v0.5.0 is a narrow integration-driven release.

Author: andrey.korchemkin

CHANGELOG.md

@@ -4,6 +4,27 @@ All notable changes to this project will be documented in this file.
 
 The format is based on Keep a Changelog and this project uses Semantic Versioning.
 
+## [0.5.0] - 2026-03-31
+
+Integration-driven release.
+
+### Added
+
+- explicit `scan_timestamp` field in JSON reports for downstream temporal-decay consumers
+- matching scan timestamp metadata in SARIF run properties and invocation metadata
+- release-ready interface contract for Layer 1 style static baseline consumers
+
+### Changed
+
+- bumped report schema version to `0.5`
+- refreshed release docs and README examples for `v0.5.0`
+- regenerated sample artifacts from the current scanner output
+
+### Notes
+
+- `generated_at` is retained for backward compatibility
+- `scan_timestamp` is the canonical cross-layer timestamp field going forward
+
 ## [0.4.0] - 2026-03-29
 
 First practically useful public release.

README.md

@@ -11,7 +11,8 @@
 
 `MCP Trust Kit` scans a local MCP server over `stdio`, discovers its tools, runs deterministic
 checks for protocol and tool hygiene plus risky exposed capabilities, calculates a score from
-`0..100`, and emits terminal, JSON, and SARIF output that fits cleanly into CI.
+`0..100`, and emits terminal, JSON, and SARIF output that fits cleanly into CI. JSON and SARIF
+include an explicit `scan_timestamp` field for downstream consumers.
 
 **MCP Trust Kit scores surface risk, not business intent.**
 
@@ -122,7 +123,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Run MCP Trust Kit
-        uses: aak204/MCP-Trust-Kit@v0.4.0
+        uses: aak204/MCP-Trust-Kit@v0.5.0
         with:
           cmd: python path/to/your/server.py
           min-score: "80"
@@ -141,7 +142,7 @@ The action fails when:
 - the scan fails technically
 - the final score is below `min-score`
 
-If the `v0.4.0` tag is not published yet, use a branch name or commit SHA while testing privately.
+If the `v0.5.0` tag is not published yet, use a branch name or commit SHA while testing privately.
 
 ## Example Output
 
@@ -228,7 +229,7 @@ The scoring model is intentionally simple and predictable:
 3. clamp to `0..100`
 4. compute category scores the same way
 
-Severity mapping in `v0.4.0`:
+Severity mapping in `v0.5.0`:
 
 | Severity | Penalty |
 | --- | --- |
@@ -273,7 +274,7 @@ More detail:
 
 ## Roadmap
 
-Near-term work after `v0.4.0`:
+Near-term work after `v0.5.0`:
 
 - expand deterministic rules for `auth` and `secrets`
 - improve SARIF location mapping when source context is available

