feat: Add support for MCP Bundles (MCPB) in registry

- Add MCPB as a new registry_name option
- Add file_hashes field to Package model for integrity verification
- Implement URL validation restricting MCPB packages to GitHub/GitLab hosts
- Require SHA-256 hash for all MCPB packages
- Add example MCPB package in documentation
- Update schemas and OpenAPI specification

Implements Option 1 from issue #260 - MCPB as an additional package type
pointing to hosted .mcpb files with cryptographic verification.

Author: joan-anthropic

docs/server-json/examples.md

@@ -389,6 +389,38 @@ The `dnx` tool ships with the .NET 10 SDK, starting with Preview 6.
 }
 ```
 
+## MCP Bundle (MCPB) Package Example
+
+```json
+{
+  "name": "io.modelcontextprotocol/text-editor",
+  "description": "MCP Bundle server for advanced text editing capabilities",
+  "repository": {
+    "url": "https://github.com/modelcontextprotocol/text-editor-mcpb",
+    "source": "github",
+    "id": "mcpb-123ab-cdef4-56789-012ghi-jklmnopqrstu"
+  },
+  "version_detail": {
+    "version": "1.0.2"
+  },
+  "packages": [
+    {
+      "registry_name": "mcpb",
+      "name": "https://github.com/modelcontextprotocol/text-editor-mcpb/releases/download/v1.0.2/text-editor.mcpb",
+      "version": "1.0.2",
+      "file_hashes": {
+        "sha-256": "fe333e598595000ae021bd27117db32ec69af6987f507ba7a63c90638ff633ce"
+      }
+    }
+  ]
+}
+```
+
+This example shows an MCPB (MCP Bundle) package that:
+- Is hosted on GitHub Releases (an allowlisted provider)
+- Includes a SHA-256 hash for integrity verification
+- Can be downloaded and executed directly by MCP clients that support MCPB
+
 ## Deprecated Server Example
 
 ```json

docs/server-json/registry-schema.json

@@ -22,7 +22,8 @@
               "npm",
               "pypi",
               "docker",
-              "nuget"
+              "nuget",
+              "mcpb"
             ]
           },
           "runtime_hint": {

docs/server-json/schema.json

@@ -97,6 +97,16 @@
           "description": "Package version",
           "example": "1.0.2"
         },
+        "file_hashes": {
+          "type": "object",
+          "description": "Cryptographic hashes of the package file for integrity verification. Keys are hash algorithm names (e.g., 'sha-256'), values are the hash strings.",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "example": {
+            "sha-256": "fe333e598595000ae021bd27117db32ec69af6987f507ba7a63c90638ff633ce"
+          }
+        },
         "runtime_hint": {
           "type": "string",
           "description": "A hint to help clients determine the appropriate runtime for the package. This field should be provided when `runtime_arguments` are present.",

docs/server-registry-api/openapi.yaml

@@ -185,6 +185,13 @@ components:
           type: string
           description: Package version
           example: "1.0.2"
+        file_hashes:
+          type: object
+          description: Cryptographic hashes of the package file for integrity verification. Keys are hash algorithm names (e.g., 'sha-256'), values are the hash strings.
+          additionalProperties:
+            type: string
+          example:
+            sha-256: "fe333e598595000ae021bd27117db32ec69af6987f507ba7a63c90638ff633ce"
         runtime_hint:
           type: string
           description: A hint to help clients determine the appropriate runtime for the package. This field should be provided when `runtime_arguments` are present.

