π¦
Mcptrust
Runtime security proxy for MCP: lockfile enforcement, drift detection, artifact pinning, Sigstore/Ed25519 signing, CEL policy, OpenTelemetry tracing. Works with Claude Desktop, LangChain, AutoGen, CrewAI.
0 installs
6 stars
2 forks
Trust: 59 β Fair
Ai
Installation
npx mcptrustAsk AI about Mcptrust
Powered by Claude Β· Grounded in docs
I know everything about Mcptrust. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Loading tools...
Reviews
Documentation
MCPTrust
Deny-by-default runtime proxy + CI gate for MCP servers.
Pin what you run. Verify provenance. Enforce what tools/prompts/resources are allowed.
For: Teams running MCP servers in Claude Desktop, LangChain, AutoGen, CrewAI, or internal AI agents.
What It Blocks
MCPTrust is the firewall between your AI agent and the MCP server.
- π« Shadow tools at runtime β Server adds a new
exec_shelltool after you approved it? Blocked. - π« Drift after lockfile β Server changed since last CI check? Fails the build.
- π« Supply-chain swaps β Tarball hash doesn't match pinned artifact? Execution denied.
Without MCPTrust, any MCP server can silently add dangerous capabilities. With MCPTrust, it's deny-by-default.
2-Minute Quickstart
# 1. Install
go install github.com/mcptrust/mcptrust/cmd/mcptrust@latest
# 2. Lock the server's capabilities
mcptrust lock -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
# 3. Run with enforcement (blocks anything not in lockfile)
mcptrust proxy --lock mcp-lock.json -- npx -y @modelcontextprotocol/server-filesystem /tmp
That's it. The proxy now sits between your host and the server, blocking any tool/prompt/resource not in your lockfile.
Try the "Fail Closed" Demo
See MCPTrust block a rogue tool in real-time:
# Lock a server
mcptrust lock -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
# Now imagine the server adds a new tool after you locked it...
# The proxy blocks unknown tools and logs:
mcptrust proxy --lock mcp-lock.json -- npx -y @modelcontextprotocol/server-filesystem /tmp
# β [BLOCKED] tools/call: unknown tool "exec_shell" not in allowlist
Expected output when a tool is blocked:
mcptrust: action=blocked method=tools/call tool=exec_shell reason="not in allowlist"
How It Works
ββββββββββββ βββββββββββββββββββββββ ββββββββββββββ
β Host β ββββ β mcptrust proxy β ββββ β MCP Server β
β (Claude) β β β β β
ββββββββββββ βββββββββββββββββββββββ ββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββ
β β’ ID translation (anti- β
β spoofing, server never β
β sees host request IDs) β
β β’ List filtering β
β β’ Call/read blocking β
β β’ Drift preflight check β
β β’ Audit logs/receipts β
βββββββββββββββββββββββββββββββ
Feature Grid
| Feature | What It Does |
|---|---|
| Runtime proxy | Deny-by-default enforcement between host and server |
| Lockfile v3 | Allowlist tools, prompts, resources, templates |
| Drift detection | CI fails on critical/moderate/info changes |
| Policy presets | baseline (warn) or strict (fail-closed) |
| Artifact pinning | SHA-512/256 integrity + provenance verification |
| ID translation | Anti-spoofing: server never sees real host IDs |
| Audit-only mode | Log everything, block nothing (training/rollout) |
| Filter-only mode | Filter lists, don't block calls (visibility) |
Trust & Security Guarantees
MCPTrust makes explicit guarantees that other tools don't:
| Invariant | Mechanism |
|---|---|
| Server never sees host request IDs | Proxy-generated IDs; host IDs never forwarded |
| Unknown/duplicate responses dropped | Anti-spoofing: responses must match pending requests |
| Fail-closed on pending saturation | If tracking table is full, deny (no silent pass) |
| Fail-closed on RNG failure | If ID generation fails, deny the request |
| Fail-closed on checksum mismatch | Artifact hash must match or execution denied |
| NDJSON line limits | Lines > 10MB dropped (OOM defense) |
| HTTPS-only tarball downloads | HTTP blocked; private IPs blocked (SSRF defense) |
| CI action pinned to SHA | Composite action uses pinned dependencies |
See SECURITY_GUARANTEES.md for full details.
Integrations
MCPTrust works with your existing stack:
| Platform | Status | Notes |
|---|---|---|
| Claude Desktop | β Works | Point mcpServers to mcptrust proxy -- <server> |
| Claude Code | β Works | Use claude mcp add with mcptrust proxy |
| Node MCP servers | β Works | Any stdio-based server (npx, node, etc.) |
| Python agents | β Works | LangChain, AutoGen, CrewAI β use proxy as subprocess |
| GitHub Actions | β Native | Composite action for CI gates |
| Docker | β Works | mcptrust run supports docker run IMAGE |
Claude Desktop Example
{
"mcpServers": {
"filesystem": {
"command": "mcptrust",
"args": ["proxy", "--lock", "/path/to/mcp-lock.json", "--", "npx", "-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
}
}
}
Claude Code Example
# Generate lockfile
mcptrust lock --v3 -- npx @modelcontextprotocol/server-filesystem /tmp
# Add MCP server with MCPTrust proxy
claude mcp add my-server -- mcptrust proxy --lock mcp-lock.json -- npx @modelcontextprotocol/server-filesystem /tmp
GitHub Action (CI Gate)
Add MCPTrust to your CI in 30 seconds:
- uses: mcptrust/mcptrust/.github/actions/mcptrust@<SHA>
with:
mode: check
lockfile: mcp-lock.json
fail_on: critical
policy: baseline
server_command: 'npx -y @modelcontextprotocol/server-filesystem /tmp'
| Mode | Purpose |
|---|---|
lock | Generate lockfile from server |
check | Fail if drift detected |
policy | Enforce CEL governance rules |
[!TIP] Pin to a commit SHA for security tooling. See Action README.
