📘 Part 6 of the Agentic Engineering Series
✍️By: David Estrada | 📅Date Published: 2026/05/08
In Part 5, we mapped out every layer of the agentic engineering toolstack. One layer kept coming up as the connective tissue holding everything together: MCP. Now let’s give it the deep dive it deserves — because once you understand it, you’ll see it everywhere.
The Universal Language That Connects AI Agents to the World — And Why It Changes Everything
"An AI agent without context is just autocomplete with ambition. MCP is what turns it into a real engineering partner."
There’s a problem at the heart of every AI agent ever built.
The model is smart. Sometimes startlingly so. But it’s also isolated — cut off from your databases, your internal docs, your APIs, your codebase history, your project management tools. It knows what it was trained on. It doesn’t know what you’re working on.
Every team building AI-powered development tooling hit this wall differently. Some hacked together custom integrations. Some built proprietary protocols. Some just… accepted the limitations. The result was a fractured ecosystem where every AI tool reinvented the same wheel, badly, in a slightly incompatible way.
In November 2024, Anthropic published a spec that tried to end this fragmentation: Model Context Protocol — MCP.
By early 2026, it had become the de facto standard for how AI agents interact with the world. If you’re doing agentic engineering, you need to understand it deeply.
Part 1: The Problem MCP Was Built to Solve 🧩
Before MCP, connecting an AI agent to external tools was brutally manual. Each integration was a custom job. GitHub integration? Write it from scratch. Postgres database? Build another adapter. Confluence? Build another one — and rebuild it again for each new AI tool you adopt.
This wasn’t just annoying — it was a fundamental ceiling on what AI agents could actually do. The raw intelligence inside the model was stranded behind the wall of integration complexity.
MCP’s core insight was borrowed from a concept every developer already understood: the USB standard. Before USB, every peripheral had its own port, its own driver, its own installation ritual. After USB, you plug it in and it works. MCP is USB for AI agents.
One protocol. Universal compatibility. That’s the promise — and in 2026, it’s largely been delivered.
Part 2: The Architecture — How MCP Actually Works ⚙️
MCP defines a clean client-server architecture. Three roles, two communication layers, one standard.
All communication is JSON-RPC 2.0 — if you’ve used REST APIs, the mental model translates directly.
Part 3: The Three Primitives — What MCP Servers Can Expose 🗝️
Every MCP server exposes its capabilities through one of three primitives.
🔧 Tools — Giving Agents the Ability to Act
Tools are the most powerful primitive. They allow the AI to execute actions in the world — not just read, but write, create, modify, and trigger.
{
"name": "create_github_issue",
"description": "Creates a new issue in a GitHub repository",
"inputSchema": {
"type": "object",
"properties": {
"repo": { "type": "string", "description": "owner/repo format" },
"title": { "type": "string" },
"body": { "type": "string" },
"labels": { "type": "array", "items": { "type": "string" } }
},
"required": ["repo", "title", "body"]
}
}
Critical rule: Tools that modify state (write, delete, create) should require human confirmation before execution. This is how agentic engineering avoids the incident where an AI agent with unrestricted tool access deleted a production database.
📦 Resources — Giving Agents Rich Context
Resources expose data that the AI can read and incorporate into its context window. Unlike tools, resources don’t execute side effects — they surface information. This is how you give an agent access to your actual codebase, your actual documentation, your actual data — not hypothetical training data.
💬 Prompts — Encoding Expert Workflows
Prompts are reusable, parameterized interaction templates. They let teams encode expert knowledge into repeatable workflows that any agent can invoke. Think of prompts as institutional knowledge made executable — the accumulated wisdom of your security team, your architecture review board, your senior engineers, packaged as a template any agent can use.
Part 4: The MCP Ecosystem in 2026 🌐
MCP’s rapid adoption created an ecosystem almost overnight. By 2026, there are hundreds of MCP servers — both official and community-built — covering nearly every tool a software engineering team uses.
| Milestone | Date |
|---|---|
| MCP spec published by Anthropic | November 2024 |
| Claude Desktop ships MCP support | November 2024 |
| VS Code / GitHub Copilot ships MCP support | March 2025 |
| Cursor ships native MCP support | April 2025 |
| OpenAI compatibility layer announced | June 2025 |
| 1,000+ community MCP servers on GitHub | September 2025 |
| MCP becomes default in all major AI dev tools | 2026 |
Part 5: MCP in the Agentic Engineering Workflow 🤖
Understanding MCP in isolation is interesting. Understanding what MCP enables in an agentic engineering pipeline is transformative.
