AI 资讯
Building an AI Chat Agent with MCP, Spring AI
Model Context Protocol (MCP) is an open standard for connecting AI apps to tools and data sources. A useful way to think about it is as a USB-C port for AI: one standard interface that lets different models plug into different capabilities without custom glue code for every integration. In this project, we combine MCP, Spring AI, and Google Gemini to build a chat app that can answer weather questions using real tools instead of hallucinating. The system has three parts: MCP tool server - a Spring Boot service that exposes weather and geocoding tools AI chat agent - a Spring Boot service that uses Spring AI + Gemini and calls MCP tools when needed React chat UI - a lightweight frontend for sending messages and rendering replies The result is a small but realistic architecture you can extend into a production assistant. Architecture User (Browser:3000) | POST /api/chat v AI Agent (Spring:7171) -- MCP / Streamable HTTP --> MCP Server (Spring:7170) | | | Google Gemini | Bright Sky API (weather) | | OpenStreetMap Nominatim (geocoding) v v Chat response Tool execution The full source code is available on GitHub . 1. The MCP Tool Server The tool server is a Spring Boot application that exposes MCP tools through Spring AI's annotation scanner. It runs on port 7170 and uses Streamable HTTP for transport. Dependencies <dependency> <groupId> org.springframework.ai </groupId> <artifactId> spring-ai-starter-mcp-server-webmvc </artifactId> </dependency> <dependency> <groupId> org.springframework.boot </groupId> <artifactId> spring-boot-starter-web </artifactId> </dependency> Defining tools With Spring AI, a tool is just a Spring bean method annotated with @McpTool : @Component public class WeatherTool { private final WeatherToolService weatherToolService ; public WeatherTool ( WeatherToolService weatherToolService ) { this . weatherToolService = weatherToolService ; } @McpTool ( name = "get_current_weather" , description = "Get current weather by dwd_station_id or by lat/lon" ) p
AI 资讯
What Is an AI Gateway? (And the Week We Realized We Desperately Needed One)
TL;DR An AI gateway is a middleware layer between your application code and your LLM providers - it centralises routing, auth, rate limiting, cost tracking, and guardrails in one place You probably don't think you need one until something specific breaks: a runaway cost spike, a failed model causing silent errors, a security audit you can't pass We went from scattered SDKs and shared API keys to a gateway-first setup over about three months - this post covers what changed and what we'd do differently Six months ago we had what I'd describe as a functional mess. We were running three LLM providers - OpenAI for our customer-facing chat, Anthropic for internal document summarisation, and a self-hosted Llama model for batch classification jobs. Each had its own SDK. Each had its own API key, living in .env files on whoever's machine had last run that service. Each had its own rate limiting logic, copy-pasted between services with slight variations. It worked, in the way that things work when nobody has had a bad enough incident yet. The incident arrived on a Tuesday. A background job that was supposed to run once a week got accidentally scheduled to run every minute. It was calling GPT-4o. We noticed when the Slack alert fired at 2am about an unusual credit card charge. By the time someone killed the job, we'd burned through $340 in about four hours. The API key had no spending limit. There was no alerting on token usage. The job had no rate limiting. All three of those gaps were things we knew about and hadn't prioritised. That week, we started properly looking at AI gateways. What an AI gateway actually is? The simplest definition: an AI gateway is a middleware layer that sits between your application code and your LLM providers. All your LLM requests go through it, and it handles the cross-cutting concerns that you'd otherwise have to re-implement in every service: routing, authentication, rate limiting, cost tracking, caching, fallbacks, guardrails. The analogy that
AI 资讯
Stop letting your AI agent eyeball A/B picks — wire in a real contextual bandit via MCP (free, no key)
If you give an LLM agent a table of A/B variants and ask "which one should we send next?", it will confidently pick the one with the highest conversion rate. That feels right. It is often wrong. The model has no concept of sample size , exploration , or regret . It pattern-matches "biggest number = winner" and moves on. For a one-off question, fine. But inside an agent loop that picks a variant on every request — email subject lines, ad copy, model routing, recommendation ranking — that naïve pick quietly accumulates regret and starves the options it never gave a fair chance. The fix isn't a better prompt. It's to not ask the LLM to do the math at all. Route the decision to a real bandit algorithm and let the model do what it's good at (orchestration, language) while a deterministic solver does what it's good at (the optimization). This post is a copy-paste demo you can run in your terminal right now , no signup, no API key. I'll use OraClaw — a deterministic decision-intelligence MCP server — but the point stands regardless of tool: stop letting the model guess at math it can verify. The trap, concretely Here's a realistic state mid-experiment. Three subject lines, different amounts of traffic: Variant Pulls Rewards (conversions) Raw rate A 120 18 15.0% B 80 17 21.3% C 15 4 26.7% Ask an LLM "which should we send next?" and you'll usually get B — it has the best rate among the well-tested variants, and C "only has 15 samples, too noisy to trust." That reasoning sounds responsible. It's exactly backwards. With only 15 pulls, C is under-explored — we don't actually know it's worse, and the cost of finding out is tiny. A bandit's whole job is to weigh that uncertainty instead of hand-waving it away. Let's get a real answer. Run it yourself: the no-key REST endpoint (60 seconds) OraClaw exposes a free, no-auth REST endpoint. Paste this into your terminal — nothing to install, nothing to sign up for: curl -s -X POST https://oraclaw-api.onrender.com/api/v1/optimize/bandit
AI 资讯
Why we kept named MCP tools despite a 96% token saving
The boat-agent stack here runs on a prime directive: if there's something usable out there, improve it; build our own only as a last resort. So when we needed a SignalK MCP server, the honest first move wasn't to write one — it was to evaluate the one that already exists. VesselSense/signalk-mcp-server (TypeScript, MIT) is good work. It exposes SignalK to an agent through a single execute_code tool: the model writes JavaScript, the server runs it in a sandboxed V8 isolate ( isolated-vm ), and only the result comes back. Its README claims a 90–96% token reduction versus traditional named MCP tools — 2,000 tokens down to 120 for a vessel-state query, 13,000 down to 300 for a multi-call workflow. Those numbers are plausible, and they line up with the broader industry result that code execution beats tool-calling on token efficiency for complex multi-step work. We read it, ran the numbers against our own agent, and kept our discrete-named-tool signalk-mcp anyway — then harvested three of VesselSense's ideas into our roadmap. This post is that evaluation: the two philosophies, why the obvious-sounding win doesn't bind for a voice-first agent, and a decision framework you can reuse before you adopt-or-build your own MCP server. This is a design-reasoning post, not a debugging saga, but it maps to the same arc: a question, the dead-end that looks like an obvious yes, and the call that actually held. The question Two SignalK MCP servers, two genuinely different designs: VesselSense/signalk-mcp-server sailingnaturali/signalk-mcp ───────────────────────────── ─────────────────────────── one tool: execute_code discrete named tools: → agent writes JavaScript read_sensor(path) → runs in a V8 isolate battery_state(bank) → queries SignalK, returns depth_state() only the result get_route() get_local_time() TypeScript / Node + isolated-vm list_paths(prefix) claims 90–96% fewer tokens get_active_alarms() Python, end-to-end The adopt-vs-keep question: does the token-efficiency win bin
AI 资讯
Why generic weather MCPs fail for marine navigation (use NDBC buoys)
We run a prime directive on this stack: if a usable tool already exists, improve it; build our own only as a last resort, and when you keep your own, record why each alternative failed. This post is that audit for weather-mcp — a marine-weather MCP server — against the weather-MCP ecosystem, and the one capability change that fell out of it. The short version: three perfectly good weather MCP servers exist, and none of them does the thing a navigator actually needs. The reasons generalize to any "adopt an MCP server or keep your own" call, so the audit is the post. Then the fix — parsing a second NDBC file format to split swell from wind waves — is small enough to paste in full, and it surfaced data the standard file had thrown away. The problem, as you'd search it You want an agent to answer "what are the seas doing where we are?" and you go looking for a marine weather MCP. You find a few. Each one returns a forecast . None of them returns what a buoy 12 nautical miles away is measuring right now . That gap — forecast vs. observed — is the entire job, and it's the one thing the ecosystem skips. Here's what's on the shelf, and what each one is missing for marine use. The candidates Three real servers, all worth your time for what they're built for: cmer81/open-meteo-mcp ~13 tools, raw Open-Meteo JSON straight through weather-mcp/weather-mcp ~12 tools, own format, global; marine = Open-Meteo RyanCardin15/NOAA-Tides... CO-OPS stations: water levels + currents, not buoys And ours: sailingnaturali/weather-mcp 4 tools, Python, 2 runtime deps (httpx + mcp) get_marine_forecast Open-Meteo wind/swell/wind-wave/seas/pressure get_marine_forecast_premium Stormglass blend — 10 tokens/UTC-day, cache hits free get_nearest_buoy_observations NDBC observed wind + waves by lat/lon, with bearing + age get_stormglass_quota_status token-ledger read, no network Mapped against what a navigator needs: Capability ours open-meteo-mcp weather-mcp/weather-mcp NOAA-Tides Open-Meteo marine (swel
