The dependency model
Gated does not run its checks as a flat list. They form a dependency graph: most checks need facts about your server before they can say anything useful, and those facts come from other checks that ran first. That graph is what decides which checks run, which sit out, and what every outcome in your report means.
Overview
Three ideas carry the whole model, and each one shows up in your scan report:
- Order. Discovery comes before judgment. A check can only run once the facts it relies on have been established.
- Applicability. A check that does not fit your server’s shape is set aside on purpose — not failed. OAuth checks do not run on a static-key server.
- Foundations. A handful of checks everything else rests on. When one of them cannot complete, the report tells you which, and why, rather than burying it.
The dependency graph
A scan begins by establishing facts about the target: whether it is reachable, what transport it speaks, whether it completes an MCP handshake, which tools, prompts, and resources it exposes, and what authentication it requires. Each of those facts is the output of a check, and other checks depend on them.
Because of that, checks run in dependency order, not catalog order. A check that inspects a tool’s input schema cannot run until the tool list has been retrieved; a check on your TLS certificate cannot run until the handshake has succeeded. The graph has a single root — reachability and transport — that every other check descends from. When the root cannot be established, nothing downstream has anything to run against.
What a check can see
Every check declares exactly which facts it needs and receives only those. A check that examines tool schemas asks for the tool list and nothing else; a check on certificate validity asks for the handshake result. It drills down to its specific inputs rather than reading from a shared pool of everything the scan discovered.
This scoping is deliberate, and it changes how a missing fact is handled. If the input a check needs was never established, the check is held back— it does not run against missing data. That matters because a check run against nothing tends to do one of two things: error, or silently report “no problem found” when the truth is “we never looked.” Gated treats a silent pass on data it never saw as a defect. A check with no inputs does not pass. It does not run.
Gates and applicability
Many checks only make sense for a particular kind of server. OAuth hardening checks are meaningless on a server that authenticates with a static API key. TLS certificate checks are meaningless on a plaintext endpoint. Resource-subscription checks are meaningless on a server that exposes no resources.
Rather than run these and report a misleading pass or fail, Gated gates them: the check activates only when its precondition holds. When it does not, the check is marked not applicable. In your report you will see Not applicable — gated by …, naming the precondition that did not match. This is not a failure and it does not count against your scan grade. It is an honest record that the check did not apply to your server.
Outcomes in your report
Beyond a plain pass or fail, every check resolves to one of these states. The distinction between the last two is the one worth internalising.
The check ran and reported — either a pass backed by evidence, or one or more findings.
A precondition did not match your server, so the check did not apply. Shown as Not applicable — gated by …. By design, and never counted against you.
The check errored — or a foundational check it depends on errored, so it could not run. A check blocked by an upstream failure is marked failed, with its error naming the upstream that failed. Lost coverageworth investigating — it means something was not measured, not that your server is fine.
Irrelevant is the scan working as intended; Failedis the scan telling you something could not be measured — the check itself errored, or a foundational check it depends on did. They can read similarly in a list, which is why Gated labels them distinctly.
In practice you will see Irrelevant far more often than a blocked failure. Irrelevant is routine — most checks do not apply to most servers. A check fails as blocked only when a foundational check errors outright, which is uncommon. When coverage is lost for a more ordinary reason — the surface could not be loaded, credentials were missing — the foundational check still completes and reports that fact, so its dependants are marked not applicable and the loss surfaces as the partial-scan banner below.
Foundational checks and partial scans
A small number of checks are foundational — whole branches of the catalog depend on them. Reaching the server and classifying its transport. Completing the MCP handshake. Listing the tools, prompts, and resources. When one of these cannot complete, an entire branch has nothing to run against, so the report says so directly instead of leaving you to count failed rows.
This takes one of two shapes:
One branch of coverage was lost, but the rest of the scan is valid. For example: the server required authentication and the scan had no working identity, so its surface could not be loaded — add an identity for that server and re-scan. Or the tool list could not be retrieved, so tool-dependent checks did not run while transport, TLS, and OAuth checks still ran. The banner names the reason and what to do.
A root foundation could not be established — the transport could not be classified, or the MCP handshake failed for every identity — so almost nothing could run. The banner names the reason; the fix is usually reachability or credentials rather than anything about your server’s posture.
Each case carries a plain-language reason, so a partial or failed scan tells you whether to act — add an identity, fix reachability — or accept it. From here, browse the check catalog to see every check and the family it belongs to.