HVTracker MCP Server Trust Specification

Version: v0.1
Status: Draft
Published: 2026-06-18
Authors: HVTracker

1. Abstract

This document defines a pre-connect trust verdict for Model Context Protocol (MCP) servers. A client SHOULD query the verdict before connecting and use it to decide whether to proceed. The verdict is a reputation signal layered on the server's existing identity (URL + TLS, package, or repository); HVTracker does not issue identity.

2. Lookup

Query GET /api/v1/mcp/verify?server=<id>, where <id> is a GitHub repository (owner/name or URL) or an npm/PyPI package name. The server is resolved to its HVTracker trust record; an unresolved server returns tracked:false and MUST be treated as unverified.

3. Verdict Format

{
  "server": "owner/name",
  "resolved": "owner/name",
  "tracked": true,
  "trusted": true,
  "grade": "A|B|C|D",
  "trust_score": 0-100,
  "confidence": 0.0-1.0,
  "reasons": [ "..." ],
  "mcp_server_support": "declared|verified|...",
  "tool_permissions": [ "search", "code", ... ],
  "attestation": { ...signed Trust Credential, subject = the MCP server... }
}

A consumer SHOULD surface tool_permissions to the user before granting access, and MUST treat confidence as first-class.

4. Policy

The default verdict is trusted = true when all of the following hold: the server's listing is not delisted, warning, or legacy; its evidence grade is A, B, or C; and its trust score is at least 40. A consumer MAY apply a stricter policy (e.g. require build provenance, or grade ≥ B) using the fields in the verdict.
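
A client-side gate for the policy above, as an added example that is not part of the HVTracker specification: it fails closed on untracked or malformed verdicts and lets the caller tighten the default thresholds. The names evaluate and Decision, the sample verdicts, the A > B > C > D ordering and the 0.5 confidence floor are assumptions; the attestation check from section 5 is not performed here.

```python
from dataclasses import dataclass, field

GRADE_RANK = {"A": 3, "B": 2, "C": 1, "D": 0}  # assumed ordering, A best

@dataclass
class Decision:
    connect: bool
    reasons: list = field(default_factory=list)
    tool_permissions: list = field(default_factory=list)  # show to the user

def _num(v):
    """Return v if it is a real number (bool excluded), else None."""
    return v if isinstance(v, (int, float)) and not isinstance(v, bool) else None

def evaluate(verdict, min_grade="C", min_score=40, min_confidence=0.5):
    """Fail-closed pre-connect gate over a section 3 verdict object.

    min_grade and min_score default to the section 4 thresholds;
    min_confidence=0.5 is an assumed floor (the page sets none).
    """
    if not isinstance(verdict, dict) or verdict.get("tracked") is not True:
        return Decision(False, ["untracked server: treated as unverified"])
    why = []
    # Listing status is not a verdict field, so honour the issuer's verdict.
    if verdict.get("trusted") is not True:
        why.append("issuer verdict is not trusted")
    grade = verdict.get("grade")
    rank = GRADE_RANK.get(grade, -1) if isinstance(grade, str) else -1
    if rank < GRADE_RANK[min_grade]:
        why.append(f"grade {grade!r} below required {min_grade}")
    score = _num(verdict.get("trust_score"))
    if score is None or score < min_score:
        why.append(f"trust_score below required {min_score}")
    conf = _num(verdict.get("confidence"))
    if conf is None or not 0.0 <= conf <= 1.0 or conf < min_confidence:
        why.append(f"confidence below required {min_confidence}")
    perms = verdict.get("tool_permissions")
    perms = [p for p in perms if isinstance(p, str)] if isinstance(perms, list) else []
    return Decision(not why, why, perms)

# Constructed sample verdicts (not real HVTracker responses).
SAMPLE_OK = {"server": "example-org/example-mcp", "tracked": True, "trusted": True,
             "grade": "C", "trust_score": 55, "confidence": 0.8,
             "tool_permissions": ["search", "code"]}
SAMPLE_UNTRACKED = {"server": "example-org/unknown", "tracked": False}

if __name__ == "__main__":
    for v in (SAMPLE_OK, SAMPLE_UNTRACKED):
        print(v["server"], evaluate(v), evaluate(v, min_grade="B").connect)
```

With min_grade="B" the grade C sample is refused, which is the stricter policy the paragraph permits.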

5. Verification

The attestation is an Ed25519-signed credential (see Trust Credential v0.2) whose subject is the MCP server. It is verified offline against the issuer key in /.well-known/hvtracker.json, exactly as for agent credentials.