opena2a mcp
MCP server identity management. Audit, sign, and verify MCP server configurations.
Usage
```
opena2a mcp [subcommand] [server] [options]
```
Subcommands
| Subcommand | Description |
|---|---|
| `audit` | Discover and list MCP server configurations across all tools. This is the default when no subcommand is given. |
| `sign <server>` | Create an Ed25519 identity for a named MCP server. Generates a keypair and stores it in .opena2a/mcp-identities/. |
| `verify <server>` | Verify an MCP server identity signature and display trust score. |
Options
| Flag | Description |
|---|---|
| `--dir <path>` | Target directory. Default: current working directory. |
| `--format <text\|json>` | Output format. |
| `--ci` | CI mode. Non-interactive output. |
| `--verbose` | Show identity file paths and full commands when truncated. |
Config File Locations
The audit subcommand scans these locations for MCP server configurations:
| Tool | Config Path |
|---|---|
| Claude Code | ~/.claude/mcp_servers.json |
| Cursor | ~/.cursor/mcp.json |
| Windsurf | ~/.config/windsurf/mcp.json |
| VSCode extensions | ~/.vscode/extensions/*/mcp.json |
| Project-local | ./mcp.json, ./.mcp.json |
Identity Signing
When you sign an MCP server, the CLI generates an Ed25519 keypair and stores it in .opena2a/mcp-identities/<server>.json. The identity file contains:
- Server name and creation timestamp
- Ed25519 public key (hex-encoded)
- Signature over the server configuration
- Algorithm identifier
Examples
```
opena2a mcp
opena2a mcp sign filesystem
opena2a mcp verify filesystem
opena2a mcp audit --verbose
opena2a mcp audit --ci --format json
```
Example Workflow
```
# 1. Discover what MCP servers are configured
opena2a mcp

# 2. Sign servers you want to track
opena2a mcp sign filesystem
opena2a mcp sign playwright

# 3. Verify signatures later
opena2a mcp verify filesystem

# 4. Run detect to see full picture (signed servers show as verified)
opena2a detect
```
Trust Scores
When verifying a signed MCP server, the command calculates a trust score based on several factors:
- Signature validity -- Whether the Ed25519 signature matches the current configuration
- Configuration drift -- Whether the server config has changed since signing
- Registry lookup -- Whether the server is known in the OpenA2A Trust Registry
- Identity age -- Older, stable identities receive a slight trust bonus
Use the --registry flag to point to a custom Trust Registry instance for private or enterprise environments.
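The sign-then-verify cycle described under Identity Signing and Trust Scores, shown as an added Go example that is not opena2a's own code. The JSON field names, the command/args shape of a server entry, and the use of sorted-key JSON as the signed byte string are assumptions; the private key is discarded after signing here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Identity holds the fields the page lists; the JSON key names are assumed.
type Identity struct {
	Server    string `json:"server"`
	CreatedAt string `json:"createdAt"`
	PublicKey string `json:"publicKey"` // hex-encoded
	Signature string `json:"signature"` // hex-encoded, over the config bytes
	Algorithm string `json:"algorithm"`
}

// Sign signs the server entry with a freshly generated Ed25519 key.
func Sign(server string, cfg map[string]any) (Identity, error) {
	msg, err := json.Marshal(cfg) // map keys are written sorted: assumed canonical form
	pub, priv, kerr := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil || kerr != nil {
		return Identity{}, fmt.Errorf("sign %s: %v %v", server, err, kerr)
	}
	return Identity{Server: server, CreatedAt: time.Now().UTC().Format(time.RFC3339),
		PublicKey: hex.EncodeToString(pub), Algorithm: "ed25519",
		Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// Verify reports whether the stored signature matches the current config.
func Verify(id Identity, cfg map[string]any) bool {
	pub, e1 := hex.DecodeString(id.PublicKey)
	sig, e2 := hex.DecodeString(id.Signature)
	msg, e3 := json.Marshal(cfg)
	if id.Algorithm != "ed25519" || e1 != nil || e2 != nil || e3 != nil || len(pub) != ed25519.PublicKeySize {
		return false // malformed identity file: fail closed
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() { // constructed entry, modelled on the page's audit output
	cfg := map[string]any{"command": "npx", "args": []any{"@anthropic/mcp-filesystem", "/home/user"}}
	id, err := Sign("filesystem", cfg)
	fmt.Println("unchanged:", Verify(id, cfg), "sign error:", err)
	cfg["args"] = []any{"@anthropic/mcp-filesystem", "/"} // config drift after signing
	fmt.Println("drifted:", Verify(id, cfg))
}
```

Any change to the command or its arguments after signing invalidates the signature, which is what the signature-validity and configuration-drift factors rely on.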
Expected Audit Output
```
$ opena2a mcp audit --verbose

MCP Server Audit
=================

Claude Code (~/.claude/mcp_servers.json):
  filesystem    npx @anthropic/mcp-filesystem /home/user
  playwright    npx @anthropic/mcp-playwright

Cursor (~/.cursor/mcp.json):
  github        npx @modelcontextprotocol/server-github

Project-local (./mcp.json):
  custom-api    node ./servers/api-server.js

Summary: 4 servers across 3 config files
  Signed: 1 (filesystem)
  Unsigned: 3
```
Error Handling
If no MCP configuration files are found, the audit subcommand reports "No MCP servers configured" and exits with code 0. When signing a server that does not exist in any configuration, the command lists discovered servers and exits with code 1. If the identity directory (.opena2a/mcp-identities/) is not writable, the sign subcommand reports a permission error. Verification of a server that has never been signed reports "No identity found" with instructions to sign it first.