Compile-time vs runtime: where MCP security actually lives

Disclosure: I'm the author of capgate , a compile-time policy compiler for MCP servers. capgate appears as the worked example in the compile-time section. The other three sections describe categories, not specific products. The goal isn't to argue that any one layer is best — it's to give you a way to figure out which layer your team actually needs, so you stop bolting the wrong tool onto the wrong problem. The four layers A tool call through an MCP server passes through, conceptually, four poin