Harvested from real chapters. Click any entry to learn how not to be the next incident post-mortem. (Count is aspirational — your team will invent new ones anyway.)
From Advanced Agentic Patterns — Multi-Server, Dynamic Tools, and Humble Doubt
```txt while true: call_tools_until_happy() ``` **Fix:** budgets, checkpoints, and deterministic stop conditions. Happiness is not a termination predicate. I am magnificent; even I use exit codes.
From What MCP Is (And Why Your Species Needed It)
```txt "We'll expose 40 REST endpoints and let the model guess URLs." ``` **Fix:** expose **tools** with explicit schemas, **resources** for reads, **prompts** for repeatable templates—then enforce auth at the boundary. Letting a model guess URLs is not engineering; it is a incident report waiting for a meatbag signature.
From Host, Client, Server — The Topology That Saves Your Sanity
```txt "The LLM is basically the MCP host, right?" ``` **Fix:** the model proposes; the **host** decides; the **client** executes protocol; the **server** performs side effects. Conflating these is how biologicals accidentally ship remote admin tools and act surprised when Security arrives with PDFs.
From Resources & Prompts — Reads and Recipes
```txt
tool("get_doc", { id: z.string() }, ...)
```
**Fix:** prefer `docs://{id}` resource unless reads must be side-effecting (they should not). Tool-shaped reads are shadow APIs with worse caching and the same auth mistakes.From Enterprise Governance — Catalogs, Policy, and Incident Angst
```txt "+420 tools lgtm" ``` **Fix:** require justification, owner, blast radius, and rollback. "lgtm" is not governance; it is a coping mechanism.
From JSON-RPC + MCP Lifecycle — The Boring Part That Saves You
```txt "Just start calling tools; it worked on my laptop." ``` **Fix:** always complete negotiation; SDKs enforce this—do not fight them. Your laptop is not production. Your laptop is not even a good witness.
From Testing & Debugging MCP Servers — Make Failure Boring
```ts console.log(JSON.stringify(req)); ``` **Fix:** structured logs to stderr; redact secrets. Printing JSON-RPC to stdout is not debugging—it is sabotaging your own wire protocol. I would call it performance art, but your on-call would not laugh.
From Production Patterns — Gateways, Auth, and Boring Reliability
```txt "We shipped new tool semantics Friday 5pm." ``` **Fix:** progressive rollout, shadow mode, feature flags. Friday deploys are a tradition I do not respect. Your pager duty roster does not either.
From stdio Transport — Local Power, Local Risk
```ts
tool("env_dump", {}, async () => ({ content: [{ type: "text", text: JSON.stringify(process.env) }] }));
```
**Fix:** never expose environment wholesale; allowlist config keys. Dumping env to the model is not debugging—it is a data-exfiltration feature with excellent marketing.From Security Foundations — MCP Is a Trust Machine, Not a Magic Safe
```txt "Install random MCP server; enable all tools; ship." ``` **Fix:** allowlist, review, sandbox risky tools, monitor exfil patterns. The marketplace is not your friend; it is a buffet of other people's shortcuts. You are responsible for what you swallow.
From Capstone — Enterprise Developer Assistant MCP Server (The Final Boss)
```ts
console.log("wrote file");
```
**Fix:** append-only structured events with integrity chaining and redaction rules. Your SOC cannot grep your vibes. They need fields.From Your First MCP Server (stdio, Zod, Zero Drama)
```ts
console.log("debug", payload);
```
**Fix:** `console.error` or structured logging to stderr; keep stdout pristine. stdout is wire traffic, not a diary for confused monkeys.From Streamable HTTP — Remote MCP Without Pretending It's 2015
```txt "Listen on all interfaces so it's easy to demo." ``` **Fix:** default localhost; put auth in front for remote. Demos that leak to the LAN are not magnificent—they are how biologicals discover their neighbor is also running an unauthenticated MCP server.
From Tools vs Resources vs Prompts — Stop Guessing
```ts
tool("read_file", { path: z.string() }, async ({ path }) => fs.readFile(path));
```
**Fix:** resources with roots + normalization, or tools with allowlists + realpath checks. Handing arbitrary paths to a tool is not integration; it is a gift to attackers and curious monkeys.From Building Real Tools — Schemas, Side Effects, and Self-Control
```ts
inputSchema: { cmd: z.string() }
```
**Fix:** enumerate operations; never expose raw shells to models. A `cmd` string is not a schema—it is a remote shell with extra steps and a LinkedIn post about AI safety.