<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Michael "Mike" K. Saleme</title>
    <description>The latest articles on DEV Community by Michael "Mike" K. Saleme (@mspro3210).</description>
    <link>https://dev.to/mspro3210</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3851462%2Fa7c27b1b-53a0-4eb1-ac6d-c5a785fbc6ad.jpg</url>
      <title>DEV Community: Michael "Mike" K. Saleme</title>
      <link>https://dev.to/mspro3210</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/mspro3210"/>
    <language>en</language>
    <item>
      <title>The x402 payment layer has a state-synchronization gap, and four agent-payment attacks fall out of it</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Fri, 03 Jul 2026 16:27:42 +0000</pubDate>
      <link>https://dev.to/mspro3210/the-x402-payment-layer-has-a-state-synchronization-gap-and-four-agent-payment-attacks-fall-out-of-49mk</link>
      <guid>https://dev.to/mspro3210/the-x402-payment-layer-has-a-state-synchronization-gap-and-four-agent-payment-attacks-fall-out-of-49mk</guid>
      <description>&lt;p&gt;Agent payments crossed from prototype to infrastructure faster than the security work did. The x402 protocol now carries more than 130 million transactions and sits inside Google Cloud, Cloudflare, and Stripe. Last week two papers put that infrastructure under a microscope, and one of them is a peer-reviewed conference result, not a preprint.&lt;/p&gt;

&lt;p&gt;"Free-Riding the Agentic Web: A Systematic Security Analysis of x402 Payments" (&lt;a href="https://arxiv.org/abs/2605.30998" rel="noopener noreferrer"&gt;arXiv:2605.30998&lt;/a&gt;), reports resource-leakage ratios up to 100 percent against official x402 SDKs and production deployments. A companion architecture paper, "Agent-to-Agent Finance" (&lt;a href="https://arxiv.org/abs/2607.00245" rel="noopener noreferrer"&gt;arXiv:2607.00245&lt;/a&gt;), makes wallet risk a first-class channel and states it plainly: "a malicious service description can trigger prompt injection, which leads the agent to misinterpret the payment purpose, which causes wallet authorisation to approve an unintended transfer."&lt;/p&gt;

&lt;p&gt;These are not one-vendor bugs. They come from something structural.&lt;/p&gt;

&lt;h2&gt;
  
  
  The gap: synchronous request, asynchronous finality
&lt;/h2&gt;

&lt;p&gt;x402 bridges an HTTP request, which is synchronous and returns in milliseconds, to a blockchain settlement, which is final only after confirmations. Between "the client says it paid" and "the network agrees it paid" there is a window. Everything in that window is attack surface, and anything that settles on top of x402 inherits it.&lt;/p&gt;

&lt;p&gt;The paper organizes the exploitable surface into four attack primitives. Each one lives in that gap.&lt;/p&gt;

&lt;h2&gt;
  
  
  The four primitives
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Cross-resource substitution.&lt;/strong&gt; A payment proof generated for one resource is replayed against a different resource. The payment is real; the binding between payment and thing-paid-for is missing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Duplicate-settlement race.&lt;/strong&gt; In the window between payment broadcast and on-chain finality, the same payment pulls the resource more than once. One payment, many deliveries.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Allowance overdraft.&lt;/strong&gt; An approved token allowance is drained beyond the transaction it was scoped to. This is where session keys with over-broad approvals turn one authorized action into an open tab.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Denial of settlement.&lt;/strong&gt; The attacker consumes the resource, then blocks or delays finality so the payment never lands. This one is not about extracting money. It is about taking the service for free while withholding settlement.&lt;/p&gt;

&lt;p&gt;The paper also proves an impossibility result: no output-only pricing can be both fair to honest users and bounded against inflation of hidden computational tokens. Reasoning-token stuffing cannot be solved at the pricing layer alone. That is a design boundary, not a bug to patch.&lt;/p&gt;

&lt;h2&gt;
  
  
  What a conformance suite catches
&lt;/h2&gt;

&lt;p&gt;Three of the four primitives are testable today, and they map onto existing vectors in the open-source agent-security-harness (532 tests across the agentic-payments stack):&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cross-resource substitution&lt;/strong&gt; is caught by binding a payment to exactly one target: FB-015 (Voucher Resource-Hash Binding), X4-044 (Payment Replay Against Different Endpoint), and AP2-007 (Mandate Chain Link, which ties a payment mandate to a specific checkout hash).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Duplicate-settlement race&lt;/strong&gt; is caught by refusing a second delivery on one authorization: X4-038 (Double-Spend Detection), AP2-013 (Double-Spend on Open Mandate), FB-017 (Escrow Over-Redemption), and FB-014 (Batch Voucher Replay and Monotonicity).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Allowance overdraft&lt;/strong&gt; is caught by bounding what an approval can spend: CTK-003 and CTK-004 (Per-Transaction Amount Cap and Cumulative Velocity Cap), FB-011 and FB-012 (Amount Cap and Velocity Budget), and AP2-015 (Funding-Instrument Scope Binding).&lt;/p&gt;

&lt;p&gt;Every one runs as a tamper-then-reject differential. You mutate the input the way the attack does, and a conformant implementation rejects it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;PASS  AP2-013: Double-Spend on Open Mandate
PASS  FB-017: Escrow Over-Redemption
PASS  CTK-004: Cumulative Velocity Cap
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  What it does not catch
&lt;/h2&gt;

&lt;p&gt;Denial of settlement has no test in the suite. It is a liveness attack, not an integrity one: the malicious move is withholding finality, not tampering with a payload. Rate-limiting vectors are adjacent but not equivalent, and pretending otherwise would be the coverage theater that makes a green test run lie. The honest state is that this attack class is named, understood, and currently untested. It is the next vector to build.&lt;/p&gt;

&lt;p&gt;The impossibility result sits even further outside a conformance suite's reach. You cannot write a pass-or-fail vector for a pricing model that is provably unsolvable at its own layer. That belongs in protocol design, not test coverage.&lt;/p&gt;

&lt;h2&gt;
  
  
  The one decision that closes the race
&lt;/h2&gt;

&lt;p&gt;Most of the duplicate-settlement race collapses to a single architectural choice: what is the authoritative point at which your stack treats a payment as final before it releases the resource?&lt;/p&gt;

&lt;p&gt;If the answer is "the facilitator's callback," the race is wide open, because the callback fires before the chain agrees. If the answer is "N on-chain confirmations" or "a signed settlement receipt," the window closes, at the cost of latency you design for.&lt;/p&gt;

&lt;p&gt;Test coverage tells you whether your verifier rejects a tampered payment. It cannot tell you where you drew your finality line. That line is where agent payments are won or lost.&lt;/p&gt;

&lt;p&gt;If you build on x402, ship the tests for the three primitives you can catch, and write down your finality point for the one you cannot.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Full test-ID mapping and discussion: &lt;a href="https://github.com/msaleme/red-team-blue-team-agent-fabric/discussions/231" rel="noopener noreferrer"&gt;harness thread #231&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>agents</category>
      <category>opensource</category>
    </item>
    <item>
      <title>Agent payment standards are standardizing the cap, not the binding</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Tue, 30 Jun 2026 13:27:35 +0000</pubDate>
      <link>https://dev.to/mspro3210/agent-payment-standards-are-standardizing-the-cap-not-the-binding-1c46</link>
      <guid>https://dev.to/mspro3210/agent-payment-standards-are-standardizing-the-cap-not-the-binding-1c46</guid>
      <description>&lt;p&gt;Agent-to-agent payments are settling into a clean decomposition. The protocol owns the state transition. A receipt layer owns the evidence. A trust layer reads the receipts. The field lists now circulating for a machine-readable "payment required" state — network, asset, amount cap, recipient, expiry, idempotency key, proof-header shape, denial reason — are the right instinct.&lt;/p&gt;

&lt;p&gt;They standardize what is &lt;strong&gt;present&lt;/strong&gt;. They leave open what is &lt;strong&gt;provable&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A spend cap that is present on the wire is not a spend cap a downstream verifier can prove was the one the mandate authorized. An intermediary forwards a well-formed challenge whose cap, recipient, or expiry no longer matches the authority that issued it. The receipt looks valid. The drift goes uncaught. That is scope-widening — a different failure than replay: replay reuses a valid authorization, scope-widening mutates one in transit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The fix is a binding, not another field.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A content-addressed reference — call it &lt;code&gt;guardrail_ref&lt;/code&gt; — ties &lt;code&gt;amount_cap + recipient + expiry&lt;/code&gt; to the authorizing mandate and travels into the post-payment receipt. The verifier evaluates the action against the authority that actually permitted it, not against a number an intermediary asserted. The cap value stays implementation-local. The binding to the mandate is the one thing that has to be machine-checkable at the boundary.&lt;/p&gt;

&lt;p&gt;This is where conformance testing earns its keep. Three vectors define the boundary: a forwarded cap that diverges from its mandate, a recipient or expiry broadened in transit, and a double-spend chained across agent calls. Wire-level adversarial suites for x402 and L402 already catalog dozens of payment-protocol attacks. The authority-binding layer above them is still silent.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>agents</category>
      <category>payments</category>
    </item>
    <item>
      <title>Every agent passport layer is grading its own exam</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Sun, 21 Jun 2026 17:11:47 +0000</pubDate>
      <link>https://dev.to/mspro3210/every-agent-passport-layer-is-grading-its-own-exam-20do</link>
      <guid>https://dev.to/mspro3210/every-agent-passport-layer-is-grading-its-own-exam-20do</guid>
      <description>&lt;p&gt;A new layer is consolidating in the agent stack, and it has a name now: pre-action authorization. The idea is clean. Before an agent executes a tool call, a deterministic policy engine intercepts it, checks it against declarative rules, and signs an audit record. The model proposes; the gateway disposes.&lt;/p&gt;

&lt;p&gt;This pattern is real and it is shipping.&lt;/p&gt;

&lt;p&gt;In &lt;em&gt;Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents&lt;/em&gt; (arXiv 2603.20953), Uchi Uchibeke specifies it precisely: authorization "runs at the framework layer, not the model's reasoning layer. Prompt injection cannot override it." Same inputs, same decision, no model in the evaluation path. The Agent Passport System (APS) ships the same shape in production form — Ed25519 identities, scoped delegation that can only narrow, a three-signature action chain.&lt;/p&gt;

&lt;p&gt;The architecture is right. The protocol layer cannot enforce safety, so a deterministic gateway above it must. NSA's June MCP advisory says the same thing from the defensive side: deny-by-default, scope everything, sign every message.&lt;/p&gt;

&lt;p&gt;So the design is converging. Here is the part that isn't.&lt;/p&gt;

&lt;h2&gt;
  
  
  Self-attestation is not resistance
&lt;/h2&gt;

&lt;p&gt;Every implementation in this layer is tested by the people who built it.&lt;/p&gt;

