CLI — MCPTrust

Synopsis

mcptrust artifact <command> [flags]

Utilities for verifying artifact integrity and provenance attestations.

Commands

`verify`

Verify artifact integrity against lockfile pin.

mcptrust artifact verify [lockfile] [flags]

Flag	Default	Description
`-l, --lockfile`	`mcp-lock.json`	Path to lockfile
`-t, --timeout`	`30s`	Timeout for registry operations
`--deep`	`false`	Download tarball and verify SHA256/SRI
`--unsafe-allow-private-tarball-hosts`	`false`	Allow tarball downloads from private networks (requires `--deep`)

Examples:

# Verify integrity against registry
mcptrust artifact verify
 
# Deep verification (download and hash tarball)
mcptrust artifact verify --deep
 
# Specify lockfile path
mcptrust artifact verify --lockfile ./my-lock.json

`provenance`

Verify SLSA/Sigstore provenance attestations.

mcptrust artifact provenance [lockfile] [flags]

Flag	Default	Description
`-l, --lockfile`	`mcp-lock.json`	Path to lockfile
`--expected-source`	(empty)	Expected source repository pattern (regex)
`--json`	`false`	Output as JSON
`-t, --timeout`	`60s`	Timeout for verification operations

Examples:

# Verify provenance
mcptrust artifact provenance
 
# Enforce source repository
mcptrust artifact provenance --expected-source "github.com/myorg/.*"
 
# JSON output for CI
mcptrust artifact provenance --json

Exit Codes

0: Verification passed
1: Verification failed or artifact not pinned