Rubric version
Measurement methodology
Every report names its scope, target MCP specification, rubric version, and measurement time.
Measurement depth
Surface
Surface checks measure liveness, transport behaviour, registry hygiene, and authorization discovery without opening an authenticated MCP session.
Depth
Depth checks open an MCP session and measure conformance, error handling, tool schemas, security indicators, and definition drift.
Dynamic
Dynamic checks execute selected tools with explicit authorization. The runner is isolated, but the target must be a staging endpoint or approved disposable tenant.
Letter grades
A letter grade is a directory summary, not a safety verdict. It requires Layer A depth, which may be anonymous or owner authorized. A surface-only server remains unverified.
A: no material failures in the measured scope
B: minor failures with bounded effect
C: material failures that require correction
D: severe failures across one or more measured areas
F: critical failure or broad failure across the measured scope
A grade records test results. It is not a guarantee that a server is safe.
Versioned rubrics
Each run stores its rubric version. Drift comparisons use runs from the same rubric version.
A rubric update starts a new baseline and records a methodology change. It does not create a server drift alert.
Security findings
Deterministic security results are labelled as lint unless a dynamic test confirms the behaviour. Public pages show category and severity without exploit detail.