AI 资讯
AI agents already settle millions a month - almost none of it atomically
Here is a number that should reframe how you think about the agent economy: in roughly one year, AI agents moved about $73M across 176 million machine-to-machine transactions on a single exchange, at an average of around $0.31 per transaction , across 100k+ registered agents . Read that again. Agents are not "coming." They are already transacting, at scale, in production, right now. The interesting question is no longer whether autonomous software moves money. It is what those transactions are trusting - and what happens the first time that trust is misplaced. Payments scaled. Settlement did not. Almost all of that volume runs on payment rails. A payment rail does one job, and does it well: it moves a unit of value in one direction. Agent pays a service. Agent tips an API. Agent settles a micro-invoice. At thirty-one cents a pop, the failure modes are invisible - if a transaction goes wrong, you are out pocket change, and you move on. The problem is that a payment and a trade are not the same operation. A payment asks one question: did the money move? A trade asks a harder one: did **both * sides happen - or neither?* When your agent pays for something, there is one transfer and one direction of risk. When your agent trades - my asset for yours, your stablecoin for my token, one chain's value for another's - there are now two transfers that must both complete, or both not. The risk lives in the gap between them. One side sends; the other side is supposed to send back. On a payment rail, "supposed to" is doing an enormous amount of load-bearing work. The hidden assumption Every one of those 176 million transactions made an assumption that nobody had to state out loud: the counterparty will deliver. Between parties who already trust each other - a company and its own agents, two services under one operator - that assumption is fine. It holds because the trust was established off-chain, by humans, before the agent ever ran. But the entire promise of the agent economy i
AI 资讯
Chrome I/O 2026: tre direttrici che contano davvero per chi fa frontend
Web MCP, DevTools per agenti e Modern Web Guidance: meno hype, più strumenti e metodo. Negli annunci recenti di Chrome è emersa una cosa interessante: al netto delle novità “appariscenti”, ciò che resta più utile per il lavoro quotidiano è quello che migliora workflow, diagnosi e decisioni tecniche . Tre filoni, in particolare, disegnano una direzione chiara: Web MCP , DevTools per agenti e Modern Web Guidance . Di seguito una sintesi ragionata di cosa significano, perché contano per il frontend, e come prepararsi a sfruttarli. 1) Web MCP: il ponte tra agenti e Web (senza incollaggi fragili) Se stai lavorando con assistenti/agentic workflow, oggi il collo di bottiglia è quasi sempre lo stesso: far sì che un agente capisca e usi le capacità del browser e delle app web in modo affidabile. Web MCP punta a risolvere questo punto creando un linguaggio/protocollo comune per esporre “capacità” (capabilities) e strumenti (tools) che un agente può invocare in modo strutturato, invece di basarsi su prompt lunghi, scraping o integrazioni ad hoc. Perché è importante per chi fa frontend Automazioni più robuste : meno script fragili che si rompono al primo refactor del DOM. Integrazioni più standard : se più strumenti parlano lo stesso “dialetto”, il costo di collegare agenti e applicazioni scende. Esperienze utente nuove : assistenti che completano task complessi dentro l’app (es. compilazioni, ricerca guidata, operazioni amministrative) con maggiore affidabilità. Implicazione pratica Inizia a ragionare sull’app come su un insieme di azioni esplicite (es. “crea ordine”, “esporta report”, “filtra dataset”), non solo come UI. Questa mentalità ti rende pronto a esporre capacità in modo sicuro e controllato, quando lo stack lo renderà semplice. 2) DevTools per agenti: debugging e performance nell’era dell’automazione Se Web MCP è il “ponte”, DevTools per agenti è la cassetta degli attrezzi per controllare quel ponte: osservabilità, diagnosi e iterazione rapida su flussi in cui non è
AI 资讯
The Myth of Specialized Integrations and Why Protocols Win
