The way every agent framework handles MCP is a latent security problem

When you configure MCP servers in any agent framework today, they all connect at session init and stay connected for the entire session. If your agent is set up with 12 integrations, all 12 are live from the moment the session starts. Holding connections, processes, and attack surfaces. Even if 9 of them never get called. If you're hosting your own MCP servers, you're paying for all of them 24/7 for no real benefit. The right model is closer to how ephemeral infra works: spin up on tool call, tear down when done. Exposure window is exactly as wide as the operation that opened it. Docker's MCP Gateway actually does something like this at the infra layer, container per call, destroyed after, but that's a deployment concern. The agent runtime still assumes everything is connected and waiting. This is one of the features built in Orloj [0]. MCP servers summoned on demand rather than pre-connected long running processes. Curious whether people running agents in production are actually hitting this, or whether it's being absorbed somewhere in the infra layer without much visibility. [0] https://github.com/OrlojHQ/orloj