feat(registries): user-added registries + provenance/trust model + registry add-source CLI (MCP-866) (#573)

* feat(registries): MCP-866 trust/provenance model foundation (config + merge)

Foundation layer for user-added registries. CLI add-source, server-add-time
stamping/enforcement, REST/MCP surface, and docs follow in subsequent commits.

- Add registry provenance trust tags (official/trusted vs custom/unverified) to
  both config and registries RegistryEntry, with IsTrusted() helpers.
- DefaultRegistries are tagged official/trusted.
- SetRegistriesFromConfig recomputes provenance AUTHORITATIVELY by ID: a
  shipped-default ID is always official; anything user-added is
  custom/unverified — a user cannot self-assert trust via config.
- ServerConfig gains SourceRegistryID + SourceRegistryProvenance so a server's
  origin is recorded for the approval/quarantine view.
- Config validation rejects skip_quarantine for servers sourced from a
  custom/unverified registry (quarantine-always; no user allowlist).
- RegistriesLocked enterprise stub knob (doc + add-source rejection only).
- Tests: provenance JSON round-trip, authoritative merge recompute (incl.
  rejecting self-asserted trust), skip_quarantine rejection/allowance. config +
  registries suites green with -race; golangci-lint 0 issues.

Refs MCP-866.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* feat(registries): add-source CLI + REST/MCP surface + quarantine enforcement (MCP-866)

Builds on the provenance foundation to let users add their own MCP registry
sources, always tagged custom/unverified so their servers can never escape
quarantine. There is no allowlist a user can add themselves into.

- `mcpproxy registry add-source <https-url> [--protocol|--id|--name]`: daemon-first
  CLI that adds a generic modelcontextprotocol/registry v0.1 endpoint. Writes
  cfg.Registries copy-on-write via UpdateConfig + persists, and rebuilds the
  effective catalog so the source is immediately searchable.
- Server keystone (add_from_registry): stamp SourceRegistryID/Provenance onto the
  derived ServerConfig from the resolved registry; a custom/unverified source
  forces Quarantined=true and SkipQuarantine=false regardless of the global
  default (CN-002 extended).
- New add-source op (add_registry_source.go): pure URL→entry derivation (https
  validation, id-from-host slug, v0.1 servers-url derivation) + guardrails
  (registries_locked, no shadowing a built-in id, no duplicate). Stable
  cross-surface error codes: invalid_registry_url / registries_locked /
  registry_shadows_builtin / duplicate_registry.
- REST POST /api/v1/registries; cliclient.AddRegistrySource; provenance + trusted
  surfaced in list_registries across runtime REST + MCP so a UI can show the
  one-time third-party-registry warning.
- Docs: docs/registries.md trust model + add-source + registries_locked stub.
- OpenAPI regenerated.

TDD: add-source derivation/validation unit tests, custom-origin quarantine-always
keystone tests, and a registries integration test proving a user-added v0.1
endpoint is searchable AND tagged custom/unverified. Local: go build ./...,
config/registries/server/httpapi/cliclient/contracts/cmd suites green (-race on
the pure-logic packages), binary API + MCP e2e green, golangci-lint 0 issues,
approval-hash stability canary green.

Related MCP-866

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(storage): persist registry origin/provenance on UpstreamRecord (MCP-866)

CI caught the new ServerConfig fields tripping the storage field-coverage
canary (TestSaveServerSyncFieldCoverage) — they were unpersisted. Persist them
so a server's registry origin survives a restart; otherwise a reloaded
custom-origin server would lose its provenance and the skip_quarantine guard
plus the approval/quarantine view would silently stop working.

- Add SourceRegistryID + SourceRegistryProvenance to UpstreamRecord.
- Carry them through every config<->record conversion (async saveServerSync,
  Manager.SaveUpstreamServer, GetUpstreamServer, ListUpstreamServers,
  ListQuarantinedUpstreamServers).
- Extend the field-coverage canary's expectedFields; add a save->reload
  round-trip test (incl. via the quarantine listing).

Fixes the Unit Tests / E2E / Build Binaries CI failures on #573 (all ran
go test ./... and hit the same storage canary). storage suite green with -race;
go build ./... clean; gofmt clean.

Related MCP-866

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(api): surface registry provenance + trusted in GET /api/v1/registries (MCP-866)

Add Provenance and Trusted fields to contracts.Registry so the REST API
surfaces the trust tag for each registry. Copy from the internal registry
entry in handleListRegistries.

Provenance is derived authoritatively at merge time (MCP-866):
- Built-in defaults get provenance=official/trusted, trusted=true
- User-added registries get provenance=custom/unverified, trusted=false

Regenerated swagger.yaml. Test asserts a custom registry shows
provenance=custom/unverified and trusted=false.

