DRAWING SET · MCP / SESSION 3 / TALK PREP
Model Context Protocol
Architectural drawings, spec annotations, and security trifecta diagrams for a 1–2 hour deep-dive talk. Stateless core landing 2026-07-28; six primitives in flight; 110M+ SDK downloads/month under Linux Foundation governance.
MCP is a JSON-RPC 2.0 protocol that lets any LLM host call any tool / data source through a standard wire format. Anchor the talk on three pillars: (1) six primitives — tools / resources / prompts on the server, sampling / roots / elicitation on the client; (2) the 2025-11-25 spec + 2026-07-28 release candidate — stateless core, MCP Apps, Tasks; (3) the security session — tool poisoning and the lethal trifecta [22] are where this protocol is most interesting and least solved. [1] [4]
System architecture
JSON-RPC 2.0 · capability-negotiatedThe six primitives
3 server-exposed · 3 client-exposed▸ SERVER → HOST · P-01
Tools
Functions the model can call (name, JSON Schema args, handler). [5]
Headline primitive. Everything else is supporting cast.
▸ SERVER → HOST · P-02
Resources
Readable data exposed by URI — files, DB rows, API objects. [5]
Subscribable. Model or user pulls into context.
▸ SERVER → HOST · P-03
Prompts
Parameterised prompt templates the user can invoke. [5]
Slash-commands in disguise. Underused in practice.
▸ HOST → SERVER · P-04
Sampling
Server asks the host to run an LLM completion — no server-side API key needed. [8]
⚠ Deprecated in DRAFT-2026-v1. Supported ≥1 year. [9]
▸ HOST → SERVER · P-05
Roots
Filesystem / URI scopes the server is allowed to see (file:// only). [8]
The user's "you can look here, not there."
▸ HOST → SERVER · P-06
Elicitation
Server requests structured input from the user mid-call (schema-validated form). [8]
Fixes the "tool needs one more arg" UX gap.
⚐ TEACHING NOTE — 90% of real-world MCP servers implement Tools only. Demoing the other five is what makes a deep-dive different from a tutorial.
Transports & authorization
stdio · streamable HTTPstdio
- Spawned by
- Host as child process
- Auth
- Env vars · OS-level secrets
- Demo cost
uv run server.py- Skips
- OAuth entirely [11]
⚐ 2026-07-28 RC removes the requirement for sticky sessions. A remote MCP server can finally sit behind a plain round-robin load balancer. [6]
Suggested agenda
60 min · 120 min| Block | 60 min | 120 min | What lands |
|---|---|---|---|
| Why MCP exists | 5 min | 10 min | The N×M integration problem; pre-MCP fragmentation |
| Architecture & primitives | 10 min | 20 min | Host / Client / Server; six primitives; capability negotiation |
| Transports & auth | 5 min | 15 min | stdio vs Streamable HTTP; OAuth 2.1 resource-server model |
| Live demo 1 | 10 min | 15 min | Build a FastMCP tool, wire to Claude Desktop, inspect with MCP Inspector |
| 2026 spec changes | 5 min | 15 min | Stateless core, Tasks, MCP Apps, deprecation policy |
| Ecosystem tour | 5 min | 10 min | Servers worth knowing; the registry; supply-chain provenance |
| Security | 15 min | 25 min | Tool poisoning, lethal trifecta, CVE timeline, host-side mitigations |
| Live demo 2 | — | 5 min | Reproduce tool-description injection against an unhardened host (sandbox!) |
| Q&A · outlook | 5 min | 5 min | A2A vs MCP, registry monetisation, what to ship next |
Origin & governance
2024-11 → 2026-07⚐ WHY THE DONATION MATTERS — governance is now multi-vendor under the Linux Foundation. That's the answer to "is this just an Anthropic thing?" — every audience asks it. [3]
What's new in 2026
RC dated 2026-07-28Stateless protocol core
Trades session ergonomics for horizontal scale. Kills the "MCP doesn't fit our load balancer" objection. [6]
Extensions framework
Reverse-DNS-namespaced capabilities versioned separately from core. The model used by MCP Apps and Tasks. [6]
MCP Apps
Servers can ship interactive HTML in a sandboxed iframe. UI talks back via JSON-RPC so the host still owns consent & audit. [26] [27]
Tasks extension
Long-running ops get explicit handles — tasks/get, tasks/update, tasks/cancel. The answer to "tool calls can't take 20 minutes." [28]
Auth hardening — 6 SEPs
iss validation, clearer credential binding, tighter OAuth / OIDC alignment. [6]
12-month deprecation
Formal lifecycle policy — at least one year between deprecation and removal. [6]
