVTal9RLp3RSYNh4NdBrRP2cQAoG9A8juOQl6P6oZG4JxA==
-  dependencies:
-    "@babel/code-frame" "^7.18.6"
-    "@babel/parser" "^7.18.10"
-    "@babel/types" "^7.18.10"
-
-"@babel/template@^7.24.6":
+"@babel/template@^7.18.10", "@babel/template@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/template/-/template-7.24.6.tgz#048c347b2787a6072b24c723664c8d02b67a44f9"
+  resolved "https://registry.npmjs.org/@babel/template/-/template-7.24.6.tgz"
   integrity sha512-3vgazJlLwNXi9jhrR1ef8qiB65L1RK90+lEQwv4OxveHnqC3BfmnHdgySwRLzf6akhlOYenT+b7AfWq+a//AHw==
   dependencies:
     "@babel/code-frame" "^7.24.6"
@@ -908,7 +846,7 @@
 
 "@babel/traverse@^7.19.0", "@babel/traverse@^7.19.1":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.24.6.tgz#0941ec50cdeaeacad0911eb67ae227a4f8424edc"
+  resolved "https://registry.npmjs.org/@babel/traverse/-/traverse-7.24.6.tgz"
   integrity sha512-OsNjaJwT9Zn8ozxcfoBc+RaHdj3gFmCmYoQLUII1o6ZrUwku0BMg80FoOTPx+Gi6XhcQxAYE4xyjPTo4SxEQqw==
   dependencies:
     "@babel/code-frame" "^7.24.6"
@@ -922,18 +860,9 @@
     debug "^4.3.1"
     globals "^11.1.0"
 
-"@babel/types@^7.18.10", "@babel/types@^7.18.6", "@babel/types@^7.19.0":
-  version "7.19.0"
-  resolved "https://registry.npmjs.org/@babel/types/-/types-7.19.0.tgz"
-  integrity sha512-YuGopBq3ke25BVSiS6fgF49Ul9gH1x70Bcr6bqRLjWCkcX8Hre1/5+z+IiWOIerRMSSEfGZVB9z9kyq7wVs9YA==
-  dependencies:
-    "@babel/helper-string-parser" "^7.18.10"
-    "@babel/helper-validator-identifier" "^7.18.6"
-    to-fast-properties "^2.0.0"
-
-"@babel/types@^7.24.6":
+"@babel/types@^7.18.6", "@babel/types@^7.19.0", "@babel/types@^7.24.6":
   version "7.24.6"
-  resolved "https://registry.yarnpkg.com/@babel/types/-/types-7.24.6.tgz#ba4e1f59870c10dc2fa95a274ac4feec23b21912"
+  resolved "https://registry.npmjs.org/@babel/types/-/types-7.24.6.tgz"
   integrity sha512-WaMsgi6Q8zMgMth93GvWPXkhAIEobfsIkLTacoVZoK1J0CevIPGYY2Vo5YvJGqyHqXM6P4ppOYGsIRU8MM9pFQ==
   dependencies:
     "@babel/helper-string-parser" "^7.24.6"
@@ -1154,6 +1083,11 @@
   resolved "https://registry.npmjs.org/@gar/promisify/-/promisify-1.1.3.tgz"
   integrity sha512-k2Ty1JcVojjJFwrg/ThKi2ujJ7XNLYaFGNB/bWT9wGR+oSMJHMa5w+CUq6p/pVrKeNNgA7pCqEcjSnHVoqJQFw==
 
+"@hono/node-server@^1.19.9":
+  version "1.19.11"
+  resolved "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.11.tgz"
+  integrity sha512-dr8/3zEaB+p0D2n/IUrlPF1HZm586qgJNXK1a9fhg/PzdtkK7Ksd5l312tJX2yBuALqDYBlG20QEbayqPyxn+g==
+
 "@humanwhocodes/config-array@^0.11.13":
   version "0.11.13"
   resolved "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.13.tgz"
@@ -1182,6 +1116,14 @@
     "@inquirer/type" "^1.1.6"
     chalk "^4.1.2"
 
+"@inquirer/confirm@^3.1.9":
+  version "3.2.0"
+  resolved "https://registry.yarnpkg.com/@inquirer/confirm/-/confirm-3.2.0.tgz#6af1284670ea7c7d95e3f1253684cfbd7228ad6a"
+  integrity sha512-oOIwPs0Dvq5220Z8lGL/6LHRTEr9TgLHmiI99Rj1PJ1p1czTys+olrgBqZk4E2qC0YTzeHprxSQmoHioVdJ7Lw==
+  dependencies:
+    "@inquirer/core" "^9.1.0"
+    "@inquirer/type" "^1.5.3"
+
 "@inquirer/core@^6.0.0":
   version "6.0.0"
   resolved "https://registry.npmjs.org/@inquirer/core/-/core-6.0.0.tgz"
@@ -1202,6 +1144,29 @@
     strip-ansi "^6.0.1"
     wrap-ansi "^6.2.0"
 
+"@inquirer/core@^9.1.0":
+  version "9.2.1"
+  resolved "https://registry.yarnpkg.com/@inquirer/core/-/core-9.2.1.tgz#677c49dee399c9063f31e0c93f0f37bddc67add1"
+  integrity sha512-F2VBt7W/mwqEU4bL0RnHNZmC/OxzNx9cOYxHqnXX3MP6ruYvZUZAW9imgN9+h/uBT/oP8Gh888J2OZSbjSeWcg==
+  dependencies:
+    "@inquirer/figures" "^1.0.6"
+    "@inquirer/type" "^2.0.0"
+    "@types/mute-stream" "^0.0.4"
+    "@types/node" "^22.5.5"
+    "@types/wrap-ansi" "^3.0.0"
+    ansi-escapes "^4.3.2"
+    cli-width "^4.1.0"
+    mute-stream "^1.0.0"
+    signal-exit "^4.1.0"
+    strip-ansi "^6.0.1"
+    wrap-ansi "^6.2.0"
+    yoctocolors-cjs "^2.1.2"
+
+"@inquirer/figures@^1.0.6":
+  version "1.0.15"
+  resolved "https://registry.yarnpkg.com/@inquirer/figures/-/figures-1.0.15.tgz#dbb49ed80df11df74268023b496ac5d9acd22b3a"
+  integrity sha512-t2IEY+unGHOzAaVM5Xx6DEWKeXlDDcNPeDyUpsRc6CUhBfU3VQOEl+Vssh7VNp1dR8MdUJBWhuObjXCsVpjN5g==
+
 "@inquirer/password@^1.1.16":
   version "1.1.16"
   resolved "https://registry.npmjs.org/@inquirer/password/-/password-1.1.16.tgz"
@@ -1212,11 +1177,34 @@
     ansi-escapes "^4.3.2"
     chalk "^4.1.2"
 
+"@inquirer/password@^2.1.9":
+  version "2.2.0"
+  resolved "https://registry.yarnpkg.com/@inquirer/password/-/password-2.2.0.tgz#0b6f26336c259c8a9e5f5a3f2e1a761564f764ba"
+  integrity sha512-5otqIpgsPYIshqhgtEwSspBQE40etouR8VIxzpJkv9i0dVHIpyhiivbkH9/dGiMLdyamT54YRdGJLfl8TFnLHg==
+  dependencies:
+    "@inquirer/core" "^9.1.0"
+    "@inquirer/type" "^1.5.3"
+    ansi-escapes "^4.3.2"
+
 "@inquirer/type@^1.1.6":
   version "1.2.0"
   resolved "https://registry.npmjs.org/@inquirer/type/-/type-1.2.0.tgz"
   integrity sha512-/vvkUkYhrjbm+RolU7V1aUFDydZVKNKqKHR5TsE+j5DXgXFwrsOPcoGUJ02K0O7q7O53CU2DOTMYCHeGZ25WHA==
 
+"@inquirer/type@^1.5.3":
+  version "1.5.5"
+  resolved "https://registry.yarnpkg.com/@inquirer/type/-/type-1.5.5.tgz#303ea04ce7ad2e585b921b662b3be36ef7b4f09b"
+  integrity sha512-MzICLu4yS7V8AA61sANROZ9vT1H3ooca5dSmI1FjZkzq7o/koMsRfQSzRtFo+F3Ao4Sf1C0bpLKejpKB/+j6MA==
+  dependencies:
+    mute-stream "^1.0.0"
+
+"@inquirer/type@^2.0.0":
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/@inquirer/type/-/type-2.0.0.tgz#08fa513dca2cb6264fe1b0a2fabade051444e3f6"
+  integrity sha512-XvJRx+2KR3YXyYtPUUy+qd9i7p+GO9Ko6VIIpWlBrpWwXDv8WLFeHTxz35CfQFUiBMLXlGHhGzys7lqit9gWag==
+  dependencies:
+    mute-stream "^1.0.0"
+
 "@isaacs/cliui@^8.0.2":
   version "8.0.2"
   resolved "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz"
@@ -1258,42 +1246,23 @@
     "@jridgewell/set-array" "^1.0.0"
     "@jridgewell/sourcemap-codec" "^1.4.10"
 
-"@jridgewell/gen-mapping@^0.3.2":
-  version "0.3.2"
-  resolved "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.2.tgz"
-  integrity sha512-mh65xKQAzI6iBcFzwv28KVWSmCkdRBWoOh+bYQGW3+6OZvbbN3TqMGo5hqYxQniRcH9F2VZIoJCm4pa3BPDK/A==
-  dependencies:
-    "@jridgewell/set-array" "^1.0.1"
-    "@jridgewell/sourcemap-codec" "^1.4.10"
-    "@jridgewell/trace-mapping" "^0.3.9"
-
 "@jridgewell/gen-mapping@^0.3.5":
   version "0.3.5"
-  resolved "https://registry.yarnpkg.com/@jridgewell/gen-mapping/-/gen-mapping-0.3.5.tgz#dcce6aff74bdf6dad1a95802b69b04a2fcb1fb36"
+  resolved "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.5.tgz"
   integrity sha512-IzL8ZoEDIBRWEzlCcRhOaCupYyN5gdIK+Q6fbFdPDg6HqX6jpkItn7DFIpW9LQzXG6Df9sA7+OKnq0qlz/GaQg==
   dependencies:
     "@jridgewell/set-array" "^1.2.1"
     "@jridgewell/sourcemap-codec" "^1.4.10"
     "@jridgewell/trace-mapping" "^0.3.24"
 
-"@jridgewell/resolve-uri@^3.0.3":
-  version "3.1.1"
-  resolved "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.1.tgz"
-  integrity sha512-dSYZh7HhCDtCKm4QakX0xFpsRDqjjtZf/kjI/v3T3Nwt5r8/qz/M19F9ySyOqU94SXBmeG9ttTul+YnR4LOxFA==
-
-"@jridgewell/resolve-uri@^3.1.0":
+"@jridgewell/resolve-uri@^3.0.3", "@jridgewell/resolve-uri@^3.1.0":
   version "3.1.2"
-  resolved "https://registry.yarnpkg.com/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz#7a0ee601f60f99a20c7c7c5ff0c80388c1189bd6"
+  resolved "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz"
   integrity sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==
 
-"@jridgewell/set-array@^1.0.0", "@jridgewell/set-array@^1.0.1":
-  version "1.1.2"
-  resolved "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.1.2.tgz"
-  integrity sha512-xnkseuNADM0gt2bs+BvhO0p78Mk762YnZdsuzFV018NoG1Sj1SCQvpSqa7XUaTam5vAGasABV9qXASMKnFMwMw==
-
-"@jridgewell/set-array@^1.2.1":
+"@jridgewell/set-array@^1.0.0", "@jridgewell/set-array@^1.2.1":
   version "1.2.1"
-  resolved "https://registry.yarnpkg.com/@jridgewell/set-array/-/set-array-1.2.1.tgz#558fb6472ed16a4c850b889530e6b36438c49280"
+  resolved "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.2.1.tgz"
   integrity sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==
 
 "@jridgewell/sourcemap-codec@^1.4.10", "@jridgewell/sourcemap-codec@^1.4.14":
@@ -1309,22 +1278,14 @@
     "@jridgewell/resolve-uri" "^3.0.3"
     "@jridgewell/sourcemap-codec" "^1.4.10"
 
-"@jridgewell/trace-mapping@^0.3.24", "@jridgewell/trace-mapping@^0.3.25":
+"@jridgewell/trace-mapping@^0.3.24", "@jridgewell/trace-mapping@^0.3.25", "@jridgewell/trace-mapping@^0.3.9":
   version "0.3.25"
-  resolved "https://registry.yarnpkg.com/@jridgewell/trace-mapping/-/trace-mapping-0.3.25.tgz#15f190e98895f3fc23276ee14bc76b675c2e50f0"
+  resolved "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.25.tgz"
   integrity sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==
   dependencies:
     "@jridgewell/resolve-uri" "^3.1.0"
     "@jridgewell/sourcemap-codec" "^1.4.14"
 
-"@jridgewell/trace-mapping@^0.3.9":
-  version "0.3.15"
-  resolved "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.15.tgz"
-  integrity sha512-oWZNOULl+UbhsgB51uuZzglikfIKSUBO/M9W2OfEjn7cmqoAiCgmv9lyACTUacZwBz0ITnJ2NqjU8Tx0DHL88g==
-  dependencies:
-    "@jridgewell/resolve-uri" "^3.0.3"
-    "@jridgewell/sourcemap-codec" "^1.4.10"
-
 "@jsforce/jsforce-node@^3.2.0":
   version "3.2.0"
   resolved "https://registry.npmjs.org/@jsforce/jsforce-node/-/jsforce-node-3.2.0.tgz"
@@ -1345,6 +1306,29 @@
     strip-ansi "^6.0.0"
     xml2js "^0.6.2"
 
+"@modelcontextprotocol/sdk@^1.8.0":
+  version "1.27.1"
+  resolved "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.27.1.tgz"
+  integrity sha512-sr6GbP+4edBwFndLbM60gf07z0FQ79gaExpnsjMGePXqFcSSb7t6iscpjk9DhFhwd+mTEQrzNafGP8/iGGFYaA==
+  dependencies:
+    "@hono/node-server" "^1.19.9"
+    ajv "^8.17.1"
+    ajv-formats "^3.0.1"
+    content-type "^1.0.5"
+    cors "^2.8.5"
+    cross-spawn "^7.0.5"
+    eventsource "^3.0.2"
+    eventsource-parser "^3.0.0"
+    express "^5.2.1"
+    express-rate-limit "^8.2.1"
+    hono "^4.11.4"
+    jose "^6.1.3"
+    json-schema-typed "^8.0.2"
+    pkce-challenge "^5.0.0"
+    raw-body "^3.0.0"
+    zod "^3.25 || ^4.0"
+    zod-to-json-schema "^3.25.1"
+
 "@nodelib/fs.scandir@2.1.5":
   version "2.1.5"
   resolved "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz"
@@ -1632,6 +1616,40 @@
     wordwrap "^1.0.0"
     wrap-ansi "^7.0.0"
 
