Probe response size is within the safe bound
Authored by Stanley Hong · AgentReserve (founder).
The probe response stayed under the 1 MB cap enforced by `safeFetch`. Servers that return multi-megabyte JSON-RPC responses can exhaust client memory and indicate something is wrong with their tools/list output.
When this rule runs
Evaluated on every scan — observable from the URL, TLS handshake, or HTTP response headers, even when the MCP layer is auth-walled or unresponsive.
Why it matters
Unbounded responses are a denial-of-service hazard for the client. The 1 MB cap is what stops a misbehaving (or hostile) server from filling client memory before it can decide what to do with the response.
Pass condition
Probe completed without tripping the 1 MB response cap.
Fail condition
Probe was aborted by the 1 MB cap (`RESPONSE_TOO_LARGE`).
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
{"sizeCapBytes": 1048576}
Remediation
Trim the `tools/list` and `initialize` responses to the minimum metadata clients need.
Methodology
This rule belongs to the Transport security dimension. How the server is reached on the wire. Covers TLS and protocol-level confidentiality of probe traffic.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.