23 MAR 2026
David shipped: MCP security patches: OAuth consent flow, token exposure, scope enforcement
David shipped four security fixes to the Snitch MCP server: an OAuth consent flow that auto-completed on a GET request, approval tokens that were visible to the model, missing per-tool scope enforcement, and a static bearer bypass that is now removed for production.
David oversaw the implementation of a set of MCP security patches across the Snitch and Granular MCP systems.
The work was partitioned between agents: one owned the MCP approval/OAuth slice, the other handled draft expiry and idempotency.
The task brief for the MCP security agent:
implement fixes for:
1) replace GET auto-complete OAuth with explicit consent/POST or CSRF-bound confirmation flow;
2) approval token must not be model-visible and should be content/version-bound, expiring, nonce/one-time if possible;
3) enforce OAuth scopes per tool;
4) remove/disable static bearer bypass for production;
5) add app/resource metadata/CSP/unique UI resource URI as appropriate
These patches addressed exploitable vulnerabilities in the draft→publish path that had been identified in a prior security review (commit da4eddb).
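One way to implement items 2, 3 and 4 of the brief (a content/version-bound, expiring, one-time approval token that is never placed in a model-readable tool result; deny-by-default per-tool scope checks; the static bearer credential rejected in production), as an added Python example that is not the Snitch or Granular project's own code. The tool names, scope names, the `DEV_STATIC_BEARER` credential, the dot-separated token layout and the `publish_draft` entry point are assumptions for illustration; how the token reaches the human consent UI (item 1) is out of scope here.

```python
import hashlib
import hmac
import secrets
import time

# Assumed tool -> required-scope policy (hypothetical names, not Snitch's real tools or scopes).
TOOL_SCOPES = {
    "draft.read": {"drafts:read"},
    "draft.create": {"drafts:write"},
    "draft.publish": {"drafts:write", "drafts:publish"},
}
DEV_STATIC_BEARER = "dev-static-bearer"  # assumed legacy credential standing in for the static bypass


class ApprovalError(Exception):
    pass


class ScopeError(Exception):
    pass


class ApprovalStore:
    """Mints and redeems approval tokens bound to (draft_id, content hash, version).

    The token is HMAC-signed with a server-side key the model never sees, carries an
    absolute expiry, and is single-use: its nonce is consumed on the first successful
    redeem, so a replayed or copied token fails even before it expires.
    """

    def __init__(self, key: bytes, ttl_seconds: int = 300, now=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._unused_nonces = set()

    def _sign(self, draft_id, content_hash, version, nonce, exp) -> str:
        msg = f"{draft_id}|{content_hash}|{version}|{nonce}|{exp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def mint(self, draft_id: str, content: bytes, version: int) -> str:
        nonce = secrets.token_urlsafe(16)  # urlsafe alphabet never contains "."
        exp = int(self._now()) + self._ttl
        sig = self._sign(draft_id, hashlib.sha256(content).hexdigest(), version, nonce, exp)
        self._unused_nonces.add(nonce)
        return f"{nonce}.{exp}.{sig}"

    def redeem(self, token: str, draft_id: str, content: bytes, version: int) -> None:
        try:
            nonce, exp_s, sig = token.split(".")
            exp = int(exp_s)
        except ValueError:
            raise ApprovalError("malformed approval token")
        # Recompute over what is actually being published: edited content or a bumped
        # version changes the hash, so an approval for an older draft cannot be reused.
        expected = self._sign(draft_id, hashlib.sha256(content).hexdigest(), version, nonce, exp)
        if not hmac.compare_digest(expected, sig):
            raise ApprovalError("approval token does not match this draft content/version")
        if self._now() > exp:
            self._unused_nonces.discard(nonce)
            raise ApprovalError("approval token expired")
        if nonce not in self._unused_nonces:
            raise ApprovalError("approval token already used")
        self._unused_nonces.discard(nonce)  # one-time use


def model_visible_result(draft_id: str, version: int) -> dict:
    """What the model gets back after asking to publish: a status only, never the token.
    The token itself is handed to the human consent UI through a separate channel."""
    return {"draft_id": draft_id, "version": version, "status": "awaiting_human_approval"}


def resolve_scopes(bearer: str, oauth_grants: dict, env: str) -> set:
    """Map a presented bearer credential to its granted scopes (item 4: the static
    dev bearer is rejected outright in production, all-scopes elsewhere)."""
    if bearer == DEV_STATIC_BEARER:
        if env == "production":
            raise ScopeError("static bearer credential is disabled in production")
        return set().union(*TOOL_SCOPES.values())
    return set(oauth_grants.get(bearer, ()))


def require_tool_scopes(tool: str, granted: set) -> None:
    """Item 3, deny by default: a tool with no policy entry and a tool whose required
    scopes are not all granted both fail."""
    needed = TOOL_SCOPES.get(tool)
    if needed is None:
        raise ScopeError(f"no scope policy for tool {tool!r}")
    missing = needed - granted
    if missing:
        raise ScopeError(f"tool {tool!r} requires scopes {sorted(missing)}")


def publish_draft(store, bearer, oauth_grants, env, token, draft_id, content, version) -> dict:
    """Publish path: authorize the caller for the tool first, then redeem the approval."""
    require_tool_scopes("draft.publish", resolve_scopes(bearer, oauth_grants, env))
    store.redeem(token, draft_id, content, version)
    return {"draft_id": draft_id, "version": version, "status": "published"}
```

The order in `publish_draft` matters: the scope check runs before `redeem`, so an under-scoped caller cannot burn a pending approval by probing with it. Signature verification also runs before the nonce is consumed, so a caller presenting a wrong-content token does not invalidate the legitimate one.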