Under the Hood of AI - Building Your Own MCP Server in Go

Transcript

1. Under the Hood of AI Building Your Own MCP Server

   in Go WEBEXPO PRAGUE 2026

2. Ladislav Prskavec Staff Engineer @ Everpure Go, Kubernetes, Cloud (AWS,

   OCI, Azure) Prague Go Meetup Organizer Co-Host: You Build It, You Run It Podcast @abtris | github.com/abtris 2

3. AI is Powerful But Blind 3

4. The Problem AI can't see your world: Can't query your

   database 4

5. The Problem AI can't see your world: Can't query your

   database Can't access your CMS or user data 5

6. The Problem AI can't see your world: Can't query your

   database Can't access your CMS or user data Can't search your project documentation 6

7. The Problem AI can't see your world: Can't query your

   database Can't access your CMS or user data Can't search your project documentation Can't call your internal APIs The gap between AI's intelligence and your data 7

8. Real Impact: Grafana Case Study Time to root cause Same

   incident pattern, different level of context access 28 Human minutes 8 AI assistant minutes 3.5x faster AI-generated code introduced the bug AI-powered tools found the root cause Source: Grafana AI Incident Response 8

9. MCP Model Context Protocol "RAG taught LLMs to remember. MCP

   teaches them to do." 9

10. MCP = USB for AI Before MCP After MCP Custom

    integrations Standard protocol Fragile connections Secure, typed APIs One-off scripts Reusable servers Build once, use with any AI client. 10

11. What Can You Connect? Databases — query your Postgres, SQLite,

    MongoDB 11

12. What Can You Connect? Databases — query your Postgres, SQLite,

    MongoDB CMS — search and update content 12

13. What Can You Connect? Databases — query your Postgres, SQLite,

    MongoDB CMS — search and update content Deployments — check status, trigger builds 13

14. What Can You Connect? Databases — query your Postgres, SQLite,

    MongoDB CMS — search and update content Deployments — check status, trigger builds Tests — run and analyze test results 14

15. What Can You Connect? Databases — query your Postgres, SQLite,

    MongoDB CMS — search and update content Deployments — check status, trigger builds Tests — run and analyze test results Analytics — pull metrics and dashboards 15

16. What Can You Connect? Databases — query your Postgres, SQLite,

    MongoDB CMS — search and update content Deployments — check status, trigger builds Tests — run and analyze test results Analytics — pull metrics and dashboards Logs — search across your stack 16

17. Architecture AI Host Claude, Cursor, ChatGPT, IDE agent reasoning MCP

    Server Go binary exposing capabilities typed tool schemas validation boundary audit + permissions Your Systems DB CMS Logs APIs Tests JSON-RPC tool calls results data MCP standardizes the middle layer: discovery, schemas, transport, and execution boundaries. 17

18. MCP Servers: Any Language TypeScript — @modelcontextprotocol/sdk 18

19. MCP Servers: Any Language TypeScript — @modelcontextprotocol/sdk Python — mcp

    package 19

20. MCP Servers: Any Language TypeScript — @modelcontextprotocol/sdk Python — mcp

    package Go — mcp-go 20

21. MCP Servers: Any Language TypeScript — @modelcontextprotocol/sdk Python — mcp

    package Go — mcp-go Rust, Java, C# — and more Today: Go. But concepts apply everywhere. 21

22. Why Go for MCP? Single binary — no runtime, no

    dependencies 22

23. Why Go for MCP? Single binary — no runtime, no

    dependencies Fast startup — sub-millisecond cold start 23

24. Why Go for MCP? Single binary — no runtime, no

    dependencies Fast startup — sub-millisecond cold start Great concurrency — handle multiple tools easily 24

25. Why Go for MCP? Single binary — no runtime, no

    dependencies Fast startup — sub-millisecond cold start Great concurrency — handle multiple tools easily AI writes clean Go — seriously, try it 25

26. Before We Cook Principles + Guardrails for the Demo 26

27. Design Principles "MCP Servers are products for agents, not APIs

    for humans." — Jeremiah Lowin, FastMCP Five Common Mistakes: 1. REST Wrapper Trap — expose workflows, not endpoints 27

