mustafasalimerek-bit

LaunchTrust MCP

Run a compliance + security scan on your app — without leaving Claude Code.

LaunchTrust scans a public URL for the compliance and security gaps that get indie apps rejected or fined — leaked frontend API keys, exposed .env/.git, missing privacy/terms pages, absent security headers, undisclosed AI interactions, tracker/cookie issues — mapped to 39 jurisdictions (EU AI Act, GDPR, US state privacy laws, app-store policies).

It's a remote, hosted MCP server — nothing to install, build, or run. Add the URL and go.

⚖️ Compliance aid, not legal advice. Not a certification of compliance.

Install (Claude Code)

claude mcp add --transport http launchtrust https://mcp.launchtrust.co/mcp

Then ask Claude:

"Scan https://my-app.com for compliance and security issues."

Works in any MCP client that supports remote Streamable HTTP servers (Claude Code, Claude Desktop, …).

What the free scan checks

scan_url runs a focused, high-signal subset of detectors against any public URL — no account needed:

  • 🔑 Leaked frontend API keys / secrets

  • 📂 Exposed .env / .git / config files

  • 🛡️ Security headers (CSP, HSTS, X-Frame-Options, …) + HTTPS/HSTS

  • 📄 Missing privacy / terms pages

  • 🤖 Undisclosed AI interactions

  • 🍪 Trackers / cookie-consent

The result is plain text, unsigned and not stored.

Tools

Free — no account

| Tool | Description |
| --- | --- |
| scan_url | Quick compliance + security scan of any public URL. |
| list_jurisdictions | Jurisdictions & categories covered (EU AI Act, GDPR, US states, app stores). |
| get_compliance_rules | Sourced compliance rule snapshots, filterable by jurisdiction. |
| verify_record | Independently verify the ES256 signature on a LaunchTrust signed record. |

Account — needs a token

The full version runs all 27 detectors across 39 jurisdictions, stores a signed, dated evidence record, and monitors continuously. Connect with your LaunchTrust token:

claude mcp add --transport http launchtrust https://mcp.launchtrust.co/mcp \
  --header "Authorization: Bearer lt_pat_..."

| Tool | Description |
| --- | --- |
| register_app | Register a web app to scan & monitor (idempotent). |
| scan_app | Full 27-detector signed scan of a registered app. |
| get_scan_history | Recent scans for an app. |
| get_market_report | Findings annotated by your target-market jurisdictions. |
| list_my_apps | Your registered apps + latest status. |

Get a token at launchtrust.co.

Use in other MCP clients

LaunchTrust is a standard remote (Streamable HTTP) MCP server — it works in any MCP-compatible client, not just Claude Code.

Codex CLI — add to ~/.codex/config.toml:

[mcp_servers.launchtrust]
url = "https://mcp.launchtrust.co/mcp"

Gemini CLI — add to ~/.gemini/settings.json:

{
  "mcpServers": {
    "launchtrust": { "httpUrl": "https://mcp.launchtrust.co/mcp" }
  }
}

Cursor, Windsurf, and others — point them at the remote URL https://mcp.launchtrust.co/mcp (Streamable HTTP).

For the account-gated tools, pass your token as an Authorization: Bearer lt_pat_... header (Claude Code: --header; Codex: http_headers = { Authorization = "Bearer lt_pat_..." }; Gemini: "headers": { "Authorization": "Bearer lt_pat_..." }).

How it works

  • Transport: stateless Streamable HTTP (MCP spec 2025-11-25) at POST /mcp.

  • Privacy: the free scan stores nothing — it fetches your URL, runs detectors, returns findings. Premium scans store a signed record under your account only.

  • Honesty: it never invents findings. Every result traces to what was actually on the page, and it reports mechanical signals (detected / not_detected) — never a verdict of "compliant".

Development

Zero-dependency Cloudflare Worker; a thin client over the LaunchTrust API.

npm install
npm run typecheck
npm run dev        # wrangler dev — POST http://localhost:8787/mcp
npm run deploy     # wrangler deploy (custom domain in wrangler.toml)

LaunchTrust is a compliance aid, not legal advice, and is not a certification of compliance with any law.
