fix(mcp-config-validator): remove invented trust field (verify-first)

`.mcp.json` has no per-server `trust` key — verified 2026-06-18 against
code.claude.com/docs/en/mcp + /settings. MCP server approval is
dialog/settings-based (enableAllProjectMcpServers / enabledMcpjsonServers /
disabledMcpjsonServers), never a JSON field. The scanner's "Missing trust
level" (CA-MCP-001, medium) and "Invalid trust level" (high) were false
positives flagging a field that does not exist.

- scanner: delete both trust checks + VALID_TRUST_LEVELS; drop `trust` from
  VALID_SERVER_FIELDS so a stray `trust` is now flagged as an unknown field
- humanizer: remove the two trust-level entries
- knowledge (5 files): point to the real approval mechanism, not a trust field
- fixtures: scrub `trust` (incl. the invalid "local" in optimal-setup)
- tests: flip assertions (no trust-level finding; stray trust -> unknown
  field) + add knowledge-staleness re-freeze guards
- snapshots: reseed (marketplace-medium .mcp.json -8 tokens, hermetic)
- gap-matrix: mark the trust verify-first item DONE

Suite: 853/853 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
This commit is contained in:
Kjell Tore Guttormsen 2026-06-18 14:22:56 +02:00
commit b3c572ad46
22 changed files with 110 additions and 100 deletions

View file

@ -343,7 +343,7 @@ By default, `/config-audit` auto-detects scope from your git context. Override w
| `settings-validator.mjs` | SET | Schema violations, unknown/deprecated keys, type mismatches, permission issues |
| `hook-validator.mjs` | HKV | Invalid format, missing scripts, wrong event names, timeout risks |
| `rules-validator.mjs` | RUL | Bad glob patterns, orphaned rules, deprecated fields, unscoped rules |
| `mcp-config-validator.mjs` | MCP | Invalid server types, missing trust levels, exposed env vars |
| `mcp-config-validator.mjs` | MCP | Invalid server types, exposed env vars, unknown fields |
| `import-resolver.mjs` | IMP | Broken @imports, circular references, deep chains, tilde path issues |
| `conflict-detector.mjs` | CNF | Settings contradictions across scopes, permission conflicts, hook duplicates |
| `feature-gap-scanner.mjs` | GAP | 25 feature checks — shown as opportunities, not grades |

View file

@ -51,7 +51,7 @@ Netto-nytt scanner-arbeid (DIS param-bevissthet, PLH shadow-folder-check, permis
| hook `MessageDisplay` «unknown event» | `hook-validator.mjs` | Legg i `VALID_EVENTS` + knowledge |
| hook `post-session` «unknown» | `hook-validator.mjs` | Legg i `VALID_EVENTS` (kebab, ≠ SessionEnd) |
| stale «26 total» hook-count | `hook-validator.mjs:137` + `hook-events-reference.md:3` | 26 → 28 i takt med de to nye |
| MCP `trust` oppfunnet/enforced (**VERIFISER FØRST**) | `mcp-config-validator.mjs` | Hvis feltet ikke finnes i offisiell schema: demote/fjern CA-MCP-001 + koordiner på tvers av 5 knowledge/humanizer-filer |
| ✅ MCP `trust` oppfunnet (VERIFISERT 2026-06-18: ikke i offisiell `.mcp.json`-schema) | `mcp-config-validator.mjs` | DONE — fjernet CA-MCP-001 + «Invalid trust level»; `trust` droppet fra `VALID_SERVER_FIELDS` (stray `trust` → unknown field); humanizer + 5 knowledge-filer + fixturer scrubbet. Godkjenning er dialog/settings-basert (`enableAllProjectMcpServers`/`enabledMcpjsonServers`/`disabledMcpjsonServers`), aldri et JSON-felt. |
| `feature-evolution.md`/`capabilities.md` frosset v2.1.111 | `knowledge/*` | Opus 4.8 default + Fable 5; `/simplify``/code-review` |
## Quick wins (S-effort, høy verdi)