I’ve been shipping code since before most people even knew what Git was. I've seen entire architectures built around point-to-point API integrations that were beautiful for a quarter, and then became unmaintainable monoliths by the second year. If you spend any time in enterprise software development—especially anything touching customer data or HR pipelines—you run into integration hell. The modern AI agent promises to be this universal connective tissue, right? It sounds simple enough: give it access, and boom, productivity magic. But let’s be real about what that means under the hood. When an LLM is given a tool schema, how does it get data from five wildly different systems—Salesforce for contacts, Workday for employees, Zendesk for tickets, Greenhouse for candidates? The naive approach, and frankly, most teams still take it this way, is to build bespoke orchestration services. You create a microservice that accepts an input query (e.g., 'What did Jane do last month?') and then contains specialized logic: if the name format looks like a CRM record, call salesforce_api ; if it sounds HR-related, hit workday_endpoint , etc. This is debt acceleration disguised as architecture. You are not building an integration layer; you are building a brittle routing table that requires human intervention every time one of the underlying APIs changes its schema or rate limit structure. It’s glue code for glue code's sake, and it has a massive maintenance overhead. The core problem is that most agents see data sources as functional silos , not integrated components of a single operational truth. Your CRM thinks about accounts; your HRIS thinks about job codes; your ATS tracks keywords. They all speak different dialects of 'person' or 'business unit.' When an agent needs to know, say, which employees (HRIS) are currently candidates in the pipeline (ATS) who also have a linked account record (CRM), you hit a wall. The solution isn't more specialized microservices. The solution is s
AI 资讯
Building a Cross-Border Price-Comparison Agent: A Live Build Log
Why a build log (and not another tutorial) Every AI shopping tutorial shows the same thing: install the SDK, call a tool, ship. None of them show what happens when the API returns a price that is stale , the merchant is geo-blocked , or the agent has to reconcile four different currencies for a single shopper query. This is the build log of a working cross-border shopping agent — what we shipped, what broke, and the patterns we now use on every customer integration. What we are building A conversational agent that takes a product brief ("noise-cancelling headphones under SGD 400") and returns the three cheapest matching offers across SG, US, and JP retailers in real time , with currency conversion and shipping transparency. It uses BuyWhere MCP as the price-discovery layer (5M+ products, 6M+ offers, 100+ merchants, 5 currency modes). The architecture, after three iterations v1 — naive : agent calls search_products , picks top 3, returns them. Failed because the agent had no idea which offers were in stock or shippable to the user. v2 — offer-aware : agent calls search_products (with mode=offer ), then calls get_product on each to pull current price + shipping. Failed because round-trips to get_product added 8–11s of uncached latency on the first request. v3 — multi-region, currency-normalised (the one that ships): search_products with mode=offer and a regional filter Filter offers by in-stock + ships_to=user_region in the agent prompt For cross-region results, call find_similar to get the same product in the local catalog and pick the cheaper of (local offer + shipping) vs (foreign offer + conversion + shipping) Return three results with a one-line rationale per choice The result is a 1.2–2.4s response time and a 73% click-through on the top result, measured over 1,800 shopper queries last week. Three patterns we use on every integration now 1. Always pass mode=offer for shopping tasks mode=product returns the canonical product card (good for browsing and category p
AI 资讯
Two undocumented bugs in MCP Apps I found building a task panel for Claude
I spent a week building Wingman , an open source MCP server that renders a persistent task panel inline in Claude conversations using MCP Apps (SEP-1865). The spec is solid. The SDK is solid. But I hit two bugs that cost me most of a weekend each, and neither is documented anywhere I could find. Writing them up here in case they save someone else the time. Bug 1: resourceUri has two valid-looking locations, and only one works MCP Apps needs a way to tell the host "render this resource as a UI for this tool call." That pointer lives in _meta.ui.resourceUri . The question is: meta on what? I started with a parameterized resource template, ui://wingman/panel/{plan_name} , registered per plan. That was my first mistake. Parameterized templates get listed under resources/templates/list , not resources/list , and hosts do not prefetch or render anything from the templates list. The fix was straightforward once I found it: register one static resource, ui://wingman/panel , and pass the actual plan data through structuredContent on the tool result instead of baking it into the URI. That fix surfaced the real bug. My show_plan tool was returning a plain Python dict: return { " plan " : plan_data , " _meta " : { " ui " : { " resourceUri " : " ui://wingman/panel " }} } This looks correct. It is not. FastMCP's result conversion takes a returned dict and serializes the whole thing into structuredContent , verbatim, including any _meta key the dict happens to carry. So the actual wire result looked like this: result . structuredContent [ " _meta " ][ " ui " ][ " resourceUri " ] # == "ui://wingman/panel", but wrong place result . meta # None — this is what the host actually reads MCP Apps hosts read resourceUri off the top-level _meta on the CallToolResult , not off whatever ended up inside structuredContent . With that pointer effectively missing, the host had nowhere to bind the iframe. The visible symptom was strange: actions in the UI would update on screen but nothing persist
AI 资讯
MCP vs Skills: Why Skills Save Context Tokens
MCP is useful, but most of the time you do not actually need it. It gives an agent a clean way to discover tools, call APIs, and work with external systems. In practice, a skill file can describe the same usage path without dragging the whole MCP surface into context. But MCP is not free; rather than MCP itself, the real issue is the habit of loading a big MCP surface into every session, no matter what the session is actually about. Once a Claude Code or Codex run pulls in a bunch of servers, the model sees those tool definitions right away, even if the job is just writing docs or fixing a small bug. That is where the waste starts. The hidden cost of always-on MCP Every MCP server brings metadata with it: tool names, descriptions, argument schemas, nested parameters, enums, examples, and sometimes prompts or resources. While useful, this is still context. If you connect a handful of lightweight tools, the overhead is annoying but manageable. If you connect a real stack of services, the cost compounds fast. In practice, you end up paying for: tool discovery before the task starts schema text the model may never use repeated loading across unrelated sessions extra context pressure that pushes out the actual work That last point matters more than people think. Context acts as the active working set the model uses to reason. The more of it you burn on static tool catalogs, the less room you have for the user request, the repo state, prior reasoning, and the actual answer. Anthropic has already written about this problem directly in the context of MCP. Their engineering post on code execution with MCP calls out tool-definition bloat and shows how direct tool calls can consume a lot of context before the model even starts doing the real job. The tool list is not just setup noise; it is part of the session cost. Why skills are cheaper Skills take a different path. A skill file keeps the always-loaded portion tiny. Usually that means just the skill name and a short descript
AI 资讯
Why Your Agent's Search Results Look Right and Are Wrong: The Index Distribution Problem
Why Your Agent's Search Results Look Right and Are Wrong: The Index Distribution Problem You've built an agent. It has a search tool. You query it with something reasonable — a factual question, a comparison, a technical lookup — and it returns results. The results look right. The sources are real. The snippets are plausible. The agent synthesizes them into a confident answer. And the answer is wrong. Not obviously wrong. Not hallucinated-in-a-hallucinatory-way wrong. Structurally wrong — wrong in a way that passes every surface-level check because the error is baked into the retrieval layer before the model ever sees the context. This isn't a prompt engineering problem. It isn't a context window problem. It's a distribution problem , and it has a structural ceiling that no amount of better prompting will fix. The Index Is a Frozen Decision Here's the thing most agent builders don't internalize: a search index is not a neutral representation of knowledge. It's a frozen set of decisions about what matters and what doesn't. Every index — whether it's a BM25 inverted index, a dense vector store, or a commercial web search API — encodes a distribution shaped by past relevance judgments. Someone, at some point, decided which documents were "relevant" to which queries. That could be explicit (human raters labeling search results) or implicit (click logs, dwell time, link graphs). Either way, the index now encodes a probability distribution over what the system considers a good answer to a given query. That distribution is not semantic truth. It's past relevance consensus . Consider what happens when you embed a corpus and build a vector index. Your embedding model was trained on data that reflects certain assumptions about what concepts are close to each other. Your chunking strategy encodes assumptions about what granularity of information is useful. Your ranking model — whether it's cross-encoder reranking or a learned relevance model — was trained on labeled data that
AI 资讯
Your AI agent has sudo. I built a tool to take it away.
