Or Weis

MCP risk is not frozen at build time. This article explains how to vet third-party MCP servers, treat manifests as security boundaries, enforce runtime authorization, and preserve incident-grade audit evidence.

CVE-2026-49257 in mcp-pinot shows why network-reachable MCP database servers must fail closed: secure startup, endpoint authentication, and per-tool runtime authorization are all mandatory. This guide breaks down the confused-deputy pattern, risk-tiered tool policy for read vs schema/admin operations, and the audit model needed for real incident forensics.

Specs and PRDs make coding agents more accurate, but not inherently safe. This guide explains how to secure MCP-enabled coding and workflow agents with short-lived delegated access, runtime policy decisions, and auditable zero standing permissions.

Agent traces are observability signals, not accountability evidence. This guide defines a causal, replayable authorization commit log for MCP tool calls so teams can prove who delegated access, why policy allowed an action, and what happened next.

Subagents are delegated actors, not implementation details. This guide explains how to design MCP permission delegation, OAuth token brokering, approval routing, and audit trails to avoid silent stalls and privilege expansion.

OpenAPI-to-MCP gateways can instantly expose REST endpoints as agent tools, but endpoint filtering alone does not enforce least privilege. This guide shows how to classify generated tools by risk, enforce runtime policy per delegator and intent, keep credentials server-side, and log auditable MCP decisions.

Text refusal and tool behavior can diverge in coding agents. This article explains why runtime, action-time authorization is the real security boundary for Codex, Claude Code, Cursor, and MCP tool calls.

Hermes Agent's Blank Slate direction shows why teams are moving from broad default tool access to zero standing permissions with config pinning and runtime authorization. This guide explains the safest local defaults, risk-tiered tool access, and practical temporary grant patterns for web, browser, terminal, MCP, memory, and delegation.

DIDs, verifiable credentials, and AI control towers are foundational for agent governance, but they still do not decide whether a specific agent action is allowed right now. This article explains the runtime authorization model enterprises need for delegated AI execution.

Prompt injection becomes a security incident when untrusted content is promoted across authority boundaries into actions. This article shows how to enforce RAG and MCP promotion gates with runtime authorization outside the model.

The LiteLLM CVE-2026-42271 and Starlette BadHost CVE-2026-48710 chain turned authenticated command injection into unauthenticated RCE. The deeper lesson: AI gateways hold model credentials, route sensitive traffic, and expose MCP utility endpoints — and need action-time authorization, not flat API keys.

Sandboxing a coding agent isolates it from the host—but the real blast radius is the credentials it holds. GitHub tokens, cloud keys, MCP connections, and CI/CD access define what an agent can actually do. Here's the runtime permission model that closes the gap.