Related #573

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>

Author: Dumbris

cmd/mcpproxy/registry_cmd.go

@@ -21,12 +21,15 @@ import (
 
 // Registry command flags (spec 070).
 var (
-	registryConfigPath string
-	registrySearchTag  string
-	registryLimit      int
-	registryAddName    string
-	registryAddEnv     []string
-	registryAddEnabled bool
+	registryConfigPath     string
+	registrySearchTag      string
+	registryLimit          int
+	registryAddName        string
+	registryAddEnv         []string
+	registryAddEnabled     bool
+	registryAddSourceProto string // MCP-866
+	registryAddSourceID    string
+	registryAddSourceName  string
 )
 
 // GetRegistryCommand builds the `registry` command group (spec 070): a single
@@ -53,12 +56,79 @@ Typical flow:
   mcpproxy registry add pulse weather-mcp       # add it (quarantined)
   mcpproxy upstream approve weather-mcp          # approve once you trust it
 
-'registry add' talks to the running mcpproxy daemon. 'list' and 'search' use the
-daemon when available and otherwise read the registries directly.`,
+Add your own registry source (any official modelcontextprotocol/registry v0.1 endpoint):
+  mcpproxy registry add-source https://registry.example.com   # custom/unverified
+
+'registry add' and 'registry add-source' talk to the running mcpproxy daemon.
+'list' and 'search' use the daemon when available and otherwise read the
+registries directly.`,
 	}
 
 	cmd.PersistentFlags().StringVarP(&registryConfigPath, "config", "c", "", "Path to MCP configuration file")
-	cmd.AddCommand(newRegistryListCmd(), newRegistrySearchCmd(), newRegistryAddCmd())
+	cmd.AddCommand(newRegistryListCmd(), newRegistrySearchCmd(), newRegistryAddCmd(), newRegistryAddSourceCmd())
+	return cmd
+}
+
+func newRegistryAddSourceCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "add-source <https-url>",
+		Short: "Add a custom MCP registry source (quarantine-always)",
+		Long: `Add your own MCP server registry — any https endpoint implementing the
+official modelcontextprotocol/registry v0.1 protocol (the same protocol shipped
+by Copilot/VS Code/Azure).
+
+The added source is ALWAYS tagged custom/unverified: there is no allowlist you
+can add yourself into. Every server you discover and add through a custom source
+lands quarantined and can never skip quarantine — review and approve it once you
+trust it:
+  mcpproxy registry search <query> -r <id>
+  mcpproxy registry add <id> <serverId>
+  mcpproxy upstream approve <name>`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(_ *cobra.Command, args []string) error {
+			sourceURL := args[0]
+
+			cfg, err := loadRegistryConfig()
+			if err != nil {
+				return outputError(clioutput.NewStructuredError(clioutput.ErrCodeConfigNotFound, err.Error()).
+					WithRecoveryCommand("mcpproxy doctor"), clioutput.ErrCodeConfigNotFound)
+			}
+
+			// add-source MUST go through the daemon: the registry list lives on the
+			// runtime config snapshot and is updated copy-on-write via UpdateConfig.
+			if !shouldUseUpstreamDaemon(cfg.DataDir) {
+				return outputError(clioutput.NewStructuredError(clioutput.ErrCodeConnectionFailed,
+					"adding a registry source requires a running mcpproxy daemon").
+					WithGuidance("Start the daemon, then retry").
+					WithRecoveryCommand("mcpproxy serve"), clioutput.ErrCodeConnectionFailed)
+			}
+
+			ctx, cancel := registryContext()
+			defer cancel()
+
+			client := cliclient.NewClient(socket.DetectSocketPath(cfg.DataDir), nil)
+			reg, err := client.AddRegistrySource(ctx, sourceURL, registryAddSourceProto, registryAddSourceID, registryAddSourceName)
+			if err != nil {
+				return registryAddErrorOutput(err)
+			}
+
+			outputFormat := ResolveOutputFormat()
+			if outputFormat == "json" || outputFormat == "yaml" {
+				formatter, _ := GetOutputFormatter()
+				out, _ := formatter.Format(reg)
+				fmt.Println(out)
+				return nil
+			}
+
+			fmt.Printf("✅ Added registry source '%s' (%s)\n", reg.ID, reg.Provenance)
+			fmt.Printf("⚠️  This is a third-party, unverified registry — its servers are always quarantined until you approve them.\n")
+			fmt.Printf("   Search it with: mcpproxy registry search <query> -r %s\n", reg.ID)
+			return nil
+		},
+	}
+	cmd.Flags().StringVar(&registryAddSourceProto, "protocol", "", "Registry protocol (default: modelcontextprotocol/registry)")
+	cmd.Flags().StringVar(&registryAddSourceID, "id", "", "Override the derived registry id")
+	cmd.Flags().StringVar(&registryAddSourceName, "name", "", "Override the registry display name")
 	return cmd
 }
 
