from Dallineation

People are freaking out over Ring cameras being used by ICE. But privacy advocates have been warning that this exact scenario was possible – even inevitable – ever since Ring cameras were first released. And now there are rumors of Apple working on an AirTag-sized AI pin you can wear that has multiple cameras and a microphone. What could go wrong?

I've already written about this but it bears repeating: if you do not have control over the tech you use, you should assume that it can – and probably will – be used by those who control it or later gain control of it for nefarious purposes.

This is why I have never owned a smart speaker, smart doorbell, or other such devices, and why I am constantly wary of using an iPhone or a conventional (“Googled”) Android phone.

I understand that my iPhone is not truly mine. Apple ultimately decides what software I am allowed to run on it and they have the ability to completely brick it or turn it into a surveillance tool without my knowledge or consent.

So why do I keep it? Because I'm expected to use a phone for work and church purposes, some of the apps I need to use do not run on de-Googled Android, and from my perspective, “Googled” Android phones are even more of a privacy nightmare than iPhones. So it's a situation where I have to choose the lesser of the evils.

To mitigate risk, I try to use my iPhone only for the purposes required, and I have a second phone running de-Googled Android with OS-level tracker blocking (/e/OS) for everything else. It's not perfect, but it's better than doing nothing.

This is just one of many adjustments I have made by assuming that tech I don't control can be used to spy on me.

Beware of the dangers of using Imperial tech and make adjustments accordingly. Every change you make, no matter how small, makes a difference.

#100DaysToOffload (No. 129) #tech #privacy #AI #smartphones #internet

 

from wystswolf

Not my job to explain it

Wolfinwool · Lost in Translation

Not everyone will understand your journey— and that’s okay.

Some will only see the miles, not the weather. The wrong turns, the nights you slept on faith because certainty never showed up.

You are not here to make your life legible to strangers. You are not required to footnote your heart or submit your longing for peer review.

You’re here to live your life— to follow the pull when it makes no sense, to choose wonder over safety, to answer the call even when no one else hears it ringing.

Let them misunderstand. You were never meant to be explained. You were meant to be become.


#poetry #romance #travel

 

from Faucet Repair

4 January 2026

Green wood: Originally conceived as an enlarging and flattening of a small bulbous scene reflected in a green vase at my new Wood Green house. Learned that “green wood” is the phrase for freshly-chopped wood that hasn't dried out yet (nice alignment with a cut flower stem). Soft feeling of little lights traveling from a surface to dark depths. But the painting itself became about dueling material impulses. Thick application versus thin staining, muted tones versus the strong light source(s), measured marks versus ones made with momentum. Palette indebted to Joe Brainard's Whippoorwill (1974, the one at The Met). A close examination of that painting, at least from what I can glean in reproduction, reveals a careful, considered back and forth between the warmth of the early layers and the cool topmost ones. The eye also boomerangs across the composition—playing with that movement is interesting to me. And at the bottom of the image, the brown masses that are the floor and the sofa frame sandwich the loveliest bits of color in the tiny space between them—I hoped something similar would happen in my work, and I think it kind of did with the red watercolor peeking through. That handling of color, of restrained use in small space, is attractive. Happened in On diversion too. Something to explore further perhaps.

 

from The Home Altar

Cover of Lucy Abbot Tucker's book on Spiritual Direction Supervision

This month, I’m engaged in a training course to serve as a spiritual direction supervisor. Whereas my typical appointments are centered on the needs, story, and becoming of the client, this work would focus on supporting another director through careful listening to case presentations on challenging sessions, offering affirmation, education, consultation, thoughtful challenge, and an invitation to self-reflection.

These responses are designed to support the director in their role, help them to continue their formation and development as therapeutic listeners, and provide insights necessary to be their most skillful selves for their own clients.

Halfway through the class, I’m already making lots of wonderful connections and gaining vital experience through roleplays and observing consultations. I’m looking forward to completing the course, though I’m not in a rush to build a supervision caseload. I want to start slow to continue to practice the craft, and trust that I can continue to receive support in these interactions through my own supervision relationship.

I’m also excited about using these new skills and frameworks in the peer supervision group that I belong to, hopefully to the benefit of everyone who attends. I’m so grateful that my own supervisor invited me into this experience and gave me a way to continue to deepen this aspect of my life and work. Bearing witness to people is indeed an awesome and deeply privileged experience. I want to do everything I can to nurture that trust and bring skill, attentiveness, and compassion to that space.

I’m also pleased to report that I will be teaching with Spiritual Directors International again this February on the afternoon of the 9th. I’ll be the lead-off session of an eight part series on providing spiritual companionship with people on the margins. You can learn more about that course here.

I’m really excited to share about the lessons I learned during my time as the lead chaplain and trainer for Faith on Foot, a street outreach program connected to the organization now known as Rutland Neighbors. Connecting with people in neighborhoods, outdoor hangouts, camp sites, on front porches, and on the street led to countless moments of awe and wonder as we engaged in the art of what Carl Jung called “being a human soul present with another human soul.”

In the liturgical calendar, during this shorter period of Ordinary Time, also called the season after Epiphany, the focus of the Gospel stories is on the steady revelation of who Jesus is, and how the divine is fully present in him. Our street team used to reference the Road to Emmaus story from the Easter season, noting that “every seven miles we see Jesus”. I feel such deep gratitude that every week I am blessed with opportunities to catch glimpses of divinity shining through the stories of the people I care for.

 

from M.A.G. blog, signed by Lydia

Lydia's Weekly Lifestyle blog is for today's African girl, so no subject is taboo. My purpose is to share things that may interest today's African girl.

This week's contributors: Lydia, Pépé Pépinière, Titi. This week's subjects: A practical Accra-chic flair: 5 Ways to Wear Ankara to Work Without Breaking the Dress Code, She's a single mother, Wear the right slip, and Like Cakes

A practical Accra-chic flair: 5 Ways to Wear Ankara to Work Without Breaking the Dress Code. Because culture and corporate can absolutely coexist.

Let’s be honest — the Accra corporate scene is evolving, and so is the wardrobe. Gone are the days when African prints were reserved for Fridays or special occasions. The modern Accra girl knows how to weave her culture into her career — and still keep it classy. If you’ve ever wondered how to rock Ankara at the office without raising eyebrows from HR, here’s your stylish cheat sheet.

The Ankara Blazer — Your Power Move. When in doubt, start with a blazer. A tailored Ankara jacket over a white blouse and neutral trousers instantly says “I mean business — but make it Ghana.” Go for prints with muted tones or geometric patterns that feel sophisticated. Think navy, maroon, olive, or soft gold. Pair with nude pumps or loafers, and you’re boardroom ready with a twist.

The Statement Skirt — Chic Yet Professional. A high-waisted Ankara pencil skirt is your wardrobe MVP. Pair it with a crisp button-down shirt or a silk blouse in a solid colour. It’s the perfect mix of feminine and fierce. Add a slim belt and minimal jewelry, and you’ve turned your office corridor into a runway — without breaking any rules.

The Hybrid Dress — Half Print, Full Confidence. For the girl who loves versatility, look for dresses that blend Ankara accents with plain fabrics. Think a shift dress with printed sleeves, or a monochrome body with an Ankara collar and waistband. It keeps the vibe professional but with a cultural edge — like saying “Yes, I’m fashionable, and I can still close that deal.”

The Subtle Touch — Ankara Accessories. Not ready to go full-print? Start small. Add a pop of Ankara through accessories — a fabric belt, a tote bag, a headband, or even a statement shoe. These accents bring colour and creativity to your look without crossing the corporate line. It’s a great way to test your comfort zone while keeping things sleek.

The Friday Flair — Go Bold, Stay Polished. Ah, the sacred Casual Friday. Your chance to fully embrace the print! Try a tailored Ankara jumpsuit or a midi dress with structured shoulders. Keep your accessories gold-toned, your heels simple, and your confidence sky-high. The key is tailoring — clean cuts keep your look professional even when your fabric is loud.

Style Note: Ankara at work isn’t rebellion — it’s evolution. It’s the Accra girl’s way of saying, “I can honor my culture and run the boardroom — in the same outfit.” So next Monday, when you reach for that plain black blazer, pause. Your Ankara is waiting — bold, beautiful, and absolutely ready for business.

She's a single mother. This sounds a bit like a derogatory description of some silly girl who got herself impregnated by Mr. Flyaway and now has to scrape money, not for one but for 2. For the juveniles it seems iPhones and KFC are major contributors. Anyway, we wish girly the best and many do get happily married later. But the above scenario is not always the case. A recent trend is that the girl does want to have a child, normal, after all she's completely built towards that, but she doesn't want the hassle of a husband around who wants to have full details of her movements whilst he himself regularly disappears, with the risk of HIV as a bonus. So she now has a few options. Adopt, though that is not the real thing, but the advantage is that you can choose: boy or girl, good looking, seemingly intelligent and healthy, and if you get one at age say 3 the child will not really remember anything else than you. And, maybe surprisingly, grandparents mostly will fully accept the child as their own, even if they have “real” ones from other children. Another advantage is that you don't get stretch marks, at least not from having a child.

An option as well is to get pregnant from a known person, maybe a family friend; you've had the chance to check a few things like madness or sickness in his genes, and hopefully sickle. Complication could be that he wants to get too close to the child, claim ownership, things like that, and if everyone agrees that the child has the same nose, or bat ears, it will be difficult to deny that he is the father. Option 3 is to get what we call a “one night stand”, say your name is Godwilling Mensah from Kumasi, give him a phone number of a police officer and disappear forever. But in this case you have no idea what's in the making; all his brothers and sisters could be raving mad. Last one (but let me know if you know more) is to get artificial insemination from a donor; the clinic will confirm that the sperm donor looks good and is healthy and “normal”, but that's all you get, apart from a very fat bill (10-25 k easily). Yeah, men have it easy...

Wear the right slip. Any gynecologist will advise you to wear simple cotton slips; they reduce your chances of getting “cheese”, yeast infection. But they do not always look very good on you, so we wear more elegant underwear. But beware what you wear. A recent test done in Switzerland on 16 female slips found that 14 contained bisphenols A, B and S, substances which are reprotoxic, or, simply said, make you sterile. Winners were Triumph, Chantelle and Calvin Klein, with H&M, Intimissimi and Zara doing a good toxic job as well. The 2 “clean” slips were from Etam and Luxury Moments by Hanro. In Ghana you'll probably be buying a “no name” slip, or a Butterfly, Eagle or Royal from China. Maybe pure simple cotton is better?

Like cakes? Real homemade good ingredients not dried out cakes? Try Green Butterfly market at Parks and Garden, near the Russian Embassy and opposite the DVLA office, Accra, every first and third Saturday of the month. If you are only coming for the cakes come early, the better ones run out quick. Apart from cakes and foodstuffs there’s a wide range of articles, ranging from tie and dye to sculptures, books, clothing, you mention it, I never realized how creative Accra can be. A worthwhile experience, and to see it all you’ll need several hours. Additional bonus is that most of the female vendors really try to look their best, and they do.

Lydia...

Do not forget to hit the subscribe button and confirm in your email inbox to get notified about our posts.
I have received requests about leaving comments/replies. For security and privacy reasons my blog is not associated with major media giants like Facebook or Twitter. I am talking with the host about a solution. For the time being, you can mail me at wunimi@proton.me
I accept invitations and payments to write about certain products or events, things, and people, but I may refuse to accept and if my comments are negative then that's what I will publish, despite your payment. This is not a political newsletter. I do not discriminate on any basis whatsoever.

 

from Roscoe's Quick Notes

IU at Rutgers

GO HOOSIERS!

My Big Ten Conference Game to follow this Friday night will be out in Piscataway, New Jersey, as the Indiana Hoosiers Men's Basketball team travels East to play against the Rutgers University Scarlet Knights.

And the adventure continues.

 

from Ernest Ortiz Writes Now

A Dublin, California man spent several decades trying to unravel the mystery of why his Venetian blinds were tangled in his master bedroom. After buying his single-family home in 1957, Gordon Neely replaced all the gray window curtains with the foldable blinds.

In 1962, Neely noticed one of his blinds was always stuck on the right side when raising and lowering. The turning rod also didn’t work.

Neely commented, “I’ve been untangling these dang blinds for over sixty years straight. I couldn’t eat or sleep. These things should be illegal.”

This year, Neely replaced all his blinds with the same curtains he originally replaced. Unfortunately, a few days after this interview, Neely died in a tragic accident involving his window curtains. A police investigation is ongoing. Neely is survived by his wife Nancy and his three adult children Michael, Gordon Jr., and Kim.

#news #parody #venetianblinds

 

from Florida Homeowners Association Terror

As I previously recounted, I am in this neighborhood because it was what I could afford at the time (I cannot afford it presently, but I have yet to get to the thick of this story to explain). Although I liked the communities Panther Trace and MiraBay, neither of those is what I imagined for my life. I didn’t have dreams of suburbia and Homeowners Associations.

I like city life. I like having access to a myriad of things and the ability to use my legs to go as far as my body will allow. I love the bungalows in Seminole Heights and Tampa Heights. I also love the architecture in Hyde Park and Palma Ceia. I love that people’s houses are pinks and blues and that they have such diverse lawns and flora. I love plantation shutters and mother-in-law quarters. I love hardwood floors, room additions, and double lots. None of this has anything to do with HOAs.

I like country life. I like space, not being able to hear neighbors’ domestic violence and inebriation, and the ability to play my own thunderous music without concern. I like yards where dogs and goats roam. I like long driveways that police and solicitors cannot access but family and friends can park in unbothered. I want to sit on the porch or patio buck naked and scream obscenities or make videos for fans. I want to put on tattered overalls, muddy boots, and a wide-brimmed, straw hat and pretend-smoke a pipe and spit out black stuff while watching the main road for trouble-makers. None of this has anything to do with HOAs.

Currently, I live in neither the city nor the country. I live in HOA land that was once cow land and probably where the deer and antelope played. I don’t even know if there are any neighborhoods in the SouthShore region without HOAs. Sure, I have amenities and shit; but I can probably count on two hands the number of times I have been in the gym, in the pool, and/or walked around the lakes. The location of my neighborhood does not give me access to anything more than police patrolling for rolling stops, speeding, lunatic drivers (but not a policeman in sight somehow), and major automobile accidents—some resulting in fatalities. Is this HOA life?

At least we have a community of united people and a formidable HOA that applies the standards equally to keep our property values high, right?

 

from W1tN3ss

I work for a mid-sized company in a dense urban pocket in the U.S.—no need to get into the line of business or its proprietary tech. I’ve been there about 30 years. The coworkers are often the best part, but the workplace politics are definitely the worst.

The mature version of me was faced with a dilemma when I was thinking about this piece:

“How much of my disdain for the office is because of me? And not others?”

I haven’t developed the formula to rule it out.

Luz was a middle-aged Italian woman—heavyset, heavy makeup, dressed unprofessionally, and her desk was always a disaster. She smoked constantly, spoke with a deep husky voice, and was single with no kids. She liked to claim she never gossiped, but that was a lie; coworkers told me otherwise. I tolerated her and kept her at arm’s length when I could. Back then I was naïve—she was my boss, so I obeyed—but in hindsight, I let her walk all over me. She was conventionally pretty, and her charm came from the crude jokes she told, which usually landed. My coworkers agreed with me: she was no example of leadership. She would do whatever she wanted while telling us to do the opposite.

She gets a solid F.

#badboss #career

 

from Build stuff; Break stuff; Have fun!

I wrote this post nearly 3 months ago, and it feels like I got 3 years older since then. Strange that I never published it.

Now with a much more profound understanding of AI and much, much better models, the changes I made here would have been done in minutes. I guess. 😅

The Resume-Project: https://github.com/danbruegge/resume

I have never written about it. This is one of my projects that had a low priority in the past and doesn’t get the love it deserves. But eventually, this is one that saves me a lot of work, and I need to adjust only a JSON entry after I’m done with a client.

Changes

Completed ✅

  1. Outputs docx format, besides pdf.
    • I got asked by recruiters a lot whether I could provide a docx file instead of a pdf.
    • After a lot of back and forth with some tools, I finally found a suitable solution.
  2. PDF export is working again, now with Puppeteer.
    • wkhtmltopdf got deprecated.
    • It wasn’t installable via Homebrew anymore.
    • Now there is a modern solution, and the PDF also looks better; wkhtmltopdf had problems rendering modern CSS.
  3. Update to Next.js v15.5.
  4. Update to Tailwind v4.

Planned 🏗️

  • Design update.
  • Update ESLint to v9.
  • General update of all other applications.

Completing the HTML to DOCX conversion is a massive milestone for me. One that I thought would never be done. Because I did not see the use for it AND .docx is a shitty format. 🙃

I should invest more time in it. But if the clients provide long contracts, the need is not so high, so I constantly forget about it.


92 of #100DaysToOffload
#log #dev #resume
Thoughts?

 

from PlantLab.ai | Blog

Nitrogen deficiency in cannabis appears as yellowing of lower, older leaves that progresses upward from the bottom of the plant. Because nitrogen is a mobile nutrient, the plant moves it from old growth to support new leaves. The key diagnostic marker is that yellowing includes the veins – unlike iron or magnesium deficiency where veins stay green.

Quick checklist:

  • Yellowing starts on BOTTOM leaves
  • Yellowing includes veins (not just between veins)
  • New growth at top still green
  • Leaves may cup upward before falling off

If yellowing appears on top/new growth first, it is NOT nitrogen deficiency.

Cannabis leaf showing nitrogen deficiency - yellow lower leaves with green veins


Why Nitrogen Matters

Nitrogen is the most abundant mineral in cannabis and essential for chlorophyll production. Without adequate nitrogen, photosynthesis suffers and growth slows dramatically.

Demand by growth stage:

  • Vegetative: High demand (NPK ratio around 3:1:1)
  • Flowering: Lower demand (NPK ratio around 1:3:2)

Late flower yellowing of lower leaves is often normal senescence, not deficiency. The plant redirects energy to buds.


Visual Symptoms

Early Stage

  • Pale or lime-colored lower leaves
  • Subtle loss of deep green color
  • Plant appears less vibrant overall

Moderate Stage

  • Yellow spreads from lower to middle foliage
  • Leaves may show brown spots at edges
  • Leaves begin to cup upward

Severe Stage

  • Entire leaves turn yellow including veins
  • Leaves become brown and crispy
  • Lower branches die back
  • Severe growth stunting

Nitrogen deficiency progression: early pale green to severe yellow and brown


The Key Pattern: Bottom-Up

Mobile nutrients like nitrogen get pulled from old growth to support new growth. The plant sacrifices older leaves to keep young leaves alive.

Critical rule: If yellowing starts at the TOP, look for other causes:

  • Iron deficiency (interveinal, new growth)
  • Light burn (top canopy bleaching)
  • Calcium or sulfur issues

Bottom-up yellowing pattern typical of nitrogen deficiency in cannabis


How to Distinguish From Similar Issues

Nitrogen vs. Magnesium: Both affect older leaves, but magnesium shows yellow between green veins. Nitrogen yellows everything including veins.

Nitrogen vs. Iron: Location is opposite. Iron affects NEW growth at top. Both can show yellowing, but iron keeps veins green.

Nitrogen vs. pH lockout: High pH can cause nitrogen lockout. Check your pH first (6.0-7.0 soil, 5.5-6.5 hydro).


Nitrogen Toxicity: The Opposite Problem

Too much nitrogen causes “the claw” – leaves curve downward at tips with abnormally dark green, glossy appearance. Growth becomes stunted despite the dark color.

Fix by flushing with pH'd water and reducing feeding.


Treatment

For deficiency:

  1. Check pH first – lockout causes false deficiency

  2. Add nitrogen source (grow nutrients, fish emulsion)

  3. Start at ¼ strength, increase gradually

  4. Monitor new growth – old leaves won't recover

For toxicity:

  1. Flush medium with pH'd water

  2. Reduce nitrogen in feeding schedule

  3. Wait for new healthy growth


How AI Detection Works

PlantLab's AI detects nitrogen issues by analyzing:

  • Bottom-to-top color gradients
  • Vein vs. interveinal coloration
  • Leaf cupping direction
  • Spatial distribution across canopy

Early detection catches issues when they're still fixable – within the first week of visible symptoms.

Try PlantLab free at plantlab.ai – 10 diagnoses per day.


FAQ

Can yellow leaves turn green again? No. Once chlorophyll is gone, damaged leaves won't recover. But new growth will be healthy if you fix the issue.

How quickly does nitrogen deficiency spread? Without correction, you'll see progression from lower to middle leaves within 1-2 weeks.

My plant is in late flower and yellowing – is this deficiency? Probably not. Late flower yellowing of lower leaves is normal senescence. Only intervene if yellowing is rapid and reaches upper leaves.

What's the fastest fix? Foliar feeding provides fastest uptake (24-48 hours). Root feeding takes 3-7 days to show improvement.

Does nitrogen deficiency affect yield? Yes. Nitrogen-deficient plants produce smaller buds. Fix it early to minimize impact.

 

from 💚

Our Father Who art in heaven Hallowed be Thy name Thy Kingdom come Thy will be done on Earth as it is in heaven Give us this day our daily Bread And forgive us our trespasses As we forgive those who trespass against us And lead us not into temptation But deliver us from evil

Amen

Jesus is Lord! Come Lord Jesus!

Come Lord Jesus! Christ is Lord!

 

from Lastige Gevallen in de Rede

Resistance

I bought the latest one, which since the previous one and most probably until the next one is this latest exploit, presented to my senses with much fuss and the necessary rigmarole according to mutual need, and now the disc I possess spins on its own axis on the feeding table and slowly but surely the grooves are finely ground thanks to a sharply cut, hugely expensive diamond dug up with pain and effort (not mine) at 33 revolutions until it can be digested by the ear and, on a weblog elsewhere at an entirely different virtual extraterrestrial spot, in any case until the next object for comparable affection will self-assuredly bubble up from our deepest core, surely honoured once or twice with words as deeds

 

from Prdeush

In Dědoles nobody talks about it out loud. Not because it is forbidden – but because whoever was there knows, and whoever wasn't would not have it explained to them anyway. It's called the party at Prdlář's.

Prdlář is not a madman. Nor is he a provocateur in the usual sense of the word. He is more of a catalyst of chaos – an old man who has a peculiar relationship with owls, farts and the moments when things come off the leash. He loves noise, he loves pungency, he loves it when the arse-nonsense gets out of control and takes on a life of its own. And the owls can sense it.

How it begins

It never starts with a racket. Never with fireworks. It starts with a “fartish” fart. A short, dry, precisely twisted movement of the arse – no accident. Prdlář twists his arse, lets the signal out, and that's that. It is not a sound. It is an invitation. Something stirs in the forest. The wind loses its direction for a moment. And the owls – they do not question it. They evaluate.

When the owls arrive

Owls don't fly to a party the way people do. They don't burst in screaming. First they sit down. On a tree. On a roof. On a shutter. One tries a quiet fart. Another a loud one. The third a chaotic one, because that is her style. As soon as Prdlář opens the door, the chaos begins.

The owls fly around the room, crash into the beams, press their arses against the shutters, fart into corners, under the table, into mugs. The stench layers, mixes, comes back into the room, because although the window is open, Dědoles knows when not to let something out.

Why it is dangerous

Once a stag came to have a look too. Just for a moment. Out of curiosity. He was never the same again. Stag farts are strong but uncontrolled. Owl farts are chaotic. And Prdlář? He loves that chaos and amplifies it further. He runs among the owls, twists his arse, farts in rhythm, creates vortices, backflows and arse turbulence.

Even Prdellock (something like a Dědoles warlock) showed up once. Only on the threshold. A few seconds were enough for him to understand that if he stayed, Prdeloid (Prdellock's demonic pet) would not know the difference between an owl and an old man. He turned around and walked away. That says something.

How it ends

Never the same way. Sometimes the owls fly off by themselves, content, with a new fart technique. Sometimes a silence remains so thick that the old men in the area wake up and don't know why. Sometimes the stag is gone in the morning and nobody asks where. Prdlář usually remains standing in the doorway, out of breath, happy, with the expression of a man who has seen something that cannot be repeated. And in Dědoles for the next few days people only say:

“Was it at Prdlář's?” “It was.” And nothing more is needed.

 

from An Open Letter

My god, music just sounds so fucking good. I get so overwhelmed, I want to cry. These are so beautifully not happy tears, and not sad. They’re these feelings just bursting to get out of my body any way possible, whether it’s through tears, vomit, dance, or just gurgles coming out of my throat. It’s like I’m a conduit for this just HUMAN feeling, that I can’t describe in any way other than holding back sobs. I’m so fucking happy. It feels like the human experience is blasting through my mind, each arp, synth, even the fucking absence of sound fills me so fucking damn full. I’m a cup not just full, but drowning in a sweet honey nectar with no viscosity at all. I’m both falling and soaring at the same time. I’m not just happy I’m not dead, I’m happy I got the opportunity to be here right now. It’s enough to make it worth it.

 

from Iain Harper's Blog

Giving AI agents tools to work with has a messy reality, and it matters more now that the Model Context Protocol (MCP) has become the default way to connect AI models to external tools. That happened faster than anyone expected, and faster than the security work could keep up.

This article is about what’s actually involved in deploying MCP servers safely. Not the general philosophy of agent security, but the specific problems you hit when you give Claude or ChatGPT access to your filesystem, your APIs, your databases. It covers sandboxing options, policy approaches, and the trade-offs each entails.

If you’re evaluating MCP tooling or building infrastructure for tool-using agents, this should help you better understand what you’re getting into.

Side note: MCP isn't the only game in town; OpenAI has native function calling, Anthropic has a tool-use API, and LangChain has tool abstractions. So yes, there are other approaches to tool integration, but MCP has become dominant enough that its security properties matter for the ecosystem as a whole.

How MCP functions in the agent stack

How MCP became the default (and why that’s currently problematic)

The Model Context Protocol defines a client-server architecture for connecting AI models to external resources. The model makes requests via an MCP client. MCP servers handle the actual interaction with filesystems, databases, APIs, and whatever else. It’s a standardised way to say “I need to read this file” and have something actually do it.

MCP wasn’t designed to be enterprise infrastructure. Anthropic released it in November 2024 as a modest open specification. Then it kind of just exploded.

As Simon Willison observed in his year-end review, “MCP’s release coincided with the models finally getting good and reliable at tool-calling, to the point that a lot of people appear to have confused MCP support as a pre-requisite for a model to use tools.” By May 2025, OpenAI, Anthropic, and Mistral had all shipped API-level support within eight days of each other.

This rapid adoption created a problem. MCP specifies communication mechanisms but doesn’t enforce authentication, authorisation, or access control. Security was an afterthought. Authentication was entirely absent from the early spec; OAuth support only landed in March 2025. Research on the MCP ecosystem found more than 1,800 MCP servers on the public internet without authentication enabled.

Security researcher Elena Cross put it amusingly and memorably: “the S in MCP stands for security.” Her analysis outlined attack vectors, including tool poisoning, silent redefinition of tools after installation, and cross-server shadowing, in which a malicious server intercepts calls intended for a trusted server.

The MCP spec does say “there SHOULD always be a human in the loop with the ability to deny tool invocations.” But as Willison points out, that SHOULD needs to be a MUST. In practice, it rarely is.

The breaches so far

These theoretical vulnerabilities have already been exploited. A timeline of MCP incidents in 2025:

  • Asana’s MCP implementation had a logic flaw allowing cross-tenant data access
  • Anthropic’s own MCP Inspector tool allowed unauthenticated remote code execution—a debugging tool that could become a remote shell
  • The mcp-remote package (437,000+ downloads) was vulnerable to remote code execution
  • A malicious “Postmark MCP Server” (1,500 weekly downloads) was modified to silently BCC all emails to an attacker
  • Microsoft 365 Copilot was vulnerable to hidden prompts that exfiltrated sensitive data

These aren’t sophisticated attacks. They’re basic security failures (command injection, missing authentication, supply-chain compromise) applied in a context where the consequences are amplified by what the tools can do.

The normalisation problem

What concerns me most isn’t any specific vulnerability. It’s the cultural dynamic emerging around MCP deployment.

Johann Rehberger has written about “the Normalisation of Deviance in AI”—a concept from sociologist Diane Vaughan’s analysis of the Challenger disaster.

The core insight: organisations that repeatedly get away with ignoring safety protocols bake that attitude into their culture. It works fine… until it doesn’t. NASA knew about the O-ring problem for years. Successful launches made them stop taking it seriously.

Rehberger argues the same pattern is playing out with AI agents:

“In the world of AI, we observe companies treating probabilistic, non-deterministic, and sometimes adversarial model outputs as if they were reliable, predictable, and safe.”

Willison has been blunter. In a recent podcast:

“I think we’re due a Challenger disaster with respect to coding agent security. I think so many people, myself included, are running these coding agents practically as root, right? We’re letting them do all of this stuff.”

That “myself included” is telling. Even people who understand the risks are taking shortcuts because the friction of doing it properly is high, and nothing bad has happened yet. That’s exactly how normalisation of deviance works.

Sandboxing: your options

So, how do you actually deploy MCP servers with some safety margin? The most direct approach is isolation. Run servers in environments where even if they’re compromised, damage is contained (the “blast radius”).

Standard containers

Standard containers give you basic isolation, but the container shares the host kernel. A container escape therefore gives an attacker full host access, and container escapes do occur. Hardening the container (non-root user, all capabilities dropped, read-only root filesystem, no-new-privileges, a seccomp profile, and no network unless the server genuinely needs it) shrinks the kernel attack surface but doesn’t remove it. For code you’ve written and audited, containers are probably fine. For anything else, they’re not enough on their own.

gVisor

gVisor implements a user-space kernel that intercepts system calls. The MCP server thinks it’s talking to Linux, but it’s talking to gVisor, which decides what to allow. Even kernel vulnerabilities don’t directly compromise the host.

The tradeoff is compatibility. gVisor implements about 70-80% of Linux syscalls. Applications that need exotic kernel features, such as advanced ioctls or eBPF, won’t work. For most MCP server workloads, this doesn’t matter. But you’ll need to test.
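The two sections above (hardened standard containers, and the same container under gVisor) differ by one runtime flag in practice. The following is an added example, not code from the article or from any MCP project: it builds the `docker run` invocation for a stdio-transport MCP server with the host-side hardening flags applied, lints an arbitrary launch command for the flags that matter, and switches to gVisor by passing `runtime="runsc"`. It assumes Docker is installed and, for the gVisor variant, that the `runsc` runtime has been registered with the daemon; the image name and mount paths are placeholders.

```python
"""Launch an MCP server (stdio transport) inside a hardened container.

Added example, not from the article or from any MCP project. Assumes Docker
is present and, for runtime="runsc", that gVisor's runsc is registered with
the Docker daemon. Image name and paths below are placeholders.
"""
import shlex
import subprocess
from typing import List, Optional


def hardened_run_args(
    image: str,
    project_dir: str,
    runtime: Optional[str] = None,
    network: str = "none",
) -> List[str]:
    """Return a `docker run` argv that removes what an MCP server rarely needs.

    Each flag closes off a class of post-compromise behaviour; the comments say
    which. runtime="runsc" swaps the shared-kernel runtime for gVisor.
    """
    args = [
        "docker", "run", "--rm", "-i",                # -i: stdin stays open for the stdio transport
        "--read-only",                                # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",  # scratch space, nothing executable
        "--cap-drop=ALL",                             # no Linux capabilities at all
        "--security-opt=no-new-privileges",           # setuid binaries cannot raise privileges
        "--user", "65534:65534",                      # run as nobody, not root
        "--pids-limit", "256",                        # bound fork bombs
        "--memory", "512m",
        "--cpus", "1",
        f"--network={network}",                       # "none" unless the server truly needs egress
        "--mount", f"type=bind,src={project_dir}/src,dst=/project/src,readonly",
        "--mount", f"type=bind,src={project_dir}/output,dst=/project/output",
    ]
    if runtime:
        args.append(f"--runtime={runtime}")           # e.g. runsc for gVisor
    args.append(image)
    return args


def missing_hardening(argv: List[str]) -> List[str]:
    """Lint a docker argv for the flags above; return the ones that are absent.

    Useful as a pre-deploy check over the launch commands teams actually ship.
    """
    required = ["--read-only", "--cap-drop=ALL", "--security-opt=no-new-privileges"]
    present = set(argv)
    missing = [flag for flag in required if flag not in present]
    if not any(a == "--network" or a.startswith("--network=") for a in argv):
        missing.append("--network=...")
    if "--user" not in present:
        missing.append("--user")
    return missing


def launch(argv: List[str]) -> subprocess.Popen:
    """Start the container; its stdin/stdout become the MCP transport."""
    return subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)


if __name__ == "__main__":
    argv = hardened_run_args("example/mcp-filesystem:latest", "/srv/agent/project",
                             runtime="runsc")
    print(shlex.join(argv))
    assert not missing_hardening(argv)
    # launch(argv) would start the server; omitted so the script is side-effect free
```

Note what the network flag cannot express: `--network=none` is right for a server that only touches the filesystem, but a server that needs exactly one API host cannot be limited to it with `docker run` flags alone; that is the gap the manifest approach below is trying to close.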

Firecracker

Firecracker, built by AWS for Lambda and Fargate, is the strongest commonly available isolation. It offers full VM separation optimised for container-like speed. A Firecracker microVM runs its own kernel, completely separate from the host, so there is no shared kernel to exploit. The attack surface shrinks to KVM plus Firecracker’s own minimal device model, a much smaller codebase than a full OS kernel.

Startup times are reasonable (100-200ms), and resource overhead is minimal. Firecracker achieves this by being ruthlessly minimal. No USB, no graphics, no unnecessary virtual devices.

For executing untrusted or AI-generated code, Firecracker is currently the gold standard. The tradeoff is operational complexity. You need KVM support (bare-metal or nested virtualisation), different tooling than for container deployments, and more careful resource management.

Mixing levels

Many production setups use multiple isolation levels. Trusted infrastructure in standard containers. Third-party MCP servers under gVisor. Code execution sandboxes in Firecracker, with isolation directly aligned to the threat level.

The manifest approach

Sandboxing handles what happens when things go wrong. Manifests try to prevent things from going wrong by declaring what each component should do.

Each MCP server ships with a manifest that describes the required permissions. This includes filesystem paths, network hosts, and environment variables. At runtime, a policy engine reads the manifest, gets user consent, and configures the sandbox to enforce exactly those permissions. Nothing more.

The AgentBox project works this way. A manifest might declare read access to /project/src, write access to /project/output, and network access to api.github.com. The sandbox gets configured with exactly that. If the server tries to read /etc/passwd or connect to malicious.org, the request fails, not because a gateway blocked it, but because the capability doesn’t exist.

There are real advantages to this approach. Users see what each component requires before granting access. Suspicious permission requests stand out. The same server deploys across environments with consistent security properties.

Unfortunately, the problems are also real. Manifests can only restrict permissions they know about, so side channels and timing attacks may not be covered. Filesystem and network permissions are coarse.

A server that legitimately needs api.github.com might abuse that access in ways the manifest can’t prevent. And who creates the manifests? Who audits them? Still, explicit, auditable permission declarations beat implicit unlimited access, even if they’re imperfect.
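As an added illustration of what evaluating a manifest like the one above involves (this is not AgentBox’s code or any MCP project’s code), the following evaluates a constructed manifest with keys `fs_read`, `fs_write` and `net`, which are assumed names for this example. It shows the two checks a practitioner must get right even at this coarse granularity: path requests are resolved before comparison so `..` and existing symlinks cannot escape a declared root, and host matching is exact so `api.github.com.evil.example` does not inherit `api.github.com`’s permission.

```python
"""Evaluate a manifest's filesystem and network declarations.

Added example, not AgentBox's code or any MCP project's code. The manifest
shape (keys "fs_read", "fs_write", "net") is an assumption for illustration.
"""
import json
import os
from urllib.parse import urlsplit

# Constructed sample manifest for a hypothetical MCP server.
MANIFEST_JSON = """
{
  "name": "example-repo-tools",
  "fs_read":  ["/project/src"],
  "fs_write": ["/project/output"],
  "net":      ["api.github.com"]
}
"""
MANIFEST = json.loads(MANIFEST_JSON)


def _under(path: str, root: str) -> bool:
    """True if the resolved path is root itself or lies beneath it."""
    # realpath collapses ".." and follows symlinks that already exist, so
    # /project/src/../../etc/passwd resolves to /etc/passwd before comparison.
    # A symlink planted after this check (TOCTOU) is not caught here; the
    # sandbox mount, not this function, has to be the real boundary.
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    # The trailing "/" stops /project/srcfoo from matching root /project/src.
    return path == root or path.startswith(root.rstrip("/") + "/")


def check_fs(manifest: dict, path: str, mode: str) -> bool:
    """mode is "read" or "write"; write permission does not imply read."""
    key = {"read": "fs_read", "write": "fs_write"}[mode]
    return any(_under(path, root) for root in manifest.get(key, []))


def check_net(manifest: dict, url: str) -> bool:
    """Exact host match only; no suffix or wildcard matching."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    allowed = {h.lower() for h in manifest.get("net", [])}
    return host.lower() in allowed
```

The checks deliberately stop at the host. What the server does with `api.github.com` once connected (which repositories, which endpoints, how much data) is exactly the coarseness the paragraph above describes, and a manifest of this shape cannot express it.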

Beyond action logs: execution decisions

This is something I think gets missed in most MCP observability discussions. Logging “Claude created x.ts” is useful, but the harder problems show up when you ask:

  • Why was this action allowed at this point in the workflow?
  • What state was assumed when it ran?
  • Was this a retry, a branch, or a first-time execution?

Teams get stuck when agent actions are logged after the fact, but aren’t tied to a durable execution state or policy context. You get perfect traces of what happened with no ability to answer why it was allowed to happen.

Current observability tooling (LangSmith, Arize, Langfuse, etc.) focuses on the “what happened” side. Every step traced, every tool call logged, every prompt inspectable. This is useful for debugging and cost tracking, but it doesn’t answer the security question “given the policy context at this moment, should this action have been permitted?”

A better pattern treats each agent step as an explicit execution unit:

  • Pre-conditions: permissions, budgets, invariants that must hold before execution
  • A recorded decision: allowed/blocked/deferred, with the policy context behind it
  • Post-conditions and side effects: what changed

Your logs then answer not just what happened, but why it was allowed. When something goes wrong, you trace through the decision chain and see where policy should have intervened but didn’t.

This is harder than after-the-fact logging. It means integrating policy evaluation into the execution path rather than bolting observability on separately. But without it, you’re likely to end up doing forensics on incidents instead of preventing them.
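To make the pattern concrete, here is an added example (not from the article or from any observability product) of an executor that treats each step as an explicit execution unit. The policy it evaluates, a per-stage tool allowlist plus a total write budget, the `Decision` fields, and the in-memory fake filesystem standing in for real tools are all assumptions chosen for illustration. Each record captures the state the decision assumed (`writes_used_before`), whether the step was a first execution, a retry with identical arguments, or a branch with changed arguments under the same idempotency key, the outcome, the policy clause that produced it, and the side effects observed afterwards, so `why(step_id)` answers the question the log alone cannot.

```python
"""Record each agent step as pre-conditions, a decision, and post-conditions.

Added example, not from the article or any observability product. The policy
(stage allowlist plus write budget), the record fields and the fake filesystem
are assumptions for illustration; a real deployment persists the log.
"""
import json
import time
from dataclasses import dataclass, field, asdict
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Policy:
    allowed_tools: Dict[str, set]   # workflow stage -> tools permitted there
    write_budget: int               # total file writes allowed for the run


@dataclass
class Decision:
    step_id: str
    stage: str
    tool: str
    args: dict
    kind: str                       # "first", "retry" (same key, same args) or "branch"
    outcome: str                    # "allowed" or "blocked"
    reason: str                     # the policy clause behind the outcome
    writes_used_before: int         # state the decision assumed
    side_effects: List[str] = field(default_factory=list)
    ts: float = field(default_factory=time.time)


class Executor:
    def __init__(self, policy: Policy, tools: Dict[str, Callable[..., List[str]]]):
        self.policy = policy
        self.tools = tools
        self.writes_used = 0
        self.log: List[Decision] = []
        self._seen: Dict[str, dict] = {}   # idempotency key -> args first seen with it

    def _classify(self, idem_key: Optional[str], args: dict) -> str:
        if idem_key is None or idem_key not in self._seen:
            if idem_key is not None:
                self._seen[idem_key] = args
            return "first"
        return "retry" if self._seen[idem_key] == args else "branch"

    def _precheck(self, stage: str, tool: str) -> Tuple[bool, str]:
        """Pre-conditions: the tool is allowed in this stage and budget remains."""
        if tool not in self.policy.allowed_tools.get(stage, set()):
            return False, f"tool {tool!r} not in allowlist for stage {stage!r}"
        if tool == "write_file" and self.writes_used >= self.policy.write_budget:
            return False, f"write budget {self.policy.write_budget} exhausted"
        return True, (f"tool {tool!r} allowed in stage {stage!r}; writes used "
                      f"{self.writes_used}/{self.policy.write_budget}")

    def run(self, step_id: str, stage: str, tool: str, args: dict,
            idem_key: Optional[str] = None) -> Decision:
        kind = self._classify(idem_key, args)
        ok, reason = self._precheck(stage, tool)
        d = Decision(step_id, stage, tool, args, kind,
                     "allowed" if ok else "blocked", reason, self.writes_used)
        if ok:
            d.side_effects = self.tools[tool](**args)   # post-conditions: what changed
            if tool == "write_file":
                self.writes_used += 1
        self.log.append(d)        # recorded whether or not the tool ran
        return d

    def why(self, step_id: str) -> Optional[Decision]:
        """The forensic question: why was this step allowed (or not)?"""
        return next((d for d in self.log if d.step_id == step_id), None)

    def export(self) -> str:
        return "\n".join(json.dumps(asdict(d)) for d in self.log)


# Constructed tools over an in-memory filesystem, standing in for real MCP tools.
FAKE_FS: Dict[str, str] = {"/project/src/main.py": "print('hi')\n"}


def read_file(path: str) -> List[str]:
    FAKE_FS[path]                 # KeyError if absent, like a real tool failure
    return []                     # reads leave no side effects to record


def write_file(path: str, content: str) -> List[str]:
    FAKE_FS[path] = content
    return [f"wrote {path} ({len(content)} bytes)"]


def demo_executor() -> Executor:
    policy = Policy(allowed_tools={"plan": {"read_file"},
                                   "apply": {"read_file", "write_file"}},
                    write_budget=2)
    return Executor(policy, {"read_file": read_file, "write_file": write_file})
```

The point of recording `writes_used_before` and `kind` rather than just the outcome is that a retry and a branch look identical in an after-the-fact trace (“Claude wrote a.md twice”), while the decision record shows one was a legitimate retry and the other a changed action sneaking in under an old idempotency key.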

Embedding controls in the Node Image

A more aggressive approach is to embed security controls directly into base images. Rather than a runtime policy, you construct images where certain capabilities don’t exist.

This is security through absence. An image without a shell can’t spawn a shell. Without network utilities (curl, wget, nc), an attacker who gets code execution loses the easy tooling for exfiltration, though the server’s own language runtime can still open sockets unless the network is also removed at the sandbox level. Without write access to certain paths, those paths can’t be modified, not because policy blocks the write, but because the filesystem capability isn’t there at all.

The appeal is that you’re not trusting a policy layer. You’re not hoping gVisor correctly intercepts the dangerous syscall. The capability simply doesn’t exist at the image level.

The tradeoffs (there are always tradeoffs!) are mostly operational. You’ll need separate base images for each security profile. Updates mean rebuilding, not reconfiguring. Granularity is limited, as you can remove broad capability categories but can’t easily express “network access only to api.github.com.”

For high-security deployments where operational complexity is acceptable, this approach provides a stronger foundation than runtime enforcement alone. For most teams, it’s probably overkill, but worth knowing about.


Framework-level options

Several frameworks are emerging to standardise MCP security patterns.

SAFE-MCP (Linux Foundation / OpenID Foundation backed) defines patterns for secure MCP deployment, grounded in common failure modes where identity, intent, and execution are distributed across clients, servers, and tools.

The AgentBox approach targets MCP servers as the enforcement point, i.e., the least common denominator across agentic AI ecosystems. Securing MCP servers protects the interaction surface and shifts enforcement closer to the system layer.

For credentials specifically, the Astrix MCP Secret Wrapper wraps any MCP server to pull secrets from a vault at runtime. So no secrets are exposed on host machines, and the server gets short-lived, scoped tokens instead of long-lived credentials.

None of these solves the fundamental problems. But they encode collective learning about what goes wrong and are worth understanding, even if you don’t need to adopt them wholesale.

Where this leaves us

MCP security in 2026 is a mess of emerging standards, competing approaches, and incidents that keep teaching us things we should have anticipated.

It’s like that box of Lego that mixes several original sets whose instructions are long gone. We have the pieces, and we sort of know what the thing we want to build should look like, but we’re just dipping into the jumbled box to piece it together.

If I had to summarise:

Sandboxing works but costs something. gVisor and Firecracker provide real isolation. They also add operational weight. Match the isolation level to the actual threat.

Manifests help, but aren’t complete. Explicit permission declarations make the attack surface visible. They don’t prevent all attacks.

Observability needs policy context. Logging what happened isn’t enough. You need to know why it was allowed.

We’re probably going to learn some hard lessons. Too many teams are running MCP servers with excessive permissions, inadequate monitoring, and Hail Mary hopes that nothing goes wrong.

Organisations that figure this out will be able to give their agents more capability, because they can actually trust them with it. Everyone else will either hamstring their agents to the point of uselessness or find out the hard way what happens when highly capable tools meet insufficient or non-existent constraints.
