MEOK Methodology

What we count. What we don't. Our fail rules.

This is the MEOK methodology — the rules that gate our scores, the things we explicitly do not count, and the questions you should ask before trusting any compliance vendor (including us).

Scoring (90+ is production-grade)

90–100

Production-grade

EU AI Act + ISO 42001 + ISO 42005 evidence chain. All 9 in-scope articles covered. HMAC-signed. Auditor-verifiable.

80–89

Reference-grade

Substantial coverage. Missing 1-2 controls or has soft gaps. Still suitable for advisory work.

65–79

Beta

Useful for early adopters. Not yet suitable for regulated-organisation use. Watch the changelog for upgrades.

<65

Quarantined

Fails one or more fail rules. Held out of the public scorecard. Cited as 'experimental' in any output.

How we count

How do you count 340+ MCP packages?

Counted at the GitHub-repo level under CSOAI-ORG (340+ public repos, all MIT-licensed). The 295 LIVE-PyPI count is a stricter subset (visible on PyPI under the MEOK-AI-Labs publisher). The 294 unique servers on the official MCP Registry is a third count, after server-name dedup. The three numbers are not interchangeable.

Why does the scorecard say '84.6 average'?

Mean across the 337 scorecarded packages, weighted equally (not by downloads or by revenue). The score is a public static calculation — see https://meok.ai/scorecard — and is recomputed on every release.

What do you NOT count?

We do not count GitHub stars as a quality signal (we use them only for distribution noise). We do not count PyPI downloads as adoption (downloads are bots, mirrors, and tests; only ~14K/day are organic and ~0 are buyers). We do not count registry views. We do count (a) unique organisations issuing signed certs through the API, (b) HMAC verifications on the /verify endpoint, and (c) HMAC-anchored audit logs.

How do you handle phantom packages?

A 'phantom package' is a name that exists in our internal tree but is not on PyPI, not on the MCP Registry, and not on a public GitHub release. We mark them 'experimental' in any output, and we publish a phantom-corrected list at /_TABS/_inventory/.

Fail rules (the 7 that gate 90+)

A package is capped at 79 if it fails any of the rules below. Fail rules are non-negotiable; we do not sell exemptions. The full list is in the public scorecard.

FR-01: EU AI Act Article 50 watermarking requires ≥2 layers.
A package that ships SynthID-only or C2PA-only fails FR-01 and is capped at 79 until both layers are present. We do not exempt 'small models' or 'open weights' from this rule — the EU Code of Practice is non-negotiable.
FR-02: HMAC signatures must include the canonical timestamp.
A signature that omits `issued_at` is considered replayable and is auto-failed. We caught 2 packages shipping such signatures in Q1 2026; both were patched within 14 days of disclosure.
FR-03: Audit-log claims require Merkle anchor.
A package that claims 'hash-chained audit log' must publish a Merkle root at a frequency ≤ 24h. Daily-only is fine. Weekly-only fails FR-03.
FR-04: GDPR DPIA outputs must include Art 35(7) checklist.
A DPIA that omits any of the 7 mandatory contents in Art 35(7) is auto-failed. We test this with a synthetic DPIA against each release.
FR-05: DORA ICT third-party register must be machine-readable.
PDF-only or HTML-only is auto-failed. Must be JSON-LD, CycloneDX, or SBOM. Reasoning: the EBA RTS 2023/04 requires the register to be auditable by supervisors, which means structured data.
FR-06: 'makes money' claims are not allowed in the public corpus.
Any package that claims '$X revenue' or '£Y ARR' in its README or docs is auto-quarantined. We do not publish revenue numbers; we publish regulatory-evidence numbers (signed certs, anchored audits, attestations).
FR-07: Witness can never be principal.
A package that signs its own audit certificate with a key that also signs the package is auto-failed. The witness (signing the audit) must be a different principal from the actor (shipping the package).

What we explicitly exclude

We do not reference, cite, or co-publish with the following. If you see a MEOK artifact that mentions any of these, it is a phantom and should be flagged to security@meok.ai.

CSGA (Council for the Sovereign Governance of AI)

Severed 2026-01; IP dispute; do not reference.

James Castle / Grant Carter Osborne

Severed 2026-01-31; resigned 2026-03-31; do not engage.

Terranova Holdings

Counter-party in the IP dispute; do not reference.

£79/mo pricing

Retired 2026-06-10. The current starter is £29/mo.

Stripe links ending in 8k90x or 8k83x

Dead accounts. Replaced 2026-06-13 with new payment links — all 10 verified live.

Challenge the methodology

Methodology is only useful if you can challenge it. Email methodology@meok.ai with a counter-rule, a missed fail case, or a count discrepancy. We log every challenge and respond within 7 days. If a challenge is valid, the methodology version is bumped and the changelog is signed.

CSOAI

Initializing...

Scoring (90+ is production-grade)

90–100

Production-grade

EU AI Act + ISO 42001 + ISO 42005 evidence chain. All 9 in-scope articles covered. HMAC-signed. Auditor-verifiable.

80–89

Reference-grade

Substantial coverage. Missing 1-2 controls or has soft gaps. Still suitable for advisory work.

65–79

Beta

Useful for early adopters. Not yet suitable for regulated-organisation use. Watch the changelog for upgrades.

<65

Quarantined

Fails one or more fail rules. Held out of the public scorecard. Cited as 'experimental' in any output.

How we count

How do you count 340+ MCP packages?

Why does the scorecard say '84.6 average'?

What do you NOT count?

How do you handle phantom packages?

Fail rules (the 7 that gate 90+)

A package is capped at 79 if it fails any of the rules below. Fail rules are non-negotiable; we do not sell exemptions. The full list is in the public scorecard.

FR-01: EU AI Act Article 50 watermarking requires ≥2 layers.

A package that ships SynthID-only or C2PA-only fails FR-01 and is capped at 79 until both layers are present. We do not exempt 'small models' or 'open weights' from this rule — the EU Code of Practice is non-negotiable.

FR-02: HMAC signatures must include the canonical timestamp.

A signature that omits `issued_at` is considered replayable and is auto-failed. We caught 2 packages shipping such signatures in Q1 2026; both were patched within 14 days of disclosure.

FR-03: Audit-log claims require Merkle anchor.

A package that claims 'hash-chained audit log' must publish a Merkle root at a frequency ≤ 24h. Daily-only is fine. Weekly-only fails FR-03.

FR-04: GDPR DPIA outputs must include Art 35(7) checklist.

A DPIA that omits any of the 7 mandatory contents in Art 35(7) is auto-failed. We test this with a synthetic DPIA against each release.

FR-05: DORA ICT third-party register must be machine-readable.

PDF-only or HTML-only is auto-failed. Must be JSON-LD, CycloneDX, or SBOM. Reasoning: the EBA RTS 2023/04 requires the register to be auditable by supervisors, which means structured data.

FR-06: 'makes money' claims are not allowed in the public corpus.

Any package that claims '$X revenue' or '£Y ARR' in its README or docs is auto-quarantined. We do not publish revenue numbers; we publish regulatory-evidence numbers (signed certs, anchored audits, attestations).

FR-07: Witness can never be principal.

A package that signs its own audit certificate with a key that also signs the package is auto-failed. The witness (signing the audit) must be a different principal from the actor (shipping the package).