Signpath

@signpath list all signing policies for our organization and show which ones require approval workflows

Retrieved 5 signing policies from your SignPath organization. Two policies require approval: 'Production Release' (requires 2 approvers from Security team) and 'Customer Hotfix' (requires 1 approver from Engineering leads). The remaining policies—'Development Build', 'QA Testing', and 'Internal Tools'—allow automatic signing without manual approval. Each policy specifies artifact types, allowed signing certificates, and submission restrictions.

This example demonstrates policy discovery before initiating signing workflows. Requires API key with read access to organization settings. Useful for understanding approval gates before submitting artifacts, though policy details may vary significantly by organization configuration.

@signpath check our certificate inventory and flag any expiring within 90 days

Scanned 8 certificates in your SignPath organization. Found 2 certificates expiring soon: 'Acme Code Signing 2024' expires in 67 days (March 15, 2025), and 'Internal Test Cert' expires in 82 days (March 30, 2025). The remaining 6 certificates are valid for 200+ days. Both expiring certificates are currently used in active signing policies—'Production Release' and 'QA Testing' respectively—so renewal should be prioritized to avoid workflow disruptions.

Combines certificate listing with AI analysis to surface expiration risks. Requires API key with certificate read permissions. SignPath doesn't auto-renew certificates, so proactive monitoring prevents signing pipeline failures. Certificate replacement requires updating associated signing policies.

@signpath show me all projects and summarize which ones have had signing activity in the last 30 days

Retrieved 12 projects from your SignPath organization. Based on project metadata, 7 projects appear active: 'Desktop Client', 'Mobile SDK', 'Web Installer', 'Plugin Framework', 'CLI Tools', 'Admin Console', and 'Legacy Updater'. The remaining 5 projects—'Deprecated API', 'Old Mobile App', 'Prototype Dashboard', 'Test Harness', and 'Archive Utilities'—show no recent configuration changes, suggesting they may be inactive. Note: This analysis uses project-level data; actual signing request history requires additional API calls not currently available through this tool.

Demonstrates project discovery with AI-driven activity inference. The MCP's List Projects tool returns project metadata but not signing request timestamps, so activity assessment is based on configuration recency. For precise signing history, you'd need to query each project's artifact submissions separately—a workflow this MCP doesn't currently expose.

When Signpath MCP helps compliance teams trace code signatures

A 6-person security team at a regulated SaaS company needs to audit which certificates signed which builds during a quarterly compliance review. The Signpath MCP is the right call here because it surfaces certificate lists and signing policy details directly in Switchy's chat interface, letting the team cross-reference policies against release logs without toggling between the Signpath UI and their incident tracker. The four-tool scope is narrow enough that the MCP won't slow down unrelated queries, and API key auth means no OAuth dance for read-only audits. The trade-off: if your team needs to actually trigger new signing requests or modify policies, this MCP won't help—it's read-only metadata retrieval. For quarterly or monthly audits where you're just pulling reports, this MCP saves the context-switching tax and keeps the audit conversation in one thread.

When this MCP speeds up new-hire Signpath orientation

A startup hiring its first DevSecOps engineer uses the Signpath MCP to let the new hire explore the org's certificate inventory and signing policies without waiting for a walkthrough from the CTO. The MCP's Retrieve System Info and List Projects tools give the engineer a self-service map of the signing infrastructure on day one, and the chat log becomes documentation for the next hire. This works well for orgs with under 20 projects—beyond that, the List Projects pagination gets tedious in a chat interface and you're better off exporting a CSV from the Signpath UI. The buying call: if your onboarding checklist includes 'understand our signing setup' and you don't want to schedule a 30-minute screen-share, the Signpath MCP turns that into a 10-minute async chat session.

When the MCP helps SREs verify signing config mid-incident

A 4-person SRE team responding to a supply-chain alert needs to confirm which certificates are active and which signing policies apply to their production builds. The Signpath MCP is useful here because it pulls certificate and policy metadata into the same Switchy thread where the team is already coordinating the incident response, avoiding the 'who has Signpath access' scramble. The List Certificates and Retrieve Signing Policy Details tools answer the 'is this cert compromised' question in under a minute. The limitation: this MCP doesn't revoke certificates or pause signing workflows, so if the incident requires action beyond verification, you're back in the Signpath UI anyway. For read-heavy incident triage where you need to rule out signing misconfig fast, this MCP keeps the team in one workspace and the timeline tight.