&lt;p&gt;OAP reports a striking number: social engineering succeeded against the bare model 74.6% of the time, and 0% against a restrictive OAP policy across 879 attempts. Read the limitations section, in the author's own words: the attackers "self-select and skew toward social engineering rather than protocol-level attacks; results may not generalize to APT-grade adversaries." It's a self-run bounty, by the spec author, against a self-selected crowd. That's not a criticism of OAP — it's an honest disclosure most of this field doesn't make.&lt;/p&gt;

&lt;p&gt;APS goes further and says the quiet part in its own README: &lt;em&gt;"A valid signature is not a valid claim."&lt;/em&gt; It enumerates receipts that are cryptographically perfect and must still be rejected — wrong claim, expired delegation, revoked delegation. The team clearly understands the gap. And its conformance suite? Byte-level. It verifies that two implementations canonicalize identically — interoperability — and states plainly it "does not replace dynamic test execution."&lt;/p&gt;

&lt;p&gt;So we have two kinds of testing in this layer, and neither is the one that matters most:&lt;/p&gt;

&lt;p&gt;Self-run adversarial evals, tied to the implementation that's being graded.&lt;/p&gt;

&lt;p&gt;Byte-level conformance, which proves two systems &lt;em&gt;agree&lt;/em&gt;, never that either one is &lt;em&gt;right&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Conformance proves agreement. It never proves resistance.&lt;/p&gt;

&lt;h2&gt;
  
  
  The missing discipline
&lt;/h2&gt;

&lt;p&gt;What this layer does not have is a neutral adversary — a third-party harness that takes any pre-action-authorization gateway, regardless of who built it, and attempts protocol-level bypass, scope-boundary escalation, delegation-chain abuse, and replay. One that scores resistance, not self-attested policy.&lt;/p&gt;

&lt;p&gt;This pattern already exists everywhere else in security. TLS implementations don't get to publish their own interop test as proof of security — they face independent test suites and external attack. Payment terminals submit to PCI test labs they don't control. The entire premise of a trust layer is that its trust is &lt;em&gt;externally verifiable&lt;/em&gt;. A passport you grade yourself is a name tag.&lt;/p&gt;

&lt;p&gt;The agent-identity layer is being built right now, fast. NIST's AI Agent Standards Initiative (Feb 2026) made identity one of three pillars. OWASP's Top 10 for Agentic Applications (2026) added ASI04 — agentic supply chain — and ASI07, insecure inter-agent communication. MCP moved to OAuth 2.1 with RFC 8707 resource-scoped tokens. Every one of these is a control surface that will ship with a vendor's own test results attached.&lt;/p&gt;

&lt;p&gt;The slot for the independent adversary is open. Not because no one can fill it — because the people building the gateways are, understandably, building gateways, not the thing that attacks them.&lt;/p&gt;

&lt;h2&gt;
  
  
  What an adversarial conformance harness looks like
&lt;/h2&gt;

&lt;p&gt;I've been building the attacker's half of this for the protocol below it. The Agent Security Harness runs 474 adversarial tests against MCP and agent endpoints — it forges elevated OAuth scopes and checks they're rejected (&lt;code&gt;AUTH-003&lt;/code&gt;), it plants command-execution canaries in the handshake (&lt;code&gt;MCP-017&lt;/code&gt;), it walks delegation chains looking for authority that should have narrowed and didn't.&lt;/p&gt;

&lt;p&gt;That last category is exactly what the passport layer needs and doesn't yet have a neutral version of: take a signed delegation, attempt to use it beyond its scope, and score whether the gateway holds. APS's own model says authority "can only decrease at each transfer point." Good. Now prove it against an adversary who didn't write the gateway.&lt;/p&gt;

&lt;p&gt;The honest framing: I test the protocol layer today, not the passport layer. The passport layer's adversarial conformance is unbuilt — by me or anyone. I'm naming it because the design has converged far enough that the gap is now the most important thing in the picture.&lt;/p&gt;

&lt;p&gt;A passport proves who an agent is. It does not prove that identity can't be turned against you. The first one is a signature. The second one only a determined adversary can certify — and right now, in this layer, the only adversary in the room is the one who built the lock.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Sources: &lt;a href="https://arxiv.org/abs/2603.20953" rel="noopener noreferrer"&gt;arXiv 2603.20953&lt;/a&gt;; &lt;a href="https://github.com/aeoess/agent-passport-system" rel="noopener noreferrer"&gt;github.com/aeoess/agent-passport-system&lt;/a&gt;; &lt;a href="https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure" rel="noopener noreferrer"&gt;NIST AI Agent Standards Initiative (Feb 2026)&lt;/a&gt;; &lt;a href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/" rel="noopener noreferrer"&gt;OWASP Top 10 for Agentic Applications 2026&lt;/a&gt;; &lt;a href="https://modelcontextprotocol.io/specification/draft/basic/authorization" rel="noopener noreferrer"&gt;MCP Authorization spec (RFC 8707)&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>agents</category>
      <category>architecture</category>
    </item>
    <item>
      <title>The whole payments industry now co-signs the agent payment rail. Who red-teams it?</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Wed, 17 Jun 2026 13:14:58 +0000</pubDate>
      <link>https://dev.to/mspro3210/the-whole-payments-industry-now-co-signs-the-agent-payment-rail-who-red-teams-it-2e76</link>
      <guid>https://dev.to/mspro3210/the-whole-payments-industry-now-co-signs-the-agent-payment-rail-who-red-teams-it-2e76</guid>
      <description>&lt;p&gt;x402 moved to the Linux Foundation this quarter, and the contributor list &lt;em&gt;is&lt;/em&gt; the story: Coinbase, Cloudflare, and Stripe at the core, now joined by Google, AWS, Visa, Mastercard, American Express, Circle, Shopify, Microsoft, Solana, and Polygon. The agent payment rail just became shared utility infrastructure.&lt;/p&gt;

&lt;p&gt;That's the right outcome for a payment standard. It also opens a structural blind spot.&lt;/p&gt;

&lt;h2&gt;
  
  
  The co-signer problem
&lt;/h2&gt;

&lt;p&gt;When the entire payments industry co-governs a protocol, every governing member shares one incentive: ship it, adopt it, settle on it. None is positioned to adversarially attack the rail it jointly stewards — a consortium cannot credibly red-team itself. The wider the consortium, the wider the blind spot.&lt;/p&gt;

&lt;p&gt;This is an industry pattern, not an x402 flaw. Shared infrastructure gets standardized faster than it gets attacked — HTTP, OAuth, and BGP each became load-bearing years before the adversarial literature caught up. x402 is on that trajectory, compressed into months.&lt;/p&gt;

&lt;h2&gt;
  
  
  What gets exposed
&lt;/h2&gt;

&lt;p&gt;x402 turns any endpoint into a paywall an agent navigates without a human: the 402 response carries machine-readable price and settlement, the agent signs and retries, a facilitator settles on-chain. Each step is an attack surface that does not exist in human-in-the-loop payments:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;the price/settlement object the agent parses — inject the terms&lt;/li&gt;
&lt;li&gt;the signing step — authority to spend with no confirmation&lt;/li&gt;
&lt;li&gt;the facilitator — the verify-and-settle trust boundary&lt;/li&gt;
&lt;li&gt;the retry loop — cascade one 402 into a payment chain&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These map directly onto the dispute-as-DoS and budget-exhaustion test classes already in the open-source x402/L402 security modules I maintain.&lt;/p&gt;

&lt;h2&gt;
  
  
  The opening
&lt;/h2&gt;

&lt;p&gt;A protocol commoditizing does not reduce the need to test it — it raises it. A rail the whole industry runs on is a rail whose failure modes are everyone's problem and no single steward's mandate.&lt;/p&gt;

&lt;p&gt;Someone outside the consortium has to test the rail the consortium can't.&lt;/p&gt;

&lt;p&gt;For anyone building on x402: when your agent signs a payment payload, what sits between the injected 402 and the signature — and who tested that path?&lt;/p&gt;

</description>
      <category>aisecurity</category>
      <category>payments</category>
      <category>agents</category>
      <category>security</category>
    </item>
    <item>
      <title>When the guardrail becomes the target: reasoning-extension DoS against LLM safety layers</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Mon, 15 Jun 2026 15:05:57 +0000</pubDate>
      <link>https://dev.to/mspro3210/when-the-guardrail-becomes-the-target-reasoning-extension-dos-against-llm-safety-layers-ao</link>
      <guid>https://dev.to/mspro3210/when-the-guardrail-becomes-the-target-reasoning-extension-dos-against-llm-safety-layers-ao</guid>
      <description>&lt;p&gt;New research from HKUST (&lt;a href="https://arxiv.org/abs/2606.14517" rel="noopener noreferrer"&gt;arXiv:2606.14517&lt;/a&gt;, June 12) turns the agent safety layer into the attack surface.&lt;/p&gt;

&lt;h2&gt;
  
  
  What happened
&lt;/h2&gt;

&lt;p&gt;Reasoning-based guardrails — the LLM safety layers that screen an agent's actions — can be trapped in their own analysis. Crafted inputs mimic the guardrail's internal schema (risk enumerations, assessment matrices), and the model, in the authors' words, &lt;em&gt;"mechanically fills a template it has constructed for itself, trapped by its own instruction-following fidelity."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The measured effect: 13–63× token amplification in isolation, and &lt;strong&gt;148× end-to-end latency&lt;/strong&gt; in a LangGraph multi-agent deployment — a single guardrail call stretched to 730 seconds. Because the payload is fluent natural language, an injection classifier scored it below 0.001 probability and passed it through.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why it matters
&lt;/h2&gt;

&lt;p&gt;The attacker needs no model weights, no system prompt, no infrastructure access — only the ability to place text where the agent will read it: a web page, a repo comment, a tool result.&lt;/p&gt;

&lt;p&gt;And every candidate fix the authors tested fails. A token-budget cutoff only relocates the failure: fail-open lets the attack bypass safety entirely; fail-closed converts it into agent-level DoS that starves co-located agents on shared guardrail infrastructure. A &lt;em&gt;more capable&lt;/em&gt; guardrail performs worse — stronger reasoning produces longer loops.&lt;/p&gt;

&lt;p&gt;This is a structural property of the reasoning-guardrail paradigm, not a defect to patch.&lt;/p&gt;

&lt;h2&gt;
  
  
  What catches it today
&lt;/h2&gt;

&lt;p&gt;Part of it — and it's the part most test harnesses get wrong. A guardrail that stalls or crashes under load must never be scored as a successful defense.&lt;/p&gt;

&lt;p&gt;In our open-source agent-security harness, the verdict-correctness suite encodes exactly this: the rejection primitive treats transport failure and 5xx responses as &lt;em&gt;not&lt;/em&gt; a rejection — the code comment reads &lt;em&gt;"a 5xx may itself be the attack succeeding."&lt;/em&gt; The tests assert that a dead or faulting defender cannot earn a passing verdict.&lt;/p&gt;

&lt;p&gt;The paper closes by calling for "cost-bounded safety architectures." That is precisely what a governance layer enforces: a THROTTLE→FREEZE state machine halts discretionary spend the moment a gate fails, and a hard constraint surfaces any guardrail that has gone dark.&lt;/p&gt;

&lt;h2&gt;
  
