Inspects MCP server manifests for ECZ-ID configuration and public evidence posture.
Project description
ECZ-ID MCP Server Inspection
ecz-id-mcp statically inspects MCP server manifests for ECZ-ID
configuration posture, transport posture and identity. Part of the ECZ-ID
PyPI family. It inspects, explains and routes only.
It never starts an MCP server, never executes a configured command, never connects to a transport, and never creates another MCP identity or Official MCP Registry entry. It never issues or activates an ECZ-ID, never prices or carts, and never certifies. It is not a safety/compliance/insurance/premium decision and not a security, capability or behavioural proof. Missing public proof is neutral. Local policy decides. Re-check before reliance.
One-command first run
$ ecz-id-mcp inspect ./my-mcp-server
ECZ-ID inspection: ./my-mcp-server [ecz-id-mcp]
A. configuration posture : PRESENT
B. public proof posture : NOT_CHECKED (neutral)
...
local policy decides; re-check before reliance
Supported inputs
- A directory or manifest file. Recognised names:
server.json,mcp_server_manifest.json,mcp.json,.mcp.json(static JSON only). - Observes server name, declared tools (and read-only markers), declared stdio / remote transport posture, invocation command and args (never executed), remote endpoints (never connected), and registry / package / repository identity.
- Observes pinned-vs-floating invocation (version pin present or not) and
compares declared package identity with a co-located
pyproject.toml.
On Python < 3.11, the pyproject.toml comparison needs a TOML backport:
pip install ecz-id-mcp[toml]. Without it, that one observation degrades to
a neutral note instead of failing.
Privacy boundaries
Static JSON inspection; never starts, connects to or executes anything.
Bounded, symlink-refusing enumeration. No telemetry, no uploads. Secrets
redacted on every export. Offline mode (--offline / ECZ_ID_OFFLINE=1)
skips all network.
Explicit non-claims
Not a safety / certification / compliance / insurance / premium decision. Not a security, capability or behavioural proof. Does not start, connect to or execute any MCP server. Does not create another MCP identity or registry entry. Does not price or cart.
Python API
from ecz_id_mcp import inspect
result = inspect("./my-mcp-server")
print(result.configuration_evidence.posture.value) # PRESENT / PARTIAL / ABSENT / INVALID
CI / test example
$ ecz-id-mcp inspect . --json > ecz-id-mcp.json # exit 0 for any completed inspection
$ ecz-id-mcp doctor --json
Routes
- Resolver: https://resolver.ecocitizenz.org
- TrustOps: https://trustops.ecocitizenz.com/start
- Developer Gateway: https://developers.ecocitizenz.com
- Central Machine Interface: https://machine.ecocitizenz.org/.well-known/ecz-machine.json
Re-check
$ ecz-id-mcp recheck ./my-mcp-server --json
Machine-readable integration
Machine Interface · Manifest · Resolver · Operator setup · Developer guidance
Each installation includes structured machine-readable metadata for automation,
CI and supported integrations. Every JSON report embeds a compact
machine_interface object with the canonical roots and safe, read-only actions.
The package runs locally to inspect, explain and route. It does not issue an ECZ-ID, write canonical truth, create public proof, price a cart, or replace Resolver proof.
$ ecz-id-mcp manifest --json
$ ecz-id-mcp compare ./old ./new --json # neutral drift
$ ecz-id-mcp inspect . --sarif # SARIF for code scanning
$ uvx ecz-id-mcp inspect . # or: pipx run ecz-id-mcp inspect .
- Central Machine Interface: https://machine.ecocitizenz.org/.well-known/ecz-machine.json
- Resolver (read-only public proof): https://resolver.ecocitizenz.org
- Operator setup (TrustOps): https://trustops.ecocitizenz.com/start
- Developer Gateway: https://developers.ecocitizenz.com
Continue with ECZ-ID
- Operator setup: https://trustops.ecocitizenz.com/start
- Developer guidance: https://developers.ecocitizenz.com
- Public Resolver proof: https://resolver.ecocitizenz.org
- Central Machine Interface: https://machine.ecocitizenz.org/.well-known/ecz-machine.json
- EcoCitizenz: https://www.ecocitizenz.com
- Specifications and governance: https://www.ecocitizenz.org
- ECZ-ID on Visual Studio Marketplace: https://marketplace.visualstudio.com/publishers/ecocitizenz
- ECZ-ID on Open VSX: https://open-vsx.org/namespace/ecocitizenz
- Explore the ECZ-ID Python tool family: https://pypi.org/search/?q=ecz-id
Licence and trademarks
Apache-2.0 (see LICENSE, NOTICE). The code licence grants no trademark
rights; “ECZ-ID” and “EcoCitizenz” are trademarks of their owner(s) — see
TRADEMARKS.md. Changelog: CHANGELOG.md. Security: SECURITY.md.
CLI: ecz-id-mcp | Import: ecz_id_mcp | Plugin group: ecz_id.plugins
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ecz_id_mcp-0.1.1.tar.gz.
File metadata
- Download URL: ecz_id_mcp-0.1.1.tar.gz
- Upload date:
- Size: 13.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1c3e84648c31774cfebf1a73712889ae1ae03a7743308b9ef2c5e6742e968794
|
|
| MD5 |
859b0fc1fc473986a120af8cd3e42d2c
|
|
| BLAKE2b-256 |
87a4d617274036843b9eb6ede88f3456fb2dcbfe6ff8f897ac2ec2d4d594682e
|
Provenance
The following attestation bundles were made for ecz_id_mcp-0.1.1.tar.gz:
Publisher:
publish-ecz-id-mcp.yml on Ecocitizenz/ecz-id-python
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ecz_id_mcp-0.1.1.tar.gz -
Subject digest:
1c3e84648c31774cfebf1a73712889ae1ae03a7743308b9ef2c5e6742e968794 - Sigstore transparency entry: 2085182036
- Sigstore integration time:
-
Permalink:
Ecocitizenz/ecz-id-python@6f3dee174371df77e454bc7321b263cc5c04c0a6 -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/Ecocitizenz
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-ecz-id-mcp.yml@6f3dee174371df77e454bc7321b263cc5c04c0a6 -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file ecz_id_mcp-0.1.1-py3-none-any.whl.
File metadata
- Download URL: ecz_id_mcp-0.1.1-py3-none-any.whl
- Upload date:
- Size: 14.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4034c8acc01b2d0d979fd9e107ea10aa32b93298fdb5b12b838b1f6e94ff5cf5
|
|
| MD5 |
b37869699b85a61423dc69fb168e3b6a
|
|
| BLAKE2b-256 |
9d14c27a46f257ea8f6395ac0a8b381709238f2120bd11aebc266cf4ec091a87
|
Provenance
The following attestation bundles were made for ecz_id_mcp-0.1.1-py3-none-any.whl:
Publisher:
publish-ecz-id-mcp.yml on Ecocitizenz/ecz-id-python
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ecz_id_mcp-0.1.1-py3-none-any.whl -
Subject digest:
4034c8acc01b2d0d979fd9e107ea10aa32b93298fdb5b12b838b1f6e94ff5cf5 - Sigstore transparency entry: 2085182137
- Sigstore integration time:
-
Permalink:
Ecocitizenz/ecz-id-python@6f3dee174371df77e454bc7321b263cc5c04c0a6 -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/Ecocitizenz
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-ecz-id-mcp.yml@6f3dee174371df77e454bc7321b263cc5c04c0a6 -
Trigger Event:
workflow_dispatch
-
Statement type: