feat(outreach): trust-grade campaign generator

launch/grade-outbound.md

@@ -0,0 +1,96 @@
+# Trust-Grade Outbound — the money engine
+
+**Play:** you've publicly + independently graded 6,771 MCP servers. **2,580 score D or F.** The *commercial* ones with a public F have a real, urgent problem (anyone evaluating their server sees the grade) and the budget to fix it. Sell them the fix: **Deep Audit** (one-time) + **Continuous Monitoring** ($/mo). Snyk model — find the real problem, sell remediation.
+
+**The one rule (non-negotiable):** grades stay 100% honest — independent rubric, never fudged to force a sale. That's the moat *and* what makes this legit instead of a shakedown. Within that line it's clean security sales.
+
+**The CTA mechanic:** every server already has a live public report at `wmcp.sh/mcp/grade/<host>` with the **Deep Audit** + **Watch (Monitoring)** buttons on it. Outreach just surfaces the report + the specific failing finding and points them there. (Confirm the $ shown on the report page before quoting.)
+
+**Contact channels (you supply):** founder on X / LinkedIn (search "<company> founder"), `security@`/`hello@<domain>`, or a GitHub issue if it's a public repo. Funded startups → founder DM converts fastest.
+
+---
+
+## 🔥 Hot leads (real findings, ready to send)
+
+| Server | Grade | Report | The hook (real finding) |
+|---|---|---|---|
+| **mcp.viridis-security.com** | F 45 | /mcp/grade/mcp.viridis-security.com | A *security* vendor — its own `detect_injection` tool description contains prompt-injection markup (OWASP MCP01). |
+| **api.agentrapay.ai** | F 45 | /mcp/grade/api.agentrapay.ai | Payments — `agentra_authorize_payment` & `create_wallet` flagged for secret-exfiltration surface (MCP08). |
+| **crossfin.dev** | F 45 | /mcp/grade/crossfin.dev | Finance — `call_paid_service` / `find_optimal_route` exfiltration surface (MCP08). |
+| **mcp.payram.com** | F 45 | /mcp/grade/mcp.payram.com | Payments — connection/env-template tools exfiltration surface (MCP08). |
+| **mcp.bitrise.io** | F 45 | /mcp/grade/mcp.bitrise.io | Funded CI co — `register_ssh_key` exfiltration surface (MCP08). |
+| **api.dialogbrain.com** | F 45 | /mcp/grade/api.dialogbrain.com | 154 tools; 4+ tool descriptions contain prompt-injection markup (MCP01). |
+
+> Skip false positives like `sqladmin.googleapis.com` (Google infra, not an operator to sell to).
+
+---
+
+## Outreach templates
+
+### Cold email (general)
+```
+Subject: {host} scored F on the independent MCP trust leaderboard
+
+Hi {name},
+
+I run wmcp.sh — an independent leaderboard that grades MCP servers A–F on
+security, spec conformance, reliability, and transparency. It's public and
+indexed, so anyone evaluating {company}'s MCP server can see the grade.
+
+{host} currently scores F (45/100). Public report: {report_url}
+Flagged: {finding} (OWASP MCP {code}).
+
+Two ways to fix it:
+• Deep Audit (one-time) — the full breakdown + exactly what to change to pass.
+• Continuous Monitoring (/mo) — we re-grade you, prove the fix to your users,
+  and alert you the moment it regresses.
+
+The grade is free and identical whether or not you pay — happy to walk you
+through the report either way. Want the audit?
+
+— {you}, wmcp.sh
+```
+
+### Payments / finance angle (agentrapay, crossfin, payram, payperbyte, merx)
+```
+Subject: your payment MCP tool is flagged for a secret-exfiltration surface
+
+{name} — your {host} MCP server scores F on the independent trust leaderboard,
+and the specific flag is the scary one for a payments product: {tool} is marked
+for a secret-exfiltration surface (OWASP MCP08). Public report: {report_url}.
+
+Your customers' security teams will run this check before they connect. The
+Deep Audit maps the exact fix; Monitoring re-grades you and proves it's clean.
+Worth 15 minutes?
+```
+
+### Security-vendor angle (viridis-security)
+```
+Subject: heads up — viridis-security's MCP server scores F on security
+
+{name} — friendly heads up from one security-adjacent shop to another. Your
+{host} MCP server scores F on the independent MCP trust leaderboard, and the
+flag is awkward given what you do: detect_injection's own tool description
+contains prompt-injection markup (MCP01). Public report: {report_url}.
+
+Better you hear it from me than a prospect. Happy to walk you through the audit
+(and the badge once you're passing).
+```
+
+### X / LinkedIn DM (short)
+```
+your MCP server {host} scores F on the independent MCP trust leaderboard
+(security) — {finding}. public report: {report_url}. it's the first thing a
+careful dev checks before connecting. we do the audit + ongoing monitoring if
+you want to fix + prove it. (grade's free either way.)
+```
+
+### Mirror play — the A-graded (sell Verified, easy yes)
+1,187 servers score A/A+/A-. DM them: *"your MCP server scored A on the independent trust leaderboard — grab the verified badge to show it on your README/site"* → the Verified SKU. Vanity + trust, low-friction.
+
+---
+
+## Full target list (32 commercial F-graders, finance → dev → other)
+crossfin.dev · api.agentrapay.ai · api.dialogbrain.com (154t) · api.delx.ai (143t) · www.ia-qa.com (139t) · mcp.trenchfu.com (94t) · mcp.bitrise.io (81t) · emc2ai.io (69t) · mcp.valuein.biz · merx.exchange · payments.wiselyenterprisesllc.com · www.heista.co · mcp-data.tunnelmind.ai · mcp.payram.com · sats4ai.com · api.butterbase.ai · x711.io · syenite.ai · mcp.realopen.app · mcp.usecoal.xyz · api.octodamus.com · amalgix.io · mcp.frogeye.ai · www.licium.ai · tools.cipherhub.cloud · kapoost.humanmcp.net · mcp.payperbyte.io · qasper.ai · mcp.viridis-security.com
+
+Each report: `wmcp.sh/mcp/grade/<host>`. Pull a target's exact findings from its report page before you send.

