mcptrust lock
Create a lockfile from a running MCP server
Synopsis
mcptrust lock -- <command> [flags]Connects to the specified MCP server, discovers all tools, and writes a deterministic mcp-lock.json file to the current directory.
Options
| Flag | Default | Description |
|---|---|---|
-f, --force | false | Overwrite lockfile even if drift is detected |
-o, --output | mcp-lock.json | Output path for the lockfile |
-t, --timeout | 10s | Timeout for MCP operations |
--pin | false | Resolve and pin artifact coordinates for supply chain security |
--verify-provenance | false | Verify SLSA/Sigstore provenance attestations |
--expected-source | "" | Expected source repository pattern (regex) for provenance verification |
--v3 | false | Generate lockfile v3 format. This locks Prompts and Resource Templates (with hashes) in addition to Tools, and supports msg_template signing. |
Examples
Lock a local server:
mcptrust lock -- "npx -y @modelcontextprotocol/server-filesystem /tmp"This will generate mcp-lock.json containing hashes of all exposed tools.