# mcptrust policy

Evaluate CEL policies against server capabilities.

## Synopsis

```
mcptrust policy check -- <command> [flags]
```

Scans the live server and evaluates a CEL (Common Expression Language) policy file against it.

## Flags

| Flag | Default | Description |
|---|---|---|
| `-P, --policy` | (empty) | Path to policy YAML file (uses default if not provided) |
| `--preset` | (empty) | Use built-in policy preset: `baseline` (warn-only) or `strict` (fail-closed) |
| `-l, --lockfile` | (empty) | Path to lockfile for artifact-based policies (enables `input.artifact` and `input.provenance`) |
| `-t, --timeout` | `10s` | Timeout for MCP operations |

## Examples

```sh
# Check with custom policy
mcptrust policy check --policy ./policy.yaml -- "npx -y @scope/server /tmp"

# Use built-in strict preset
mcptrust policy check --preset strict -- "python mcp_server.py"

# Include artifact metadata in policy evaluation
mcptrust policy check --policy ./policy.yaml --lockfile mcp-lock.json -- "npx -y @scope/server"
```

## Policy File Format

```yaml
rules:
  - name: "No write operations"
    expr: "!input.tools.exists(t, t.name.contains('write'))"
  - name: "Must have description"
    expr: "input.tools.all(t, t.description != '')"
```

## Exit Codes

- `0`: All policy rules passed.
- `1`: One or more rules failed.
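A fuller policy in the same file format, added here as an illustration and not a file shipped with mcptrust. It assumes only the `name`/`expr` rule keys and the `input.tools` entries (`name`, `description`) shown above, plus the standard CEL string and list functions `matches` and `size`; the regular expressions, the tool-count cap and the minimum description length are constructed thresholds, not mcptrust defaults.

```yaml
# Example policy (added illustration, not part of the mcptrust project).
# As in the examples above, a rule passes when its expr evaluates to true.
rules:
  # Refuse servers that advertise arbitrary command or code execution.
  - name: "No shell or code execution tools"
    expr: "!input.tools.exists(t, t.name.matches('(?i)(shell|exec|eval|spawn)'))"

  # Refuse destructive operations; the tool name is the only signal used here.
  - name: "No delete operations"
    expr: "!input.tools.exists(t, t.name.contains('delete') || t.name.contains('remove'))"

  # A bare non-empty check is weak; require a description long enough for a
  # reviewer to judge what the tool does (20 characters is a constructed threshold).
  - name: "Descriptions are non-trivial"
    expr: "input.tools.all(t, size(t.description) >= 20)"

  # Predictable tool names make later allow-lists and diffs easier to maintain.
  - name: "Tool names are lowercase snake_case"
    expr: "input.tools.all(t, t.name.matches('^[a-z][a-z0-9_]*$'))"

  # Cap the advertised surface; a server exposing more tools than this gets a manual review.
  - name: "At most 25 tools"
    expr: "size(input.tools) <= 25"
```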