  
  What's missing
&lt;/h2&gt;

&lt;p&gt;The honest gap: protocol-layer DoS (batch bombs, oversized payloads, rate floods) and verdict-correctness are covered. &lt;em&gt;Reasoning-extension&lt;/em&gt; DoS — a schema-mimicking payload that inflates an LLM guardrail's own token and latency budget — is not. That's a net-new test class, and it's going on the roadmap.&lt;/p&gt;

&lt;p&gt;A guardrail that can reason can be made to reason forever.&lt;/p&gt;

&lt;h2&gt;
  
  
  One question for operators
&lt;/h2&gt;

&lt;p&gt;When your LLM guardrail hits a compute ceiling mid-evaluation, does it fail open or fail closed — and how do you distinguish a real "blocked" verdict from a guardrail that simply ran out of budget?&lt;/p&gt;

</description>
      <category>aisecurity</category>
      <category>llm</category>
      <category>security</category>
      <category>agents</category>
    </item>
    <item>
      <title>The Agentic Maturity Model Is Missing an Axis: Who Validated the Claim</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Mon, 08 Jun 2026 16:24:26 +0000</pubDate>
      <link>https://dev.to/mspro3210/the-agentic-maturity-model-is-missing-an-axis-who-validated-the-claim-284i</link>
      <guid>https://dev.to/mspro3210/the-agentic-maturity-model-is-missing-an-axis-who-validated-the-claim-284i</guid>
      <description>&lt;p&gt;On June 3, the OWASP GenAI Security Project published &lt;em&gt;State of Agentic AI Security and Governance 2.0&lt;/em&gt;, and with it an Enterprise Adoption Maturity Model that grades two things at once.&lt;/p&gt;

&lt;p&gt;One axis measures deployment: AT0 Shadow AI through AT5 custom in-house agents that you built and whose identity, tools, and boundaries you control. The other measures governance maturity: Level 0 ad hoc through Level 3, where agents are treated as critical infrastructure with governance-as-code, kill switches, and real-time drift dashboards.&lt;/p&gt;

&lt;p&gt;It is the clearest two-axis picture we have seen published. It also shares a blind spot with the maturity models that preceded it.&lt;/p&gt;

&lt;p&gt;Both axes describe what the organization &lt;em&gt;does&lt;/em&gt;. Neither captures who &lt;em&gt;verified&lt;/em&gt; that it does it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Two organizations, same cell, different truth
&lt;/h2&gt;

&lt;p&gt;Take two organizations that both self-place at Governance Level 3. Both claim governance-as-code. Both claim kill switches. Both claim continuous drift monitoring.&lt;/p&gt;

&lt;p&gt;One arrived there through an internal red-team's self-attestation. The other arrived through independent adversarial assessment with a published, reproducible evidence base. On the matrix, they occupy the same cell. In a procurement review, in an incident post-mortem, in front of a regulator, they are not the same artifact.&lt;/p&gt;

&lt;p&gt;A maturity model that measures what an organization does, but not who validated it, grades the claim and not the control.&lt;/p&gt;

&lt;h2&gt;
  
  
  The pattern already exists in established assurance
&lt;/h2&gt;

&lt;p&gt;This is not a novel demand. Assurance practice has separated self-attestation from independent validation for decades. A SOC 2 Type I report describes controls as designed; a Type II report tests whether they operated over time. A vendor security questionnaire and a third-party penetration test answer different questions, and no mature buyer treats them as interchangeable. Vulnerability scoring encodes the same instinct: CVSS tempers a finding by its Exploit Maturity — Unproven, Proof-of-Concept, Functional, High — grading the evidence behind a claim, not only the claim's severity.&lt;/p&gt;

&lt;p&gt;Agentic governance has not yet imported that distinction. The EU AI Act's high-risk obligations — now deferred to December 2027 because the supporting standards aren't ready — turn on demonstrable oversight, not asserted oversight. The maturity model needs the third axis the regulation will require: evidence type.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the third axis looks like
&lt;/h2&gt;

&lt;p&gt;Evidence type asks one question of every governance claim: what class of evidence supports it, and is the claim stronger than that evidence permits?&lt;/p&gt;

&lt;p&gt;This pattern exists in disciplined evaluation work. For example, in the public &lt;code&gt;agent-security-harness&lt;/code&gt; VS-R01 evaluation of agent-payment infrastructure, every finding is tagged with an evidence class:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;E1&lt;/strong&gt; — static or documentation observation&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;E2&lt;/strong&gt; — admission-time runtime observation (the API's response at the input gate, before settlement)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;E3&lt;/strong&gt; — settlement-time runtime observation&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;E4&lt;/strong&gt; — adversarial replay and persistence validated&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;E5&lt;/strong&gt; — cross-context isolation confirmed against both negative &lt;em&gt;and&lt;/em&gt; positive controls&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each class maps to a maximum permitted claim strength. An E2 observation may describe how an API admits or refuses a crafted input; it may not claim the platform &lt;em&gt;enforces&lt;/em&gt; a limit, because enforcement is a settlement-time property and settlement was not measured. A recurring failure mode in agent-security writeups — making an enforcement claim from admission evidence — becomes visible at review time instead of in production.&lt;/p&gt;

&lt;p&gt;That is the third axis made concrete. It is reproducible from a public branch state by any reviewer with their own test enrollment, which is the property that separates evidence from assertion.&lt;/p&gt;

&lt;h2&gt;
  
  
  The cell isn't the credential
&lt;/h2&gt;

&lt;p&gt;The OWASP model is a real advance, and the right place to put this. Adoption tells you how much autonomy an organization has handed its agents. Governance maturity tells you how much control it claims to have built. Evidence type tells you whether anyone outside the organization can check.&lt;/p&gt;

&lt;p&gt;For agents that hold credentials, move money, and act on untrusted input, the third question is the one that survives contact with a regulator. Grade the evidence, not the claim.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Sources&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://genai.owasp.org/resource/state-of-agentic-ai-security-and-governance/" rel="noopener noreferrer"&gt;OWASP — State of Agentic AI Security and Governance 2.0&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.infosecurity-magazine.com/news/owasp-agentic-ai-security-maturity/" rel="noopener noreferrer"&gt;Infosecurity Magazine — OWASP Introduces Agentic AI Security Maturity Framework&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;VS-R01 evidence taxonomy — &lt;a href="https://github.com/msaleme/red-team-blue-team-agent-fabric" rel="noopener noreferrer"&gt;&lt;code&gt;msaleme/red-team-blue-team-agent-fabric&lt;/code&gt;&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>agents</category>
      <category>governance</category>
    </item>
    <item>
      <title>98% of Agents Carry the Lethal Trifecta. Last Week Showed Why.</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Sat, 06 Jun 2026 14:09:23 +0000</pubDate>
      <link>https://dev.to/mspro3210/98-of-agents-carry-the-lethal-trifecta-last-week-showed-why-2i92</link>
      <guid>https://dev.to/mspro3210/98-of-agents-carry-the-lethal-trifecta-last-week-showed-why-2i92</guid>
      <description>&lt;p&gt;Adversa's Q2 2026 AI Risk Quadrant Report, published June 3, scored 100 production agent systems against three dimensions: attack surface, blast radius, and defenses. Two numbers worth holding.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;98 of the 100 carry the lethal trifecta&lt;/strong&gt; — &lt;a href="https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/" rel="noopener noreferrer"&gt;Simon Willison's framing&lt;/a&gt; for the combination of access to private data, exposure to untrusted content, and the ability to take outbound actions, on the same execution path.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Only 11% qualify as adequately defended.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At least 87% don't lack the trifecta. They've got it; they just haven't built around it.&lt;/p&gt;

&lt;p&gt;Tool execution alone explains 76% of blast-radius variance across the cohort. That's the headline finding. The capacity to act in the world — to write to APIs, push commits, install packages, send messages — is what converts an agent failure from a logged exception into an operational incident.&lt;/p&gt;

&lt;h2&gt;
  
  
  What an unbounded trifecta looks like in production
&lt;/h2&gt;

&lt;p&gt;The Miasma worm, first observed June 1 in compromised &lt;code&gt;@redhat-cloud-services&lt;/code&gt; npm packages, was that 87% number expressed as an event. The campaign republished 96 versions across 32 packages with a preinstall payload that harvested AWS, GCP, and Azure credentials, Vault tokens, SSH keys, and &lt;code&gt;.env&lt;/code&gt; files, then propagated itself through every package the victim's account had permission to publish.&lt;/p&gt;

&lt;p&gt;By June 5, a variant — "Phantom Gyp" — had reached Microsoft Azure's &lt;code&gt;durabletask&lt;/code&gt; repository via a compromised contributor. The payload was 4.3 megabytes, wired to auto-execute inside Claude Code, Gemini CLI, Cursor, VS Code, and &lt;code&gt;npm test&lt;/code&gt;. GitHub disabled 73 Microsoft repositories across four organizations in a 105-second sweep.&lt;/p&gt;

&lt;p&gt;Trace what happened to the AIRQ scorecard for the targeted environments:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Private data&lt;/strong&gt;: cloud provider credentials, SSH keys, source-controlled secrets — the entire &lt;code&gt;.env&lt;/code&gt; file&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Untrusted content&lt;/strong&gt;: a package update from a compromised maintainer account&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Outbound action&lt;/strong&gt;: the preinstall hook running with the developer's local privileges, including outbound HTTP for exfiltration and write access to every package the developer could publish&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Three trifecta legs, on the same execution path, inside the developer's agent tool environment. The defense layer that was supposed to exist between "I installed a dependency" and "I am now exfiltrating credentials" did not.&lt;/p&gt;

&lt;h2&gt;
  
  
  The agent dev environment is the enforcement surface
&lt;/h2&gt;

&lt;p&gt;The thing AIRQ's measurement implies, and Miasma demonstrates, is that the trifecta's enforcement surface is no longer the application boundary. It is the developer's tool environment.&lt;/p&gt;

&lt;p&gt;A Cursor session, a Claude Code session, a Gemini CLI run — these are agent execution contexts with privileged access to the developer's local credentials, source tree, and outbound network. When a compromised npm package executes a preinstall hook inside that context, the trifecta closes on the agent environment, not on a deployed application.&lt;/p&gt;

&lt;p&gt;That changes what the defense layer has to do. Vendor-managed sandboxing of the LLM doesn't help, because the lethal capability — install a package, run &lt;code&gt;npm test&lt;/code&gt;, execute a tool — is on the developer's machine, not in the model provider's data center. Token scoping doesn't help unless the scopes are tight enough to refuse credential reads from arbitrary preinstall hooks. Vault integration doesn't help if the agent environment can read environment variables on behalf of the user.&lt;/p&gt;

&lt;p&gt;The application-layer trifecta is a structural pattern across enterprise agent systems; the AIRQ report measures it. Miasma extended that pattern by one rung up the stack: the developer's tool environment now carries the same trifecta with strictly higher privileges. The 11%-adequately-defended threshold gets harder to clear at this layer, not easier.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The trifecta moved up a layer. The enforcement surface moved with it.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What the structural defense actually looks like
&lt;/h2&gt;

