Conversation

@dtang19 dtang19 commented Dec 23, 2025

Motivation and Context

MCPTrust is a deny-by-default security layer for MCP servers. It provides lockfiles, drift detection, artifact integrity/provenance verification, and a runtime enforcement proxy.

How Has This Been Tested?

  • Go unit tests (go test ./...)
  • 17-phase adversarial test suite
  • Tested with Claude Desktop, Claude Code, GitHub Actions, Docker

Breaking Changes

N/A — new community project addition.

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [x] Documentation update

Checklist

  • [x] I have read the MCP Documentation
  • [x] My code follows the repository's style guidelines
  • [x] New and existing tests pass locally
  • [x] I have added appropriate error handling
  • [x] I have added or updated documentation as needed

Additional context

Adds MCPTrust as a community project for securing MCP servers in CI and at runtime (lockfiles, drift detection, artifact integrity/provenance verification, deny-by-default proxy).
@jonathanhefner (Member) left a comment

Hi, @dtang19! 👋 Can you clarify how this is related to the MCP Registry?

@dtang19 (Author) commented Dec 26, 2025

Hi @jonathanhefner 👋 Good question!

MCPTrust isn't part of the registry itself; it complements it. The MCP Registry helps people discover/install MCP servers; MCPTrust helps teams safely consume those servers by pinning artifacts (lockfiles + hashes), verifying integrity/provenance, detecting tool/schema drift, and enforcing the reviewed surface at runtime via a deny-by-default proxy.

In practice: you pick a server you found in the registry, MCPTrust locks and verifies what you’re about to run, and blocks anything that changes or wasn’t approved. That’s why it fits under Community Projects: it’s ecosystem tooling for registry users/operators, not a registry feature. Happy to clarify anything else.
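As an added illustration of the lockfile and drift-detection idea described in the thread (example code written for this page, not MCPTrust's own implementation; the `Tool`, `Lockfile`, `Drift`, `Digest` and `CheckDrift` names are hypothetical), this hashes a canonical form of each descriptor a server returns from `tools/list`, compares it with the reviewed lockfile, and lets only unchanged, approved tools through:

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Tool is the part of an MCP tools/list entry that a reviewer signs off on;
// Lockfile maps each reviewed tool name to the hex SHA-256 of its canonical form.
type Tool struct {
	Name        string          `json:"name"`
	InputSchema json.RawMessage `json:"inputSchema"`
}
type Lockfile map[string]string
type Drift struct{ Added, Changed []string } // tools not in the lockfile / whose schema changed

// Digest re-encodes the descriptor through encoding/json (sorted keys, no
// whitespace) before hashing, so cosmetic differences do not count as drift.
func Digest(t Tool) (string, error) {
	var schema interface{}
	if err := json.Unmarshal(t.InputSchema, &schema); err != nil {
		return "", err
	}
	canon, _ := json.Marshal(map[string]interface{}{"name": t.Name, "inputSchema": schema})
	return fmt.Sprintf("%x", sha256.Sum256(canon)), nil
}

// CheckDrift compares a live tools/list against the lockfile and returns the drift
// report plus the deny-by-default result: only unchanged, reviewed tools pass through.
func CheckDrift(lock Lockfile, live []Tool) (d Drift, allowed []Tool, err error) {
	for _, t := range live {
		h, err := Digest(t)
		if err != nil {
			return d, nil, err // an unparsable schema is itself a reason to refuse the server
		}
		switch want, ok := lock[t.Name]; {
		case !ok:
			d.Added = append(d.Added, t.Name)
		case want != h:
			d.Changed = append(d.Changed, t.Name)
		default:
			allowed = append(allowed, t)
		}
	}
	return d, allowed, nil
}
```

A proxy built on this would forward `allowed` to the client and fail closed on any non-empty `Drift`, so a server that quietly gains a tool or widens an input schema is blocked until someone re-reviews and re-locks it.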