docs/architecture.md

@@ -1,6 +1,6 @@
 # Architecture
 
-`MCP Trust Kit` keeps the `v0.4.0` pipeline intentionally small and deterministic.
+`MCP Trust Kit` keeps the `v0.5.0` pipeline intentionally small and deterministic.
 
 ```mermaid
 flowchart LR
@@ -18,7 +18,7 @@ flowchart LR
 
 Key properties:
 
-- one MCP transport for `v0.4.0`: local `stdio`
+- one MCP transport for `v0.5.0`: local `stdio`
 - one deterministic rule per file
 - one deterministic surface-risk scoring engine
 - output layer formats an already-built `Report`

docs/release-checklist.md

@@ -1,6 +1,6 @@
 # Release Checklist
 
-Use this list before publishing `v0.4.0`.
+Use this list before publishing `v0.5.0`.
 
 ## Repository
 
@@ -28,7 +28,7 @@ Windows note:
 - run `pip install .`
 - run `mcp-trust --help`
 - verify `import mcp_trust; print(mcp_trust.__version__)`
-- verify package metadata shows version `0.4.0`
+- verify package metadata shows version `0.5.0`
 
 ## Examples And Reports
 
@@ -47,7 +47,7 @@ Windows note:
 
 ## Release
 
-- create tag `v0.4.0`
+- create tag `v0.5.0`
 - publish GitHub Release notes from `CHANGELOG.md`
 - attach or link sample artifacts if desired
 - smoke-test the published action from a separate repository

docs/release-notes-v0.5.0.md

@@ -0,0 +1,64 @@
+# MCP Trust Kit v0.5.0
+
+`v0.5.0` is a narrow integration-driven release.
+
+The scanner contract from `v0.4.0` stays intentionally stable: local `stdio` discovery,
+deterministic rules, predictable scoring, terminal summary, JSON, SARIF, and GitHub Actions.
+The main reason for `v0.5.0` is to make Layer 1 baseline output easier to consume by downstream
+systems that care about scan freshness and temporal decay.
+
+## Highlights
+
+- explicit `scan_timestamp` field in JSON output
+- matching timestamp metadata in SARIF
+- no break to existing `generated_at` consumers
+- release-ready static baseline contract for higher-layer integrations
+
+## Included In v0.5.0
+
+- JSON reports now expose:
+  - `scan_timestamp`
+  - `generated_at`
+  - aggregate score breakdown
+  - capability-aware and hygiene-aware findings
+- SARIF runs now expose:
+  - `runs[].properties.scan_timestamp`
+  - `runs[].invocations[].endTimeUtc`
+- sample reports regenerated from the current scanner
+- release docs and README updated for `v0.5.0`
+
+## Validation Snapshot
+
+- `examples/insecure-server` -> `10/100`
+- `@modelcontextprotocol/server-memory@2026.1.26` -> `100/100`
+- `@modelcontextprotocol/server-filesystem@2026.1.14` -> `40/100`
+
+## Contract Note
+
+`generated_at` is still present for backward compatibility.
+
+`scan_timestamp` is now the canonical timestamp field for downstream integrations that need to
+reason about baseline freshness.
+
+## Quickstart
+
+Local:
+
+```bash
+python -m venv .venv
+source .venv/bin/activate
+pip install -e .[dev]
+mcp-trust scan --json-out baseline.json --cmd python examples/insecure-server/server.py
+```
+
+GitHub Actions:
+
+```yaml
+- name: Run MCP Trust Kit
+  uses: aak204/MCP-Trust-Kit@v0.5.0
+  with:
+    cmd: python path/to/your/server.py
+    min-score: "80"
+    json-out: mcp-trust-report.json
+    sarif-out: mcp-trust-report.sarif
+```

docs/validated-servers.md

@@ -7,7 +7,7 @@ The point is narrower: show that `MCP Trust Kit` works on real servers outside t
 
 **MCP Trust Kit scores surface risk, not business intent.**
 
-Validation date: `2026-03-29`
+Validation date: `2026-03-31`
 
 Reference sources for the public packages used here:
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mcp-trust-kit"
-version = "0.4.0"
+version = "0.5.0"
 description = "CI-first deterministic surface-risk scoring for MCP servers."
 readme = "README.md"
 license = "Apache-2.0"

sample-reports/insecure-server.report.json

@@ -1,7 +1,8 @@
 {
-  "schema_version": "0.4",
-  "toolkit_version": "0.4.0",
-  "generated_at": "2026-03-29T13:48:58.855632+00:00",
+  "schema_version": "0.5",
+  "toolkit_version": "0.5.0",
+  "scan_timestamp": "2026-03-31T07:26:34.700338+00:00",
+  "generated_at": "2026-03-31T07:26:34.700338+00:00",
   "server": {
     "target": "stdio:[\".\\\\.venv\\\\Scripts\\\\python\",\"examples\\\\insecure-server\\\\server.py\"]",
     "name": "Insecure Demo Server",

sample-reports/insecure-server.report.sarif

@@ -6,7 +6,7 @@
       "tool": {
         "driver": {
           "name": "MCP Trust Kit",
-          "semanticVersion": "0.4.0",
+          "semanticVersion": "0.5.0",
           "rules": [
             {
               "id": "duplicate_tool_names",
@@ -490,11 +490,15 @@
       "invocations": [
         {
           "executionSuccessful": true,
+          "endTimeUtc": "2026-03-31T07:26:34.700338+00:00",
           "workingDirectory": {
             "uri": "file:///D:/Dev/MCP%20Trust%20Kit"
           }
         }
       ],
+      "properties": {
+        "scan_timestamp": "2026-03-31T07:26:34.700338+00:00"
+      },
       "results": [
         {
           "ruleId": "overly_generic_tool_name",

src/mcp_trust/__init__.py

@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.4.0"
+__version__ = "0.5.0"