Bundle Export

Distributing approved artifacts


When distributing an MCP server to an air-gapped environment or a customer, you need to ensure they get the exact same configuration you approved.

Creating a Bundle

mcptrust bundle export --out release-v1.zip

This creates a ZIP file containing:

  • `mcp-lock.json`
  • `mcp-lock.json.sig`
  • `policy.yaml` (if present)
  • `README.txt` (manifest of approved tools)

Determinism

The ZIP file creation is deterministic. File timestamps are zeroed, and file ordering is fixed. This means if you run `bundle export` twice on the same inputs, you get the exact same SHA-256 hash for the ZIP file.
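The sketch below shows how zeroed timestamps and fixed ordering make a ZIP's SHA-256 reproducible, and how a recipient can check a bundle against the digest recorded when it was approved. It is an added example, not mcptrust's own code: the function names, the sample file contents, the use of 1980-01-01 as the "zero" timestamp and the choice of uncompressed entries are all assumptions of the example.

```python
import hashlib
import io
import zipfile

# ZIP cannot store a date before 1980-01-01, so this stands in for "zeroed".
FIXED_TIME = (1980, 1, 1, 0, 0, 0)

# Constructed sample contents; the file names are the ones listed above.
SAMPLE = {
    "mcp-lock.json": b'{"tools": ["constructed-example"]}\n',
    "mcp-lock.json.sig": b"constructed-signature-bytes\n",
    "policy.yaml": b"rules: []\n",
    "README.txt": b"Approved tools: constructed-example\n",
}


def build_bundle(files, date_time=FIXED_TIME):
    """Return ZIP bytes that depend only on entry names and contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):  # fixed ordering, independent of input order
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_STORED  # no compressor-version drift
            info.create_system = 3  # otherwise varies with the host OS
            info.external_attr = 0o644 << 16  # fixed permissions
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_bundle(data, approved_sha256):
    """Recipient-side check against the digest recorded at approval time."""
    return sha256_hex(data) == approved_sha256.strip().lower()


if __name__ == "__main__":
    first = build_bundle(SAMPLE)
    second = build_bundle(dict(reversed(list(SAMPLE.items()))))
    print("reproducible:", sha256_hex(first) == sha256_hex(second))
    stamped = build_bundle(SAMPLE, date_time=(2024, 5, 1, 12, 0, 0))
    print("real mtime changes digest:", sha256_hex(stamped) != sha256_hex(first))
    print("recipient check:", verify_bundle(first, sha256_hex(first)))
```

A single changed byte in any entry, or a real modification time leaking into an entry header, produces a different digest, which is why the approved hash can be sent to the recipient separately from the bundle and compared on arrival.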