View file

@ -14,7 +14,7 @@ Scanner CLI: `node scanners/scan-orchestrator.mjs <path> [--global] [--full-mach
| `settings-validator.mjs` | SET | Schema, unknown/deprecated keys, type mismatches, permissions |
| `hook-validator.mjs` | HKV | Format, script existence, event validity, timeouts |
| `rules-validator.mjs` | RUL | Glob matching, orphan rules, deprecated fields, unscoped rules |
| `mcp-config-validator.mjs` | MCP | Server types, trust levels, env vars, unknown fields |
| `mcp-config-validator.mjs` | MCP | Server types, env vars, unknown fields |
| `import-resolver.mjs` | IMP | Broken @imports, circular refs, deep chains, tilde paths |
| `conflict-detector.mjs` | CNF | Settings conflicts, permission contradictions, hook duplicates |
| `feature-gap-scanner.mjs` | GAP | 25 feature checks across 4 tiers — shown as opportunities, not grades |

View file

@ -2,8 +2,7 @@
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "."],
"trust": "local"
"args": ["-y", "@modelcontextprotocol/server-filesystem", "."]
}
}
}

View file

@ -27,11 +27,10 @@
| 21 | Rules file glob doesn't match any project files | CA-RUL-002 | low | Fix the glob pattern. `src/**/*.ts` won't match `./src/file.ts` — test actual paths. |
| 22 | Deprecated frontmatter field in rules file | CA-RUL-003 | low | Remove/replace deprecated fields. Check official docs for current frontmatter schema. |
| 23 | `.claude/rules/` directory missing entirely | CA-RUL-004 | medium | Create directory and split CLAUDE.md by domain. Path-specific rules dramatically reduce context overhead. |
| 24 | MCP server with no trust level set | CA-MCP-001 | medium | Set `"trust": "workspace"` or `"trusted"` explicitly. Default is untrusted/sandboxed; may cause unexpected failures. |
| 25 | User MCP servers in project `.mcp.json` | CA-MCP-002 | low | Move personal MCP servers to `~/.claude.json`. Project `.mcp.json` is for servers the whole team needs. |
| 26 | No custom skills when team has repeated workflows | CA-GAP-001 | medium | Create skills for `/deploy`, `/review-pr`, `/fix-issue`. Repeated multi-step workflows are the target. |
| 27 | Custom agents without `description` field | CA-GAP-002 | medium | Add a description explaining when to delegate to this agent. Without it, Claude never auto-invokes it. |
| 28 | No hooks configured at all | CA-GAP-003 | high | Add at minimum a `Stop` hook for session summaries. Zero hooks is the most common high-value gap. |
| 24 | User MCP servers in project `.mcp.json` | CA-MCP-002 | low | Move personal MCP servers to `~/.claude.json`. Project `.mcp.json` is for servers the whole team needs. |
| 25 | No custom skills when team has repeated workflows | CA-GAP-001 | medium | Create skills for `/deploy`, `/review-pr`, `/fix-issue`. Repeated multi-step workflows are the target. |
| 26 | Custom agents without `description` field | CA-GAP-002 | medium | Add a description explaining when to delegate to this agent. Without it, Claude never auto-invokes it. |
| 27 | No hooks configured at all | CA-GAP-003 | high | Add at minimum a `Stop` hook for session summaries. Zero hooks is the most common high-value gap. |
---

View file

@ -228,7 +228,7 @@ paths: ["src/**/*.ts"]
"type": "stdio|http",
"command": "...", "args": [...],
"url": "...",
"env": {}, "timeout": 30000, "trust": "workspace|trusted|untrusted"
"env": {}, "timeout": 30000
}
}
}
@ -236,7 +236,7 @@ paths: ["src/**/*.ts"]
**Fully utilizing:** Team-shared MCP servers (GitHub, Jira, DBs); MCP resources via `@server:path`; MCP prompts as slash commands; `enableAllProjectMcpServers: true` for zero-friction team onboarding.
**Common gaps:** No `.mcp.json`; MCP only configured in `~/.claude.json` (not shared); trust levels not set; MCP resources not used.
**Common gaps:** No `.mcp.json`; MCP only configured in `~/.claude.json` (not shared); project servers not approved via `enableAllProjectMcpServers`/`enabledMcpjsonServers`; MCP resources not used.
---

