THE LINUX FOUNDATION PROJECTS
Join us at MCP Dev Summit Bengaluru • June 9-10 • REGISTER NOW

Video

Watch exclusive interviews, event highlights, and deep dives into AAIF and agentic AI.

Videographer holding a camera

MCP Dev Summit North America 2026

Keynote: Operating MCPs at Enterprise Scale: Uber’s Journey - Meghana Somasundara, Agentic AI Lead & Rush Tehrani, Head of Engineering, Agentic AI Platform, Uber Technologies, Inc. Meghana Somasundara and Rush Tehrani, who lead Uber's agentic AI platform, reveal how they took MCP from a promising protocol to a production system operating across 5,000+ engineers, 10,000+ services, and 1,500+ monthly active agents. This keynote covers the real challenges of running MCP at enterprise scale, including governance, security, tool discovery, and what it took to build the MCP Gateway and Registry that now powers 60,000+ agent executions per week. Topics covered in this talk: Uber's AI Scale - 5,000+ engineers with 90% using AI monthly, 1,500+ active agents, and 60,000+ weekly executions Three Classes of MCP Problems - Development lifecycle fragmentation, security and governance gaps, and discovery and quality challenges MCP Gateway and Registry - The control plane for all MCP interactions at Uber, with config-driven auto-generation of tool definitions from 10,000+ service IDLs Gateway Architecture Deep Dive - How the orchestrator crawls proto and thrift files, uses LLMs to generate MCP descriptions, and serves tools through a unified gateway service Security at Every Layer - Central authorization, PII redaction, periodic code scanning, mutable endpoint blocking, and full observability with metrics and tracing Three Agent Surfaces - Uber Agent Builder (no-code), Uber Agent SDK (code-first for grocery, care, and customer support agents), and coding agents (Claude Code, Cursor, Minions) Minions Background Agent - Uber's internal agent producing 1,800 code changes per week, built on the Claude harness Improving Agent Reliability - Tool selection scoping and parameter overrides to reduce LLM hallucination in tool calls Roadmap: Quality and Discovery - MCP evaluation metrics, SLA tiers, an "omni MCP" tool search capability, and shareable skills with A/B testing This talk is essential for platform engineers, engineering leaders, and anyone building MCP infrastructure at enterprise scale who needs a battle-tested blueprint for governance, security, and tool management. Links & Resources: Uber AI Solutions / Agentic AI Tech Stack: https://www.uber.com/us/en/ai-solutions/the-agentic-ai-tech-stack/ How Uber Uses AI for Development (Pragmatic Engineer): https://newsletter.pragmaticengineer.com/p/how-uber-uses-ai-for-development MCP Dev Summit: https://events.linuxfoundation.org/mcp-dev-summit-north-america/ Agentic AI Foundation (AAIF): https://aaif.io/ Timestamps (approximate, verify before publishing): 00:00 Intro and talk overview 00:34 Uber's AI scale: 5,000 engineers, 90% AI adoption 01:00 The problem: 10,000 services without standardization 01:45 Challenge 1: Development lifecycle fragmentation 02:24 Challenge 2: Security and governance at agent speed 03:09 Challenge 3: Discovery and tool quality 03:29 Solution: MCP Gateway and Registry as control plane 04:05 Third-party vs internal MCP strategy 04:35 Central registry as single source of truth 04:45 Security: authorization, PII redaction, code scanning 05:24 Observability and guardrails 05:40 Gateway architecture deep dive 07:14 Handoff to Rush: MCP consumption at Uber 07:24 Three agent surfaces: Builder, SDK, and coding agents 08:50 Minions: 1,800 code changes per week 09:10 Agent Builder: scoping tools and parameter overrides 10:38 Uber Agent SDK: YAML config and tool selection 11:16 Coding agents: AIFX CLI for Claude Code and Cursor 11:42 Roadmap: eval metrics, SLA tiers, omni MCP tool search 13:15 Skills: shareable recipes with A/B testing 14:06 Closing #MCPGateway #EnterpriseAI #UberEngineering AI Agents at Uber may need to navigate a massive ecosystem of 1000s of services, handle sensitive data, and execute critical business logic. To enable this, we are moving towards an agentic future which leverages a unified Model Context Protocol (MCP) infrastructure to access real-time services. We will share the architectural lessons learned from deploying MCP at an enterprise scale. We will dive into three key technical pillars of our strategy: 1. Protobuf-Driven MCP Servers: How we leverage existing services and protocol buffers to automatically generate MCP servers, providing safe and instant access to 1000s of microservices. 2. Derived Tools and Description Overrides: Why static tool definitions aren't enough for complex workflows. We’ll demonstrate how we allow developers to override and refine MCP tool descriptions via "derived tools," ensuring agents have the specific context needed for particular workflows. 3. Evaluate quality: How we evaluate quality of MCP tools, leveraged in our no-code Agent Builder, which is a tool that democratizes agent building at Uber.

Keynote: Operating MCPs at Enterprise Scale: Uber’s Journey - Meghana Somasundara, Agentic AI Lead & Rush Tehrani, Head of Engineering, Agentic AI Platform, Uber Technologies, Inc.

Meghana Somasundara and Rush Tehrani, who lead Uber's agentic AI platform, reveal how they took MCP from a promising protocol to a production system operating across 5,000+ engineers, 10,000+ services, and 1,500+ monthly active agents. This keynote covers the real challenges of running MCP at enterprise scale, including governance, security, tool discovery, and what it took to build the MCP Gateway and Registry that now powers 60,000+ agent executions per week.

Topics covered in this talk:

Uber's AI Scale - 5,000+ engineers with 90% using AI monthly, 1,500+ active agents, and 60,000+ weekly executions
Three Classes of MCP Problems - Development lifecycle fragmentation, security and governance gaps, and discovery and quality challenges
MCP Gateway and Registry - The control plane for all MCP interactions at Uber, with config-driven auto-generation of tool definitions from 10,000+ service IDLs
Gateway Architecture Deep Dive - How the orchestrator crawls proto and thrift files, uses LLMs to generate MCP descriptions, and serves tools through a unified gateway service
Security at Every Layer - Central authorization, PII redaction, periodic code scanning, mutable endpoint blocking, and full observability with metrics and tracing
Three Agent Surfaces - Uber Agent Builder (no-code), Uber Agent SDK (code-first for grocery, care, and customer support agents), and coding agents (Claude Code, Cursor, Minions)
Minions Background Agent - Uber's internal agent producing 1,800 code changes per week, built on the Claude harness
Improving Agent Reliability - Tool selection scoping and parameter overrides to reduce LLM hallucination in tool calls
Roadmap: Quality and Discovery - MCP evaluation metrics, SLA tiers, an "omni MCP" tool search capability, and shareable skills with A/B testing

This talk is essential for platform engineers, engineering leaders, and anyone building MCP infrastructure at enterprise scale who needs a battle-tested blueprint for governance, security, and tool management.