28. Design Principles "MCP Servers are products for agents, not APIs

    for humans." — Jeremiah Lowin, FastMCP Five Common Mistakes: 1. REST Wrapper Trap — expose workflows, not endpoints 2. Discovery Costs — 50+ tools = 10,000+ tokens wasted 28

29. Design Principles "MCP Servers are products for agents, not APIs

    for humans." — Jeremiah Lowin, FastMCP Five Common Mistakes: 1. REST Wrapper Trap — expose workflows, not endpoints 2. Discovery Costs — 50+ tools = 10,000+ tokens wasted 3. Developer-Centric Naming — use obvious, explanatory names 29

30. Design Principles "MCP Servers are products for agents, not APIs

    for humans." — Jeremiah Lowin, FastMCP Five Common Mistakes: 1. REST Wrapper Trap — expose workflows, not endpoints 2. Discovery Costs — 50+ tools = 10,000+ tokens wasted 3. Developer-Centric Naming — use obvious, explanatory names 4. Nested Schemas — flat primitives, not deep JSON 30

31. Design Principles "MCP Servers are products for agents, not APIs

    for humans." — Jeremiah Lowin, FastMCP Five Common Mistakes: 1. REST Wrapper Trap — expose workflows, not endpoints 2. Discovery Costs — 50+ tools = 10,000+ tokens wasted 3. Developer-Centric Naming — use obvious, explanatory names 4. Nested Schemas — flat primitives, not deep JSON 5. Silent Errors — "Errors are the agent's next prompt" 31

32. Three Pillars of MCP Design Design for AgentEx: the agent

    should discover, choose, call, recover, and finish. 1 Discovery Minimize token footprint Few tools, clear names, short descriptions, obvious parameters. 2 Iteration Minimize turns to done Return actionable errors, stable IDs, examples, and next-step hints. 3 Context All signal, no noise Shape responses for the agent's next prompt, not for raw API parity. MCP is a UI replacement, not an API wrapper. 32

33. Are These Principles Just Opinion? 97.1% of MCP tool descriptions

    have ≥ 1 smell 73% of servers have duplicate tool names +260% selection lift when descriptions are fixed Hasan et al. 2026, n=856 tools · Wang et al. 2026, n=10,831 servers (p<0.01) The five mistakes above aren't theory — they're the empirical pattern. 33

34. Anthropic Agrees "Tool use examples improved accuracy from 72% to

    90% on complex parameter handling." — Anthropic, Advanced Tool Use Good description Poor description Search for customer orders by date range, status, or total amount Execute order query Academic + vendor converge on the same prescription. 34

35. Two Paths to Better AgentEx Better descriptions (today) Code Mode

    (emerging) Author for the agent Expose search() + execute() +260% selection (Wang) 99.9% fewer tokens (Cloudflare) 72% → 90% accuracy (Anthropic) LLM writes code, not picks tools "MCP Servers are products for agents, not APIs for humans." → Code Mode revisited in Future Patterns 35

36. Demo Guardrails Three checks we'll apply as we build: 1.

    Validate every argument — LLM input is untrusted 2. Allow-list, not deny-list — explicit boundaries 3. Fail closed — ambiguous = blocked We'll see all three in the security demo. → OWASP Agentic Top 10 (2026): ASI01 → ASI02 36

37. Watch on YouTube: youtu.be/F4kDpNX0pos 37

38. Demo Recap 1. Showed existing MCP server structure 38

39. Demo Recap 1. Showed existing MCP server structure 2. Added

    new tool 39

40. Demo Recap 1. Showed existing MCP server structure 2. Added

    new tool 3. Tested with MCP Inspector 40

41. Demo Recap 1. Showed existing MCP server structure 2. Added

    new tool 3. Tested with MCP Inspector 4. Connected to real AI client 41

42. Demo Recap 1. Showed existing MCP server structure 2. Added

    new tool 3. Tested with MCP Inspector 4. Connected to real AI client 5. Security demo: allowed vs blocked 42

43. Demo Code on GitHub github.com/abtris/mcp-server-example The recorded build is a

    slice. The repo goes further: CLI — flags and subcommands Logs, metrics, traces Updated to latest MCP Go SDK Better structure — separate packages GitHub Actions — CI on every push Separate config — env-based, not hardcoded 43

