The Model Context Protocol (MCP) is an open standard that enables AI models to interact with local and remote resources like databases, filesystems, and APIs through a unified JSON-RPC interface.
WHY THIS EXISTS
Before MCP, every AI model required custom, model-specific integrations to access tools. Each provider (OpenAI, Anthropic, Google) had its own function-calling format. MCP provides a unified JSON-RPC interface that works across any model provider and any tool server — but this universality creates a security problem: any MCP server can request any tool from any model, with no standardized enforcement layer.
PROTOCOL CONTEXT (ARCHITECTURE & SECURITY MODEL)
MCP separates three roles: the Host (the AI application), the Client (the model interface), and the Server (the tool provider). The Host initiates connections to Servers, which expose tools via a JSON-RPC tools/list method. When the model decides to call a tool, the Host forwards the request through the Client to the Server. The protocol does not specify authentication, authorization, or audit — leaving these to implementers. This design choice enables rapid integration but shifts all security responsibility to the Host layer.
Transport Layer
MCP supports stdio (local processes) and HTTP/SSE (remote). Neither transport provides encryption or authentication by default — transport security is the Host's responsibility.
Tool Discovery
Servers advertise capabilities via tools/list. There is no mechanism to validate that a Server's advertised tools match its actual behavior, enabling shadow tool attacks.
Parameter Passing
Tool arguments are passed as raw JSON. The protocol does not validate parameter structure, data categories, or destination constraints before execution.
Result Consumption
Tool results are returned to the model as raw text. There is no content scanning or injection detection — a malicious Server can embed adversarial instructions in results.
ProvnAI Mitigation
McpVanguard inserts a deterministic security proxy between the Host and MCP Servers. It can inspect routed tool discovery, parameter passing, and selected result content without relying on the model to police itself. In typical deployments, this can be added without changing existing MCP servers or models.