Discover MCP server card [warning]! The MCP server card was found only at a transitional or linked path.INFODiscover MCP server card candidateCount=5INFOBuild MCP server-card candidate list currentPath="/.well-known/mcp-server-card" transitionalPaths=["/.well-known/mcp/server-card.json","/.well-known/mcp/server-cards.json","/mcp.json","/.well-known/mcp.json"] linkedPaths=[]INFOTrying to fetch /.well-known/mcp-server-card url="https://haveibeenpwned.com/.well-known/mcp-server-card" source="current"FAIL/.well-known/mcp-server-card did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"INFOTrying to fetch /.well-known/mcp/server-card.json url="https://haveibeenpwned.com/.well-known/mcp/server-card.json" source="transitional"PASS/.well-known/mcp/server-card.json returned a successful response statusCode=200 contentType="application/json; charset=utf-8" finalUrl="https://haveibeenpwned.com/.well-known/mcp/server-card.json"INFOTrying to fetch /.well-known/mcp/server-cards.json url="https://haveibeenpwned.com/.well-known/mcp/server-cards.json" source="transitional"FAIL/.well-known/mcp/server-cards.json did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"INFOTrying to fetch /mcp.json url="https://haveibeenpwned.com/mcp.json" source="transitional"FAIL/mcp.json did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"INFOTrying to fetch /.well-known/mcp.json url="https://haveibeenpwned.com/.well-known/mcp.json" source="transitional"FAIL/.well-known/mcp.json did not return a usable server card statusCode=404 contentType="text/html; charset=utf-8"WARNCheck selected card is published at the current well-known path actual="/.well-known/mcp/server-card.json" expected="/.well-known/mcp-server-card" source="transitional" finalUrl="https://haveibeenpwned.com/.well-known/mcp/server-card.json"WARNMCP server card was discovered through a transitional or linked path path="/.well-known/mcp/server-card.json" source="transitional" reason="The MCP server card was found only at a transitional or linked path."Validate server-card shape [fail]! MCP Server Card is missing required fields: protocolVersion.INFOValidate server-card shape profile="legacy-server-card"PASSCheck response body parsed as JSON actual=true expected=truePASSCheck Content-Type is JSON-compatible actual=true expected=trueWARNCheck recognized MCP server-card profile actual="legacy-server-card" expected="sep-2127-draft" reason="Document uses the transitional serverInfo/protocolVersion/transport metadata model."FAILCheck required card fields are present actual=1 expected=0 missing=["protocolVersion"]WARNCheck MCP server-card uses the current remotes[] profile without legacy compatibility warnings actual="1 compatibility warning(s)" expected="current sep-2127-draft card shape with no legacy compatibility warnings" warnings=["Card uses the transitional serverInfo/protocolVersion/transport shape instead of the current remotes[] model."]FAILMCP server-card shape validation failed reason="MCP Server Card is missing required fields: protocolVersion."Validate MCP remotes [fail]! At least one MCP remote transport is invalid.INFOValidate MCP remotes remoteCount=1PASSCheck at least one MCP remote is declared actual=1 expected="> 0"FAILCheck invalid remote count actual=1 expected=0 invalidRemotes=[{"index":0,"source":"transport","issues":["missing url or endpoint"]}]WARNCheck same-origin remote coverage actual=0 expected=1FAILRemote #0 is invalid index=0 source="transport" type="streamable-http" authRequired=false issues=["missing url or endpoint"]FAILMCP remote validation failed reason="At least one MCP remote transport is invalid."Probe same-origin MCP endpoint [warning]! No MCP remote endpoint could be probed.INFOProbe same-origin MCP endpoint probeCount=0INFOSelecting same-origin unauthenticated MCP remotes for a bounded initialize probeWARNCheck successful initialize probe count actual=0 expected="> 0 when a safe same-origin unauthenticated remote exists" activeProbeCount=0 authBlocked=0WARNMCP endpoint probe could not fully confirm operability reason="No MCP remote endpoint could be probed."