+"@oclif/core@^3.26.6", "@oclif/core@^3.27.0":
+  version "3.27.0"
+  resolved "https://registry.yarnpkg.com/@oclif/core/-/core-3.27.0.tgz#a22a4ff4e5811db7a182b1687302237a57802381"
+  integrity sha512-Fg93aNFvXzBq5L7ztVHFP2nYwWU1oTCq48G0TjF/qC1UN36KWa2H5Hsm72kERd5x/sjy2M2Tn4kDEorUlpXOlw==
+  dependencies:
+    "@types/cli-progress" "^3.11.5"
+    ansi-escapes "^4.3.2"
+    ansi-styles "^4.3.0"
+    cardinal "^2.1.1"
+    chalk "^4.1.2"
+    clean-stack "^3.0.1"
+    cli-progress "^3.12.0"
+    color "^4.2.3"
+    debug "^4.3.5"
+    ejs "^3.1.10"
+    get-package-type "^0.1.0"
+    globby "^11.1.0"
+    hyperlinker "^1.0.0"
+    indent-string "^4.0.0"
+    is-wsl "^2.2.0"
+    js-yaml "^3.14.1"
+    minimatch "^9.0.4"
+    natural-orderby "^2.0.3"
+    object-treeify "^1.1.33"
+    password-prompt "^1.1.3"
+    slice-ansi "^4.0.0"
+    string-width "^4.2.3"
+    strip-ansi "^6.0.1"
+    supports-color "^8.1.1"
+    supports-hyperlinks "^2.2.0"
+    widest-line "^3.1.0"
+    wordwrap "^1.0.0"
+    wrap-ansi "^7.0.0"
+
 "@oclif/linewrap@^1.0.0":
   version "1.0.0"
   resolved "https://registry.npmjs.org/@oclif/linewrap/-/linewrap-1.0.0.tgz"
@@ -1790,19 +1808,81 @@
   dependencies:
     "@octokit/openapi-types" "^12.11.0"
 
+"@oozcitak/dom@1.15.10":
+  version "1.15.10"
+  resolved "https://registry.npmjs.org/@oozcitak/dom/-/dom-1.15.10.tgz"
+  integrity sha512-0JT29/LaxVgRcGKvHmSrUTEvZ8BXvZhGl2LASRUgHqDTC1M5g1pLmVv56IYNyt3bG2CUjDkc67wnyZC14pbQrQ==
+  dependencies:
+    "@oozcitak/infra" "1.0.8"
+    "@oozcitak/url" "1.0.4"
+    "@oozcitak/util" "8.3.8"
+
+"@oozcitak/infra@1.0.8":
+  version "1.0.8"
+  resolved "https://registry.npmjs.org/@oozcitak/infra/-/infra-1.0.8.tgz"
+  integrity sha512-JRAUc9VR6IGHOL7OGF+yrvs0LO8SlqGnPAMqyzOuFZPSZSXI7Xf2O9+awQPSMXgIWGtgUf/dA6Hs6X6ySEaWTg==
+  dependencies:
+    "@oozcitak/util" "8.3.8"
+
+"@oozcitak/url@1.0.4":
+  version "1.0.4"
+  resolved "https://registry.npmjs.org/@oozcitak/url/-/url-1.0.4.tgz"
+  integrity sha512-kDcD8y+y3FCSOvnBI6HJgl00viO/nGbQoCINmQ0h98OhnGITrWR3bOGfwYCthgcrV8AnTJz8MzslTQbC3SOAmw==
+  dependencies:
+    "@oozcitak/infra" "1.0.8"
+    "@oozcitak/util" "8.3.8"
+
+"@oozcitak/util@8.3.8":
+  version "8.3.8"
+  resolved "https://registry.npmjs.org/@oozcitak/util/-/util-8.3.8.tgz"
+  integrity sha512-T8TbSnGsxo6TDBJx/Sgv/BlVJL3tshxZP7Aq5R1mSnM5OcHY2dQaxLMu2+E8u3gN0MLOzdjurqN4ZRVuzQycOQ==
+
+"@pinojs/redact@^0.4.0":
+  version "0.4.0"
+  resolved "https://registry.yarnpkg.com/@pinojs/redact/-/redact-0.4.0.tgz#c3de060dd12640dcc838516aa2a6803cc7b2e9d6"
+  integrity sha512-k2ENnmBugE/rzQfEcdWHcCY+/FM3VLzH9cYEsbdsoqrvzAKRhUZeRNhAZvB8OitQJ1TBed3yqWtdjzS6wJKBwg==
+
 "@pkgjs/parseargs@^0.11.0":
   version "0.11.0"
   resolved "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz"
   integrity sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==
 
-"@provartesting/provardx-plugins-utils@0.0.2-beta":
-  version "0.0.2-beta"
-  resolved "https://registry.npmjs.org/@provartesting/provardx-plugins-utils/-/provardx-plugins-utils-0.0.2-beta.tgz"
-  integrity sha512-UwBxqI0grO65jWz57Z5ffQZlYiu5T0T4wKCCQGxzHRpZJIG1mqIf/uCOSOd4BerkSgeoZJjRf7aTIa3F6H8qkg==
+"@provartesting/provardx-plugins-automation@1.2.2":
+  version "1.2.2"
+  resolved "https://registry.yarnpkg.com/@provartesting/provardx-plugins-automation/-/provardx-plugins-automation-1.2.2.tgz#db3c83a6449ea5d3dd0bb68fd72db77fd67ee1ee"
+  integrity sha512-HXCn85ZPXNDa4tUQYGUVpGjZNQPhbgBBiJ9P4NyTnpD0t2HZ+RbZlQUcmCw0P+HV9wxxHVJZNdT21xV6ICTbhA==
+  dependencies:
+    "@oclif/core" "^3.27.0"
+    "@provartesting/provardx-plugins-utils" "1.3.3"
+    "@salesforce/core" "^7.2.0"
+    "@salesforce/sf-plugins-core" "^9.1.1"
+    axios "^1.13.5"
+    xml-js "^1.6.11"
+
+"@provartesting/provardx-plugins-manager@1.3.2":
+  version "1.3.2"
+  resolved "https://registry.yarnpkg.com/@provartesting/provardx-plugins-manager/-/provardx-plugins-manager-1.3.2.tgz#bad2bebf2eb2ffed7928747288593faecf47f026"
+  integrity sha512-ZBreiTbzB7Ur+CAyKxN9dh00KCj5XuPRi2wSRooujmuRPHrDfLPZc/pNV+XEUjGHvwWXxRwF3KByvrxLSs28lQ==
   dependencies:
     "@oclif/core" "^3.26.2"
+    "@provartesting/provardx-plugins-utils" "1.3.3"
     "@salesforce/core" "^7.2.0"
+    "@salesforce/kit" "^3.2.2"
     "@salesforce/sf-plugins-core" "^9.0.1"
+    ansis "^3.3.2"
+    cli-ux "^6.0.9"
+    uuid "^10.0.0"
+    xml2js "^0.6.2"
+    xmlbuilder2 "^3.1.1"
+
+"@provartesting/provardx-plugins-utils@1.3.3":
+  version "1.3.3"
+  resolved "https://registry.yarnpkg.com/@provartesting/provardx-plugins-utils/-/provardx-plugins-utils-1.3.3.tgz#66b904c4edd70b10cabfb98e24d61ff2a18f18dc"
+  integrity sha512-+R4rWTy/aHJhykwev6iUCTOhW1hnkt1M/zOAk16SGdrOU9BWUBWTIU1jTLdLJeOTv8yGSoWrAfeTScSbwTL2mw==
+  dependencies:
+    "@oclif/core" "^3.27.0"
+    "@salesforce/core" "^7.2.0"
+    "@salesforce/sf-plugins-core" "^9.1.1"
     cli-ux "^6.0.9"
     jsonschema "^1.4.1"
     node-stream-zip "^1.15.0"
@@ -1869,6 +1949,30 @@
     semver "^7.6.0"
     ts-retry-promise "^0.7.1"
 
+"@salesforce/core@^7.3.9":
+  version "7.5.0"
+  resolved "https://registry.yarnpkg.com/@salesforce/core/-/core-7.5.0.tgz#cfa57281978c9d5df6f7419e5bc58ea914726cf5"
+  integrity sha512-mPg9Tj2Qqe/TY7q+CRNSeYYTV+dj/LflM7Fu/32EPLCEPGVIiSp/RaTFLTZwDcFX9BVYHOa2h6oliuO2Qnno+A==
+  dependencies:
+    "@jsforce/jsforce-node" "^3.2.0"
+    "@salesforce/kit" "^3.1.6"
+    "@salesforce/schemas" "^1.9.0"
+    "@salesforce/ts-types" "^2.0.10"
+    ajv "^8.15.0"
+    change-case "^4.1.2"
+    fast-levenshtein "^3.0.0"
+    faye "^1.4.0"
+    form-data "^4.0.0"
+    js2xmlparser "^4.0.1"
+    jsonwebtoken "9.0.2"
+    jszip "3.10.1"
+    pino "^9.2.0"
+    pino-abstract-transport "^1.2.0"
+    pino-pretty "^11.2.1"
+    proper-lockfile "^4.1.2"
+    semver "^7.6.2"
+    ts-retry-promise "^0.8.1"
+
 "@salesforce/dev-config@^4.1.0":
   version "4.1.0"
   resolved "https://registry.npmjs.org/@salesforce/dev-config/-/dev-config-4.1.0.tgz"
@@ -1906,13 +2010,19 @@
     typescript "^4.9.5"
     wireit "^0.14.1"
 
-"@salesforce/kit@^3.0.15", "@salesforce/kit@^3.1.0", "@salesforce/kit@^3.1.1":
-  version "3.1.1"
-  resolved "https://registry.npmjs.org/@salesforce/kit/-/kit-3.1.1.tgz"
-  integrity sha512-Cjkh+USp5PtdZmD30r1Y7d+USpIhQz9B48w76esBtYpgqzhyj806LHkVgEfmorLNq2Qe8EO5rtUYd+XZ3rnV9w==
+"@salesforce/kit@^3.0.15", "@salesforce/kit@^3.1.0", "@salesforce/kit@^3.1.1", "@salesforce/kit@^3.2.2":
+  version "3.2.4"
+  resolved "https://registry.npmjs.org/@salesforce/kit/-/kit-3.2.4.tgz"
+  integrity sha512-9buqZ2puIGWqjUFWYNroSeNih4d1s9kdQAzZfutr/Re/JMl6xBct0ATO5LVb1ty5UhdBruJrVaiTg03PqVKU+Q==
   dependencies:
-    "@salesforce/ts-types" "^2.0.9"
-    tslib "^2.6.2"
+    "@salesforce/ts-types" "^2.0.12"
+
+"@salesforce/kit@^3.1.2", "@salesforce/kit@^3.1.6":
+  version "3.2.6"
+  resolved "https://registry.yarnpkg.com/@salesforce/kit/-/kit-3.2.6.tgz#6a6c13b463b51694a43d61094af67171086ed4f5"
+  integrity sha512-O8S4LWerHa9Zosqh+IoQjgLtpxMOfObRxaRnUdRV4MLtFUi+bQxQiyFvve6eEaBaMP1b1xVDQpvSvQ+PXEDGFQ==
+  dependencies:
+    "@salesforce/ts-types" "^2.0.12"
 
 "@salesforce/prettier-config@^0.0.3":
   version "0.0.3"
@@ -1924,6 +2034,11 @@
   resolved "https://registry.npmjs.org/@salesforce/schemas/-/schemas-1.7.0.tgz"
   integrity sha512-Z0PiCEV55khm0PG+DsnRYCjaDmacNe3HDmsoSm/CSyYvJJm+D5vvkHKN9/PKD/gaRe8XAU836yfamIYFblLINw==
 
+"@salesforce/schemas@^1.9.0":
+  version "1.10.3"
+  resolved "https://registry.yarnpkg.com/@salesforce/schemas/-/schemas-1.10.3.tgz#52c867fdd60679cf216110aa49542b7ad391f5d1"
+  integrity sha512-FKfvtrYTcvTXE9advzS25/DEY9yJhEyLvStm++eQFtnAaX1pe4G3oGHgiQ0q55BM5+0AlCh0+0CVtQv1t4oJRA==
+
 "@salesforce/sf-plugins-core@^7.1.4":
   version "7.1.8"
   resolved "https://registry.npmjs.org/@salesforce/sf-plugins-core/-/sf-plugins-core-7.1.8.tgz"
@@ -1950,12 +2065,23 @@
     "@salesforce/ts-types" "^2.0.9"
     chalk "^5.3.0"
 
-"@salesforce/ts-types@^2.0.9":
-  version "2.0.9"
-  resolved "https://registry.npmjs.org/@salesforce/ts-types/-/ts-types-2.0.9.tgz"
-  integrity sha512-boUD9jw5vQpTCPCCmK/NFTWjSuuW+lsaxOynkyNXLW+zxOc4GDjhtKc4j0vWZJQvolpafbyS8ZLFHZJvs12gYA==
+"@salesforce/sf-plugins-core@^9.1.1":
+  version "9.1.1"
+  resolved "https://registry.yarnpkg.com/@salesforce/sf-plugins-core/-/sf-plugins-core-9.1.1.tgz#8818fdb23e0f174d9e6dded0cf34a88be5e3cc44"
+  integrity sha512-5d4vGLqb1NZoHvDpuTu96TsFg/lexdnQNWC0h7GhOqxikJBpxk6P1DEbk9HrZWL18Gs1YXO9OCj2g8nKqbIC/Q==
   dependencies:
-    tslib "^2.6.2"
+    "@inquirer/confirm" "^3.1.9"
+    "@inquirer/password" "^2.1.9"
+    "@oclif/core" "^3.26.6"
+    "@salesforce/core" "^7.3.9"
+    "@salesforce/kit" "^3.1.2"
+    "@salesforce/ts-types" "^2.0.9"
+    chalk "^5.3.0"
+
+"@salesforce/ts-types@^2.0.10", "@salesforce/ts-types@^2.0.12", "@salesforce/ts-types@^2.0.9":
+  version "2.0.12"
+  resolved "https://registry.npmjs.org/@salesforce/ts-types/-/ts-types-2.0.12.tgz"
+  integrity sha512-BIJyduJC18Kc8z+arUm5AZ9VkPRyw1KKAm+Tk+9LT99eOzhNilyfKzhZ4t+tG2lIGgnJpmytZfVDZ0e2kFul8g==
 
 "@sigstore/protobuf-specs@^0.1.0":
   version "0.1.0"
@@ -1968,12 +2094,26 @@
   integrity sha512-t09vSN3MdfsyCHoFcTRCH/iUtG7OJ0CsjzB8cjAmKc/va/kIgeDI/TxsigdncE/4be734m0cvIYwNaV4i2XqAw==
 
