Ilura

What is an MCP gateway?

MCP (Model Context Protocol) is the open standard Anthropic released in late 2024 to connect AI agents with tools. An MCP gateway sits on the agent side of that protocol, routing every tool call through a PolicyEngine, hardening subprocess spawns, and writing each decision to an audit chain. Instead of trusting an MCP server directly, the gateway enforces policy at the application layer.

01 Who is it for?

An MCP gateway becomes important for:

  • Developers using Claude Desktop, Cursor, Cline, or Zed in production. MCP servers there ship in dev configurations that aren't hardened.
  • Anyone running AI on sensitive files. A "read_file" tool must not wander into the wrong directory.
  • Teams taking the 2026 Ox Security advisory seriously. The MCP STDIO transport has an RCE-by-design vulnerability that requires application-layer defense.

02 How does it work?

MCP has two halves: server (provides tools) and client (the agent). A gateway sits on the client side:

  1. Server registration. An MCP server (filesystem, github, postgres, slack, etc.) is registered with the agent — command, transport (Stdio or SSE), permission scope.
  2. Tool inventory. The server publishes its tool manifest ("read_file", "create_pull_request", "send_slack_message"). The agent adds them to its capability pool.
  3. Tool call. When the agent reasons that it needs a tool, the gateway intercepts: is the tool allowed in this pod, are the parameters safe, does this risk level require user approval?
  4. Signed record. The gateway writes the decision, the result, and the duration to the audit chain (SHA-256 + ECDSA). Tomorrow you can trace "what triggered the Stripe refund?" in microseconds.

03 How does Ilura do it?

Ilura runs the gateway layer of MCP as a native desktop application:

  • Both client and server. Ilura exposes its own MCP tools (file_io, network, time_machine) and consumes external MCP servers in the same runtime.
  • spawn_validator. When an MCP server is spawned over stdio, the binary and its arguments pass through an allowlist filter (sh/bash/curl/rm/sudo blocked, -c/-e/--eval flags blocked).
  • TLS for SSE. SSE transport is wrapped with rustls + rcgen self-signed certificates for end-to-end encryption.
  • Approval bridge. Tool calls flow into low (auto), medium (UI confirm), high (UI + reason), or critical (biometric) approval lanes.
  • Cache + circuit breaker. Tool results are cached; three consecutive failures open the circuit breaker for a short cool-down.
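A minimal version of the spawn_validator check described above, as an added example (not Ilura's code): the blocked binaries and flags are exactly the ones the page lists, while the type and function names and the sample commands are assumptions.

```rust
// Added example, not Ilura's implementation. Blocklists are the ones the page
// names; `SpawnDecision` and `validate_spawn` are assumed names.
use std::path::Path;

const BLOCKED_BINARIES: &[&str] = &["sh", "bash", "curl", "rm", "sudo"];
const BLOCKED_FLAGS: &[&str] = &["-c", "-e", "--eval"];

#[derive(Debug, PartialEq)]
pub enum SpawnDecision {
    Allow,
    Deny(String),
}

/// Check a registered server's command and arguments before it is spawned
/// over the stdio transport. Returns `Deny` with a reason on the first hit.
pub fn validate_spawn(command: &str, args: &[&str]) -> SpawnDecision {
    // Compare on the basename so "/bin/sh" and "sh" are treated alike.
    let base = Path::new(command)
        .file_name()
        .and_then(|n| n.to_str())
        .unwrap_or(command);
    if base.is_empty() {
        return SpawnDecision::Deny("empty command".to_string());
    }
    if BLOCKED_BINARIES.contains(&base) {
        return SpawnDecision::Deny(format!("binary '{}' is blocked", base));
    }
    for arg in args {
        // Match both the bare flag ("--eval") and the "--flag=value" form.
        let flag = arg.split('=').next().unwrap_or(arg);
        if BLOCKED_FLAGS.contains(&flag) {
            return SpawnDecision::Deny(format!("argument '{}' is blocked", arg));
        }
    }
    SpawnDecision::Allow
}

fn main() {
    // Constructed sample registrations: one benign, two that the filter rejects.
    println!("{:?}", validate_spawn("filesystem-server", &["--root", "/tmp/docs"]));
    println!("{:?}", validate_spawn("/bin/sh", &["-c", "echo hi"]));
    println!("{:?}", validate_spawn("node", &["--eval=1"]));
}
```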

04 Frequently asked questions

Who maintains MCP?

Anthropic released MCP as an open standard in November 2024. As of 2026, Claude Desktop, Cursor, Windsurf, Cline, Zed, Continue, GitHub Copilot, and many other agent platforms support MCP. SDKs exist for Python, TypeScript, and Rust (rmcp).

How is an MCP gateway different from an MCP server?

An MCP server provides tools (filesystem-server, github-server). A gateway sits on the agent side and supervises calls to multiple servers — policy + audit + retry layered above. The server is a shop; the gateway is the customs gate.

Which MCP servers work with Ilura?

Any server compliant with the MCP protocol — filesystem, github, gitlab, slack, postgres, sqlite, brave-search, fetch, memory, time, plus your own custom servers. Ilura registers them through config.toml or the UI.

What's the difference between stdio and SSE transports?

Stdio: spawns a local subprocess and communicates over stdin/stdout with JSON-RPC. Most common, fastest. SSE: HTTPS-based Server-Sent Events for remote servers. Ilura supports both; stdio is the default.

Was the 2026 Ox Security MCP issue patched?

Anthropic stated this is "by design," so no protocol patch is planned. Mitigation lives in the application layer — Ilura's spawn_validator + binary/arg blocklist + biometric approval closes the gap. Detailed response: our blog post.

Can I run an agent without an MCP gateway?

Technically yes, practically risky. Without a gateway, every tool call hits the file system, network, or OS directly. Fine for low-risk demos; not for production. A zero-trust gateway is the right default.


I'm by your side — Ilura