feat: Add support for MCP Bundles (MCPB) in registry (#295)

## Motivation and Context
- Add MCPB as a new registry_name option
- Add file_hashes field to package model for integrity verification
- Implement URL validation restricting MCPB packages to GitHub/GitLab
hosts
- Require SHA-256 hash for all MCPB packages
- Add example MCPB package in documentation
- Update schemas and OpenAPI specification

See issue #260

## How Has This Been Tested?
<!-- Have you tested this in a real application? Which scenarios were
tested? -->

## Breaking Changes
N/A, registry has not yet been launched

## Types of changes
<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] Documentation update

## Checklist
<!-- Go over all the following points, and put an `x` in all the boxes
that apply. -->
- [x] I have read the [MCP
Documentation](https://modelcontextprotocol.io)
- [ ] My code follows the repository's style guidelines
- [ ] New and existing tests pass locally
- [ ] I have added appropriate error handling
- [x] I have added or updated documentation as needed

---------

Co-authored-by: Adam Jones <[email protected]>

Author: joan-anthropic

data/seed.json

@@ -20,8 +20,9 @@ _These examples show the PublishRequest format used by the `/v0/publish` API end
     },
     "packages": [
       {
-        "registry_name": "npm",
-        "name": "@modelcontextprotocol/server-brave-search",
+        "registry_type": "npm",
+        "registry_base_url": "https://registry.npmjs.org",
+        "identifier": "@modelcontextprotocol/server-brave-search",
         "version": "1.0.2",
         "environment_variables": [
           {
@@ -58,8 +59,9 @@ Suppose your MCP server application requires a `mcp start` CLI arguments to star
     },
     "packages": [
       {
-        "registry_name": "nuget",
-        "name": "Knapcode.SampleMcpServer",
+        "registry_type": "nuget",
+        "registry_base_url": "https://api.nuget.org",
+        "identifier": "Knapcode.SampleMcpServer",
         "version": "0.4.0-beta",
         "package_arguments": [
           {
@@ -106,8 +108,9 @@ This will essentially instruct the MCP client to execute `dnx Knapcode.SampleMcp
     },
     "packages": [
       {
-        "registry_name": "npm",
-        "name": "@modelcontextprotocol/server-filesystem",
+        "registry_type": "npm",
+        "registry_base_url": "https://registry.npmjs.org",
+        "identifier": "@modelcontextprotocol/server-filesystem",
         "version": "1.0.2",
         "package_arguments": [
           {
@@ -128,8 +131,9 @@ This will essentially instruct the MCP client to execute `dnx Knapcode.SampleMcp
         ]
       },
       {
-        "registry_name": "docker",
-        "name": "mcp/filesystem",
+        "registry_type": "docker-hub",
+        "registry_base_url": "https://docker.io",
+        "identifier": "mcp/filesystem:1.0.2",
         "version": "1.0.2",
         "runtime_arguments": [
           {
@@ -168,7 +172,7 @@ This will essentially instruct the MCP client to execute `dnx Knapcode.SampleMcp
           }
         ]
       }
-    ]
+  ]
   },
   "x-publisher": {
     "tool": "ci-publisher",
@@ -235,8 +239,9 @@ This will essentially instruct the MCP client to execute `dnx Knapcode.SampleMcp
     },
     "packages": [
       {
-        "registry_name": "pypi",
-        "name": "weather-mcp-server",
+        "registry_type": "pypi",
+        "registry_base_url": "https://pypi.org",
+        "identifier": "weather-mcp-server",
         "version": "0.5.0",
         "runtime_hint": "uvx",
         "environment_variables": [