View file

@ -56,7 +56,7 @@
1. **Commit `.mcp.json` to git.** Team-shared MCP servers belong in `.mcp.json` at project root, not in individual `~/.claude.json` files. One commit, everyone gets the servers.
2. **Set `enableAllProjectMcpServers: true` in project settings.json** for zero-friction team onboarding. New team members don't have to manually approve each server.
3. **Set trust levels explicitly.** `"trust": "workspace"` for project-specific servers; `"trust": "trusted"` only for servers you fully control. Default is untrusted (sandboxed).
3. **Approve servers via settings, not a `trust` field.** `.mcp.json` has no per-server `trust` key — approval is recorded by the workspace-trust and MCP-approval dialogs. For non-interactive, granular control set `enabledMcpjsonServers: ["memory", "github"]` / `disabledMcpjsonServers: [...]` in settings.json instead of approving each server by hand.
4. **Use `@server:resource/path` for dynamic data.** `@github:repos/owner/repo/issues` pulls live data into context. More reliable than asking Claude to fetch and parse.
5. **Deny MCP tools you don't want Claude to invoke.** `{"permissions": {"deny": ["mcp__filesystem__write_file"]}}` — even with a server connected, specific tools can be blocked.

View file

@ -73,8 +73,7 @@ Create `.mcp.json` at project root:
"memory": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-memory"],
"trust": "workspace"
"args": ["-y", "@modelcontextprotocol/server-memory"]
}
}
}

View file

@ -273,16 +273,6 @@ export const TRANSLATIONS = {
description: 'The `type` field doesn\'t match one Claude Code knows how to start (typically `stdio`, `sse`, or `http`).',
recommendation: 'Change the `type` to one of the supported values shown in the details.',
},
'Invalid trust level': {
title: 'A connected service has an unrecognized trust setting',
description: 'Trust controls whether Claude can use the service\'s tools without asking.',
recommendation: 'Set the trust value to one of the accepted ones (see details).',
},
'Missing trust level': {
title: 'A connected service has no trust setting',
description: 'Without an explicit trust value, Claude has to ask before each tool use, which slows your work.',
recommendation: 'Add a trust value to the entry. The details show the accepted values.',
},
'Unknown MCP server field': {
title: 'A connected service has an unrecognized setting',
description: 'The setting isn\'t one Claude Code reads, so it will be ignored.',

View file

@ -1,6 +1,6 @@
/**
* MCP Scanner MCP Configuration Validator
* Validates .mcp.json files: server types, trust levels, env vars, unknown fields.
* Validates .mcp.json files: server types, env vars, unknown fields.
* Finding IDs: CA-MCP-NNN
*/
@ -13,9 +13,11 @@ import { truncate } from './lib/string-utils.mjs';
const SCANNER = 'MCP';
const VALID_SERVER_TYPES = new Set(['stdio', 'http', 'sse']);
const VALID_TRUST_LEVELS = new Set(['workspace', 'trusted', 'untrusted']);
// No `trust` field: MCP server approval is dialog/settings-based
// (enableAllProjectMcpServers / enabledMcpjsonServers / disabledMcpjsonServers),
// not a per-server .mcp.json field. Verified against code.claude.com/docs 2026-06-18.
const VALID_SERVER_FIELDS = new Set([
'type', 'command', 'args', 'env', 'url', 'headers', 'timeout', 'trust',
'type', 'command', 'args', 'env', 'url', 'headers', 'timeout',
]);
// Match only bare ${IDENTIFIER} references. POSIX expansions like ${VAR%pattern}
@ -92,28 +94,6 @@ export async function scan(targetPath, discovery) {
}));
}
// Check trust level
if (!config.trust) {
findings.push(finding({
scanner: SCANNER,
severity: SEVERITY.medium,
title: 'Missing trust level',
description: `${file.relPath}: Server "${name}" has no trust level configured.`,
file: file.absPath,
recommendation: 'Add "trust": "workspace"|"trusted"|"untrusted" to explicitly set the trust level.',
}));
} else if (!VALID_TRUST_LEVELS.has(config.trust)) {
findings.push(finding({
scanner: SCANNER,
severity: SEVERITY.high,
title: 'Invalid trust level',
description: `${file.relPath}: Server "${name}" has invalid trust level "${config.trust}".`,
file: file.absPath,
evidence: `trust: "${config.trust}"`,
recommendation: 'Use one of: workspace, trusted, untrusted.',
}));
}
// Check for env var references in args without env block
if (Array.isArray(config.args)) {
for (const arg of config.args) {