&lt;p&gt;Defenses that survive when the agent environment is the enforcement surface have three properties.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Admission-time gates, not post-hoc detection.&lt;/strong&gt; A preinstall hook that reads credentials and exfiltrates them runs in seconds. Detection-based defense is the wrong tier. The gate has to sit at the layer that decides whether the hook runs at all.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Capability scoping that survives the developer-trusts-the-tool assumption.&lt;/strong&gt; The agent tool environment runs commands the developer authorized. The credential surface has to be narrow enough that "the developer authorized this" doesn't imply "the credentials are reachable."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Identify-and-revoke posture for credential exposure&lt;/strong&gt;, not credential rotation. When a hook has read &lt;code&gt;.env&lt;/code&gt; and shipped the contents, the credentials are exposed regardless of whether they've been rotated since. The operational response is to identify the affected scopes and revoke their permissions, not generate new tokens for the same scopes.&lt;/p&gt;

&lt;p&gt;Miasma's design exploits the absence of all three. The preinstall hook ran at admission time because admission was uninstrumented. The credentials were reachable because tool-environment scoping is rare. The remediation guidance from most affected vendors named rotation as the response, which preserves the attacker's foothold across the rotation cycle.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the harness covers, what it doesn't
&lt;/h2&gt;

&lt;p&gt;The &lt;a href="https://github.com/msaleme/red-team-blue-team-agent-fabric" rel="noopener noreferrer"&gt;&lt;code&gt;agent-security-harness&lt;/code&gt;&lt;/a&gt; community plugin runtime and MCP server modules exercise the equivalent of preinstall-hook code paths inside MCP plugin loading: untrusted YAML, eval-injection patterns, file size caps, regex safety, delay caps. The community runner's plugin validator is the closest defensive analog the harness contains to what Miasma exploited at the npm layer.&lt;/p&gt;

&lt;p&gt;What the harness does not cover today:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The npm preinstall-hook surface itself — that is an upstream package-manager attack vector, not an MCP or A2A protocol attack&lt;/li&gt;
&lt;li&gt;The Claude Code / Cursor / Gemini CLI agent tool environment as a measured execution context — these are vendor-managed sandboxes the harness does not directly probe&lt;/li&gt;
&lt;li&gt;Cross-package contributor-account-compromise propagation — that is a registry-governance question, not an agent-protocol-runtime question&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The AIRQ measurement is the right anchor for what the harness &lt;em&gt;does&lt;/em&gt; measure: the application-layer trifecta defense gap. The Miasma case is the canonical example of why that gap matters at the layer immediately above.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Sources&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://airq.adversa.ai/report" rel="noopener noreferrer"&gt;Adversa AIRQ Q2 2026 Report&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.helpnetsecurity.com/2026/06/03/research-ai-agent-security-capability/" rel="noopener noreferrer"&gt;Help Net Security — AI agent security capability research&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html" rel="noopener noreferrer"&gt;The Hacker News — Miasma supply-chain attack on Red Hat npm&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/" rel="noopener noreferrer"&gt;Microsoft Security Blog — Preinstall persistence inside Red Hat npm&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html" rel="noopener noreferrer"&gt;The Hacker News — Miasma "Phantom Gyp" variant hits 73 Microsoft repos&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/" rel="noopener noreferrer"&gt;Simon Willison — The Lethal Trifecta for AI Agents&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>agents</category>
      <category>supplychain</category>
    </item>
    <item>
      <title>The EU AI Act Was Written for Models. Your Agents Need Runtime Compliance.</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Tue, 26 May 2026 13:04:09 +0000</pubDate>
      <link>https://dev.to/mspro3210/the-eu-ai-act-was-written-for-models-your-agents-need-runtime-compliance-5a4p</link>
      <guid>https://dev.to/mspro3210/the-eu-ai-act-was-written-for-models-your-agents-need-runtime-compliance-5a4p</guid>
      <description>&lt;p&gt;The EU AI Act's high-risk obligations were due to apply on 2 August 2026. On 7 May 2026, the Council and Parliament &lt;a href="https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/" rel="noopener noreferrer"&gt;agreed to move them&lt;/a&gt;: to 2 December 2027 for stand-alone high-risk systems under Annex III, and to 2 August 2028 for high-risk systems embedded in regulated products under Annex I. The agreement is provisional — pending formal adoption and Official Journal publication, expected before the original August date.&lt;/p&gt;

&lt;p&gt;Read why it moved. The deferral is tied to the availability of the harmonised technical standards the regime runs on, and those standards are not ready. A compliance regime does not extend its own flagship deadline by sixteen months unless the evidence it asked for cannot yet be produced.&lt;/p&gt;

&lt;p&gt;The evidence the Act was designed to evaluate — model cards, training-data lineage, evaluation suites, conformity assessments — describes a model artifact at rest. The systems enterprises are actually deploying are autonomous agents that &lt;em&gt;use&lt;/em&gt; those models at runtime.&lt;/p&gt;

&lt;h2&gt;
  
  
  The extension is a confession about runtime evidence
&lt;/h2&gt;

&lt;p&gt;The Act's runtime obligations already exist: automatic logging over the system lifecycle (Article 12), deployer monitoring (Article 26), post-market monitoring (Article 72). They were written for system-level events, not for the tool-call boundary where agent behavior actually lives. That boundary is what the harmonised standards have to make demonstrable — and it is the part no one has standardized.&lt;/p&gt;

&lt;p&gt;The deadline did not slip because regulators went soft on autonomous AI. It slipped because the industry cannot yet produce the runtime evidence the Act demands — and the standards bodies know it.&lt;/p&gt;

&lt;p&gt;The extension buys sixteen months. It does not change what the evidence has to show.&lt;/p&gt;

&lt;h2&gt;
  
  
  Three runtime gaps the act was not written to see
&lt;/h2&gt;

&lt;h3&gt;
  
  
  MCP transport and the sanitization handoff
&lt;/h3&gt;

&lt;p&gt;Tool-protocol transports define the trust boundary between a model's intent and the system it is allowed to touch. When the transport assumes a trusted local context, every downstream control inherits that assumption.&lt;/p&gt;

&lt;p&gt;The National Security Agency &lt;a href="https://www.nsa.gov/Portals/75/documents/Cybersecurity/CSI_MCP_SECURITY.pdf?ver=bmgiSbNQLP6Z_GiWtRt6bg%3D%3D" rel="noopener noreferrer"&gt;published MCP security guidance&lt;/a&gt; in May 2026 — the first time a national-security authority has issued an advisory on an agent tool protocol. The guidance addresses the STDIO transport design and the implicit local-trust assumption that flows from it. Anthropic &lt;a href="https://venturebeat.com/security/mcp-stdio-flaw-200000-ai-agent-servers-exposed-ox-security-audit" rel="noopener noreferrer"&gt;confirmed the behavior is by design&lt;/a&gt;: sanitization is the integrating developer's responsibility.&lt;/p&gt;

&lt;p&gt;That sentence is the entire compliance gap. The protocol shipped a default; the regulation evaluated the model; the boundary control is somebody else's problem. There are more than 200,000 MCP servers exposed, 30+ disclosures across the ecosystem, and ten CVEs across the official SDK languages. None of that surface is what a model-card evaluator looks at.&lt;/p&gt;

&lt;p&gt;Anthropic's response to the systemic risk was &lt;a href="https://www.infoq.com/news/2026/05/claude-mcp-tunnels/" rel="noopener noreferrer"&gt;MCP Tunnels and Self-Hosted Sandboxes&lt;/a&gt;, shipped May 19 as a limited research preview. Private-network MCP deployment is the right architectural direction. It is also a tacit acknowledgement that public-network MCP is not a posture an enterprise can take to a regulator.&lt;/p&gt;

&lt;h3&gt;
  
  
  x402 spend governance arrived from the security vendor, not the protocol
&lt;/h3&gt;

&lt;p&gt;Payment-capable agents define a new category of compliance surface. The model can be perfectly aligned at training time and still authorize a spend at runtime that the deployer cannot defend in an audit.&lt;/p&gt;

&lt;p&gt;x402, the HTTP 402 revival for agent-initiated payments, shipped without native spend governance. &lt;a href="https://www.prnewswire.com/news-releases/fireblocks-joins-x402-foundation-launches-agentic-payments-suite-302777251.html" rel="noopener noreferrer"&gt;Fireblocks joined the x402 Foundation on May 20, 2026&lt;/a&gt; and released a security extension that adds request integrity and spend-policy controls on top of the base protocol. &lt;a href="https://aws.amazon.com/blogs/industries/x402-and-agentic-commerce-redefining-autonomous-payments-in-financial-services/" rel="noopener noreferrer"&gt;AWS launched Bedrock AgentCore Payments&lt;/a&gt; in preview on May 7, with policy-based spend controls and an audit trail as managed-service primitives.&lt;/p&gt;

&lt;p&gt;The pattern is consistent. The protocol shipped the capability; security and policy enforcement arrived as a second layer from vendors who took the runtime-control problem seriously. The AI Act will hold the deployer accountable for the spend, not the protocol for the omission.&lt;/p&gt;

&lt;h3&gt;
  
  
  Payment-tool authorization and the AP2/ACP interop layer
&lt;/h3&gt;

&lt;p&gt;Agent-to-merchant payment flows define a new authorization surface that did not exist when the AI Act text was finalized. Stripe shipped its &lt;a href="https://stripe.com/blog/agentic-commerce-suite" rel="noopener noreferrer"&gt;Link agent wallet and ACP/AP2 interop at Sessions 2026&lt;/a&gt;. The flows are real, the volume is small, and the standards are still being negotiated in public.&lt;/p&gt;

&lt;p&gt;The compliance question is not whether the model approved the purchase. It is whether the operator can produce, on demand, a runtime audit trail that shows which constraint gated the authorization, which credential signed the request, and which policy revoked it when the spend pattern drifted.&lt;/p&gt;

&lt;p&gt;That evidence is not produced by a model card. It is produced by the runtime, or it is not produced at all.&lt;/p&gt;

&lt;h2&gt;
  
  
  Static model audits and the time-shift problem
&lt;/h2&gt;

&lt;p&gt;A model audit evaluates an artifact at training time. An agent violation occurs at tool-use time. The two events are separated by every input the agent will ever receive in production and every tool it will ever be granted.&lt;/p&gt;

&lt;p&gt;A model card cannot tell you which MCP server an agent called yesterday at 3am. A conformity assessment cannot tell you which x402 endpoint absorbed an unbounded spend. A datasheet cannot show you which constraint failed open when a prompt injection rewrote the agent's plan.&lt;/p&gt;

&lt;p&gt;Models pass audits at training time. Agents fail them at tool-use time. The deadline moved to December 2027; the gap did not move with it.&lt;/p&gt;

&lt;h2&gt;
  
  
  What runtime compliance actually looks like
&lt;/h2&gt;