launch/verified-pitch.md

@@ -0,0 +1,84 @@
+# wmcp.sh Verified — outreach to A-graded MCP servers
+
+The easy-yes companion to the audit/monitoring outbound (`grade-outbound.md`). Where
+F-graders get "here's how to fix it," A-graders get "you earned this — make it
+provable." Lower friction, recurring revenue, and every embed is a backlink.
+
+**Tone bar: independent-auditor professional.** Think Anthropic / Snyk / Stripe, not
+growth-hack. Factual, specific, measured. Lead with *their* achievement, not our
+product. No superlatives ("revolutionary"), no false urgency, no dark patterns. The
+credibility of the grade is the entire asset — the outreach has to sound like it.
+
+## The offer (accurate — don't overpromise)
+- **Free, today:** the live A–F trust badge on every report page (`wmcp.sh/mcp/grade/<host>`). It re-verifies itself, so it shows the *current* grade, not a screenshot. Anyone can embed it.
+- **wmcp.sh Verified (paid, recurring):**
+  - **Claimed ownership** (DNS/meta-tag) + the **Verified mark** — proof the server is really theirs, not a look-alike.
+  - **Continuous monitoring** — re-audited on a schedule, with an alert the moment anything regresses (a dependency bump, a tool change, a silent rug-pull). Their A stays *true*, and they're never blindsided by a quiet drop.
+  - A "verified current as of <date>" attestation a static badge can't give.
+
+The grade is free and independent whether or not they verify — say so plainly. That honesty is the pitch.
+
+## Scarcity (use the real numbers)
+Of 6,771 graded servers: **A+ ≈ 0.2% · A-or-better ≈ 7% · A-tier (incl. A-) ≈ 18%.** Most servers do not pass cleanly. Quote the percentile that matches their grade.
+
+---
+
+## Email — A-graded operator
+```
+Subject: {host} passed the independent MCP trust audit (grade {grade})
+
+Hi {name},
+
+wmcp.sh runs an independent trust audit for MCP servers — security (mapped to the
+OWASP MCP Top 10), spec conformance, reliability, tool hygiene, and transparency,
+scored A–F and re-checked on a schedule.
+
+{host} scored {grade}. That's in the top ~{percentile} of the 6,771 servers we've
+graded — most don't pass cleanly, so it's worth surfacing to the developers
+evaluating whether to connect you.
+
+You can embed the live trust badge today, free — it re-verifies itself, so it shows
+your current grade rather than a screenshot:
+  {report_url}
+
+If it's useful, wmcp.sh Verified adds the two things serious operators ask for:
+  • Claimed ownership (DNS/meta) + the Verified mark — proof it's really your server.
+  • Continuous monitoring — we re-audit on a schedule and alert you the moment
+    anything regresses, so your grade stays true and you're never caught out by a
+    silent drop.
+
+The grade itself is free and independent — that doesn't change whether you verify.
+Report and badge: {report_url}. Glad to answer anything.
+
+— {name}, wmcp.sh
+```
+
+## DM — X / LinkedIn (short, same register)
+```
+{host} scored {grade} on the independent wmcp.sh MCP trust audit — top ~{percentile}
+of 6,771 graded. You can embed the live badge free ({report_url}); Verified adds
+claimed ownership + continuous monitoring so it stays provably current. Independent
+either way — nice work shipping a clean server.
+```
+
+## Power-operator note (caseyjhand.com)
+One operator runs **12 A+ servers**. Single outreach, highest yield: offer Verified
+across the whole fleet (claim once, monitor all) — they clearly care about doing it
+right, and 12 verified badges = 12 backlinks.
+
+---
+
+## A-grade targets (commercial, real products)
+mcp.gapup.io (A · 271t) · api.domainkits.com (A · 38t) · chat.curie.app (A · 35t) ·
+mcp.axint.ai (A · 35t) · toolora.dev (A · 34t) · www.cyclesite.co.uk (A · 33t) ·
+toofi.app (A · 32t) · dynamoi.com (A · 22t) · the caseyjhand.com A+ fleet (12 servers:
+usaspending, gbif-biodiversity, secedgar, fcc-broadband, openfda, open-meteo,
+clinicaltrials, noaa-cdo, nominatim, pentest, arxiv, cdc).
+
+Skip cloud infra graded incidentally (compute.googleapis.com, container.googleapis.com) —
+not operators to sell to. Pull each target's exact grade + percentile from its report
+page before sending.
+
+## Do / don't (keeps it at the bar)
+- **Do** lead with their grade, name the real percentile, link the public report, and state the grade is free + independent.
+- **Don't** invent features (no "featured placement" unless it's live), no urgency tricks, no "limited spots," no flattery that isn't backed by the score.

