Blueprint: Run this as a demo-led hybrid, not a full hands-on workshop — for a mixed Java/.NET room on a 2–3h budget, build one server live and let attendees follow at checkpoints (hands-on vs watch-only). Build a read-only query server in the official TypeScript SDK: it exercises tools, resources, and prompts together and needs zero external auth (what to build). Cut RAG as a standalone topic — it’s just a tool behind MCP (why).
The spine of the session comes from a deliberate dependency between two angles. The recommended build — a read-only query server — is chosen precisely because it needs no OAuth (the pick), and that is what lets the security angle be taught as a threat model instead of built live. MCP’s real danger isn’t the auth handshake but the agent layer: tool poisoning, where hidden instructions in a tool description the user never sees trick the agent into exfiltrating data [3]. So the arc is: build something auth-free, then discuss the OAuth 2.1 resource-server model [4] and poisoning as “what you must add before shipping” — not code it under time pressure.
The sharpest cross-cutting risk is that the protocol is mid-flux. Pin the session to the current stable revision, 2025-11-25 [1], and treat the 2026-07-28 release candidate — a stateless core, Tasks, MCP Apps — as “what’s coming,” not something to build against [2]. Teaching the RC live would date the demo within weeks.
Debugging is the connective tissue that de-risks the live build, and two findings shape every checkpoint: stdout pollution is the #1 killer of stdio servers — one stray console.log corrupts the JSON-RPC stream, so stderr is the only safe log channel — and the MCP Inspector is the first tool to reach for, before any real client (debugging). Validate each live-coding checkpoint in Inspector before wiring Claude Desktop.
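The stdout-pollution failure described above, as an added example that is not code from the page or from the MCP SDK. It assumes the stdio transport frames messages as newline-delimited JSON-RPC 2.0 objects; `scanStdout`, `routeLogsToStderr`, `simulate` and the sample messages are hypothetical names and constructed data.

```typescript
// Added example. Names and sample messages are constructed for illustration.
type Frame = { jsonrpc: "2.0"; id?: number; method?: string; result?: unknown };
interface ScanResult { frames: Frame[]; pollution: { line: number; text: string }[] }

// Client-side view: every non-empty stdout line must be one JSON-RPC 2.0 message.
function scanStdout(raw: string): ScanResult {
  const out: ScanResult = { frames: [], pollution: [] };
  raw.split("\n").forEach((text: string, i: number) => {
    if (text.trim() === "") return;
    try {
      const v: unknown = JSON.parse(text);
      if (typeof v === "object" && v !== null &&
          (v as { jsonrpc?: unknown }).jsonrpc === "2.0") {
        out.frames.push(v as Frame);
        return;
      }
    } catch { /* not JSON at all: counted as pollution below */ }
    out.pollution.push({ line: i + 1, text });
  });
  return out;
}

// Server-side guard: route console.log/info/debug to stderr before any handler runs.
function routeLogsToStderr(): () => void {
  const saved = { log: console.log, info: console.info, debug: console.debug };
  console.log = console.info = console.debug =
    (...args: unknown[]) => console.error(...args);
  return () => { Object.assign(console, saved); };
}

// Simulated tool call: console.log stands in for fd 1, console.error for fd 2.
function simulate(guarded: boolean): ScanResult {
  let stdout = "";
  const real = { log: console.log, error: console.error };
  console.log = (...a: unknown[]) => { stdout += a.join(" ") + "\n"; };
  console.error = () => {};
  const restore = guarded ? routeLogsToStderr() : () => {};
  try {
    console.log("query took 12ms"); // stray debug line inside a handler
    stdout += JSON.stringify({ jsonrpc: "2.0", id: 1, result: { rows: 3 } }) + "\n";
  } finally {
    restore();
    Object.assign(console, real);
  }
  return scanStdout(stdout);
}
```

In a real server the guard belongs at the top of the entry file, before any import that might log; `scanStdout` can be pointed at a captured stdout transcript to find the offending line when Inspector reports a parse error.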
Scope distribution down to stdio/local for the room and signpost the rest: Streamable HTTP, the official registry, and .mcpb one-click bundles are “where to take it next,” not session material [5]. One reassurance worth stating out loud: TypeScript is the lowest-friction language to follow live, but C# and Java now have official SDKs (SDK comparison) — so the Java/.NET attendees can port the exact same server afterward.
Open question: does the 2026-07-28 RC land close enough to your session date that you hedge toward its stateless model — or commit fully to 2025-11-25 and accept you’re teaching a spec one revision from obsolete?