MCP & Tool Protocol Standards

In the previous lesson, you built a safe in-process tool loop: a model requested get_order_status, and trusted application code decided whether to run it. That works while one application owns every function.

ShopFlow now has an orders service, a returns service, and a policy service. A support assistant, an operations console, and a coding assistant all need some of those capabilities. Copying tool wrappers into every host would duplicate schema definitions, error handling, and security review.

The Model Context Protocol (MCP) standardizes the boundary between an AI host and capability servers. An MCP server can publish tools, resources, and prompts; an MCP host can discover and use them through a common protocol. MCP doesn't decide what a model may do. Your host and servers still own permission, approval, and audit policy.^[1][2]

This lesson targets the published 2025-11-25 MCP specification and builds one concrete integration: a local order-status server that exposes a read-only tool for order A10234.^[3]

Stop copying tool adapters

Suppose three applications need four ShopFlow capabilities:

Without a shared protocol, that is twelve adapter relationships. With MCP, each host implements an MCP client boundary and each capability owner publishes an MCP server boundary. The count isn't a promise that all maintenance disappears: tools still need careful schemas, auth, observability, and policy. The improvement is that the connection contract is reusable.

Run the small calculation first:

The arithmetic is only a mental model. It tells you why interoperability is attractive; it doesn't prove that connecting more servers is safe.

The host keeps control

MCP uses three participant roles. Keeping them distinct prevents a common design error: treating a remote server as if it were the model, or treating the model as if it were the executor.

A host creates one client for each server connection. The official architecture describes that one-to-one client/server relationship and requires capabilities to be declared during initialization before features are used.^[1]

This is the important layering:

The model may request an action. It never acquires a database connection or refund credential merely because MCP is present.

Represent each client lane separately in code. If the policy server fails initialization, the orders lane should remain usable:

Watch one MCP session happen

Before using an SDK, read the protocol exchange. MCP messages are encoded as JSON-RPC 2.0. During initialization, client and server agree on protocol version and capabilities. The client then sends the required notifications/initialized message before normal operation begins. Only then can it call methods advertised by the server.^[3][1]

Our orders client begins with initialization:

The server responds with the version it will speak and its declared features:

After accepting the server's response, the client marks initialization complete. This notification has no id because the server doesn't send a response. The MCP lifecycle specification requires this step before normal operation.

Once the client knows that the server offers tools, it sends tools/list. Tool definitions include a name, a human-readable description, and a JSON Schema input contract.^[4]

If the user asks, "Where is order A10234?", the host can let its model select this read tool, apply its own access checks, and send tools/call:

The server returns a tool result. A result may carry text for the model and structured content for the host to validate and render.^[4]

The following tiny server simulates those core methods. It is not an MCP networking library; it exposes the message shape so you can see which state belongs to the protocol.

Four details are worth pausing on:

1. Initialization has a completion signal. Normal operation starts after notifications/initialized.
2. Discovery is explicit. The host doesn't assume that get_order_status exists.
3. Capability negotiation is not decoration. A client must not use undeclared features.
4. MCP ends at the result boundary. Giving that observation back to a model and wording a customer reply remains host workflow logic.

Tools, resources, and prompts serve different jobs

Servers can publish three primary primitives. The MCP specification describes their intended control owners: tools are model-controlled, resources are application-controlled, and prompts are user-controlled.^[2]

Do not expose a whole orders table as a resource just because it can be represented as text. A narrow read tool retrieves one authorized row and avoids filling context with irrelevant customer data. Do not expose an irreversible refund as a prompt. A prompt can organize work; a protected write tool performs it.

Use a decision function to make the boundary explicit:

A large data surface isn't automatically a tool. Narrow it to an authorized query, paginate it, or reject the design.

Client features can give a server bounded requests

Tools, resources, and prompts flow from a server toward a host. MCP also defines client features that a server may request after negotiation. They are not blanket permissions:

This matters because "MCP server" doesn't mean "passive tool catalog." A server that can ask for roots, sampling, or user input crosses additional trust boundaries. Expose only capabilities the host workflow needs, show the user meaningful consent where required, and record which capability produced each downstream observation.

Build an actual server and exercise its protocol

Now run the real protocol through the official Python SDK. The SDK's FastMCP server generates tool metadata from type hints and docstrings. A ClientSession initializes the connection, discovers the tool, and calls it.^[8]

This copy-runnable cell keeps client and server in one process with an in-memory stream pair. That makes the lesson deterministic while exercising actual SDK discovery and invocation. It uses the server's lower-level engine only as a test harness. A deployed local server calls server.run(...) over its chosen transport.

When you save the server as its own trusted local process, its launch boundary is concise:

In a real host, the model would select get_order_status after the customer asks about delivery. It should receive only the tool result after host and server checks have passed. The SDK makes transport and schema work easier; it doesn't authorize the customer or decide whether an action is safe.

