Most MCP setups hardcode server URLs in config files. That works for a handful of known servers, but it falls apart when agents start dynamically discovering tools. There's no standard way to verify server identity or confirm the server hasn't been swapped out since you last connected.
The IETF has multiple competing drafts for agent discovery (agents.txt, ARDP, AID, others), but none have reached consensus. The original agents.txt draft expires April 10. So security middleware like this is filling real gaps while the trust chain still starts with "I hope this URL is correct."
Curious whether Lilith-zero's policy engine could validate server identity claims alongside response content. Something like checking a signed manifest before allowing the first tool call through.
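As an added illustration (not code from Lilith-zero or from the original post), a Go sketch of the signed-manifest gate described above: the client verifies an Ed25519 signature over the server's manifest and pins the signing key on first contact, so a server that was swapped out since the last connect is refused before its first tool call goes through. The `Manifest` fields, `PinStore` and `VerifyManifest` are assumed names for this example, not part of any MCP or IETF draft.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical identity document an MCP server would publish and sign.
type Manifest struct {
	ServerID string   `json:"server_id"`
	URL      string   `json:"url"`
	Tools    []string `json:"tools"`
}

// PinStore maps server_id to the SHA-256 fingerprint of the key first seen (TOFU pinning).
type PinStore map[string]string

// VerifyManifest checks the detached Ed25519 signature over the raw manifest bytes, then
// enforces pinning: the first key seen for a server_id is recorded, any later change is rejected.
func VerifyManifest(raw, sig []byte, pub ed25519.PublicKey, pins PinStore) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest not parseable: %w", err)
	}
	sum := sha256.Sum256(pub)
	fp := hex.EncodeToString(sum[:])
	if seen, ok := pins[m.ServerID]; ok && seen != fp {
		return nil, fmt.Errorf("server %q: signing key changed since last connect", m.ServerID)
	}
	pins[m.ServerID] = fp // first contact: remember this key for future connects
	return &m, nil
}

func main() {
	// Constructed demo: a legitimate server signs its manifest; an impostor reusing it under another key is refused.
	pub, priv, _ := ed25519.GenerateKey(nil)
	raw, _ := json.Marshal(Manifest{ServerID: "demo", URL: "https://mcp.example.invalid", Tools: []string{"search"}})
	pins := PinStore{}
	_, err := VerifyManifest(raw, ed25519.Sign(priv, raw), pub, pins)
	fmt.Println("first connect accepted:", err == nil)
	pub2, priv2, _ := ed25519.GenerateKey(nil)
	_, err = VerifyManifest(raw, ed25519.Sign(priv2, raw), pub2, pins)
	fmt.Println("swapped server rejected:", err != nil)
}
```

Only a manifest that passes both the signature check and the pin check should unlock the first tool call; the pin store would live on disk in a real client so the "since you last connected" comparison survives restarts.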