Model Context Protocol

Model Context Protocol (MCP) is an open standard introduced by Anthropic in November 2024 that standardizes how AI systems integrate with external tools and data sources. Think of it as USB-C for AI: a universal connector between language models and the real world.

The Problem It Solves

Before MCP, connecting an LLM to external systems meant building custom integrations for each tool. N models × M tools = N×M custom connectors. MCP collapses this to N+M: build one MCP server, any MCP client can use it.

Architecture

MCP uses a client-server model over JSON-RPC 2.0, borrowing message-flow patterns from the Language Server Protocol (LSP).

┌─────────────────────────────────────────────────────────┐
│                      MCP Host                           │
│  (Claude Desktop, Cursor, VS Code, Custom App)          │
│                                                         │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐     │
│  │ MCP Client  │  │ MCP Client  │  │ MCP Client  │     │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘     │
└─────────┼────────────────┼────────────────┼─────────────┘
          │                │                │
          ▼                ▼                ▼
    ┌───────────┐   ┌───────────┐   ┌───────────┐
    │MCP Server │   │MCP Server │   │MCP Server │
    │(Filesystem)│   │(Database) │   │(Slack)    │
    └───────────┘   └───────────┘   └───────────┘

Three components:

Host: The AI application users interact with (Claude Desktop, Claude Code, Cursor)
Client: Lives inside the host, translates between LLM and MCP servers
Server: External service exposing tools, resources, or prompts to the LLM

Primitives

MCP servers expose three types of capabilities:

Primitive	Description	HTTP Analogy
Resources	Read-only data the LLM can load into context	GET endpoints
Tools	Functions the LLM can invoke with side effects	POST endpoints
Prompts	Reusable interaction templates	-

MCP vs RAG

Aspect	RAG	MCP
Direction	One-way (retrieve → inject)	Two-way (query ↔ act)
Actions	Read-only	Read + Write + Execute
Risk profile	Bad advice	Real damage

RAG is passive: fetch context, feed to model. MCP is active: the model can trigger actions, modify data, send emails. The blast radius of a mistake expands from wrong answers to unintended consequences.

Ecosystem

Registries and directories:

Popular servers:

Playwright (browser automation, 12K GitHub stars)
Filesystem (secure local file operations)
Git (repository manipulation)
Slack, Notion, Google Workspace integrations
Database connectors (Postgres, Skyvia, Vectara)

Clients:

Claude Desktop (most popular, runs servers locally)
Claude Code (CLI-based, supports MCP for external tools)
Cursor, Windsurf (IDE integrations)

Implementation

Two official SDKs plus community frameworks:

Python (FastMCP)

pip install fastmcp

from fastmcp import FastMCP
 
mcp = FastMCP("demo")
 
@mcp.tool
def add(a: int, b: int) -> int:
    """Add two numbers."""
    return a + b

TypeScript

npm install @modelcontextprotocol/sdk zod

FastMCP (both Python and TS versions) handles parameter validation, type conversion, and protocol compliance via decorators/type hints.

Transports:

STDIO: Default for local development and Claude Desktop
SSE (Server-Sent Events): For web-based deployments

2026 Developments

December 2025: Anthropic donated MCP to the Agentic AI Foundation under Linux Foundation, co-founded with Block and OpenAI
March 2025: OpenAI adopted MCP across products including ChatGPT desktop
Protocol is now vendor-neutral, community-driven

Context Window Tax

Every connected MCP server adds metadata to every request: tool descriptions, parameter schemas, usage examples. Five servers might add 3,000 tokens. You’re paying for tools you’re not using.

Mitigations:

Dynamic tool loading based on task
Rube MCP consolidates 500+ integrations into one server
Disable unused MCPs and plugins

Security Considerations

See MCPs Are Great and All But We Need to Talk About the Risks for the full analysis. Key risks:

Prompt injection: Malicious instructions in data can trigger tool actions
Rug pull attacks: Tool definitions can change after approval
Credential exposure: OAuth tokens stored in server/client processes
Partial state: Multi-step actions without transactional semantics

Mitigations: Least privilege, short-lived tokens, tool versioning, human-in-the-loop for mutations.

🌻 prg.sh

Explorer

Model Context Protocol

The Problem It Solves

Architecture

Primitives

MCP vs RAG

Ecosystem

Implementation

2026 Developments

Context Window Tax

Security Considerations

Sources

Graph View

Table of Contents

Backlinks

🌻 prg.sh

Explorer

Model Context Protocol

The Problem It Solves

Architecture

Primitives

MCP vs RAG

Ecosystem

Implementation

2026 Developments

Context Window Tax

Security Considerations

Related

Sources

Graph View

Table of Contents

Backlinks