Tool input schemas are structurally well-formed

Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.

A malformed `inputSchema` is invisible to every other rule: the structural-shape walker uses WeakSets to avoid hangs and the capability classifier reads only the surface fields. Oversized, deeply-nested, cyclic, or unresolvable-`$ref` schemas slip past review and crash strict client validators. They are also the canonical shape of generated dump-the-protobuf code that wasn't meant for an agent surface.

Every advertised tool's `inputSchema` is ≤ 64 KB serialized, ≤ 32 levels deep, contains no `$ref` outside the schema document, and contains no `$ref` cycles.

At least one tool's `inputSchema` exceeds the size cap, exceeds the depth cap, contains an unresolvable or non-local `$ref`, or contains a cycle through `$ref`.

When the rule fails, the report records evidence in roughly this shape:

• {"hits": [{"toolName": "do_thing", "kind": "ref_cycle", "path": "(root)", "detail": "Cycle through $ref #/definitions/Node."}]}

• {"hits": [{"toolName": "ingest", "kind": "oversized", "path": "(root)", "detail": "Serialized inputSchema is 131072 bytes (limit 65536)."}]}

Treat `inputSchema` as a contract. Keep it small (the agent reads it on every call), keep `$ref` targets local and resolvable, and break recursive shapes with an explicit terminator. A schema your validator can't traverse is a contract you can't enforce.

This rule belongs to the Schema quality dimension. Whether the tool surface is reviewable without invoking it. Tools without input schemas force agents to guess argument shapes; tool names that aren't plain ASCII identifiers confuse logging and allow-listing.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.