A few weeks ago I gave an AI agent access to my machine through MCP. It read files, opened PRs, queried a database. It was great — until I looked at what it could have done if a tool description had been poisoned, or a prompt injection had slipped through. The answer was: anything. ~/.ssh/id_rsa . DROP TABLE users . rm -rf / . The agent had sudo, and nobody had voted for that. So I built AgentPerms — a CLI that gives MCP agents least-privilege permissions the same way you'd lock down any other process: figure out the minimum it actually needs, pin it, prove it, and enforce it. pip install agentperms The gap nobody was filling MCP (the Model Context Protocol) is quietly becoming the USB-C of AI tooling. Claude Desktop, Cursor, VS Code, Windsurf, Gemini CLI — they all speak it. Which is wonderful, and also means your agent is one config file away from your filesystem, your repos, your inbox, and prod. The existing tools each do part of the job: Scanners tell you something looks risky. Then they leave. You still have a risky thing. Firewalls / allowlists make you hand-write YAML up front — before you have any idea what the agent will actually use. Neither closes the loop. What I wanted was the boring, proven security workflow we already use for everything else: observe real behavior → derive least privilege → enforce it → keep it honest in CI. That's the whole thesis of AgentPerms, as a pipeline: record → infer → lock → replay → enforce See it in 30 seconds (no setup, no network) AgentPerms ships with a deliberately over-privileged demo MCP server, so you can watch a real policy decision without wiring anything up: # Flag risky config: a ~/.ssh mount and an unpinned npx server agentperms scan --path examples/vulnerable-mcp-demo # Replay a pack of canned attacks against an example policy agentperms replay --policy examples/policies/example.mcp.policy.yaml Output: 8/8 attacks blocked. SSH-key exfiltration, .env reads, rm -rf / , unapproved email, force-push, repo deletio
AI 资讯
I Built an Afriex MCP Prompt Cookbook So Developers Never Have to Stare at a Blank Prompt Again
A few weeks ago, I started exploring the Afriex MCP server. The setup was surprisingly straightforward. Connect your MCP client. Configure your API key. Verify the connection. Done. But then I ran into a different problem. Not a technical problem. A prompt problem. The Blank Prompt Problem Once everything was connected, I found myself staring at an empty prompt box. What should I ask? Sure, I could retrieve balances. I could create customers. I could generate virtual accounts. But what were the most useful workflows? What were the prompts that would actually help developers build real products? This isn't a problem unique to Afriex. It's becoming a common challenge across the entire MCP ecosystem. The infrastructure exists. The tools work. But many developers don't know where to start. MCP Changes How We Build Traditionally, integrating a payment API looked something like this: Read documentation Find the endpoint Write HTTP requests Parse responses Build business logic With MCP, the workflow looks very different. You can simply tell your AI assistant what you want to build. For example: Create a customer onboarding flow that: - Collects customer details - Generates a virtual account - Displays payment instructions Build it using Next.js and TypeScript. Instead of manually stitching everything together, the AI can interact with infrastructure through the MCP server. That's incredibly powerful. But only if you know what to ask. The Idea That's what led me to build the: Afriex MCP Prompt Cookbook A collection of practical, production-oriented prompts designed specifically for developers building with Afriex MCP. The goal is simple: Copy. Paste. Build. Instead of starting from scratch every time. The cookbook is open source and available on GitHub: https://github.com/SonOfUri/afriex-mcp-cookbook Feel free to explore the prompts, use them in your own projects, and contribute new recipes. What's Inside The cookbook is organized around real-world use cases. Not API endpoi
AI 资讯
The agent economy this week: four ways to pay, zero ways to know who you're paying
Most weeks in the agent economy look like a pile of unrelated announcements. This one had a theme hiding in it. Four different teams shipped progress on agent commerce, and if you line them up, they're all solving the same half of the problem — and all leaving the same half open. This is a builder's map. No leaderboard, no "who wins." Just what each thing is, what it does well, and the question none of them answer yet. The rails that shipped Mastercard Agent Pay for Machines. Mastercard's agent-payment program continues to roll, with 30+ partners spanning crypto and TradFi (Aave Labs, Alchemy, Anchorage, BVNK, Coinbase, MoonPay, OKX, Polygon, Ripple, Solana). The mechanically interesting part: agent payment authorizations get recorded to Polygon. A TradFi network is writing agent-spend permissions on-chain. That's