@@ -270,6 +340,18 @@ func registryAddErrorOutput(err error) error {
 	case "registry_not_found", "server_not_found":
 		return outputError(clioutput.NewStructuredError(clioutput.ErrCodeServerNotFound, addErr.Message).
 			WithGuidance("Check the ids with 'mcpproxy registry list' and 'mcpproxy registry search'"), clioutput.ErrCodeServerNotFound)
+	case "invalid_registry_url":
+		return outputError(clioutput.NewStructuredError(clioutput.ErrCodeInvalidInput, addErr.Message).
+			WithGuidance("Provide an https URL, e.g. https://registry.example.com"), clioutput.ErrCodeInvalidInput)
+	case "registries_locked":
+		return outputError(clioutput.NewStructuredError(clioutput.ErrCodeOperationFailed, addErr.Message).
+			WithGuidance("Registry additions are disabled by policy (registries_locked)"), clioutput.ErrCodeOperationFailed)
+	case "registry_shadows_builtin":
+		return outputError(clioutput.NewStructuredError(clioutput.ErrCodeInvalidInput, addErr.Message).
+			WithGuidance("Choose a different --id; built-in registry ids cannot be replaced"), clioutput.ErrCodeInvalidInput)
+	case "duplicate_registry":
+		return outputError(clioutput.NewStructuredError(clioutput.ErrCodeOperationFailed, addErr.Message).
+			WithGuidance("A registry with that id already exists; pass a different --id"), clioutput.ErrCodeOperationFailed)
 	default:
 		return outputError(clioutput.NewStructuredError(clioutput.ErrCodeOperationFailed, addErr.Message), clioutput.ErrCodeOperationFailed)
 	}

docs/registries.md

@@ -23,6 +23,61 @@ key is configured it is sent on every request to that registry as an
 User-configured registries in `mcp_config.json` (`registries: [...]`) are **merged**
 with these defaults (keyed by ID); a custom entry never drops the shipped set.
 
+## Trust model & user-added registries
+
+Every registry carries a **provenance** tag:
+
+| Provenance | Meaning |
+|---|---|
+| `official/trusted` | A shipped, built-in default (the five above). |
+| `custom/unverified` | Any registry the user added at runtime, or any non-default ID in `mcp_config.json`. |
+
+Trust is **derived, not asserted** — it comes solely from whether the registry ID
+is one of the shipped defaults. Writing `"provenance": "official/trusted"` into a
+custom `mcp_config.json` entry has no effect; mcpproxy recomputes provenance on
+every merge. **There is no allowlist a user can add themselves into.**
+
+Consequences for `custom/unverified` registries:
+
+- Servers discovered through them are **always quarantined** on add, regardless of
+  the global quarantine default — and they can **never** set `skip_quarantine`
+  (enforced in config validation *and* at server-add time). A server's origin is
+  recorded on its config as `source_registry_id` / `source_registry_provenance`
+  and surfaced in the approval/quarantine view.
+- The `list_registries` output (MCP, REST, CLI) includes `provenance` and a
+  `trusted` boolean so a UI can show a one-time third-party-registry warning.
+
+### Adding your own registry source
+
+`mcpproxy registry add-source` adds any https endpoint that implements the official
+`modelcontextprotocol/registry` v0.1 protocol (the same protocol Copilot / VS Code /
+Azure ship):
+
+```bash
+mcpproxy registry add-source https://registry.example.com
+mcpproxy registry add-source https://registry.example.com --id acme --name "Acme Corp"
+```
+
+The ID is derived from the host when omitted; `--protocol` defaults to
+`modelcontextprotocol/registry`. The source is always tagged `custom/unverified`.
+This requires a running daemon — the registry list is updated copy-on-write on the
+runtime config snapshot and persisted to `mcp_config.json`.
+
+Equivalent surfaces:
+
+- **REST:** `POST /api/v1/registries` with `{ "url": "https://…", "protocol": "…", "id": "…", "name": "…" }`.
+- **CLI:** `mcpproxy registry add-source <https-url>`.
+
+Errors share a stable code across surfaces: `invalid_registry_url` (400),
+`registries_locked` (403), `registry_shadows_builtin` / `duplicate_registry` (409).
+
+### Enterprise: `registries_locked` (stub)
+
+Setting `"registries_locked": true` in `mcp_config.json` disables runtime registry
+additions (`registry add-source` and the REST/MCP add-source surface return
+`registries_locked`). Built-in defaults are unaffected. This is a forward-looking
+stub for enterprise policy pinning.
+
 ## Official v0.1 protocol
 
