Server advertises an MCP protocol version
Authored by Stanley Hong · AgentReserve (founder).
The MCP `initialize` response includes a `protocolVersion`. Servers that omit it make safe client fallback impossible.
When this rule runs
Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.
Why it matters
Without an advertised protocol version, clients cannot negotiate the right wire format or fall back safely if the server implements an older revision.
Pass condition
The `initialize` response carries a non-empty `protocolVersion` string.
Fail condition
The `initialize` response omits `protocolVersion`.
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
{"protocolVersion": null}
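One way to express this rule as a check over a raw `initialize` reply, producing the evidence shape shown above. This is an added example, not AgentReserve's scanner code. The function name, verdict labels, `reason` strings and sample replies are assumptions made for illustration.

```python
import json

# Constructed sample replies to an MCP `initialize` request (not captured traffic).
# "2025-06-18" is only a sample version string.
SAMPLES = {
    "advertised": '{"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2025-06-18","capabilities":{}}}',
    "omitted": '{"jsonrpc":"2.0","id":1,"result":{"capabilities":{}}}',
    "empty": '{"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"","capabilities":{}}}',
    "refused": '{"jsonrpc":"2.0","id":1,"error":{"code":-32600,"message":"Invalid Request"}}',
}


def check_protocol_version(raw_reply):
    """Return (verdict, evidence) for one raw JSON-RPC reply to `initialize`.

    verdict is "pass", "fail" or "skipped" (hypothetical labels).
    """
    try:
        msg = json.loads(raw_reply)
    except (TypeError, ValueError):
        return "skipped", {"reason": "reply is not valid JSON"}

    result = msg.get("result") if isinstance(msg, dict) else None
    if not isinstance(result, dict):
        # JSON-RPC error or malformed reply: the handshake failed,
        # so the rule is skipped rather than failed.
        return "skipped", {"reason": "initialize did not succeed"}

    version = result.get("protocolVersion")
    if isinstance(version, str) and version:
        return "pass", {"protocolVersion": version}

    # An omitted key yields None, which serializes to the null evidence shape.
    # Assumption: an empty or non-string value also fails, because it does
    # not meet the pass condition.
    return "fail", {"protocolVersion": version}


def run_samples():
    """Evaluate every constructed sample and return {name: (verdict, evidence)}."""
    return {name: check_protocol_version(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, evidence) in run_samples().items():
        print(f"{name:10} {verdict:8} {json.dumps(evidence)}")
```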
Remediation
Return a known MCP protocol version string from the `initialize` handler so clients can negotiate cleanly.
Methodology
This rule belongs to the MCP discovery posture dimension, which covers whether the server cooperates with the MCP handshake: protocol version negotiation, capability flags, and other discovery signals clients depend on.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.