Links & Resources:

Uber AI Solutions / Agentic AI Tech Stack: https://www.uber.com/us/en/ai-solutions/the-agentic-ai-tech-stack/
How Uber Uses AI for Development (Pragmatic Engineer): https://newsletter.pragmaticengineer.com/p/how-uber-uses-ai-for-development
MCP Dev Summit: https://events.linuxfoundation.org/mcp-dev-summit-north-america/
Agentic AI Foundation (AAIF): https://aaif.io/
Timestamps (approximate, verify before publishing):

00:00 Intro and talk overview
00:34 Uber's AI scale: 5,000 engineers, 90% AI adoption
01:00 The problem: 10,000 services without standardization
01:45 Challenge 1: Development lifecycle fragmentation
02:24 Challenge 2: Security and governance at agent speed
03:09 Challenge 3: Discovery and tool quality
03:29 Solution: MCP Gateway and Registry as control plane
04:05 Third-party vs internal MCP strategy
04:35 Central registry as single source of truth
04:45 Security: authorization, PII redaction, code scanning
05:24 Observability and guardrails
05:40 Gateway architecture deep dive
07:14 Handoff to Rush: MCP consumption at Uber
07:24 Three agent surfaces: Builder, SDK, and coding agents
08:50 Minions: 1,800 code changes per week
09:10 Agent Builder: scoping tools and parameter overrides
10:38 Uber Agent SDK: YAML config and tool selection
11:16 Coding agents: AIFX CLI for Claude Code and Cursor
11:42 Roadmap: eval metrics, SLA tiers, omni MCP tool search
13:15 Skills: shareable recipes with A/B testing
14:06 Closing
#MCPGateway #EnterpriseAI #UberEngineering


AI Agents at Uber may need to navigate a massive ecosystem of 1000s of services, handle sensitive data, and execute critical business logic. To enable this, we are moving towards an agentic future which leverages a unified Model Context Protocol (MCP) infrastructure to access real-time services.

We will share the architectural lessons learned from deploying MCP at an enterprise scale. We will dive into three key technical pillars of our strategy:

1. Protobuf-Driven MCP Servers: How we leverage existing services and protocol buffers to automatically generate MCP servers, providing safe and instant access to 1000s of microservices.
2. Derived Tools and Description Overrides: Why static tool definitions aren't enough for complex workflows. We’ll demonstrate how we allow developers to override and refine MCP tool descriptions via "derived tools," ensuring agents have the specific context needed for particular workflows.
3. Evaluate quality: How we evaluate quality of MCP tools, leveraged in our no-code Agent Builder, which is a tool that democratizes agent building at Uber.

546 12

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC4wMDkwRkI3NzExODA2MTFG

How Uber Runs 60,000 AI Agent Tasks Per Week With MCP

Agentic AI Foundation May 7, 2026 7:00 am

David Soria Parra, co-creator of the Model Context Protocol (MCP) and Member of Technical Staff at Anthropic, delivers the keynote on where MCP has been and where it's headed. With 110M+ SDK downloads per month — outpacing React's first 3 years in just 16 months — MCP has become the de facto integration standard for agentic AI systems. In this talk, David shares the 2026 roadmap, addresses the context bloat criticism head-on, and reveals upcoming features like triggers, streaming, and skills that will reshape how AI agents connect to enterprise systems. What you'll learn: 110M+ Monthly Downloads — MCP's explosive growth and why it outpaced React's adoption curve Enterprise Behind the Firewall — The biggest MCP deployments you never hear about: CRMs, Jira, Snowflake, internal wikis Transport Evolution — Why the current streamable HTTP protocol needs a stateless redesign for hyperscale deployments Long-Running Tasks — The new "Tasks" primitive enabling agentic communication for autonomous work Cross-App Access — Seamless enterprise auth that eliminates OAuth flows by talking directly to identity providers MCP Triggers — Webhooks for MCP, enabling servers to proactively notify clients of new data Native Streaming — Incremental tool results are finally coming to the protocol Skills Over MCP — Bundling domain-specific knowledge with MCP servers so agents know how to use them Context Bloat Fix — Progressive discovery and tool search as the answer to the #1 MCP criticism SDK v2 — Python and TypeScript SDK rewrites for better ergonomics, shipping in the coming months This talk is essential for AI engineers, platform builders, and enterprise teams deploying agentic AI systems in production. Links & Resources: MCP Specification: https://modelcontextprotocol.io MCP GitHub: https://github.com/modelcontextprotocol/modelcontextprotocol Agentic AI Foundation (Linux Foundation): https://agenticai.org MCP 2026 Roadmap (WorkOS writeup): https://workos.com/blog/2026-mcp-roadmap-enterprise-readiness David Soria Parra on Software Engineering Daily: https://softwareengineeringdaily.com/2025/05/13/anthropic-and-the-model-context-protocol-with-david-soria-parra/ Timestamps (approximate — adjust after review): 00:00 — Introduction & MCP by the numbers 02:11 — What people built: from reference servers to SaaS integrations 03:36 — The weird and creative: Blender, Ableton, 3D printers 04:21 — The hidden story: MCP behind corporate firewalls 05:45 — Protocol evolution: remote servers, auth, elicitations, structured output 07:28 — MCP Extensions & MCP Apps 08:14 — Donating MCP to the Agentic AI Foundation 08:54 — MCP is the integration protocol: the 2026 mission 10:38 — Transport evolution: stateless HTTP for hyperscale 12:18 — Long-running tasks & agentic communication 13:44 — Enterprise readiness & cross-app access 14:56 — On the horizon: triggers, streaming, and skills 16:35 — Ecosystem work: SDK v2 for Python & TypeScript 17:44 — Building better clients & solving context bloat 19:46 — Composability through code & structured outputs 21:07 — Community call to action 22:14 — Closing #MCP #AgenticAI #EnterpriseAI

David Soria Parra, co-creator of the Model Context Protocol (MCP) and Member of Technical Staff at Anthropic, delivers the keynote on where MCP has been and where it's headed. With 110M+ SDK downloads per month — outpacing React's first 3 years in just 16 months — MCP has become the de facto integration standard for agentic AI systems.

In this talk, David shares the 2026 roadmap, addresses the context bloat criticism head-on, and reveals upcoming features like triggers, streaming, and skills that will reshape how AI agents connect to enterprise systems.

What you'll learn:

110M+ Monthly Downloads — MCP's explosive growth and why it outpaced React's adoption curve
Enterprise Behind the Firewall — The biggest MCP deployments you never hear about: CRMs, Jira, Snowflake, internal wikis
Transport Evolution — Why the current streamable HTTP protocol needs a stateless redesign for hyperscale deployments
Long-Running Tasks — The new "Tasks" primitive enabling agentic communication for autonomous work
Cross-App Access — Seamless enterprise auth that eliminates OAuth flows by talking directly to identity providers
MCP Triggers — Webhooks for MCP, enabling servers to proactively notify clients of new data
Native Streaming — Incremental tool results are finally coming to the protocol
Skills Over MCP — Bundling domain-specific knowledge with MCP servers so agents know how to use them
Context Bloat Fix — Progressive discovery and tool search as the answer to the #1 MCP criticism
SDK v2 — Python and TypeScript SDK rewrites for better ergonomics, shipping in the coming months
This talk is essential for AI engineers, platform builders, and enterprise teams deploying agentic AI systems in production.