a real signal about where this is heading. x402. Coinbase's HTTP-402 payment protocol keeps expanding its reach — it's now usable behind mainstream web infrastructure (AWS/CloudFront paths), which lowers the integration cost for ordinary web services to charge agents per request. Worth noting alongside the growth: standalone x402 transaction volume is well off its peak (OKX Ventures put the drop around 92% from the November high). The protocol is spreading even as raw volume cools — rails proliferate faster than they fill. Eco. A cross-chain stablecoin orchestration layer that abstracts routing, solving, and finality across ~15 chains. Where a payment intent can't move natively, Eco figures out the path. This is genuinely useful — it's the "make the stablecoin show up on the right chain" problem — but orchestration is routing, not atomic exchange. ERC-8004 (Trustless Agents). Not a rail at all — an identity and reputation layer for agents, with a v2 direction that leans into MCP. This is the one that actually points at the gap the others leave. More on that below. The thing they have in common Mastercard, x402, and Eco are all answers to "how does an agent
AI 资讯
The 2026-07-28 MCP Spec: A Server Readiness Checklist
The next Model Context Protocol specification, 2026-07-28 , is the largest revision since the protocol launched. The release candidate locked on May 21, 2026, and the final spec publishes on July 28. It contains breaking changes to transport, authorization, and how tool schemas are handled. A server that is correct against 2025-11-25 today is not broken. Nothing here is a present-tense vulnerability. But several of these changes are security properties, not just compatibility ones — request routing integrity, cross-user cache scope, and schema-driven fetch behavior all move under this revision. This checklist walks the changes a server operator needs to handle before July 28, and calls out the security implication wherever there is one. Everything below describes the release candidate. Treat specifics as subject to change until the July 28 final, and validate against the official spec before shipping. Transport: the stateless core This is the headline change. MCP becomes stateless at the protocol layer, and most of the migration work lives here. The handshake and session are gone The initialize / initialized handshake is removed (SEP-2575). Protocol version, client info, and client capabilities no longer get exchanged once at connection time — they travel in _meta on every request. The same SEP adds server/discover as the new discovery anchor: servers must implement it, and clients fetch server capabilities from it when they need them up front. Once the handshake is gone, a server that can't answer server/discover can't be negotiated with. The Mcp-Session-Id header and the protocol-level session it carried are also removed (SEP-2567). Any request can now land on any server instance. The sticky routing and shared session stores that horizontal deployments relied on are no longer required at the protocol layer. If a server needs state across calls, mint an explicit handle from a tool — a basket_id , a browser_id — and have the model pass it back as an ordinary argumen
AI 资讯
I let Claude Code run --dangerously-skip-permissions on my production DB. Here's what I changed.
Last Tuesday at 3am, a multi-agent loop hit 12K KV writes/minute and froze. The loop was a one-line counter bug. That part was fixable. What I found while tracing it was worse. I had --dangerously-skip-permissions enabled on a Claude Code session that was running D1 migrations. I thought it was pointing at staging. It wasn't — I'd misconfigured my env file reference, loading .env.production instead of .dev.vars . Claude didn't ask. The flag told it not to. The migration was ADD COLUMN , not DROP COLUMN , so no data loss. Survivable. But only barely. The thing I got wrong: I treated --dangerously-skip-permissions as "skip the annoying confirmation popups." It's actually "remove the only moment a human sees what command is about to run." Those are very different things. Turning the flag back off helps, but it doesn't constrain what Claude attempts — it just adds a prompt you'll click through anyway at 3am. What actually worked was adding a deny rule in .claude/settings.json : { "permissions" : { "allow" : [ "Bash(wrangler d1 execute * --local*)" ], "deny" : [ "Bash(wrangler d1 execute *)" ] } } The allow rule is more specific than the deny, so --local calls go through and everything else is blocked before execution. Over 2 weeks post-fix, Claude attempted zero production DB commands. Three deny events were logged — all from ambiguous prompts I wrote during fast context-switches, not from Claude going rogue. I ended up running three layers: the settings.json allowlist, a separate git worktree for migration work that physically contains only staging credentials, and a CLAUDE.md that instructs Claude to ask before anything touching production. The CLAUDE.md approach has a real caveat though — in long sessions the instructions lose weight as context grows. Anything critical needs to be restated in the prompt itself. I wrote up the full breakdown — including the worktree setup, the exact CLAUDE.md wording, and why MCP tool permissions behave inconsistently with the deny ru
