Yeah, I hit this. I run an MCP server that talks to a corporate messaging API — if it stays connected the whole session, any hallucinated tool call can fire off messages to an entire org while the agent is doing something unrelated.
There's no real reason that connection needs to stay open the whole time. Feels like overkill.
Read-only stuff is probably fine staying persistent, I guess. Anything that sends or mutates state feels different though.
MCP doesn't really have a way to express that kind of boundary per tool, so the runtime can't do much with it.
Haven't tried Orloj yet but "summoned on demand" sounds closer to what I'd want.
The boundary problem you're describing is also a trust issue, not just a connection lifecycle one. Even with ephemeral connections, you still need to know whether the agent making the call should be allowed to make it at all.
We use reputation-based admission control in production; agents below a certain trust threshold simply cannot invoke sensitive tools. The hallucinated tool call scenario you described is exactly what this prevents, independent of whether the connection is persistent or on demand.
agentveil.dev if curious.
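As an added example that is not part of this thread and not code from Orloj, agentveil.dev or MCP, here is a small client-side gate in Python that models both points above: a per-tool `mutates` flag decides whether a call rides a long-lived session or a session opened and closed around that one call, and a per-agent trust score (the reputation-threshold idea) plus a registry lookup stop low-trust or hallucinated calls before they ever reach the backend. `FakeMessagingBackend`, `ToolSpec`, `AdmissionGate`, the tool names, the agent ids and the trust scores are all constructed for the example; the misspelled tool name stands in for a hallucinated call.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List


class AdmissionDenied(Exception):
    """Raised when policy refuses a call before it reaches the backend."""


class FakeMessagingBackend:
    """Constructed stand-in for a corporate messaging API (not a real client).

    It counts open sessions so a check can confirm that no write-capable
    session is left open once a mutating call has finished.
    """

    def __init__(self) -> None:
        self.sent: List[Dict[str, str]] = []
        self.open_sessions = 0

    def connect(self) -> "FakeMessagingBackend":
        self.open_sessions += 1
        return self

    def close(self) -> None:
        self.open_sessions -= 1

    def list_channels(self) -> List[str]:          # read-only
        return ["#general", "#security"]

    def post(self, channel: str, text: str) -> Dict[str, str]:   # mutates state
        msg = {"channel": channel, "text": text}
        self.sent.append(msg)
        return msg


@dataclass(frozen=True)
class ToolSpec:
    name: str
    mutates: bool                 # sends or changes external state
    min_trust: float              # reputation threshold needed to invoke
    fn: Callable[..., Any]        # receives a connected session first


@dataclass
class AdmissionGate:
    backend: FakeMessagingBackend
    tools: Dict[str, ToolSpec]
    trust: Dict[str, float]       # agent id -> reputation score (hypothetical)
    audit: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # One long-lived session is acceptable for read-only tools.
        self._read_session = self.backend.connect()

    def call(self, agent: str, tool: str, **kwargs: Any) -> Any:
        spec = self.tools.get(tool)
        if spec is None:
            # A hallucinated tool name is rejected at the registry, not the API.
            self.audit.append(f"deny {agent} {tool}: unknown tool")
            raise AdmissionDenied(f"unknown tool {tool!r}")
        score = self.trust.get(agent, 0.0)
        if score < spec.min_trust:
            self.audit.append(f"deny {agent} {tool}: trust {score} < {spec.min_trust}")
            raise AdmissionDenied(f"{agent} below trust threshold for {tool}")
        if not spec.mutates:
            self.audit.append(f"allow {agent} {tool} (persistent session)")
            return spec.fn(self._read_session, **kwargs)
        # Mutating tools get a session that exists only for this one call.
        session = self.backend.connect()
        try:
            self.audit.append(f"allow {agent} {tool} (ephemeral session)")
            return spec.fn(session, **kwargs)
        finally:
            session.close()


def build_gate() -> AdmissionGate:
    backend = FakeMessagingBackend()
    tools = {
        "list_channels": ToolSpec("list_channels", False, 0.2,
                                  lambda s: s.list_channels()),
        "send_message": ToolSpec("send_message", True, 0.8,
                                 lambda s, channel, text: s.post(channel, text)),
    }
    trust = {"trusted-agent": 0.9, "new-agent": 0.3}   # constructed scores
    return AdmissionGate(backend, tools, trust)


def demo() -> Dict[str, Any]:
    gate = build_gate()
    out: Dict[str, Any] = {"denied": []}
    out["channels"] = gate.call("new-agent", "list_channels")
    attempts = [
        ("new-agent", "send_message", {"channel": "#general", "text": "hi all"}),
        ("trusted-agent", "send_messge", {"channel": "#general", "text": "typo"}),
    ]
    for agent, tool, kw in attempts:
        try:
            gate.call(agent, tool, **kw)
        except AdmissionDenied as exc:
            out["denied"].append(str(exc))
    out["posted"] = gate.call("trusted-agent", "send_message",
                              channel="#security", text="ok")
    out["sent"] = list(gate.backend.sent)
    out["open_sessions"] = gate.backend.open_sessions   # only the read session
    out["audit"] = list(gate.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check worth keeping from this is the last two fields of `demo()`: after the mutating call completes, `open_sessions` is back to one (the read-only session), so a stray tool call between real work has no write-capable session to ride on, and every allow or deny decision is in `audit` with the reason.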