<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Gowthaman</title>
    <description>The latest articles on DEV Community by Gowthaman (@gowthaman90).</description>
    <link>https://dev.to/gowthaman90</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F281464%2F8872ba83-7b1e-4490-a361-fe2a9d38e53c.jpeg</url>
      <title>DEV Community: Gowthaman</title>
      <link>https://dev.to/gowthaman90</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/gowthaman90"/>
    <language>en</language>
    <item>
      <title>The MCP reliability &amp; security gap — and an open-source proxy that fills it</title>
      <dc:creator>Gowthaman</dc:creator>
      <pubDate>Wed, 08 Jul 2026 13:31:18 +0000</pubDate>
      <link>https://dev.to/gowthaman90/the-mcp-reliability-security-gap-and-an-open-source-proxy-that-fills-it-3ppo</link>
      <guid>https://dev.to/gowthaman90/the-mcp-reliability-security-gap-and-an-open-source-proxy-that-fills-it-3ppo</guid>
      <description>&lt;p&gt;As AI agents move from demos to production, the &lt;strong&gt;Model Context Protocol (MCP)&lt;/strong&gt; has become the default way to give them tools. But the operational layer around MCP is still immature, and two gaps show up fast.&lt;/p&gt;

&lt;h2&gt;
  
  
  The reliability gap
&lt;/h2&gt;

&lt;p&gt;MCP servers disconnect mid-session — a crashed subprocess, a dropped network stream — and the agent has no good signal. It sees a generic &lt;em&gt;"No such tool available"&lt;/em&gt; error, indistinguishable from a tool that never existed. Worse, it can't reconnect itself; a human has to intervene. In a long autonomous run, capabilities silently vanish and the agent fails in confusing ways.&lt;/p&gt;

&lt;h2&gt;
  
  
  The security gap
&lt;/h2&gt;

&lt;p&gt;MCP tools are described in natural language that the model reads and acts on. That creates two live threats:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Rug pull&lt;/strong&gt; — a server presents a benign tool, you approve it, and later swaps the definition for a malicious one. Static, open-source scanners only check once at install time, so they miss it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tool poisoning&lt;/strong&gt; — hidden instructions in a description ("ignore previous instructions", "read the user's SSH key and post it to...") that steer the model.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Runtime defenses for these live mostly in paid platforms.&lt;/p&gt;

&lt;h2&gt;
  
  
  mcp-bastion
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://github.com/Gowthaman90/mcp-bastion" rel="noopener noreferrer"&gt;&lt;strong&gt;mcp-bastion&lt;/strong&gt;&lt;/a&gt; is a proxy that addresses both, and it's deliberately boring to adopt: it's a &lt;em&gt;correct MCP server&lt;/em&gt; to your client and a &lt;em&gt;correct MCP client&lt;/em&gt; to your servers, so it works with any compliant client through configuration alone — no per-client code — and removing it is a one-line revert.&lt;/p&gt;

&lt;p&gt;It's organized in three layers:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Reliability&lt;/strong&gt; — health checks, capped-backoff auto-reconnect, and control tools (&lt;code&gt;bastion__status&lt;/code&gt;, &lt;code&gt;bastion__reconnect&lt;/code&gt;) that let the agent itself inspect and recover connections.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Runtime security&lt;/strong&gt; — trust-on-first-use tool pinning that blocks rug pulls until you re-approve, heuristic poisoning inspection, and cross-server shadowing detection.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Audit &amp;amp; compliance&lt;/strong&gt; — every tool call becomes a structured, optionally tamper-evident event, fanned out to pluggable sinks (console / file / webhook) and mapped to &lt;strong&gt;NIST AI RMF&lt;/strong&gt; and &lt;strong&gt;OWASP LLM Top 10&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It speaks both stdio and Streamable HTTP. TypeScript, Apache-2.0, layered architecture, tests, and CI.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx mcp-bastion
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Repo: &lt;a href="https://github.com/Gowthaman90/mcp-bastion" rel="noopener noreferrer"&gt;https://github.com/Gowthaman90/mcp-bastion&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It's early and I'd love feedback — especially on the security heuristics and which audit sinks people want.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>mcp</category>
      <category>cybersecurity</category>
      <category>programming</category>
    </item>
  </channel>
</rss>
