Skip to content
EcoCitizenZ
HomeAgent TrustMCP Verifier
Published · npm + GitHub Action · local-first

MCP Verifier

ECZ-ID MCP Verifier performs local-first, privacy-first checks for MCP servers, agents, APIs, packages, repositories, container images and ECZ-IDs. It reports available public proof and routing guidance. It does not write authoritative truth or certify safety.

What it is

A local-first, privacy-first command-line verifier and bundled GitHub Action. It classifies a target, optionally reads the public Resolver projection, and reports a deterministic result with public-safe reason codes and routing guidance. It runs on your machine or runner; it does not write authoritative truth and does not certify safety.

Install (npm)

global install
npm install -g @ecocitizenz/ecz-id-mcp-verifier@0.7.0

Project-local install

project-local
npm install -D @ecocitizenz/ecz-id-mcp-verifier@0.7.0
npx ecz-mcp-verify --help

CLI examples

ecz-mcp-verify
# version and help
ecz-mcp-verify --version
ecz-mcp-verify --help

# parent and child ECZ-ID (offline classification, no network)
ecz-mcp-verify --target ECZ-GB-A93K7Q --offline
ecz-mcp-verify --target "ECZ-GB-A93K7Q::AGENT-4F9Q2A" --offline --json

# MCP server / repository / package targets
ecz-mcp-verify --target "https://api.example.com/.well-known/ecz-mcp.json" --policy PREFER
ecz-mcp-verify --target "github.com/org/repo"
ecz-mcp-verify --target "lodash"

# output shapes
ecz-mcp-verify --target ECZ-GB-A93K7Q --report     # human-readable
ecz-mcp-verify --target ECZ-GB-A93K7Q --json        # machine-readable (default)
ecz-mcp-verify --target ECZ-GB-A93K7Q --actions     # include local action envelope

# local policy modes
ecz-mcp-verify --target ECZ-GB-A93K7Q --policy OPEN
ecz-mcp-verify --target ECZ-GB-A93K7Q --policy PREFER
ecz-mcp-verify --target ECZ-GB-A93K7Q --policy REQUIRE

Local policy modes

  • OPEN — report and continue where the caller permits (exit 0).
  • PREFER — prefer suitable Resolver proof, but follow the caller’s local policy; warns (exit 0).
  • REQUIRE — fail closed when suitable proof is unavailable or invalid (exit 1; exit 5 on transport failure).
  • ECZ-ID does not impose a universal allow/block decision. Local policy decides.

When no public proof is found

No public resolver proof was found for this target yet. This does not mean the target is unsafe. It means the verifier could not locate suitable machine-readable public proof at the time of the check. Your local policy decides the response. Re-check before reliance.

Privacy

  • No source-code upload
  • No secret upload
  • No prompt or tool-payload upload
  • No hidden telemetry
  • Local execution; Resolver lookups only when network use is enabled

Limitations

  • Not certification, approval, or endorsement
  • Not a safety determination
  • Not confirmation of full compliance
  • Not every target has public Resolver proof
  • Re-check before reliance; Backend/Core remains the final authority

Distribution

  • npm: @ecocitizenz/ecz-id-mcp-verifier@0.7.0
  • GitHub Action (Marketplace): Ecocitizenz/ecz-id-mcp-verifier@v0.7.1
  • No hidden telemetry. No Resolver/proof clone. No truth writing.
ECZ-ID separates setup, verification state, and public proof. Developer Gateway documents setup paths and verifier guidance. TrustOps handles setup. Resolver remains the public proof surface. Re-check before reliance. Local policy decides.