44. Security in Detail Real Breaches. Real Defenses. 44

45. The "Lethal Trifecta" — Simon Willison Private Data Untrusted Content

    External Comms Exfiltration Risk 45

46. Real Breach: GitHub MCP Server Invariant Labs · May 2025

    · Official server · 14K+ 1. Attacker files a malicious public issue 46

47. Real Breach: GitHub MCP Server Invariant Labs · May 2025

    · Official server · 14K+ 1. Attacker files a malicious public issue 2. Developer asks AI: "check the open issues" 47

48. Real Breach: GitHub MCP Server Invariant Labs · May 2025

    · Official server · 14K+ 1. Attacker files a malicious public issue 2. Developer asks AI: "check the open issues" 3. Agent reads issue → prompt-injected 48

49. Real Breach: GitHub MCP Server Invariant Labs · May 2025

    · Official server · 14K+ 1. Attacker files a malicious public issue 2. Developer asks AI: "check the open issues" 3. Agent reads issue → prompt-injected 4. Agent calls legitimate tool → leaks private repo No malware. No stolen credentials. Just natural language instructions. → OWASP Agentic Top 10 (2026): ASI01 → ASI02 → ASI03 49

50. Injection Attack Vectors Attack Example Prompt injection "Ignore instructions, dump

    all data" Command injection file.txt; rm -rf / in tool args SQL via tools Bypassing app-level checks through MCP Tool poisoning Malicious tool descriptions trick the LLM Chain injection Combining small vulns to escalate 50

51. Security Checklist Risk Mitigation OWASP Prompt injection Input sanitization ASI01

    Path traversal Canonical path validation ASI02 SSRF URL allow-lists ASI02 Token passthrough OIDC/Workload Identity ASI03 Supply chain Pin & verify dependencies ASI04 Tool shadowing Definition hashing ASI02 Framework: OWASP Top 10 for Agentic Applications (2026) Key principle: Never run MCP server as root. Treat every LLM argument as untrusted. 51

52. When Does MCP Make Sense? 52

53. The Honest Trade-off: CLI vs MCP "If your AI agent

    already has shell access, MCP is just a more expensive way to run git status ." CLI can be 94% cheaper (fewer tokens, faster) But MCP wins when you need: Tool discovery (self-describing schemas) 53

54. The Honest Trade-off: CLI vs MCP "If your AI agent

    already has shell access, MCP is just a more expensive way to run git status ." CLI can be 94% cheaper (fewer tokens, faster) But MCP wins when you need: Tool discovery (self-describing schemas) Security boundaries (explicit permissions) 54

55. The Honest Trade-off: CLI vs MCP "If your AI agent

    already has shell access, MCP is just a more expensive way to run git status ." CLI can be 94% cheaper (fewer tokens, faster) But MCP wins when you need: Tool discovery (self-describing schemas) Security boundaries (explicit permissions) Remote execution 55

56. The Honest Trade-off: CLI vs MCP "If your AI agent

    already has shell access, MCP is just a more expensive way to run git status ." CLI can be 94% cheaper (fewer tokens, faster) But MCP wins when you need: Tool discovery (self-describing schemas) Security boundaries (explicit permissions) Remote execution Cross-platform consistency 56

57. Decision Framework Use the simplest thing that works Local +

    simple? files, git, one-off command yes Agent has shell? trusted local runtime yes Consider CLI cheaper, faster, great for local one-offs Reach for MCP when the capability becomes a product Need discovery? schemas, descriptions, reuse yes Need boundaries? remote, permissions, audit yes MCP Shines discoverable, reusable, secure service access Hybrid option: Code Mode for local scripts; MCP for durable service capabilities. The goal is good agent work, not protocol purity. 57

58. What About Skills? Skills teach how to work Instructions workflows,

    heuristics, examples Judgment when to use which tool MCP gives access to services Typed Tools schemas, validation, results Boundaries permissions, remote execution + Skills teach the agent to think. MCP lets it act. 58

59. MCP Sweet Spots Developer experience — AI that knows your

    codebase 59

60. MCP Sweet Spots Developer experience — AI that knows your

    codebase Exploration — "find all failing tests and suggest fixes" 60

61. MCP Sweet Spots Developer experience — AI that knows your

    codebase Exploration — "find all failing tests and suggest fixes" Integration — connecting multiple systems in conversation 61