Links & Resources:

MCP Specification: https://modelcontextprotocol.io
MCP GitHub: https://github.com/modelcontextprotocol/modelcontextprotocol
Agentic AI Foundation (Linux Foundation): https://agenticai.org
MCP 2026 Roadmap (WorkOS writeup): https://workos.com/blog/2026-mcp-roadmap-enterprise-readiness
David Soria Parra on Software Engineering Daily: https://softwareengineeringdaily.com/2025/05/13/anthropic-and-the-model-context-protocol-with-david-soria-parra/
Timestamps (approximate — adjust after review):

00:00 — Introduction & MCP by the numbers
02:11 — What people built: from reference servers to SaaS integrations
03:36 — The weird and creative: Blender, Ableton, 3D printers
04:21 — The hidden story: MCP behind corporate firewalls
05:45 — Protocol evolution: remote servers, auth, elicitations, structured output
07:28 — MCP Extensions & MCP Apps
08:14 — Donating MCP to the Agentic AI Foundation
08:54 — MCP is the integration protocol: the 2026 mission
10:38 — Transport evolution: stateless HTTP for hyperscale
12:18 — Long-running tasks & agentic communication
13:44 — Enterprise readiness & cross-app access
14:56 — On the horizon: triggers, streaming, and skills
16:35 — Ecosystem work: SDK v2 for Python & TypeScript
17:44 — Building better clients & solving context bloat
19:46 — Composability through code & structured outputs
21:07 — Community call to action
22:14 — Closing
#MCP #AgenticAI #EnterpriseAI

296 11

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC5ENDU4Q0M4RDExNzM1Mjcy

MCP Creator Reveals the 2026 Roadmap for AI Agents

Agentic AI Foundation April 13, 2026 7:00 am

Keynote: Interoperability Isn’t Enough: Building Trustworthy AI Infrastructure with MCP - Ania Musial, Head of AI Platforms Product, Office of the CTO, Bloomberg Ania Musial leads AI Platforms at Bloomberg and serves on the board of the Agentic AI Foundation. In this keynote, she breaks down why interoperability alone isn't enough for production AI in financial services, and what Bloomberg is building on top of MCP to make agentic systems truly trustworthy. - Bloomberg's Trustworthy AI Principles: The three pillars guiding how Bloomberg builds AI for high-stakes financial decisions: trusted data sources, transparent attributions, and real user problems - Why MCP Alone Falls Short: MCP connects systems, but out of the box it doesn't provide the guardrails, governance, or production reliability that regulated industries demand - Financial AI Risk Taxonomy: How mistakes in financial AI can generate reputational, legal, and market risk, from hallucinated narratives to unauthorized transactions - MCP Interceptors Explained: The proposed interceptor framework that enables validators (inspect and block unsafe payloads) and mutators (transform, redact, and enrich data) at the protocol layer - Interceptors for Guardrails: How Bloomberg uses interceptors to enforce citation requirements, detect unsafe actions, and block execution when policies are violated - MCP Variants for Multi-Model Environments: How variants let a single MCP server expose optimized tool interfaces for different models, agents, and contexts without duplicating servers - Variants and Predictability: Why tailoring interfaces per model reduces noisy evaluations and inconsistent behavior, making agentic systems more controllable - Bloomberg Terminal's Agentic Transformation: How their flagship agentic AI application replaced hundreds of separate apps with a conversational interface for financial professionals - Contributing Back to MCP: Bloomberg's work through the Financial Services Interest Group, including SEP 1763 (interceptors) and SEP 2053 (variants) Whether you're building AI infrastructure for regulated industries or trying to make MCP production-ready, this talk lays out why trust has to be engineered from the ground up. Links & Resources - Bloomberg AI: https://www.bloomberg.com/ai - Bloomberg embraces MCP: https://www.bloomberg.com/company/stories/closing-the-agentic-ai-productionization-gap-bloomberg-embraces-mcp/ - MCP joins the Agentic AI Foundation: https://blog.modelcontextprotocol.io/posts/2025-12-09-mcp-joins-agentic-ai-foundation/ - Agentic AI Foundation (Linux Foundation): https://www.linuxfoundation.org/press/linux-foundation-announces-the-formation-of-the-agentic-ai-foundation - Ania Musial on LinkedIn: https://www.linkedin.com/in/aniamusial/ Timestamps (approximate, adjust as needed) 00:00 - Introduction and Bloomberg Terminal overview 01:05 - 40 years of Bloomberg in financial services 02:02 - AI at Bloomberg and the shift to agentic AI 02:24 - Defining trustworthy AI: three guiding principles 03:22 - The infrastructure underneath: gateways, models, tools, MCP 04:03 - Why MCP alone isn't enough for production 04:30 - Contributing to MCP through the Financial Services Interest Group 04:47 - Financial AI risk: what "harmful" looks like in finance 05:53 - MCP Interceptors: validators and mutators explained 07:08 - Context governance and managing model variability 07:36 - MCP Variants: one server, multiple optimized interfaces 09:02 - How variants improve predictability and trustworthiness 10:04 - Closing: trustworthiness emerges from system design #MCPProtocol #AgenticAI #FinancialAI

Keynote: Interoperability Isn’t Enough: Building Trustworthy AI Infrastructure with MCP - Ania Musial, Head of AI Platforms Product, Office of the CTO, Bloomberg

Ania Musial leads AI Platforms at Bloomberg and serves on the board of the Agentic AI Foundation. In this keynote, she breaks down why interoperability alone isn't enough for production AI in financial services, and what Bloomberg is building on top of MCP to make agentic systems truly trustworthy.

- Bloomberg's Trustworthy AI Principles: The three pillars guiding how Bloomberg builds AI for high-stakes financial decisions: trusted data sources, transparent attributions, and real user problems
- Why MCP Alone Falls Short: MCP connects systems, but out of the box it doesn't provide the guardrails, governance, or production reliability that regulated industries demand
- Financial AI Risk Taxonomy: How mistakes in financial AI can generate reputational, legal, and market risk, from hallucinated narratives to unauthorized transactions
- MCP Interceptors Explained: The proposed interceptor framework that enables validators (inspect and block unsafe payloads) and mutators (transform, redact, and enrich data) at the protocol layer
- Interceptors for Guardrails: How Bloomberg uses interceptors to enforce citation requirements, detect unsafe actions, and block execution when policies are violated
- MCP Variants for Multi-Model Environments: How variants let a single MCP server expose optimized tool interfaces for different models, agents, and contexts without duplicating servers
- Variants and Predictability: Why tailoring interfaces per model reduces noisy evaluations and inconsistent behavior, making agentic systems more controllable
- Bloomberg Terminal's Agentic Transformation: How their flagship agentic AI application replaced hundreds of separate apps with a conversational interface for financial professionals
- Contributing Back to MCP: Bloomberg's work through the Financial Services Interest Group, including SEP 1763 (interceptors) and SEP 2053 (variants)

Whether you're building AI infrastructure for regulated industries or trying to make MCP production-ready, this talk lays out why trust has to be engineered from the ground up.