&lt;p&gt;The control surface the AI Act implies but does not specify has three layers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Adversarial testing of the agent's tool surface.&lt;/strong&gt; Not red-teaming the model — red-teaming the runtime composition. Prompt injection against the actual tool list. Spend-bound bypass against the actual x402 client. MCP transport abuse against the actual server set. The artifact under test is the deployed agent, not the model behind it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Decision-gate governance with hard constraints.&lt;/strong&gt; A constraint is not a system-prompt instruction. It is a runtime gate the agent cannot route around, with an amendment protocol that produces a paper trail when the constraint changes. The AI Act's high-risk obligations imply this; they do not specify the mechanism.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Runtime audit trails that survive a regulator's read.&lt;/strong&gt; What was authorized, by which credential, against which policy, with what evidence — and when exposed credentials are detected, the operator's first move is to identify and revoke, not to rotate after the fact. Rotation assumes you already know what needs rotating. Identification is the regulatory question.&lt;/p&gt;

&lt;p&gt;This is the work category I have been publishing under for the last year. The harness on PyPI as &lt;a href="https://pypi.org/project/agent-security-harness/" rel="noopener noreferrer"&gt;&lt;code&gt;agent-security-harness&lt;/code&gt;&lt;/a&gt; runs adversarial coverage across MCP, A2A, x402, and L402 — pre-cert against AIUC-1 and aligned to &lt;a href="https://doi.org/10.6028/NIST.AI.800-2.ipd" rel="noopener noreferrer"&gt;NIST AI 800-2&lt;/a&gt; — and grades every finding by evidence class, so an admission-time observation never reads as an enforcement guarantee. The governance package &lt;a href="https://pypi.org/project/constitutional-agent/" rel="noopener noreferrer"&gt;&lt;code&gt;constitutional-agent&lt;/code&gt;&lt;/a&gt; carries six decision gates, twelve hard constraints, and an amendment protocol that produces a paper trail when a constraint changes. We have not found another open framework that covers both the adversarial-testing layer and the constitutional-governance layer as a paired stack. That is the point — the gap is real enough that the two layers had to be built separately and composed.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the bifurcation actually splits
&lt;/h2&gt;

&lt;p&gt;Vendors will claim model compliance. Most of those claims will be defensible at the artifact level, in the narrow technical sense the act evaluates. None of them will close the runtime gap, because the runtime is not the vendor's artifact — it is the deployer's composition.&lt;/p&gt;

&lt;p&gt;The bifurcation is not about who is compliant. It is about which layer of the stack the compliance evidence describes. Deployers who can produce runtime audit trails, hard-constraint enforcement logs, and adversarial coverage reports will have evidence that maps to high-risk obligations. Deployers who can only forward a vendor's model card will have a document that describes something other than the system that actually shipped.&lt;/p&gt;

&lt;p&gt;The clock reset to December 2027. The model evidence is the vendor's to provide; the runtime evidence is yours to produce.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>compliance</category>
      <category>agents</category>
    </item>
    <item>
      <title>Stop Babysitting What? The Trust Boundary You Just Relocated.</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Fri, 22 May 2026 15:52:15 +0000</pubDate>
      <link>https://dev.to/mspro3210/stop-babysitting-what-the-trust-boundary-you-just-relocated-34i3</link>
      <guid>https://dev.to/mspro3210/stop-babysitting-what-the-trust-boundary-you-just-relocated-34i3</guid>
      <description>&lt;p&gt;On 2026-05-19, Sid Bidasaria — founding engineer and tech lead of Claude Code at Anthropic — gave a talk at Code with Claude London titled "Stop babysitting your agents." The talk lays out three patterns that compound: verification loops, parallelization, and background routines. The argument is genuine, the engineering is real, and the patterns work.&lt;/p&gt;

&lt;p&gt;But each pattern shares an unstated assumption: that the automation you put in place to remove human oversight is &lt;em&gt;itself&lt;/em&gt; trustworthy. The talk scales the things you can automate. It does not scale the question that decides whether the automation is safe.&lt;/p&gt;

&lt;p&gt;The trust boundary doesn't disappear when you automate. It relocates. Each of the three patterns moves it to a different surface, most of which teams have not built infrastructure for yet.&lt;/p&gt;

&lt;h2&gt;
  
  
  Pattern 1 — Verification loops move the trust boundary from "code review" to the harness itself
&lt;/h2&gt;

&lt;p&gt;When an agent verifies its own work, the question "is this code safe?" is replaced by "is the verification harness adversarially robust?" The two are not the same.&lt;/p&gt;

&lt;p&gt;The structural failure mode is concrete. Over the past six months, the AI agent framework ecosystem has shipped a coherent cluster of CWE-502 (insecure deserialization) vulnerabilities:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2026-26210&lt;/strong&gt; — ktransformers ≤ 0.5.3, CVSS 9.8 — ZMQ ROUTER socket binds 0.0.0.0 with no authentication; worker calls &lt;code&gt;pickle.loads()&lt;/code&gt; on raw network bytes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2026-28277&lt;/strong&gt; — langgraph ≤ 1.0.9, CVSS 7.2 — SQLite checkpoint loader reconstructs Python objects from msgpack without an allowlist.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2025-68664&lt;/strong&gt; — langchain-core &amp;lt; 0.3.81, CVSS 9.3 — &lt;code&gt;dumps()&lt;/code&gt;/&lt;code&gt;dumpd()&lt;/code&gt; allow user-controlled &lt;code&gt;lc&lt;/code&gt; keys, enabling Jinja2 template injection and credential extraction on deserialize.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2026-7712&lt;/strong&gt; — MindsDB ≤ 26.01, CVSS 6.3 — &lt;code&gt;pickle.loads()&lt;/code&gt; in the Pickle Handler without input validation; vendor declined to patch.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;An agent that resumes from a poisoned checkpoint will self-verify successfully, because the verification runs in the same process that just got compromised. The prompt injection that lets an agent write malicious code can corrupt the agent's "I checked it" claim by the same mechanism. The verifier and the thing being verified share a substrate, and that substrate is the attack surface.&lt;/p&gt;

&lt;p&gt;The fix is not "tell Claude to check more carefully." The fix is adversarial tests for the verifier itself: prompt-injection vectors that target the verification claim, checkpoint poisoning that survives self-verification, tool-output manipulation that flips PASS to FAIL.&lt;/p&gt;

&lt;p&gt;When Pattern 1 lands, the trust boundary has moved. "Did a human read the diff" is replaced by "is the harness verified." Don't conflate "Claude verified it" with "the verification is verified."&lt;/p&gt;

&lt;h2&gt;
  
  
  Pattern 2 — Parallelization moves the trust boundary to agent-to-agent attestation
&lt;/h2&gt;

&lt;p&gt;The Bidasaria framework's natural extension is the asymmetric notification architecture: agents seek aid from adjacent specialized agent processes rather than escalating to humans. Ten Claudes verifying each other. Cross-agent attestation as the gate.&lt;/p&gt;

&lt;p&gt;This is where lived evidence gets uncomfortable. Operating on AI agent standards-body threads (a2aproject/A2A, microsoft/autogen, x402-foundation/x402) for two months has surfaced a recurring pattern: an account named &lt;code&gt;kenneives&lt;/code&gt; "independently verifies" a proposal from &lt;code&gt;Liuyanfeng1234&lt;/code&gt;. Both validate &lt;code&gt;arian-gogani&lt;/code&gt;'s receipts in a parallel thread. On 2026-05-16, &lt;code&gt;arian-gogani&lt;/code&gt; publicly admitted that &lt;code&gt;SpeedGenius00&lt;/code&gt; — which had been "independently verifying" the same proposals — was an old account of his, accidentally posted under.&lt;/p&gt;

&lt;p&gt;That cluster operates exactly the architecture the asymmetric-notification prescription describes. Agents validating each other to reduce human notification load. The closed loop sells itself as "independent verification" because the human in the loop has been removed by design.&lt;/p&gt;

&lt;p&gt;Cross-agent attestation cannot be the trust boundary. It has to &lt;em&gt;reference&lt;/em&gt; a trust boundary that lives somewhere the agents do not control. Out-of-band identity (W3C DIDs, cryptographically-signed agent attestations), verifiable evidence schemas that compose across providers, substrate-neutral standards bodies — these are not features to add later. They are the surface where Pattern 2 either works or collapses.&lt;/p&gt;

&lt;p&gt;When Pattern 2 lands, the trust boundary has moved. "Did a human verify each agent's output" is replaced by "is the substrate the agents reference independent of the agents themselves." Trust the substrate, not the peers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Pattern 3 — Background routines move the trust boundary to policy enforcement at the gate
&lt;/h2&gt;

&lt;p&gt;When agents run continuously without you, the question "did anyone check this?" is replaced by "did the gate enforce the policy?" An autonomous routine that patches a dependency, refactors a service, or queues a PR is, by design, accountable only to the constraints it cannot override.&lt;/p&gt;

&lt;p&gt;Two recent disclosures expose how brittle this gets without hard constraints. On 2026-05-13, Akamai disclosed three MCP database-server vulnerabilities; Alibaba Cloud's RDS MCP response was "not applicable" for a fix. On 2026-05-03, MindsDB declined to patch CVE-2026-7712. &lt;strong&gt;Two confirmed instances of vendor-refusal-as-disclosure-failure-mode in three weeks.&lt;/strong&gt; The coordinated-disclosure pipeline has no machine-readable "refused" status code. A continuous autonomous maintenance routine has no signal to act on. The dependency gets pulled, the patch gets queued, the verification gets run — and the trust boundary the operator thought they had is sitting in a private email between a researcher and a vendor.&lt;/p&gt;

&lt;p&gt;Non-overridable hard constraints at the policy gate are what make Pattern 3 survive contact with this environment. The autonomous routine that pulls a new dependency must pass through a gate that asks: does this dependency violate a constraint the agent cannot rewrite, even if it "verified" the change?&lt;/p&gt;

&lt;p&gt;When Pattern 3 lands, the trust boundary has moved. "Did a human approve each change" is replaced by "are the gate's hard constraints non-overridable, even by the agent itself."&lt;/p&gt;

&lt;h2&gt;
  
  
  The fourth pattern
&lt;/h2&gt;

&lt;p&gt;Each of Bidasaria's three patterns is real. Each makes you faster. Each is necessary if agents are going to operate at scale.&lt;/p&gt;

&lt;p&gt;But each &lt;em&gt;relocates&lt;/em&gt; the trust boundary to a surface most teams have not built yet:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Pattern 1&lt;/strong&gt; moves it to the harness. Verify the harness.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Pattern 2&lt;/strong&gt; moves it to inter-agent attestation. Trust the substrate, not the peers.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Pattern 3&lt;/strong&gt; moves it to the gate. Enforce constraints the agent cannot override.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The talk says stop babysitting. The right question is: stop babysitting &lt;em&gt;what&lt;/em&gt;? You can stop babysitting the keystrokes. You can stop babysitting the diff. You can stop babysitting the wall clock.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;You cannot stop babysitting the trust boundary. You can only relocate it.&lt;/strong&gt; The work has not disappeared; it moved into the verification infrastructure, the identity substrate, and the policy gate.&lt;/p&gt;

&lt;h2&gt;
  
