|
| 1 | +--- |
| 2 | +title: 'Registry criteria' |
| 3 | +description: Criteria for adding MCP servers to the ToolHive registry |
| 4 | +sidebar_position: 50 |
| 5 | +--- |
| 6 | + |
| 7 | +The ToolHive registry maintains a curated list of MCP servers that meet specific |
| 8 | +criteria. We aim to establish a curated, community-auditable list of |
| 9 | +high-quality MCP servers through clear, observable, and objective criteria. Here |
| 10 | +are the criteria for adding an MCP server to the ToolHive registry: |
| 11 | + |
| 12 | +## Heuristics |
| 13 | + |
| 14 | +### Open source requirements |
| 15 | + |
| 16 | +- Must be fully open source with no exceptions |
| 17 | +- Source code must be publicly accessible |
| 18 | +- Must use an acceptable open source license (see |
| 19 | + [Acceptable licenses](#acceptable-licenses) below) |
| 20 | + |
| 21 | +### Security |
| 22 | + |
| 23 | +- Software provenance verification (Sigstore, GitHub Attestations) |
| 24 | +- SLSA compliance level assessment |
| 25 | +- Pinned dependencies and GitHub Actions |
| 26 | +- Published Software Bill of Materials (SBOMs) |
| 27 | + |
| 28 | +### Continuous integration |
| 29 | + |
| 30 | +- Automated dependency updates (Dependabot, Renovate, etc.) |
| 31 | +- Automated security scanning |
| 32 | +- CVE monitoring |
| 33 | +- Code linting and quality checks |
| 34 | + |
| 35 | +### Repository metrics |
| 36 | + |
| 37 | +- Repository stars and forks |
| 38 | +- Commit frequency and recency |
| 39 | +- Contributor activity |
| 40 | +- Issue and pull request statistics |
| 41 | + |
| 42 | +### API compliance |
| 43 | + |
| 44 | +- Full MCP API specification support |
| 45 | +- Implementation of all required endpoints (tools, resources, etc.) |
| 46 | +- Protocol version compatibility |
| 47 | + |
| 48 | +### Tool stability |
| 49 | + |
| 50 | +- Version consistency |
| 51 | +- Breaking change frequency |
| 52 | +- Backward compatibility maintenance |
| 53 | + |
| 54 | +### Code quality |
| 55 | + |
| 56 | +- Presence of automated tests |
| 57 | +- Test coverage percentage |
| 58 | +- Quality CI/CD implementation |
| 59 | +- Code review practices |
| 60 | + |
| 61 | +### Documentation |
| 62 | + |
| 63 | +- Basic project documentation |
| 64 | +- API documentation |
| 65 | +- Deployment and operation guides |
| 66 | +- Regular documentation updates |
| 67 | + |
| 68 | +### Release process |
| 69 | + |
| 70 | +- Established CI-based release process |
| 71 | +- Regular release cadence |
| 72 | +- Semantic versioning compliance |
| 73 | +- Maintained changelog |
| 74 | + |
| 75 | +### Community health |
| 76 | + |
| 77 | +#### Responsiveness |
| 78 | + |
| 79 | +- Active maintainer engagement |
| 80 | +- Regular commit activity |
| 81 | +- Timely issue and pull request responses (issues open 3-4 weeks without |
| 82 | + response is a red flag) |
| 83 | +- Bug resolution rate |
| 84 | +- User support quality |
| 85 | + |
| 86 | +#### Community strength |
| 87 | + |
| 88 | +- Project backing (individual vs. organizational) |
| 89 | +- Number of active maintainers |
| 90 | +- Contributor diversity |
| 91 | +- Corporate or foundation support |
| 92 | +- Governance model maturity |
| 93 | + |
| 94 | +### Security requirements |
| 95 | + |
| 96 | +#### Authentication and authorization |
| 97 | + |
| 98 | +- Secure authentication mechanisms |
| 99 | +- Proper authorization controls |
| 100 | +- Standard security protocol support (OAuth, TLS) |
| 101 | + |
| 102 | +#### Data protection |
| 103 | + |
| 104 | +- Encryption for data in transit and at rest |
| 105 | +- Proper sensitive information handling |
| 106 | + |
| 107 | +#### Security practices |
| 108 | + |
| 109 | +- Clear incident response channels |
| 110 | +- Security issue reporting mechanisms (email, GHSA, etc.) |
| 111 | + |
| 112 | +## Future considerations |
| 113 | + |
| 114 | +### Automated vs manual checks |
| 115 | + |
| 116 | +- Balance between automated checks (e.g., CI/CD, security scans) and manual |
| 117 | + reviews (e.g., community health, documentation quality) |
| 118 | +- Automated checks for basic compliance (e.g., license, API support) |
| 119 | +- Manual reviews for nuanced aspects (e.g., community strength, documentation |
| 120 | + quality) |
| 121 | + |
| 122 | +### Scoring system |
| 123 | + |
| 124 | +- **Required**: Essential attributes (significant penalty if missing) |
| 125 | +- **Expected**: Typical well-executed project attributes (moderate score impact) |
| 126 | +- **Recommended**: Good practice indicators (positive contribution) |
| 127 | +- **Bonus**: Excellence demonstrators (pure positive, no penalty for absence) |
| 128 | + |
| 129 | +### Tiered classifications |
| 130 | + |
| 131 | +- "Verified" vs "Experimental/Community" designations |
| 132 | +- Minimum threshold requirements (stars, maintainers, community indicators) |
| 133 | +- Regular re-evaluation frequency for automated checks |
| 134 | + |
| 135 | +## Acceptable licenses |
| 136 | + |
| 137 | +The following open source licenses are accepted for MCP servers in the ToolHive |
| 138 | +registry: |
| 139 | + |
| 140 | +### Permissive licenses |
| 141 | + |
| 142 | +Licenses such as Apache-2.0, MIT, BSD-2-Clause, and BSD-3-Clause allow maximum |
| 143 | +flexibility for integration, modification, and redistribution with minimal |
| 144 | +restrictions, making MCP servers accessible across all project types and |
| 145 | +commercial applications. |
| 146 | + |
| 147 | +### Excluded licenses |
| 148 | + |
| 149 | +We exclude copyleft and restrictive licenses such as AGPL, GPL2, and GPL3 to |
| 150 | +ensure MCP servers can be freely integrated into various commercial and open |
| 151 | +source projects without legal complications or viral licensing requirements. |
0 commit comments