惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Visual Studio Blog
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
雷峰网
雷峰网
V
V2EX
博客园_首页
Engineering at Meta
Engineering at Meta
博客园 - 聂微东
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
H
Help Net Security
A
About on SuperTechFans
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
云风的 BLOG
云风的 BLOG
D
Docker
Security Archives - TechRepublic
Security Archives - TechRepublic
Help Net Security
Help Net Security
N
News and Events Feed by Topic
Simon Willison's Weblog
Simon Willison's Weblog
G
Google Developers Blog
A
Arctic Wolf
T
The Blog of Author Tim Ferriss
博客园 - 叶小钗
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
aimingoo的专栏
aimingoo的专栏
Hacker News: Ask HN
Hacker News: Ask HN
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 司徒正美
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy International News Feed
T
Troy Hunt's Blog
T
Tenable Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Recorded Future
Recorded Future
F
Fortinet All Blogs
D
DataBreaches.Net
B
Blog
T
Threat Research - Cisco Blogs
MyScale Blog
MyScale Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
The GitHub Blog
The GitHub Blog
Security Latest
Security Latest
M
MIT News - Artificial intelligence

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
MCP After Year One — Six Design Lessons the Industry Is Still Learning
Arthur · 2026-06-24 · via DEV Community

Anthropic announced the Model Context Protocol in November 2024. A year and a half later it is the closest thing the agent ecosystem has to a standard, with Anthropic's reference servers, a long tail of community implementations, IDE-level integrations in Cursor and Zed, and a W3C-adopted browser-side variant called WebMCP. The protocol is no longer the question. The question is what to build on top of it.

David Soria Parra, the MCP co-creator at Anthropic, recently gave a talk on the design lessons of the protocol's first year — the things teams keep doing wrong, and the design discipline the second year is going to require. The talk is the kind of artifact you don't normally get from a protocol author at this stage of an ecosystem's life: a clear, opinionated summary of where the mistakes are concentrated and what the corrective shape looks like.

This piece is my summary of those lessons, with the design rationale I think a developer building an MCP server in May 2026 actually needs. There are six of them.

1. Don't wrap REST as MCP

This is the design mistake every team makes once.

A REST API is a contract for developers and CRUD operations. It is structured around resources. The verbs are HTTP verbs. The granularity is one row at a time: GET /users, POST /orders, PATCH /documents/:id. That granularity is correct for a developer writing a frontend. It is wrong for an agent.

An agent wants to perform an action — a piece of work the user actually cares about. Prepare a customer for onboarding. Find the contract and check it for risk clauses. Draft a response to the open support ticket. Each of those actions, in CRUD terms, is a sequence of dozens of REST calls, each of which the agent has to plan, sequence, and check the result of. The agent ends up doing the work of an ORM and a controller, in a context window that has better things to do.

The bad version of an MCP server looks like this:

# DON'T: REST-style MCP server (one tool per API method)
@server.tool()
def get_user(user_id: str) -> dict: ...

@server.tool()
def create_order(user_id: str, items: list) -> dict: ...

@server.tool()
def patch_document(doc_id: str, fields: dict) -> dict: ...

@server.tool()
def list_permissions(user_id: str) -> list: ...

# ... seventeen more atomic CRUD wrappers

The good version is the same backend exposing tools at the granularity the agent actually thinks in:

# DO: action-shaped MCP server (one tool per meaningful task)
@server.tool()
def prepare_user_for_onboarding(user_id: str) -> OnboardingResult:
    """Run the full onboarding checklist: provision account, send welcome
    email, set initial permissions, attach to default workspace, audit-log."""
    ...

@server.tool()
def find_and_review_contract(party: str, period: str) -> ContractReview:
    """Locate the contract, parse it, flag clauses by risk category,
    summarize key terms, return a structured review."""
    ...

@server.tool()
def draft_customer_response(ticket_id: str) -> DraftResponse:
    """Pull the ticket history, the customer's account context, and the
    current state of the issue; produce a draft response with citations."""
    ...

The two servers wrap the same backend. The agent's behavior against them is not comparable. The first one produces a long chain of tool calls and a high probability of getting one of them wrong. The second one is one call, returns a structured result, and the agent moves on to the next step of its actual task.

The shift required is conceptual, not technical. You are no longer designing an interface for a developer to make CRUD calls. You are designing an interface for an agent to perform business operations. The CRUD layer still exists underneath; it is not what your MCP server exposes.

2. Progressive discovery — don't dump every tool into context

The second mistake is also a context-window problem.

An MCP server with thirty tools, connected naively, dumps thirty tool descriptions into the agent's context at the start of every conversation. With several MCP servers connected, the count climbs to a hundred or more. The cost is real on every dimension:

  • The model has to choose between many tools, which it does worse than choosing between few
  • Per-request input-token cost goes up
  • Latency goes up, because the prompt is longer
  • The risk of an incorrect tool call goes up, because the model has more confusable options
  • The actual data the agent needs gets squeezed out by descriptions of tools it will never invoke

The corrective is progressive discovery — the agent fetches the tools it needs as it needs them, rather than receiving the full catalog at session start. The MCP server presents a small index. The agent reads the index, decides what it needs, asks for the specific tool descriptions, and only then has those descriptions in its context.

In practice this means a developer building an MCP server in 2026 should be thinking not only about which tools to expose but about how the agent finds them. A flat list of forty tools is rarely the right answer. A short categorized index with two-line descriptions, plus an on-demand expansion mechanism, is closer.

