MCP Server Hardening: Close the Auth Gap Before an Auditor DoesThe MCP spec describes a protocol, not a security posture. Most production deployments shipped with a static secret in a header, no identity propagation, and error messages that leak internals. Four enforcement layers, executable, before the next incident review.