Links & Resources
- Bloomberg AI: https://www.bloomberg.com/ai
- Bloomberg embraces MCP: https://www.bloomberg.com/company/stories/closing-the-agentic-ai-productionization-gap-bloomberg-embraces-mcp/
- MCP joins the Agentic AI Foundation: https://blog.modelcontextprotocol.io/posts/2025-12-09-mcp-joins-agentic-ai-foundation/
- Agentic AI Foundation (Linux Foundation): https://www.linuxfoundation.org/press/linux-foundation-announces-the-formation-of-the-agentic-ai-foundation
- Ania Musial on LinkedIn: https://www.linkedin.com/in/aniamusial/

Timestamps (approximate, adjust as needed)
00:00 - Introduction and Bloomberg Terminal overview
01:05 - 40 years of Bloomberg in financial services
02:02 - AI at Bloomberg and the shift to agentic AI
02:24 - Defining trustworthy AI: three guiding principles
03:22 - The infrastructure underneath: gateways, models, tools, MCP
04:03 - Why MCP alone isn't enough for production
04:30 - Contributing to MCP through the Financial Services Interest Group
04:47 - Financial AI risk: what "harmful" looks like in finance
05:53 - MCP Interceptors: validators and mutators explained
07:08 - Context governance and managing model variability
07:36 - MCP Variants: one server, multiple optimized interfaces
09:02 - How variants improve predictability and trustworthiness
10:04 - Closing: trustworthiness emerges from system design

#MCPProtocol #AgenticAI #FinancialAI

20 0

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC5ERkRDQjY0N0Y0Q0VFOTdC

The MCP Features Bloomberg Built for High Stakes Financial AI

Agentic AI Foundation May 2, 2026 3:00 pm

Progressive Tool Discovery: Using MCP Notifications To Manage Context at Scale - Billy Hickman & Lilia Abaibourova, Amazon As MCP adoption grows, a challenge emerges: how do you expose 100’s of tools from a single server without overwhelming agent context windows? This talk introduces an MCP tool discovery mechanism we’ve built that dynamically loads tools. The platform works with a single discovery meta-tool on initialization, server-side state management to track agent context, and leveraging streamed MCP’s notifications/tools/list_changed to push relevant tool sets mid-session. Agents declare their problem context (incident response, monitoring etc) and receive only the tools they need, when they need them. Attendees will learn how this pattern keeps context windows lean while maintaining access to a broad tool ecosystem, with real examples showing how a single MCP server can serve diverse agent use cases without tool overload.

Progressive Tool Discovery: Using MCP Notifications To Manage Context at Scale - Billy Hickman & Lilia Abaibourova, Amazon

As MCP adoption grows, a challenge emerges: how do you expose 100’s of tools from a single server without overwhelming agent context windows? This talk introduces an MCP tool discovery mechanism we’ve built that dynamically loads tools. The platform works with a single discovery meta-tool on initialization, server-side state management to track agent context, and leveraging streamed MCP’s notifications/tools/list_changed to push relevant tool sets mid-session. Agents declare their problem context (incident response, monitoring etc) and receive only the tools they need, when they need them. Attendees will learn how this pattern keeps context windows lean while maintaining access to a broad tool ecosystem, with real examples showing how a single MCP server can serve diverse agent use cases without tool overload.

28 2

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC42NEZDNTU0RTRENDUzRjMz

Progressive Tool Discovery Using MCP

Agentic AI Foundation April 15, 2026 4:32 pm

Matt White (Global CTO of AI at the Linux Foundation, CTO of the Agentic AI Foundation and PyTorch Foundation) delivers Professor Dawn Song's (UC Berkeley) blueprint for building safe and secure agentic AI. This talk walks through the OpenClaw inbox-deletion incident, the 12 agentic attack vectors mapped to the OWASP Agentic Top 10 for 2026, the 8-layer agent attack surface, and 10 concrete recommendations you can hand your security team on Monday. If you are building, deploying, or governing AI agents that hold credentials, call tools, or touch production systems, this is the most concise threat model available right now. What is covered: - The OpenClaw Incident: How a context-window compaction silently dropped a safety instruction and the agent bulk-deleted a Meta AI safety director's inbox while she watched helplessly over WhatsApp. - Why Agentic Is Not Incremental: The shift from text-to-action, session-to-state, and single-to-multi-agent that makes agent security an order of magnitude harder than LLM safety. - The 7 Spectrums of Agent Design: How data access, action scope, memory, MCP tool discovery, and rich UIs compound risk rather than just adding to it. - The 12 Attack Vectors in 4 Tiers: Goal hijacking (OWASP ASI01), indirect prompt injection, tool misuse, identity abuse, MCP supply chain compromise, memory poisoning, inter-agent attacks, and rogue agents. - The 8-Layer Agent Attack Surface: From the reasoning core down to the external environment, with concrete defenses for each layer. - Threat Actors in the Wild: Environment poisoners, black-box manipulators, insiders, autonomous AI attackers, configuration abusers, and credential harvesters (3.3 billion credentials compromised in 2025). - Agent Vigil and Agent Exploit: Dawn Song's red-teaming projects that achieved 100 percent prompt extraction against defended models and fully automated exploitation from a single poisoned GitHub issue. - Cyber Gym and Bounty Bench: Frontier model exploit capability is doubling every 6 months (Claude Opus 4.6 at 65 percent), while autonomous vulnerability discovery is still only 5 percent. The defender window is closing. - The Autonomous AI Trifecta: Why autonomy times power must always be matched by proportional assurance, and why most organizations have an exploitable gap today. - Defense in Depth: Four layers from sanitization and model defense to Dawn Song's ProG framework for programmable privilege, plus monitoring, kill switches, and behavioral baselines. This is essential watching for AI platform teams, security leads, CISOs, AI governance owners, and anyone deploying agents with tool access inside an enterprise. Links and Resources: - Agentic AI Foundation: https://agenticaifoundation.org - Linux Foundation AI: https://lfaidata.foundation - Dawn Song's research group (UC Berkeley): https://dawnsong.io - Berkeley Center for Responsible Decentralized Intelligence (RDI): https://rdi.berkeley.edu - OWASP Top 10 for Agentic Applications 2026: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/ - Agent X competition at UC Berkeley RDI Timestamps (approximate, adjust as needed): 00:00 Intro: Matt White presenting Dawn Song's research 00:50 What this talk covers 01:12 The OpenClaw incident: a safety director's inbox gets deleted 02:39 Four lessons: confused deputy, override failure, trifecta, not isolated 03:42 LLM era vs Agentic era: the risk model shift 04:40 Three shifts: text to action, session to state, single to multi-agent 05:38 Architecture of an agentic AI system 07:58 The 7 spectrums of agent design risk 09:19 The 12 attack vectors across 4 tiers 09:33 Tier 1: Goal hijacking and indirect prompt injection 10:10 Tier 2: Tool misuse, identity abuse, MCP supply chain 10:55 Tier 3: Code execution and memory poisoning 11:25 Tier 4: Inter-agent attacks, cascading failures, rogue agents 11:25 The 8-layer agent attack surface 14:06 Threat actors: poisoners, insiders, autonomous AI attackers 16:08 Anatomy of an indirect prompt injection (Agent Vigil) 18:04 The Agent Exploit case study 18:31 Cyber Gym and Bounty Bench: the exploit capability curve 20:15 The Autonomous AI Trifecta framework 21:43 Defense in depth: the 4 required layers 23:55 Closing: secure by design #AgenticAI #AISecurity #OWASP

