Summary
Category gates use inclusive thresholds (score >= limit fails), but failure messages read like success: "Permissions scored Passed (limit 0)" while exiting with code 1. The multi-server MCP repositories' CI gate G02 hit this — operators thought permissions passed when the gate had actually failed at the boundary.
Problem
Category gates budget risk points per category (injection, permissions, etc.):
```sh
mcts scan --fail-on-category permissions:0 .
# Fail if permissions category score >= 0
```
Semantics:
| Category score | Limit | Result |
|---|---|---|
| 0 (display: "Passed") | 0 | FAIL (0 >= 0) |
| 0 | 1 | pass |
| 5 | 0 | FAIL |
The word "Passed" in the category display means zero risk points in that category — not "CI gate passed."
Proposed solution
Replace the misleading success-looking text with an explicit failure message: `Error: category score N exceeds limit M (inclusive)`.
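The following is an added illustration, not code from the mcts project: it models the inclusive gate rule from the table above and shows the current message beside the proposed one. The function names, the `display_score` helper and the scan dictionary are assumptions; only the `score >= limit` rule and the two message shapes come from the issue.

```python
# Added example (not the mcts project's own code). Models the category gate
# semantics from the issue: a gate fails when score >= limit (inclusive), and
# a category with 0 risk points is *displayed* as "Passed" even when it fails.
from dataclasses import dataclass


def parse_gate(spec: str) -> tuple[str, int]:
    """Parse a '--fail-on-category' argument such as 'permissions:0'."""
    category, _, limit = spec.rpartition(":")
    if not category or not limit.isdigit():
        raise ValueError(f"bad gate spec {spec!r}; expected CATEGORY:LIMIT")
    return category, int(limit)


def display_score(score: int) -> str:
    """Category display as described in the issue: 0 points renders as 'Passed'."""
    return "Passed" if score == 0 else str(score)


@dataclass
class GateResult:
    failed: bool
    message: str
    exit_code: int


def check_gate_current(spec: str, scores: dict[str, int]) -> GateResult:
    """Current behaviour: inclusive rule, but the message reuses the display text."""
    category, limit = parse_gate(spec)
    score = scores.get(category, 0)
    failed = score >= limit
    message = f"{category.capitalize()} scored {display_score(score)} (limit {limit})"
    return GateResult(failed, message, 1 if failed else 0)


def check_gate_proposed(spec: str, scores: dict[str, int]) -> GateResult:
    """Proposed behaviour: same rule, but a failure names the inclusive limit."""
    category, limit = parse_gate(spec)
    score = scores.get(category, 0)
    failed = score >= limit
    if failed:
        message = f"Error: category score {score} exceeds limit {limit} (inclusive)"
    else:
        message = f"{category} score {score} is below limit {limit}"
    return GateResult(failed, message, 1 if failed else 0)


if __name__ == "__main__":
    # Constructed scan result: zero permissions points, the boundary case from the issue.
    scan = {"injection": 3, "permissions": 0}
    for check in (check_gate_current, check_gate_proposed):
        result = check("permissions:0", scan)
        print(f"exit {result.exit_code}: {result.message}")
```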
Acceptance Criteria
- `permissions:0` fails when score is 0