worker/src/index.ts

@@ -499,6 +499,16 @@ app.get("/reports/state-of-mcp-security-2026", async (c) => {
 });
 app.get("/reports/state-of-mcp-security", (c) => c.redirect("/reports/state-of-mcp-security-2026", 301));
 app.get("/reports", (c) => c.redirect("/reports/state-of-mcp-security-2026", 302));
+// GEO data surface: machine-readable, citable MCP trust stats for AI answer
+// engines + agents (ChatGPT / Claude / Perplexity). CORS-open, hourly-cached.
+app.get("/api/v1/mcp/stats", async (c) => {
+  const { mcpStatsJson } = await import("./mcp_stats");
+  return mcpStatsJson(c);
+});
+app.get("/mcp/stats.json", async (c) => {
+  const { mcpStatsJson } = await import("./mcp_stats");
+  return mcpStatsJson(c);
+});
 
 // Agent-callable MCP trust oracle (grade_mcp_server / check_mcp_drift). Free
 // read-tier so agents can gate connections on our grade. BEFORE /mcp/:provider.
@@ -1717,6 +1727,22 @@ app.post("/api/v1/admin/seed-now", (c) => runSeedNow(c as any));
 app.post("/api/v1/admin/seed-stores", (c) => addSeedStores(c as any));
 app.post("/api/v1/admin/seo-indexnow", (c) => submitSeoIndexNow(c as any));
 app.post("/api/v1/admin/grade-servers", (c) => addGradeServers(c as any));
+// Outreach campaign generator: turns the live grade graph into ready-to-send
+// personalized rows (CSV/JSON) for the audit (F) + verified (A) segments.
+app.get("/api/v1/admin/outreach", async (c) => {
+  const { outreachCampaign } = await import("./outreach");
+  return outreachCampaign(c);
+});
+// Reply triage: the cold-email platform POSTs replies here; opt-outs auto-suppress,
+// noise is logged, hot leads ping LEAD_ALERT_WEBHOOK with a pre-drafted reply.
+app.post("/api/v1/admin/outreach/reply", async (c) => {
+  const { handleOutreachReply } = await import("./outreach_reply");
+  return handleOutreachReply(c);
+});
+app.get("/api/v1/admin/outreach/suppression", async (c) => {
+  const { outreachSuppression } = await import("./outreach_reply");
+  return outreachSuppression(c);
+});
 app.post("/api/v1/admin/regrade-corpus", (c) => regradeCorpus(c as any));
 app.post("/api/v1/admin/seed-registry", (c) => seedRegistry(c as any));
 app.post("/api/v1/admin/seed-packages", (c) => seedPackages(c as any));