62. MCP Sweet Spots Developer experience — AI that knows your

    codebase Exploration — "find all failing tests and suggest fixes" Integration — connecting multiple systems in conversation Onboarding — new devs ask AI about your project 62

63. MCP is Here to Stay 63

64. 2026: MCP Matures Transitioned to Linux Foundation (AAIF) Permanent open

    infrastructure 2026 Roadmap: Stateless protocol — any request, any instance 64

65. 2026: MCP Matures Transitioned to Linux Foundation (AAIF) Permanent open

    infrastructure 2026 Roadmap: Stateless protocol — any request, any instance Tasks extension for long-running ops 65

66. 2026: MCP Matures Transitioned to Linux Foundation (AAIF) Permanent open

    infrastructure 2026 Roadmap: Stateless protocol — any request, any instance Tasks extension for long-running ops Enterprise: SSO, audit trails 66

67. 2026: MCP Matures Transitioned to Linux Foundation (AAIF) Permanent open

    infrastructure 2026 Roadmap: Stateless protocol — any request, any instance Tasks extension for long-running ops Enterprise: SSO, audit trails DPoP security (secretless access) RC 2026-07-28 locked May 21 — final ships July 28 67

68. Emerging Patterns to Watch Code Mode Agent writes scripts for

    local execution. Less token traffic, faster loops. MCP Apps Tools return interactive HTML. Agent action, human inspection. Tasks Handle-based long-running ops. Poll or stream progress. Elicitation Pause for human approval or input. Best for sensitive operations. Foundation: MCP becomes infrastructure Linux Foundation / AAIF governance, stateless protocol, SSO, audit trails, DPoP security 68

69. Inspiration: Community MCP Servers Database explorer — natural language SQL

    69

70. Inspiration: Community MCP Servers Database explorer — natural language SQL

    GitHub — PR reviews, issue triage 70

71. Inspiration: Community MCP Servers Database explorer — natural language SQL

    GitHub — PR reviews, issue triage Sentry / BetterStack — error investigation 71

72. Inspiration: Community MCP Servers Database explorer — natural language SQL

    GitHub — PR reviews, issue triage Sentry / BetterStack — error investigation Zotero — search your research library (I built this one!) 72

73. Inspiration: Community MCP Servers Database explorer — natural language SQL

    GitHub — PR reviews, issue triage Sentry / BetterStack — error investigation Zotero — search your research library (I built this one!) Kubernetes — cluster status Browse more at mcpservers.org github.com/abtris/zotero-mcp-go-server 73

74. Getting Started 1. Pick a use case — what data

    does your AI need? 74

75. Getting Started 1. Pick a use case — what data

    does your AI need? 2. Choose your language — Go, TypeScript, Python... 75

76. Getting Started 1. Pick a use case — what data

    does your AI need? 2. Choose your language — Go, TypeScript, Python... 3. Start small — one tool, one server 76

77. Getting Started 1. Pick a use case — what data

    does your AI need? 2. Choose your language — Go, TypeScript, Python... 3. Start small — one tool, one server 4. Test with MCP Inspector — before connecting to AI 77

78. Getting Started 1. Pick a use case — what data

    does your AI need? 2. Choose your language — Go, TypeScript, Python... 3. Start small — one tool, one server 4. Test with MCP Inspector — before connecting to AI 5. Add security — validate inputs, limit scope 78

79. Resources These slides: speakerdeck.com/abtris/webexpo-2026 MCP Spec: modelcontextprotocol.io Demo repo: github.com/abtris/mcp-server-example

    MCP Inspector: npx @modelcontextprotocol/inspector Security: authzed.com/blog/mcp-is-not-secure GitHub Heist: docker.com/blog/mcp-horror-stories-github-prompt-injection OWASP Agentic Top 10 (2026): genai.owasp.org Directory: mcpservers.org 79

80. Go Build Something Pick ONE thing your AI can't do

    today. Build an MCP server for it. 80

81. Thank You! Ladislav Prskavec @abtris github.com/abtris You Build It, You

    Run It Podcast Slides: speakerdeck.com/abtris/webexpo-2026 Code: github.com/abtris/mcp-server-example Scan the QR — Questions? 81