Compile-time vs runtime: where MCP security actually lives

DEV Community·Razu Kc·21 days ago
#mcp #security #sandbox #ai #server #layer

Disclosure: I'm the author of capgate, a compile-time policy compiler for MCP servers. capgate appears as the worked example in the compile-time section. The other three sections describe categories, not specific products.

The goal isn't to argue that any one layer is best — it's to give you a way to figure out which layer your team actually needs, so you stop bolting the wrong tool onto the wrong problem.

The four layers

A tool call through an MCP server passes through, conceptually, four points where security work can happen:

    manifest → [1] compile-time policy → [2] sandbox runtime → [3] tool invocation → [4] decision log
                   emission                  inspection            gateway / auth        signed receipts

Each of these is its own discipline with its own tooling and its own people who care deeply about it. Lumping them together as "MCP security" is what causes teams to evaluate one tool for a problem it doesn't solve.

1. Compile-time policy emission

What it does.…
