Approval Workflow

How to review and approve server changes


The approval workflow is the human element of MCPTrust.

  1. Developer makes changes: Modifies server code.
  2. Developer runs lock: `mcptrust lock -- "npx -y @modelcontextprotocol/server-filesystem /tmp"` updates the lockfile.
  3. Developer commits: Pushes code + lockfile to a Pull Request.
  4. Approver reviews:
    • Checks the code changes.
    • Checks `git diff mcp-lock.json` to see capability changes.
  5. Approver signs:
    • `mcptrust sign` (using the private key).
    • Commits `mcp-lock.json.sig`.
  6. Merge: The PR is merged.

In this model, the signature is the proof that a human review occurred.
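
A merge gate for steps 2 to 6, as an added example that is not MCPTrust's own code: it fails a PR range in which `mcp-lock.json` changed without a later `mcp-lock.json.sig` commit from a different author. The function name, the base/head arguments and the different-author rule are assumptions; the check covers only that the signature file was refreshed after the last lockfile change, not that the signature is cryptographically valid.

```shell
#!/bin/sh
# Added example (not part of MCPTrust). File names come from the page;
# check_lock_approval and its BASE/HEAD arguments are hypothetical.
# Usage in CI: check_lock_approval "$(git merge-base origin/main HEAD)" HEAD

LOCK="mcp-lock.json"
SIG="mcp-lock.json.sig"

# Returns 0 when the range is acceptable, 1 when approval is missing or stale.
check_lock_approval() {
  base="$1"; head="$2"
  changed="$(git diff --name-only "$base" "$head" -- "$LOCK" "$SIG")" || return 2

  # Lockfile untouched: no capability change to approve.
  if ! printf '%s\n' "$changed" | grep -qxF "$LOCK"; then
    echo "ok: $LOCK unchanged"; return 0
  fi
  # Lockfile changed but nobody re-signed it.
  if ! printf '%s\n' "$changed" | grep -qxF "$SIG"; then
    echo "fail: $LOCK changed but $SIG was not updated"; return 1
  fi

  # Last commit in the range that touched each file.
  lock_commit="$(git log -1 --format=%H "$base..$head" -- "$LOCK")"
  sig_commit="$(git log -1 --format=%H "$base..$head" -- "$SIG")"
  if [ -z "$lock_commit" ] || [ -z "$sig_commit" ]; then
    echo "fail: cannot locate commits (is BASE an ancestor of HEAD?)"; return 1
  fi

  # The signature must come at or after the final lockfile change;
  # otherwise it covers an older lockfile than the one being merged.
  if ! git merge-base --is-ancestor "$lock_commit" "$sig_commit"; then
    echo "fail: $LOCK was modified after $SIG was committed"; return 1
  fi

  # Assumption: developer and approver are different people.
  # Author e-mail is self-asserted metadata, so treat this as a
  # process check and pair it with branch protection.
  lock_author="$(git log -1 --format=%ae "$lock_commit")"
  sig_author="$(git log -1 --format=%ae "$sig_commit")"
  if [ "$lock_author" = "$sig_author" ]; then
    echo "fail: $SIG committed by the lockfile author ($sig_author)"; return 1
  fi

  echo "ok: $SIG refreshed by $sig_author after last $LOCK change"; return 0
}
```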