# CLI Reference
MCPKernel provides 22+ commands for managing the security gateway. All commands are invoked via `mcpkernel <command>`.
## Core Commands
### serve
Start the MCPKernel proxy gateway.
| Option | Type | Default | Description |
|---|---|---|---|
| `--host` | str | `127.0.0.1` | Bind address |
| `--port` | int | `8080` | Bind port |
| `--config, -c` | path | None | Config YAML path |
| `--log-level` | str | `info` | Log level |
| `--transport` | str | `http` | Transport: http or stdio |
```bash
# Start with defaults
mcpkernel serve
# Start with config file
mcpkernel serve -c .mcpkernel/config.yaml --log-level debug
# Start in stdio mode (for IDE integration)
mcpkernel serve --transport stdio
```
### init
Initialize MCPKernel in a project directory.
| Option | Type | Default | Description |
|---|---|---|---|
| `DIRECTORY` | path | `.` | Project directory |
| `--preset, -p` | str | `standard` | Policy preset: permissive, standard, strict |
### status
Show current MCPKernel status.
### version
Print the MCPKernel version.
## Server Management
### add-server
Add an upstream MCP server to the configuration.
| Option | Type | Default | Description |
|---|---|---|---|
| `NAME` | str | required | Server name (e.g., filesystem) |
| `URL` | str | required | Server URL |
| `--transport` | str | `streamable_http` | Transport type |
| `-c, --config` | path | `.mcpkernel/config.yaml` | Config file |
```bash
mcpkernel add-server filesystem http://localhost:3000/mcp
mcpkernel add-server github http://localhost:3001/mcp --transport sse
```
### test-connection
Test connectivity to all configured upstream servers.
## Policy Commands
### validate-policy
Validate a policy YAML file or directory.
### presets
List available policy presets and their rules.
### quickstart
One-command demo — initialize, show config, and verify the pipeline.
## Trace & Audit Commands
### trace-list
List recent execution traces.
| Option | Type | Default | Description |
|---|---|---|---|
| `--db` | str | `mcpkernel_traces.db` | Trace DB path |
| `--limit` | int | `20` | Max entries |
### trace-export
Export traces to a file.
| Option | Type | Default | Description |
|---|---|---|---|
| `--db` | str | `mcpkernel_traces.db` | Trace DB path |
| `--format` | str | `json` | Format: json, csv |
| `--output` | str | required | Output file path |
### replay
Replay a specific trace to verify determinism.
### audit-query
Query the audit log.
### audit-verify
Verify the integrity of audit log entries.
## Security Scanning
### scan
Scan MCP tool definitions for security issues.
### poison-scan
Scan tool descriptions for poisoning attacks (hidden instructions, encoding tricks, etc.).
### scan-skill
Scan a skill file for security issues.
### agent-scan
Run a Snyk agent security scan.
## IDE Integration
### install
Install MCPKernel as an MCP server in an IDE.
Targets: claude, cursor, vscode, windsurf, zed, openclaw, goose
### uninstall
Remove MCPKernel from an IDE.
### discover
Find all MCP servers installed across all IDEs.
### doctor
Run health checks on the MCPKernel installation.
### mcp-serve
Start MCPKernel as an MCP server (for IDE integration).
## Registry Commands
### registry-search
Search the MCP Server Registry.
### registry-list
List servers from the MCP Server Registry.
## Configuration Commands
### config-show
Show the effective configuration (all sources merged).
## Observability
### langfuse-export
Export traces to Langfuse for LLM observability.
## Manifest Commands
### manifest-import
Import an agent.yaml manifest file.
### manifest-validate
Validate an agent.yaml manifest.