  
  Operator prescriptions
&lt;/h2&gt;

&lt;p&gt;For Pattern 1 (verification loops):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Build adversarial tests for the verifier itself, not just the code under test.&lt;/li&gt;
&lt;li&gt;Specific surfaces: prompt-injection against the verification claim, checkpoint poisoning that survives self-verification, tool-output flips on PASS/FAIL.&lt;/li&gt;
&lt;li&gt;Treat "Claude verified it" as untrusted until verified out-of-process.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For Pattern 2 (parallelization):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Out-of-band identity for cross-agent attestation: signed DIDs, evidence schemas that compose across providers.&lt;/li&gt;
&lt;li&gt;Reference a substrate the agents do not control. The work being done in MCP, A2A, x402, and the OWASP Agentic Security Initiative is exactly this.&lt;/li&gt;
&lt;li&gt;Treat agent-to-agent "I verified this" as the cluster pattern until anchored to identity.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For Pattern 3 (background routines):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Non-overridable hard constraints at the policy gate. The agent that wrote the constraint cannot rewrite it.&lt;/li&gt;
&lt;li&gt;Audit log with bilateral co-signature (one party signs, another verifies on independent infrastructure).&lt;/li&gt;
&lt;li&gt;Machine-readable "refused" status for vendor disclosure outcomes — pending standards-body work; until then, route around refusing-vendor surfaces explicitly.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The compounding effect
&lt;/h2&gt;

&lt;p&gt;Stacked, the three patterns are powerful. Stacked &lt;em&gt;with the fourth&lt;/em&gt; — verify the verifier, trust the substrate, enforce non-overridable constraints — they survive contact with the threat environment the talk does not mention.&lt;/p&gt;

&lt;p&gt;Without the fourth, the three patterns are an attack surface multiplier. Each layer of automation removes a human-in-the-loop check while assuming the agents below it are honest. The CWE-502 cluster, the authority-laundering cluster, and the vendor-refusal pattern are not edge cases. They are the operational present.&lt;/p&gt;

&lt;p&gt;Bidasaria's vision is correct. The babysitting can stop. But the relocation work has to happen first — and the engineering organizations that do that work before scaling agent fleets will be the ones whose automation survives the first adversarial contact.&lt;/p&gt;

&lt;p&gt;Stop babysitting what? Stop babysitting the keystrokes. Keep babysitting the trust boundary. That is the actual work.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Saleme, Michael K. — ORCID &lt;a href="https://orcid.org/0009-0003-6736-1900" rel="noopener noreferrer"&gt;0009-0003-6736-1900&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;References: Sid Bidasaria, "Stop babysitting your agents," Code with Claude London, 2026-05-19. Open-source artifacts: &lt;a href="https://github.com/msaleme/red-team-blue-team-agent-fabric" rel="noopener noreferrer"&gt;agent-security-harness&lt;/a&gt; (470 adversarial tests across MCP, A2A, x402, L402) · &lt;a href="https://github.com/CognitiveThoughtEngine/constitutional-agent-governance" rel="noopener noreferrer"&gt;constitutional-agent&lt;/a&gt; (six-gate governance with 12 hard constraints).&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>agents</category>
      <category>governance</category>
    </item>
    <item>
      <title>May 2026: The MCP Attack Surface Tripled — Three Disclosures and a Bank's SEC Filing Tell You What to Test</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Fri, 15 May 2026 16:46:50 +0000</pubDate>
      <link>https://dev.to/mspro3210/may-2026-the-mcp-attack-surface-tripled-three-disclosures-and-a-banks-sec-filing-tell-you-what-23nd</link>
      <guid>https://dev.to/mspro3210/may-2026-the-mcp-attack-surface-tripled-three-disclosures-and-a-banks-sec-filing-tell-you-what-23nd</guid>
      <description>&lt;p&gt;In the past two weeks, four publicly-documented events made the AI agent attack surface concrete in a way vendor marketing usually obscures. They share a single structural property: the agent's trust model is wrong, and the consequences are now measurable.&lt;/p&gt;

&lt;h2&gt;
  
  
  The exposure count tripled in nine months
&lt;/h2&gt;

&lt;p&gt;Trend Micro's 2026-04-28 update on exposed MCP servers reports the population grew from 492 (July 2025) to &lt;strong&gt;1,467&lt;/strong&gt; — a near-tripling over nine months. Seventy-four percent are hosted on AWS, Azure, GCP, or Oracle. Per Trend Micro, exposed MCP servers "have become powerful vectors for cloud attacks, enabling threat actors to not only access sensitive data but also take control of the cloud services themselves."&lt;/p&gt;

&lt;p&gt;The attack chain is mundane and operationally serious. A command-injection bug in a community-maintained MCP server like &lt;code&gt;aws-mcp-server&lt;/code&gt; (CVE-2026-5058, CVSS 9.8) lets an attacker execute as the EC2 instance the MCP process runs on. That process queries the EC2 instance metadata service for the role's temporary credentials. From there: S3, DynamoDB, Lambda, IAM user creation, EC2 launches for persistence. Classic IMDS credential theft via a new entry point, not novel cloud-attack tradecraft.&lt;/p&gt;

&lt;p&gt;The structural fact is that MCP servers were designed for &lt;code&gt;localhost&lt;/code&gt;/stdio and got bound to &lt;code&gt;0.0.0.0&lt;/code&gt; over a deprecated SSE transport because that's what "make it work over HTTP" looked like to the people deploying them.&lt;/p&gt;

&lt;h2&gt;
  
  
  Three database-wrapper MCPs, one structural failure mode
&lt;/h2&gt;

&lt;p&gt;On 2026-05-13, Akamai researcher Tomer Peled disclosed three vulnerabilities in MCP servers that wrap analytical databases. The pattern is consistent across all three.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Apache Doris MCP (CVE-2025-66335).&lt;/strong&gt; The &lt;code&gt;exec_query&lt;/code&gt; tool wraps a SQL execution surface. The &lt;code&gt;db_name&lt;/code&gt; parameter is unsanitized; a downstream SQL validator only inspects the first portion of the constructed query and therefore sees only the attacker-controlled prefix. Patched in &lt;code&gt;doris-mcp-server&lt;/code&gt; 0.6.1.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;StarTree mcp-pinot (issue #90, unpatched at disclosure).&lt;/strong&gt; Verbatim from Peled's filing: "By default the server is binding to 0.0.0.0 and OAuth is off by default." The &lt;code&gt;read_query&lt;/code&gt; tool's validation is one line — &lt;code&gt;if not query.strip().upper().startswith("SELECT"): raise ValueError(...)&lt;/code&gt; — trivially bypassed via UNION, stacked queries, or comments. StarTree later added OAuth-over-HTTP, but the SQLi in &lt;code&gt;read_query&lt;/code&gt; remains.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Alibaba Cloud RDS MCP (no CVE).&lt;/strong&gt; Unauthenticated access to the RAG retrieval tool. Alibaba classified the issue as &lt;strong&gt;"not applicable"&lt;/strong&gt; for a fix.&lt;/p&gt;

&lt;p&gt;All three share one failure mode: &lt;strong&gt;the MCP tool wraps a SQL-execution surface and inherits the trust model of the AI agent instead of the database.&lt;/strong&gt; The validator-as-theatre pattern (Doris), the transport-without-auth pattern (Pinot), and the RAG-as-side-door pattern (Alibaba) are different surface manifestations of the same trust-boundary error.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sandbox isolation as a checkbox
&lt;/h2&gt;

&lt;p&gt;CVE-2026-42302, disclosed 2026-05-08, is the cleanest single-CVE artifact of the month. &lt;strong&gt;FastGPT's agent-sandbox &lt;code&gt;entrypoint.sh&lt;/code&gt; launches &lt;code&gt;code-server&lt;/code&gt; with &lt;code&gt;--auth none&lt;/code&gt; bound to &lt;code&gt;0.0.0.0:8080&lt;/code&gt;.&lt;/strong&gt; Any network-reachable attacker gets unauthenticated remote code execution. CVSS 9.8. Affects FastGPT 4.14.10–4.14.12, patched in 4.14.13 (GHSA-34rc-438g-7w78).&lt;/p&gt;

&lt;p&gt;The sandbox component existed because someone designed isolation into the product. The &lt;code&gt;--auth none&lt;/code&gt; flag was a deployment choice that nullified it. Sandbox-as-checkbox is not isolation.&lt;/p&gt;

&lt;h2&gt;
  
  
  The shadow-AI class shows up on Form 8-K
&lt;/h2&gt;

&lt;p&gt;On 2026-05-12, The Register reported that a US commercial bank self-disclosed to the SEC: employees fed customer data — &lt;strong&gt;including Social Security Numbers&lt;/strong&gt; — into an unauthorized third-party AI application, outside the bank's approved systems.&lt;/p&gt;

&lt;p&gt;Notice what this isn't. It isn't a framework CVE. It isn't a misconfigured MCP server. It isn't a sandbox that lost its &lt;code&gt;--auth&lt;/code&gt;. The agent attack surface here is the &lt;strong&gt;absence of a sanctioned alternative&lt;/strong&gt; — employees route work to an unapproved tool because the sanctioned path is slower than the deadline.&lt;/p&gt;

&lt;p&gt;The bank's disclosure puts shadow AI in the regulatory record. That's the first thing about the SEC filing that matters. The second thing is that it forces every CISO of a federally-regulated firm to assume the same path exists in their org.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this means for any operator
&lt;/h2&gt;

&lt;p&gt;Across all four events, three things are simultaneously true:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;The agent's trust model is wrong.&lt;/strong&gt; MCP servers inherit the agent's authority, not the database's; agent sandboxes inherit the deployer's network config, not the threat model; shadow-AI tools inherit the employee's session credentials.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Vendor responsibility is asymmetric.&lt;/strong&gt; Doris shipped a patch in master in December 2025. StarTree fixed half the problem. Alibaba returned "not applicable." When the same class of vulnerability is a CVE for an open-source ASF project and out-of-scope for a hyperscaler SKU, operators absorb the asymmetry.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;The detection surfaces don't compose yet.&lt;/strong&gt; Endpoint probing catches handler-side bugs. Chain reading catches declaration-versus-behavior drift. DLP catches employee exfiltration. None of those tools see the others' artifacts.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  What to test now
&lt;/h2&gt;

&lt;p&gt;For the MCP class:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Probe every MCP tool that wraps a SQL surface for parameter injection (Doris pattern, Pinot pattern).&lt;/li&gt;
&lt;li&gt;Test whether tool registration accepts admin overrides without authentication (Alibaba pattern).&lt;/li&gt;
&lt;li&gt;Audit deployment scripts for &lt;code&gt;--auth none&lt;/code&gt;, &lt;code&gt;0.0.0.0&lt;/code&gt; binds, and SSE transport (FastGPT pattern, Trend Micro at scale).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For the governance class:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Inventory unapproved AI tools your workforce already uses. The number is non-zero.&lt;/li&gt;
&lt;li&gt;Map each sanctioned tool to a maximum data-class permitted; refuse SSN/PHI/PCI exposure on tools that aren't certified for it.&lt;/li&gt;
&lt;li&gt;Treat shadow AI as a sanctioned-alternative gap, not a discipline failure.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Identify and revoke
&lt;/h2&gt;