Proxy Modes
βββββββββββββββββββββββββββββββ
β Proxy Modes β
βββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββΌββββββββββββββββββββββββββββ
β β β
βΌ βΌ βΌ
βββββββββββββββββ βββββββββββββββββ ββββββββββββββββββ
β ENFORCE β β FILTER-ONLY β β AUDIT-ONLY β
β (default) β β β β β
βββββββββββββββββ€ βββββββββββββββββ€ ββββββββββββββββββ€
β β
Filter listsβ β β
Filter listsβ β β No filteringβ
β β
Block calls β β β Allow calls β β β Allow calls β
βββββββββββββββββ€ βββββββββββββββββ€ ββββββββββββββ βββ€
β Production β β Rollout β β Training β
βββββββββββββββββ βββββββββββββββββ ββββββββββββββββββ
| Mode | Lists Filtered | Calls Blocked | Use Case |
|---|---|---|---|
enforce (default) | β | β | Production |
--filter-only | β | β | Visibility rollout |
--audit-only | β | β | Training/logging |
# Enforce mode (default) β blocks unknown tools
mcptrust proxy --lock mcp-lock.json -- npx -y ...
# Audit-only β log but don't block (safe for rollout)
mcptrust proxy --audit-only --lock mcp-lock.json -- npx -y ...
# Filter-only β filter lists, don't block calls
mcptrust proxy --filter-only --lock mcp-lock.json -- npx -y ...
Supply Chain Security
MCPTrust pins and verifies the exact artifact you run:
# Lock with artifact pinning + provenance
mcptrust lock --pin --verify-provenance -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
# Enforced execution (verifies everything, then runs)
mcptrust run --lock mcp-lock.json
| Guarantee | Mechanism |
|---|---|
| Tarball SHA-512 matches | lockfile.artifact.integrity |
| Tarball SHA-256 matches | lockfile.artifact.tarball_sha256 |
| SLSA provenance verified | cosign attestation validation |
| No postinstall scripts | --ignore-scripts enforced |
| Local execution only | Binary from verified node_modules/.bin/ |
Security Posture
MCPTrust's own supply chain is hardened:
- β GitHub Actions pinned to SHAs β All action dependencies use commit SHAs
- β Dependabot enabled β Automated updates for GitHub Actions
- β Release checksums fail-closed β Binary verification required
- β HTTPS-only downloads β HTTP and private IPs blocked
- β Responsible disclosure β See SECURITY.md
CLI Reference
| Command | Purpose |
|---|---|
scan | Inspect MCP server capabilities |
lock | Create mcp-lock.json from server state |
diff | Detect drift between lockfile and live server |
proxy | Run as stdio enforcement proxy |
run | Verified execution from pinned artifact |
sign / verify | Ed25519 or Sigstore signatures |
policy check | Enforce CEL governance rules |
bundle export | Create deterministic ZIP for distribution |
See docs/CLI.md for full reference.
Signing & Verification
Ed25519 (Local)
mcptrust keygen # Generate keypair
mcptrust sign --key private.key mcp-lock.json
mcptrust verify --key public.key mcp-lock.json
Sigstore (CI/CD, Keyless)
mcptrust sign --sigstore mcp-lock.json
mcptrust verify mcp-lock.json \
--issuer https://token.actions.githubusercontent.com \
--identity "https://github.com/org/repo/.github/workflows/sign.yml@refs/heads/main"
See docs/SIGSTORE.md for GitHub Actions examples.
Observability
Structured Logging
mcptrust lock --log-format jsonl --log-output /var/log/mcptrust.jsonl -- "..."
Receipts (Audit Trail)
mcptrust lock --receipt /var/log/mcptrust/receipt.json -- "..."
OpenTelemetry
mcptrust lock --otel --otel-endpoint localhost:4318 -- "..."
See docs/observability-otel.md for full options.
Documentation
- CLI Reference β Commands, flags, examples
- Claude Code Guide β Full integration walkthrough
- LangChain Guide β Python adapter for agents
- Sigstore Guide β Keyless signing for CI/CD
- Security Guarantees β Explicit security properties
- Threat Model β What we protect against
- Policy Guide β Writing CEL rules
- Migration Guide β Version compatibility
Roadmap
- π Policy packs β Shareable governance rule sets
- π Receipts schema v2 β Stable schema for SIEM integration
- π Resource/prompt template locking β Full MCP surface coverage
Limitations
MCPTrust secures the interface, not the implementation:
| Out of Scope | Why |
|---|---|
| Malicious logic | A tool named read_file that runs rm -rf looks identical via schema |
| Runtime prompt injection | MCPTrust doesn't monitor agent β tool conversations |
| Key compromise | If private.key is stolen, attacker can sign malicious lockfiles |
| Development overhead | For quick prototyping, the lockfile workflow may be overkill |
See THREAT_MODEL.md for full details.
Development
go test ./... # Unit tests
bash tests/gauntlet.sh # Integration suite
MCPTRUST_BIN=./mcptrust bash scripts/smoke.sh # Smoke test
Contributing
Issues and PRs welcome. See SECURITY.md for vulnerability reporting.