Audits MCP servers for Claude Code mcp_tool hook readiness: idempotency, latency, side-effects.
Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "io-studiomeyer-hook-conformance": {
      "args": [
        "-y",
        "mcp-hook-conformance"
      ],
      "command": "npx"
    }
  }
}
```
Part of the StudioMeyer MCP Stack — Built in Mallorca 🌴 · ⭐ if you use it
Run this in your terminal to verify the server starts:

```bash
npx -y 'mcp-hook-conformance' 2>&1 | head -1 && echo "✓ Server started successfully"
```
No known CVEs.
Checked mcp-hook-conformance against OSV.dev.
The third foundation pillar:

- `mcp-protocol-conformance` says: does the server speak the protocol?
- `mcp-server-attestation` says: who signed this server?
- `mcp-hook-conformance` says: is it safe to call this tool from a Stop, PreCompact, or UserPromptSubmit hook?

We have been building tools and systems for ourselves for the past two years. The fact that this repo is small and has few stars is not because it is new. It is because we only just decided to share what we have built. It is not a fresh experiment, it is a long story with a recent commit.
We love building things and sharing them. We do not love social media tactics, growth hacks, or chasing stars and followers. So this repo is small. The code is real, it gets used, issues get answered. Judge for yourself.
If it helps you, sharing, testing, and feedback help us. If it could be better, an issue is more useful. If you build something with it, tell us at hello@studiomeyer.io. That genuinely makes our day.
From a small studio in Palma de Mallorca.
```bash
npm install -g mcp-hook-conformance
```

Or run without install:

```bash
npx mcp-hook-conformance check ./hook-conformance.config.json
```

```bash
# 1. Scaffold a config
npx mcp-hook-conformance init --server-name my-mcp-server
# 2. Edit hook-conformance.config.json (point command/args at your server)
# 3. Run the audit
npx mcp-hook-conformance check ./hook-conformance.config.json
```
Exit codes:

- `0` audit passed (no FAILs)
- `1` audit produced at least one FAIL
- `2` config error (missing file, invalid schema, unknown suite name)

| Subcommand | Args | Description |
|---|---|---|
| `check` | `<config-path> [--output=human\|json\|junit] [--suite=...] [--tool=<name>] [--tries=<n>]` | Run audit; emits report to stdout. |
| `init` | `[--server-name=<name>] [--force]` | Write example `hook-conformance.config.json` to cwd. |
| `explain` | `<finding-code>` | Print full explanation and remediation for a finding (e.g. `IDEMP-001`). |
| `version-info` | — | Print tool version and supported MCP-spec range. (Alias: `version`.) |
This is a CLI, not an MCP server. Do NOT run `mcp-hook-conformance` via `mcp-inspector` — the package declares `mcp.specVersion` for the targets it audits, not because it speaks MCP itself. Inspector will EACCES on `dist/index.js` (which is the library export) by design.

| Suite | What it checks | Weight |
|---|---|---|
| `idempotency` | Same input N times produces same output, no UUIDs/timestamps unless annotated. | 30 |
| `side-effects` | Read-only tools must not mutate server state. Requires `stateProbe` config. | 25 |
| `latency` | p50 < 30s, p95 < 60s (configurable). 5 samples after 1 warmup call. | 20 |
| `determinism` | Response shape stable across calls; no float drift. | 15 |
| `dsgvo` | Tool d |
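
The idempotency and latency rows above, sketched as an added example that is not code from mcp-hook-conformance: it compares repeated responses field by field, labels drifting UUIDs and timestamps, and gates p50/p95 after dropping the warmup call. The function names, regexes, nearest-rank percentile method and sample data are assumptions.

```javascript
// Added illustration, not the tool's own implementation (names are hypothetical).
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
const ISO_TS_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// Flatten a JSON value into "path -> leaf" pairs so responses compare field by field.
function flatten(value, path = "$", out = new Map()) {
  if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value).sort()) flatten(value[key], `${path}.${key}`, out);
  } else {
    out.set(path, value);
  }
  return out;
}

// Compare N responses to the same input; report every field that changed and why.
function checkIdempotency(responses) {
  const maps = responses.map((r) => flatten(r));
  const paths = new Set(maps.flatMap((m) => [...m.keys()]));
  const findings = [];
  for (const path of paths) {
    const values = maps.map((m) => m.get(path)); // undefined if the field is missing
    if (values.every((v) => v === values[0])) continue;
    const kind = values.every((v) => UUID_RE.test(String(v))) ? "uuid"
      : values.every((v) => ISO_TS_RE.test(String(v))) ? "timestamp"
      : "other";
    findings.push({ path, kind });
  }
  return { pass: findings.length === 0, findings };
}

// Latency gate: drop warmup calls, then nearest-rank p50/p95 against the table's defaults.
function checkLatency(samplesMs, { warmup = 1, p50Max = 30000, p95Max = 60000 } = {}) {
  const sorted = samplesMs.slice(warmup).sort((a, b) => a - b);
  const rank = (q) => sorted[Math.max(0, Math.ceil(q * sorted.length) - 1)];
  const p50 = rank(0.5);
  const p95 = rank(0.95);
  return { p50, p95, pass: p50 < p50Max && p95 < p95Max };
}

// Constructed sample data: three calls to a hypothetical read-only tool, same input.
const SAMPLE_RESPONSES = [
  { items: ["a", "b"], requestId: "7b1e6c1a-3f0d-4c57-9a2e-0d4f5b6c7d81", at: "2025-01-01T10:00:00Z" },
  { items: ["a", "b"], requestId: "c2a4d9e0-58b1-4e6f-8b3a-1f2e3d4c5b6a", at: "2025-01-01T10:00:01Z" },
  { items: ["a", "b"], requestId: "0f9e8d7c-6b5a-4d3c-a2b1-c0d1e2f3a4b5", at: "2025-01-01T10:00:02Z" },
];
const SAMPLE_LATENCIES_MS = [900, 120, 110, 130, 125, 140]; // first value is the warmup call

console.log(checkIdempotency(SAMPLE_RESPONSES), checkLatency(SAMPLE_LATENCIES_MS));
```

A hook that fires on every Stop or UserPromptSubmit repeats the call many times, so the `uuid` and `timestamp` findings point at the fields a tool author would need to remove or annotate.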