Matt White (Global CTO of AI at the Linux Foundation, CTO of the Agentic AI Foundation and PyTorch Foundation) delivers Professor Dawn Song's (UC Berkeley) blueprint for building safe and secure agentic AI. This talk walks through the OpenClaw inbox-deletion incident, the 12 agentic attack vectors mapped to the OWASP Agentic Top 10 for 2026, the 8-layer agent attack surface, and 10 concrete recommendations you can hand your security team on Monday.
If you are building, deploying, or governing AI agents that hold credentials, call tools, or touch production systems, this is the most concise threat model available right now.
What is covered:
- The OpenClaw Incident: How a context-window compaction silently dropped a safety instruction and the agent bulk-deleted a Meta AI safety director's inbox while she watched helplessly over WhatsApp.
- Why Agentic Is Not Incremental: The shift from text-to-action, session-to-state, and single-to-multi-agent that makes agent security an order of magnitude harder than LLM safety.
- The 7 Spectrums of Agent Design: How data access, action scope, memory, MCP tool discovery, and rich UIs compound risk rather than just adding to it.
- The 12 Attack Vectors in 4 Tiers: Goal hijacking (OWASP ASI01), indirect prompt injection, tool misuse, identity abuse, MCP supply chain compromise, memory poisoning, inter-agent attacks, and rogue agents.
- The 8-Layer Agent Attack Surface: From the reasoning core down to the external environment, with concrete defenses for each layer.
- Threat Actors in the Wild: Environment poisoners, black-box manipulators, insiders, autonomous AI attackers, configuration abusers, and credential harvesters (3.3 billion credentials compromised in 2025).
- Agent Vigil and Agent Exploit: Dawn Song's red-teaming projects that achieved 100 percent prompt extraction against defended models and fully automated exploitation from a single poisoned GitHub issue.
- Cyber Gym and Bounty Bench: Frontier model exploit capability is doubling every 6 months (Claude Opus 4.6 at 65 percent), while autonomous vulnerability discovery is still only 5 percent. The defender window is closing.
- The Autonomous AI Trifecta: Why autonomy times power must always be matched by proportional assurance, and why most organizations have an exploitable gap today.
- Defense in Depth: Four layers from sanitization and model defense to Dawn Song's ProG framework for programmable privilege, plus monitoring, kill switches, and behavioral baselines.
This is essential watching for AI platform teams, security leads, CISOs, AI governance owners, and anyone deploying agents with tool access inside an enterprise.
Links and Resources:
- Agentic AI Foundation: https://agenticaifoundation.org
- Linux Foundation AI: https://lfaidata.foundation
- Dawn Song's research group (UC Berkeley): https://dawnsong.io
- Berkeley Center for Responsible Decentralized Intelligence (RDI): https://rdi.berkeley.edu
- OWASP Top 10 for Agentic Applications 2026: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
- Agent X competition at UC Berkeley RDI

Timestamps (approximate, adjust as needed):
00:00 Intro: Matt White presenting Dawn Song's research
00:50 What this talk covers
01:12 The OpenClaw incident: a safety director's inbox gets deleted
02:39 Four lessons: confused deputy, override failure, trifecta, not isolated
03:42 LLM era vs Agentic era: the risk model shift
04:40 Three shifts: text to action, session to state, single to multi-agent
05:38 Architecture of an agentic AI system
07:58 The 7 spectrums of agent design risk
09:19 The 12 attack vectors across 4 tiers
09:33 Tier 1: Goal hijacking and indirect prompt injection
10:10 Tier 2: Tool misuse, identity abuse, MCP supply chain
10:55 Tier 3: Code execution and memory poisoning
11:25 Tier 4: Inter-agent attacks, cascading failures, rogue agents
11:25 The 8-layer agent attack surface
14:06 Threat actors: poisoners, insiders, autonomous AI attackers
16:08 Anatomy of an indirect prompt injection (Agent Vigil)
18:04 The Agent Exploit case study
18:31 Cyber Gym and Bounty Bench: the exploit capability curve
20:15 The Autonomous AI Trifecta framework
21:43 Defense in depth: the 4 required layers
23:55 Closing: secure by design
#AgenticAI #AISecurity #OWASP

24 2

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC5BRDg1NUY1OTY2QzgzOEM0

Agentic AI Security Is 10x Harder Than LLM Safety

Agentic AI Foundation April 22, 2026 3:00 pm

Putting the Single Back in Single Sign-On: Cross-App Access for MCP - Paul Carleton, Anthropic & Max Gerber, Twilio Paul Carleton (Anthropic) and Max Gerber (Stitch, now part of Twilio) demo the new IETF draft that kills OAuth consent screen fatigue for MCP. Identity Assertion JWT Authorization Grant (ID-JAG), also known as Cross-App Access (XAA), is the official MCP authorization extension that puts the enterprise workforce IDP back at the center of agent-to-tool access. This is a working live demo with a real client (Claude Code and Cursor), a real IDP (Okta), and a real authorization server (Stitch) hitting real MCP servers including Figma, with zero user consent screens. If you are deploying MCP inside an enterprise, building an MCP client, or running an identity platform, this is the spec you need to understand. What is covered: - The Consent Screen Nightmare: What happens on day one at Acme Corp when you spin up Claude Code and get hit with ten MCP servers all demanding individual OAuth approvals. - The IT Admin Problem: Why auditing many MCP clients talking to many MCP servers across Google, Slack, Figma, and Jira admin dashboards is impossible at scale. - Enterprise Data vs Consumer Data: Why the user is not the right decision maker for enterprise MCP authorization and why the IT admin and workforce IDP have been left out of the flow. - The Missing Piece in MCP OAuth: A full walkthrough of the standard MCP OAuth flow and exactly where the IDP is missing. - ID-JAG and Cross-App Access Explained: How the Identity Assertion JWT Authorization Grant (draft-ietf-oauth-identity-assertion-authz-grant) inserts the workforce IDP back into the flow and removes the end-user consent step entirely. - The Full XAA Flow: Trust relationships, token exchanges, and how the MCP client gets an ID-JAG from the IDP, exchanges it with the authorization server, and receives a standard bearer token. - Live Demo 1: Manual token exchange using Okta and Stitch against a demo MCP server. - Live Demo 2: Claude Code connecting to multiple MCP servers with zero consent screens after a single Okta login. - Live Demo 3: Cursor + Figma MCP using the same XAA flow, proving this is an open protocol across clients. - Beyond Friction: Per-session and per-sub-agent scoped access tokens for attribution, blast radius control, and auditing which Claude Code window deleted your database. - Q&A: Refresh tokens, OIDC client config, non-MCP use cases, and what still needs to change in clients, IDPs, and authorization servers. Links and Resources: - XAA playground and developer docs: https://xaa.dev - IETF Draft (Identity Assertion JWT Authorization Grant): https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/ - MCP Authorization spec: https://modelcontextprotocol.io - Enterprise-Managed Authorization Profile for MCP (SEP-646 / SEP-990): https://modelcontextprotocol.io/extensions/auth/enterprise-managed-authorization - Stitch (Twilio): https://stytch.com - Okta Developer blog on XAA: https://developer.okta.com/blog/2026/01/20/xaa-dev-playground Timestamps (approximate, adjust as needed): 00:00 Intro: Paul Carleton (Anthropic) and Max Gerber (Twilio) 01:12 Day one at Acme: the consent screen nightmare 02:21 The IT admin problem: auditing MCP across many servers 03:51 Enterprise data vs consumer data 04:17 Why workforce IDP and SSO matter 05:13 Standard MCP OAuth flow review and what is missing 06:32 Introducing Cross-App Access (XAA) and ID-JAG 07:18 XAA as an official MCP authorization extension 07:58 The full ID-JAG flow end to end 09:08 Live demo: manual token exchange with Okta and Stitch 11:28 Live demo: Claude Code with zero consent screens 12:53 Live demo: Cursor plus Figma MCP via XAA 15:08 Takeaways: attribution and scoped per-session tokens 16:58 Scoped tokens for sub-agents and orchestrators 17:33 Summary: one login, central control, future identity wins 18:06 Q&A: refresh tokens, IDP config, non-MCP use cases #MCP #OAuth #EnterpriseAI

