For twenty years there was one way for software to talk to object storage: the S3 API. PutObject, GetObject, ListBucket — a small, stable contract that made storage programmable for applications. Every SDK, every backup tool, every data pipeline speaks it. It is the most successful storage interface ever shipped.
In a six-week stretch of spring 2026, the storage layer quietly grew a second interface — this one for agents. Not a replacement for the S3 API, but a parallel contract aimed at autonomous LLM systems that discover what's available, decide what to do, and act, with no human writing glue code in between. The protocol is MCP, the Model Context Protocol, and it is being baked directly into storage and database products at a pace that turns a feature into a category.
This is the companion piece to The Catalog Is Becoming a Database: that post argued the metadata layer is becoming an independent engine. This one is about the interface layer — and the two are the same story told from opposite ends. The catalog became a database because agents need to query it at machine speed; storage grew an agent interface because agents need to reach the bytes the same way.
The pain point this site mapped first
The gap underneath this wave is Tool Discovery Governance — the problem that an agent can only use what it can find, and that exposing tools for discovery is also exposing an attack surface. Before April 2026, connecting an agent to your object store meant hand-writing a tool wrapper: enumerate the operations, describe each one for the model, wire up auth, hope the descriptions stayed in sync with the API. Every team rebuilt the same bridge. The discoverability problem was real, named, and unsolved at the infrastructure layer.
Then the infrastructure layer started solving it itself.
The wave
Three products, three storage categories, six weeks:
| Product | Category | What shipped | Interface |
|---|---|---|---|
| Weaviate v1.37 | Vector database | First major vector DB with a built-in MCP server | /v1/mcp, Streamable HTTP, RBAC-gated1 |
| Pinecone (launch week) | Vector database | KnowQL — a declarative query language for agents | Six primitives: intent, filter, provenance, output shape, confidence, budget2 |
| RustFS | S3-compatible object store | MCP server exposing S3 operations as agent tools | bucket list / browse / upload / read, MIME-aware3 |
The shape is consistent across all three. The product exposes its native operations — vector search, object reads, schema introspection — as MCP tools, each carrying a natural-language description the model reads at runtime. The agent connects, enumerates what's available, and calls it. No bespoke wrapper. The same move is spreading to on-prem appliances and managed data stores; the three above are the clearest early instances, not the whole list.
Notice what each one actually exposes. Weaviate lets an agent introspect schema and create or delete collections — write access, not just read. Pinecone's KnowQL is the more radical bet: it doesn't expose the database's query surface, it invents a new one designed around what an agent needs to ask — including provenance (where did this knowledge come from) and budget (how much am I allowed to spend answering). That is not a vector-search API with an LLM bolted on. It is an interface whose user is assumed to be a machine that reasons about cost and trust.
Why it had to happen now
Two independent shifts made the agent interface inevitable, and both are recent.
The first is economics. DeepSeek V4 made its 75% price cut permanent in May 2026 — output tokens around $0.87 per million, roughly an order of magnitude under US frontier APIs.4 When inference was expensive, you minimized agent round-trips: pre-compute everything, hand the model one tight context, get one answer. When inference is cheap, the opposite is rational — let the agent poke at the storage layer, discover what's there, iterate. An MCP interface is only worth building if agents are going to call it constantly, and only cheap inference makes constant calling affordable.
The second is the retrieval shift. Direct Corpus Interaction — the 2026 agentic-search paradigm where the model interrogates a raw corpus with terminal tools instead of a pre-built vector index — points the same direction.5 Both DCI and MCP-native storage say: stop pre-digesting the data for the agent; give the agent an interface and let it do the digesting. The offline index pipeline that used to sit between the model and the storage is dissolving, replaced by the model reaching the storage directly through a discovery protocol.
Cheap tokens plus direct retrieval equals a model that wants to talk to storage continuously. The storage layer grew an interface to answer.
The bill that comes due
An agent-reachable storage layer is a larger attack surface, and 2026 has already shown what that costs. The Apache Polaris credential-vending CVE cluster — four CVEs disclosed in May, the lead one (CVE-2026-42810) scoring CVSS 9.9 — is the cautionary tale.6 Polaris is a catalog that issues short-lived, scoped cloud credentials on a caller's behalf. A bug in how it built those scopes let an attacker craft a table name containing literal wildcard characters that flowed unescaped into the generated S3 IAM policy, so credentials nominally scoped to one table matched every table's path.
