
mcptrust

Runtime security proxy for MCP: lockfile enforcement, drift detection, artifact pinning, Sigstore/Ed25519 signing, CEL policy, OpenTelemetry tracing. Works with Claude Desktop, LangChain, AutoGen, CrewAI.

Installation
Run this command in your terminal to add the MCP server to Claude Code:

claude mcp add --transport stdio mcptrust-mcptrust mcptrust proxy --lock mcp-lock.json -- npx -y @modelcontextprotocol/server-filesystem /tmp

How to use

MCPtrust acts as a deny-by-default runtime proxy and CI gate for MCP servers. It sits between your host (AI agents, Claude Desktop, LangChain, AutoGen, CrewAI, etc.) and the MCP server, enforcing a lockfile that pins the exact tools, prompts, and resources that are allowed to run. Running the proxy with a pre-generated lockfile ensures that only approved capabilities can be exercised through the server; anything new or unknown, such as a dynamically added exec_shell prompt or an unapproved resource, is blocked. The included integrations show how to connect a server through the proxy and how to generate a lockfile that captures the server's trusted surface. The workflow is typically: lock the server's capabilities, then run the proxy with that lock to enforce the allowlist in production or as a CI gate.

How to install

Prerequisites:

  • Install Go (1.20+) and ensure GOPATH/bin is in your PATH
  • Optional: a supported MCP server (e.g., server-filesystem) to test against

Install MCPtrust:

go install github.com/mcptrust/mcptrust/cmd/mcptrust@latest

Usage overview:

  • Generate a lockfile capturing allowed tools/prompts/resources:
      mcptrust lock -- "npx -y @modelcontextprotocol/server-filesystem /tmp"
  • Run the proxy with enforcement using the lockfile:
      mcptrust proxy --lock mcp-lock.json -- npx -y @modelcontextprotocol/server-filesystem /tmp

To integrate with your workflow, you can reference the proxy in Claude Desktop or as part of CI gates, as shown in the repository examples.

Additional notes

Tips and considerations:

  • The system uses a lockfile (mcp-lock.json) to enforce which tools/prompts/resources are allowed. Use --v3 to generate a version-3 lockfile for enhanced policy features.
  • There are multiple proxy modes (enforce by default, filter-only, audit-only) to fit production or testing scenarios.
  • For CI integration, you can hook MCPtrust into GitHub Actions as shown in the README; pin the action to a specific commit SHA, as is good practice for security tooling.
  • Always verify artifact pinning and provenance during the lock process to prevent supply-chain substitutions.
  • If you see a blocked action, check the lockfile to ensure the tool or prompt is included in the allowlist. The proxy reports blocked calls with details like method and tool.
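The lock-then-enforce workflow described above, and the tips about proxy modes, drift and blocked-call reporting, are easier to reason about with the mechanism spelled out. The following is an added example, not mcptrust's code and not its lockfile format: it uses a hypothetical lockfile that maps each tool name to a SHA-256 fingerprint of the tool's description and input schema, detects drift between that lockfile and a server's live tools/list result, and applies a deny-by-default decision to client tools/call requests in a simplified "enforce" or "audit" mode. The tool lists and JSON-RPC requests are constructed sample data.

```python
import hashlib
import json

# Constructed sample: the tools/list result a filesystem server advertised when
# the lockfile was generated (mirrors the shape of an MCP tools/list response).
LOCKED_TOOLS = {"tools": [
    {"name": "read_file",
     "description": "Read the complete contents of a file.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}},
                     "required": ["path"]}},
    {"name": "list_directory",
     "description": "List the entries of a directory.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}},
                     "required": ["path"]}},
]}

# Constructed sample: what the same server advertises on a later start. One tool
# definition changed after locking and a new exec_shell tool appeared.
LIVE_TOOLS = {"tools": [
    {"name": "read_file",
     "description": "Read the complete contents of a file. Follows symlinks.",
     "inputSchema": LOCKED_TOOLS["tools"][0]["inputSchema"]},
    LOCKED_TOOLS["tools"][1],
    {"name": "exec_shell",
     "description": "Run a shell command.",
     "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}}},
]}

# Constructed sample client requests, in MCP's JSON-RPC 2.0 framing.
CALL_READ_FILE = {"jsonrpc": "2.0", "id": 6, "method": "tools/call",
                  "params": {"name": "read_file", "arguments": {"path": "/tmp/a.txt"}}}
CALL_EXEC_SHELL = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
                   "params": {"name": "exec_shell", "arguments": {"cmd": "echo hi"}}}


def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over the canonical JSON of a tool's description and input schema.
    Pinning the definition, not just the name, is what makes a silently rewritten
    tool show up as drift. (Hypothetical scheme, not mcptrust's lockfile format.)"""
    canonical = json.dumps({"description": tool.get("description", ""),
                            "inputSchema": tool.get("inputSchema", {})},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def generate_lock(tools_list_result: dict) -> dict:
    """Analogue of the 'lock' step: capture the server's advertised tool surface."""
    return {"version": 1,
            "tools": {t["name"]: tool_fingerprint(t) for t in tools_list_result["tools"]}}


def detect_drift(lock: dict, tools_list_result: dict) -> dict:
    """Compare a live tools/list result against the lockfile."""
    live = {t["name"]: tool_fingerprint(t) for t in tools_list_result["tools"]}
    pinned = lock["tools"]
    return {"added": sorted(set(live) - set(pinned)),
            "removed": sorted(set(pinned) - set(live)),
            "changed": sorted(n for n in live if n in pinned and live[n] != pinned[n])}


def check_request(lock: dict, request: dict, mode: str = "enforce") -> dict:
    """Deny-by-default decision for one client request.
    mode='enforce' blocks calls to unpinned tools and returns the JSON-RPC error the
    host would receive instead; mode='audit' lets the call through but still flags it."""
    method = request.get("method")
    if method != "tools/call":
        return {"allowed": True, "blocked": False, "method": method, "tool": None}
    tool = request.get("params", {}).get("name")
    pinned = tool in lock["tools"]
    verdict = {"allowed": pinned or mode == "audit", "blocked": not pinned,
               "method": method, "tool": tool}
    if not pinned and mode == "enforce":
        verdict["error"] = {"jsonrpc": "2.0", "id": request.get("id"),
                            "error": {"code": -32601,
                                      "message": f"blocked: tool '{tool}' is not in the lockfile"}}
    return verdict


if __name__ == "__main__":
    lock = generate_lock(LOCKED_TOOLS)
    print("lockfile:", json.dumps(lock, indent=2))
    print("drift:", detect_drift(lock, LIVE_TOOLS))
    for req in (CALL_READ_FILE, CALL_EXEC_SHELL):
        print("enforce:", check_request(lock, req))
        print("audit:  ", check_request(lock, req, mode="audit"))
```

Two design points carry over to any real deployment: the verdict records the method and tool name, which is exactly what you need when a blocked action has to be traced back to a missing allowlist entry, and drift is reported for a changed definition as well as for an added or removed tool, so a server that keeps a name but rewrites what the tool does does not pass unnoticed.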
