MCP quality: GitHub Actions

You can run Hardproof (hardproof) in CI by downloading a prebuilt binary or using the Hardproof Scan GitHub Action.

At a minimum, a CI run usually does:

1. install hardproof
2. run hardproof doctor to validate prerequisites
3. start your MCP server (HTTP)
4. run hardproof ci and upload the scan report artifacts (scan.json, scan.events.jsonl)

Hardproof reports score truth explicitly:

• score_mode=full means overall_score is present and eligible as a full score.
• score_mode=partial means the scan is not publishable (score_truth_status=partial). overall_score is still computed as the effective score (matching partial_score), and gating_reasons explain what evidence is missing (commonly because Trust inputs were not provided).

Token/context usage truth is explicit under scan.json.usage_metrics (requested_usage_mode, usage_status, plus the effective usage_mode):

• estimate (deterministic estimates)
• tokenizer_exact (exact counts under a chosen tokenizer profile)
• trace_observed (observed counts from a real trace)
• mixed (per-metric mix of exact + observed)

Minimal workflow sketch

This is intentionally a sketch (public beta). Wire the install and server start steps to match your repo.

name: mcp-quality
on: [push, pull_request]
jobs:
  conformance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start server
        run: |
          echo "Start your MCP server here"
      - name: Hardproof Scan (beta)
        uses: x07lang/hardproof/hardproof-scan@latest-beta
        with:
          url: http://127.0.0.1:3000/mcp
          version: latest-beta
          threshold: "80"
          full-suite: "false"
          sarif: "true"
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: conformance
          path: out/scan/