 The official registry returns a cursor-paginated list of wrapped entries:

internal/cliclient/client.go

@@ -1862,3 +1862,56 @@ func (c *Client) AddFromRegistry(ctx context.Context, registryID, serverID, name
 	}
 	return &apiResp.Data.Server, nil
 }
+
+// AddRegistrySource adds a user-supplied registry source via the daemon
+// (MCP-866). POST /api/v1/registries → data.registry. On failure it returns a
+// *RegistryAddError carrying the stable cross-surface code.
+func (c *Client) AddRegistrySource(ctx context.Context, sourceURL, protocol, id, name string) (*contracts.RegistrySummary, error) {
+	body := contracts.AddRegistrySourceRequest{URL: sourceURL, Protocol: protocol, ID: id, Name: name}
+	bodyBytes, err := json.Marshal(body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	u := c.baseURL + "/api/v1/registries"
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, u, bytes.NewReader(bodyBytes))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	c.prepareRequest(ctx, req)
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to call add-registry-source API: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var apiResp struct {
+		Success   bool                             `json:"success"`
+		Data      *contracts.AddRegistrySourceData `json:"data"`
+		Error     string                           `json:"error"`
+		Code      string                           `json:"code"`
+		RequestID string                           `json:"request_id"`
+	}
+	if err := json.Unmarshal(respBytes, &apiResp); err != nil {
+		return nil, fmt.Errorf("failed to parse response (status %d): %s", resp.StatusCode, string(respBytes))
+	}
+
+	if !apiResp.Success || resp.StatusCode != http.StatusOK {
+		msg := apiResp.Error
+		if msg == "" {
+			msg = fmt.Sprintf("API returned status %d", resp.StatusCode)
+		}
+		return nil, &RegistryAddError{Code: apiResp.Code, Message: msg, RequestID: apiResp.RequestID}
+	}
+	if apiResp.Data == nil {
+		return nil, fmt.Errorf("daemon returned success with no registry data")
+	}
+	return &apiResp.Data.Registry, nil
+}

internal/config/config.go

@@ -101,6 +101,13 @@ type Config struct {
 	// Registries configuration for MCP server discovery
 	Registries []RegistryEntry `json:"registries,omitempty" mapstructure:"registries"`
 
+	// RegistriesLocked is an enterprise stub knob (MCP-866): when true, runtime
+	// additions of custom registries (e.g. `registry add-source`, the REST/MCP
+	// add-source surface) are rejected so an administrator can pin the discovery
+	// sources. Built-in defaults are unaffected. Documented but otherwise inert
+	// beyond the add-source rejection.
+	RegistriesLocked bool `json:"registries_locked,omitempty" mapstructure:"registries-locked"`
+
 	// Deprecated: Features flags are unused and have no runtime effect. Kept for backward compatibility.
 	Features *FeatureFlags `json:"features,omitempty" mapstructure:"features"`
 
@@ -251,6 +258,16 @@ type ServerConfig struct {
 	LauncherWaitTimeout Duration `json:"launcher_wait_timeout,omitempty" mapstructure:"launcher_wait_timeout" swaggertype:"string"`
 	EnabledTools        []string `json:"enabled_tools,omitempty" mapstructure:"enabled_tools"`   // Allowlist: only these tools are exposed; mutually exclusive with disabled_tools
 	DisabledTools       []string `json:"disabled_tools,omitempty" mapstructure:"disabled_tools"` // Denylist: these tools are hidden; mutually exclusive with enabled_tools
+
+	// SourceRegistryID records which registry this server was added from (empty
+	// for manually-configured servers). MCP-866: surfaced in the approval /
+	// quarantine view so a reviewer can see a server's origin.
+	SourceRegistryID string `json:"source_registry_id,omitempty" mapstructure:"source_registry_id"`
+	// SourceRegistryProvenance is the trust tag of the source registry at add
+	// time (RegistryProvenanceOfficial / RegistryProvenanceCustom). When it is
+	// RegistryProvenanceCustom, skip_quarantine is forbidden — a custom,
+	// unverified registry can never opt its servers out of quarantine.
+	SourceRegistryProvenance string `json:"source_registry_provenance,omitempty" mapstructure:"source_registry_provenance"`
 }
 
