What's broken?
The spec doesn't cover a case it clearly should
Where in the spec or docs?
https://modelcontextprotocol.io/specification/draft/basic/lifecycle#protocol-version-negotiation
What should happen?
Server identity information should be carried in server response messages similar to how client identity information is carried in the requests within _meta.
What actually happens?
Servers MUST implement server/discover. Clients MAY call it before sending any other requests to learn the server’s supported versions up front, but are not required to — a client is free to invoke any RPC inline and handle UnsupportedProtocolVersionError if its preferred version is not supported.
A client may NEVER invoke server/discover to retrieve the server identity information. This is especially true for enterprise AI workloads where the list of exercised capabilities is hard-coded in the agent.
Network security monitoring tools (e.g. IDPS) cannot reliably build server SBOM entries.
Similarly, passive inventory systems cannot enumerate deployed MCP servers reliably.
Anything else?
No response
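The inventory gap described in this issue, as an added example that is not part of the original report or the MCP project's code: a passive monitor correlates observed JSON-RPC messages per flow and can only name a server when it happens to see a server/discover reply. The `_meta` key names `clientInfo` and `serverInfo`, the layout of the server/discover result, and the captured messages are assumptions constructed for illustration.

```python
import json

# Assumed key names: the issue only says identity travels in _meta.
CLIENT_KEY, SERVER_KEY = "clientInfo", "serverInfo"

def build_inventory(capture):
    """Passively map each flow to the client/server identity seen on the wire."""
    inventory, pending = {}, set()
    for flow, raw in capture:
        msg = json.loads(raw)
        entry = inventory.setdefault(flow, {"client": None, "server": None})
        if "method" in msg:  # request or notification
            params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
            meta = params.get("_meta") or {}
            entry["client"] = meta.get(CLIENT_KEY, entry["client"])
            if msg["method"] == "server/discover":
                pending.add((flow, msg.get("id")))
        elif isinstance(msg.get("result"), dict):  # successful response
            result = msg["result"]
            if (flow, msg.get("id")) in pending:  # today: only this reply names the server
                pending.discard((flow, msg.get("id")))
                entry["server"] = result.get(SERVER_KEY, entry["server"])
            # Proposed in the issue: server identity in every response's _meta.
            entry["server"] = (result.get("_meta") or {}).get(SERVER_KEY, entry["server"])
    return inventory

def unidentified_servers(inventory):
    """Flows where traffic was observed but the server could not be named."""
    return sorted(f for f, e in inventory.items() if e["server"] is None)

def _m(**fields):
    return json.dumps({"jsonrpc": "2.0", **fields})

AGENT = {"_meta": {CLIENT_KEY: {"name": "agent-a", "version": "1.2.0"}}}
# Constructed capture. flow-a is a hard-coded agent that never calls server/discover.
CAPTURE = [
    ("flow-a", _m(id=1, method="tools/call", params={"name": "lookup", **AGENT})),
    ("flow-a", _m(id=1, result={"content": []})),
    ("flow-b", _m(id=7, method="server/discover", params=AGENT)),
    ("flow-b", _m(id=7, result={SERVER_KEY: {"name": "billing-mcp", "version": "0.9"}})),
]
# The same flow-a reply if responses carried server identity in _meta (the proposal).
PROPOSED = CAPTURE[:1] + [("flow-a", _m(id=1, result={
    "content": [], "_meta": {SERVER_KEY: {"name": "search-mcp", "version": "2.1"}}}))] + CAPTURE[2:]

if __name__ == "__main__":
    print(unidentified_servers(build_inventory(CAPTURE)))
    print(unidentified_servers(build_inventory(PROPOSED)))
```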