The way every agent framework handles MCP is a latent security problem
If your agent is set up with 12 integrations, all 12 are live from the moment the session starts. Holding connections, processes, and attack surfaces. Even if 9 of them never get called.
If you're hosting your own MCP servers, you're paying for all of them 24/7 for no real benefit.
The right model is closer to how ephemeral infra works: spin up on tool call, tear down when done. Exposure window is exactly as wide as the operation that opened it.
Docker's MCP Gateway actually does something like this at the infra layer, container per call, destroyed after, but that's a deployment concern. The agent runtime still assumes everything is connected and waiting.
This is one of the features built in Orloj [0]. MCP servers summoned on demand rather than pre-connected long running processes.
Curious whether people running agents in production are actually hitting this, or whether it's being absorbed somewhere in the infra layer without much visibility.
[0] https://github.com/OrlojHQ/orloj
6 comments
[ 5.2 ms ] story [ 25.2 ms ] threadThere's no real reason that connection needs to stay open the whole time. Feels like overkill.
Read-only stuff is probably fine staying persistent, I guess. Anything that sends or mutates state feels different though.
MCP doesn't really have a way to express that kind of boundary per tool, so the runtime can't do much with it.
Haven't tried Orloj yet but "summoned on demand" sounds closer to what I'd want.
Orloj is a runtime with policies you apply as guardrails to keep agents in check for tools and other limits which all happen at the runtime level. And building out the tooling it just made sense to containerize tools so they can be spun up on demand and stay alive when needed and spin down after.
We use reputation-based admission control in production, agents below a certain trust threshold simply cannot invoke sensitive tools. The hallucinated tool call scenario you described is exactly what this prevents, independent of whether the connection is persistent or on demand.
agentveil.dev if curious.