Skip to main content

Inspects MCP server manifests for ECZ-ID configuration and public evidence posture.

Project description

ECZ-ID MCP Server Inspection

ecz-id-mcp statically inspects MCP server manifests for ECZ-ID configuration posture, transport posture and identity. Part of the ECZ-ID PyPI family. It inspects, explains and routes only.

It never starts an MCP server, never executes a configured command, never connects to a transport, and never creates another MCP identity or Official MCP Registry entry. It never issues or activates an ECZ-ID, never prices or carts, and never certifies. It is not a safety/compliance/insurance/premium decision and not a security, capability or behavioural proof. Missing public proof is neutral. Local policy decides. Re-check before reliance.

One-command first run

$ ecz-id-mcp inspect ./my-mcp-server
ECZ-ID inspection: ./my-mcp-server [ecz-id-mcp]
A. configuration posture : PRESENT
B. public proof posture  : NOT_CHECKED  (neutral)
...
local policy decides; re-check before reliance

Supported inputs

  • A directory or manifest file. Recognised names: server.json, mcp_server_manifest.json, mcp.json, .mcp.json (static JSON only).
  • Observes server name, declared tools (and read-only markers), declared stdio / remote transport posture, invocation command and args (never executed), remote endpoints (never connected), and registry / package / repository identity.
  • Observes pinned-vs-floating invocation (version pin present or not) and compares declared package identity with a co-located pyproject.toml.

On Python < 3.11, the pyproject.toml comparison needs a TOML backport: pip install ecz-id-mcp[toml]. Without it, that one observation degrades to a neutral note instead of failing.

Privacy boundaries

Static JSON inspection; never starts, connects to or executes anything. Bounded, symlink-refusing enumeration. No telemetry, no uploads. Secrets redacted on every export. Offline mode (--offline / ECZ_ID_OFFLINE=1) skips all network.

Explicit non-claims

Not a safety / certification / compliance / insurance / premium decision. Not a security, capability or behavioural proof. Does not start, connect to or execute any MCP server. Does not create another MCP identity or registry entry. Does not price or cart.

Python API

from ecz_id_mcp import inspect

result = inspect("./my-mcp-server")
print(result.configuration_evidence.posture.value)   # PRESENT / PARTIAL / ABSENT / INVALID

CI / test example

$ ecz-id-mcp inspect . --json > ecz-id-mcp.json   # exit 0 for any completed inspection
$ ecz-id-mcp doctor --json

Routes

Re-check

$ ecz-id-mcp recheck ./my-mcp-server --json

Machine Interface & Quiet manifest

Machine Interface · Manifest · Resolve · Operator Setup · Developer Guidance

Every install ships a public-safe ecz_quiet_machine_interface.json, and every JSON report embeds a compact machine_interface object with the canonical roots and safe actions (it exposes the interface and protects the playbook).

$ ecz-id-mcp manifest --json
$ ecz-id-mcp compare ./old ./new --json    # neutral drift
$ ecz-id-mcp inspect . --sarif             # SARIF for code scanning
$ uvx ecz-id-mcp inspect .                 # or: pipx run ecz-id-mcp inspect .

Licence and trademarks

Apache-2.0 (see LICENSE, NOTICE). The code licence grants no trademark rights; “ECZ-ID” and “EcoCitizenz” are trademarks of their owner(s) — see TRADEMARKS.md. Changelog: CHANGELOG.md. Security: SECURITY.md.

CLI: ecz-id-mcp  |  Import: ecz_id_mcp  |  Plugin group: ecz_id.plugins

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ecz_id_mcp-0.1.0.tar.gz (12.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ecz_id_mcp-0.1.0-py3-none-any.whl (13.9 kB view details)

Uploaded Python 3

File details

Details for the file ecz_id_mcp-0.1.0.tar.gz.

File metadata

  • Download URL: ecz_id_mcp-0.1.0.tar.gz
  • Upload date:
  • Size: 12.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ecz_id_mcp-0.1.0.tar.gz
Algorithm Hash digest
SHA256 81924e551f13d0a87bdae6bf3cd5482f58a531d5d1fafd5c1e339da2f02c9dac
MD5 d5f496c1e057956ba308431adebe2572
BLAKE2b-256 0dce333aff3ab6c22d9d19f8c12b812f810f0bfb3dca0c719fbde15f9fa50b5e

See more details on using hashes here.

Provenance

The following attestation bundles were made for ecz_id_mcp-0.1.0.tar.gz:

Publisher: publish-ecz-id-mcp.yml on Ecocitizenz/ecz-id-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ecz_id_mcp-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: ecz_id_mcp-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 13.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ecz_id_mcp-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 88fd36611c97326848f2930d08dddd85f2c468d12cfa9c96b852b7f36f0d8937
MD5 7619a81ccc5856fa4f2cd19fb25da02d
BLAKE2b-256 df81e9ae628c0e0545e625c908dae92800646baf20714297c58001e0b15286ae

See more details on using hashes here.

Provenance

The following attestation bundles were made for ecz_id_mcp-0.1.0-py3-none-any.whl:

Publisher: publish-ecz-id-mcp.yml on Ecocitizenz/ecz-id-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page