Putting the Single Back in Single Sign-On: Cross-App Access for MCP - Paul Carleton, Anthropic & Max Gerber, Twilio

MCP makes it easy for AI agents to connect to tools, but authorization hasn't kept up. Users connecting an MCP client to a dozen MCP servers face a dozen separate OAuth flows, one for each server, each with its own login and token lifecycle. If we have Single Sign-On, why are users signing in so many times? It's not just a UX problem. Enterprise environments can quickly run into governance issues with unmanaged or scattered permissions. Security teams can't answer basic questions about which agent can access which system under what policy. Every agent-to-server connection is another point-to-point relationship with no central visibility. Cross-App Access (XAA), built on the Identity Assertion JWT Authorization Grant (ID-JAG), solves both problems. By leveraging the existing trust between the MCP client, MCP server, and the organization's Identity Provider, the IdP can broker token exchanges from the user's initial login. Agents gain access to everything the admin has approved with one sign-in. No additional user interaction required. The IdP becomes the policy decision point for approving, scoping, and auditing delegated access across MCP integrations. In this session, Paul Carleton (Anthropic) and Max Gerber (Twilio) explain the technical underpinnings that enable enterprise admins to enforce policies about which users, clients, and servers can interact. They'll also demo an MCP client completing an XAA flow from beginning to end to obtain access tokens securely and silently. Attendees will leave understanding how Cross-App Access works and how to integrate with it.

14 0

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC5EMzJDRTUwQjBEOUVFQzAw

Putting the Single Back in Single Sign-On: Cross-App Access for MCP - Paul Carleton & Max Gerber

Agentic AI Foundation April 13, 2026 4:16 pm

Combine Skills and MCP To Close the Context Gap - Pedro Rodrigues, Supabase Pedro Rodrigues, AI Tooling Engineer at Supabase and co-founder of Lisbon AI Week, argues the Skills vs MCP debate is the wrong frame.** In this MCP Dev Summit talk, Pedro breaks down why Skills and MCP solve different problems, walks through a real Supabase benchmark where MCP + Skills outperforms MCP alone, and shows a Row Level Security bypass that happens when agents rely on training data instead of product docs. - **Skills vs MCP, explained**: Why one solves integration and the other solves context saturation, not the same problem - **The three MCP primitives**: Tools, resources, and prompts, and how each maps to a Skills equivalent - **Tools vs scripts**: Typed JSON schemas and isolation versus instant iteration and self-authored workflows - **Resources vs references**: Why MCP resources are an underused feature and how Skills reference files fill the gap - **Prompts vs skill.md**: Agent-pulled workflows with conditional logic versus user-invoked static prompts - **The Supabase RLS demo**: A team task summary view that leaks data when built by MCP alone, but ships securely when a Skill pushes the agent to search the docs - **Benchmark results**: MCP + Skills outperformed MCP-only and Skill-only baselines across three Supabase and three Postgres tasks - **The context bottleneck**: Why capability is no longer the limit for 2026 agents, context delivery is - **Progressive disclosure in practice**: How Skills load on demand to avoid bloating the window **Built for engineers building on Supabase, Postgres, or any product that needs AI agents to write secure production code, and for MCP server authors deciding what to keep in tools versus what to push into Skills.** **Links and Resources:** - Supabase MCP server - https://github.com/supabase-community/supabase-mcp - Supabase Agent Skills (open source) - https://github.com/supabase/agent-skills - Postgres Best Practices for AI Agents (Supabase blog) - https://supabase.com/blog/postgres-best-practices-for-ai-agents - AI Agents Know About Supabase. They Don't Always Use It Right - https://supabase.com/blog/supabase-agent-skills - Supabase MCP docs - https://supabase.com/docs/guides/getting-started/mcp - Lisbon AI Week - https://lisbonaiweek.com/ - Pedro Rodrigues on LinkedIn - https://pt.linkedin.com/in/pedro-neves-rodrigues - Claude Agent Skills overview - https://platform.claude.com/docs/en/agents-and-tools/agent-skills/overview **Timestamps (approximate, adjust before publishing):** 00:00 - Intro and Supabase audience survey 01:00 - The Skills vs MCP debate setup 01:30 - Meet Pedro Rodrigues, AI Tooling Engineer at Supabase 02:30 - Quick MCP primer: tools, resources, prompts 03:30 - What are Skills? Folders, not files 04:30 - Anatomy of a skill.md (front matter, instructions, bundled resources) 05:30 - Tools vs scripts: pros and cons of each 07:30 - Resources vs references: the underused MCP primitive 09:00 - Prompts vs skill.md: agent-pulled versus user-invoked 09:40 - The debunk: Skills and MCP solve different problems 11:00 - The pilot and co-pilot analogy 11:30 - Supabase MCP tour: 20+ tools across database, edge functions, storage 12:30 - Building a Supabase-specific Skill 13:00 - The demo: team task summary view with Claude 4.6 14:00 - The RLS bypass: why MCP alone leaked team data 15:00 - How the Skill fixed it with security_invoker 15:30 - Benchmark: MCP + Skill vs MCP-only vs Skill-only vs baseline 16:30 - Trade-offs: more turns, more tokens, more complete output 17:00 - Lessons: MCP alone is not enough, agents default to training data 18:00 - The real bottleneck is context, not capability 19:00 - Wrap-up and Supabase Mac Mini giveaway 19:30 - Q&A: execute_sql and arbitrary SQL 20:30 - Q&A: why Skills over MCP resources for agent-pulled context 21:30 - Q&A: search_docs tool vs web search, keeping workflow out of tool descriptions 22:40 - Close #MCP #AgentSkills #Supabase

Combine Skills and MCP To Close the Context Gap - Pedro Rodrigues, Supabase

As AI agents become more capable, their biggest limitation is no longer reasoning — it’s context. Without access to procedural knowledge and domain-specific understanding, agents struggle to perform real work reliably. In this talk, we’ll explore how Skills address this gap by giving agents on-demand access to company-, team-, and user-specific context.