 "@sinonjs/commons@^1.6.0", "@sinonjs/commons@^1.7.0", "@sinonjs/commons@^1.8.1":
-  version "1.8.3"
-  resolved "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.8.3.tgz"
-  integrity sha512-xkNcLAn/wZaX14RPlwizcKicDk9G3F8m2nU3L7Ukm5zBgTwiT0wsoFAHx9Jq56fJA1z/7uKGtCRu16sOUCLIHQ==
+  version "1.8.6"
+  resolved "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.8.6.tgz"
+  integrity sha512-Ky+XkAkqPZSm3NLBeUng77EBQl3cmeJhITaGHdYH8kjVB+aun3S4XBRti2zt17mtt0mIUDiNxYeoJm6drVvBJQ==
   dependencies:
     type-detect "4.0.8"
 
+"@sinonjs/commons@^3.0.1":
+  version "3.0.1"
+  resolved "https://registry.npmjs.org/@sinonjs/commons/-/commons-3.0.1.tgz"
+  integrity sha512-K3mCHKQ9sVh8o1C9cxkwxaOmXoAMlDxC1mYyHrjqOWEcBjYr76t96zL2zlj5dUGZ3HSw240X1qgH3Mjf1yJWpQ==
+  dependencies:
+    type-detect "4.0.8"
+
+"@sinonjs/fake-timers@^15.1.1":
+  version "15.1.1"
+  resolved "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-15.1.1.tgz"
+  integrity sha512-cO5W33JgAPbOh07tvZjUOJ7oWhtaqGHiZw+11DPbyqh2kHTBc3eF/CjJDeQ4205RLQsX6rxCuYOroFQwl7JDRw==
+  dependencies:
+    "@sinonjs/commons" "^3.0.1"
+
 "@sinonjs/fake-timers@^6.0.0", "@sinonjs/fake-timers@^6.0.1":
   version "6.0.1"
   resolved "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-6.0.1.tgz"
@@ -1990,10 +2130,18 @@
     lodash.get "^4.4.2"
     type-detect "^4.0.8"
 
+"@sinonjs/samsam@^9.0.3":
+  version "9.0.3"
+  resolved "https://registry.npmjs.org/@sinonjs/samsam/-/samsam-9.0.3.tgz"
+  integrity sha512-ZgYY7Dc2RW+OUdnZ1DEHg00lhRt+9BjymPKHog4PRFzr1U3MbK57+djmscWyKxzO1qfunHqs4N45WWyKIFKpiQ==
+  dependencies:
+    "@sinonjs/commons" "^3.0.1"
+    type-detect "^4.1.0"
+
 "@sinonjs/text-encoding@^0.7.1":
-  version "0.7.2"
-  resolved "https://registry.npmjs.org/@sinonjs/text-encoding/-/text-encoding-0.7.2.tgz"
-  integrity sha512-sXXKG+uL9IrKqViTtao2Ws6dy0znu9sOaP1di/jKGW1M6VssO8vlpXCQcpZ+jisQ1tTFAC5Jo/EOzFbggBagFQ==
+  version "0.7.3"
+  resolved "https://registry.npmjs.org/@sinonjs/text-encoding/-/text-encoding-0.7.3.tgz"
+  integrity sha512-DE427ROAphMQzU4ENbliGYrBSYPXF+TtLg9S8vzeA+OF4ZKzoDdzfL8sxuMUGS/lgRhM6j1URSk9ghf7Xo1tyA==
 
 "@smithy/abort-controller@^2.1.1":
   version "2.1.1"
@@ -2531,25 +2679,11 @@
   dependencies:
     "@types/node" "*"
 
-"@types/concat-stream@^1.6.0":
-  version "1.6.1"
-  resolved "https://registry.npmjs.org/@types/concat-stream/-/concat-stream-1.6.1.tgz"
-  integrity sha512-eHE4cQPoj6ngxBZMvVf6Hw7Mh4jMW4U9lpGmS5GBPB9RYxlFg+CHaVN7ErNY4W9XfLIEn20b4VDYaIrbq0q4uA==
-  dependencies:
-    "@types/node" "*"
-
 "@types/expect@^1.20.4":
   version "1.20.4"
   resolved "https://registry.npmjs.org/@types/expect/-/expect-1.20.4.tgz"
   integrity sha512-Q5Vn3yjTDyCMV50TB6VRIbQNxSE4OmZR86VSbGaNpfUolm0iePBB4KdEEHmxoY5sT2+2DIvXW0rvMDP2nHZ4Mg==
 
-"@types/form-data@0.0.33":
-  version "0.0.33"
-  resolved "https://registry.npmjs.org/@types/form-data/-/form-data-0.0.33.tgz"
-  integrity sha512-8BSvG1kGm83cyJITQMZSulnl6QV8jqAGreJsc5tPu1Jq0vTSOiY/k24Wx82JRpWwZSqrala6sd5rWi6aNXvqcw==
-  dependencies:
-    "@types/node" "*"
-
 "@types/glob@~7.2.0":
   version "7.2.0"
   resolved "https://registry.npmjs.org/@types/glob/-/glob-7.2.0.tgz"
@@ -2631,11 +2765,6 @@
   resolved "https://registry.npmjs.org/@types/node/-/node-20.5.1.tgz"
   integrity sha512-4tT2UrL5LBqDwoed9wZ6N3umC4Yhz3W3FloMmiiG4JwmUJWpie0c7lcnUNd4gtMKuDEO4wRVS8B6Xa0uMRsMKg==
 
-"@types/node@^10.0.3":
-  version "10.17.60"
-  resolved "https://registry.npmjs.org/@types/node/-/node-10.17.60.tgz"
-  integrity sha512-F0KIgDJfy2nA3zMLmWGKxcH2ZVEtCZXHHdOQs2gSaQ27+lNeEfGxzkIw90aXswATX7AZ33tahPbzy6KAfUreVw==
-
 "@types/node@^12.19.9":
   version "12.20.55"
   resolved "https://registry.npmjs.org/@types/node/-/node-12.20.55.tgz"
@@ -2660,10 +2789,12 @@
   dependencies:
     undici-types "~5.26.4"
 
-"@types/node@^8.0.0":
-  version "8.10.66"
-  resolved "https://registry.npmjs.org/@types/node/-/node-8.10.66.tgz"
-  integrity sha512-tktOkFUA4kXx2hhhrB8bIFb5TbwzS4uOhKEmwiD+NoiL0qtP2OQ9mFldbgD4dV1djrlBYP6eBuQZiWjuHUpqFw==
+"@types/node@^22.5.5":
+  version "22.19.17"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-22.19.17.tgz#09c71fb34ba2510f8ac865361b1fcb9552b8a581"
+  integrity sha512-wGdMcf+vPYM6jikpS/qhg6WiqSV/OhG+jeeHT/KlVqxYfD40iYJf9/AE1uQxVWFvU7MipKRkRv8NSHiCGgPr8Q==
+  dependencies:
+    undici-types "~6.21.0"
 
 "@types/normalize-package-data@^2.4.0":
   version "2.4.4"
@@ -2675,11 +2806,6 @@
   resolved "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.2.tgz"
   integrity sha512-dISoDXWWQwUquiKsyZ4Ng+HX2KsPL7LyHKHQwgGFEA3IaKac4Obd+h2a/a6waisAoepJlBcx9paWqjA8/HVjCw==
 
-"@types/qs@^6.2.31":
-  version "6.9.14"
-  resolved "https://registry.npmjs.org/@types/qs/-/qs-6.9.14.tgz"
-  integrity sha512-5khscbd3SwWMhFqylJBLQ0zIu7c1K6Vz0uBIt915BI3zV0q1nfjRQD3RqSBcPaO6PHEF4ov/t9y89fSiyThlPA==
-
 "@types/responselike@^1.0.0":
   version "1.0.0"
   resolved "https://registry.npmjs.org/@types/responselike/-/responselike-1.0.0.tgz"
@@ -2707,18 +2833,18 @@
   dependencies:
     "@types/sinonjs__fake-timers" "*"
 
+"@types/sinon@^21.0.0":
+  version "21.0.0"
+  resolved "https://registry.npmjs.org/@types/sinon/-/sinon-21.0.0.tgz"
+  integrity sha512-+oHKZ0lTI+WVLxx1IbJDNmReQaIsQJjN2e7UUrJHEeByG7bFeKJYsv1E75JxTQ9QKJDp21bAa/0W2Xo4srsDnw==
+  dependencies:
+    "@types/sinonjs__fake-timers" "*"
+
 "@types/sinonjs__fake-timers@*":
   version "8.1.5"
   resolved "https://registry.npmjs.org/@types/sinonjs__fake-timers/-/sinonjs__fake-timers-8.1.5.tgz"
   integrity sha512-mQkU2jY8jJEF7YHjHvsQO8+3ughTL1mcnn96igfhONmR+fUPSKIkefQYpSe8bsly2Ep7oQbn/6VG5/9/0qcArQ==
 
-"@types/unzipper@^0.10.9":
-  version "0.10.9"
-  resolved "https://registry.npmjs.org/@types/unzipper/-/unzipper-0.10.9.tgz"
-  integrity sha512-vHbmFZAw8emNAOVkHVbS3qBnbr0x/qHQZ+ei1HE7Oy6Tyrptl+jpqnOX+BF5owcu/HZLOV0nJK+K9sjs1Ox2JA==
-  dependencies:
-    "@types/node" "*"
-
 "@types/vinyl@^2.0.4":
   version "2.0.6"
   resolved "https://registry.npmjs.org/@types/vinyl/-/vinyl-2.0.6.tgz"
@@ -2843,6 +2969,14 @@ abort-controller@^3.0.0:
   dependencies:
     event-target-shim "^5.0.0"
 
+accepts@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz"
+  integrity sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==
+  dependencies:
+    mime-types "^3.0.0"
+    negotiator "^1.0.0"
+
 acorn-jsx@^5.3.2:
   version "5.3.2"
   resolved "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz"
@@ -2889,6 +3023,13 @@ aggregate-error@^3.0.0:
     clean-stack "^2.0.0"
     indent-string "^4.0.0"
 
+ajv-formats@^3.0.1:
+  version "3.0.1"
+  resolved "https://registry.npmjs.org/ajv-formats/-/ajv-formats-3.0.1.tgz"
+  integrity sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==
+  dependencies:
+    ajv "^8.0.0"
+
 ajv@^6.12.4:
   version "6.12.6"
   resolved "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz"
@@ -2899,25 +3040,15 @@ ajv@^6.12.4:
     json-schema-traverse "^0.4.1"
     uri-js "^4.2.2"
 
-ajv@^8.11.0:
-  version "8.12.0"
-  resolved "https://registry.npmjs.org/ajv/-/ajv-8.12.0.tgz"
-  integrity sha512-sRu1kpcO9yLtYxBKvqfTeh9KzZEwO3STyX1HT+4CaDzC6HpTGYhIhPIzj9XuKU7KYDwnaeh5hcOwjy1QuJzBPA==
-  dependencies:
-    fast-deep-equal "^3.1.1"
-    json-schema-traverse "^1.0.0"
-    require-from-string "^2.0.2"
-    uri-js "^4.2.2"
-
-ajv@^8.12.0:
-  version "8.13.0"
-  resolved "https://registry.npmjs.org/ajv/-/ajv-8.13.0.tgz"
-  integrity sha512-PRA911Blj99jR5RMeTunVbNXMF6Lp4vZXnk5GQjcnUWUTsrXtekg/pnmFFI2u/I36Y/2bITGS30GZCXei6uNkA==
+ajv@^8.0.0, ajv@^8.11.0, ajv@^8.12.0, ajv@^8.15.0, ajv@^8.17.1:
+  version "8.18.0"
+  resolved "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz"
+  integrity sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==
   dependencies:
     fast-deep-equal "^3.1.3"
+    fast-uri "^3.0.1"
     json-schema-traverse "^1.0.0"
     require-from-string "^2.0.2"
-    uri-js "^4.4.1"
 
 ansi-colors@4.1.1:
   version "4.1.1"
@@ -2970,6 +3101,11 @@ ansicolors@~0.3.2:
   resolved "https://registry.npmjs.org/ansicolors/-/ansicolors-0.3.2.tgz"
   integrity sha512-QXu7BPrP29VllRxH8GwB7x5iX5qWKAAMLqKQGWTeLWVlNHNOpVMJ91dsxQAIWXpjuW5wqvxu3Jd/nRjrJ+0pqg==
 
+ansis@^3.3.2:
+  version "3.17.0"
+  resolved "https://registry.npmjs.org/ansis/-/ansis-3.17.0.tgz"
+  integrity sha512-0qWUglt9JEqLFr3w1I1pbrChn1grhaiAR2ocX1PP/flRmxgtwTzPFFFnfIlD6aMOLQZgSuCRlidD70lvx8yhzg==
+
 anymatch@~3.1.2:
   version "3.1.3"
   resolved "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz"
@@ -3133,7 +3269,7 @@ arrify@^2.0.1:
   resolved "https://registry.npmjs.org/arrify/-/arrify-2.0.1.tgz"
   integrity sha512-3duEwti880xqi4eAMN8AyR4a0ByT90zoYdLlevfrvU43vb0YZwZVfxOgxWrLXXXpyugL0hNZc9G6BiB5B3nUug==
 
-asap@*, asap@^2.0.0, asap@~2.0.6:
+asap@*, asap@^2.0.0:
   version "2.0.6"
   resolved "https://registry.npmjs.org/asap/-/asap-2.0.6.tgz"
   integrity sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==
@@ -3180,14 +3316,14 @@ available-typed-arrays@^1.0.5, available-typed-arrays@^1.0.6:
   resolved "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.6.tgz"
   integrity sha512-j1QzY8iPNPG4o4xmO3ptzpRxTciqD3MgEHtifP/YnJpIo58Xu+ne4BejlbkuaLfXn/nz6HFiw29bLpj2PNMdGg==
 
-axios@^1.6.7:
-  version "1.6.8"
-  resolved "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz"
-  integrity sha512-v/ZHtJDU39mDpyBoFVkETcd/uNdxrWRrg3bKpOKzXFA6Bvqopts6ALSMU3y6ijYxbw2B+wPrIv46egTzJXCLGQ==
+axios@^1.13.5:
+  version "1.14.0"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.14.0.tgz#7c29f4cf2ea91ef05018d5aa5399bf23ed3120eb"
+  integrity sha512-3Y8yrqLSwjuzpXuZ0oIYZ/XGgLwUIBU3uLvbcpb0pidD9ctpShJd43KSlEEkVQg6DS0G9NKyzOvBfUtDKEyHvQ==
   dependencies:
-    follow-redirects "^1.15.6"
-    form-data "^4.0.0"
-    proxy-from-env "^1.1.0"
+    follow-redirects "^1.15.11"
+    form-data "^4.0.5"
+    proxy-from-env "^2.1.0"
 
 balanced-match@^1.0.0:
   version "1.0.2"
@@ -3240,6 +3376,21 @@ bl@^4.1.0:
     inherits "^2.0.4"
     readable-stream "^3.4.0"
 