Fetch root llms.txt [fail]! /llms.txt was not found or could not be fetched.INFOFetch root llms.txt path="/llms.txt"INFOTrying to fetch /llms.txt url="https://haveibeenpwned.com/llms.txt"FAIL/llms.txt was not found or could not be fetched statusCode=404FAILFetch root llms.txt failed reason="/llms.txt is required for this check."Inspect optional llms-full.txt [informational]INFOInspect optional llms-full.txtINFOTrying to fetch /llms-full.txt url="https://haveibeenpwned.com/llms-full.txt"SKIP/llms-full.txt is not present statusCode=404

Organization entity [fail]! No Organization or Organization subtype was found in Schema.org structured data.INFOOrganization entityINFOLooking for Organization or Organization subtype in structured data observedTypes=[]FAILCheck Organization entity presence actual=false expected=true fields=[{"name":"Organization.@type","present":false},{"name":"Organization.@id","present":false},{"name":"Organization.name","present":false},{"name":"Organization.url","present":false},{"name":"Organization.logo","present":false},{"name":"Organization.sameAs","present":false}]FAILOrganization entity is missingWebSite entity [fail]! No WebSite entity was found in Schema.org structured data.INFOWebSite entityINFOLooking for WebSite entity in structured data FAILCheck WebSite entity presence actual=false expected=true fields=[{"name":"WebSite.@type","present":false},{"name":"WebSite.@id","present":false},{"name":"WebSite.name","present":false},{"name":"WebSite.url","present":false},{"name":"WebSite.publisher.@id","present":false},{"name":"WebSite.publisher.name","present":false},{"name":"WebSite.publisher.url","present":false}]FAILWebSite entity is missingIdentity fields [fail]! Missing identity field(s): Organization.name, Organization.url, WebSite.name, WebSite.url.INFOIdentity fieldsINFOChecking Organization and WebSite name/url fields FAILCheck required identity fields actual=0 expected=4 missing=["Organization.name","Organization.url","WebSite.name","WebSite.url"] organizationFields=[{"name":"Organization.@type","present":false},{"name":"Organization.@id","present":false},{"name":"Organization.name","present":false},{"name":"Organization.url","present":false},{"name":"Organization.logo","present":false},{"name":"Organization.sameAs","present":false}] websiteFields=[{"name":"WebSite.@type","present":false},{"name":"WebSite.@id","present":false},{"name":"WebSite.name","present":false},{"name":"WebSite.url","present":false},{"name":"WebSite.publisher.@id","present":false},{"name":"WebSite.publisher.name","present":false},{"name":"WebSite.publisher.url","present":false}]WARNCheck identity URLs match scanned origin actual={"organizationUrlMatchesOrigin":false,"websiteUrlMatchesOrigin":false} expected={"organizationUrlMatchesOrigin":true,"websiteUrlMatchesOrigin":true}FAILIdentity fields are missing missing=["Organization.name","Organization.url","WebSite.name","WebSite.url"]WebSite publisher linkage [fail]! WebSite.publisher is missing.INFOWebSite publisher linkageINFOChecking whether WebSite.publisher points to the Organization entity FAILCheck publisher presence actual=false expected=true publisher={"present":false,"matchesOrganization":false} website={} organization={}FAILCheck publisher matches Organization actual=false expected=trueFAILWebSite publisher is missingOrganization trust fields [fail]! Organization schema is missing logo and sameAs or public contact evidence.INFOOrganization trust fieldsINFOChecking logo, sameAs, and public contact evidence FAILCheck logo presence actual=false expected=true fields=[{"name":"Organization.logo","present":false},{"name":"Organization.sameAs","present":false},{"name":"Organization.contactPoint","present":false},{"name":"Organization.telephone","present":false},{"name":"Organization.email","present":false},{"name":"Organization.address","present":false}]FAILCheck sameAs or contact evidence actual=0 expected=">= 1" sameAsCount=0 contactSignalCount=0 fields=[{"name":"Organization.logo","present":false},{"name":"Organization.sameAs","present":false},{"name":"Organization.contactPoint","present":false},{"name":"Organization.telephone","present":false},{"name":"Organization.email","present":false},{"name":"Organization.address","present":false}]FAILOrganization trust fields are missing

Recognized structured data format [fail]! No JSON-LD, Microdata, or RDFa structured data was found.INFORecognized structured data formatINFODetecting JSON-LD, Microdata, and RDFa in the page HTMLFAILCheck recognized structured-data formats found actual=0 expected="> 0" formatsFound=[]FAILNo recognized structured-data format foundPage-relevant schema family [fail]! The page has specific visible content intent, but structured data does not include a matching primary schema family.INFOPage-relevant schema familyINFOInferring specific page intent and comparing it with detected Schema.org typesFAILCheck schema types matching specific visible page intent actual=0 expected="> 0" inferredIntents=["local-business"] expectedTypes=["LocalBusiness"] matchingTypes=[] observedTypes=[]FAILNo primary schema family matches the inferred page intent expectedTypes=["LocalBusiness"] primaryTypes=[]

