The instruction/data trust boundary for MCP: a scanner, an enforcing proxy with action-gating, Ed25519 content signing, a tamper-evident audit ledger, and a prevalence study over ~1,000 real MCP servers. Runs at $0.
The instruction and data boundary for MCP. Agents cannot reliably tell trusted instructions from untrusted data, because a model reads system instructions, user input, and retrieved content as one token stream with no enforced boundary between them. Anything that reaches the context can act like a command. Airlock makes that boundary explicit and enforceable at