The authorization gap you're describing is real, but I think there's a layer missing even before the gateway: the MCP server itself. If the tool schema is compromised or the server is a trojanized fork (there's an active thread about this today), a gateway that enforces policy on tool calls is still trusting the server's self-reported tool definitions.
Provenance at the server level (knowing the binary you're running was signed by the original author) seems like a necessary complement to runtime authorization. Has Permit thought about integrating with any signing or attestation layer, or is the assumption that server integrity is out of scope?