@@ -252,7 +257,7 @@ This will essentially instruct the MCP client to execute `dnx Knapcode.SampleMcp
             "default": "celsius"
           }
         ]
-      }
+    }
     ]
   },
   "x-publisher": {
@@ -287,8 +292,9 @@ The `dnx` tool ships with the .NET 10 SDK, starting with Preview 6.
     },
     "packages": [
       {
-        "registry_name": "nuget",
-        "name": "Knapcode.SampleMcpServer",
+        "registry_type": "nuget",
+        "registry_base_url": "https://api.nuget.org",
+        "identifier": "Knapcode.SampleMcpServer",
         "version": "0.5.0",
         "runtime_hint": "dnx",
         "environment_variables": [
@@ -299,7 +305,7 @@ The `dnx` tool ships with the .NET 10 SDK, starting with Preview 6.
             "is_secret": false
           }
         ]
-      }
+    }
     ]
   },
   "x-publisher": {
@@ -333,8 +339,9 @@ The `dnx` tool ships with the .NET 10 SDK, starting with Preview 6.
     },
     "packages": [
       {
-        "registry_name": "docker",
-        "name": "example/database-manager-mcp",
+        "registry_type": "docker-hub",
+        "registry_base_url": "https://docker.io",
+        "identifier": "example/database-manager-mcp",
         "version": "3.1.0",
         "runtime_arguments": [
           {
@@ -433,20 +440,21 @@ The `dnx` tool ships with the .NET 10 SDK, starting with Preview 6.
     },
     "packages": [
       {
-        "registry_name": "npm",
-        "name": "@example/hybrid-mcp-server",
+        "registry_type": "npm",
+        "registry_base_url": "https://registry.npmjs.org",
+        "identifier": "@example/hybrid-mcp-server",
         "version": "1.5.0",
         "runtime_hint": "npx",
-        "package_arguments": [
-          {
-            "type": "named",
-            "name": "--mode",
-            "description": "Operation mode",
-            "default": "local",
-            "choices": ["local", "cached", "proxy"]
-          }
-        ]
-      }
+      "package_arguments": [
+        {
+          "type": "named",
+          "name": "--mode",
+          "description": "Operation mode",
+          "default": "local",
+          "choices": ["local", "cached", "proxy"]
+        }
+      ]
+    }
     ],
     "remotes": [
       {
@@ -490,6 +498,46 @@ The `dnx` tool ships with the .NET 10 SDK, starting with Preview 6.
 }
 ```
 
+## MCP Bundle (MCPB) Package Example
+
+```json
+{
+  "server": {
+    "name": "io.modelcontextprotocol/text-editor",
+    "description": "MCP Bundle server for advanced text editing capabilities",
+    "repository": {
+      "url": "https://github.com/modelcontextprotocol/text-editor-mcpb",
+      "source": "github"
+    },
+    "version_detail": {
+      "version": "1.0.2"
+    },
+    "packages": [
+      {
+        "registry_type": "mcpb",
+        "registry_base_url": "https://github.com",
+        "identifier": "https://github.com/modelcontextprotocol/text-editor-mcpb/releases/download/v1.0.2/text-editor.mcpb",
+        "version": "1.0.2",
+        "file_sha256": "fe333e598595000ae021bd27117db32ec69af6987f507ba7a63c90638ff633ce"
+    }
+  ]
+  },
+  "x-publisher": {
+    "tool": "mcpb-publisher",
+    "version": "1.0.0",
+    "build_info": {
+      "timestamp": "2023-12-02T09:15:00Z",
+      "bundle_format": "mcpb-v1"
+    }
+  }
+}
+```
+
+This example shows an MCPB (MCP Bundle) package that:
+- Is hosted on GitHub Releases (an allowlisted provider)
+- Includes a SHA-256 hash for integrity verification
+- Can be downloaded and executed directly by MCP clients that support MCPB
+
 ## Deprecated Server Example
 
