About
The MCP Provenance Monitor is a web dashboard for monitoring the software supply chain provenance of local MCP (Model Context Protocol) server packages.
FAQ
Why is MCP server xyz missing?
- Currently, only servers published on npm or PyPI are supported.
- Server data is sourced from the MCP registry at https://github.com/modelcontextprotocol/registry, which is still under development and not updated regularly. Manual additions are not supported yet.
How can I add provenance to my MCP server?
- For npm packages, see Generating provenance statements.
- For PyPI packages, see Producing attestations.
How can I add provenance to dependencies?
Help improve the ecosystem by contributing to dependency packages: ensure they are built in CI and publish provenance. You can also consider submitting a pull request to those projects.
I just released a new version with provenance, but it still says provenance is missing. Why?
Data is refreshed daily. If you just published a new version, please allow up to one day for the update to appear.
Do MCP clients check provenance?
Not yet. For updates, see this issue.