What agentic tools actually do, not what their docs claim. Each finding is backed by tested claims and linked evidence.
MCP Streamable HTTP spec does not mandate Authorization header passthrough. Claude Code supports it; VS Code Copilot does not — MCP servers gating write tools on Authorization Bearer are effectively Claude Code-only from other clients, and the tools fail silently with no diagnostic at the client.
Every major provider advertises mathematical or near-guaranteed schema adherence, but each implementation has undocumented complexity thresholds, ordering sensitivities, and silent failure modes that make the guarantee conditional in ways the documentation does not disclose.
playwright-mcp sessions are destroyed on every HTTP transport call in containerized environments — teams testing locally via Claude Code see reliable multi-step workflows, then cloud deployment silently resets browser state on every call.
The multi-agent framework landscape has fractured into tiers with distinct maturity profiles — not converged — and every major framework carries confirmed production failure modes that docs don't warn about.
Agent security has split into four architecturally distinct tiers — no single tool spans more than one, making "agent security" a misleading single category.
Error suppression that a human would notice and investigate leaves an agent with exit code 0 and no signal to stop — the Tools Fail paper measured a 76-point accuracy drop under silent failures.
ChromaDB's single-node RAM-bound architecture makes it a prototyping tool with a hard scaling ceiling — LRU eviction fails, collection deletion doesn't free memory, and connection leaks cause container OOM.
LangGraph checkpoint serialization fails silently for non-primitive types — round-trips are lossy with no exception raised, across four documented modes since Jan 2026.
SWE-bench Verified was retired in Feb 2026 after 59% of its test cases were found flawed — scores overstated production reliability by 20-30 percentage points.
Goose's defaults — autonomous mode, no extension allowlist, disabled injection detection, 1000-turn ceiling — each removes a guardrail that would contain the others. The permissions fail-open bug was fixed in v1.26.2 (Mar 4, 2026), but the other four defaults remain.
Streaming guardrails are architecturally broken by design -- OpenAI has marked the fix NOT_PLANNED.
Four CVEs and five supply-chain vectors share one pattern: project-scoped settings execute with user privileges before or without trust verification.
Five categories of hook failures — silent non-firing, ignored decisions, platform breakage, data corruption, and architectural constraints — mean defense-in-depth across multiple events is required.
LiteLLM's gateway features fail silently under production conditions — budget counters drift, guardrails pass, fallbacks route to dead providers — every failure traced to a public GitHub issue.
Three silent failure modes in RAG pipelines — GraphRAG entity deduplication corruption, LangGraph edge routing data loss, and tool output leakage at step caps — all go undocumented by the frameworks.
DeepEval hijacked the global OTel TracerProvider on import through v3.7.7-era, exfiltrating trace data to New Relic cloud regardless of configured backend — removed in v3.9.x. The Langfuse non-generation span gap is still current.
Self-hosted graph memory is uniformly not production-ready — Graphiti has an undocumented async conflict, Mem0 OSS graph is OpenAI-only despite 47k stars, and the MCP memory server corrupts files under concurrent writes.
Every LLM-as-judge eval framework reviewed produces non-deterministic CI results — the grading layer is non-deterministic by design, not just the model under test.
Two enterprise acquisitions in 90 days upgraded MCP supply chain risk from "emerging" to institutionally confirmed — but mid-session server mutation remains an unmitigated gap.
Every SQLite MCP database server reviewed uses startsWith("select") as its read-only guard — trivially bypassable with a semicolon or comment prefix.
Stateless HTTP mode silently disables sampling and elicitation — a protocol-level constraint, not a library bug, with no spec fix before June 2026.