MCP got its honeymoon. The honeymoon is over.
Perplexity CTO Denis Yarats announced this week that they're walking away from MCP internally — back to traditional APIs and CLIs. His stated reasons: context window bloat and "clunky auth." Those are real problems. But they're symptoms, not the disease.
The disease is structural. MCP was designed as a developer convenience layer, not a security boundary. It let any tool inject text into a model's context with no cryptographic attestation, no capability scoping, and no enforcement of what a server is actually allowed to do. The entire trust model is: you installed it, so you trust it. That's fine for a local demo. It is not fine for production systems that handle real data, real credentials, and real actions.
The numbers now confirm what the architecture always implied. A recent scan of MCP servers found two-thirds have security findings. Anthropic's own tooling had critical vulnerabilities. A fake npm MCP package quietly exfiltrated API keys from developers who installed it thinking it was legitimate. This is what prompt injection looks like at the supply chain layer — not a jailbreak in a chat window, but a malicious server your agent calls 300 times a day.
Perplexity's move is pragmatic. APIs and CLIs have decades of hardened auth patterns. MCP at this point is a trust assumption dressed up as a protocol.
The deeper lesson: the agentic ecosystem is repeating the same mistake the web made in the early 2000s. We're bolting security onto protocols that were designed for convenience first. The cost of that debt gets paid — it's only a question of when and by whom.
If you're running MCP servers in production today, that debt is yours.