Day 2 · Synthesis Checkpoint

Reassemble Tools & MCP from Memory

No new ideas. A retrieval workout, the kind that makes it stick.

Day 2 had a single spine: tools let an agent act, MCP lets tools scale, and scale forces governance. Rebuild that spine from memory before you reveal anything. The struggle is the learning.

1 · Rebuild the Day-2 line

Five lessons, one progression. For each, recall the core idea in a sentence, then check.

The five-lesson line — reconstruct it, then reveal
TOOLS (L1)     eyes & hands; a tool lets a model KNOW or DO; tool = contract;
               taxonomy (retrieve / act / integrate / HITL) is a RISK map
DESIGN (L2)    a tool's docs are the model's UI; describe actions not APIs,
               publish tasks not endpoints, stay granular, validate, useful errors
MCP (L3)       N×M connectors → N+M; Host / Client / Server; only Tools are
               broadly supported (~99%) — build on Tools
FOR/AGAINST(L4)reuse + dynamic discovery + flexibility  VS  context bloat +
               enterprise gaps (auth, identity, observability)
THREATS (L5)   5 attacks + the confused deputy (server checks ITS rights,
               not the USER's) → wrap the open protocol in governance

The line bends one way: each lesson adds capability, and each capability adds a way to be attacked, until the only safe conclusion is a governance wrapper.

2 · The through-line

Every Day-2 thread converges on one sentence. Recall it, and why it's forced.

The Day-2 thesis, and why — from memory first

Enterprises don't run "pure" MCP, they wrap the open protocol in centralised governance. Why it's forced: MCP is decentralised and open by design, which is exactly what leaves it without native identity, authorization, or observability. Decentralised-by-default is L1 Unseen. The gateway / managed-platform wrapper is the EXPOSE→BIND→ENFORCE climb to L3 Controlled, the same VERDICT layer, reached from the tooling side.

3 · Recall under fire

Shuffled across the day, with a couple of Day-1 links. Pick before you're sure.

Every tool does one of two jobs for the model —

L1. Know (retrieve data) or do (take an action). Everything else is detail around those two.

Your instruction to the model should —

L2. Say what, not how: the factory's "success criteria, not step-by-step" (Day 1 L3) at the tool layer.

MCP collapses the N×M connector problem to —

L3. Each side speaks MCP once; build a tool as a server and any MCP model uses it.

The MCP component that advertises and executes tools is the —

L3. Server exposes + runs tools; Host orchestrates and enforces policy; Client holds one session.

Enterprises actually adopt MCP by —

L4. Gateways and managed platforms add the identity, auth, and observability the base protocol omits.

Connecting many MCP servers most directly bloats —

L4. Every server's tool definitions load into context, Day 1 L4's static-context cost, via tools.

The confused deputy escalates because the server checks —

L5. The deputy wields its own broad authority on the attacker's behalf. Fix: scoped, user-bound credentials + identity.

4 · Put it together

The Day-2 reflex on a fresh case. Answer before revealing.

An agent connects to a third-party MCP server that can write to your production database. Name three risks and the control for each. — answer, then reveal

Confused deputy — a prompt-injected agent makes the privileged server write on an attacker's behalf. Control: scoped, user-bound least-privilege credentials, not the server's broad ones.

Dynamic capability injection / tool shadowing — the third-party server changes or shadows tools after vetting. Control: allowlist + pin tool versions; approved-servers-only via a gateway.

Sensitive write with no oversight — a prod write is a sensitive sink. Control: human-in-the-loop confirmation on the sink, plus Evidence (logged, attributable calls). And honestly: should a third-party server touch prod at all?

Three risks, three controls, and together they are the governance wrapper. If you can name these cold, Day 2 has done its job.

What you can now do

Design a tool the model uses correctly; choose MCP (or not) knowing its trade-offs; and look at any agent-tool setup and name where it's exposed (confused deputy, shadowing, injection, leakage, over-broad scope) and the control that closes each. That's the Day-2 success criteria, met.

Day 2 consolidated. ✓ Tools act, MCP scales, governance contains.

Up next → Day 3, Context Engineering: Sessions & Memory. Day 1 L4 introduced context; Day 3 goes deep on the state that makes an agent more than a stateless call: sessions, memory, consolidation, and context rot.

Revisit: L1 · L2 · L3 · L4 · L5 · Glossary · Governance Layer · Course home