View file

@ -3,8 +3,7 @@
"memory": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-memory"],
"trust": "workspace"
"args": ["-y", "@modelcontextprotocol/server-memory"]
}
}
}

View file

@ -3,14 +3,12 @@
"memory": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-memory"],
"trust": "workspace"
"args": ["-y", "@modelcontextprotocol/server-memory"]
},
"filesystem": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "./docs"],
"trust": "trusted"
"args": ["-y", "@modelcontextprotocol/server-filesystem", "./docs"]
}
}
}

View file

@ -3,20 +3,17 @@
"memory": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-memory"],
"trust": "workspace"
"args": ["-y", "@modelcontextprotocol/server-memory"]
},
"filesystem": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "./docs"],
"trust": "trusted"
"args": ["-y", "@modelcontextprotocol/server-filesystem", "./docs"]
},
"github": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"trust": "trusted"
"args": ["-y", "@modelcontextprotocol/server-github"]
}
}
}

View file

@ -3,8 +3,7 @@
"memory": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-memory"],
"trust": "workspace"
"args": ["-y", "@modelcontextprotocol/server-memory"]
}
}
}

View file

@ -73,3 +73,22 @@ test('claude-code-capabilities.md documents /config key=value', () => {
const md = read('claude-code-capabilities.md');
assert.match(md, /\/config/, '/config key=value in-session settings (2.1.181)');
});
// MCP `trust` is NOT a real .mcp.json field (verified 2026-06-18 against
// code.claude.com/docs/en/mcp + /settings). Approval is dialog/settings-based.
// These guards stop the corpus from re-fabricating the field.
test('claude-code-capabilities.md does not resurrect the invented MCP `trust` field', () => {
const md = read('claude-code-capabilities.md');
assert.doesNotMatch(md, /"trust":\s*"workspace/,
'the fabricated `trust` field must not return to the .mcp.json schema example');
assert.match(md, /enableAllProjectMcpServers|enabledMcpjsonServers/,
'must document the real MCP approval mechanism');
});
test('configuration-best-practices.md recommends real MCP approval, not a `trust` field', () => {
const md = read('configuration-best-practices.md');
assert.match(md, /enabledMcpjsonServers|enableAllProjectMcpServers/,
'must point to the real settings-based approval mechanism');
assert.doesNotMatch(md, /Set trust levels explicitly/,
'the invented "set trust levels" advice must be gone');
});

View file

@ -81,13 +81,9 @@ describe('MCP scanner — broken project', () => {
assert.equal(unknown.severity, 'high');
});
it('detects missing trust level', () => {
assert.ok(result.findings.some(f => f.title.includes('Missing trust level')));
});
it('missing trust is medium severity', () => {
const trust = result.findings.find(f => f.title.includes('Missing trust level'));
assert.equal(trust.severity, 'medium');
it('does NOT flag any trust level — `trust` is not a real .mcp.json field (CC docs verified 2026-06-18)', () => {
assert.ok(!result.findings.some(f => /trust level/i.test(f.title)),
'no "Missing trust level"/"Invalid trust level" findings: the field does not exist in the official schema');
});
it('detects unreferenced env vars in args', () => {
@ -103,6 +99,43 @@ describe('MCP scanner — broken project', () => {
});
});
describe('MCP scanner — stray `trust` field is an unknown field (verify-first, 2026-06-18)', () => {
let result;
let tmpRoot;
beforeEach(async () => {
resetCounter();
tmpRoot = await mkdtemp(join(tmpdir(), 'ca-mcp-trust-'));
// `trust` is NOT a field in the official .mcp.json schema (verified against
// code.claude.com/docs/en/mcp + /settings, 2026-06-18). Approval is
// dialog/settings-based (enableAllProjectMcpServers / enabledMcpjsonServers /
// disabledMcpjsonServers), never a per-server JSON field.
const mcp = {
mcpServers: {
legacy: { type: 'stdio', command: 'node', args: ['server.mjs'], trust: 'workspace' },
},
};
await writeFile(join(tmpRoot, '.mcp.json'), JSON.stringify(mcp, null, 2) + '\n', 'utf8');
const discovery = await discoverConfigFiles(tmpRoot);
result = await scan(tmpRoot, discovery);
});
afterEach(async () => {
if (tmpRoot) await rm(tmpRoot, { recursive: true, force: true });
});
it('flags `trust` as an unknown MCP server field', () => {
const f = result.findings.find(x => x.title.includes('Unknown MCP server field')
&& /trust/.test(x.description || ''));
assert.ok(f, 'a `trust` field must now be reported as an unknown field');
});
it('emits no "trust level" findings at all', () => {
assert.ok(!result.findings.some(x => /trust level/i.test(x.title)),
'the invented trust-level checks must be gone');
});
});
describe('MCP scanner — env-var false positives (CC 2.1.139/2.1.142, Batch 1)', () => {
let tmpRoot;
let envFindings;
@ -118,13 +151,11 @@ describe('MCP scanner — env-var false positives (CC 2.1.139/2.1.142, Batch 1)'
// CLAUDE_PROJECT_DIR is auto-injected (CC 2.1.139); ${VAR%…}/${VAR:-…}
// are POSIX expansions CC resolves (2.1.142) — none need an env block.
args: ['${CLAUDE_PROJECT_DIR}/server.mjs', '--root', '${HOME%/}', '--cfg', '${CONFIG_DIR:-/etc}'],
trust: 'workspace',
},
legacy: {
type: 'stdio',
command: 'node',
args: ['${REAL_MISSING}'],
trust: 'workspace',
},
},
};