+body-parser@^2.2.1:
+  version "2.2.2"
+  resolved "https://registry.npmjs.org/body-parser/-/body-parser-2.2.2.tgz"
+  integrity sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==
+  dependencies:
+    bytes "^3.1.2"
+    content-type "^1.0.5"
+    debug "^4.4.3"
+    http-errors "^2.0.0"
+    iconv-lite "^0.7.0"
+    on-finished "^2.4.1"
+    qs "^6.14.1"
+    raw-body "^3.0.1"
+    type-is "^2.0.1"
+
 bowser@^2.11.0:
   version "2.11.0"
   resolved "https://registry.npmjs.org/bowser/-/bowser-2.11.0.tgz"
@@ -3325,6 +3476,11 @@ builtins@^5.0.0:
   dependencies:
     semver "^7.0.0"
 
+bytes@^3.1.2, bytes@~3.1.2:
+  version "3.1.2"
+  resolved "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz"
+  integrity sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==
+
 cacache@^15.0.3, cacache@^15.0.5, cacache@^15.2.0:
   version "15.3.0"
   resolved "https://registry.npmjs.org/cacache/-/cacache-15.3.0.tgz"
@@ -3419,7 +3575,15 @@ caching-transform@^4.0.0:
     package-hash "^4.0.0"
     write-file-atomic "^3.0.0"
 
-call-bind@^1.0.2, call-bind@^1.0.5, call-bind@^1.0.7:
+call-bind-apply-helpers@^1.0.1, call-bind-apply-helpers@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz"
+  integrity sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==
+  dependencies:
+    es-errors "^1.3.0"
+    function-bind "^1.1.2"
+
+call-bind@^1.0.2, call-bind@^1.0.5:
   version "1.0.7"
   resolved "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz"
   integrity sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w==
@@ -3430,6 +3594,14 @@ call-bind@^1.0.2, call-bind@^1.0.5, call-bind@^1.0.7:
     get-intrinsic "^1.2.4"
     set-function-length "^1.2.1"
 
+call-bound@^1.0.2:
+  version "1.0.4"
+  resolved "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz"
+  integrity sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==
+  dependencies:
+    call-bind-apply-helpers "^1.0.2"
+    get-intrinsic "^1.3.0"
+
 callsites@^3.0.0:
   version "3.1.0"
   resolved "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz"
@@ -3484,11 +3656,6 @@ cardinal@^2.1.1:
     ansicolors "~0.3.2"
     redeyed "~2.1.0"
 
-caseless@^0.12.0, caseless@~0.12.0:
-  version "0.12.0"
-  resolved "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz"
-  integrity sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==
-
 chai@^4.3.10:
   version "4.3.10"
   resolved "https://registry.npmjs.org/chai/-/chai-4.3.10.tgz"
@@ -3798,7 +3965,7 @@ colors@1.0.3:
   resolved "https://registry.npmjs.org/colors/-/colors-1.0.3.tgz"
   integrity sha512-pFGrxThWcWQ2MsAz6RtgeWe4NK2kUE1WfsrvvlctdII745EW9I0yflqhe7++M5LEc7bV2c/9/5zc8sFcpL0Drw==
 
-combined-stream@^1.0.6, combined-stream@^1.0.8:
+combined-stream@^1.0.8:
   version "1.0.8"
   resolved "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz"
   integrity sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==
@@ -3848,16 +4015,6 @@ concat-map@0.0.1:
   resolved "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz"
   integrity sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==
 
-concat-stream@^1.6.0, concat-stream@^1.6.2:
-  version "1.6.2"
-  resolved "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.2.tgz"
-  integrity sha512-27HBghJxjiZtIk3Ycvn/4kbJk/1uZuJFfuPEns6LaEvpvG1f0hTea8lilrouyo9mVc2GWdcEZ8OLoGmSADlrCw==
-  dependencies:
-    buffer-from "^1.0.0"
-    inherits "^2.0.3"
-    readable-stream "^2.2.2"
-    typedarray "^0.0.6"
-
 console-control-strings@^1.0.0, console-control-strings@^1.1.0:
   version "1.1.0"
   resolved "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz"
@@ -3872,7 +4029,12 @@ constant-case@^3.0.4:
     tslib "^2.0.3"
     upper-case "^2.0.2"
 
-content-type@^1.0.4:
+content-disposition@^1.0.0:
+  version "1.0.1"
+  resolved "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.1.tgz"
+  integrity sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q==
+
+content-type@^1.0.4, content-type@^1.0.5:
   version "1.0.5"
   resolved "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz"
   integrity sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==
@@ -3908,6 +4070,16 @@ convert-source-map@^1.7.0:
   dependencies:
     safe-buffer "~5.1.1"
 
+cookie-signature@^1.2.1:
+  version "1.2.2"
+  resolved "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz"
+  integrity sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==
+
+cookie@^0.7.1:
+  version "0.7.2"
+  resolved "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz"
+  integrity sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==
+
 core-js-compat@^3.34.0:
   version "3.35.1"
   resolved "https://registry.npmjs.org/core-js-compat/-/core-js-compat-3.35.1.tgz"
@@ -3930,6 +4102,14 @@ core-util-is@~1.0.0:
   resolved "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz"
   integrity sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==
 
+cors@^2.8.5:
+  version "2.8.6"
+  resolved "https://registry.npmjs.org/cors/-/cors-2.8.6.tgz"
+  integrity sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==
+  dependencies:
+    object-assign "^4"
+    vary "^1"
+
 cosmiconfig-typescript-loader@^4.0.0:
   version "4.4.0"
   resolved "https://registry.npmjs.org/cosmiconfig-typescript-loader/-/cosmiconfig-typescript-loader-4.4.0.tgz"
@@ -3961,10 +4141,10 @@ create-require@^1.1.0:
   resolved "https://registry.npmjs.org/create-require/-/create-require-1.1.1.tgz"
   integrity sha512-dcKFX3jn0MpIaXjisoRvexIJVEKzaq7z2rZKxf+MSr9TkdmHmsU4m2lcLojrj/FHl8mk5VxMmYA+ftRkP/3oKQ==
 
-cross-spawn@^7.0.0, cross-spawn@^7.0.2, cross-spawn@^7.0.3:
-  version "7.0.3"
-  resolved "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz"
-  integrity sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==
+cross-spawn@^7.0.0, cross-spawn@^7.0.2, cross-spawn@^7.0.3, cross-spawn@^7.0.5:
+  version "7.0.6"
+  resolved "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz"
+  integrity sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==
   dependencies:
     path-key "^3.1.0"
     shebang-command "^2.0.0"
@@ -4021,6 +4201,13 @@ debug@^3.2.7:
   dependencies:
     ms "^2.1.1"
 
+debug@^4.3.5, debug@^4.4.0, debug@^4.4.3:
+  version "4.4.3"
+  resolved "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz"
+  integrity sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==
+  dependencies:
+    ms "^2.1.3"
+
 debuglog@^1.0.1:
   version "1.0.1"
   resolved "https://registry.npmjs.org/debuglog/-/debuglog-1.0.1.tgz"
@@ -4121,6 +4308,11 @@ depd@^1.1.2:
   resolved "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz"
   integrity sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==
 
+depd@^2.0.0, depd@~2.0.0:
+  version "2.0.0"
+  resolved "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz"
+  integrity sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==
+
 deprecation@^2.0.0, deprecation@^2.3.1:
   version "2.3.1"
   resolved "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz"
@@ -4139,16 +4331,26 @@ diff@5.0.0:
   resolved "https://registry.npmjs.org/diff/-/diff-5.0.0.tgz"
   integrity sha512-/VTCrvm5Z0JGty/BWHljh+BAiw3IK+2j87NGMu8Nwc/f48WoDAC395uomO9ZD117ZOBaHmkX1oyLvkVM/aIT3w==
 
-diff@^4.0.1, diff@^4.0.2:
+diff@^4.0.1:
   version "4.0.2"
   resolved "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz"
   integrity sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==
 
+diff@^4.0.2:
+  version "4.0.4"
+  resolved "https://registry.npmjs.org/diff/-/diff-4.0.4.tgz"
+  integrity sha512-X07nttJQkwkfKfvTPG/KSnE2OMdcUCao6+eXF3wmnIQRn2aPAHH3VxDbDOdegkd6JbPsXqShpvEOHfAT+nCNwQ==
+
 diff@^5.0.0:
   version "5.1.0"
   resolved "https://registry.npmjs.org/diff/-/diff-5.1.0.tgz"
   integrity sha512-D+mk+qE8VC/PAUrlAU34N+VfXev0ghe5ywmpqrawphmVZc1bEfn56uo9qpyGp1p4xpzOHkSW4ztBd6L7Xx4ACw==
 
+diff@^8.0.3:
+  version "8.0.4"
+  resolved "https://registry.npmjs.org/diff/-/diff-8.0.4.tgz"
+  integrity sha512-DPi0FmjiSU5EvQV0++GFDOJ9ASQUVFh5kD+OzOnYdi7n3Wpm9hWWGfB/O2blfHcMVTL5WkQXSnRiK9makhrcnw==
+
 dir-glob@^3.0.1:
   version "3.0.1"
   resolved "https://registry.npmjs.org/dir-glob/-/dir-glob-3.0.1.tgz"
@@ -4215,6 +4417,15 @@ dot-prop@^5.1.0:
   dependencies:
     is-obj "^2.0.0"
 
+dunder-proto@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz"
+  integrity sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==
+  dependencies:
+    call-bind-apply-helpers "^1.0.1"
+    es-errors "^1.3.0"
+    gopd "^1.2.0"
+
 eastasianwidth@^0.2.0:
   version "0.2.0"
   resolved "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz"
@@ -4227,6 +4438,11 @@ ecdsa-sig-formatter@1.0.11:
   dependencies:
     safe-buffer "^5.0.1"
 
+ee-first@1.1.1:
+  version "1.1.1"
+  resolved "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz"
+  integrity sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==
+
 ejs@^3.1.10, ejs@^3.1.6, ejs@^3.1.8:
   version "3.1.10"
   resolved "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz"
@@ -4249,6 +4465,11 @@ emoji-regex@^9.2.2:
   resolved "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz"
   integrity sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==
 
+encodeurl@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz"
+  integrity sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==
+
 encoding@^0.1.12, encoding@^0.1.13:
   version "0.1.13"
   resolved "https://registry.npmjs.org/encoding/-/encoding-0.1.13.tgz"
@@ -4340,18 +4561,23 @@ es-array-method-boxes-properly@^1.0.0:
   resolved "https://registry.npmjs.org/es-array-method-boxes-properly/-/es-array-method-boxes-properly-1.0.0.tgz"
   integrity sha512-wd6JXUmyHmt8T5a2xreUwKcGPq6f1f+WwIJkijUqiGcJz1qqnZgP6XIK+QyIWU5lT7imeNxUll48bziG+TSYcA==
 
-es-define-property@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.0.tgz"
-  integrity sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ==
-  dependencies:
-    get-intrinsic "^1.2.4"
+es-define-property@^1.0.0, es-define-property@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz"
+  integrity sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==
 
 es-errors@^1.0.0, es-errors@^1.2.1, es-errors@^1.3.0:
   version "1.3.0"
   resolved "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz"
   integrity sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==
 
+es-object-atoms@^1.0.0, es-object-atoms@^1.1.1:
+  version "1.1.1"
+  resolved "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz"
+  integrity sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==
+  dependencies:
+    es-errors "^1.3.0"
+
 es-set-tostringtag@^2.0.1:
   version "2.0.2"
   resolved "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.0.2.tgz"
@@ -4361,6 +4587,16 @@ es-set-tostringtag@^2.0.1:
     has-tostringtag "^1.0.0"
     hasown "^2.0.0"
 
+es-set-tostringtag@^2.1.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz#f31dbbe0c183b00a6d26eb6325c810c0fd18bd4d"
+  integrity sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==
+  dependencies:
+    es-errors "^1.3.0"
+    get-intrinsic "^1.2.6"
+    has-tostringtag "^1.0.2"
+    hasown "^2.0.2"
+
 es-shim-unscopables@^1.0.0, es-shim-unscopables@^1.0.2:
   version "1.0.2"
   resolved "https://registry.npmjs.org/es-shim-unscopables/-/es-shim-unscopables-1.0.2.tgz"
@@ -4626,6 +4862,11 @@ esutils@^2.0.2:
   resolved "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz"
   integrity sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==
 
+etag@^1.8.1:
+  version "1.8.1"
+  resolved "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz"
+  integrity sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==
+
 event-target-shim@^5.0.0:
   version "5.0.1"
   resolved "https://registry.npmjs.org/event-target-shim/-/event-target-shim-5.0.1.tgz"
@@ -4641,6 +4882,18 @@ events@^3.3.0:
   resolved "https://registry.npmjs.org/events/-/events-3.3.0.tgz"
   integrity sha512-mQw+2fkQbALzQ7V0MY0IqdnXNOeTtP4r0lN9z7AAawCXgqea7bDii20AYrIBrFd/Hx0M2Ocz6S111CaFkUcb0Q==
 
+eventsource-parser@^3.0.0, eventsource-parser@^3.0.1:
+  version "3.0.6"
+  resolved "https://registry.npmjs.org/eventsource-parser/-/eventsource-parser-3.0.6.tgz"
+  integrity sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg==
+
+eventsource@^3.0.2:
+  version "3.0.7"
+  resolved "https://registry.npmjs.org/eventsource/-/eventsource-3.0.7.tgz"
+  integrity sha512-CRT1WTyuQoD771GW56XEZFQ/ZoSfWid1alKGDYMmkt2yl8UXrVR4pspqWNEcqKvVIzg6PAltWjxcSSPrboA4iA==
+  dependencies:
+    eventsource-parser "^3.0.1"
+
 execa@^4.0.0:
   version "4.1.0"
   resolved "https://registry.npmjs.org/execa/-/execa-4.1.0.tgz"
@@ -4671,6 +4924,47 @@ execa@^5.0.0, execa@^5.1.1:
     signal-exit "^3.0.3"
     strip-final-newline "^2.0.0"
 
