Patch release with five correctness fixes surfaced by an audit, plus npm packaging polish.
Install
npx mcpready scan <target>Published to npm: https://www.npmjs.com/package/mcpready (rule engine: mcpready-core)
What's changed
- Auth-gated servers no longer grade A/100 off the lone surviving auth-discovery rule: when a 401 makes behavior unobservable the grade is now N/A (score null) and
--min-gradefails closed instead of certifying an unverified server. - Tool
inputSchemavalidation now supports JSON Schema 2020-12 and 2019-09 (was draft-07-only, which false-failed valid schemas and capped grades at B). - The SSE parser returns the last response-shaped message, so a notification trailing the response no longer reads as "no JSON-RPC response".
- Response bodies are read through a 4 MiB cap; a hostile or broken endpoint streaming an unbounded body cannot exhaust the scanner's memory.
mcpready diffnow exits non-zero on regressions expressed through removed rules or a score drop (not just status changes).- C8 (
http-protocol-version-400) is gated to spec revisions >= 2025-06-18, so compliant older servers are not failed for a requirement that did not exist yet. - npm packaging: full package metadata plus per-package README/LICENSE on both packages.