AI Harness Engineering, Chapter 7 of 19

Part 3: Tools, Actions, and MCP

07. MCP — The Agent Integration Standard

Sections in this chapter

  1. What MCP is, in one sentence
  2. Why a protocol matters
  3. Clients, servers, transports
  4. The three primitives
  5. Discovery and capability boundaries
  6. Authentication and authorization
  7. Composition: connecting multiple MCP servers
  8. Security pitfalls
  9. When to use MCP versus alternatives
  10. A worked example: designing an MCP server for a CI/CD platform

Key Takeaways

Insight

The interview test of MCP fluency is not reciting the spec. It is explaining why a protocol matters in the first place, and naming the three properties above. Candidates who launch into transport deta

Insight

A memorable way to lock in the three primitives: tools do, resources show, prompts say. Tools perform actions. Resources expose data for reading. Prompts inject templates.

Insight

A good heuristic: if an integration would benefit from being reusable across agents, across hosts, or across teams, choose MCP. If it would not, a direct tool is simpler and sufficient. Protocols pay

Common Trap

The two cardinal sins of MCP authentication are over-scoped tokens ("read/write everything" for a task that needed one pipeline) and long-lived tokens ("this token works forever" for an agent that

Interview Questions

1. Explain MCP to a senior engineer who's never heard of it.

Frame: start with the analogy (LSP for editors → MCP for agents). Then the three properties: discoverability, transport agnosticism, capability boundaries. Then the three primitives (tools do, resources show, prompts say). Close with the practical payoff: new integrations become discoverable without code c

2. Your MCP server was compromised. What's the blast radius and how do you limit it?

Frame: name the attack vectors — poisoned tool results (indirect injection), false capability advertisement, data exfiltration via resource access. Defences: scope tokens tightly (one tenant, short-lived), vet servers like dependencies with signed capabilities, output guardrails on tool results, spotlighting

3. Design an MCP server for a CI/CD platform. What tools, resources, and prompts do you expose?

Frame: walk through the three buckets with 4–6 examples each. Emphasise that destructive tools are present but gated, that resources are URI-addressable and scoped per tenant, and that prompts are named templates the host surfaces as slash commands. Wrap up with auth (OAuth, scoped, short-lived), audit, and rate limits.

4. What's the difference between a tool and a resource in MCP, and why does the distinction matter?

Frame: tools are agent-initiated actions with side effects; resources are client/host-initiated reads with no side effects. The consent boundary differs: the user picks which resources to include; the agent decides which tools to call. Merging them collapses consent and auditability.

5. Would you ever choose not

Frame: yes, when the integration is tightly coupled to one agent, latency is critical, or the consumer base is a single codebase. Direct function tools are simpler. Use MCP when reuse across agents/hosts/teams justifies the protocol cost.

6. Describe a confused-deputy attack against an MCP server and its defence.

Frame: the server has standing access to multi-tenant data; an agent acting for user A is tricked into accessing user B's resources. Defence: every server request is authenticated against the user principal, not the agent platform; multi-tenant servers must not use shared service credentials; the user token is the sole pri
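The Common Trap (over-scoped, long-lived tokens) and Question 6 (confused deputy) meet at one enforcement point: the check a CI/CD MCP server runs before any tool has a side effect. The gate below is an added example, not code from the book or from any MCP SDK; the token shape, the tool registry (`TOOLS`), `authorize_tool_call`, and `MAX_TOKEN_LIFETIME` are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class UserToken:
    """Constructed token shape for this example; not the MCP spec's format."""
    principal: str      # the user the agent acts for, e.g. "user:alice"
    tenant: str         # the single tenant this token is scoped to
    scopes: frozenset   # e.g. frozenset({"pipeline:read"})
    issued_at: float    # epoch seconds
    expires_at: float   # epoch seconds


# Hypothetical CI/CD tool registry: name -> (required scope, destructive?)
TOOLS = {
    "get_pipeline":     ("pipeline:read",   False),
    "trigger_pipeline": ("pipeline:run",    True),
    "cancel_pipeline":  ("pipeline:cancel", True),
}
MAX_TOKEN_LIFETIME = 3600.0   # seconds; anything longer counts as long-lived


def authorize_tool_call(tool, args, token, now=None, user_confirmed=False):
    """Gate run before a tool has any side effect. Returns (allowed, reason);
    the reason string is what the server writes to its audit log."""
    now = time.time() if now is None else now
    if tool not in TOOLS:
        return False, "unknown tool"
    # Confused deputy: the request must carry the user's own principal,
    # never the server's shared service credential.
    if not token.principal.startswith("user:"):
        return False, "not a user principal"
    if token.expires_at <= now:
        return False, "token expired"
    if token.expires_at - token.issued_at > MAX_TOKEN_LIFETIME:
        return False, "token lifetime exceeds limit"
    # One tenant per token: any other tenant in the arguments is cross-tenant.
    if args.get("tenant") != token.tenant:
        return False, "tenant mismatch"
    scope, destructive = TOOLS[tool]
    if scope not in token.scopes:
        return False, f"missing scope {scope}"
    # Destructive tools are present but gated behind explicit user consent.
    if destructive and not user_confirmed:
        return False, "destructive tool requires user confirmation"
    return True, "ok"
```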