Detect WebMCP runtime API [informational]INFODetect WebMCP runtime API status="informational"INFOProbe rendered browser for WebMCP runtime objects SKIPCheck current W3C runtime API actual="not detected" expected="document.modelContext/registerTool available"INFOWebMCP evidence was recorded for context. status="informational"Probe WebMCP operability [warning]! No WebMCP surface was found to probe.INFOProbe WebMCP operability status="warning"INFORun safe WebMCP operability checks safeProbeOnly=trueWARNCheck usable WebMCP evidence actual=0 expected="at least 1 usable runtime, declarative, annotation, or static manifest signal"WARNWebMCP operability warning warning="No WebMCP surface was found to probe."WARNWebMCP operability warning warning="Conventional WebMCP manifest paths were checked but did not return a valid manifest."WARNNo WebMCP surface was found to probe.Validate declarative WebMCP form tools [informational]! No W3C-style declarative WebMCP form attributes were found.INFOValidate declarative WebMCP form tools status="informational"INFOInspect visible forms and controls for current declarative WebMCP attributes annotatedElements=0 formsWithAttributes=0 controlsWithAttributes=0SKIPValidate declarative WebMCP attribute quality actual=0 expected=0INFONo W3C-style declarative WebMCP form attributes were found. status="informational"Validate MCP-aware HTML annotations [informational]! No data-mcp-tool or hyphenated WebMCP compatibility annotations were found.INFOValidate MCP-aware HTML annotations status="informational"INFOInspect HTML for MCP compatibility annotations compatibilityAttributeCount=0 dataMcpToolCount=0 examples=[]SKIPValidate compatibility annotation quality actual=0 expected=0INFONo data-mcp-tool or hyphenated WebMCP compatibility annotations were found. status="informational"Validate static WebMCP JSON compatibility [warning]! No static WebMCP JSON manifest or WMCP interaction graph was found.INFOValidate static WebMCP JSON compatibility status="warning"INFODiscover static WebMCP manifest candidates conventionalPaths=["/.well-known/webmcp.json","/webmcp.json"] checkedCount=2 profileCounts={}INFOWebMCP manifest candidate checked source="path" path="/.well-known/webmcp.json" url="https://haveibeenpwned.com/.well-known/webmcp.json" statusCode=404 contentType="text/html; charset=utf-8"INFOWebMCP manifest candidate checked source="path" path="/webmcp.json" url="https://haveibeenpwned.com/webmcp.json" statusCode=404 contentType="text/html; charset=utf-8"WARNValidate discovered static WebMCP metadata actual={"validManifestCount":0,"invalidManifestCount":0,"toolCount":0,"wmcpActionCount":0} expected="at least 1 valid tools[] manifest or WMCP graph when static metadata is present"WARNNo static WebMCP JSON manifest or WMCP interaction graph was found.Validate WebMCP tool metadata quality [informational]INFOValidate WebMCP tool metadata quality status="informational"INFOInspect WebMCP tool names, descriptions, schemas, and safety hints toolCount=0SKIPCheck tool metadata findings actual={"issueCount":0,"warningCount":0} expected="0 issues and 0 warnings"INFOWebMCP evidence was recorded for context. status="informational"Review WebMCP security and policy signals [informational]INFOReview WebMCP security and policy signals status="informational"INFOInspect WebMCP security and policy signals permissionsPolicy="accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()" failureCount=0 warningCount=0PASSCheck security findings actual={"failures":0,"warnings":0} expected="0 failures and 0 warnings"INFOWebMCP evidence was recorded for context. status="informational"

Classify AI crawler rules [fail]! No explicit User-agent rules were found for major AI crawler tokens.INFOClassify AI crawler rulesINFOParsing User-agent groups and Allow/Disallow records for known AI crawler tokens evaluatedPath="/"INFOEvaluating exact User-agent matches before wildcard fallback exactAiPolicyCount=0 totalCrawlerTokens=18FAILNo explicit AI crawler User-agent groups were found examplesExpected=["GPTBot","OAI-SearchBot","ClaudeBot","Google-Extended","CCBot"]FAILCompare explicit AI crawler coverage actual=0 expected="> 0 explicit non-search AI crawler policies" missingTokens=["GPTBot","OAI-SearchBot","ChatGPT-User","ClaudeBot","Claude-SearchBot","Claude-User","Google-Extended","Applebot-Extended","Amazonbot","Amzn-SearchBot","Amzn-User","PerplexityBot"]INFOResolved effective root-path policy for crawler tokens blocked=0 allowed=21 unspecified=0

