by _enjn 69 days ago
The connection lifecycle is one problem, but even with ephemeral connections you still have the authorization gap — MCP has no built-in concept of per-tool, per-user permissions. We ran into this building an MCP aggregator (ToolMesh, Apache 2.0) where 15+ backends connect through a single gateway. Our approach: OpenFGA for fine-grained ReBAC authorization on every tool call, plus an Output Gate that can run e.g. DLP policies before results reach the LLM. The attack surface isn't just about which servers are connected — it's about what each agent is allowed to do with them. https://toolmesh.io
1 comments

Yeah, this is the reason why Orloj has built-in policies which are applied to your resources and managed at the runtime level. This way you can allow only certain tool usage per agent for a more fine-grained setup.
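
The per-call authorization check and output gate discussed in this thread, as an added example (not ToolMesh, Orloj or OpenFGA code). The in-memory tuple store stands in for a ReBAC service, and the tool names, backends and single redaction rule are constructed for illustration.

```python
import re

# Constructed relationship tuples (user, relation, object); an in-memory
# stand-in for a ReBAC store such as OpenFGA, not its actual API.
TUPLES = {
    ("user:alice", "member", "group:support"),
    ("group:support#member", "can_call", "tool:crm/lookup_customer"),
    ("user:bob", "can_call", "tool:crm/export_all"),
}

def check(user, relation, obj):
    """True if user holds relation on obj directly or via group membership."""
    if (user, relation, obj) in TUPLES:
        return True
    groups = [o for (u, r, o) in TUPLES if u == user and r == "member"]
    return any((f"{g}#member", relation, obj) in TUPLES for g in groups)

# Hypothetical backends behind the gateway, returning constructed data.
BACKENDS = {
    "crm/lookup_customer":
        lambda args: f"{args['name']}: card 4111 1111 1111 1111, tier gold",
    "crm/export_all": lambda args: "1200 rows exported",
}

# Output gate: one illustrative DLP rule that masks card-like digit runs
# before the tool result is handed back to the model.
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def output_gate(text):
    return CARD.sub("[REDACTED]", text)

def call_tool(user, tool, args):
    """Authorize every call per user and per tool, then filter the result."""
    # Deny by default: unknown tools and missing grants fail the same way,
    # so a caller cannot probe which tools exist behind the gateway.
    if tool not in BACKENDS or not check(user, "can_call", f"tool:{tool}"):
        raise PermissionError(f"{user} may not call {tool}")
    return output_gate(BACKENDS[tool](args))
```

The check runs on each call rather than at connection time, so revoking a tuple takes effect on the next tool invocation even if the backend connection stays open.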