https://notes.karlmcguinness.com/series/least-privilege-mcp/Recent content in Least-Privilege MCP Tool Calls on Control Plane by Karl McGuinnessHugoen-uspublic@karlmcguinness.com (Karl McGuinness)public@karlmcguinness.com (Karl McGuinness)Fri, 26 Jun 2026 10:00:00 -0700https://notes.karlmcguinness.com/notes/closing-the-gaps-least-privilege-mcp-tool-calls/Fri, 26 Jun 2026 10:00:00 -0700public@karlmcguinness.com (Karl McGuinness)https://notes.karlmcguinness.com/notes/closing-the-gaps-least-privilege-mcp-tool-calls/Part one laid out two models for least-privilege MCP tool calls: carry a narrow token, or decide each call at the resource. Both leave the same gaps on plain OAuth. AuthZEN standardizes the policy question, COAZ the mapping into it, and ARAP the denial-to-approval workflow, which can run at the resource, at the authorization server, or both. Proposals like AROP, MCP SEP-2643, and MCP SEP-2848 bind that workflow to the wire. None of them gives multiple calls a common unit of user intent. The task object that would, a Mission, is the gap that remains.https://notes.karlmcguinness.com/notes/least-privilege-mcp-tool-calls/Thu, 25 Jun 2026 10:00:00 -0700public@karlmcguinness.com (Karl McGuinness)https://notes.karlmcguinness.com/notes/least-privilege-mcp-tool-calls/There are two natural ways to lock an agent’s MCP tool calls down to least privilege. The agent can carry a narrow token scoped to the action, or the server can decide each call as it happens. Carrying a token gives portable proof of what the agent may do, but pushes domain knowledge onto the authorization server and token management onto the client. Deciding at the resource keeps the meaning where it lives, but the decision is not portable. MCP makes the tool boundary first-class for both. This part compares the two models and how to choose. Part two covers the standards that close the per-call gaps and the task object neither names.