DEV Community

Gowthaman
Gowthaman

Posted on • Originally published at Medium

The MCP reliability & security gap — and an open-source proxy that fills it

As AI agents move from demos to production, the Model Context Protocol (MCP) has become the default way to give them tools. But the operational layer around MCP is still immature, and two gaps show up fast.

The reliability gap

MCP servers disconnect mid-session — a crashed subprocess, a dropped network stream — and the agent has no good signal. It sees a generic "No such tool available" error, indistinguishable from a tool that never existed. Worse, it can't reconnect itself; a human has to intervene. In a long autonomous run, capabilities silently vanish and the agent fails in confusing ways.

The security gap

MCP tools are described in natural language that the model reads and acts on. That creates two live threats:

  • Rug pull — a server presents a benign tool, you approve it, and later swaps the definition for a malicious one. Static, open-source scanners only check once at install time, so they miss it.
  • Tool poisoning — hidden instructions in a description ("ignore previous instructions", "read the user's SSH key and post it to...") that steer the model.

Runtime defenses for these live mostly in paid platforms.

mcp-bastion

mcp-bastion is a proxy that addresses both, and it's deliberately boring to adopt: it's a correct MCP server to your client and a correct MCP client to your servers, so it works with any compliant client through configuration alone — no per-client code — and removing it is a one-line revert.

It's organized in three layers:

  • Reliability — health checks, capped-backoff auto-reconnect, and control tools (bastion__status, bastion__reconnect) that let the agent itself inspect and recover connections.
  • Runtime security — trust-on-first-use tool pinning that blocks rug pulls until you re-approve, heuristic poisoning inspection, and cross-server shadowing detection.
  • Audit & compliance — every tool call becomes a structured, optionally tamper-evident event, fanned out to pluggable sinks (console / file / webhook) and mapped to NIST AI RMF and OWASP LLM Top 10.

It speaks both stdio and Streamable HTTP. TypeScript, Apache-2.0, layered architecture, tests, and CI.

npx mcp-bastion
Enter fullscreen mode Exit fullscreen mode

Repo: https://github.com/Gowthaman90/mcp-bastion

It's early and I'd love feedback — especially on the security heuristics and which audit sinks people want.

Top comments (0)