feat: add admin operations documentation and scripts for server management

domdomegg · domdomegg · commit 4b6311968d77 · 2025-08-28T21:23:07.000Z
🏠 Remote-Dev: homespace
diff --git a/docs/admin-operations.md b/docs/admin-operations.md
@@ -0,0 +1,46 @@
+# Admin Operations
+
+This is a brief guide for admins and moderators managing content on the registry. All actions should be taken in line with the [moderation guidelines](./moderation-guidelines.md).
+
+## Prerequisites
+
+- Admin account with @modelcontextprotocol.io email
+  - If you are a maintainer and would like an account, ask in the Discord
+- `gcloud` CLI installed and configured
+- `curl` and `jq` installed
+
+## Authentication
+
+```bash
+# Run this, then run the export command it outputs
+./tools/admin/auth.sh
+```
+
+## Edit a Server
+
+Step 1: Download Server
+
+```bash
+export SERVER_ID="<server-uuid>"
+curl -s "https://registry.modelcontextprotocol.io/v0/servers/${SERVER_ID}" > server.json
+```
+
+Step 2: Open `server.json` and make changes. You cannot change the server name.
+
+Step 3: Push Changes
+
+```bash
+curl -X PUT "https://registry.modelcontextprotocol.io/v0/servers/${SERVER_ID}" \
+  -H "Authorization: Bearer ${REGISTRY_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d "{\"server\": $(cat server.json)}"
+```
+
+## Takedown a Server
+
+```bash
+export SERVER_ID="<server-uuid>"
+./tools/admin/takedown.sh
+```
+
+This soft deletes the server. If you need to delete the content of a server (usually only where legally necessary), use the edit workflow above to scrub it all.
diff --git a/docs/moderation-guidelines.md b/docs/moderation-guidelines.md
@@ -0,0 +1,60 @@
+# Moderation Guidelines
+
+Guidelines for server publishers on the Official MCP Registry.
+
+## TL;DR
+
+We're quite permissive! We only remove illegal content, malware, spam and completely broken servers.
+
+We don't make guarantees about our moderation, and subregistries should take our data "as is", assuming minimal to no moderation.
+
+## Scope
+
+These guidelines apply to the **Official MCP Registry** at `registry.modelcontextprotocol.io`. 
+
+Subregistries may have their own moderation policies. If you have questions about content on a specific subregistry, please contact them directly.
+
+## Disclaimer
+
+We have limited active moderation capabilities, and this is a community supported projects. We largely rely on upstream package registries (like NPM, PyPi, and Docker) or downstream subregistries (like the GitHub MCP Registry) to do more in-depth moderation.
+
+This means there may be content in the registry that should be removed under these guidelines, which we haven't yet removed. You should treat registry data accordingly.
+
+## What We Remove
+
+We'll remove servers that contain:
+
+- Illegal content, which includes obscene content, copyright violations, and hacking tools
+- Malware, regardless of intentions
+- Spam, especially mass-created servers that disrupt the registry. Examples:
+    - The same server being submitted multiple times under different names.
+    - The server doesn't do anything but provide a fixed response with some marketing copy.
+    - The server description is stuffed with marketing copy, and its implementation is unrelated to its name or description.
+- Non-functioning servers
+
+## What We Don't Remove
+
+Generally, we believe in keeping the registry open and pushing moderation to subregistries. We therefore **won't** remove servers that are:
+
+- Low quality or buggy servers
+- Servers with security vulnerabilities
+- Do the same thing as other servers
+- Provide or contain adult content
+
+## How Removal Works
+
+When we remove a server:
+
+- It's set to "deleted" status but remains accessible via the API
+- This allows subregistries to remove it from their indexes
+- In extreme cases, we may overwrite or erase details of a server, e.g. where the metadata itself is unlawful
+
+## Appeals
+
+Think we made a mistake? Open an issue on our [GitHub repository](https://github.com/modelcontextprotocol/registry) with:
+- The ID and name of your server
+- Why you believe it doesn't meet the criteria for removal above
+
+## Changes to this policy
+
+We're still learning how to best run the MCP registry! As such, we might end up changing this policy in the future.
diff --git a/tools/admin/auth.sh b/tools/admin/auth.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# Simple OIDC authentication helper using gcloud
+
+REGISTRY_URL="${REGISTRY_URL:-https://registry.modelcontextprotocol.io}"
+
+if ! gcloud projects list &> /dev/null; then
+    gcloud auth login >&2
+fi
+
+# Get Google Cloud identity token
+OIDC_TOKEN=$(gcloud auth print-identity-token)
+
+# Exchange for registry token
+RESPONSE=$(curl -s -X POST "${REGISTRY_URL}/v0/auth/oidc" \
+  -H "Content-Type: application/json" \
+  -d "{\"oidc_token\": \"${OIDC_TOKEN}\"}")
+
+# Check if successful
+REGISTRY_TOKEN=$(echo "$RESPONSE" | jq -r '.registry_token // empty')
+
+if [ -z "$REGISTRY_TOKEN" ]; then
+    echo "Error: Authentication failed" >&2
+    echo "$RESPONSE" | jq '.' >&2
+    exit 1
+fi
+
+# Output the export command
+echo "# Successfully authenticated! Now run this to use your token:" >&2
+echo "export REGISTRY_TOKEN='${REGISTRY_TOKEN}'"
diff --git a/tools/admin/takedown.sh b/tools/admin/takedown.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Simple takedown script
+
+REGISTRY_URL="${REGISTRY_URL:-https://registry.modelcontextprotocol.io}"
+
+if [ -z "$SERVER_ID" ] || [ -z "$REGISTRY_TOKEN" ]; then
+    echo "Usage: REGISTRY_TOKEN=<token> SERVER_ID=<server-uuid> $0"
+    exit 1
+fi
+
+# Get current server and update status to deleted
+curl -s "${REGISTRY_URL}/v0/servers/${SERVER_ID}" | \
+jq '.status = "deleted" | {server: .}' | \
+curl -X PUT "${REGISTRY_URL}/v0/servers/${SERVER_ID}" \
+  -H "Authorization: Bearer ${REGISTRY_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d @-