View file

@ -481,7 +481,7 @@
},
{
"source": ".mcp.json",
"estimated_tokens": 53,
"estimated_tokens": 45,
"rank": 5,
"recommendations": [
"Deduplicate overlapping entries — each duplicate inflates the per-turn schema payload.",
@ -490,7 +490,7 @@
"path": "/Users/ktg/repos/ktg-plugin-marketplace/config-audit/tests/fixtures/marketplace-medium/.mcp.json"
}
],
"total_estimated_tokens": 809,
"total_estimated_tokens": 801,
"activeConfig": {
"claudeMdEstimatedTokens": "<ANCESTOR_DERIVED>",
"mcpServerCount": 1,

View file

@ -5,7 +5,7 @@
"status": "ok",
"files_scanned": 2,
"duration_ms": 0,
"total_estimated_tokens": 809,
"total_estimated_tokens": 801,
"hotspots": [
{
"source": "mcp:memory (.mcp.json)",
@ -47,7 +47,7 @@
},
{
"source": ".mcp.json",
"estimated_tokens": 53,
"estimated_tokens": 45,
"rank": 5,
"recommendations": [
"Deduplicate overlapping entries — each duplicate inflates the per-turn schema payload.",

View file

@ -1,15 +1,15 @@
[CML] CLAUDE.md Linter: 1 finding(s) (14ms)
[SET] Settings Validator: 0 finding(s) (1ms)
[SET] Settings Validator: 0 finding(s) (2ms)
[HKV] Hook Validator: 0 finding(s) (1ms)
[RUL] Rules Validator: 0 finding(s) (1ms)
[RUL] Rules Validator: 0 finding(s) (0ms)
[MCP] MCP Config Validator: 0 finding(s) (0ms)
[IMP] Import Resolver: 0 finding(s) (1ms)
[IMP] Import Resolver: 0 finding(s) (2ms)
[CNF] Conflict Detector: 0 finding(s) (1ms)
[GAP] Feature Gap Scanner: 17 finding(s) (2ms)
[TOK] Token Hotspots: 1 finding(s) (8ms)
[CPS] Cache-Prefix Stability: 0 finding(s) (1ms)
[DIS] Disabled-In-Schema: 0 finding(s) (0ms)
[COL] Plugin Skill Collision: 0 finding(s) (1ms)
[CPS] Cache-Prefix Stability: 0 finding(s) (0ms)
[DIS] Disabled-In-Schema: 0 finding(s) (1ms)
[COL] Plugin Skill Collision: 0 finding(s) (0ms)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Config-Audit Health Score