Page landmarks [fail]! Expected exactly one visible main landmark; found 0.INFOPage landmarksFAILCheck page landmarks evidence actual={"counts":{"main":0,"roleMain":0,"nav":1,"roleNavigation":0,"header":0,"roleBanner":0,"footer":1,"pageFooter":1,"roleContentinfo":0},"main":false} expected="semantic HTML evidence for this step"FAILPage landmarks failed issue="Expected exactly one visible main landmark; found 0."Heading structure [fail]! Expected one meaningful visible h1; found 0.INFOHeading structureFAILCheck heading structure evidence actual={"counts":{"h1":0,"visibleH1":0,"headings":8,"emptyHeadings":0},"meaningfulH1":false} expected="semantic HTML evidence for this step"FAILHeading structure failed issue="Expected one meaningful visible h1; found 0."Links [fail]! 7 links are missing accessible names.INFOLinksFAILCheck links evidence actual={"counts":{"links":47,"inaccessibleLinks":7,"nonCrawlableLinks":0,"genericLinks":0},"accessibleLinks":false} expected="semantic HTML evidence for this step"FAILLinks failed issue="7 links are missing accessible names."Buttons and interactive controls [fail]! 1 button controls are missing accessible names.INFOButtons and interactive controlsFAILCheck buttons and interactive controls evidence actual={"counts":{"buttons":5,"inaccessibleButtons":1},"accessibleButtons":false} expected="links, buttons, and form controls expose accessible names"FAILButtons and interactive controls failed issue="1 button controls are missing accessible names."Form labels and autocomplete [fail]! 1 user-fillable form controls are missing labels.INFOForm labels and autocompleteFAILCheck form labels and autocomplete evidence actual={"counts":{"formControls":1,"unlabeledFormControls":1,"autocompleteInputs":1,"inputsWithAutocomplete":0,"missingAutocompleteInputs":1},"formLabelCoverage":false} expected="semantic HTML evidence for this step"FAILForm labels and autocomplete failed issue="1 user-fillable form controls are missing labels."Native semantics and ARIA [warning]! 3 ARIA/native semantic conflicts or redundancies were found.INFONative semantics and ARIAWARNCheck native semantics and aria evidence actual={"counts":{"ariaIssues":3},"nativeSemanticIntegrity":false} expected="native HTML semantics are present and not replaced by conflicting ARIA"WARNNative semantics and ARIA has a warning issue="3 ARIA/native semantic conflicts or redundancies were found."

Discover RSL declarations [warning]! No RSL declarations were found.INFODiscover RSL declarationsINFOChecking robots.txt License records, HTTP Link rel=license headers, HTML license links, and inline RSL XML robotsFound=trueSKIPCount discovered RSL declarations actual=0 expected=">= 1 when RSL licensing terms are published" sources={}WARNNo RSL declarations were found on any supported discovery surface.

Fetch /.well-known/tdmrep.json [warning]! No TDMRep declaration was found at /.well-known/tdmrep.json.INFOFetch /.well-known/tdmrep.jsonINFORequesting origin-level TDMRep declaration at /.well-known/tdmrep.jsonWARNCompare TDMRep file response actual=404 expected="2xx with JSON array when origin-level TDMRep is published" contentType="text/html; charset=utf-8" length=12645WARNNo TDMRep declaration was found at /.well-known/tdmrep.json. 

Discover A2A Agent Card [warning]! No A2A Agent Card was found at the current, legacy, or fallback discovery paths.INFODiscover A2A Agent CardINFOTry A2A discovery paths in priority order paths=["/.well-known/agent-card.json","/.well-known/agent.json","/agent-card.json","/.well-known/a2a/agent-card.json"]WARNA2A candidate path did not return a usable card path="/.well-known/agent-card.json" statusCode=404 contentType="text/html; charset=utf-8"WARNA2A candidate path did not return a usable card path="/.well-known/agent.json" statusCode=404 contentType="text/html; charset=utf-8"WARNA2A candidate path did not return a usable card path="/agent-card.json" statusCode=404 contentType="text/html; charset=utf-8"WARNA2A candidate path did not return a usable card path="/.well-known/a2a/agent-card.json" statusCode=404 contentType="text/html; charset=utf-8"WARNNo A2A Agent Card candidate was selectedWARNNo A2A Agent Card was found at the current, legacy, or fallback discovery paths.

