Dvar can inspect and enforce Model Context Protocol tool boundaries without trusting server descriptions blindly. The review workflow is based on inventories, semantic diffs, and explicit lockfiles.
Scan an MCP server
npx dvar scan https://mcp.example.com/mcp \
--server-id production-crm \
--out dvar.inventory.jsonThe inventory records observed server metadata, tool names, descriptions, schemas, annotations, inferred capabilities, destinations, risk, and canonical hashes.
Review and lock
npx dvar diff dvar.inventory.json --lockfile dvar.lock.json
npx dvar lock dvar.inventory.json --out dvar.lock.jsonScanning does not mutate dvar.lock.json. A lockfile is an approval record. Treat changes to schemas, descriptions, annotations, destinations, or capabilities as review events.
Enforce MCP calls
npx dvar proxy \
--upstream https://mcp.example.com/mcp \
--server-id production-crm \
--policy dvar.yaml \
--lockfile dvar.lock.json \
--listen 127.0.0.1:4319Point the MCP client at the local proxy. Dvar evaluates tools/call before forwarding the request upstream.
Integrity policy
integrity:
requireLockfile: true
onUnknownServer: deny
onUnknownTool: require_approval
onDescriptionChange: require_approval
onSchemaChange: deny
onCapabilityExpansion: denyIn strict mode, undeclared integrity failures fail closed. In monitor mode, Dvar forwards the call but records would_deny or would_require_approval.
Security boundary
A lockfile proves reviewed inventory continuity. It does not prove that a remote server implementation is benign. Keep application authorization, tenant checks, OAuth scopes, network controls, and secrets management in place.