mcp s-registry
Repository holding sources for all mcp-servers managed by Acuvity
claude mcp add --transport stdio acuvity-mcp-servers-registry docker run -i acuvity/mcp-s-registry:latest \
  --env ARC_RUNTIME="enabled" \
  --env REGISTRY_LOG_LEVEL="info"
How to use
The MCP server registry (s-registry) provided by ARC acts as a secure, centralized registry for MCP servers within your environment. It leverages ARC’s secure container runtime and Minibridge integration to host and manage MCP server instances with built-in SBOM validation, policy enforcement, and remote connectivity. The registry itself focuses on discovery, validation, and orchestration of individual MCP servers, while each server continues to expose its capabilities (tools, call endpoints, and outputs) through the secure ARC bridge. This setup is designed to minimize operational overhead while maximizing security and traceability in enterprise deployments.
To use it, deploy the s-registry container (via Docker) and ensure ARC-enabled runtime protection is active. Once running, you can register MCP servers by providing source links and runtime configuration (environment variables or CLI args). The registry automates secure deployment, enforces the ARC-minibridge governance policies, and enables remote access (HTTP/SSE, WebSockets) to the managed MCP servers. You can then invoke tools securely through the registry-enabled layer, monitor SBOM provenance, and rely on policy checks to prevent unsafe tool usage or data leakage. The registry is designed to integrate with Kubernetes via Helm charts and provide a streamlined path to secure MCP deployments at scale.
Key capabilities you’ll interact with include: (1) SBOM validation and provenance checks during deployment, (2) Open Policy Agent (OPA) driven policy enforcement for tool usage and data handling, (3) secure remote connectivity through Minibridge for HTTP/SSE and WebSocket channels, and (4) centralized visibility into registered servers, their versions, and security posture.
How to install
Prerequisites:
- Docker installed on the host machine with sufficient privileges.
- Basic networking access to pull images from Docker Hub or your registry.
- Optional: Kubernetes cluster if you plan to deploy via Helm charts in a cluster.
Installation steps:
- Verify prerequisites
  - docker version
  - network access to pull images
- Pull and run the MCP S-Registry image

    # Pull the latest registry image
    docker pull acuvity/mcp-s-registry:latest

    # Run the registry container (adjust environment variables as needed)
    docker run -d \
      --name mcp-s-registry \
      -p 8080:8080 \
      -e ARC_RUNTIME=enabled \
      -e REGISTRY_LOG_LEVEL=info \
      acuvity/mcp-s-registry:latest

- Validate deployment

    # Check container status
    docker ps | grep mcp-s-registry

    # Optional: inspect logs for readiness
    docker logs -f mcp-s-registry

- Configure registry integration
  - If you’re integrating with Kubernetes, use Helm charts provided by ARC (refer to ARC docs) to deploy the registry with your cluster’s security context and networking policies.
  - Prepare your MCP server source links and runtime config (environment variables or CLI args) to register servers with the registry.
- Connect and manage
  - Use the registry’s exposed endpoints to discover, validate, and deploy MCP servers. Rely on ARC’s Minibridge-backed connectivity for secure remote access and policy enforcement.
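The install steps run the mutable `:latest` tag and publish port 8080 with `-p 8080:8080`, which Docker binds on every host interface. As an added example (not code from Acuvity or the ARC project), this wrapper resolves the tag to its digest and refuses to start the container unless the reference is digest-pinned and the port is bound to loopback. The function names, the `deploy` argument and the loopback-only choice are assumptions made here.

```shell
#!/bin/sh
# Added example, not Acuvity's code. Image name, port and env vars come from
# the install steps; digest pinning and the loopback bind are assumptions.
IMAGE="acuvity/mcp-s-registry"
NAME="mcp-s-registry"

# Succeeds only for repo@sha256:<64 lowercase hex>, an immutable reference.
is_digest_pinned() {
  repo=${1%@sha256:*}; hex=${1##*@sha256:}
  [ "$repo" != "$1" ] && [ -n "$repo" ] && [ ${#hex} -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  case "$repo" in *[!A-Za-z0-9._/:-]*) return 1 ;; esac
}

# Succeeds only when the -p spec binds the host side to loopback.
is_loopback_publish() {
  case "$1" in
    127.0.0.1:*:* | "[::1]":*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull a tag and print the digest reference docker recorded for it.
resolve_digest() {
  docker pull --quiet "$1" >/dev/null &&
    docker image inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Start the registry, refusing mutable tags and off-host port bindings.
run_registry() {
  is_digest_pinned "$1" || { echo "refusing: $1 is not digest-pinned" >&2; return 2; }
  is_loopback_publish "$2" || { echo "refusing: $2 is not loopback-only" >&2; return 3; }
  docker run -d --name "$NAME" -p "$2" \
    -e ARC_RUNTIME=enabled -e REGISTRY_LOG_LEVEL=info "$1"
}

# Only act when called as: sh script.sh deploy
if [ "${1:-}" = "deploy" ]; then
  ref=$(resolve_digest "$IMAGE:latest") || exit 1
  echo "pinned reference (record this for redeploys): $ref"
  run_registry "$ref" "127.0.0.1:8080:8080"
fi
```

Resolving the digest at pull time only records what was fetched on that run; reuse the printed reference on later deploys so a changed `:latest` cannot replace the image silently.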
Additional notes
Tips and common considerations:
- Ensure Docker Scout and SBOM validation are enabled if you require stricter supply chain checks.
- Use environment variables to tailor security policies, logging verbosity, and remote connectivity options for your deployment environment.
- If you are integrating with Kubernetes, prefer the Helm-based deployment pattern for consistent defaults and automatic updates.
- Regularly review policy rules and redaction configurations to avoid accidental data leakage in tool descriptions or outputs.
- When debugging, inspect Minibridge logs and ARC runtime protections to understand how remote calls are marshaled and validated.
- If you encounter connectivity issues, verify that the host firewall permits the necessary ports for remote access (e.g., 8080 for registry UI/API) and that SSL/TLS configurations align with your security requirements.