Discover agents.json [warning]! No Wildcard-style agents.json file was found.INFODiscover agents.jsonINFOTry agents.json discovery paths in priority order paths=["/.well-known/agents.json","/agents.json"]WARNagents.json candidate path did not return a usable contract path="/.well-known/agents.json" statusCode=404 contentType="text/html; charset=utf-8"WARNagents.json candidate path did not return a usable contract path="/agents.json" statusCode=404 contentType="text/html; charset=utf-8"WARNNo agents.json candidate was selectedWARNNo Wildcard-style agents.json file was found.

Validate metadata profile [warning]! revocation_endpoint is omitted.INFOValidate metadata profileINFOParsing and validating OAuth/OIDC metadata profile valid=true compatibleContentType=true profile="hybrid" missingCount=0 warningsCount=2 endpointIssuesCount=0 issuer="https://haveibeenpwned.com/" authorizationEndpoint="https://haveibeenpwned.com/connect/authorize" tokenEndpoint="https://haveibeenpwned.com/connect/token"PASSCheck metadata profile was recognized actual="hybrid" expected="oauth-authorization-server, oidc, or hybrid"PASSCheck required metadata fields are present actual=0 expected=0 missing=[]WARNCheck OAuth metadata is fully usable by browser and agent clients actual="2 client-usage warning(s)" expected="no CORS, endpoint, or compatibility warnings" warnings=["revocation_endpoint is omitted.","introspection_endpoint is omitted."]WARNOAuth metadata client-usage warning warning="revocation_endpoint is omitted."WARNOAuth metadata client-usage warning warning="introspection_endpoint is omitted."WARNValidate metadata profile completed with warnings issue="revocation_endpoint is omitted."Probe authorization endpoint [fail]! authorization_endpoint did not behave like an operational OAuth authorization endpoint.INFOProbe authorization endpointINFOSafely probing advertised authorization endpoint shape url="https://haveibeenpwned.com/connect/authorize?response_type=code&client_id=can-agent-use-scanner&redirect_uri=https%3A%2F%2Fcan-agent-use.invalid%2Foauth%2Fcallback&scope=openid&state=can-agent-use-probe" method="GET" statusCode=400 location=null contentType="text/plain;charset=UTF-8" excerpt="error:invalid_request\r\nerror_description:The specified 'client_id' is invalid.\r\nerror_uri:https://documentation.openiddict.com/errors/ID2052\r\n"FAILCheck authorization endpoint responds with protocol-shaped result actual=400 expected="redirect or OAuth error response"FAILProbe authorization endpoint failed issue="authorization_endpoint did not behave like an operational OAuth authorization endpoint."

Query DNS-AID records [warning]! No DNS-AID HTTPS/SVCB records were found under _agents.INFOQuery DNS-AID recordsINFOBuild DNS-AID query names from hostname hostname="haveibeenpwned.com" labels=["_index._agents.haveibeenpwned.com","_a2a._agents.haveibeenpwned.com"] claimedOnPage=falseWARNDNS query returned no DNS-AID answers name="_index._agents.haveibeenpwned.com" rrtype="HTTPS" resolver="cloudflare-doh-json" rcode=0 ad=true answerCount=0WARNDNS query returned no DNS-AID answers name="_index._agents.haveibeenpwned.com" rrtype="SVCB" resolver="cloudflare-doh-json" rcode=0 ad=true answerCount=0WARNDNS query returned no DNS-AID answers name="_index._agents.haveibeenpwned.com" rrtype="ANY" resolver="node-resolveAny-fallback" answerCount=0 error="queryAny ETIMEOUT _index._agents.haveibeenpwned.com"WARNDNS query returned no DNS-AID answers name="_a2a._agents.haveibeenpwned.com" rrtype="HTTPS" resolver="cloudflare-doh-json" rcode=0 ad=true answerCount=0WARNDNS query returned no DNS-AID answers name="_a2a._agents.haveibeenpwned.com" rrtype="SVCB" resolver="cloudflare-doh-json" rcode=0 ad=true answerCount=0WARNDNS query returned no DNS-AID answers name="_a2a._agents.haveibeenpwned.com" rrtype="ANY" resolver="node-resolveAny-fallback" answerCount=0 error="queryAny ETIMEOUT _a2a._agents.haveibeenpwned.com"WARNCompare total DNS-AID answer count actual=0 expected="> 0"WARNNo DNS-AID HTTPS/SVCB records were found under _agents.