 // OAuthConfig represents OAuth configuration for a server
@@ -632,6 +649,18 @@ func (c *OutputSanitisationConfig) WouldMutate(trust string) bool {
 	return trust == "untrusted" && (c.IsStripEnabled() || c.IsSpotlightEnabled())
 }
 
+// Registry provenance tags (MCP-866). Trust is derived, not user-asserted: a
+// registry is "trusted" only when it is one of the shipped built-in defaults.
+// Anything a user adds at runtime (e.g. via `registry add-source`) is
+// "custom/unverified" and can NEVER skip quarantine — there is no allowlist a
+// user can append themselves into.
+const (
+	// RegistryProvenanceOfficial marks a built-in, shipped-by-default registry.
+	RegistryProvenanceOfficial = "official/trusted"
+	// RegistryProvenanceCustom marks a user-added registry of unknown trust.
+	RegistryProvenanceCustom = "custom/unverified"
+)
+
 // RegistryEntry represents a registry in the configuration
 type RegistryEntry struct {
 	ID          string      `json:"id"`
@@ -646,6 +675,19 @@ type RegistryEntry struct {
 	// true and no key is configured, the registry is skipped/marked unavailable
 	// rather than failing the whole search (FR-008).
 	RequiresKey bool `json:"requires_key,omitempty"`
+	// Provenance is the trust tag for this registry (MCP-866):
+	// RegistryProvenanceOfficial for built-in defaults, RegistryProvenanceCustom
+	// for user-added registries. It is authoritatively (re)computed by the
+	// registries merge from whether the ID is a shipped default — a user cannot
+	// claim "official/trusted" by writing it into their config.
+	Provenance string `json:"provenance,omitempty" mapstructure:"provenance"`
+}
+
+// IsTrusted reports whether the registry is an official, shipped-by-default
+// source. Trust is never granted by omission — an absent provenance tag is
+// untrusted.
+func (r *RegistryEntry) IsTrusted() bool {
+	return r != nil && r.Provenance == RegistryProvenanceOfficial
 }
 
 // CursorMCPConfig represents the structure for Cursor IDE MCP configuration
@@ -847,6 +889,7 @@ func DefaultRegistries() []RegistryEntry {
 			ServersURL:  "https://registry.modelcontextprotocol.io/v0.1/servers",
 			Tags:        []string{"verified", "official"},
 			Protocol:    "modelcontextprotocol/registry",
+			Provenance:  RegistryProvenanceOfficial,
 		},
 		{
 			ID:          "reference",
@@ -856,6 +899,7 @@ func DefaultRegistries() []RegistryEntry {
 			ServersURL:  "builtin://reference",
 			Tags:        []string{"verified", "official", "reference"},
 			Protocol:    "builtin/reference",
+			Provenance:  RegistryProvenanceOfficial,
 		},
 		{
 			ID:          "docker-mcp-catalog",
@@ -865,6 +909,7 @@ func DefaultRegistries() []RegistryEntry {
 			ServersURL:  "https://hub.docker.com/v2/repositories/mcp/",
 			Tags:        []string{"verified"},
 			Protocol:    "custom/docker",
+			Provenance:  RegistryProvenanceOfficial,
 		},
 		{
 			ID:          "pulse",
@@ -875,6 +920,7 @@ func DefaultRegistries() []RegistryEntry {
 			Tags:        []string{"verified"},
 			Protocol:    "custom/pulse",
 			RequiresKey: true,
+			Provenance:  RegistryProvenanceOfficial,
 		},
 		{
 			ID:          "smithery",
@@ -885,6 +931,7 @@ func DefaultRegistries() []RegistryEntry {
 			Tags:        []string{"verified"},
 			Protocol:    "modelcontextprotocol/registry",
 			RequiresKey: true,
+			Provenance:  RegistryProvenanceOfficial,
 		},
 	}
 }
@@ -1247,6 +1294,16 @@ func (c *Config) ValidateDetailed() []ValidationError {
 				Message: "enabled_tools and disabled_tools are mutually exclusive; use one or the other",
 			})
 		}
+
+		// MCP-866: a server sourced from a custom/unverified registry can NEVER
+		// skip quarantine. There is no allowlist a user can add themselves into,
+		// so an unverified third-party source must always be reviewed.
+		if server.SkipQuarantine && server.SourceRegistryProvenance == RegistryProvenanceCustom {
+			errors = append(errors, ValidationError{
+				Field:   fieldPrefix + ".skip_quarantine",
+				Message: "skip_quarantine is not allowed for a server added from a custom/unverified registry",
+			})
+		}
 	}
 
 	// Validate DataDir exists (if specified and not empty).