diff --git a/README.md b/README.md index e85023b..f4dc6ff 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,11 @@ Code review for AI agent permission drift. ScopeTrail is a free OSS CLI and GitHub Action that reviews pull requests for risky changes to AI-agent configuration files. - `.mcp.json` +- `.mcp.json.sample`, `.mcp.json.template`, `.mcp.json.disabled`, and `.mcp.json.example` - `.cursor/mcp.json` - `.vscode/mcp.json` - `.codeium/windsurf/mcp_config.json` +- `mcp_config.json.sample`, `mcp_config.json.template`, `mcp_config.json.disabled`, and `mcp_config.json.example` - `.claude/settings.json` - `.codex/config.toml` - Terminal, Markdown, JSON, and line-level GitHub annotation output @@ -117,6 +119,8 @@ ScopeTrail v0 detects: - Unpinned MCP launch commands such as `@latest`. - Cursor, VS Code, and Windsurf MCP config files using `mcpServers` or `servers` where supported. - Windsurf remote MCP endpoint changes through `serverUrl`. +- Sample/template/disabled MCP config drift as a separate advisory category, not active server drift. +- Risky copied MCP examples such as `.mcp.json.sample`, `.mcp.json.template`, `.mcp.json.disabled`, and nested `mcp_config.json.example` files with unpinned commands or remote endpoints. - Broad Claude Code allow rules such as `Bash(npm *)` and `Read(~/**)`. Scoped grants (`WebFetch(domain:example.com)`, `mcp__github__get_issue`) are recognized as narrow and not flagged. - Removed Claude Code deny rules for sensitive files such as `.env`. - Claude Code hook changes: **removed**, **added**, and **command-changed** (a strict `PreToolUse` swapped for a no-op script is the same risk as a removal — both are now caught). diff --git a/docs/PILOT.md b/docs/PILOT.md index 3c22ade..0ec83ef 100644 --- a/docs/PILOT.md +++ b/docs/PILOT.md 
@@ -36,6 +36,7 @@ Useful checks during the trial: - Did ScopeTrail catch real permission drift? - Did any warning feel noisy or too broad? +- Did sample/template/disabled MCP config findings correctly stay separate from active MCP server drift? - Did it miss an agent config surface your repository uses? - Would a team workflow need cross-repo visibility, policy ownership, exception workflow, or reporting? diff --git a/docs/TRUST.md b/docs/TRUST.md index 4d36e23..8369620 100644 --- a/docs/TRUST.md +++ b/docs/TRUST.md @@ -4,7 +4,9 @@ ScopeTrail is a local-only GitHub Action and CLI for reviewing AI-agent permissi ## What It Reads -ScopeTrail reads the checked-out repository and compares supported agent configuration files between the pull request base and head refs. Supported files include `.mcp.json`, `.cursor/mcp.json`, `.vscode/mcp.json`, `.codeium/windsurf/mcp_config.json`, `.claude/settings.json`, and `.codex/config.toml`. +ScopeTrail reads the checked-out repository and compares supported agent configuration files between the pull request base and head refs. Supported active files include `.mcp.json`, `.cursor/mcp.json`, `.vscode/mcp.json`, `.codeium/windsurf/mcp_config.json`, `.claude/settings.json`, and `.codex/config.toml`. + +ScopeTrail also reviews sample/template/disabled MCP config files such as `.mcp.json.sample`, `.mcp.json.template`, `.mcp.json.disabled`, `.mcp.json.example`, and nested `mcp_config.json.example` variants. Those findings are reported separately from active MCP server drift so copied examples can be reviewed without implying they are live configuration. In GitHub Actions, `fetch-depth: 0` is required so ScopeTrail can compare the pull request base and head commits instead of only seeing the latest checkout. diff --git a/test/public-docs.test.mjs b/test/public-docs.test.mjs index e39a3df..6118fa0 100644 --- a/test/public-docs.test.mjs +++ b/test/public-docs.test.mjs 
@@ -31,6 +31,18 @@ test('trust doc describes local-only advisory GitHub Action behavior', async () assert.match(trust, /does not provide a security guarantee/i); }); +test('public docs describe active and sample MCP config coverage', async () => { + const readme = await readProjectFile('README.md'); + const trust = await readProjectFile('docs', 'TRUST.md'); + const pilot = await readProjectFile('docs', 'PILOT.md'); + + assert.match(readme, /sample\/template\/disabled MCP config drift/i); + assert.match(readme, /\.mcp\.json\.sample/); + assert.match(readme, /mcp_config\.json\.example/); + assert.match(trust, /sample\/template\/disabled MCP config files/i); + assert.match(pilot, /sample\/template\/disabled MCP config findings/i); +}); + test('adoption checklist defines advisory-first rollout and feedback path', async () => { const adoption = await readProjectFile('docs', 'ADOPTION.md');
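Review bot: In the README file list (first hunk, `@@ -10,9 +10,11 @@`), the new `mcp_config.json.sample`/`.template`/`.disabled`/`.example` entries are listed as bare file names while the active Windsurf file is `.codeium/windsurf/mcp_config.json`, and the later README bullet calls them "nested `mcp_config.json.example` files". Please state the matching rule once, e.g. `- `mcp_config.json.{sample,template,disabled,example}` (matched at any depth)` or `- `.codeium/windsurf/mcp_config.json.sample`, ...`, so readers know whether a top-level `mcp_config.json.example` is in scope.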
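Review bot: The two new bullets in the detection list (second hunk, `@@ -117,6 +119,8 @@`) overlap and disagree on the file set: the first names the advisory category, the second repeats the file names but drops `.mcp.json.example`, which the file list above does include. Suggest folding them into one bullet, e.g. `- Sample/template/disabled MCP config drift (`.mcp.json.sample`, `.template`, `.disabled`, `.example`, and nested `mcp_config.json.*` variants) with unpinned commands or remote endpoints, reported as a separate advisory category rather than active server drift.`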
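Review bot: The new TRUST.md paragraph (fourth hunk, `@@ -4,7 +4,9 @@`) explains that sample findings are "reported separately from active MCP server drift", but not what happens at the boundary: a `.mcp.json.disabled` or `.mcp.json.sample` file renamed to `.mcp.json` in the same PR is the case a reviewer most needs to understand, since the content now becomes live configuration. One sentence saying whether such a promotion is reported under active server drift (and whether the base-ref comparison sees it as an added file) would close the gap.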
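Review bot: The new test (fifth hunk, `@@ -31,6 +31,18 @@`) asserts only on the exact phrase "sample/template/disabled MCP config ..." in each doc, so a harmless rewording of any of the three files breaks it, while the doc claims it is meant to protect (the full file set and the "reported separately" statement in TRUST.md) are only partly covered. Consider asserting on the names that matter, e.g. `assert.match(readme, /\.mcp\.json\.(sample|template|disabled|example)/);` and `assert.match(trust, /reported separately from active MCP server drift/i);`, and dropping the `/sample\/template\/disabled .../i` phrase matches or relaxing them to a single stable token.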