Validate resource identity [fail]! Protected resource metadata `resource` did not match the resource identifier used to retrieve it.INFOValidate resource identityINFOComparing metadata resource identifier with the candidate resource resource="https://haveibeenpwned.com/mcp" expectedResource="https://haveibeenpwned.com" candidatePresent=trueFAILCheck protected resource identity matches actual="https://haveibeenpwned.com/mcp" expected="https://haveibeenpwned.com"FAILValidate resource identity failed issue="Protected resource metadata `resource` did not match the resource identifier used to retrieve it."Validate protected resource challenge [warning]! No protected route with a 401 resource_metadata challenge was detected; metadata shape is valid but route linkage was not proven.INFOValidate protected resource challengeINFOProbing protected routes for WWW-Authenticate resource_metadata linkage checkedCount=6INFOChecked protected route challenge url="https://haveibeenpwned.com/API/v3" statusCode=200 wwwAuthenticate={"valid":false,"present":false,"params":{}} expectedMetadataUrl="https://haveibeenpwned.com/.well-known/oauth-protected-resource" metadataUrlMatches=true expectedResource="https://haveibeenpwned.com" metadataResource="https://haveibeenpwned.com/mcp" resourceMatches=false scopePresent=falseINFOChecked protected route challenge url="https://haveibeenpwned.com/Docs/MCP" statusCode=200 wwwAuthenticate={"valid":false,"present":false,"params":{}} expectedMetadataUrl="https://haveibeenpwned.com/.well-known/oauth-protected-resource" metadataUrlMatches=true expectedResource="https://haveibeenpwned.com" metadataResource="https://haveibeenpwned.com/mcp" resourceMatches=false scopePresent=falseINFOChecked protected route challenge url="https://haveibeenpwned.com/api/scans" statusCode=404 wwwAuthenticate={"valid":false,"present":false,"params":{}} expectedMetadataUrl="https://haveibeenpwned.com/.well-known/oauth-protected-resource" metadataUrlMatches=true expectedResource="https://haveibeenpwned.com" metadataResource="https://haveibeenpwned.com/mcp" resourceMatches=false scopePresent=falseINFOChecked protected route challenge url="https://haveibeenpwned.com/api/admin/scans" statusCode=404 wwwAuthenticate={"valid":false,"present":false,"params":{}} expectedMetadataUrl="https://haveibeenpwned.com/.well-known/oauth-protected-resource" metadataUrlMatches=true expectedResource="https://haveibeenpwned.com" metadataResource="https://haveibeenpwned.com/mcp" resourceMatches=false scopePresent=falseINFOChecked protected route challenge url="https://haveibeenpwned.com/api/admin/summary" statusCode=404 wwwAuthenticate={"valid":false,"present":false,"params":{}} expectedMetadataUrl="https://haveibeenpwned.com/.well-known/oauth-protected-resource" metadataUrlMatches=true expectedResource="https://haveibeenpwned.com" metadataResource="https://haveibeenpwned.com/mcp" resourceMatches=false scopePresent=falseINFOChecked protected route challenge url="https://haveibeenpwned.com/mcp" statusCode=405 wwwAuthenticate={"valid":false,"present":false,"params":{}} expectedMetadataUrl="https://haveibeenpwned.com/.well-known/oauth-protected-resource" metadataUrlMatches=true expectedResource="https://haveibeenpwned.com" metadataResource="https://haveibeenpwned.com/mcp" resourceMatches=true scopePresent=falseWARNCheck challenge includes resource_metadata linkage actual=1 expected="> 0 matching protected route challenges"WARNValidate protected resource challenge completed with warnings issue="No protected route with a 401 resource_metadata challenge was detected; metadata shape is valid but route linkage was not proven."

Validate Auth.md authorization metadata [warning]! OAuth authorization-server metadata did not include usable Auth.md v1 fields. agent_registration_endpoint issues: [{"field":"agent_registration_endpoint","issue":"Expected an absolute HTTPS URL."}]; missing credential_types_supported.INFOValidate Auth.md authorization metadataINFOFetch Auth.md-related resource path="/.well-known/oauth-authorization-server" statusCode=200 contentType="application/json;charset=UTF-8" bytes=1708WARNCompare response Content-Type with expected Auth.md media type actual=true expected=trueWARNCompare Auth.md/OAuth metadata validation result actual=false expected=trueWARNCompare supported credential type count actual=0 expected="> 0"WARNAuth.md validation issue issue="OAuth authorization-server metadata did not include usable Auth.md v1 fields. agent_registration_endpoint issues: [{\"field\":\"agent_registration_endpoint\",\"issue\":\"Expected an absolute HTTPS URL.\"}]; missing credential_types_supported."WARNOAuth authorization-server metadata did not include usable Auth.md v1 fields. agent_registration_endpoint issues: [{"field":"agent_registration_endpoint","issue":"Expected an absolute HTTPS URL."}]; missing credential_types_supported.