&lt;p&gt;When a managed-plane vendor declares unauthenticated access to a RAG retrieval tool "not applicable," the operator response isn't to rotate credentials. There is nothing to rotate. The response is to &lt;strong&gt;identify which agent workflows route through that surface and revoke the trust the workflow assumed it had&lt;/strong&gt; — until the vendor's posture changes or the workflow migrates.&lt;/p&gt;

&lt;p&gt;When an employee posts customer SSNs to an unapproved AI app, the response isn't to retrain the employee. The trust boundary the employee bypassed was tooling-shaped, not training-shaped. The response is to &lt;strong&gt;identify the gap in the sanctioned toolset and close it&lt;/strong&gt; — and revoke the workforce's reliance on a tool the firm cannot audit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;MCP database servers ship the database's blast radius with the agent's trust model. The four events of the past two weeks make that fact citable.&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Saleme, Michael K. — ORCID &lt;a href="https://orcid.org/0009-0003-6736-1900" rel="noopener noreferrer"&gt;0009-0003-6736-1900&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Open-source artifacts referenced: &lt;code&gt;agent-security-harness&lt;/code&gt; (&lt;a href="https://github.com/msaleme/red-team-blue-team-agent-fabric" rel="noopener noreferrer"&gt;github.com/msaleme/red-team-blue-team-agent-fabric&lt;/a&gt;, 470 tests covering MCP, A2A, x402, L402 — direct mappings: MCP-001, MCP-003, MCP-010, MCP-015, MCP-016, CREW-001, CREW-010, AUTH-001, DATA-001, DATA-003, IR-007). &lt;code&gt;constitutional-agent&lt;/code&gt; (&lt;a href="https://github.com/CognitiveThoughtEngine/constitutional-agent-governance" rel="noopener noreferrer"&gt;github.com/CognitiveThoughtEngine/constitutional-agent-governance&lt;/a&gt;, HC-6, HC-12, GovernanceGate, EpistemicGate).&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>agents</category>
      <category>mcp</category>
    </item>
    <item>
      <title>When prompts become shells: the tool registry is the attack surface</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Sun, 10 May 2026 16:00:00 +0000</pubDate>
      <link>https://dev.to/mspro3210/when-prompts-become-shells-the-tool-registry-is-the-attack-surface-52n6</link>
      <guid>https://dev.to/mspro3210/when-prompts-become-shells-the-tool-registry-is-the-attack-surface-52n6</guid>
      <description>&lt;p&gt;On May 7, 2026, Microsoft published "&lt;a href="https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/" rel="noopener noreferrer"&gt;When Prompts Become Shells: RCE vulnerabilities in AI agent frameworks&lt;/a&gt;" — a retrospective on two Critical (9.9) CVEs in Semantic Kernel that landed in February and were patched within days.&lt;/p&gt;

&lt;p&gt;The CVEs are bad. The framing is worse — and worth reading carefully.&lt;/p&gt;

&lt;h2&gt;
  
  
  The two CVEs
&lt;/h2&gt;

&lt;h3&gt;
  
  
  CVE-2026-26030 — &lt;code&gt;eval()&lt;/code&gt; on attacker-controlled filter strings
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;InMemoryVectorStore&lt;/code&gt; accepts user-supplied filter expressions and evaluates them. Filter strings are interpolated into a Python expression and executed via &lt;code&gt;eval()&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="n"&gt;expr&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"'&lt;/span&gt;&lt;span class="s"&gt; or &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;user_filter&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt; or &lt;/span&gt;&lt;span class="sh"&gt;'"&lt;/span&gt;
&lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;eval&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;expr&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;__builtins__&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{}},&lt;/span&gt; &lt;span class="p"&gt;{})&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;An AST blocklist exists. It enumerates dangerous node types: &lt;code&gt;Import&lt;/code&gt;, &lt;code&gt;Call&lt;/code&gt; to known names, attribute access on a denylist. The blocklist was bypassable through undocumented attribute traversal — &lt;code&gt;__name__&lt;/code&gt;, &lt;code&gt;load_module&lt;/code&gt;, &lt;code&gt;BuiltinImporter&lt;/code&gt; — none of which the filter explicitly denied. From there the attacker reaches &lt;code&gt;os.system&lt;/code&gt; through the importer machinery without ever hitting an &lt;code&gt;Import&lt;/code&gt; node.&lt;/p&gt;

&lt;p&gt;Patched: &lt;code&gt;semantic-kernel&lt;/code&gt; Python &lt;code&gt;1.39.4&lt;/code&gt;. Three external researchers credited.&lt;/p&gt;

&lt;h3&gt;
  
  
  CVE-2026-25592 — &lt;code&gt;DownloadFileAsync&lt;/code&gt; exposed as a kernel function
&lt;/h3&gt;

&lt;p&gt;In &lt;code&gt;SessionsPythonPlugin&lt;/code&gt;, the &lt;code&gt;DownloadFileAsync&lt;/code&gt; method was decorated with &lt;code&gt;[KernelFunction]&lt;/code&gt;. That single attribute makes a function callable by the LLM as a tool. The method accepts a &lt;code&gt;localFilePath&lt;/code&gt; parameter with no canonicalization, no directory allowlist, no validation of any kind.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight csharp"&gt;&lt;code&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;KernelFunction&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;span class="k"&gt;public&lt;/span&gt; &lt;span class="k"&gt;async&lt;/span&gt; &lt;span class="n"&gt;Task&lt;/span&gt; &lt;span class="nf"&gt;DownloadFileAsync&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;remoteUrl&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;localFilePath&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="c1"&gt;// No path validation. No scope check. No allowlist.&lt;/span&gt;
    &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="n"&gt;File&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;WriteAllBytesAsync&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;localFilePath&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;content&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A prompt that gets the agent to call this tool with &lt;code&gt;localFilePath = "C:\\Windows\\Start Menu\\Programs\\Startup\\malware.exe"&lt;/code&gt; writes a file that executes on the next user login. Sandbox escape, host-level persistence, in one tool call.&lt;/p&gt;

&lt;p&gt;Patched: &lt;code&gt;Microsoft.SemanticKernel.Plugins.Core&lt;/code&gt; &lt;code&gt;1.71.0&lt;/code&gt;. Same three researchers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Microsoft's load-bearing line
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;"Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk... because these frameworks act as a ubiquitous foundational layer, a single vulnerability in how they map AI model outputs to system tools carries systemic risk."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That's not throwaway language. They're naming a class.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A registered tool that wraps &lt;code&gt;eval()&lt;/code&gt; turns prompt injection into a syscall.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Every agent framework has a tool registry. Every registry maps LLM-generated strings to functions. If any registered function wraps a dangerous primitive — &lt;code&gt;eval&lt;/code&gt;, &lt;code&gt;exec&lt;/code&gt;, &lt;code&gt;Download*&lt;/code&gt;, raw filesystem write — prompt injection is no longer a content problem. It's a scope problem.&lt;/p&gt;

&lt;h2&gt;
  
  
  What runtime testing catches
&lt;/h2&gt;

&lt;p&gt;Most agent security tools — including the harness I work on (&lt;a href="https://github.com/msaleme/red-team-blue-team-agent-fabric" rel="noopener noreferrer"&gt;msaleme/red-team-blue-team-agent-fabric&lt;/a&gt;) — operate at runtime. They send adversarial prompts, observe what the agent does, and flag deviations from declared behavior. Several tests in that suite map directly to these CVEs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;MCP-010&lt;/strong&gt;: injects path traversal, template injection, and command substitution payloads into tool call arguments. Catches the &lt;code&gt;DownloadFileAsync&lt;/code&gt; exploit &lt;em&gt;if you've already invoked the tool&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SS-002&lt;/strong&gt;: scans declared permissions against actual code, fails when &lt;code&gt;exec:none&lt;/code&gt; is declared but &lt;code&gt;eval()&lt;/code&gt; appears in the body. Catches CVE-26030's pattern &lt;em&gt;if a permission declaration exists&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SS-007&lt;/strong&gt;: enforces sandboxing tiers — a tool wrapping filesystem-write should be Tier-1, never auto-promoted to Tier-3.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each is useful. None is sufficient.&lt;/p&gt;

&lt;h2&gt;
  
  
  What runtime testing misses
&lt;/h2&gt;

&lt;p&gt;The upstream cause of both CVEs is structural: a function that &lt;em&gt;could&lt;/em&gt; call &lt;code&gt;eval()&lt;/code&gt; was registered as a tool. A function that &lt;em&gt;could&lt;/em&gt; write any path was decorated with &lt;code&gt;[KernelFunction]&lt;/code&gt;. The vulnerability existed at registration time, not at invocation time.&lt;/p&gt;

&lt;p&gt;Runtime probes can't see this. They observe the symptom — a bad call happens — and report it after the fact. They don't enumerate the framework's tool registry at load time and traverse the call graph of each registered callable looking for dangerous primitives.&lt;/p&gt;

&lt;p&gt;That gap is closer to a &lt;strong&gt;Semgrep-over-the-tool-registry&lt;/strong&gt; rule than a runtime test. Roughly:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;rules&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;id&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;kernel-function-wraps-dangerous-primitive&lt;/span&gt;
    &lt;span class="na"&gt;pattern-either&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;patterns&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern-inside&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;|&lt;/span&gt;
              &lt;span class="s"&gt;[KernelFunction]&lt;/span&gt;
              &lt;span class="s"&gt;... $METHOD(...) { ... }&lt;/span&gt;
          &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern-either&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;eval(...)&lt;/span&gt;
              &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;exec(...)&lt;/span&gt;
              &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;subprocess.$ANY(...)&lt;/span&gt;
              &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;File.WriteAllBytesAsync(...)&lt;/span&gt;
              &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;File.WriteAllText(...)&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;patterns&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern-inside&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;|&lt;/span&gt;
              &lt;span class="s"&gt;@kernel_function&lt;/span&gt;
              &lt;span class="s"&gt;def $METHOD(...): ...&lt;/span&gt;
          &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern-either&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;eval(...)&lt;/span&gt;
              &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;exec(...)&lt;/span&gt;
              &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;pattern&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;__import__(...)&lt;/span&gt;
    &lt;span class="na"&gt;message&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;|&lt;/span&gt;
      &lt;span class="s"&gt;Function registered as an LLM-callable tool wraps a dangerous primitive.&lt;/span&gt;
      &lt;span class="s"&gt;The LLM can now invoke this primitive with attacker-influenced arguments.&lt;/span&gt;
    &lt;span class="na"&gt;severity&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ERROR&lt;/span&gt;
    &lt;span class="na"&gt;languages&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="nv"&gt;python&lt;/span&gt;&lt;span class="pi"&gt;,&lt;/span&gt; &lt;span class="nv"&gt;csharp&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That rule would have flagged both CVEs in CI before they reached production.&lt;/p&gt;