internal/model/model.go

@@ -87,13 +87,14 @@ type Argument struct {
 }
 
 type Package struct {
-	RegistryName         string          `json:"registry_name" bson:"registry_name"`
-	Name                 string          `json:"name" bson:"name"`
-	Version              string          `json:"version" bson:"version"`
-	RunTimeHint          string          `json:"runtime_hint,omitempty" bson:"runtime_hint,omitempty"`
-	RuntimeArguments     []Argument      `json:"runtime_arguments,omitempty" bson:"runtime_arguments,omitempty"`
-	PackageArguments     []Argument      `json:"package_arguments,omitempty" bson:"package_arguments,omitempty"`
-	EnvironmentVariables []KeyValueInput `json:"environment_variables,omitempty" bson:"environment_variables,omitempty"`
+	RegistryName         string            `json:"registry_name" bson:"registry_name"`
+	Name                 string            `json:"name" bson:"name"`
+	Version              string            `json:"version" bson:"version"`
+	FileHashes           map[string]string `json:"file_hashes,omitempty" bson:"file_hashes,omitempty"`
+	RunTimeHint          string            `json:"runtime_hint,omitempty" bson:"runtime_hint,omitempty"`
+	RuntimeArguments     []Argument        `json:"runtime_arguments,omitempty" bson:"runtime_arguments,omitempty"`
+	PackageArguments     []Argument        `json:"package_arguments,omitempty" bson:"package_arguments,omitempty"`
+	EnvironmentVariables []KeyValueInput   `json:"environment_variables,omitempty" bson:"environment_variables,omitempty"`
 }
 
 // Remote represents a remote connection endpoint

internal/service/registry_service.go

@@ -2,6 +2,9 @@ package service
 
 import (
 	"context"
+	"fmt"
+	"net/url"
+	"strings"
 	"time"
 
 	"github.com/modelcontextprotocol/registry/internal/database"
@@ -84,6 +87,51 @@ func (s *registryServiceImpl) GetByID(id string) (*model.ServerDetail, error) {
 	return serverDetail, nil
 }
 
+// validateMCPBPackage validates MCPB packages to ensure they meet requirements
+func validateMCPBPackage(pkg *model.Package) error {
+	// Validate that the URL is from an allowlisted host
+	parsedURL, err := url.Parse(pkg.Name)
+	if err != nil {
+		return fmt.Errorf("invalid MCPB package URL: %w", err)
+	}
+
+	// Allowlist of trusted hosts for MCPB packages
+	allowedHosts := []string{
+		"github.com",
+		"www.github.com",
+		"raw.githubusercontent.com",
+		"gitlab.com",
+		"www.gitlab.com",
+	}
+
+	host := strings.ToLower(parsedURL.Host)
+	isAllowed := false
+	for _, allowed := range allowedHosts {
+		if host == allowed {
+			isAllowed = true
+			break
+		}
+	}
+
+	if !isAllowed {
+		return fmt.Errorf("MCPB packages must be hosted on allowlisted providers (GitHub or GitLab). Host '%s' is not allowed", host)
+	}
+
+	// Validate that file_hashes is provided for MCPB packages
+	if len(pkg.FileHashes) == 0 {
+		return fmt.Errorf("MCPB packages must include file_hashes for integrity verification")
+	}
+
+	// Validate that at least SHA-256 is provided
+	if _, hasSHA256 := pkg.FileHashes["sha-256"]; !hasSHA256 {
+		if _, hasSHA256Alt := pkg.FileHashes["sha256"]; !hasSHA256Alt {
+			return fmt.Errorf("MCPB packages must include a SHA-256 hash")
+		}
+	}
+
+	return nil
+}
+
 // Publish adds a new server detail to the registry
 func (s *registryServiceImpl) Publish(serverDetail *model.ServerDetail) error {
 	// Create a timeout context for the database operation
@@ -94,6 +142,15 @@ func (s *registryServiceImpl) Publish(serverDetail *model.ServerDetail) error {
 		return database.ErrInvalidInput
 	}
 
+	// Validate MCPB packages
+	for _, pkg := range serverDetail.Packages {
+		if strings.ToLower(pkg.RegistryName) == "mcpb" {
+			if err := validateMCPBPackage(&pkg); err != nil {
+				return fmt.Errorf("validation failed: %w", err)
+			}
+		}
+	}
+
 	err := s.db.Publish(ctx, serverDetail)
 	if err != nil {
 		return err

tools/validate-examples/main.go

@@ -22,7 +22,7 @@ const (
 	// IMPORTANT: Only change this count if you have intentionally added or removed examples
 	// from the examples.md file. This check prevents accidental formatting changes from
 	// causing examples to be skipped during validation.
-	expectedExampleCount = 9
+	expectedExampleCount = 10
 )
 
 func main() {