The day my MCP adapter stopped being just plumbing

TL;DR: Remote MCP Adapter started as a usability layer for remote MCP workflows, but recent MCP tool-poisoning research made one thing painfully clear: middleware in the path is also part of the security boundary. In v0.3.0, I added tool-definition pinning, drift detection, metadata sanitization, description minimization, and stricter session binding to reduce what unsafe upstream metadata and session misuse can do. After finishing the core work for Remote MCP Adapter , I did what most of us do after shipping something that finally works: I stepped back and started looking around. I wanted to see how other people were dealing with the same class of problems. Remote MCP is useful, but once the client and server stop sharing a filesystem, things get ugly fast. Uploads become awkward. Generated files become awkward. Anything involving screenshots, PDFs, artifacts, or session-scoped state becomes awkward. That was the original reason I built the adapter in the first place. I wrote more abo