+express-rate-limit@^8.2.1:
+  version "8.3.1"
+  resolved "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.3.1.tgz"
+  integrity sha512-D1dKN+cmyPWuvB+G2SREQDzPY1agpBIcTa9sJxOPMCNeH3gwzhqJRDWCXW3gg0y//+LQ/8j52JbMROWyrKdMdw==
+  dependencies:
+    ip-address "10.1.0"
+
+express@^5.2.1:
+  version "5.2.1"
+  resolved "https://registry.npmjs.org/express/-/express-5.2.1.tgz"
+  integrity sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==
+  dependencies:
+    accepts "^2.0.0"
+    body-parser "^2.2.1"
+    content-disposition "^1.0.0"
+    content-type "^1.0.5"
+    cookie "^0.7.1"
+    cookie-signature "^1.2.1"
+    debug "^4.4.0"
+    depd "^2.0.0"
+    encodeurl "^2.0.0"
+    escape-html "^1.0.3"
+    etag "^1.8.1"
+    finalhandler "^2.1.0"
+    fresh "^2.0.0"
+    http-errors "^2.0.0"
+    merge-descriptors "^2.0.0"
+    mime-types "^3.0.0"
+    on-finished "^2.4.1"
+    once "^1.4.0"
+    parseurl "^1.3.3"
+    proxy-addr "^2.0.7"
+    qs "^6.14.0"
+    range-parser "^1.2.1"
+    router "^2.2.0"
+    send "^1.1.0"
+    serve-static "^2.2.0"
+    statuses "^2.0.1"
+    type-is "^2.0.1"
+    vary "^1.1.2"
+
 extend@^3.0.2:
   version "3.0.2"
   resolved "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz"
@@ -4695,6 +4989,11 @@ fast-copy@^3.0.0:
   resolved "https://registry.npmjs.org/fast-copy/-/fast-copy-3.0.1.tgz"
   integrity sha512-Knr7NOtK3HWRYGtHoJrjkaWepqT8thIVGAwt0p0aUs1zqkAzXZV4vo9fFNwyb5fcqK1GKYFYxldQdIDVKhUAfA==
 
+fast-copy@^3.0.2:
+  version "3.0.2"
+  resolved "https://registry.yarnpkg.com/fast-copy/-/fast-copy-3.0.2.tgz#59c68f59ccbcac82050ba992e0d5c389097c9d35"
+  integrity sha512-dl0O9Vhju8IrcLndv2eU4ldt1ftXMqqfgN4H1cpmGV7P6jeB9FwpN9a2c8DPGE1Ys88rNUJVYDHq73CGAGOPfQ==
+
 fast-deep-equal@^3.1.1, fast-deep-equal@^3.1.3:
   version "3.1.3"
   resolved "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz"
@@ -4738,6 +5037,11 @@ fast-safe-stringify@^2.1.1:
   resolved "https://registry.npmjs.org/fast-safe-stringify/-/fast-safe-stringify-2.1.1.tgz"
   integrity sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA==
 
+fast-uri@^3.0.1:
+  version "3.1.0"
+  resolved "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz"
+  integrity sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==
+
 fast-xml-parser@4.2.5:
   version "4.2.5"
   resolved "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz"
@@ -4811,6 +5115,18 @@ fill-range@^7.0.1:
   dependencies:
     to-regex-range "^5.0.1"
 
+finalhandler@^2.1.0:
+  version "2.1.1"
+  resolved "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.1.tgz"
+  integrity sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA==
+  dependencies:
+    debug "^4.4.0"
+    encodeurl "^2.0.0"
+    escape-html "^1.0.3"
+    on-finished "^2.4.1"
+    parseurl "^1.3.3"
+    statuses "^2.0.1"
+
 find-cache-dir@^3.2.0:
   version "3.3.2"
   resolved "https://registry.npmjs.org/find-cache-dir/-/find-cache-dir-3.3.2.tgz"
@@ -4877,10 +5193,10 @@ flatted@^3.2.9:
   resolved "https://registry.npmjs.org/flatted/-/flatted-3.2.9.tgz"
   integrity sha512-36yxDn5H7OFZQla0/jFJmbIKTdZAQHngCedGxiMmpNfEZM0sdEeT+WczLQrjK6D7o2aiyLYDnkw0R3JK0Qv1RQ==
 
-follow-redirects@^1.15.6:
-  version "1.15.6"
-  resolved "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz"
-  integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==
+follow-redirects@^1.15.11:
+  version "1.15.11"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340"
+  integrity sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==
 
 for-each@^0.3.3:
   version "0.3.3"
@@ -4905,15 +5221,6 @@ foreground-child@^3.1.0:
     cross-spawn "^7.0.0"
     signal-exit "^4.0.1"
 
-form-data@^2.2.0:
-  version "2.5.1"
-  resolved "https://registry.npmjs.org/form-data/-/form-data-2.5.1.tgz"
-  integrity sha512-m21N3WOmEEURgk6B9GLOE4RuWOFf28Lhh9qGYeNlGq4VDXUlJy2th2slBNU8Gp8EzloYZOibZJ7t5ecIrFSjVA==
-  dependencies:
-    asynckit "^0.4.0"
-    combined-stream "^1.0.6"
-    mime-types "^2.1.12"
-
 form-data@^4.0.0:
   version "4.0.0"
   resolved "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz"
@@ -4923,6 +5230,27 @@ form-data@^4.0.0:
     combined-stream "^1.0.8"
     mime-types "^2.1.12"
 
+form-data@^4.0.5:
+  version "4.0.5"
+  resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.5.tgz#b49e48858045ff4cbf6b03e1805cebcad3679053"
+  integrity sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==
+  dependencies:
+    asynckit "^0.4.0"
+    combined-stream "^1.0.8"
+    es-set-tostringtag "^2.1.0"
+    hasown "^2.0.2"
+    mime-types "^2.1.12"
+
+forwarded@0.2.0:
+  version "0.2.0"
+  resolved "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz"
+  integrity sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==
+
+fresh@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz"
+  integrity sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==
+
 fromentries@^1.2.0:
   version "1.3.2"
   resolved "https://registry.npmjs.org/fromentries/-/fromentries-1.3.2.tgz"
@@ -5068,26 +5396,34 @@ get-func-name@^2.0.1, get-func-name@^2.0.2:
   resolved "https://registry.npmjs.org/get-func-name/-/get-func-name-2.0.2.tgz"
   integrity sha512-8vXOvuE167CtIc3OyItco7N/dpRtBbYOsPsXCz7X/PMnlGjYjSGuZJgM1Y7mmew7BKf9BqvLX2tnOVy1BBUsxQ==
 
-get-intrinsic@^1.1.3, get-intrinsic@^1.2.1, get-intrinsic@^1.2.2, get-intrinsic@^1.2.3, get-intrinsic@^1.2.4:
-  version "1.2.4"
-  resolved "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.4.tgz"
-  integrity sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==
+get-intrinsic@^1.2.1, get-intrinsic@^1.2.2, get-intrinsic@^1.2.3, get-intrinsic@^1.2.4, get-intrinsic@^1.2.5, get-intrinsic@^1.2.6, get-intrinsic@^1.3.0:
+  version "1.3.0"
+  resolved "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz"
+  integrity sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==
   dependencies:
+    call-bind-apply-helpers "^1.0.2"
+    es-define-property "^1.0.1"
     es-errors "^1.3.0"
+    es-object-atoms "^1.1.1"
     function-bind "^1.1.2"
-    has-proto "^1.0.1"
-    has-symbols "^1.0.3"
-    hasown "^2.0.0"
+    get-proto "^1.0.1"
+    gopd "^1.2.0"
+    has-symbols "^1.1.0"
+    hasown "^2.0.2"
+    math-intrinsics "^1.1.0"
 
 get-package-type@^0.1.0:
   version "0.1.0"
   resolved "https://registry.npmjs.org/get-package-type/-/get-package-type-0.1.0.tgz"
   integrity sha512-pjzuKtY64GYfWizNAJ0fr9VqttZkNiK2iS430LtIHzjBEr6bX8Am2zm4sW4Ro5wjWW5cAlRL1qAMTcXbjNAO2Q==
 
-get-port@^3.1.0:
-  version "3.2.0"
-  resolved "https://registry.npmjs.org/get-port/-/get-port-3.2.0.tgz"
-  integrity sha512-x5UJKlgeUiNT8nyo/AcnwLnZuZNcSjSw0kogRB+Whd1fjjFq4B1hySFxSFWWSn4mIBzg3sRNUDFYc4g5gjPoLg==
+get-proto@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz"
+  integrity sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==
+  dependencies:
+    dunder-proto "^1.0.1"
+    es-object-atoms "^1.0.0"
 
 get-stream@^5.0.0, get-stream@^5.1.0:
   version "5.2.0"
@@ -5230,12 +5566,10 @@ globby@^11.0.1, globby@^11.1.0:
     merge2 "^1.4.1"
     slash "^3.0.0"
 
-gopd@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz"
-  integrity sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==
-  dependencies:
-    get-intrinsic "^1.1.3"
+gopd@^1.0.1, gopd@^1.2.0:
+  version "1.2.0"
+  resolved "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz"
+  integrity sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==
 
 got@^11:
   version "11.8.6"
@@ -5301,14 +5635,14 @@ has-proto@^1.0.1:
   resolved "https://registry.npmjs.org/has-proto/-/has-proto-1.0.1.tgz"
   integrity sha512-7qE+iP+O+bgF9clE5+UoBFzE65mlBiVj3tKCrlNQ0Ogwm0BjpT/gK4SlLYDMybDh5I3TCTKnPPa0oMG7JDYrhg==
 
-has-symbols@^1.0.2, has-symbols@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.3.tgz"
-  integrity sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==
+has-symbols@^1.0.2, has-symbols@^1.0.3, has-symbols@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz"
+  integrity sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==
 
-has-tostringtag@^1.0.0, has-tostringtag@^1.0.1:
+has-tostringtag@^1.0.0, has-tostringtag@^1.0.1, has-tostringtag@^1.0.2:
   version "1.0.2"
-  resolved "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz"
+  resolved "https://registry.yarnpkg.com/has-tostringtag/-/has-tostringtag-1.0.2.tgz#2cdc42d40bef2e5b4eeab7c01a73c54ce7ab5abc"
   integrity sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==
   dependencies:
     has-symbols "^1.0.3"
@@ -5326,10 +5660,10 @@ hasha@^5.0.0:
     is-stream "^2.0.0"
     type-fest "^0.8.0"
 
-hasown@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.npmjs.org/hasown/-/hasown-2.0.0.tgz"
-  integrity sha512-vUptKVTpIJhcczKBbgnS+RtcuYMB8+oNzPK2/Hp3hanz8JmpATdmmgLgSaadVREkDm+e2giHwY3ZRkyjSIDDFA==
+hasown@^2.0.0, hasown@^2.0.2:
+  version "2.0.2"
+  resolved "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz"
+  integrity sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==
   dependencies:
     function-bind "^1.1.2"
 
@@ -5351,6 +5685,11 @@ help-me@^5.0.0:
   resolved "https://registry.npmjs.org/help-me/-/help-me-5.0.0.tgz"
   integrity sha512-7xgomUX6ADmcYzFik0HzAxh/73YlKR9bmFzf51CZwR+b6YtzU2m0u49hQCqV6SvlqIqsaxovfwdvbnsw3b/zpg==
 
+hono@^4.11.4:
+  version "4.12.7"
+  resolved "https://registry.npmjs.org/hono/-/hono-4.12.7.tgz"
+  integrity sha512-jq9l1DM0zVIvsm3lv9Nw9nlJnMNPOcAtsbsgiUhWcFzPE99Gvo6yRTlszSLLYacMeQ6quHD6hMfId8crVHvexw==
+
 hosted-git-info@^2.1.4:
   version "2.8.9"
   resolved "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz"
@@ -5385,16 +5724,6 @@ htmlparser2@^9.0.0:
     domutils "^3.1.0"
     entities "^4.5.0"
 
-http-basic@^8.1.1:
-  version "8.1.3"
-  resolved "https://registry.npmjs.org/http-basic/-/http-basic-8.1.3.tgz"
-  integrity sha512-/EcDMwJZh3mABI2NhGfHOGOeOZITqfkEO4p/xK+l3NpyncIHUQBoMvCSF/b5GqvKtySC2srL/GGG3+EtlqlmCw==
-  dependencies:
-    caseless "^0.12.0"
-    concat-stream "^1.6.2"
-    http-response-object "^3.0.1"
-    parse-cache-control "^1.0.1"
-
 http-cache-semantics@^4.0.0, http-cache-semantics@^4.1.0, http-cache-semantics@^4.1.1:
   version "4.1.1"
   resolved "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz"
@@ -5412,6 +5741,17 @@ http-call@^5.2.2:
     parse-json "^4.0.0"
     tunnel-agent "^0.6.0"
 
+http-errors@^2.0.0, http-errors@^2.0.1, http-errors@~2.0.1:
+  version "2.0.1"
+  resolved "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz"
+  integrity sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==
+  dependencies:
+    depd "~2.0.0"
+    inherits "~2.0.4"
+    setprototypeof "~1.2.0"
+    statuses "~2.0.2"
+    toidentifier "~1.0.1"
+
 http-parser-js@>=0.5.1:
   version "0.5.8"
   resolved "https://registry.npmjs.org/http-parser-js/-/http-parser-js-0.5.8.tgz"
@@ -5435,13 +5775,6 @@ http-proxy-agent@^5.0.0:
     agent-base "6"
     debug "4"
 
-http-response-object@^3.0.1:
-  version "3.0.2"
-  resolved "https://registry.npmjs.org/http-response-object/-/http-response-object-3.0.2.tgz"
-  integrity sha512-bqX0XTF6fnXSQcEJ2Iuyr75yVakyjIDCqroJQ/aHfSdlM743Cwqoi2nDYMzLGWUcuTWGWy8AAvOKXTfiv6q9RA==
-  dependencies:
-    "@types/node" "^10.0.3"
-
 http2-wrapper@^1.0.0-beta.5.2:
   version "1.0.3"
   resolved "https://registry.npmjs.org/http2-wrapper/-/http2-wrapper-1.0.3.tgz"
@@ -5507,6 +5840,13 @@ iconv-lite@^0.6.2:
   dependencies:
     safer-buffer ">= 2.1.2 < 3.0.0"
 
+iconv-lite@^0.7.0, iconv-lite@~0.7.0:
+  version "0.7.2"
+  resolved "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz"
+  integrity sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==
+  dependencies:
+    safer-buffer ">= 2.1.2 < 3.0.0"
+
 ieee754@^1.1.13, ieee754@^1.2.1:
   version "1.2.1"
   resolved "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz"
@@ -5567,7 +5907,7 @@ inflight@^1.0.4:
     once "^1.3.0"
     wrappy "1"
 
-inherits@2, inherits@^2.0.1, inherits@^2.0.3, inherits@^2.0.4, inherits@~2.0.3:
+inherits@2, inherits@^2.0.1, inherits@^2.0.3, inherits@^2.0.4, inherits@~2.0.3, inherits@~2.0.4:
   version "2.0.4"
   resolved "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz"
   integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
@@ -5631,11 +5971,21 @@ interpret@^1.0.0:
   resolved "https://registry.npmjs.org/interpret/-/interpret-1.4.0.tgz"
   integrity sha512-agE4QfB2Lkp9uICn7BAqoscw4SZP9kTE2hxiFI3jBPmXJfdqiahTbUuKGsMoN2GtqL9AxhYioAcVvgsb1HvRbA==
 
