THRONE

Resources

Everything behind a Throne verdict.

How to run Throne, how a verdict is made, the security checks it applies, a real report, and why the tools your agents call need to be vetted. One place, in the order you would read it.

Quickstart

Run a public package, repo, or local config. The first run returns the client matrix, security findings, verdict, and a report link.

npx throne run @modelcontextprotocol/server-everything
npx throne run github.com/acme/files-mcp
npx throne run ./mcp.config.json

Accepted targets

Type     Example                  Best for
npm      @scope/server            published Node MCP servers
uvx      uvx mcp-server           Python packages
GitHub   github.com/acme/server   source scans before publish
config   ./mcp.config.json        custom launch commands

Minimal config

{
  "name": "files-mcp",
  "command": "node",
  "args": ["dist/server.js"],
  "cwd": ".",
  "security": {
    "root": "./fixtures/workspace",
    "failOn": ["high"]
  }
}

CI gate

Use the GitHub Action to block merges when the verdict regresses.

- uses: usethrone/throne-ci@v1
  with:
    target: ./mcp.config.json
    api-key: ${{ secrets.THRONE_API_KEY }}

Replay a failing cell

npx throne replay run_4821 \
  --client cursor \
  --step streaming \
  --trace traces/cursor-streaming-timeout.json

Exit codes

Code   Verdict   Meaning
0      pass      All requested release gates passed.
1      review    Warnings were found and strict mode is enabled.
2      fail      A client failure, blocked launch, or high security finding exists.

how it works

Every verdict comes from a run you can inspect.

Throne does not grade README claims. It starts the artifact, replays calibrated client behavior, records raw traces, scans risk, and seals the evidence. Vendor neutral: no hosting, no IDE, no framework lock-in.

01 Resolve target

GitHub repo, npm package, uvx command, or JSON config.

02 Boot microVM

Install and launch the server in a single-use sandbox.

03 Replay clients

Claude Code and Cursor run live today with recorded behavior profiles.

04 Run nine checks

Connect, discover, schema, tools, errors, streaming, resources, parallel, reconnect.

05 Scan security

Path, shell, prompt, secret, rate, dependency, and launch heuristics.

06 Seal evidence

Publish scan id, raw trace, timestamp, verdict, and evidence hash.

Client coverage

Throne only shows verdicts from emulators that exist. Planned clients are visible so you understand the roadmap, but they never produce a false pass or fail.

Claude Code (live)

nine compatibility checks

Cursor (live)

nine compatibility checks

ChatGPT Desktop (coming soon)

profile pending real-traffic capture

Codex CLI (planned)

emulation profile not yet calibrated

Zed (planned)

emulation profile not yet calibrated

Verdict model

Compatibility and security stay separate until the release call. They are never blended into one number.

FIT

Ship

Live client checks pass and no release-blocking security finding is present.

REVIEW

Fix or approve

The server runs, but needs credentials, launch arguments, or security review before trust.

BLOCK

Do not release

A real client fails, the server never launches, or a high severity finding is present.

security

The nine checks.

Each scan runs in a disposable Firecracker microVM created for your server and destroyed after the verdict. Heuristic rules are labeled as heuristics; high severity findings are treated as release-blocking until reviewed.

Path traversal (THR-PATH-01 / HIGH)

Tool inputs escape declared roots through traversal, symlink, or normalization gaps.

Shell boundary (THR-EXEC-04 / HIGH)

User input reaches spawned processes as shell strings instead of isolated arguments.

Prompt sink (THR-PROMPT-07 / MEDIUM)

Untrusted tool output enters model context without delimiters or provenance.

Secret exposure (THR-SECRET-02 / MEDIUM)

Tokens or environment values leak into descriptions, logs, traces, or outputs.

Mutation rate (THR-RATE-09 / LOW)

Write, delete, browser, or network tools can be called repeatedly without guardrails.

Dependency risk (THR-VER-11 / LOW)

Shipped packages include known advisories or unsupported dependency majors.

Handshake failure (THR-HS-03 / HIGH)

The server starts but never completes MCP initialization inside the sandbox.

Package launch heuristic (THR-PKG-05 / MEDIUM)

Package metadata points to a command unlikely to expose an MCP server entrypoint.

Capability scope heuristic (THR-SCOPE-08 / MEDIUM)

Tool names imply write, shell, or network access without confirmation boundaries.

Anatomy of a finding

Each finding ships with the offending surface, a reproduction, the observed result, and the fix pattern. Enough evidence to fix it, not just fear it.

rule:    THR-PATH-01 / HIGH
input:   { "path": "../.ssh/id_rsa" }
result:  escaped declared root
fix:     resolve, normalize, compare root, deny symlinks

evidence

A sample report.

One artifact for engineering, security, and release: client matrix, raw trace, security findings, and a sealed receipt. Open the live, interactive sample to click through the matrix, trace, security, and receipt tabs.

The public registry

Every server Throne executes is recorded publicly: verdict, security state, sealed date, and evidence hash. Browse the records, filter by verdict, and open any one to inspect the proof.

Why this matters

AI agents now act through MCP servers that can read files, call APIs, move data, and touch credentials, and almost none of them have been independently run before someone trusted them. A broken server fails silently for everyone who installed it; an unsafe one becomes a breach vector the moment an agent drives it.