Rule catalog · Metadata transparency

Server advertises a version string

Rule id: `initialize_advertises_server_version` · info · weight 1 · Post-handshake

Authored by Stanley Hong · AgentReserve (founder).

The `initialize` response includes a `serverInfo.version` so operators can pin known-good builds and cross-reference upstream advisories.

When this rule runs

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

Why it matters

An identifier without a version is half a signal — operators cannot tell whether the build they're trusting today is the same one they reviewed yesterday.

Pass condition

The `initialize` response carries a non-empty `serverInfo.version` string.

Fail condition

The `initialize` response omits `serverInfo.version` or returns an empty string.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"serverInfo": {"name": "X", "version": null}}
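An added example (not the scanner's own code) of how the pass, fail and skip conditions above can be evaluated against a raw `initialize` response, producing evidence in the same shape the report records. The sample responses, the `protocolVersion` value and the treatment of whitespace-only or non-string versions as absent are assumptions of this example.

```python
import json
from typing import Any, Dict

RULE_ID = "initialize_advertises_server_version"

# Constructed sample `initialize` responses (not captured from any real server).
RESPONSE_OK = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {
    "protocolVersion": "2024-11-05", "capabilities": {},
    "serverInfo": {"name": "example-server", "version": "1.4.2"}}})
RESPONSE_NO_VERSION = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {
    "protocolVersion": "2024-11-05", "capabilities": {},
    "serverInfo": {"name": "example-server"}}})
RESPONSE_EMPTY_VERSION = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {
    "protocolVersion": "2024-11-05", "capabilities": {},
    "serverInfo": {"name": "example-server", "version": "  "}}})
RESPONSE_HANDSHAKE_ERROR = json.dumps({"jsonrpc": "2.0", "id": 1, "error": {
    "code": -32600, "message": "Invalid Request"}})


def check_server_version(raw_response: str) -> Dict[str, Any]:
    """Evaluate one `initialize` response against the rule.

    Returns a verdict plus evidence in the shape the report records:
    {"serverInfo": {"name": ..., "version": ...}}.
    """
    msg = json.loads(raw_response)
    result = msg.get("result")
    if not isinstance(result, dict):
        # No successful handshake: the rule does not apply (perimeter-only scan).
        return {"rule": RULE_ID, "status": "skipped", "evidence": None}

    server_info = result.get("serverInfo")
    if not isinstance(server_info, dict):
        server_info = {}
    name = server_info.get("name")
    version = server_info.get("version")

    # Pass only on a non-empty string. Whitespace-only and non-string values
    # are treated as absent (assumption of this example, not the scanner's).
    advertised = isinstance(version, str) and version.strip() != ""
    return {
        "rule": RULE_ID,
        "status": "pass" if advertised else "fail",
        "evidence": {"serverInfo": {"name": name, "version": version}},
    }


if __name__ == "__main__":
    for raw in (RESPONSE_OK, RESPONSE_NO_VERSION, RESPONSE_EMPTY_VERSION, RESPONSE_HANDSHAKE_ERROR):
        print(json.dumps(check_server_version(raw)))
```

A missing `version` surfaces as `null` in the evidence, matching the shape shown above.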

Remediation

Include `version` alongside `name` in the `serverInfo` block returned by `initialize`.

Methodology

This rule belongs to the Metadata transparency dimension. Whether the server identifies itself and documents its tools — and whether the advertised identity matches the wire identity (cert CN/SAN, hostname). Operators need a stable name, a version, and an internally consistent identity claim to perform any kind of audit.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.