That is a confused-deputy attack — the catalog, holding broad authority, was tricked into exercising it on the attacker's behalf — and it is exactly the failure mode that scales with an agent interface. The whole value of MCP-native storage is that an autonomous system supplies inputs (collection names, prefixes, query filters) that the storage layer acts on. Every one of those inputs is now an injection vector into whatever policy or credential the storage synthesizes downstream. The Polaris flaws were in a catalog, but the lesson is general: any identifier an agent can supply must be treated as untrusted before it reaches policy generation. The fix Polaris shipped in 1.4.1 — escape metacharacters, validate-then-reserve before vending — is the pattern every agent-facing storage product will need.
This is why the discoverability problem and the governance problem are the same node. You cannot expose tools for agents to find without also deciding what those agents are allowed to do with them — and the credential layer is where that decision is enforced or lost.
What it means for a smaller team
The strategic read is the part that matters if you are not a hyperscaler. The bridge between an AI agent and your data used to be an engineering project — weeks of building and maintaining tool wrappers, auth plumbing, and schema-sync glue that only a well-staffed platform team could afford. The MCP wave collapses that project into a configuration flag. Turn on the endpoint, set the RBAC scopes, and your self-hosted object store or vector index is natively addressable by the same agents the big companies use — running on commodity storage you already own.
The capability that was enterprise-only because of its integration cost just became a default. That is the pattern across this entire stretch of 2026: the things large companies built with bespoke infrastructure — agent glue here, RAM-resident vector databases elsewhere, costly inference everywhere — are arriving as object-storage-native open source, built-in protocol endpoints, and cheap frontier-adjacent models. The agent interface is the most under-told of them, because it doesn't look like a product launch. It looks like a point release.
The second interface
The S3 API won because it was small, stable, and made storage programmable for every application that would ever be written. MCP is making the same bet for the next class of caller. An agent doesn't want GetObject; it wants to ask what's here, judge whether it's trustworthy, and decide what it can afford to do — which is why Pinecone's KnowQL has primitives for provenance and budget and the raw S3 API never will.
Storage spent twenty years with one interface, for applications. In the spring of 2026 it grew a second one, for agents. The products that shipped it first — Weaviate, Pinecone, RustFS — are not the story. The story is that "expose your data to an agent" stopped being something you build and started being something your storage already does.
Footnotes
-
Weaviate v1.37 release — built-in MCP server at
/v1/mcp, exposed as a Streamable HTTP endpoint, disabled by default and RBAC-governed viaread_mcp/create_mcp/update_mcppermissions. weaviate.io/blog/weaviate-1-37-release. ↩ -
Pinecone Nexus and KnowQL — a declarative query language for agents exposing six primitives (intent, filter, provenance, output shape, confidence, budget). Pinecone — The Knowledge Engine for Agents; Pinecone Nexus product page. ↩
-
RustFS MCP server — a high-performance MCP server exposing S3-compatible object operations (list buckets, browse, upload with MIME detection, read) as agent tools. RustFS MCP documentation; source at github.com/rustfs/rustfs — crates/mcp. ↩
-
DeepSeek V4-Pro permanent pricing — $0.435/M input (cache miss), $0.87/M output, $0.003625/M cached input, made permanent May 22, 2026. DeepSeek API pricing; InfoWorld — DeepSeek's V4-Pro price cut escalates the AI pricing war. ↩
-
Direct Corpus Interaction — "Beyond Semantic Similarity: Rethinking Retrieval for Agentic Search via Direct Corpus Interaction," submitted May 3, 2026. arXiv:2605.05242. ↩
-
Apache Polaris credential-vending CVE cluster (CVE-2026-42809 / 42810 / 42811 / 42812), disclosed May 4, 2026, fixed in Polaris 1.4.1; lead flaw CVE-2026-42810 scores CVSS 3.1 9.9 / CVSS 4.0 9.4. CVE-2026-42810 (ThreatInt); GitHub Advisory GHSA-8ggj-j522-h5qf. ↩