Summary
--fail-on-category permissions:0 is read by users as "the permissions category must pass (zero issues)", but MCTS gates use inclusive thresholds: the gate fails when score >= limit. A category score of 0 risk points with limit 0 therefore fails (0 >= 0). In multi-server MCP repositories CI gate G02 is misconfigured because the help text does not explain the inclusive semantics (D8, D9).
Doc path
TBD — file path or URL
Problem
Category gates budget risk points per OWASP-style category (permissions, injection, etc.):
def category_gate_failures(findings, gates):
    ...  # per-category rows and their limits are computed here (elided in this excerpt)
    if row["score"] >= limit:  # inclusive: a score equal to the limit fails
        failures.append(f"{row['label']} scored {row['display']} (limit {limit})")
| User mental model | Actual semantics |
|---|---|
| permissions:0 = "must have 0 findings" | fail when score ≥ 0 (always fails at 0) |
| permissions:0 = "zero tolerance" | correct intent, wrong limit value |
| To allow 0 points | use permissions:1 |
Display label "Passed" means zero category risk points — not CI pass (D8).
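As an added illustration (not MCTS project code), the following re-implements the gate check above with the same inclusive comparison and shows why permissions:0 always fails while permissions:1 allows a zero-point category. The finding structure, the comma-separated gate spec format and the describe_gate helper are assumptions made for this example.

```python
# Added example, not the project's own code: a minimal model of the category
# gate described in this issue, keeping the inclusive ">=" comparison.
# Finding shape, spec format "cat:limit,cat:limit" and describe_gate are
# assumptions for illustration.
from collections import defaultdict


def parse_category_gates(spec):
    """Parse "permissions:0,injection:5" into {"permissions": 0, "injection": 5}."""
    gates = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        category, _, limit = item.partition(":")
        if not category.strip() or not limit.strip().lstrip("-").isdigit():
            raise ValueError(f"bad gate spec: {item!r}")
        gates[category.strip()] = int(limit)
    return gates


def category_scores(findings):
    """Sum risk points per category; a category with no findings scores 0."""
    scores = defaultdict(int)
    for finding in findings:
        scores[finding["category"]] += finding["risk_points"]
    return scores


def category_gate_failures(findings, gates):
    """Inclusive gate, mirroring the issue: a category fails when score >= limit."""
    scores = category_scores(findings)
    failures = []
    for category, limit in gates.items():
        score = scores.get(category, 0)  # no findings still yields 0, which is compared
        if score >= limit:
            failures.append(f"{category} scored {score} (limit {limit})")
    return failures


def describe_gate(category, limit):
    """State in plain words what an inclusive gate actually does (hypothetical help text)."""
    if limit <= 0:
        return (f"{category}:{limit} fails on every run (score >= {limit} is always true); "
                f"use {category}:1 to allow 0 risk points")
    return (f"{category}:{limit} fails when {category} score >= {limit} "
            f"({limit - 1} points or fewer pass)")


# Constructed sample findings: two injection findings, no permission findings.
SAMPLE_FINDINGS = [
    {"category": "injection", "risk_points": 3},
    {"category": "injection", "risk_points": 2},
]

if __name__ == "__main__":
    for spec in ("permissions:0", "permissions:1", "injection:5", "injection:6"):
        gates = parse_category_gates(spec)
        print(spec, "->", category_gate_failures(SAMPLE_FINDINGS, gates) or "pass")
    print(describe_gate("permissions", 0))
```

Running it shows that permissions:0 reports a failure even though the sample has no permission findings at all, while permissions:1 passes; injection:5 fails on exactly 5 points because the comparison is inclusive, and injection:6 passes.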
Expected
Help examples state what permissions:0 means: fail if there is any permission finding.
Acceptance Criteria
--help explains inclusive >= semantics for :0 limits