JSON Schemas
Version 0.1
Machine-readable schemas for validating MTF-compliant manifests, verification reports, and VEX statements.
manifest.json
https://mpaktrust.org/schemas/v0.1/manifest.json
MCPB bundle manifest with MTF security extensions. Defines tool declarations, permission scopes, credential requirements, provenance, and signatures.
Schema Preview
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://mpaktrust.org/schemas/v0.1/manifest.json",
"properties": {
"schemaVersion": { "const": "0.1.0" },
"name": { "type": "string" },
"version": { "type": "string" },
"mcp_config": { ... },
"tools": [ ... ],
"permissions": { ... },
"credentials": { ... },
"signature": { ... }
}
}
report.json
https://mpaktrust.org/schemas/v0.1/report.json
Verification report format from MTF scanners. Includes compliance level, risk score, per-control results, and detailed findings with remediation.
Schema Preview
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://mpaktrust.org/schemas/v0.1/report.json",
"properties": {
"schemaVersion": { "const": "0.1.0" },
"bundle": { ... },
"compliance": {
"level": 1-4,
"level_name": "Basic|Standard|Verified|Attested"
},
"risk_score": "NONE|LOW|MEDIUM|HIGH|CRITICAL",
"domains": { ... },
"findings": [ ... ]
}
}
vex.json
https://mpaktrust.org/schemas/v0.1/vex.json
Vulnerability Exploitability eXchange (VEX) statements for documenting why CVEs are not exploitable in a specific bundle context.
Schema Preview
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://mpaktrust.org/schemas/v0.1/vex.json",
"properties": {
"schemaVersion": { "const": "0.1.0" },
"bundle": { "name", "version" },
"vulnerabilities": [{
"cve": "CVE-2024-...",
"status": "not_affected|affected|fixed",
"justification": "...",
"detail": "..."
}]
}
}
Usage
Reference schemas in your documents:
{
"$schema": "https://mpaktrust.org/schemas/v0.1/manifest.json",
"schemaVersion": "0.1.0",
"name": "@myorg/my-mcp-server",
"version": "1.0.0",
...
}
Validate with any JSON Schema validator:
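# Both CLIs read the schema from a local file, so fetch it once first
curl -fsSL -o manifest.schema.json https://mpaktrust.org/schemas/v0.1/manifest.json
# Using ajv-cli (the schemas declare draft 2020-12, which needs --spec=draft2020)
npx ajv-cli validate --spec=draft2020 -s manifest.schema.json -d manifest.json
# Using Python jsonschema
python -m jsonschema -i manifest.json manifest.schema.json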
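Schema validation only proves a document is well formed; a consumer still has to decide whether to accept the bundle. The following is an added example, not MTF project code: a policy gate over the report.json and vex.json fields previewed above, meant to run after schema validation. The function names, the thresholds, the level-to-name ordering and the rule that a not_affected entry needs a justification are assumptions made for illustration.

```python
# Enumerations copied from the report.json and vex.json previews on this page.
LEVEL_NAMES = ["Basic", "Standard", "Verified", "Attested"]  # assumed: levels 1..4 in this order
RISK_ORDER = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]   # assumed: ascending severity
VEX_STATUS = ("not_affected", "affected", "fixed")


def gate_report(report, min_level=2, max_risk="LOW"):
    """Return reasons to reject a verification report; an empty list means pass."""
    reasons = []
    if report.get("schemaVersion") != "0.1.0":
        reasons.append("unexpected schemaVersion")
    comp = report.get("compliance") or {}
    level, name = comp.get("level"), comp.get("level_name")
    if type(level) is not int or not 1 <= level <= 4:  # type() check also rejects bool
        reasons.append("compliance.level must be an integer 1-4")
    else:
        if LEVEL_NAMES[level - 1] != name:
            reasons.append("level_name does not match level")
        if level < min_level:
            reasons.append(f"compliance level {level} is below required {min_level}")
    risk = report.get("risk_score")
    if risk not in RISK_ORDER:
        reasons.append("unknown risk_score")  # fail closed on values outside the enum
    elif RISK_ORDER.index(risk) > RISK_ORDER.index(max_risk):
        reasons.append(f"risk_score {risk} exceeds {max_risk}")
    return reasons


def gate_vex(vex):
    """Return reasons to reject a VEX document under the assumed policy."""
    reasons = []
    for i, v in enumerate(vex.get("vulnerabilities", [])):
        status = v.get("status")
        if status not in VEX_STATUS:
            reasons.append(f"vulnerabilities[{i}]: unknown status")
        elif status == "affected":
            reasons.append(f"vulnerabilities[{i}]: bundle is affected")
        elif status == "not_affected" and not str(v.get("justification") or "").strip():
            reasons.append(f"vulnerabilities[{i}]: not_affected without justification")
    return reasons


# Constructed sample documents (not real scanner output; the CVE id is a placeholder).
SAMPLE_REPORT = {"schemaVersion": "0.1.0", "risk_score": "MEDIUM",
                 "compliance": {"level": 3, "level_name": "Verified"}}
SAMPLE_VEX = {"schemaVersion": "0.1.0", "vulnerabilities": [
    {"cve": "CVE-0000-00000", "status": "not_affected", "justification": ""}]}

if __name__ == "__main__":
    print(gate_report(SAMPLE_REPORT), gate_vex(SAMPLE_VEX))
```

Cross-checking level against level_name catches a report whose two compliance fields disagree, which a per-field schema check cannot see.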