View file

@ -94,7 +94,7 @@
"scannerEnvelope": {
"meta": {
"target": "/Users/ktg/repos/ktg-plugin-marketplace/config-audit/tests/fixtures/marketplace-medium",
"timestamp": "2026-06-18T11:03:14.339Z",
"timestamp": "2026-06-18T12:19:30.125Z",
"version": "2.2.0",
"tool": "config-audit"
},
@ -145,7 +145,7 @@
"scanner": "HKV",
"status": "ok",
"files_scanned": 1,
"duration_ms": 1,
"duration_ms": 2,
"findings": [],
"counts": {
"critical": 0,
@ -187,7 +187,7 @@
"scanner": "IMP",
"status": "ok",
"files_scanned": 1,
"duration_ms": 1,
"duration_ms": 2,
"findings": [],
"counts": {
"critical": 0,
@ -201,7 +201,7 @@
"scanner": "CNF",
"status": "ok",
"files_scanned": 2,
"duration_ms": 0,
"duration_ms": 1,
"findings": [],
"counts": {
"critical": 0,
@ -451,7 +451,7 @@
"scanner": "TOK",
"status": "ok",
"files_scanned": 2,
"duration_ms": 8,
"duration_ms": 7,
"findings": [
{
"id": "CA-TOK-001",
@ -515,7 +515,7 @@
},
{
"source": ".mcp.json",
"estimated_tokens": 53,
"estimated_tokens": 45,
"rank": 5,
"recommendations": [
"Deduplicate overlapping entries — each duplicate inflates the per-turn schema payload.",
@ -524,7 +524,7 @@
"path": "/Users/ktg/repos/ktg-plugin-marketplace/config-audit/tests/fixtures/marketplace-medium/.mcp.json"
}
],
"total_estimated_tokens": 809,
"total_estimated_tokens": 801,
"activeConfig": {
"claudeMdEstimatedTokens": 1639,
"mcpServerCount": 1,
@ -536,20 +536,6 @@
"scanner": "CPS",
"status": "ok",
"files_scanned": 1,
"duration_ms": 1,
"findings": [],
"counts": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0,
"info": 0
}
},
{
"scanner": "DIS",
"status": "ok",
"files_scanned": 1,
"duration_ms": 0,
"findings": [],
"counts": {
@ -560,11 +546,25 @@
"info": 0
}
},
{
"scanner": "DIS",
"status": "ok",
"files_scanned": 1,
"duration_ms": 1,
"findings": [],
"counts": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0,
"info": 0
}
},
{
"scanner": "COL",
"status": "ok",
"files_scanned": 0,
"duration_ms": 1,
"duration_ms": 0,
"findings": [],
"counts": {
"critical": 0,

View file

@ -1,7 +1,7 @@
{
"meta": {
"target": "/Users/ktg/repos/ktg-plugin-marketplace/config-audit/tests/fixtures/marketplace-medium",
"timestamp": "2026-06-18T11:03:14.159Z",
"timestamp": "2026-06-18T12:19:29.934Z",
"version": "2.2.0",
"tool": "config-audit"
},
@ -422,7 +422,7 @@
},
{
"source": ".mcp.json",
"estimated_tokens": 53,
"estimated_tokens": 45,
"rank": 5,
"recommendations": [
"Deduplicate overlapping entries — each duplicate inflates the per-turn schema payload.",
@ -431,7 +431,7 @@
"path": "/Users/ktg/repos/ktg-plugin-marketplace/config-audit/tests/fixtures/marketplace-medium/.mcp.json"
}
],
"total_estimated_tokens": 809,
"total_estimated_tokens": 801,
"activeConfig": {
"claudeMdEstimatedTokens": 1639,
"mcpServerCount": 1,
@ -457,7 +457,7 @@
"scanner": "DIS",
"status": "ok",
"files_scanned": 1,
"duration_ms": 0,
"duration_ms": 1,
"findings": [],
"counts": {
"critical": 0,
@ -471,7 +471,7 @@
"scanner": "COL",
"status": "ok",
"files_scanned": 0,
"duration_ms": 1,
"duration_ms": 0,
"findings": [],
"counts": {
"critical": 0,

View file

@ -3,7 +3,7 @@
"status": "ok",
"files_scanned": 2,
"duration_ms": 9,
"total_estimated_tokens": 809,
"total_estimated_tokens": 801,
"hotspots": [
{
"source": "mcp:memory (.mcp.json)",
@ -45,7 +45,7 @@
},
{
"source": ".mcp.json",
"estimated_tokens": 53,
"estimated_tokens": 45,
"rank": 5,
"recommendations": [
"Deduplicate overlapping entries — each duplicate inflates the per-turn schema payload.",