Show HN:在 4,356 个可访问的 MCP 服务器中,仅有 1 个已适配 2026-07-28 规范
Show HN: Only 1 of 4,356 reachable MCP servers is ready for the 2026-07-28 spec

原始链接: https://github.com/Roee-Tsur/mcp-spec-check

2026 年 7 月 28 日即将发布的 MCP 协议将迎来重大变更,核心机制将转向无状态架构,弃用基于会话的握手方式,改为采用 `server/discover` 和强制路由标头。虽然这不会立即导致现有服务器“停机”,但对旧版本的长期支持最终将会终止。 您可以使用 `npx mcp-spec-check` 工具来评估服务器的兼容性。该工具会对您的实时端点进行为期 30 秒的黑盒探测,以验证您是否满足以下三项核心要求:`discover` 实现、`Mcp-Method/Name` 路由标头以及会话独立性。 该工具会给出明确的“YES”、“NO”或“UNKNOWN”判定,并为强制及可选功能提供评分。它专为 CI 环境设计,无需访问代码,并通过主机串行、只读请求确保对系统的影响降至最低。近期对 4,356 个注册服务器的扫描显示,超过 90% 的服务器尚未做好过渡准备。建议开发者尽早测试服务器,以确保在新规范成为行业标准前顺利完成迁移。

Hacker News | 最新 | 过往 | 评论 | 提问 | 展示 | 招聘 | 提交 | 登录 Show HN:在 4,356 个可访问的 MCP 服务器中,仅有 1 个符合 2026-07-28 规范 (github.com/roee-tsur) 13 分,由 roee_tsur 发布于 1 小时前 | 隐藏 | 过往 | 收藏 | 1 条评论 | 帮助 _3u10 5 分钟前 | 上一条 | 下一条 [–] 通常情况下,一个无法兼容 99.995% 生态系统的产品是行不通的。 回复 指南 | 常见问题 | 列表 | API | 安全 | 法律 | 申请 YC | 联系 搜索:
相关文章

原文

npm CI

Is your remote MCP server ready for the 2026-07-28 MCP spec release? Find out in 30 seconds.

npx mcp-spec-check https://your-server.com/mcp

Nothing breaks on July 28. That date is when the spec text publishes, not a switch that flips. Version negotiation keeps working and deprecated features live for at least 12 months. This tool measures adoption of the new stateless core, not a countdown to an outage.

The MCP 2026-07-28 release is the largest revision of the protocol since launch. The initialize handshake and Mcp-Session-Id are removed in favor of a stateless core, Mcp-Method / Mcp-Name routing headers become required, SSE elicitation is replaced by Multi Round-Trip Requests, and several error codes change. SDKs and clients are already moving to the stateless core, so servers that never migrate get left behind as support windows expire. mcp-spec-check black-box-probes your live endpoint (no code access needed) and tells you where you stand, with links to the migration docs.

I probed every remote server in the official MCP registry, all 7,850 of them, on 2026-07-12. Of the 4,356 I could reach openly, exactly 1 passes all three required checks and 90.8% are not ready yet. The migration to the stateless core has barely begun, which is what you would expect before the spec is even GA. Full writeup, with every percentage next to its denominator and a host-collapsed sensitivity view: docs/scan-2026-07.md (committed aggregate: scan-2026-07.aggregates.json).

The report leads with a one-line verdict, ready for 2026-07-28: YES / NO / UNKNOWN, decided only by the three required checks below (discover, routing-headers, session-independence): all three pass gives YES, any fail gives NO, otherwise UNKNOWN. A letter grade over every check follows as a secondary signal.

Only those first three can fail a server. The rest are warn: optional or forward-looking, never counted as "not ready" on their own.

A check the server answers too ambiguously to judge is marked inconclusive and, like a skipped check, does not count toward the grade. If too many land there, the tool reports grade ? ("couldn't assess", exit 2) rather than guess.

Check What it means
discover server/discover replaces the initialize handshake; servers must implement it
routing-headers Mcp-Method / Mcp-Name are required on every request so gateways can route
session-independence Protocol-level sessions are removed; session-pinned servers cannot serve the stateless core behind load balancers
error-codes (warn) resource-not-found renumbers from -32002 to -32602
cache-metadata (warn) new ttlMs / cacheScope caching metadata on list/read results
mrtr (warn) results carry a resultType field (Multi Round-Trip Requests replace SSE elicitation)
deprecated-features (warn) reliance on deprecated Logging or removed resources/subscribe capabilities
auth-metadata (warn) OAuth protected-resource metadata (RFC 9728) discoverable at /.well-known/oauth-protected-resource

How the verdicts are validated

Probe correctness is the whole game, so every check is pinned against known-truth servers rather than just asserted:

  • Two reference servers run in CI. A real old-spec server (official SDK v1) and an RC server (the 2026-07-28 SDK beta) are spawned on every build, and mcp-spec-check must produce the exact expected verdict for all eight checks against both (npm run verify:refs). A regression in either direction fails the build.
  • A known-truth panel cross-checks live public servers whose behavior is established, including GitHub's MCP server (auth-walled, RFC 9728 passes) and servers that should read as not-ready or inconclusive.
  • The official conformance suite runs against the RC reference server as an independent co-oracle.

If the tool ever gives your server a wrong verdict, that is the top-priority bug. Open an issue with the --json output.

npx mcp-spec-check <url>                 # human-readable report + letter grade
npx mcp-spec-check <url> --json          # machine-readable, for scripting
npx mcp-spec-check <url> --verbose       # include the "why" for each check
npx mcp-spec-check <url> --timeout 30000 # per-probe timeout in ms (default 15000)
npx mcp-spec-check <url> --bearer <token>          # sends Authorization: Bearer <token>
npx mcp-spec-check <url> --header "X-Api-Key: k"   # any header; repeatable

Without credentials, mcp-spec-check can classify an auth-walled server but cannot grade it: checks report skipped and the exit code is 2 (couldn't test). The auth-metadata check still runs, because its RFC 9728 probe of /.well-known/oauth-protected-resource is origin-level and needs no token, so you get a readiness signal even behind the wall.

Exit codes are CI-friendly: 0 ready, 1 at least one failing check, 2 couldn't test (probe error; endpoint auth-walled / unreachable / not MCP; or the server answered our probes too ambiguously to grade).

- run: npx mcp-spec-check ${{ env.MCP_SERVER_URL }}

Pure black-box HTTP probes against your live endpoint. No code access, nothing installed, nothing stored. Zero runtime dependencies.

Probing ethics. The registry scan only touches endpoints voluntarily published in the official public MCP registry as connect URLs. Probes are host-serial (one request at a time per host, so no server ever sees parallel load), read-only protocol calls with no side effects, sent with a named mcp-spec-check-scan User-Agent that links back to this repo. Per-server results stay on the machine that ran the scan; only aggregate counts and percentages are published.

The official conformance suite is a spec test framework for implementers, including draft-spec scenarios, that you wire up against your own code. YawLabs/mcp-compliance grades A to F compliance against the current 2025-11-25 spec. The official Inspector is for interactive debugging. mcp-spec-check is none of those: it is a 30-second black-box verdict on a hosted URL, aimed specifically at the next release (2026-07-28).

Issues and PRs welcome, see CONTRIBUTING.md. Probe correctness is the top priority: if a verdict looks wrong, please include the --json output.

MIT

联系我们 contact @ memedata.com