+ip-address@10.1.0:
+  version "10.1.0"
+  resolved "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz"
+  integrity sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==
+
 ip@^2.0.0:
   version "2.0.0"
   resolved "https://registry.npmjs.org/ip/-/ip-2.0.0.tgz"
   integrity sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==
 
+ipaddr.js@1.9.1:
+  version "1.9.1"
+  resolved "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz"
+  integrity sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==
+
 is-array-buffer@^3.0.2, is-array-buffer@^3.0.4:
   version "3.0.4"
   resolved "https://registry.npmjs.org/is-array-buffer/-/is-array-buffer-3.0.4.tgz"
@@ -5776,6 +6126,11 @@ is-plain-object@^5.0.0:
   resolved "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz"
   integrity sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==
 
+is-promise@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz"
+  integrity sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==
+
 is-regex@^1.1.4:
   version "1.1.4"
   resolved "https://registry.npmjs.org/is-regex/-/is-regex-1.1.4.tgz"
@@ -5979,6 +6334,11 @@ jake@^10.8.5:
     filelist "^1.0.1"
     minimatch "^3.0.4"
 
+jose@^6.1.3:
+  version "6.2.1"
+  resolved "https://registry.npmjs.org/jose/-/jose-6.2.1.tgz"
+  integrity sha512-jUaKr1yrbfaImV7R2TN/b3IcZzsw38/chqMpo2XJ7i2F8AfM/lA4G1goC3JVEwg0H7UldTmSt3P68nt31W7/mw==
+
 joycon@^3.1.1:
   version "3.1.1"
   resolved "https://registry.npmjs.org/joycon/-/joycon-3.1.1.tgz"
@@ -5989,14 +6349,7 @@ joycon@^3.1.1:
   resolved "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz"
   integrity sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==
 
-js-yaml@4.1.0, js-yaml@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz"
-  integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==
-  dependencies:
-    argparse "^2.0.1"
-
-js-yaml@^3.13.0, js-yaml@^3.13.1, js-yaml@^3.14.1:
+js-yaml@3.14.1, js-yaml@^3.13.0, js-yaml@^3.13.1, js-yaml@^3.14.1:
   version "3.14.1"
   resolved "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz"
   integrity sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==
@@ -6004,6 +6357,13 @@ js-yaml@^3.13.0, js-yaml@^3.13.1, js-yaml@^3.14.1:
     argparse "^1.0.7"
     esprima "^4.0.0"
 
+js-yaml@4.1.0, js-yaml@^4.1.0:
+  version "4.1.0"
+  resolved "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz"
+  integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==
+  dependencies:
+    argparse "^2.0.1"
+
 js2xmlparser@^4.0.1:
   version "4.0.2"
   resolved "https://registry.npmjs.org/js2xmlparser/-/js2xmlparser-4.0.2.tgz"
@@ -6087,6 +6447,11 @@ json-schema-traverse@^1.0.0:
   resolved "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz"
   integrity sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==
 
+json-schema-typed@^8.0.2:
+  version "8.0.2"
+  resolved "https://registry.npmjs.org/json-schema-typed/-/json-schema-typed-8.0.2.tgz"
+  integrity sha512-fQhoXdcvc3V28x7C7BMs4P5+kNlgUURe2jmUT1T//oBRMDrqy1QPelJimwZGo7Hg9VPV3EQV5Bnq4hbFy2vetA==
+
 json-stable-stringify-without-jsonify@^1.0.1:
   version "1.0.1"
   resolved "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz"
@@ -6444,6 +6809,11 @@ lowercase-keys@^2.0.0:
   resolved "https://registry.npmjs.org/lowercase-keys/-/lowercase-keys-2.0.0.tgz"
   integrity sha512-tqNXrS78oMOE73NMxK4EMLQsQowWf8jKooH9g7xPavRT706R6bkQJ6DY2Te7QukaZsulxa30wQ7bk0pm4XiHmA==
 
+lru-cache@^10.2.0:
+  version "10.4.3"
+  resolved "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz"
+  integrity sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==
+
 lru-cache@^6.0.0:
   version "6.0.0"
   resolved "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz"
@@ -6456,11 +6826,6 @@ lru-cache@^7.4.4, lru-cache@^7.5.1, lru-cache@^7.7.1:
   resolved "https://registry.npmjs.org/lru-cache/-/lru-cache-7.18.3.tgz"
   integrity sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==
 
-"lru-cache@^9.1.1 || ^10.0.0":
-  version "10.1.0"
-  resolved "https://registry.npmjs.org/lru-cache/-/lru-cache-10.1.0.tgz"
-  integrity sha512-/1clY/ui8CzjKFyjdvwPWJUYKiFVXG2I2cY0ssG7h4+hwk+XOIX7ZSG9Q7TW8TW3Kp3BUSqgFWBLgL4PJ+Blag==
-
 lunr@^2.3.9:
   version "2.3.9"
   resolved "https://registry.npmjs.org/lunr/-/lunr-2.3.9.tgz"
@@ -6563,6 +6928,16 @@ marked@^4.3.0:
   resolved "https://registry.npmjs.org/marked/-/marked-4.3.0.tgz"
   integrity sha512-PRsaiG84bK+AMvxziE/lCFss8juXjNaWzVbN5tXAm4XjeaS9NAHhop+PjQxz2A9h8Q4M/xGmzP8vqNwy6JeK0A==
 
+math-intrinsics@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz"
+  integrity sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==
+
+media-typer@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz"
+  integrity sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==
+
 "mem-fs-editor@^8.1.2 || ^9.0.0", mem-fs-editor@^9.0.0:
   version "9.7.0"
   resolved "https://registry.npmjs.org/mem-fs-editor/-/mem-fs-editor-9.7.0.tgz"
@@ -6611,6 +6986,11 @@ meow@^8.0.0, meow@^8.1.2:
     type-fest "^0.18.0"
     yargs-parser "^20.2.3"
 
+merge-descriptors@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz"
+  integrity sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==
+
 merge-stream@^2.0.0:
   version "2.0.0"
   resolved "https://registry.npmjs.org/merge-stream/-/merge-stream-2.0.0.tgz"
@@ -6634,6 +7014,11 @@ mime-db@1.52.0:
   resolved "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz"
   integrity sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==
 
+mime-db@^1.54.0:
+  version "1.54.0"
+  resolved "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz"
+  integrity sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==
+
 mime-types@^2.1.12:
   version "2.1.35"
   resolved "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz"
@@ -6641,6 +7026,13 @@ mime-types@^2.1.12:
   dependencies:
     mime-db "1.52.0"
 
+mime-types@^3.0.0, mime-types@^3.0.2:
+  version "3.0.2"
+  resolved "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz"
+  integrity sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==
+  dependencies:
+    mime-db "^1.54.0"
+
 mime@^4.0.0:
   version "4.0.1"
   resolved "https://registry.npmjs.org/mime/-/mime-4.0.1.tgz"
@@ -6673,7 +7065,7 @@ minimatch@5.0.1:
   dependencies:
     brace-expansion "^2.0.1"
 
-minimatch@9.0.3, minimatch@^9.0.0, minimatch@^9.0.1, minimatch@^9.0.3:
+minimatch@9.0.3:
   version "9.0.3"
   resolved "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz"
   integrity sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==
@@ -6701,7 +7093,7 @@ minimatch@^7.2.0:
   dependencies:
     brace-expansion "^2.0.1"
 
-minimatch@^9.0.4:
+minimatch@^9.0.0, minimatch@^9.0.1, minimatch@^9.0.3, minimatch@^9.0.4:
   version "9.0.4"
   resolved "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz"
   integrity sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==
@@ -6896,12 +7288,12 @@ mri@^1.1.5:
   resolved "https://registry.npmjs.org/mri/-/mri-1.2.0.tgz"
   integrity sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==
 
-ms@2.1.2:
+ms@2.1.2, ms@^2.0.0, ms@^2.1.1:
   version "2.1.2"
   resolved "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz"
   integrity sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==
 
-ms@2.1.3, ms@^2.0.0, ms@^2.1.1:
+ms@2.1.3, ms@^2.1.3:
   version "2.1.3"
   resolved "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz"
   integrity sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==
@@ -6971,6 +7363,11 @@ negotiator@^0.6.2, negotiator@^0.6.3:
   resolved "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz"
   integrity sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==
 
+negotiator@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz"
+  integrity sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==
+
 nise@^4.1.0:
   version "4.1.0"
   resolved "https://registry.npmjs.org/nise/-/nise-4.1.0.tgz"
@@ -7284,15 +7681,15 @@ nyc@^15.1.0:
     test-exclude "^6.0.0"
     yargs "^15.0.2"
 
-object-assign@^4.1.1:
+object-assign@^4, object-assign@^4.1.1:
   version "4.1.1"
   resolved "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz"
   integrity sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==
 
-object-inspect@^1.13.1:
-  version "1.13.1"
-  resolved "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.1.tgz"
-  integrity sha512-5qoj1RUiKOMsCCNLV1CBiPYE10sziTsnmNxkAI/rZhiD63CF7IqdFGC/XzjWjpSgLf0LxXX3bDFIh0E18f6UhQ==
+object-inspect@^1.13.1, object-inspect@^1.13.3:
+  version "1.13.4"
+  resolved "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz"
+  integrity sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==
 
 object-keys@^1.1.1:
   version "1.1.1"
@@ -7373,6 +7770,13 @@ on-exit-leak-free@^2.1.0:
   resolved "https://registry.npmjs.org/on-exit-leak-free/-/on-exit-leak-free-2.1.0.tgz"
   integrity sha512-VuCaZZAjReZ3vUwgOB8LxAosIurDiAW0s13rI1YwmaP++jvcxP77AWoQvenZebpCA2m8WC1/EosPYPMjnRAp/w==
 
+on-finished@^2.4.1:
+  version "2.4.1"
+  resolved "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz"
+  integrity sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==
+  dependencies:
+    ee-first "1.1.1"
+
 once@^1.3.0, once@^1.3.1, once@^1.4.0:
   version "1.4.0"
   resolved "https://registry.npmjs.org/once/-/once-1.4.0.tgz"
@@ -7591,11 +7995,6 @@ parent-module@^1.0.0:
   dependencies:
     callsites "^3.0.0"
 
-parse-cache-control@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.npmjs.org/parse-cache-control/-/parse-cache-control-1.0.1.tgz"
-  integrity sha512-60zvsJReQPX5/QP0Kzfd/VrpjScIQ7SHBW6bFCYfEP+fp0Eppr1SHhIO5nd1PjZtvclzSzES9D/p5nFJurwfWg==
-
 parse-conflict-json@^2.0.1:
   version "2.0.2"
   resolved "https://registry.npmjs.org/parse-conflict-json/-/parse-conflict-json-2.0.2.tgz"
@@ -7623,6 +8022,11 @@ parse-json@^5.0.0, parse-json@^5.2.0:
     json-parse-even-better-errors "^2.3.0"
     lines-and-columns "^1.1.6"
 
+parseurl@^1.3.3:
+  version "1.3.3"
+  resolved "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz"
+  integrity sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==
+
 pascal-case@^3.1.2:
   version "3.1.2"
   resolved "https://registry.npmjs.org/pascal-case/-/pascal-case-3.1.2.tgz"
@@ -7668,20 +8072,25 @@ path-parse@^1.0.7:
   integrity sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==
 
 path-scurry@^1.10.1:
-  version "1.10.1"
-  resolved "https://registry.npmjs.org/path-scurry/-/path-scurry-1.10.1.tgz"
-  integrity sha512-MkhCqzzBEpPvxxQ71Md0b1Kk51W01lrYvlMzSUaIzNsODdd7mqhiimSZlr+VegAz5Z6Vzt9Xg2ttE//XBhH3EQ==
+  version "1.11.1"
+  resolved "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz"
+  integrity sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==
   dependencies:
-    lru-cache "^9.1.1 || ^10.0.0"
+    lru-cache "^10.2.0"
     minipass "^5.0.0 || ^6.0.2 || ^7.0.0"
 
 path-to-regexp@^1.7.0:
-  version "1.8.0"
-  resolved "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.8.0.tgz"
-  integrity sha512-n43JRhlUKUAlibEJhPeir1ncUID16QnEjNpwzNdO3Lm4ywrBpBZ5oLD0I6br9evr1Y9JTqwRtAh7JLoOzAQdVA==
+  version "1.9.0"
+  resolved "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.9.0.tgz"
+  integrity sha512-xIp7/apCFJuUHdDLWe8O1HIkb0kQrOMb/0u6FXQjemHn/ii5LrIzU6bdECnsiTF/GjZkMEKg1xdiZwNqDYlZ6g==
   dependencies:
     isarray "0.0.1"
 
+path-to-regexp@^8.0.0:
+  version "8.3.0"
+  resolved "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz"
+  integrity sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==
+
 path-type@^4.0.0:
   version "4.0.0"
   resolved "https://registry.npmjs.org/path-type/-/path-type-4.0.0.tgz"
@@ -7693,9 +8102,9 @@ pathval@^1.1.1:
   integrity sha512-Dp6zGqpTdETdR63lehJYPeIOqpiNBNtc7BpWSLrOje7UaIsE5aY92r/AunQA7rsXvet3lrJ3JnZX29UPTKXyKQ==
 
 picocolors@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz"
-  integrity sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==
+  version "1.1.1"
+  resolved "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz"
+  integrity sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==
 
 picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.3.1:
   version "2.3.1"
@@ -7720,6 +8129,13 @@ pino-abstract-transport@^1.0.0, pino-abstract-transport@^1.1.0, pino-abstract-tr
     readable-stream "^4.0.0"
     split2 "^4.0.0"
 
+pino-abstract-transport@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/pino-abstract-transport/-/pino-abstract-transport-2.0.0.tgz#de241578406ac7b8a33ce0d77ae6e8a0b3b68a60"
+  integrity sha512-F63x5tizV6WCh4R6RHyi2Ml+M70DNRXt/+HANowMflpgGFMAym/VKm6G7ZOQRjqN7XbGxK1Lg9t6ZrtzOaivMw==
+  dependencies:
+    split2 "^4.0.0"
+
 pino-pretty@^10.3.1:
   version "10.3.1"
   resolved "https://registry.npmjs.org/pino-pretty/-/pino-pretty-10.3.1.tgz"
@@ -7740,11 +8156,36 @@ pino-pretty@^10.3.1:
     sonic-boom "^3.0.0"
     strip-json-comments "^3.1.1"
 