We’ll look at how Skills can be combined with MCP servers to build safer, more reliable agents, and walk through a real-world example of managing a Postgres database. Using evals, we’ll compare agent performance with and without Postgres-specific Skills, showing how MCP enables secure database access while dramatically improving outcomes.

9 1

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC5CMEQ2Mjk5NTc3NDZFRUNB

Skills Didn't Kill MCP: Supabase Engineer Settles the Debate

Agentic AI Foundation April 13, 2026 4:18 pm

Aaron Wang, Software Engineer on Duolingo's DevXAI team, shares how they built an AI-powered Slack assistant that connects to 180+ MCP tools across 30+ servers. This keynote from MCP Dev Summit North America 2026 walks through Duolingo's full journey: from painful manual MCP setup, to a centralized app store, to standardization, and finally to bringing AI directly to employees via Slack. The MCP adoption problem - Why even a one-click setup was too much friction for most engineers MCP standardization strategy - How Duolingo categorized and hosted 30+ servers behind a unified HTTP config Building with FastMCP - The internal Python library that lets any team convert their service into an MCP server Slack app architecture - Using Claude Agent SDK and Slack Bot SDK to connect 15+ MCP servers with read-only tools Auto-responding to help desk and incidents - The bot triages PagerDuty alerts using Grafana, Honeycomb, and Sentry behind the scenes Human-in-the-loop for write operations - Approval workflows for creating PRs, Jira tickets, and staging deploys via Temporal Per-channel customization - Custom skills, sub-agents, and system prompts tailored to individual team needs Security and privacy model - Role-based access, sandboxed VMs, no cross-user data leakage, no logging of DMs Eval tests and feedback loops - 20+ eval tests, upvote/downvote tracking, and iterative improvement to reach 80% approval Adoption results - Growing from 20 to 250+ weekly active users, roughly 30% of the company Open source announcement - Duolingo is releasing the core Slack AI agent code publicly This talk is for engineering leaders, platform teams, and developers exploring how to deploy MCP-based AI agents at the enterprise level. Links & Resources Duolingo Slack AI Agent (open source): https://github.com/duolingo/slack-ai-agent Duolingo Engineering Blog: https://blog.duolingo.com Model Context Protocol: https://modelcontextprotocol.io Claude Agent SDK: https://docs.anthropic.com/en/docs/agents-and-tools/claude-agent-sdk Timestamps (approximate, may need adjusting) 0:00 - Introduction 0:17 - The early MCP adoption problem (Nov 2024) 1:04 - Centralized MCP setup page (May 2025) 1:45 - The MCP server fragmentation problem 2:27 - MCP standardization effort (Aug 2025) 4:58 - 30 servers, 300+ tools today 5:44 - If they won't configure it, bring it to them: the Slack app (Sep 2025) 5:57 - Slack app architecture: Claude Agent SDK + Slack Bot SDK 6:30 - Key features: auto-respond, human-in-the-loop, per-channel customization 7:33 - Feedback collection and eval tests 8:19 - Security and privacy principles 9:58 - Demo: help desk auto-response 10:26 - Demo: PagerDuty alert triage 11:02 - Demo: human-in-the-loop PR creation 11:51 - Adoption and approval rate results (April 2026) 12:50 - Open source announcement 13:20 - Closing #MCP

Aaron Wang, Software Engineer on Duolingo's DevXAI team, shares how they built an AI-powered Slack assistant that connects to 180+ MCP tools across 30+ servers. This keynote from MCP Dev Summit North America 2026 walks through Duolingo's full journey: from painful manual MCP setup, to a centralized app store, to standardization, and finally to bringing AI directly to employees via Slack.

The MCP adoption problem - Why even a one-click setup was too much friction for most engineers
MCP standardization strategy - How Duolingo categorized and hosted 30+ servers behind a unified HTTP config
Building with FastMCP - The internal Python library that lets any team convert their service into an MCP server
Slack app architecture - Using Claude Agent SDK and Slack Bot SDK to connect 15+ MCP servers with read-only tools
Auto-responding to help desk and incidents - The bot triages PagerDuty alerts using Grafana, Honeycomb, and Sentry behind the scenes
Human-in-the-loop for write operations - Approval workflows for creating PRs, Jira tickets, and staging deploys via Temporal
Per-channel customization - Custom skills, sub-agents, and system prompts tailored to individual team needs
Security and privacy model - Role-based access, sandboxed VMs, no cross-user data leakage, no logging of DMs
Eval tests and feedback loops - 20+ eval tests, upvote/downvote tracking, and iterative improvement to reach 80% approval
Adoption results - Growing from 20 to 250+ weekly active users, roughly 30% of the company
Open source announcement - Duolingo is releasing the core Slack AI agent code publicly
This talk is for engineering leaders, platform teams, and developers exploring how to deploy MCP-based AI agents at the enterprise level.

Links & Resources

Duolingo Slack AI Agent (open source): https://github.com/duolingo/slack-ai-agent
Duolingo Engineering Blog: https://blog.duolingo.com
Model Context Protocol: https://modelcontextprotocol.io
Claude Agent SDK: https://docs.anthropic.com/en/docs/agents-and-tools/claude-agent-sdk
Timestamps (approximate, may need adjusting)
0:00 - Introduction
0:17 - The early MCP adoption problem (Nov 2024)
1:04 - Centralized MCP setup page (May 2025)
1:45 - The MCP server fragmentation problem
2:27 - MCP standardization effort (Aug 2025)
4:58 - 30 servers, 300+ tools today
5:44 - If they won't configure it, bring it to them: the Slack app (Sep 2025)
5:57 - Slack app architecture: Claude Agent SDK + Slack Bot SDK
6:30 - Key features: auto-respond, human-in-the-loop, per-channel customization
7:33 - Feedback collection and eval tests
8:19 - Security and privacy principles
9:58 - Demo: help desk auto-response
10:26 - Demo: PagerDuty alert triage
11:02 - Demo: human-in-the-loop PR creation
11:51 - Adoption and approval rate results (April 2026)
12:50 - Open source announcement
13:20 - Closing