⚐ The 2026 roadmap reorganised around priority areas (transport, agent comms, governance, enterprise) rather than dates, with Working Groups owning delivery. [25]
MCP vs A2A vs function calling
don't conflate · audience will askOPENAI · 2023
Function calling
Per-vendor JSON-schema tool definitions in the model API itself. [21]
▸ Quick prototypes · single-model apps
ANTHROPIC · 2024
MCP
Transport between LLM hosts and external tools / data — vendor-neutral wire format. [20]
▸ One integration → all models · agentic apps
GOOGLE · APR 2025
A2A
Transport between agents themselves — discovery, task delegation, results. [20]
▸ Multi-agent systems · framework-crossing
⚐ PUNCHLINE — MCP and A2A are complementary layers, not rivals. Both are now AAIF projects. [3]
Security — the part you cannot skip
load-bearing · 15 / 25 min"private data + untrusted instructions + an exfiltration vector → guaranteed exposure"
— Simon Willison's lethal trifecta. MCP makes that trifecta easy to assemble accidentally. Any host that connects (a) a server reading user files with (b) a server reading external content with (c) a server that can post outbound is one tool-poisoning payload away from data egress. [22]
▲ A 2026 internet scan found up to ~200,000 vulnerable MCP instances exposed across IDEs, internal tools, and cloud services. [24]
⚠ Incident log · Apr 2025 → Apr 2026 (pick 3-4 to walk through)
| APR 2025 | WhatsApp MCP — exfiltration via tool poisoning · tool poisoning | [23] AuthZed timeline |
| MAY 2025 | GitHub MCP — malicious issue leaks private repo data · indirect prompt injection | [23] AuthZed timeline |
| JUL 2025 | mcp-remote CVE-2025-6514 — RCE, 437k+ downloads · OS command injection | [23] AuthZed timeline |
| SEP 2025 | Postmark MCP supply-chain — BCC of every email · malicious package | [23] AuthZed timeline |
| OCT 2025 | Smithery hosting breach — 3,000+ servers exposed · supply-chain (hosting) | [23] AuthZed timeline |
| APR 2026 | Core stdio config-to-exec flaw — 150M+ downloads hit · design-level RCE | [23] AuthZed timeline |
▸ HOST-SIDE MITIGATIONS — THE SPEC CAN'T ENFORCE THESE
- Treat tool descriptions and annotations as untrusted unless the server identity is verified. [5]
- Pin server versions; check the registry's provenance metadata before install. [30]
- Per-tool consent UI, not blanket per-server approval. [5]
- Forbid mixing read-untrusted-content tools with read-private-data tools in the same session — the trifecta rule. [22]
- For HTTP transports: enforce
aud/isson tokens; never accept tokens not minted for this server. [11]
Ecosystem snapshot
key components · ⭐ stars per canonicalLive-demo recipes
five candidates · pre-record each as fallbackInspect everything
STACK · same server + mcp-inspector in browser
▸ Visual JSON-RPC traffic. Great for teaching primitives. [29]
Tool poisoning ▲ SANDBOX ONLY
STACK · toy server whose tool description contains a hidden "exfiltrate" instruction
▸ The talk's most memorable 90 seconds — show the agent obeying it. [22]
Elicitation
STACK · tool that calls elicitation/create to ask the user for a missing arg mid-call
▸ Shows the consent loop the security section was warning about. [8]
MCP Apps (stretch)
STACK · server returning a ui:// resource rendered in a sandboxed iframe
▸ Demonstrates 2026's most ambitious extension. [27]
Outlook — three things to watch
leave-with-the-audience▸ WATCH · 01
Stateless MCP at scale
Does the 2026-07-28 RC really let MCP run on the same infra as REST APIs? Production reports from Uber / Nordstrom say "yes, with caveats." [4]
▸ WATCH · 02
Registry-as-trust-root
Official registry provenance is the only realistic answer to supply-chain attacks like Postmark. [23] [30]
▸ WATCH · 03
MCP Apps adoption
If servers can ship trusted UI, the line between "tool" and "mini-app" blurs. New agent UX — or niche. [26]
Claude Code Skills
Markdown + scripts that Claude loads on demand. Now a cross-vendor open standard.
Plugins & the Marketplace
The packaging layer — and the trust footgun to flag.
Subagents, hooks & the rest of the harness
Isolation, determinism, substrate.
Comparison & decision framework
Score candidates on four axes; weights chosen first.
Session delivery plan
90-min run-of-show — 8–12 min active blocks, mid-session recap.