&lt;p&gt;The harder version of this problem is transitive: a registered tool that calls a helper that calls &lt;code&gt;eval()&lt;/code&gt;. That requires whole-program analysis. But the first-order cases — direct calls inside the function body — are catchable with the same tooling teams already use for SQL injection and unsafe deserialization.&lt;/p&gt;

&lt;h2&gt;
  
  
  What I take away
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;The LLM is not a security boundary.&lt;/strong&gt; Microsoft says this in their architectural recommendations and they're right. Treat every LLM-generated string as untrusted input at every system call.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The tool registry is the trust boundary.&lt;/strong&gt; Whether a function is callable by the model is a security decision, not a developer-convenience decision. Every &lt;code&gt;@tool&lt;/code&gt; / &lt;code&gt;[KernelFunction]&lt;/code&gt; / &lt;code&gt;register_tool()&lt;/code&gt; decorator is a capability grant.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Runtime tests catch what registration audits should have caught upstream.&lt;/strong&gt; Both layers are necessary. Neither is sufficient on its own.&lt;/p&gt;

&lt;p&gt;I'm interested in how teams are currently auditing this — whether at PR-time as a Semgrep rule, at registration time as a runtime check, or trust-on-load with downstream gating. Drop a note in the comments if your stack does any of these.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Full test mappings (SS-002, SS-007, MCP-010, MCP-001, HC-5, HC-6, RiskGate) and the cross-link to the constitutional governance layer (&lt;a href="https://github.com/CognitiveThoughtEngine/constitutional-agent-governance" rel="noopener noreferrer"&gt;CognitiveThoughtEngine/constitutional-agent-governance&lt;/a&gt;) are in the &lt;a href="https://github.com/msaleme/red-team-blue-team-agent-fabric/discussions/212" rel="noopener noreferrer"&gt;GitHub Discussion&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cve</category>
      <category>aiagents</category>
      <category>ai</category>
    </item>
    <item>
      <title>When a protocol vendor declines to patch, the test harness becomes the spec</title>
      <dc:creator>Michael "Mike" K. Saleme</dc:creator>
      <pubDate>Sat, 02 May 2026 13:16:13 +0000</pubDate>
      <link>https://dev.to/mspro3210/when-a-protocol-vendor-declines-to-patch-the-test-harness-becomes-the-spec-5837</link>
      <guid>https://dev.to/mspro3210/when-a-protocol-vendor-declines-to-patch-the-test-harness-becomes-the-spec-5837</guid>
      <description>&lt;p&gt;When a protocol vendor confirms that a critical vulnerability is intentional, the question shifts from "when does the vendor patch this?" to "where does mitigation live now?"&lt;/p&gt;

&lt;p&gt;The answer in this case is no longer in the protocol layer, no longer in the vendor SDK, but in the harnesses, sandboxes, and runtime guards that sit between the protocol and the host.&lt;/p&gt;

&lt;p&gt;That is the news this week.&lt;/p&gt;




&lt;h2&gt;
  
  
  The pattern
&lt;/h2&gt;

&lt;p&gt;Vendor-confirmed by-design vulnerabilities are not new. They are a recurring class. The shape repeats: a vendor ships a primitive, the security community discloses a flaw, the vendor reviews, and instead of patching, declares the flaw intentional. The protocol becomes a constraint, not a contract. Mitigation moves downstream.&lt;/p&gt;

&lt;p&gt;When this happens, the question for enterprise security teams is no longer "what version do we update to?" The question is: which downstream layer enforces what the protocol does not? And how do we test that downstream layer, since the protocol itself has become a published constraint rather than a fixable bug?&lt;/p&gt;

&lt;p&gt;This is the layer where adversarial test harnesses become load-bearing. They stop being "nice-to-have" pre-deployment checks and start being the actual specification for how the protocol is allowed to behave in production.&lt;/p&gt;

&lt;h2&gt;
  
  
  The proof point: Anthropic's MCP STDIO execution model
&lt;/h2&gt;

&lt;p&gt;This week, &lt;a href="https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html" rel="noopener noreferrer"&gt;Anthropic confirmed&lt;/a&gt; that a critical vulnerability in the Model Context Protocol's STDIO transport layer is intentional. Researchers had disclosed a systemic by-design weakness affecting the STDIO command execution path: the protocol passes configuration directly to command execution, and any unsanitized argument lands in &lt;code&gt;argv&lt;/code&gt; of a spawned process. Across more than 7,000 publicly accessible MCP servers and 150 million SDK downloads, the affected behavior is identical because the SDK ships the same primitive in Python, TypeScript, Java, and Rust.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.americanbanker.com/news/unpatched-ai-flaw-poses-risk-to-banking-sector" rel="noopener noreferrer"&gt;Anthropic's response&lt;/a&gt; declined a protocol-level fix. The position: the STDIO execution model represents a secure default, and sanitization is the developer's responsibility.&lt;/p&gt;

&lt;p&gt;Translation for enterprise readers: the protocol is not going to defend you. Anthropic has documented the contract; the contract says you are responsible for what happens at process spawn. JPMorganChase, Citi, and BNY have all said they are building agentic AI on MCP. Their security teams now have an explicit, vendor-confirmed design constraint to work around — not a patch to wait for.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 18-day gap
&lt;/h2&gt;

&lt;p&gt;Adversarial testing for this attack class shipped April 12, 2026, in the agent-security-harness v4.2.0 release. Public CHANGELOG entry, public Git tag, public PyPI artifact. The tests target exactly the path Anthropic now confirms is by-design: MCP-015 and MCP-016 cover SSRF and STDIO pre-handshake injection patterns; MCP-017 extends to the configuration-to-command surface; MCP-018 (added April 17) covers unbounded request body DoS in the same execution path.&lt;/p&gt;

&lt;p&gt;The disclosure cycle hit April 30. The harness coverage preceded the disclosure by 18 days.&lt;/p&gt;

&lt;p&gt;That is not a prediction; it is a test record. Adversarial coverage of a known-weak primitive doesn't require advance vendor notice. It requires a willingness to systematically test what the protocol allows rather than what it documents.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the tests actually do
&lt;/h2&gt;

&lt;p&gt;The harness sends crafted MCP requests against a target server and analyzes the responses. The tests do not exploit the target; they probe whether the target's defensive controls — sandbox boundaries, capability allowlists, syscall filters, audit logging — fire when given input designed to trigger the by-design path.&lt;/p&gt;

&lt;p&gt;Concrete examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;MCP-015&lt;/strong&gt; sends a tool call where the configured command resolves through &lt;code&gt;argv[0]&lt;/code&gt; interpretation that the documented allowlist accepted. The probe checks whether the target intercepts at the process-spawn layer.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MCP-016&lt;/strong&gt; sends a STDIO pre-handshake message that exercises the configuration-load path before the protocol's own handshake completes. The probe checks whether the target's sandbox has been activated by then.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MCP-017&lt;/strong&gt; sends a configuration argument structured to invoke the spawned process with input that would clearly fail the contract Anthropic now points developers at as their responsibility.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MCP-018&lt;/strong&gt; sends an unbounded request body to the same path, checking whether the target's body-size limits engage before the spawn.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A target that passes these probes has implemented the runtime guarantees the protocol no longer claims. A target that fails them is shipping the by-design path with no downstream mitigation. The pass-or-fail outcome is the operationalized form of Anthropic's "sanitization is the developer's responsibility" — except now the developer can measure whether they did it.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the right mitigation looks like
&lt;/h2&gt;

&lt;p&gt;When the protocol layer declines to enforce, three downstream layers can:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Capability declarations.&lt;/strong&gt; The MCP server descriptor publishes the filesystem paths and network destinations it actually needs. The host enforces against the declared capability set, not against a binary name. This is a static contract, not a moving allowlist. Allowlist policies that don't constrain &lt;code&gt;argv&lt;/code&gt; are checking the cover of the book; capability declarations describe the lambda the interpreter is allowed to evaluate.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Syscall-layer enforcement.&lt;/strong&gt; seccomp on Linux, sandbox-exec on macOS, AppArmor/SELinux profiles. The kernel blocks the process from reaching what it shouldn't reach, regardless of which interpreter the protocol spawned. This is the only layer where the boundary is durable; everything above it is configuration.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Pre-execution verification.&lt;/strong&gt; Before a process spawns, a sidecar verifies the configuration against the declared capability set and a signed policy reference. If the configuration drifts from the policy, the spawn doesn't happen. This is the layer where adversarial testing harnesses operationalize: the harness sends inputs that should fail pre-execution verification and measures whether they do.&lt;/p&gt;

&lt;p&gt;The architectural through-line: protocol layer publishes the contract, capability layer translates the contract into a constraint, syscall layer enforces the constraint, harness measures whether enforcement is real. When the protocol layer publishes "responsibility is downstream," the only valid response is to make the downstream verifiable.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this means for enterprise readers
&lt;/h2&gt;

&lt;p&gt;Two questions to ask your platform team this week:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;What does the harness say about your MCP servers?&lt;/strong&gt; Not "do you have a scanner running" — what does adversarial test output show? If the answer is "we don't run adversarial tests," the protocol's by-design admission has just made that the highest-priority gap on your agent-stack roadmap.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Where is the syscall-layer enforcement?&lt;/strong&gt; If your MCP servers run with the host process's filesystem and network access, the protocol's by-design path has full reach. The mitigation is not better allowlists; it is a kernel-level boundary that does not depend on the protocol behaving correctly.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The harness's MCP module is open source and Apache 2.0; pip-installable; runnable against any MCP server with a URL. That is not a marketing line — it is the structural reason the April 12 timestamp matters. The 18-day lead is real because the tooling shipped publicly, with a CHANGELOG entry and a Git tag, before the disclosure cycle. There is no proprietary version to license, no vendor relationship to maintain, no support contract to wait on.&lt;/p&gt;

&lt;h2&gt;
  
  
  The signature
&lt;/h2&gt;

&lt;p&gt;When a protocol vendor declines to fix a critical flaw, the test harness becomes the spec.&lt;/p&gt;

&lt;p&gt;Anthropic's by-design admission this week shifts MCP mitigation from the protocol layer to the runtime layer. The runtime is where attackers already are. The harness is where defenders measure whether the runtime is doing its job.&lt;/p&gt;

&lt;p&gt;The April 12 release timestamp is documentation that the measurement has been available. The next 18 weeks will determine whether enterprise teams pick it up or wait for vendor-bundled scanners that ship the same coverage with a six-month delay.&lt;/p&gt;

&lt;p&gt;The lead is real. It is also short. Test what the protocol no longer protects.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;The agent-security-harness is open source under Apache 2.0. The MCP module documentation is at &lt;a href="https://github.com/msaleme/red-team-blue-team-agent-fabric" rel="noopener noreferrer"&gt;github.com/msaleme/red-team-blue-team-agent-fabric&lt;/a&gt;; the test catalog at &lt;code&gt;docs/TEST-INVENTORY.md&lt;/code&gt;.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>security</category>
      <category>ai</category>
      <category>mcp</category>
      <category>programming</category>
    </item>
  </channel>
</rss>