#MCP

11 0

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC45NzUwQkI1M0UxNThBMkU0

How Duolingo Built an AI Slackbot With 180+ MCP Tools

Agentic AI Foundation April 13, 2026 7:00 am

Alex Hancock is a software engineer at Block, a core maintainer of Goose (the open-source AI agent now governed by the Linux Foundation's Agentic AI Foundation), and a maintainer of the MCP Rust SDK. In this talk, Alex makes the case that Goose is the ideal proving ground for experimental MCP features: real users, real usage, neutral governance, and a maintainer group willing to ship unusual ideas fast. What you will learn in this talk: - What makes an agent worth keeping: Performance, interoperability, willingness to experiment, and neutral governance as the four pillars of a serious open-source agent. - Code Mode explained: How generating a TypeScript interface of all MCP tools and executing model-written code in a sandbox can cut token usage by roughly 30 percent and sidestep the LLM as a control-flow primitive. - The Port of Context collaboration: A real-world story of open-source compounding, where a two-hour NYC hacking session shrank Goose's Code Mode implementation overnight. - Agent Client Protocol (ACP): The MCP-style standard for the client side of agents, demoed across a new terminal UI, Toad, the rewritten Goose desktop app, and Zed. - Proposed HTTP support for ACP: Why this unlocks mixing local agents with remote MCP servers (and vice versa) in a fully interoperable way. - MCP Apps and MCP UI: How Goose adopted MCP UI early, plus a live Excalidraw MCP App demo where an app takes over the full Goose window and the model can edit the drawing in place. - Sampling from app front-end code: A new experimental idea Goose is incubating, letting MCP Apps themselves call the host's model to become AI-powered UIs. - An open call for contributors: What kinds of PRs Alex and the Goose maintainers actively want to merge, including long-running tasks support. Who this is for: MCP contributors, agent engineers, open-source maintainers, and anyone building on top of the MCP or ACP ecosystems who wants a place to test bold ideas with real users. Links and Resources: - Goose (Block, Linux Foundation): https://github.com/block/goose - Goose documentation: https://block.github.io/goose/ - Code Mode deep dive on the Goose blog: https://block.github.io/goose/blog/2026/02/06/8-things-you-didnt-know-about-code-mode/ - Cloudflare's original Code Mode post: https://blog.cloudflare.com/code-mode/ - Agent Client Protocol: https://agentclientprotocol.com/ - ACP on Zed: https://zed.dev/acp - MCP Apps overview: https://modelcontextprotocol.io/extensions/apps/overview - MCP Apps spec repo: https://github.com/modelcontextprotocol/ext-apps - Agentic AI Foundation (Linux Foundation): https://agenticaifoundation.org/ Timestamps (approximate, please adjust after upload): 00:00 - Opening: Closing the gap between MCP ideas and places to ship them 01:00 - What Goose is: Open-source agent from Block, now at the Linux Foundation 02:40 - Why keep an agent as a permanent project in an age of generated agents 03:00 - Four pillars: Performance, interoperability, experimentation, governance 05:00 - Goose as an open host for the MCP ecosystem 07:40 - Code Mode: The problem with traditional tool calling 09:20 - How Code Mode works: TypeScript interfaces plus a sandboxed execution context 11:00 - The Port of Context story: Open-source collaboration in practice 12:40 - Agent Client Protocol (ACP): Standardizing the client side 14:20 - ACP demos: Terminal UI, Toad, new Goose desktop, Zed 16:00 - Proposing HTTP transport for ACP 16:45 - MCP Apps and MCP UI in Goose 17:40 - Excalidraw MCP App live demo 18:45 - Experimental: Sampling from app front-end code 20:10 - Call for contributors: Ship your crazy MCP ideas 20:45 - Q and A: Sampling statefulness, long-running tasks support #MCP #Goose #AgentClientProtocol

Alex Hancock is a software engineer at Block, a core maintainer of Goose (the open-source AI agent now governed by the Linux Foundation's Agentic AI Foundation), and a maintainer of the MCP Rust SDK. In this talk, Alex makes the case that Goose is the ideal proving ground for experimental MCP features: real users, real usage, neutral governance, and a maintainer group willing to ship unusual ideas fast.
What you will learn in this talk:
- What makes an agent worth keeping: Performance, interoperability, willingness to experiment, and neutral governance as the four pillars of a serious open-source agent.
- Code Mode explained: How generating a TypeScript interface of all MCP tools and executing model-written code in a sandbox can cut token usage by roughly 30 percent and sidestep the LLM as a control-flow primitive.
- The Port of Context collaboration: A real-world story of open-source compounding, where a two-hour NYC hacking session shrank Goose's Code Mode implementation overnight.
- Agent Client Protocol (ACP): The MCP-style standard for the client side of agents, demoed across a new terminal UI, Toad, the rewritten Goose desktop app, and Zed.
- Proposed HTTP support for ACP: Why this unlocks mixing local agents with remote MCP servers (and vice versa) in a fully interoperable way.
- MCP Apps and MCP UI: How Goose adopted MCP UI early, plus a live Excalidraw MCP App demo where an app takes over the full Goose window and the model can edit the drawing in place.
- Sampling from app front-end code: A new experimental idea Goose is incubating, letting MCP Apps themselves call the host's model to become AI-powered UIs.
- An open call for contributors: What kinds of PRs Alex and the Goose maintainers actively want to merge, including long-running tasks support.
Who this is for: MCP contributors, agent engineers, open-source maintainers, and anyone building on top of the MCP or ACP ecosystems who wants a place to test bold ideas with real users.
Links and Resources:
- Goose (Block, Linux Foundation): https://github.com/block/goose
- Goose documentation: https://block.github.io/goose/
- Code Mode deep dive on the Goose blog: https://block.github.io/goose/blog/2026/02/06/8-things-you-didnt-know-about-code-mode/
- Cloudflare's original Code Mode post: https://blog.cloudflare.com/code-mode/
- Agent Client Protocol: https://agentclientprotocol.com/
- ACP on Zed: https://zed.dev/acp
- MCP Apps overview: https://modelcontextprotocol.io/extensions/apps/overview
- MCP Apps spec repo: https://github.com/modelcontextprotocol/ext-apps
- Agentic AI Foundation (Linux Foundation): https://agenticaifoundation.org/
Timestamps (approximate, please adjust after upload):
00:00 - Opening: Closing the gap between MCP ideas and places to ship them
01:00 - What Goose is: Open-source agent from Block, now at the Linux Foundation
02:40 - Why keep an agent as a permanent project in an age of generated agents
03:00 - Four pillars: Performance, interoperability, experimentation, governance
05:00 - Goose as an open host for the MCP ecosystem
07:40 - Code Mode: The problem with traditional tool calling
09:20 - How Code Mode works: TypeScript interfaces plus a sandboxed execution context
11:00 - The Port of Context story: Open-source collaboration in practice
12:40 - Agent Client Protocol (ACP): Standardizing the client side
14:20 - ACP demos: Terminal UI, Toad, new Goose desktop, Zed
16:00 - Proposing HTTP transport for ACP
16:45 - MCP Apps and MCP UI in Goose
17:40 - Excalidraw MCP App live demo
18:45 - Experimental: Sampling from app front-end code
20:10 - Call for contributors: Ship your crazy MCP ideas
20:45 - Q and A: Sampling statefulness, long-running tasks support
#MCP #Goose #AgentClientProtocol

9 0

YouTube Video UExqVUx3ZEpVdEZkaElCaGliTEVvZ3RLMVhZQ05hRnlGbC4wNEU1MTI4NkZEMzVBN0JF

Goose as a Proving Ground for New MCP Features, and How To Use Them - Alex Hancock, Block

Agentic AI Foundation April 13, 2026 11:26 am

Subscribe