 ```json
@@ -508,8 +556,9 @@ The `dnx` tool ships with the .NET 10 SDK, starting with Preview 6.
     },
     "packages": [
       {
-        "registry_name": "npm",
-        "name": "@legacy/old-weather-server",
+        "registry_type": "npm",
+        "registry_base_url": "https://registry.npmjs.org",
+        "identifier": "@legacy/old-weather-server",
         "version": "0.9.5",
         "environment_variables": [
           {

docs/server-json/examples.md

@@ -17,12 +17,23 @@
     "packages": {
       "items": {
         "properties": {
-          "registry_name": {
+          "registry_type": {
             "enum": [
               "npm",
-              "pypi",
-              "docker",
-              "nuget"
+              "pypi", 
+              "docker-hub",
+              "nuget",
+              "mcpb"
+            ]
+          },
+          "registry_base_url": {
+            "enum": [
+              "https://registry.npmjs.org",
+              "https://pypi.org",
+              "https://docker.io", 
+              "https://api.nuget.org",
+              "https://github.com",
+              "https://gitlab.com"
             ]
           },
           "runtime_hint": {

docs/server-json/registry-schema.json

@@ -80,28 +80,34 @@
     },
     "Package": {
       "type": "object",
-      "required": [
-        "registry_name",
-        "name",
-        "version"
-      ],
       "properties": {
-        "registry_name": {
+        "registry_type": {
           "type": "string",
-          "description": "Package registry type",
-          "example": "npm"
+          "description": "Registry type indicating how to download packages (e.g., 'npm', 'pypi', 'docker-hub', 'nuget', 'mcpb')",
+          "examples": ["npm", "pypi", "docker-hub", "nuget", "mcpb"]
         },
-        "name": {
+        "registry_base_url": {
           "type": "string",
-          "description": "Package name in the registry",
-          "example": "io.modelcontextprotocol/filesystem"
+          "format": "uri",
+          "description": "Base URL of the package registry",
+          "examples": ["https://registry.npmjs.org", "https://pypi.org", "https://docker.io", "https://api.nuget.org", "https://github.com", "https://gitlab.com"]
+        },
+        "identifier": {
+          "type": "string",
+          "description": "Package identifier - either a package name (for registries) or URL (for direct downloads)",
+          "examples": ["@modelcontextprotocol/server-brave-search", "https://github.com/example/releases/download/v1.0.0/package.mcpb"]
         },
         "version": {
           "type": "string",
           "description": "Package version",
           "example": "1.0.2",
           "minLength": 1
         },
+        "file_sha256": {
+          "type": "string",
+          "description": "SHA-256 hash of the package file for integrity verification.",
+          "example": "fe333e598595000ae021bd27117db32ec69af6987f507ba7a63c90638ff633ce"
+        },
         "runtime_hint": {
           "type": "string",
           "description": "A hint to help clients determine the appropriate runtime for the package. This field should be provided when `runtime_arguments` are present.",

docs/server-json/server.schema.json

@@ -95,8 +95,9 @@ paths:
                     version_detail:
                       version: "1.0.2"
                     packages:
-                      - registry_name: "npm"
-                        name: "@modelcontextprotocol/server-filesystem"
+                      - registry_type: "npm"
+                        registry_base_url: "https://registry.npmjs.org"
+                        identifier: "@modelcontextprotocol/server-filesystem"
                         version: "1.0.2"
                   x-publisher:
                     tool: "publisher-cli"
@@ -117,8 +118,9 @@ paths:
                     version_detail:
                       version: "1.0.0"
                     packages:
-                      - registry_name: "npm"
-                        name: "@example/mcp-demo-server"
+                      - registry_type: "npm"
+                        registry_base_url: "https://registry.npmjs.org"
+                        identifier: "@example/mcp-demo-server"
                         version: "1.0.0"
                   x-publisher:
                     contact_email: "[email protected]"
@@ -272,23 +274,41 @@ components:
 
     Package:
       type: object
-      required:
-        - registry_name
-        - name
-        - version
       properties:
-        registry_name:
+        registry_type:
           type: string
-          description: Package registry type
-          example: "npm"
-        name:
+          description: Registry type indicating how to download packages (e.g., 'npm', 'pypi', 'docker-hub', 'nuget', 'mcpb')
+          examples:
+            - "npm"
+            - "pypi"
+            - "docker-hub"
+            - "nuget"
+            - "mcpb"
+        registry_base_url:
           type: string
-          description: Package name in the registry
-          example: "io.modelcontextprotocol/filesystem"
+          format: uri
+          description: Base URL of the package registry
+          examples:
+            - "https://registry.npmjs.org"
+            - "https://pypi.org"
+            - "https://docker.io"
+            - "https://api.nuget.org"
+            - "https://github.com"
+            - "https://gitlab.com"
+        identifier:
+          type: string
+          description: Package identifier - either a package name (for registries) or URL (for direct downloads)
+          examples:
+            - "@modelcontextprotocol/server-brave-search"
+            - "https://github.com/example/releases/download/v1.0.0/package.mcpb"
         version:
           type: string
           description: Package version
           example: "1.0.2"
+        file_sha256:
+          type: string
+          description: SHA-256 hash of the package file for integrity verification.
+          example: "fe333e598595000ae021bd27117db32ec69af6987f507ba7a63c90638ff633ce"
         runtime_hint:
           type: string
           description: A hint to help clients determine the appropriate runtime for the package. This field should be provided when `runtime_arguments` are present.