+pino-pretty@^11.2.1:
+  version "11.3.0"
+  resolved "https://registry.yarnpkg.com/pino-pretty/-/pino-pretty-11.3.0.tgz#390b3be044cf3d2e9192c7d19d44f6b690468f2e"
+  integrity sha512-oXwn7ICywaZPHmu3epHGU2oJX4nPmKvHvB/bwrJHlGcbEWaVcotkpyVHMKLKmiVryWYByNp0jpgAcXpFJDXJzA==
+  dependencies:
+    colorette "^2.0.7"
+    dateformat "^4.6.3"
+    fast-copy "^3.0.2"
+    fast-safe-stringify "^2.1.1"
+    help-me "^5.0.0"
+    joycon "^3.1.1"
+    minimist "^1.2.6"
+    on-exit-leak-free "^2.1.0"
+    pino-abstract-transport "^2.0.0"
+    pump "^3.0.0"
+    readable-stream "^4.0.0"
+    secure-json-parse "^2.4.0"
+    sonic-boom "^4.0.1"
+    strip-json-comments "^3.1.1"
+
 pino-std-serializers@^6.0.0:
   version "6.2.2"
   resolved "https://registry.npmjs.org/pino-std-serializers/-/pino-std-serializers-6.2.2.tgz"
   integrity sha512-cHjPPsE+vhj/tnhCy/wiMh3M3z3h/j15zHQX+S9GkTBgqJuTuJzYJ4gUyACLhDaJ7kk9ba9iRDmbH2tJU03OiA==
 
+pino-std-serializers@^7.0.0:
+  version "7.1.0"
+  resolved "https://registry.yarnpkg.com/pino-std-serializers/-/pino-std-serializers-7.1.0.tgz#a7b0cd65225f29e92540e7853bd73b07479893fc"
+  integrity sha512-BndPH67/JxGExRgiX1dX0w1FvZck5Wa4aal9198SrRhZjH3GxKQUKIBnYJTdj2HDN3UQAS06HlfcSbQj2OHmaw==
+
 pino@^8.18.0, pino@^8.21.0:
   version "8.21.0"
   resolved "https://registry.npmjs.org/pino/-/pino-8.21.0.tgz"
@@ -7762,6 +8203,28 @@ pino@^8.18.0, pino@^8.21.0:
     sonic-boom "^3.7.0"
     thread-stream "^2.6.0"
 
+pino@^9.2.0:
+  version "9.14.0"
+  resolved "https://registry.yarnpkg.com/pino/-/pino-9.14.0.tgz#673d9711c2d1e64d18670c1ec05ef7ba14562556"
+  integrity sha512-8OEwKp5juEvb/MjpIc4hjqfgCNysrS94RIOMXYvpYCdm/jglrKEiAYmiumbmGhCvs+IcInsphYDFwqrjr7398w==
+  dependencies:
+    "@pinojs/redact" "^0.4.0"
+    atomic-sleep "^1.0.0"
+    on-exit-leak-free "^2.1.0"
+    pino-abstract-transport "^2.0.0"
+    pino-std-serializers "^7.0.0"
+    process-warning "^5.0.0"
+    quick-format-unescaped "^4.0.3"
+    real-require "^0.2.0"
+    safe-stable-stringify "^2.3.1"
+    sonic-boom "^4.0.1"
+    thread-stream "^3.0.0"
+
+pkce-challenge@^5.0.0:
+  version "5.0.1"
+  resolved "https://registry.npmjs.org/pkce-challenge/-/pkce-challenge-5.0.1.tgz"
+  integrity sha512-wQ0b/W4Fr01qtpHlqSqspcj3EhBvimsdh0KlHhH8HRZnMsEa0ea2fTULOXOS9ccQr3om+GcGRk4e+isrZWV8qQ==
+
 pkg-dir@^4.1.0, pkg-dir@^4.2.0:
   version "4.2.0"
   resolved "https://registry.npmjs.org/pkg-dir/-/pkg-dir-4.2.0.tgz"
@@ -7838,6 +8301,11 @@ process-warning@^3.0.0:
   resolved "https://registry.npmjs.org/process-warning/-/process-warning-3.0.0.tgz"
   integrity sha512-mqn0kFRl0EoqhnL0GQ0veqFHyIN1yig9RHh/InzORTUiZHFRAur+aMtRkELNwGs9aNwKS6tg/An4NYBPGwvtzQ==
 
+process-warning@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/process-warning/-/process-warning-5.0.0.tgz#566e0bf79d1dff30a72d8bbbe9e8ecefe8d378d7"
+  integrity sha512-a39t9ApHNx2L4+HBnQKqxxHNs1r7KF+Intd8Q/g1bUh6q0WIp9voPXJ/x0j+ZL45KF1pJd9+q2jLIRMfvEshkA==
+
 process@^0.11.10:
   version "0.11.10"
   resolved "https://registry.npmjs.org/process/-/process-0.11.10.tgz"
@@ -7866,13 +8334,6 @@ promise-retry@^2.0.1:
     err-code "^2.0.2"
     retry "^0.12.0"
 
-promise@^8.0.0:
-  version "8.3.0"
-  resolved "https://registry.npmjs.org/promise/-/promise-8.3.0.tgz"
-  integrity sha512-rZPNPKTOYVNEEKFaq1HqTgOwZD+4/YHS5ukLzQCypkj+OkYx7iv0mA91lJlpPPZ8vMau3IIGj5Qlwrx+8iiSmg==
-  dependencies:
-    asap "~2.0.6"
-
 prop-types@^15.7.2:
   version "15.8.1"
   resolved "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz"
@@ -7891,10 +8352,18 @@ proper-lockfile@^4.1.2:
     retry "^0.12.0"
     signal-exit "^3.0.2"
 
-proxy-from-env@^1.1.0:
-  version "1.1.0"
-  resolved "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz"
-  integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
+proxy-addr@^2.0.7:
+  version "2.0.7"
+  resolved "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz"
+  integrity sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==
+  dependencies:
+    forwarded "0.2.0"
+    ipaddr.js "1.9.1"
+
+proxy-from-env@^2.1.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-2.1.0.tgz#a7487568adad577cfaaa7e88c49cab3ab3081aba"
+  integrity sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==
 
 psl@^1.1.33:
   version "1.9.0"
@@ -7914,12 +8383,12 @@ punycode@^2.1.0, punycode@^2.1.1:
   resolved "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz"
   integrity sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==
 
-qs@^6.4.0:
-  version "6.12.0"
-  resolved "https://registry.npmjs.org/qs/-/qs-6.12.0.tgz"
-  integrity sha512-trVZiI6RMOkO476zLGaBIzszOdFPnCCXHPG9kn0yuS1uz6xdVxPfZdB3vUig9pxPFDM9BRAgz/YUIVQ1/vuiUg==
+qs@^6.14.0, qs@^6.14.1:
+  version "6.15.0"
+  resolved "https://registry.npmjs.org/qs/-/qs-6.15.0.tgz"
+  integrity sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==
   dependencies:
-    side-channel "^1.0.6"
+    side-channel "^1.1.0"
 
 querystringify@^2.1.1:
   version "2.2.0"
@@ -7953,6 +8422,21 @@ randombytes@^2.1.0:
   dependencies:
     safe-buffer "^5.1.0"
 
+range-parser@^1.2.1:
+  version "1.2.1"
+  resolved "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz"
+  integrity sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==
+
+raw-body@^3.0.0, raw-body@^3.0.1:
+  version "3.0.2"
+  resolved "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz"
+  integrity sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==
+  dependencies:
+    bytes "~3.1.2"
+    http-errors "~2.0.1"
+    iconv-lite "~0.7.0"
+    unpipe "~1.0.0"
+
 react-is@^16.13.1:
   version "16.13.1"
   resolved "https://registry.npmjs.org/react-is/-/react-is-16.13.1.tgz"
@@ -8017,7 +8501,7 @@ readable-stream@3, readable-stream@^3.0.0, readable-stream@^3.4.0, readable-stre
     string_decoder "^1.1.1"
     util-deprecate "^1.0.1"
 
-readable-stream@^2.0.2, readable-stream@^2.2.2, readable-stream@^2.3.5, readable-stream@~2.3.6:
+readable-stream@^2.0.2, readable-stream@^2.3.5, readable-stream@~2.3.6:
   version "2.3.8"
   resolved "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz"
   integrity sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==
@@ -8221,6 +8705,17 @@ rimraf@^3.0.0, rimraf@^3.0.2:
   dependencies:
     glob "^7.1.3"
 
+router@^2.2.0:
+  version "2.2.0"
+  resolved "https://registry.npmjs.org/router/-/router-2.2.0.tgz"
+  integrity sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==
+  dependencies:
+    debug "^4.4.0"
+    depd "^2.0.0"
+    is-promise "^4.0.0"
+    parseurl "^1.3.3"
+    path-to-regexp "^8.0.0"
+
 run-async@^2.0.0, run-async@^2.4.0:
   version "2.4.1"
   resolved "https://registry.npmjs.org/run-async/-/run-async-2.4.1.tgz"
@@ -8330,6 +8825,28 @@ semver@^7.6.0:
   dependencies:
     lru-cache "^6.0.0"
 
+semver@^7.6.2:
+  version "7.7.4"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.7.4.tgz#28464e36060e991fa7a11d0279d2d3f3b57a7e8a"
+  integrity sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==
+
+send@^1.1.0, send@^1.2.0:
+  version "1.2.1"
+  resolved "https://registry.npmjs.org/send/-/send-1.2.1.tgz"
+  integrity sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==
+  dependencies:
+    debug "^4.4.3"
+    encodeurl "^2.0.0"
+    escape-html "^1.0.3"
+    etag "^1.8.1"
+    fresh "^2.0.0"
+    http-errors "^2.0.1"
+    mime-types "^3.0.2"
+    ms "^2.1.3"
+    on-finished "^2.4.1"
+    range-parser "^1.2.1"
+    statuses "^2.0.2"
+
 sentence-case@^3.0.4:
   version "3.0.4"
   resolved "https://registry.npmjs.org/sentence-case/-/sentence-case-3.0.4.tgz"
@@ -8351,6 +8868,16 @@ serialize-javascript@6.0.0:
   dependencies:
     randombytes "^2.1.0"
 
+serve-static@^2.2.0:
+  version "2.2.1"
+  resolved "https://registry.npmjs.org/serve-static/-/serve-static-2.2.1.tgz"
+  integrity sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==
+  dependencies:
+    encodeurl "^2.0.0"
+    escape-html "^1.0.3"
+    parseurl "^1.3.3"
+    send "^1.2.0"
+
 server-destroy@^1.0.1:
   version "1.0.1"
   resolved "https://registry.npmjs.org/server-destroy/-/server-destroy-1.0.1.tgz"
@@ -8387,6 +8914,11 @@ setimmediate@^1.0.5:
   resolved "https://registry.npmjs.org/setimmediate/-/setimmediate-1.0.5.tgz"
   integrity sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA==
 
+setprototypeof@~1.2.0:
+  version "1.2.0"
+  resolved "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz"
+  integrity sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==
+
 shebang-command@^2.0.0:
   version "2.0.0"
   resolved "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz"
@@ -8426,15 +8958,45 @@ shx@0.3.4:
     minimist "^1.2.3"
     shelljs "^0.8.5"
 
-side-channel@^1.0.4, side-channel@^1.0.6:
-  version "1.0.6"
-  resolved "https://registry.npmjs.org/side-channel/-/side-channel-1.0.6.tgz"
-  integrity sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA==
+side-channel-list@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz"
+  integrity sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==
   dependencies:
-    call-bind "^1.0.7"
     es-errors "^1.3.0"
-    get-intrinsic "^1.2.4"
-    object-inspect "^1.13.1"
+    object-inspect "^1.13.3"
+
+side-channel-map@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz"
+  integrity sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==
+  dependencies:
+    call-bound "^1.0.2"
+    es-errors "^1.3.0"
+    get-intrinsic "^1.2.5"
+    object-inspect "^1.13.3"
+
+side-channel-weakmap@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz"
+  integrity sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==
+  dependencies:
+    call-bound "^1.0.2"
+    es-errors "^1.3.0"
+    get-intrinsic "^1.2.5"
+    object-inspect "^1.13.3"
+    side-channel-map "^1.0.1"
+
+side-channel@^1.0.4, side-channel@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz"
+  integrity sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==
+  dependencies:
+    es-errors "^1.3.0"
+    object-inspect "^1.13.3"
+    side-channel-list "^1.0.0"
+    side-channel-map "^1.0.1"
+    side-channel-weakmap "^1.0.2"
 
 signal-exit@^3.0.0, signal-exit@^3.0.2, signal-exit@^3.0.3, signal-exit@^3.0.7:
   version "3.0.7"
@@ -8474,6 +9036,17 @@ sinon@10.0.0:
     nise "^4.1.0"
     supports-color "^7.1.0"
 
+sinon@^21.0.3:
+  version "21.0.3"
+  resolved "https://registry.npmjs.org/sinon/-/sinon-21.0.3.tgz"
+  integrity sha512-0x8TQFr8EjADhSME01u1ZK31yv2+bd6Z5NrBCHVM+n4qL1wFqbxftmeyi3bwlr49FbbzRfrqSFOpyHCOh/YmYA==
+  dependencies:
+    "@sinonjs/commons" "^3.0.1"
+    "@sinonjs/fake-timers" "^15.1.1"
+    "@sinonjs/samsam" "^9.0.3"
+    diff "^8.0.3"
+    supports-color "^7.2.0"
+
 slash@^3.0.0:
   version "3.0.0"
   resolved "https://registry.npmjs.org/slash/-/slash-3.0.0.tgz"
@@ -8534,6 +9107,13 @@ sonic-boom@^3.0.0, sonic-boom@^3.7.0:
   dependencies:
     atomic-sleep "^1.0.0"
 
+sonic-boom@^4.0.1:
+  version "4.2.1"
+  resolved "https://registry.yarnpkg.com/sonic-boom/-/sonic-boom-4.2.1.tgz#28598250df4899c0ac572d7e2f0460690ba6a030"
+  integrity sha512-w6AxtubXa2wTXAUsZMMWERrsIRAdrK0Sc+FUytWvYAhBJLyuI4llrMIC1DtlNSdI99EI86KZum2MMq3EAZlF9Q==
+  dependencies:
+    atomic-sleep "^1.0.0"
+
 sort-keys@^4.2.0:
   version "4.2.0"
   resolved "https://registry.npmjs.org/sort-keys/-/sort-keys-4.2.0.tgz"
@@ -8643,6 +9223,11 @@ ssri@^9.0.0:
   dependencies:
     minipass "^3.1.1"
 
+statuses@^2.0.1, statuses@^2.0.2, statuses@~2.0.2:
+  version "2.0.2"
+  resolved "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz"
+  integrity sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==
+
 "string-width-cjs@npm:string-width@^4.2.0":
   version "4.2.3"
   resolved "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz"
@@ -8697,20 +9282,20 @@ string.prototype.trimstart@^1.0.7:
     define-properties "^1.2.0"
     es-abstract "^1.22.1"
 
-string_decoder@^1.1.1, string_decoder@^1.3.0:
-  version "1.3.0"
-  resolved "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz"
-  integrity sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==
-  dependencies:
-    safe-buffer "~5.2.0"
-
-string_decoder@~1.1.1:
+string_decoder@^1.1.1, string_decoder@~1.1.1:
   version "1.1.1"
   resolved "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz"
   integrity sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==
   dependencies:
     safe-buffer "~5.1.0"
 