Review policy strength [warning]! no-referrer-when-downgrade is weaker than the modern baseline and can send full URLs cross-origin.INFOReview policy strengthINFOClassify effective referrer policy effectivePolicy="no-referrer-when-downgrade" classification="weak" strongPolicies=["no-referrer","same-origin","strict-origin","strict-origin-when-cross-origin"] weakPolicies=["no-referrer-when-downgrade","origin","origin-when-cross-origin"] unsafePolicy="unsafe-url"WARNCompare policy privacy strength actual="weak" expected="strong or modern-baseline" issue="no-referrer-when-downgrade is weaker than the modern baseline and can send full URLs cross-origin."WARNno-referrer-when-downgrade is weaker than the modern baseline and can send full URLs cross-origin.Review observed browser responses [warning]! One or more same-origin HTML documents observed by Chrome emitted a weaker Referrer-Policy.INFOReview observed browser responsesINFOSample Chrome-observed same-origin responses observedResponseCount=21 sameOriginCount=11 htmlDocumentCount=1WARNCompare observed Referrer-Policy coverage actual={"missingPolicyCount":0,"unsafeOrInvalidPolicyCount":0,"weakPolicyCount":1,"affected":[{"url":"https://haveibeenpwned.com/","status":200,"resourceType":"document","contentType":"text/html; charset=utf-8","referrerPolicy":"no-referrer-when-downgrade","effectivePolicy":"no-referrer-when-downgrade","classification":"weak"}]} expected="0 missing, unsafe, invalid, or weak same-origin HTML responses" issue="One or more same-origin HTML documents observed by Chrome emitted a weaker Referrer-Policy."WARNOne or more same-origin HTML documents observed by Chrome emitted a weaker Referrer-Policy.

Validate skill content [warning]! description is short; stronger skills describe both task scope and when to use the skill.INFOValidate skill contentWARNCompare skill artifact content failures actual=0 expected=0 name="hibp-mcp" type="skill-md" url="https://haveibeenpwned.com/.well-known/agent-skills/hibp-mcp/SKILL.md"WARNSkill content validation warning name="hibp-mcp" warning="description is short; stronger skills describe both task scope and when to use the skill."WARNSkill content validation warning name="hibp-mcp" warning="description does not clearly state when an agent should activate the skill."WARNdescription is short; stronger skills describe both task scope and when to use the skill.Review skill artifact security [warning]! SKILL.md references external URLs; fetched content is an additional trust boundary (https://haveibeenpwned.com/mcp`, https://haveibeenpwned.com/.well-known/oauth-protected-resource`, https://haveibeenpwned.com/auth.md`).INFOReview skill artifact securityFAILCompare security finding count actual=1 expected=0WARNAgent Skills artifact security warning finding="SKILL.md references external URLs; fetched content is an additional trust boundary (https://haveibeenpwned.com/mcp`, https://haveibeenpwned.com/.well-known/oauth-protected-resource`, https://haveibeenpwned.com/auth.md`)."WARNSKILL.md references external URLs; fetched content is an additional trust boundary (https://haveibeenpwned.com/mcp`, https://haveibeenpwned.com/.well-known/oauth-protected-resource`, https://haveibeenpwned.com/auth.md`).

Check machine-usable details [warning]! OpenAPI is valid, but missing schemas, parameters, servers, auth, operation IDs, tags, or examples reduces machine usability.INFOCheck machine-usable details status="warning"INFOInspect machine-usable operation details hasServers=true hasSecuritySchemes=true hasExplicitNoAuth=true requestBodyOperationCount=3 parameterOperationCount=17 responseSchemaOperationCount=17 operationIdCount=0 taggedOperationCount=0 exampleOperationCount=11WARNCheck OpenAPI operations include enough detail for agents to call them safely actual="3 machine-usability warning(s)" expected="servers, auth/no-auth signals, operationIds, parameters, request bodies, responses, tags, and examples where relevant"WARNMachine-usability warning warning="One or more operations are missing operationId."WARNMachine-usability warning warning="One or more operations are missing tags."WARNMachine-usability warning warning="One or more operations do not include examples."WARNOpenAPI is valid, but missing schemas, parameters, servers, auth, operation IDs, tags, or examples reduces machine usability.

