docs: add MCPTrust to community projects#861
dtang19 wants to merge 1 commit into modelcontextprotocol:main from
Adds MCPTrust as a community project for securing MCP servers in CI and at runtime (lockfiles, drift detection, artifact integrity/provenance verification, deny-by-default proxy).
jonathanhefner
left a comment
Hi, @dtang19! 👋 Can you clarify how this is related to the MCP Registry?
Hi @jonathanhefner 👋 Good question! MCPTrust isn’t part of the registry itself, it complements it. The MCP Registry helps people discover/install MCP servers; MCPTrust helps teams safely consume those servers by pinning artifacts (lockfiles + hashes), verifying integrity/provenance, detecting tool/schema drift, and enforcing the reviewed surface at runtime via a deny-by-default proxy. In practice: you pick a server you found in the registry, MCPTrust locks and verifies what you’re about to run, and blocks anything that changes or wasn’t approved. That’s why it fits under Community Projects: it’s ecosystem tooling for registry users/operators, not a registry feature. Happy to clarify anything else.
Does MCPTrust directly integrate with the MCP Registry (e.g., consume the Registry API)?
Not at the moment, MCPTrust is registry-agnostic and doesn’t require consuming the Registry API. It works with any MCP server once you have its install/run details (which a user might discover via the Registry). MCPTrust then pins artifacts (lockfile + digests), verifies integrity/provenance, detects tool/schema drift, and enforces the reviewed surface at runtime.
Given that MCPTrust is not directly related to the MCP Registry, I think putting it in
Hey, @dtang19, thanks for reaching out! 👋 I agree with @jonathanhefner on this one 👍 We aim to keep the community project list scoped to projects related to the official MCP registry. That said, feel free to open another one if the situation changes 🙏 Thanks again! 🍻
Motivation and Context
MCPTrust is a deny-by-default security layer for MCP servers. It provides lockfiles, drift detection, artifact integrity/provenance verification, and a runtime enforcement proxy.
How Has This Been Tested?
go test ./...)
Breaking Changes
N/A — new community project addition.
Types of changes
Checklist
Additional context