+string_decoder@^1.3.0:
+  version "1.3.0"
+  resolved "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz"
+  integrity sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==
+  dependencies:
+    safe-buffer "~5.2.0"
+
 "strip-ansi-cjs@npm:strip-ansi@^6.0.1":
   version "6.0.1"
   resolved "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz"
@@ -8800,7 +9385,7 @@ supports-color@^5.3.0:
   dependencies:
     has-flag "^3.0.0"
 
-supports-color@^7.0.0, supports-color@^7.1.0:
+supports-color@^7.0.0, supports-color@^7.1.0, supports-color@^7.2.0:
   version "7.2.0"
   resolved "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz"
   integrity sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==
@@ -8820,22 +9405,6 @@ supports-preserve-symlinks-flag@^1.0.0:
   resolved "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz"
   integrity sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==
 
-sync-request@^6.1.0:
-  version "6.1.0"
-  resolved "https://registry.npmjs.org/sync-request/-/sync-request-6.1.0.tgz"
-  integrity sha512-8fjNkrNlNCrVc/av+Jn+xxqfCjYaBoHqCsDz6mt030UMxJGr+GSfCV1dQt2gRtlL63+VPidwDVLr7V2OcTSdRw==
-  dependencies:
-    http-response-object "^3.0.1"
-    sync-rpc "^1.2.1"
-    then-request "^6.0.0"
-
-sync-rpc@^1.2.1:
-  version "1.3.6"
-  resolved "https://registry.npmjs.org/sync-rpc/-/sync-rpc-1.3.6.tgz"
-  integrity sha512-J8jTXuZzRlvU7HemDgHi3pGnh/rkoqR/OZSjhTyyZrEkkYQbk7Z33AXp37mkPfPpfdOuj7Ex3H/TJM1z48uPQw==
-  dependencies:
-    get-port "^3.1.0"
-
 tar@^6.0.2, tar@^6.1.0, tar@^6.1.11, tar@^6.1.2:
   version "6.1.11"
   resolved "https://registry.npmjs.org/tar/-/tar-6.1.11.tgz"
@@ -8884,23 +9453,6 @@ textextensions@^5.12.0, textextensions@^5.13.0:
   resolved "https://registry.npmjs.org/textextensions/-/textextensions-5.15.0.tgz"
   integrity sha512-MeqZRHLuaGamUXGuVn2ivtU3LA3mLCCIO5kUGoohTCoGmCBg/+8yPhWVX9WSl9telvVd8erftjFk9Fwb2dD6rw==
 
-then-request@^6.0.0:
-  version "6.0.2"
-  resolved "https://registry.npmjs.org/then-request/-/then-request-6.0.2.tgz"
-  integrity sha512-3ZBiG7JvP3wbDzA9iNY5zJQcHL4jn/0BWtXIkagfz7QgOL/LqjCEOBQuJNZfu0XYnv5JhKh+cDxCPM4ILrqruA==
-  dependencies:
-    "@types/concat-stream" "^1.6.0"
-    "@types/form-data" "0.0.33"
-    "@types/node" "^8.0.0"
-    "@types/qs" "^6.2.31"
-    caseless "~0.12.0"
-    concat-stream "^1.6.0"
-    form-data "^2.2.0"
-    http-basic "^8.1.1"
-    http-response-object "^3.0.1"
-    promise "^8.0.0"
-    qs "^6.4.0"
-
 thread-stream@^2.6.0:
   version "2.7.0"
   resolved "https://registry.npmjs.org/thread-stream/-/thread-stream-2.7.0.tgz"
@@ -8908,6 +9460,13 @@ thread-stream@^2.6.0:
   dependencies:
     real-require "^0.2.0"
 
+thread-stream@^3.0.0:
+  version "3.1.0"
+  resolved "https://registry.yarnpkg.com/thread-stream/-/thread-stream-3.1.0.tgz#4b2ef252a7c215064507d4ef70c05a5e2d34c4f1"
+  integrity sha512-OqyPZ9u96VohAyMfJykzmivOrY2wfMSf3C5TtFJVgN+Hm6aj+voFhlK+kZEIv2FBh1X6Xp3DlnCOfEQ3B2J86A==
+  dependencies:
+    real-require "^0.2.0"
+
 through2@^4.0.0:
   version "4.0.2"
   resolved "https://registry.npmjs.org/through2/-/through2-4.0.2.tgz"
@@ -8939,6 +9498,11 @@ to-regex-range@^5.0.1:
   dependencies:
     is-number "^7.0.0"
 
+toidentifier@~1.0.1:
+  version "1.0.1"
+  resolved "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz"
+  integrity sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==
+
 tough-cookie@*:
   version "4.1.3"
   resolved "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.3.tgz"
@@ -9011,6 +9575,11 @@ ts-retry-promise@^0.8.0:
   resolved "https://registry.npmjs.org/ts-retry-promise/-/ts-retry-promise-0.8.0.tgz"
   integrity sha512-elI/GkojPANBikPaMWQnk4T/bOJ6tq/hqXyQRmhfC9PAD6MoHmXIXK7KilJrlpx47VAKCGcmBrTeK5dHk6YAYg==
 
+ts-retry-promise@^0.8.1:
+  version "0.8.1"
+  resolved "https://registry.yarnpkg.com/ts-retry-promise/-/ts-retry-promise-0.8.1.tgz#ba90eb07cb03677fcbf78fe38e94c9183927e154"
+  integrity sha512-+AHPUmAhr5bSRRK5CurE9kNH8gZlEHnCgusZ0zy2bjfatUBDX0h6vGQjiT0YrGwSDwRZmU+bapeX6mj55FOPvg==
+
 tsconfig-paths@^3.15.0:
   version "3.15.0"
   resolved "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.15.0.tgz"
@@ -9026,7 +9595,7 @@ tslib@^1.11.1, tslib@^1.9.0:
   resolved "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz"
   integrity sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==
 
-tslib@^2.0.0, tslib@^2.0.3, tslib@^2.1.0, tslib@^2.3.1, tslib@^2.4.1, tslib@^2.5.0, tslib@^2.6.2:
+tslib@^2.0.0, tslib@^2.0.3, tslib@^2.1.0, tslib@^2.3.1, tslib@^2.4.1, tslib@^2.5.0:
   version "2.6.2"
   resolved "https://registry.npmjs.org/tslib/-/tslib-2.6.2.tgz"
   integrity sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==
@@ -9059,6 +9628,11 @@ type-detect@4.0.8, type-detect@^4.0.0, type-detect@^4.0.8:
   resolved "https://registry.npmjs.org/type-detect/-/type-detect-4.0.8.tgz"
   integrity sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==
 
+type-detect@^4.1.0:
+  version "4.1.0"
+  resolved "https://registry.npmjs.org/type-detect/-/type-detect-4.1.0.tgz"
+  integrity sha512-Acylog8/luQ8L7il+geoSxhEkazvkslg7PSNKOX59mbB9cOveP5aq9h74Y7YU8yDpJwetzQQrfIwtf4Wp4LKcw==
+
 type-fest@^0.18.0:
   version "0.18.1"
   resolved "https://registry.npmjs.org/type-fest/-/type-fest-0.18.1.tgz"
@@ -9084,6 +9658,15 @@ type-fest@^0.8.0, type-fest@^0.8.1:
   resolved "https://registry.npmjs.org/type-fest/-/type-fest-0.8.1.tgz"
   integrity sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA==
 
+type-is@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz"
+  integrity sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==
+  dependencies:
+    content-type "^1.0.5"
+    media-typer "^1.1.0"
+    mime-types "^3.0.0"
+
 typed-array-buffer@^1.0.0:
   version "1.0.0"
   resolved "https://registry.npmjs.org/typed-array-buffer/-/typed-array-buffer-1.0.0.tgz"
@@ -9130,11 +9713,6 @@ typedarray-to-buffer@^3.1.5:
   dependencies:
     is-typedarray "^1.0.0"
 
-typedarray@^0.0.6:
-  version "0.0.6"
-  resolved "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz"
-  integrity sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==
-
 typedoc-plugin-missing-exports@0.23.0:
   version "0.23.0"
   resolved "https://registry.npmjs.org/typedoc-plugin-missing-exports/-/typedoc-plugin-missing-exports-0.23.0.tgz"
@@ -9175,6 +9753,11 @@ undici-types@~5.26.4:
   resolved "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz"
   integrity sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==
 
+undici-types@~6.21.0:
+  version "6.21.0"
+  resolved "https://registry.yarnpkg.com/undici-types/-/undici-types-6.21.0.tgz#691d00af3909be93a7faa13be61b3a5b50ef12cb"
+  integrity sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==
+
 unique-filename@^1.1.1:
   version "1.1.1"
   resolved "https://registry.npmjs.org/unique-filename/-/unique-filename-1.1.1.tgz"
@@ -9237,6 +9820,11 @@ universalify@^2.0.0:
   resolved "https://registry.npmjs.org/universalify/-/universalify-2.0.1.tgz"
   integrity sha512-gptHNQghINnc/vTGIk0SOFGFNXw7JVrlRUtConJRlvaw6DuX0wO5Jeko9sWrMBhh+PsYAZ7oXAiOnf/UKogyiw==
 
+unpipe@~1.0.0:
+  version "1.0.0"
+  resolved "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz"
+  integrity sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==
+
 untildify@^4.0.0:
   version "4.0.0"
   resolved "https://registry.npmjs.org/untildify/-/untildify-4.0.0.tgz"
@@ -9264,7 +9852,7 @@ upper-case@^2.0.2:
   dependencies:
     tslib "^2.0.3"
 
-uri-js@^4.2.2, uri-js@^4.4.1:
+uri-js@^4.2.2:
   version "4.4.1"
   resolved "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz"
   integrity sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==
@@ -9284,6 +9872,11 @@ util-deprecate@^1.0.1, util-deprecate@~1.0.1:
   resolved "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz"
   integrity sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==
 
+uuid@^10.0.0:
+  version "10.0.0"
+  resolved "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz"
+  integrity sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==
+
 uuid@^8.3.2:
   version "8.3.2"
   resolved "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz"
@@ -9321,6 +9914,11 @@ validator@^13.6.0:
   resolved "https://registry.npmjs.org/validator/-/validator-13.11.0.tgz"
   integrity sha512-Ii+sehpSfZy+At5nPdnyMhx78fEoPDkR2XW/zimHEL3MyGJQOCQ7WeP20jPYRz7ZCpcKLB21NxuXHF3bxjStBQ==
 
+vary@^1, vary@^1.1.2:
+  version "1.1.2"
+  resolved "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz"
+  integrity sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==
+
 vinyl-file@^3.0.0:
   version "3.0.0"
   resolved "https://registry.npmjs.org/vinyl-file/-/vinyl-file-3.0.0.tgz"
@@ -9559,6 +10157,16 @@ xml2js@^0.6.2:
     sax ">=0.6.0"
     xmlbuilder "~11.0.0"
 
+xmlbuilder2@^3.1.1:
+  version "3.1.1"
+  resolved "https://registry.npmjs.org/xmlbuilder2/-/xmlbuilder2-3.1.1.tgz"
+  integrity sha512-WCSfbfZnQDdLQLiMdGUQpMxxckeQ4oZNMNhLVkcekTu7xhD4tuUDyAPoY8CwXvBYE6LwBHd6QW2WZXlOWr1vCw==
+  dependencies:
+    "@oozcitak/dom" "1.15.10"
+    "@oozcitak/infra" "1.0.8"
+    "@oozcitak/util" "8.3.8"
+    js-yaml "3.14.1"
+
 xmlbuilder@~11.0.0:
   version "11.0.1"
   resolved "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-11.0.1.tgz"
@@ -9589,7 +10197,7 @@ yaml@^1.10.0:
   resolved "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz"
   integrity sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==
 
-yargs-parser@20.2.4:
+yargs-parser@20.2.4, yargs-parser@^20.2.2:
   version "20.2.4"
   resolved "https://registry.npmjs.org/yargs-parser/-/yargs-parser-20.2.4.tgz"
   integrity sha512-WOkpgNhPTlE73h4VFAFsOnomJVaovO8VqLDzy5saChRBFQFBoMYirowyW+Q9HB4HFF4Z7VZTiG3iSzJJA29yRA==
@@ -9602,7 +10210,7 @@ yargs-parser@^18.1.2:
     camelcase "^5.0.0"
     decamelize "^1.2.0"
 
-yargs-parser@^20.2.2, yargs-parser@^20.2.3:
+yargs-parser@^20.2.3:
   version "20.2.9"
   resolved "https://registry.npmjs.org/yargs-parser/-/yargs-parser-20.2.9.tgz"
   integrity sha512-y11nGElTIV+CT3Zv9t7VKl+Q3hTQoT9a1Qzezhhl6Rp21gJ/IVTW7Z3y9EWXhuUBC2Shnf+DX0antecpAwSP8w==
@@ -9665,6 +10273,11 @@ yargs@^17.0.0, yargs@^17.2.1:
     y18n "^5.0.5"
     yargs-parser "^21.1.1"
 
+yarn@^1.22.22:
+  version "1.22.22"
+  resolved "https://registry.npmjs.org/yarn/-/yarn-1.22.22.tgz"
+  integrity sha512-prL3kGtyG7o9Z9Sv8IPfBNrWTDmXB4Qbes8A9rEzt6wkJV8mUvoirjU0Mp3GGAU06Y0XQyA3/2/RQFVuK7MTfg==
+
 yeoman-environment@^3.15.1:
   version "3.18.3"
   resolved "https://registry.npmjs.org/yeoman-environment/-/yeoman-environment-3.18.3.tgz"
@@ -9737,3 +10350,18 @@ yocto-queue@^0.1.0:
   version "0.1.0"
   resolved "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz"
   integrity sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==
+
+yoctocolors-cjs@^2.1.2:
+  version "2.1.3"
+  resolved "https://registry.yarnpkg.com/yoctocolors-cjs/-/yoctocolors-cjs-2.1.3.tgz#7e4964ea8ec422b7a40ac917d3a344cfd2304baa"
+  integrity sha512-U/PBtDf35ff0D8X8D0jfdzHYEPFxAI7jJlxZXwCSez5M3190m+QobIfh+sWDWSHMCWWJN2AWamkegn6vr6YBTw==
+
+zod-to-json-schema@^3.25.1:
+  version "3.25.1"
+  resolved "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.25.1.tgz"
+  integrity sha512-pM/SU9d3YAggzi6MtR4h7ruuQlqKtad8e9S0fmxcMi+ueAK5Korys/aWcV9LIIHTVbj01NdzxcnXSN+O74ZIVA==
+
+zod@^3.22.0, "zod@^3.25 || ^4.0":
+  version "3.25.76"
+  resolved "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz"
+  integrity sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==