Skip to main content
Version: 0.1.109

MCP quality (verifier wedge)

Official MCP conformance is the baseline. Hardproof (hardproof) layers additional verification on top of that baseline so you can review and gate MCP servers with machine-readable evidence.

What Hardproof does:

  • Scan: run deterministic verification across five dimensions (conformance, reliability, performance, security, trust) and emit a stable scan report (scan.json) plus an event stream (scan.events.jsonl).
  • CI gating: run hardproof ci to enforce policies (minimum score, zero critical findings, per-dimension minimums, usage limits).
  • Replay: record a small session cassette and replay it to detect behavior drift with deterministic diffs.
  • Trust + bundle: verify registry metadata (server.json) and bundle integrity (.mcpb) as part of a scan (when inputs are provided) or via explicit subcommands.
  • Report export: render a scan summary or export SARIF/HTML from an existing scan report.

What it does not do (yet):

  • It does not replace the official MCP SDKs, Inspector, or Registry story.
  • It does not make strong security claims from checks alone; it emits evidence you can review and enforce in your own workflows.

Quickstart

  1. Install hardproof: see MCP quality: install.

  2. Run diagnostics:

hardproof doctor
hardproof doctor --machine json
  1. Conformance:
hardproof scan --url "http://127.0.0.1:3000/mcp" --out out/scan --format json

Artifacts are written under out/scan/:

  • scan.json
  • scan.events.jsonl
  1. Replay:
hardproof replay record --url "http://127.0.0.1:3000/mcp" --out out/replay.session.json --machine json
hardproof replay verify --session out/replay.session.json --url "http://127.0.0.1:3000/mcp" --out out/replay-verify --machine json
  1. Trust and bundle verification (registry artifacts):
hardproof trust verify --server-json ./server.json --machine json
hardproof bundle verify --server-json ./server.json --mcpb ./bundle.mcpb --machine json

If you have both server.json and .mcpb, you can also include trust checks in the scan:

hardproof scan \
  --url "http://127.0.0.1:3000/mcp" \
  --server-json ./server.json \
  --mcpb ./bundle.mcpb \
  --out out/scan \
  --format json

x07-native path (optional)

If you want to build an MCP server in X07 (not just verify one), use x07lang/x07-mcp.

The shortest zero-install path is Codespaces: see MCP quality: Codespaces.

Hardproof as a reference x07 application

Hardproof is intentionally built as a pure x07 application (CLI + contracts + deterministic evidence). If you want a concrete example of the “one whole system” primitives working together, Hardproof exercises:

  • Streaming composition: std.stream.pipe_v1
  • Structured concurrency: task.scope_v1
  • Record/replay as first-class evidence (std.rr + replay cassettes)
  • Deterministic contracts/tooling: x07 arch check, x07 schema derive, x07 sm gen
  • Property-based tests: x07 test --pbt and deterministic regressions
  • Verification + review artifacts: x07 verify, x07 prove check, x07 trust certify, x07 trust report