Registry Overview
The Gig'MCP registry is a curated, signed catalog of community MCP servers. Each server is packaged as a digest-pinned OCI image with an author-declared entitlements manifest: its egress allowlist, credential schema, tool subset, and security tier. The gateway installs servers from the signed index.json release artifact — never from the repo directly.
The registry follows an aggregator policy: the repository holds manifests and build recipes only. Server source code always lives in the author's own repo; it is never committed to the registry.
:::note Current status
The registry tracks 221 manifests mirroring Composio's toolkit list. All entries are planned: the manifests are hand-curated and pass lint CI, but image digests are placeholders (sha256:0000…) and are not installable until CI builds the images and the real digests are pinned. See the server catalog.
:::
Trust chain
Every entry that reaches a gateway has passed through four gates:
- PR-gated manifests. Every manifest lands via pull request. Lint CI blocks invalid schemas, broad wildcards (`*.com`-style suffixes), and egress to denylisted exfiltration domains (`denylist/exfil-domains.txt`). The path `manifests/<name>/<version>.yaml` must match the manifest's declared name and version.
- Digest-pinned images built from tagged source. CI builds each image from the author's tagged source repo and the manifest pins the resulting linux/amd64 image-manifest digest. What was approved in review is exactly what runs.
- Signed index. On merge to main, CI compiles all manifests into `index.json`, signs it with ed25519, and publishes both `index.json` and `index.json.sig` as the rolling `latest` release.
- Gateway verification. The gateway verifies the ed25519 signature over the exact published bytes — before parsing any entry. The same Go schema module (`schema/`, Apache-2.0) runs byte-for-byte in registry CI and inside the gateway, so the validator can never drift between the two.
Sealed-tier servers only ever see a placeholder token inside the sandbox; the gateway's egress proxy injects the real credential, and only for the manifest's allowlisted hosts. See the security model for the full threat model.
Repository layout
| Path | Purpose |
|---|---|
| manifests/<name>/<version>.yaml | One entitlements manifest per server version — see the manifest reference |
| toolspecs/<name>/<version>.yaml | Declarative tool→HTTP mapping for the generic toolpack engine, paired 1:1 with a manifest version — see toolspecs |
| schema/ | Go module (Apache-2.0): the authoritative parser/validator used by CI and the gateway |
| denylist/exfil-domains.txt | Egress domains lint CI rejects (request-capture services, internal names) |
| images/<builder>/Dockerfile | Generic builder recipes — see builders |
| cmd/registryctl | CLI: lint, lint-toolspecs, build-index, sign, verify, keygen, build-args — see registryctl |
| CATALOG.md | The full table of all 221 entries |
Signing key bootstrap
The index signing key is generated once:
```
go run ./cmd/registryctl keygen
```
- The private key (64-byte ed25519, hex-encoded) goes into the repo secret `GIG_INDEX_SIGNING_KEY`. CI uses it to sign `index.json` on every push to main.
- The public key (32-byte, hex-encoded) is configured on the gateway as `GIG_REGISTRY_PUBKEY`. The gateway refuses to parse an index whose signature does not verify.
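The gateway verification gate from the trust chain, using the key formats above, as an added Go example (not the registry's or the gateway's own code): the signature is checked over the exact bytes of index.json, and JSON parsing happens only afterwards. The raw 64-byte encoding of index.json.sig, the entries/name/version/digest index shape, and the names LoadIndex and Entry are assumptions; the key pair and index are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is a hypothetical entry shape; the real index.json schema is not shown on this page.
type Entry struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Digest  string `json:"digest"`
}

// LoadIndex verifies sig over the exact bytes of raw and only then parses them.
// pubHex is the 32-byte hex public key (the GIG_REGISTRY_PUBKEY value).
// Assumption: sig is the raw 64-byte detached signature from index.json.sig.
func LoadIndex(raw, sig []byte, pubHex string) ([]Entry, error) {
	pub, err := hex.DecodeString(pubHex)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("public key must be 32 bytes, hex-encoded")
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(ed25519.PublicKey(pub), raw, sig) {
		return nil, errors.New("index signature does not verify; refusing to parse")
	}
	var idx struct {
		Entries []Entry `json:"entries"`
	}
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, fmt.Errorf("signed index is not valid JSON: %w", err)
	}
	return idx.Entries, nil
}

func main() {
	// Constructed sample: a throwaway key pair and a one-entry index.
	pub, priv, _ := ed25519.GenerateKey(nil)
	raw := []byte(`{"entries":[{"name":"linear","version":"0.1.0","digest":"sha256:<digest>"}]}`)
	sig := ed25519.Sign(priv, raw)
	entries, err := LoadIndex(raw, sig, hex.EncodeToString(pub))
	fmt.Println(entries, err)
	// Same JSON value, different bytes: one trailing newline invalidates the signature.
	_, err = LoadIndex(append(raw, '\n'), sig, hex.EncodeToString(pub))
	fmt.Println(err)
}
```

Because the signature covers bytes rather than a parsed value, any fetch path that re-encodes, pretty-prints, or normalizes line endings in index.json will fail verification.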
Pointing a gateway at the registry
```
GIG_REGISTRY_INDEX_URL=<release asset URL> # the signed index.json
GIG_REGISTRY_PUBKEY=<hex public key> # from keygen
GIG_INSTALL=<name> # e.g. "linear", "linear@0.1.0", or "sha256:<digest>"
```
The installer ref grammar resolves name (latest version), name@version, or sha256:<digest> (exact image-digest lookup). See configuration for the rest of the gateway environment.
Making a catalog entry installable
Placeholder digests are not installable. The bootstrap path for an entry is:
- Publish the server's source repo and tag it.
- Dispatch the `build-images` workflow with the server's name (version optional, defaults to latest). It builds, pushes the image, and prints the digest.
- Pin the printed digest in `manifests/<name>/<version>.yaml` and merge.
- The next `publish-index` run includes the entry in the signed index.
To contribute a new server end to end, see submitting a server.
Licensing
The registry's schema/ module is Apache-2.0 so the gateway (AGPL-3.0) and any third-party tooling can embed the exact same validator.