3. Skills and MCP are not competitors

Anthropic also ships a Skills system — a different mechanism for giving an agent a procedural capability. The natural reaction is to ask which one wins. The answer that came out of the talk is that neither wins; they are answers to different questions.

Skills are good for local, procedural, CLI-utility-driven work. Take this video file, run it through ffmpeg with these flags, put the result in this directory. The capability is a self-contained procedure that does not need authorization or audit. The cost of building it is low. The cost of running it is also low.

MCP is the right tool when you need the things a procedure cannot provide on its own: authorization, role-based access control, audit logs, observability, stable contracts between the agent and an external system, lifecycle management of the tool itself. If the action involves customer data, finances, or anything that lives in an enterprise system, you want MCP. If the action is a deterministic local procedure, Skills are simpler.

The decision rule is: use the simplest mechanism that solves the problem. MCP servers are not free to build, run, or maintain. If a Skill works, ship the Skill.

4. Enterprise needs a gateway

The largest organizational mistake is letting every team build its own MCP server independently. After twelve months, the result is a sprawl of half-documented servers with inconsistent authorization models, no shared audit trail, and a security team that cannot tell you which agents have access to which systems. This is shadow IT for agents, and the standard response — we'll catalog them later — does not work, for all the reasons it has not worked in any prior generation of integration sprawl.

The corrective is a connectivity-and-gateway layer: a single platform-side component that sits between the agents and the enterprise systems and handles, in one place:

  • Tool registration and lifecycle
  • Authorization policies (which agent, calling on whose behalf, can invoke which tool)
  • Audit logging of every tool call
  • Rate limits and quotas
  • Observability and tracing
  • The lifecycle of tool definitions across versions

This is not a novel architectural pattern. It is API-gateway design applied to a slightly different problem. The pieces that are different — agent identity, multi-step delegated authority, async tool execution — are listed in lesson six. The frame that is the same is single chokepoint; consistent policy; auditable trail.

A company that does not invest in this layer in 2026 will spend most of 2027 trying to put it in retroactively, while incidents in the meantime keep paging the security team.

5. Agent identity is the unsolved part

This is the lesson the talk treated most carefully, because it is the one with the fewest solutions.

The traditional auth pattern is: user authenticates → user clicks a button → system performs an action. The user's identity, the user's intent, and the system's action are all colocated in a single moment.

Agents break that pattern in several directions at once. The agent acts on the user's behalf, but the action may happen minutes or hours after the user's last interaction. The agent may chain through multiple systems, each of which sees a different intermediate identity. The agent may continue a task overnight while the user is offline. The agent may be one of several agents working on the same task, with no clean way to attribute a specific tool call to a specific initiating user action.

The open questions are concrete:

  • Who exactly called the tool? The agent, the user, the system that invoked the agent?
  • On whose behalf? With what claim chain?
  • With what permissions? The agent's own, the user's, or some intersection?
  • Can the agent continue without re-asking the user? Under what conditions?
  • How do you revoke access mid-task, when the agent is in the middle of a multi-step operation that has already done some of its work?
  • How do you show an auditor, six months later, what actually happened?

These questions are not resolved by MCP itself. MCP carries the tool-call protocol, not the identity-and-authorization chain. The industry is mostly bolting OAuth flows, signed delegation tokens, and ad-hoc audit logging on top, and each of those is its own engineering effort with no canonical answer yet. The talk frames this as the unsolved layer. That framing is honest.

6. The MCP server is not your old API

Pulling the threads together: the lesson at the center of all five preceding ones is that an MCP server is a different kind of artifact from the REST API the same team probably built last year, even when both expose the same backend.

The REST API is a contract for software developers. It is granular, resource-oriented, designed to compose into application logic written by humans who know which calls to make in what order. The MCP server is a contract for agents. It should be coarse-grained at the level of meaningful tasks, on-demand discoverable, gated by an enterprise-aware authorization model, and instrumented for an audit trail that survives multi-step delegated execution.

The teams that have figured this out in the first year of MCP did so by treating "design for an agent" as a different design problem from "design for a frontend." The teams that have not figured it out yet are mostly the teams whose first MCP server was a one-to-one wrapper of an existing REST API, shipped because the JIRA ticket said expose this as MCP and the path of least resistance was to wrap the methods. Those servers are now what their teams have to maintain.

The corrective in May 2026 is a short, opinionated list:

  1. Tools as actions, not endpoints. Design the verb the agent actually wants. Compose the CRUD calls underneath.
  2. Atomic-but-composable. Each tool does one meaningful thing. The agent can chain tools, but each chain link is a complete unit on its own.
  3. Bounded tool sets per task. Don't expose 40 tools to a workflow that needs 4. Curate the surface.
  4. Progressive discovery as default. Tools loaded into context only when relevant.
  5. Audit and access from day one. Bolt it on later and you'll bolt it on poorly.
  6. CLI where CLI is enough. Skills where Skills are enough. MCP where you need the contract.
  7. Gateway for enterprise. No exceptions. The cost of skipping this is paid in incidents.

A year in, MCP is a working protocol with real adoption and real production traffic. It is also a category in which most teams are still learning the design discipline. The protocol authors have now said publicly what they have been telling teams in private for a year: it is not a CRUD wrapper, it is not a silver bullet, and the parts of the problem that look easy at the start are the parts the second year will be spent retrofitting.

The teams that ship the second-year version of this design discipline get to compound on the foundation. The teams that ship the first-year version get to do it again.