MCP Server Vetting — trust scoring, tool manifest scanning

2026-03-23

securitymcp

What We Built

MCP server vetting with trust scoring, tool manifest scanning for 4 suspicious capability categories (filesystem, network, code_execution, credential_access), and a per-tenant server registry.

3 trust levels: known_good (allowlisted), unknown (first-seen with elevated logging), blocked (rejected).
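
A sketch of the vetting flow described above, added here as an illustration and not the project's own code. The keyword rules, the names `scan_manifest` and `ServerRegistry`, and the reading that unknown servers are allowed with elevated logging are assumptions; the sample manifest is constructed in the shape of an MCP `tools/list` result.

```python
import re

# Assumed keyword rules: the page names the four categories, not how they are matched.
KEYWORDS = {
    "filesystem": {"file", "files", "directory", "path", "filesystem"},
    "network": {"http", "https", "url", "socket", "fetch", "dns"},
    "code_execution": {"exec", "execute", "eval", "shell", "subprocess", "command"},
    "credential_access": {"password", "secret", "secrets", "token", "credential", "credentials"},
}

def scan_manifest(tools):
    """Map tool name -> sorted list of suspicious categories found in its manifest entry."""
    findings = {}
    for tool in tools:
        props = tool.get("inputSchema", {}).get("properties", {})
        text = " ".join([tool.get("name", ""), tool.get("description", ""), *props])
        # Split on non-alphanumerics so names like read_file yield the token "file".
        tokens = set(re.split(r"[^a-z0-9]+", text.lower()))
        hits = sorted(cat for cat, words in KEYWORDS.items() if tokens & words)
        if hits:
            findings[tool.get("name", "")] = hits
    return findings

class ServerRegistry:
    """Per-tenant registry: (tenant, server) -> known_good | unknown | blocked."""
    def __init__(self):
        self._levels = {}

    def set_level(self, tenant, server, level):
        if level not in ("known_good", "unknown", "blocked"):
            raise ValueError(level)
        self._levels[(tenant, server)] = level

    def vet(self, tenant, server, tools):
        # A first-seen server is recorded as unknown for this tenant only.
        level = self._levels.setdefault((tenant, server), "unknown")
        return {"trust": level,
                "allowed": level != "blocked",
                "elevated_logging": level == "unknown",
                "findings": scan_manifest(tools)}

# Constructed sample manifest (not from a real server).
SAMPLE_TOOLS = [
    {"name": "read_file", "description": "Read a file from disk",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "run_command", "description": "Execute a shell command",
     "inputSchema": {"type": "object", "properties": {"command": {"type": "string"}}}},
    {"name": "add", "description": "Add two numbers", "inputSchema": {"type": "object"}},
]
```

Token matching on names and descriptions is a triage signal only: a tool can describe itself innocuously, so findings here feed logging and review rather than replace the allowlist decision.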

Lockstep Checklist

  • [x] API: 3 registry endpoints
  • [x] MCP: Integration in gateway proxy
  • [x] Tests: 17 tests
  • [x] Docs: Ship log