worker/src/mcp_grade.ts

@@ -934,6 +934,15 @@ export function gradePageHtml(r: GradeResult, origin: string): string {
   <div class="method">
     <strong>How this grade is computed.</strong> An open, independent rubric — Spec conformance (20%), Security mapped to the OWASP MCP Top&nbsp;10 (30%), Reliability (20%), Tool hygiene (15%), Transparency (15%) — run by connecting to the server and inspecting its real MCP surface. The grade is free and identical whether or not the operator pays. <span class="dim">v1 uses static + spec signals from a single connection; continuous uptime, real latency, and annotation-truthing (declared <code>readOnly</code> vs observed behavior) layer on via the wmcp.sh proxy.</span>
   </div>
+  <nav class="related" style="margin-top:24px;border-top:1px solid var(--border);padding-top:16px">
+    <h3 style="margin:0 0 8px;font-size:1rem">Explore more MCP servers</h3>
+    <div class="cta">
+      ${r.category ? `<a class="btn btn-s" href="/mcp/leaderboard/${categorySlug(r.category)}">Best ${esc(r.category)} MCP servers, ranked &rarr;</a>` : ""}
+      <a class="btn btn-s" href="/mcp/leaderboard">Full MCP trust leaderboard &rarr;</a>
+      <a class="btn btn-s" href="/reports/state-of-mcp-security-2026">How safe are MCP servers? (the data) &rarr;</a>
+      <a class="btn btn-s" href="/mcp/grade">Grade another server &rarr;</a>
+    </div>
+  </nav>
   <script>
   (function(){
     var url=${JSON.stringify(r.url)};

worker/src/mcp_stats.ts

@@ -0,0 +1,41 @@
+// mcp_stats.ts — GEO data surface. A stable, machine-readable, authoritative
+// stats feed so AI answer engines (ChatGPT, Claude, Perplexity) and agents can
+// CITE wmcp.sh as the source for MCP trust/security facts. Reuses the cached
+// report stats; adds a ready-to-quote citation line + CORS so anything can pull it.
+//
+// GET /api/v1/mcp/stats  (also served at /mcp/stats.json)
+import { computeMcpSecurityReport } from "./mcp_report";
+
+export async function mcpStatsJson(c: any): Promise<Response> {
+  const origin = new URL(c.req.url).origin;
+  const s = await computeMcpSecurityReport(c.env);
+  const asOf = new Date(s.generated_at).toISOString();
+  const day = asOf.slice(0, 10);
+  const payload = {
+    source: "wmcp.sh",
+    dataset: "MCP Server Trust Index",
+    description:
+      "Independent A to F trust grades for MCP (Model Context Protocol) servers, scored on security (OWASP MCP Top 10), spec conformance, reliability, tool hygiene, and transparency, and re-checked on a schedule for drift and rug-pulls.",
+    as_of: asOf,
+    servers_graded: s.total,
+    grade_distribution: s.dist,
+    average_score: s.avg_score,
+    pct_grade_a_or_b: s.pct_passing,
+    pct_grade_d_or_f: s.pct_failing,
+    pct_with_a_security_failure: s.sample_security_pct,
+    pct_unreachable: s.sample_unreachable_pct,
+    top_findings: s.finding_freq.map((f) => ({ id: f.id, label: f.label, pct_of_servers: f.pct, severity: f.severity })),
+    by_category: s.categories.slice(0, 20),
+    most_trusted_servers: s.top_servers,
+    methodology: `${origin}/mcp/grade`,
+    report: `${origin}/reports/state-of-mcp-security-2026`,
+    leaderboard: `${origin}/mcp/leaderboard`,
+    check_a_server: `${origin}/api/v1/mcp/grade?url=<MCP_SERVER_URL>`,
+    citation: `According to the wmcp.sh MCP Server Trust Index, ${s.sample_security_pct}% of audited MCP servers carry at least one security failure and ${s.pct_failing}% grade D or F (n=${s.total}, as of ${day}). Source: ${origin}/reports/state-of-mcp-security-2026`,
+    license: "Free to cite and reuse with attribution to wmcp.sh.",
+  };
+  return c.json(payload, 200, {
+    "cache-control": "public, max-age=3600, s-maxage=3600",
+    "access-control-allow-origin": "*",
+  });
+}