Scenario: A planner agent is given the task: “Investigate the performance regression in the checkout service reported in issue #342 and produce a fix.”
Without MCP, every data-gathering step would require a human to manually retrieve information, paste it into the chat, and re-prompt. With MCP, the agent operates autonomously against real systems — with real data — at machine speed.
The single biggest benefit MCP delivers is grounding. AI agents make better decisions when their reasoning is anchored to real, current information rather than training data. Grounded agents don’t hallucinate file paths or function names because they’re reading the actual files. They don’t guess at database schemas because they queried the real schema. The quality ceiling lifts dramatically.
Part 6: Setting Up MCP — From Zero to Connected 🛠️
For VS Code + GitHub Copilot, MCP servers are configured in .vscode/mcp.json:
{
"servers": {
"github": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "${env:GITHUB_TOKEN}"
}
},
"filesystem": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "${workspaceFolder}"]
},
"postgres": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-postgres"],
"env": {
"POSTGRES_CONNECTION_STRING": "${env:DB_READ_ONLY_URL}"
}
}
}
}
The most dangerous MCP configuration mistake is giving agents unrestricted write access to production systems. Follow the principle of least privilege: read permissions broadly, write permissions narrowly, destructive permissions never without explicit human confirmation.
Building a Custom MCP Server
When the official servers don’t cover your stack, building a custom one is within reach of any backend developer:
// A minimal custom MCP server in TypeScript
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { z } from "zod";
const server = new McpServer({ name: "internal-api-server", version: "1.0.0" });
server.tool(
"get_feature_flags",
"Returns the current feature flag state for a given environment",
{ environment: z.enum(["staging", "production"]) },
async ({ environment }) => {
const flags = await fetchFeatureFlags(environment);
return { content: [{ type: "text", text: JSON.stringify(flags, null, 2) }] };
}
);
const transport = new StdioServerTransport();
await server.connect(transport);
Build it once; every agent benefits.
Part 7: MCP vs. Raw Function Calling 🤔
If you’ve worked with OpenAI’s function calling or Anthropic’s tool use, you might be wondering: isn’t MCP just that, repackaged?
No — and the distinction matters. When you build a function in raw OpenAI terms, it only works for OpenAI. When you build an MCP server, it works for GitHub Copilot, Claude, Cursor, Windsurf, and any tool that adopts the standard — today or in the future.
For enterprise teams with multiple AI tools in their stack, this portability is not theoretical — it’s a significant reduction in engineering overhead.
Part 8: Security Considerations ⚠️
MCP is powerful precisely because it gives AI agents real access to real systems. That’s also what makes security a non-negotiable concern.
The security mindset for MCP is the same as for any API integration — except the attack surface now includes the AI’s reasoning as a potential manipulation vector. Prompt injection against MCP-fed agents is a real, documented attack class, and defending against it requires both infrastructure controls and careful system prompt design.
Part 9: The Bigger Picture — MCP as Infrastructure 🏗️
Before MCP, an AI agent was a kind of endpoint — you talked to it, it replied. Stateless, contextless, largely isolated from your systems.
After MCP, an AI agent can be a participant in your engineering infrastructure — reading your systems, acting on your behalf, integrated into the same tools and services your human engineers use.
For the agentic engineering practitioner, this means the work isn’t just “what prompt do I give the agent” — it’s “what systems do I connect the agent to, with what permissions, and under what supervision?”
Those are architecture questions. Engineering questions. And getting them right is exactly what separates agentic engineering from vibe coding.
🧭 The MCP Playbook: Quick Reference
| Situation | Recommended Action |
|---|---|
| You want agents to read your codebase | Add Filesystem MCP, scoped to project root |
| You want agents to work with GitHub | Add official GitHub MCP server, repo-scoped token |
| You want agents aware of database schemas | Add DB MCP server with read-only credentials |
| Your internal tool isn’t in the ecosystem | Build a custom MCP server (TypeScript or Python SDK) |
| Agent has access to sensitive systems | Require human confirmation before any write operation |
| Multiple AI tools in your team’s stack | One MCP server serves them all — build once |
| Worried about prompt injection | Treat all MCP-retrieved content as untrusted; instruct agents accordingly |
| Configuring MCP connection strings | Always use ${env:VAR} references, never hardcode credentials |
The agents that change how software gets built aren't the ones with the biggest models. They're the ones with the best connections. MCP is how you build those connections.