The MCP library, read in order — from the foundations (what MCP is, how it differs from function calling and REST, and its tools/resources/prompts primitives) through building (stand up a server, expose an agent as one), transport and spec evolution (stdio vs SSE vs streamable-HTTP, then the 2026 stateless rewrite), discovery (server cards and the official registry), security (authorization, the confused-deputy trap, the OWASP MCP Top 10), the evaluation that measures MCP tool use, and the essay on who actually controls the protocol.
They are not competing ways to give a model tools. One is the engine; the other is a distribution standard wrapped around it — and you pay for the wrapper in tokens and attack surface.
Most MCP servers are REST APIs underneath. The honest question isn't which transport to use — it's how much of your API to expose, and the data says the answer is about a fifth of it.
The Model Context Protocol defines three server primitives split by who's in control — the model, the app, the user. The ecosystem implemented one of them.
The protocol everyone adopted in 2025 is simpler to build for than the hype suggests — but the part that decides whether your server works isn't the code.
Deploy a LangGraph agent and it auto-publishes a /mcp endpoint, so any client can call it as a tool. Convenient — and lossy. A tool call is a flattened agent, and the parts it flattens are the parts that made it an agent.
The rename reads like marketing housekeeping. It isn't. Folding deploy into LangSmith and handing every deployed agent an MCP endpoint quietly reclassifies your agent from an application into a tool other agents can call.
The two best independent SDK generators got bought in 2026 — Fern by Postman, Stainless by Anthropic, which is retiring its shared generator. The layer that turns an API into agent-usable tools stopped being neutral infrastructure.
The Model Context Protocol replaced its HTTP+SSE transport with Streamable HTTP in 2025. Choosing it does not make your server serverless-friendly — and the reason is the part nobody reads.
The biggest Model Context Protocol revision since launch deletes the session, the handshake, and even the client-side LLM call. The headline isn't new features — it's that the protocol got smaller.
A new .well-known discovery file lets clients read an MCP server's identity, transport, and auth requirements without a handshake — and it pointedly refuses to list the tools.
The official MCP Registry isn't an app store — it's a canonical metadata feed built to prove who owns a server name, and it leaves search and curation to everyone downstream.
The MCP registry catalogs tools. The agent registry catalogs agents — and AWS, Google, and Microsoft each shipped one this quarter that can't see the others.
Eleven vendors just agreed on how agents find tools across the open web. The interesting part is what ARD refuses to be — not a protocol, not a registry of record, just the step before invocation.
The official MCP registry deliberately refuses to host code — so the hard part, trust, lands wherever the artifact lives. Docker's answer is to make that place an OCI image.
Between two spec revisions in 2025, MCP servers quietly stopped being their own authorization servers. The one parameter that change forces your client to send is the whole security story.
X now runs an official Model Context Protocol server at api.x.com/mcp so agents can search posts, look up users, and read trends through your own login — but it will not let them post. The asymmetry is the whole design.
A 1988 access-control bug is the shape of 2026's worst MCP breaches. Understanding the confused deputy tells you why 'just add OAuth' doesn't fix your agent — and what the spec actually changed.
OWASP now has a third Top 10 — one scoped to a single protocol. The surprise isn't a new class of AI attack; it's that connecting an agent to MCP servers re-exposes 2010-era web and supply-chain bugs through a channel that auto-executes them.
Function-calling leaderboards test a model against a handful of curated tools. A real MCP host hands it thousands — and that is a different benchmark, with a different failure mode.
For a year the question that stalled enterprise bets on MCP was 'what happens when Anthropic changes its mind?' In December that question got an answer — and the answer reveals what the standards war was really about.