Rubric version

Measurement methodology

Every report names its scope, target MCP specification, rubric version, and measurement time.

Measurement depth

Surface

Surface checks measure liveness, transport behaviour, registry hygiene, and authorization discovery without opening an authenticated MCP session.

Depth

Depth checks open an MCP session and measure conformance, error handling, tool schemas, security indicators, and definition drift.

Dynamic

Dynamic checks execute selected tools with explicit authorization. The runner is isolated, but the target must be a staging endpoint or approved disposable tenant.

Letter grades

A letter grade is a directory summary, not a safety verdict. It requires Layer A depth, which may be anonymous or owner authorized. A surface-only server remains unverified.

A: no material failures in the measured scope
B: minor failures with bounded effect
C: material failures that require correction
D: severe failures across one or more measured areas
F: critical failure or broad failure across the measured scope

A grade records test results. It is not a guarantee that a server is safe.

Versioned rubrics

Each run stores its rubric version. Drift comparisons use runs from the same rubric version.

A rubric update starts a new baseline and records a methodology change. It does not create a server drift alert.

Security findings

Deterministic security results are labelled as lint unless a dynamic test confirms the behaviour. Public pages show category and severity without exploit detail.