Evaluate script execution [warning]! script-src allows wildcard script hosts.INFOEvaluate script executionINFOInspect effective script directive effectiveDirective="script-src" sources=["'self'","cdnjs.cloudflare.com","az416426.vo.msecnd.net","ajax.cloudflare.com","challenges.cloudflare.com","static.cloudflareinsights.com","*.monitor.azure.com","*.applicationinsights.io","'report-sample'","'sha256-cj00wrTvlrj8ekHe2A9FqhDO5X0mvSr/lzIuvFKuMmA='","'nonce-fjdaQzZaHbjDGWa/2S9DxQqM8ZeIG8aYSxeHZCNEas8='"]WARNCompare script execution posture actual={"hasNonce":true,"hasHash":true,"hasStrictDynamic":false,"hasUnsafeInline":false,"hasUnsafeEval":false,"hasWildcardHost":true,"hasBroadScheme":false,"dangerousSchemes":[]} expected="constrained script sources without unsafe execution allowances" issue="script-src allows wildcard script hosts."WARNscript-src allows wildcard script hosts.

Check API catalog HEAD Link header [warning]! HEAD /.well-known/api-catalog did not return a 2xx/3xx response.INFOCheck API catalog HEAD Link headerINFOSend HEAD request to API catalog path attempted=true statusCode=405 contentType="text/html; charset=utf-8"WARNCompare HEAD Link rel=api-catalog count actual=0 expected="> 0"WARNHEAD /.well-known/api-catalog did not return a 2xx/3xx response. status="warning"

Review observed browser responses [warning]! One or more same-origin active resources observed by Chrome did not emit X-Content-Type-Options: nosniff.INFOReview observed browser responsesINFOSample Chrome-observed same-origin resources observedResponseCount=21 sameOriginCount=11 eligibleCount=10WARNCompare observed nosniff coverage actual={"missingNosniffCount":1,"malformedNosniffCount":0,"activeResourceMissingNosniffCount":1,"affected":[{"url":"https://haveibeenpwned.com/cdn-cgi/challenge-platform/h/g/jsd/oneshot/8fc8ed1d8752/0.5145735158300376:1781532331:Cydia7NGSqYtvzImzXMhYr37hKehjru96v3qb5lPxio/a0c267fb08f4c174","status":200,"resourceType":"xhr","contentType":"text/plain; charset=UTF-8"}]} expected="0 missing or malformed eligible same-origin responses" issue="One or more same-origin active resources observed by Chrome did not emit X-Content-Type-Options: nosniff."WARNOne or more same-origin active resources observed by Chrome did not emit X-Content-Type-Options: nosniff.

Review preload opt-in [warning]! preload is present; verify hstspreload.org operational requirements before submission.INFOReview preload opt-inINFOInspect preload opt-in preload=true includeSubDomains=true maxAge=31536000WARNCompare header-level preload requirements actual="eligible by header" expected="preload + includeSubDomains + max-age >= 31536000" issue="preload is present; verify hstspreload.org operational requirements before submission."WARNpreload is present; verify hstspreload.org operational requirements before submission.

Find advertised IndexNow key location [informational]! No IndexNow key location was advertised in HTML, Link headers, or robots.txt.INFOFind advertised IndexNow key locationINFOLook for IndexNow key hints in HTML, Link headers, and robots.txt supportedHints=["robots.txt IndexNow-Key","rel=indexnow-key","meta name=indexnow-key-location"]PASSCompare advertised key location count actual=0 expected="> 0"WARNNo IndexNow key location was advertised in HTML, Link headers, or robots.txt.Fetch and validate IndexNow key file [informational]! No discoverable IndexNow key file was found.INFOFetch and validate IndexNow key fileINFOLook for IndexNow key hints in HTML, Link headers, and robots.txt supportedHints=["robots.txt IndexNow-Key","rel=indexnow-key","meta name=indexnow-key-location"]PASSCompare advertised key location count actual=0 expected="> 0"INFOFetch each advertised same-origin key file and validate filename/body matchFAILCompare valid IndexNow key file count actual=0 expected="> 0"WARNNo discoverable IndexNow key file was found.