Skip to main content

Inspects MCP server manifests for ECZ-ID configuration and public evidence posture.

Project description

ECZ-ID MCP Server Inspection

ecz-id-mcp statically inspects MCP server manifests for ECZ-ID configuration posture, transport posture and identity. Part of the ECZ-ID PyPI family. It inspects, explains and routes only.

It never starts an MCP server, never executes a configured command, never connects to a transport, and never creates another MCP identity or Official MCP Registry entry. It never issues or activates an ECZ-ID, never prices or carts, and never certifies. It is not a safety/compliance/insurance/premium decision and not a security, capability or behavioural proof. Missing public proof is neutral. Local policy decides. Re-check before reliance.

One-command first run

$ ecz-id-mcp inspect ./my-mcp-server
ECZ-ID inspection: ./my-mcp-server [ecz-id-mcp]
A. configuration posture : PRESENT
B. public proof posture  : NOT_CHECKED  (neutral)
...
local policy decides; re-check before reliance

Supported inputs

  • A directory or manifest file. Recognised names: server.json, mcp_server_manifest.json, mcp.json, .mcp.json (static JSON only).
  • Observes server name, declared tools (and read-only markers), declared stdio / remote transport posture, invocation command and args (never executed), remote endpoints (never connected), and registry / package / repository identity.
  • Observes pinned-vs-floating invocation (version pin present or not) and compares declared package identity with a co-located pyproject.toml.

On Python < 3.11, the pyproject.toml comparison needs a TOML backport: pip install ecz-id-mcp[toml]. Without it, that one observation degrades to a neutral note instead of failing.

Privacy boundaries

Static JSON inspection; never starts, connects to or executes anything. Bounded, symlink-refusing enumeration. No telemetry, no uploads. Secrets redacted on every export. Offline mode (--offline / ECZ_ID_OFFLINE=1) skips all network.

Explicit non-claims

Not a safety / certification / compliance / insurance / premium decision. Not a security, capability or behavioural proof. Does not start, connect to or execute any MCP server. Does not create another MCP identity or registry entry. Does not price or cart.

Python API

from ecz_id_mcp import inspect

result = inspect("./my-mcp-server")
print(result.configuration_evidence.posture.value)   # PRESENT / PARTIAL / ABSENT / INVALID

CI / test example

$ ecz-id-mcp inspect . --json > ecz-id-mcp.json   # exit 0 for any completed inspection
$ ecz-id-mcp doctor --json

Routes

Re-check

$ ecz-id-mcp recheck ./my-mcp-server --json

Machine-readable integration

Machine Interface · Manifest · Resolver · Operator setup · Developer guidance

Each installation includes structured machine-readable metadata for automation, CI and supported integrations. Every JSON report embeds a compact machine_interface object with the canonical roots and safe, read-only actions.

The package runs locally to inspect, explain and route. It does not issue an ECZ-ID, write canonical truth, create public proof, price a cart, or replace Resolver proof.

$ ecz-id-mcp manifest --json
$ ecz-id-mcp compare ./old ./new --json    # neutral drift
$ ecz-id-mcp inspect . --sarif             # SARIF for code scanning
$ uvx ecz-id-mcp inspect .                 # or: pipx run ecz-id-mcp inspect .

Continue with ECZ-ID

Licence and trademarks

Apache-2.0 (see LICENSE, NOTICE). The code licence grants no trademark rights; “ECZ-ID” and “EcoCitizenz” are trademarks of their owner(s) — see TRADEMARKS.md. Changelog: CHANGELOG.md. Security: SECURITY.md.

CLI: ecz-id-mcp  |  Import: ecz_id_mcp  |  Plugin group: ecz_id.plugins

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ecz_id_mcp-0.1.1.tar.gz (13.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ecz_id_mcp-0.1.1-py3-none-any.whl (14.1 kB view details)

Uploaded Python 3

File details

Details for the file ecz_id_mcp-0.1.1.tar.gz.

File metadata

  • Download URL: ecz_id_mcp-0.1.1.tar.gz
  • Upload date:
  • Size: 13.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ecz_id_mcp-0.1.1.tar.gz
Algorithm Hash digest
SHA256 1c3e84648c31774cfebf1a73712889ae1ae03a7743308b9ef2c5e6742e968794
MD5 859b0fc1fc473986a120af8cd3e42d2c
BLAKE2b-256 87a4d617274036843b9eb6ede88f3456fb2dcbfe6ff8f897ac2ec2d4d594682e

See more details on using hashes here.

Provenance

The following attestation bundles were made for ecz_id_mcp-0.1.1.tar.gz:

Publisher: publish-ecz-id-mcp.yml on Ecocitizenz/ecz-id-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ecz_id_mcp-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: ecz_id_mcp-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 14.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ecz_id_mcp-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 4034c8acc01b2d0d979fd9e107ea10aa32b93298fdb5b12b838b1f6e94ff5cf5
MD5 b37869699b85a61423dc69fb168e3b6a
BLAKE2b-256 9d14c27a46f257ea8f6395ac0a8b381709238f2120bd11aebc266cf4ec091a87

See more details on using hashes here.

Provenance

The following attestation bundles were made for ecz_id_mcp-0.1.1-py3-none-any.whl:

Publisher: publish-ecz-id-mcp.yml on Ecocitizenz/ecz-id-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page