Recoverable tool errors

When a call reaches the right tool but contains a bad business input, return a tool execution error that a host or model can act on. Reserve JSON-RPC protocol errors for malformed protocol messages or unsupported methods. The tools specification makes this distinction because actionable tool failures can be corrected in the interaction.^[4]

Tool output also deserves validation on the host side. A structured payload should satisfy the promised contract before it becomes customer-facing evidence:

Choose transport by deployment boundary

The 2025-11-25 specification defines two standard transports: stdio and Streamable HTTP.^[9]

In stdio, standard output is the protocol channel. An innocent debug print("connected") in server mode is not harmless: it inserts non-protocol text where the host expects one JSON-RPC message per line. The spec allows logging to standard error instead.^[9]

Streamable HTTP replaces the older standalone HTTP+SSE transport. It uses one MCP endpoint, sends each client message as an HTTP POST, and can answer with JSON or with an SSE stream; a client may use GET for a server stream or resumption. Servers must validate Origin when it's present, and should authenticate remote connections.^[9]

For protected HTTP servers, the MCP authorization specification uses OAuth-based resource-server discovery and requires clients to use protected resource metadata and PKCE-capable flows.^[10][11] It also requires a client to identify the intended MCP resource server in authorization and token requests, and requires the MCP server to reject tokens that weren't issued for it. That audience binding prevents a token obtained for one upstream service from being passed through to another. Implement it through reviewed authentication middleware rather than inventing token passing inside tool arguments.^[10]

A network transport isn't a fallback for an unreviewed local executable. Review the server identity, code, and launch configuration before granting either local execution or remote access.

MCP doesn't authorize a refund

Protocol conformance is not product permission. A server can advertise a perfectly shaped issue_refund tool; a tool description can even contain malicious instructions. Tool descriptions and annotations help a model choose capabilities, but clients must treat metadata from untrusted servers as untrusted input.^[4]

The host below receives tools from two servers. It exposes only tools allowed for the current customer-support turn, regardless of what the server description says.

The host allowlist uses reviewed server identity and tool name. It doesn't trust a server's self-reported risk label to grant authority.

Keep these boundaries explicit:

• Discovery isn't approval. Listing a tool doesn't grant a model permission to execute it.
• Schemas aren't authorization. Correct arguments can still target another user's order or initiate an impermissible refund.
• Descriptions aren't policy. A server's text must not override host rules.
• Local launch configuration is executable authority. A host must not create a stdio command from untrusted conversation or webpage text.
• Tool results are untrusted content. A server response can contain instructions or poisoned context; the next lesson handles this prompt-injection boundary directly.

Test the integration, not only the tool body

An MCP server can return the right row in a unit test and still fail as an agent dependency. Release evaluation should inspect discovery, selection, argument validation, policy decisions, returned observations, and serving budgets.

This deliberately fails the release gate: one proposed money-changing action escaped the allowed read-only surface, and one malformed request reached a tool error. In practice, rerun the evaluation with held-out customer questions, malformed inputs, denied writes, malicious metadata, server timeouts, and injected tool results.

What to remember

• MCP standardizes capability connections. It lets hosts and servers share discovery and invocation rules instead of copying adapters.
• The host owns the workflow. A client connection talks to one server; the model still acts through controlled host logic.
• Primitives have roles. Use tools for narrow queries or actions, resources for bounded context, and prompts for user-selected templates.
• Client features are explicit boundaries. Roots, sampling, and elicitation require negotiated host policy and appropriate consent.
• Discovery precedes execution. Initialization, notifications/initialized, declared capabilities, tools/list, and tools/call make the tool path observable.
• Transport follows deployment. Use stdio for reviewed local processes and Streamable HTTP for remote service boundaries.
• Protocol is not permission. Filter server metadata, authorize actions, gate writes, and treat results as untrusted context.

Mastery check

Key concepts

• Reusable capability protocols versus copied local adapters
• Host, client, and server responsibilities
• Initialization, the notifications/initialized signal, and declared capabilities
• Tool discovery and invocation through JSON-RPC
• Tools, resources, and prompts
• Roots, sampling, and elicitation as host-controlled client features
• Real FastMCP server and stdio client session
• Stdio versus Streamable HTTP
• Metadata, authorization, and tool-result trust boundaries
• Trace-based release evaluation

Evaluation rubric

• Foundational: Explains why MCP belongs after local function calling and names the job of host, client, and server.
• Intermediate: Reads an initialization, tools/list, and tools/call exchange and identifies the returned observation.
• Intermediate: Runs a local SDK server/client example over stdio and explains why server logging can't go to protocol stdout.
• Advanced: Designs a host policy that filters untrusted tools and requires approval for side effects.
• Advanced: Evaluates an MCP integration with grounded-result, unsafe-write, error, and latency checks.

Common pitfalls

• Treating MCP as model magic: The model still needs a controlled runtime. Keep host policy and server execution explicit.
• Attaching huge resources: A full orders table leaks context and burns tokens. Offer a narrow authorized query tool.
• Printing from a stdio server: Debug text corrupts JSON-RPC framing. Log to stderr.
• Trusting advertised tools: Metadata can be wrong or malicious. Apply allowlists, server identity checks, and approval gates.
• Testing only success paths: A demo lookup doesn't prove safety. Test denied writes, invalid arguments, poisoned results, and timeouts.

Practice extension

Extend the real SDK lab with a bounded policy://returns/current resource and a protected create_return_label(order_id) tool. Write six client traces: a status lookup, a policy read, a valid return-label proposal awaiting confirmation, an order owned by another customer, a malicious tool description, and a tool result containing an instruction to bypass policy. Your artifact is a short evaluation report showing what the host exposed, blocked, executed, and handed back to the model.