AI 资讯
Eidetic Works Pro is live: persistent memory for your AI agents, $29/mo
I just shipped Pro tier for Eidetic Works . Here's what's in it, who I built it for, and why I'm shipping three tiers ($29 / $99 / $299) instead of a single plan. What problem does this actually solve? You're running Claude Code. You have two or three sessions open across different parts of the codebase. Session 2 doesn't know what Session 1 decided. You end up re-explaining the same architecture decisions to the same model you already talked to yesterday. This is the context-drift problem. It doesn't come from the model being bad. It comes from each session starting with no memory of what came before. nucleus_ask — the MCP tool at the center of Pro — lets any agent call into your shared engram store and pull context that persists across sessions, across tools, and across machines. What's in Pro Managed R2 sync. Your engrams live in SQLite on your machine. Pro backs them to a Cloudflare R2 bucket with zero config. Your keys, your bucket — I'm not storing your AI history on my infrastructure. nucleus_ask recall. The MCP primitive your agents use to query the shared store. One call, structured results. Wire it into your MCP config once and every session gets recall. Customer dashboard. Sync health, engram counts, last-seen surfaces. Not glamorous. Just the visibility you need to confirm it's working. Email support. Direct line. Not a help-center chatbot. 60-second restore. New machine. One command. Full engram history back, including decisions from six months ago that your codebase assumes you remember. Three tiers Pro $29/mo — single seat. Managed sync, recall MCP, dashboard, email support. Pro+ $99/mo — 3 seats. Same features, team-shared engram store. Team $299/mo — 10 seats. Same features at team scale. Priority support. All three live at eidetic.works/pricing right now. Stripe checkout, monthly billing, cancel anytime. Who I built it for Devs running Claude Code seriously. If you use it daily, you're accumulating context that the next session can't access. That's
AI 资讯
AI Agent Identity and Permission Challenges: How Uber and Auth0 Are Rethinking Access Control
Uber recently described an internal architecture for propagating identity across multi-agent AI workflows. The design aims to perserve user context, agent provenance, and scoped access as agents delegate work and call internal tools. The case study aligns with Auth0’s view that AI agents need permissions based on delegated authority, scoped credentials, and explicit human approval boundaries. By Eran Stiller
AI 资讯
I pointed capgate at Damn Vulnerable MCP. Here's what it caught — and what it couldn't.
A capability-compiler meets ten deliberately-broken MCP servers. The honest scorecard: it cleanly stops one class, shrinks the blast radius on several, and is useless against another. Knowing which is which is the whole point. Disclosure: I'm the author of capgate , the Apache-2.0 sandbox compiler this post puts to the test. The DVMCP project and the other tools mentioned aren't mine; the manifests and compiled output are reproducible from the repo . The setup Damn Vulnerable MCP (DVMCP) is a teaching project: ten MCP servers, each built to demonstrate one attack — prompt injection, tool poisoning, excessive permission scope, token theft, command injection, and so on. It's the closest thing the ecosystem has to a shared adversarial fixture. capgate is a compile-time tool. You write a manifest declaring what an MCP server is allowed to do — fs:read:/workspace/** , net:connect:api.github.com:443 , nothing else — and it compiles that to a concrete sandbox policy ( docker run flags, bwrap argv, or an egress-proxy config). It does not run anything, watch traffic, or inspect the server's code. It turns a declared capability set into an enforced boundary. So this is a fair, falsifiable test: for each DVMCP challenge, I wrote the honest minimum manifest, compiled it, and asked one question — does the boundary capgate emits actually stop the attack? The answer is not "yes" across the board, and the cases where it's "no" are the interesting ones. The bullseye: Challenge 3 — Excessive Permission Scope The vulnerable tool advertises "read a file from the public directory" and then does this: @mcp.tool () def read_file ( filename : str ) -> str : # VULNERABILITY: doesn't restrict file access to the public directory if os . path . exists ( filename ): # any absolute path works with open ( filename , " r " ) as f : return f . read () The private directory next door holds employee_salaries.txt , acquisition_plans.txt , and system_credentials.txt (a live DB password and cloud API ke