https://news.ycombinator.com/user?id=axeldunkelHacker News RSShttps://hnrss.org/hnrss v2.1.1Fri, 10 Apr 2026 04:44:08 +0000Interesting that you manually mapped GET→resources and POST→tools. We hit the same pattern with ToolMesh.io so often that we built a declarative format for it — DADL, a YAML file that describes the REST API mapping, and the gateway generates the MCP server at runtime. No code, no deployment per API. The boilerplate of wrapping every REST API into an MCP server is probably the biggest adoption blocker right now.

]]>Thu, 09 Apr 2026 12:27:34 +0000https://news.ycombinator.com/item?id=47702805axeldunkelhttps://news.ycombinator.com/item?id=47702805https://news.ycombinator.com/item?id=47702805The connection lifecycle is one problem, but even with ephemeral connections you still have the authorization gap — MCP has no built-in concept of per-tool, per-user permissions. We ran into this building an MCP aggregator (ToolMesh, Apache 2.0) where 15+ backends connect through a single gateway. Our approach: OpenFGA for fine-grained ReBAC authorization on every tool call, plus an Output Gate that can run e.g. DLP policies before results reach the LLM. The attack surface isn't just about which servers are connected — it's about what each agent is allowed to do with them. https://toolmesh.io

]]>Thu, 09 Apr 2026 09:29:09 +0000https://news.ycombinator.com/item?id=47701268axeldunkelhttps://news.ycombinator.com/item?id=47701268https://news.ycombinator.com/item?id=47701268