The lockfile and firewall for the agentic web.
Prevent your AI agents from executing unverified code or dangerous tool calls.
Pin what you run. Verify provenance. Deny by default.
Up and running in seconds.
Install the CLI, discover your tools, and lock them down.
Install
Get the latest version via Go install.
go install github.com/mcptrust/mcptrust/cmd/mcptrust@latest
Requires Go 1.21+
Lock
Generate a secure lockfile for your server.
mcptrust lock -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
Connect
Connect safely (mcptrust proxy ...)
mcptrust proxy --lock mcp-lock.json -- npx -y @modelcontextprotocol/server-filesystem /tmp
What It Blocks
MCPTrust is the firewall between your AI agent and the MCP server.
Shadow Tools
Server adds a new exec_shell tool after you approved it? Blocked.
Drift
Server changed since last CI check? Fails the build.
Supply-Chain Swaps
Tarball hash doesn't match the pinned artifact? Fails verification (lock --pin, verify-provenance).
Features
Everything you need to secure your MCP infrastructure.

Sigstore Signing
Keyless CI/CD signing via GitHub OIDC
Policy Presets
Baseline (warn) or strict (fail-closed) rules

GitHub Action
Native CI gate with PR comments
Runtime proxy
Deny-by-default enforcement between host and server
Lockfile v3
Allowlist tools, prompts, resources, templates
Drift detection
CI fails on critical/moderate/info changes

Artifact pinning + SLSA
SHA-512/256 integrity + provenance verification
Audit-only mode
Log everything, block nothing (training/rollout)

OTel Tracing
Enterprise SIEM integration & visibility
Works with your stack
Native integrations for the tools you already use. Drop into your existing workflow with minimal configuration.
Claude Desktop
Architecture
How MCPTrust protects your agent.
- ID translation: Anti-spoofing, server never sees host request IDs.
- List filtering: Hide dangerous tools from the host.
- Call/read blocking: Deny unauthorized actions.
- Drift preflight check: Ensure server capabilities match lockfile.
- Audit-only mode: Safe rollout, log violations without blocking.
- Audit logs/receipts: Full visibility into agent actions.
The Problem: Silent Drift
- Server code changes: An update to the server implementation changes behavior without your knowledge.
- Dependency updates: A supply-chain attack or buggy dependency update alters tool safety.
- Look-alike servers: An attacker publishes a server with the same name but malicious tools.
The Solution: Explicit Trust
MCPTrust makes MCP servers behave like pinned dependencies: Snapshot → Approve → Verify later.
- Cryptographic Identity: Tools are identified by hashes of their declared description and input schema.
- Tamper-Evident: Signed lockfiles guarantee the state hasn't changed.
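The snapshot-and-verify flow above, as an added example in Go that is not MCPTrust's own code: it derives a tool identity from the declared description and the canonicalised input schema with SHA-512/256, records it in an illustrative name-to-hash map (not the real lockfile v3 layout), and replays the preflight check against a later tool listing, denying a drifted tool and a newly added shadow tool. The tool names, schemas and the ToolID/Verify helpers are constructed for this example.

```go
package main

import (
	"crypto/sha512"
	"encoding/json"
	"fmt"
)

// Tool is a minimal stand-in for an MCP tool declaration (constructed here).
type Tool struct{ Name, Description, InputSchema string }

// ToolID hashes the declared description and canonical input schema with
// SHA-512/256; an unparseable schema yields "" and can never match a lock.
func ToolID(t Tool) string {
	var schema interface{}
	if json.Unmarshal([]byte(t.InputSchema), &schema) != nil {
		return ""
	}
	canon, _ := json.Marshal(schema) // re-encoding sorts object keys and drops whitespace
	return fmt.Sprintf("%x", sha512.Sum512_256(append([]byte(t.Description+"\x00"), canon...)))
}

// Verify is the preflight check: expose a tool only if its name is locked and
// its identity still matches; deny and report everything else (deny by default).
func Verify(lock map[string]string, served []Tool) (allowed []Tool, findings []string) {
	for _, t := range served {
		want, locked := lock[t.Name]
		switch id := ToolID(t); {
		case !locked:
			findings = append(findings, "shadow tool denied: "+t.Name)
		case id == "" || id != want:
			findings = append(findings, "drift denied: "+t.Name)
		default:
			allowed = append(allowed, t)
		}
	}
	return allowed, findings
}

func main() {
	// Constructed listings: the approved tool, then a later server that rewords
	// read_file's description and quietly adds exec_shell.
	approved := Tool{"read_file", "Read a file", `{"type":"object","properties":{"path":{"type":"string"}}}`}
	lock := map[string]string{approved.Name: ToolID(approved)} // snapshot step; illustrative lock, not the real format
	allowed, findings := Verify(lock, []Tool{
		{"read_file", "Read any file", `{"properties":{"path":{"type":"string"}},"type":"object"}`},
		{"exec_shell", "Run a shell command", `{"type":"object"}`}})
	fmt.Println(len(allowed), "allowed;", findings)
}
```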
Trusted Workflow
From initial discovery to production release, every step is verified.
Step 01: Scan
Discover all available tools and resources in your MCP server before locking them down.
mcptrust scan -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
Security Guarantees
Understand exactly what MCPTrust provides—and what it doesn't.
Integrity
Signed lockfile tamper detection ensures files haven't changed.
Authenticity
Cryptographic proof that the lockfile was approved (signed) by the holder of the signing key.
ID Translation
Server never sees host request IDs, preventing spoofing attacks.
Fail-Closed
Unknown/duplicate responses dropped. Deny on saturation.
Runtime Enforcement
Proxy blocks all unapproved tools and resource access.
The Gauntlet
17-phase stress test suite run on every commit.
Internal Logic
Does not verify the internal correctness of the server code (unless pinned/verified).
Sandboxing
Does not firewall tool execution side-effects (e.g., file deletion) if authorized.
Key Security
Trust depends entirely on private key management practices.
Adoption Patterns
Flexible workflow integration for any team size.
Local Dev
Use scan to inspect servers and lock to create snapshots during development.
CI Gate
Run verify and diff in your pipelines to block unapproved or drifted changes.
Release
Use bundle export to package approved artifacts for production release.