{"id":"5650a825-376b-4ce1-a114-b47e158d0aa5","shortId":"uCfF27","kind":"skill","title":"mcp-best-practices","tagline":"Build production MCP servers with the TypeScript SDK. Covers spec 2025-11-25, SDK v1.29+/v2 alpha, transport selection, tool design, error handling, security, performance, known bugs with workarounds, MCP extensions, MCP Apps (interactive UIs), authorization extensions, and the M","description":"# MCP Best Practices\n\nDecision reference for building production MCP servers with the TypeScript SDK. Not a tutorial - assumes you already have a working server and need to make it correct, fast, and secure.\n\n## Quick Reference\n\n| Component | Current | Next |\n|-----------|---------|------|\n| Spec | **2025-11-25** ([spec.modelcontextprotocol.io](https://spec.modelcontextprotocol.io)) | - |\n| TS SDK (stable) | **v1.29.0** (`@modelcontextprotocol/sdk`) | v2 alpha published |\n| TS SDK (v2) | **Alpha** (`2.0.0-alpha.2` on npm, Apr 2026): `/server`, `/client`, `/core`, `/hono`, `/express`, `/node`, `/fastify` | Q3 2026 stable target |\n| JSON Schema | **2020-12** default (explicit `$schema` supported) | - |\n| Transport | **Streamable HTTP** (remote), **stdio** (local) | SSE + WebSocket removed in v2 |\n| Extensions | **MCP Apps** (Stable, SEP-1865), **Auth Extensions** (official) | Domain-specific WGs |\n| Registry | **Preview** with v0.1 API freeze since 2025-10-24 ([registry](https://modelcontextprotocol.io/registry/about)) | GA pending |\n\n**v1 imports** (production today):\n```typescript\nimport { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport { WebStandardStreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\";\nimport { StdioServerTransport } from \"@modelcontextprotocol/sdk/server/stdio.js\";\n```\n\n**v2 imports** (when stable):\n```typescript\nimport { McpServer } from \"@modelcontextprotocol/server\";\nimport { WebStandardStreamableHTTPServerTransport } from \"@modelcontextprotocol/server\";\n```\n\n## Server Setup\n\n### Transport Decision\n\n| Scenario | Transport | Key Config |\n|----------|-----------|------------|\n| Remote, stateless (K8s, CF Workers) | `WebStandardStreamableHTTPServerTransport` | `sessionIdGenerator: undefined`, `enableJsonResponse: true` |\n| Remote, stateful (long tasks, SSE) | `WebStandardStreamableHTTPServerTransport` | `sessionIdGenerator: () => randomUUID()` |\n| Local CLI / Claude Desktop | `StdioServerTransport` | Default |\n| Legacy SSE clients | SSE removed in v2 - migrate to Streamable HTTP | - |\n\n### Stateless Pattern (recommended for remote deployment)\n\nPer-request server+transport creation is the canonical pattern. Maintainer @ihrpr confirms: \"each transport should have an instance of MCPServer\" ([#343](https://github.com/modelcontextprotocol/typescript-sdk/issues/343)). Sharing instances leaks cross-client data (GHSA-345p-7cg4-v4c7).\n\n```typescript\napp.post(\"/mcp\", async (c) => {\n  const server = new McpServer({ name: \"my-server\", version: \"1.0.0\" });\n  // Register tools, resources, prompts...\n  registerTools(server);\n\n  const transport = new WebStandardStreamableHTTPServerTransport({\n    sessionIdGenerator: undefined,   // stateless - no session tracking\n    enableJsonResponse: true,        // JSON responses, no SSE streaming\n  });\n\n  // All tools/resources must be registered before connect() (#893)\n  try {\n    await server.connect(transport);\n    return transport.handleRequest(c.req.raw);\n  } finally {\n    await transport.close();\n    await server.close();\n  }\n});\n```\n\n**What to hoist to module level** (don't recreate per request):\n- Zod schemas (they never change)\n- Annotation objects (`{ readOnlyHint: true, ... }`)\n- Tool description strings\n- Payment configs, upstream API clients\n\nThe McpServer itself must be per-request, but its constant inputs should not be.\n\n> For deep dive on transports, sessions, HTTP/2 gotchas, and K8s deployment: see `references/transport-patterns.md`\n\n### Framework Integration\n\n**Hono** (web-standard):\n```typescript\nimport { Hono } from \"hono\";\nconst app = new Hono();\napp.post(\"/mcp\", handleMcpRequest);  // WebStandardStreamableHTTPServerTransport\napp.get(\"/mcp\", handleMcpSse);       // Optional: SSE for server notifications\napp.delete(\"/mcp\", handleMcpDelete); // Optional: session termination\n```\n\n**Cloudflare Workers**: Same pattern - `WebStandardStreamableHTTPServerTransport` works natively in Workers runtime.\n\n**Express/Node** (v2): Use `@modelcontextprotocol/express` middleware with `NodeStreamableHTTPServerTransport` (wraps the Web Standard transport for `IncomingMessage`/`ServerResponse`).\n\n## Tool Design\n\n### Registration API\n\n**v1 (current stable)** - `server.tool()` works but has ambiguous overloads. Prefer the config-object form when possible:\n```typescript\nserver.tool(\"search_docs\", \"Search documents\", {\n  query: z.string().describe(\"Search query\"),\n  max_results: z.number().optional().describe(\"Max results (default 20)\"),\n}, { readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true },\n  async ({ query, max_results }) => { /* handler */ }\n);\n```\n\n**v2 (migration target)** - `registerTool()` with config object:\n```typescript\nserver.registerTool(\"search_docs\", {\n  title: \"Document Search\",\n  description: \"Search documents by keyword or phrase\",\n  inputSchema: z.object({\n    query: z.string().describe(\"Search query\"),\n    max_results: z.number().optional().describe(\"Max results (default 20)\"),\n  }),\n  outputSchema: z.object({\n    results: z.array(z.object({ id: z.string(), text: z.string() })),\n    has_more: z.boolean(),\n  }),\n  annotations: { readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true },\n}, async ({ query, max_results }) => {\n  const result = await fetchDocs(query, max_results);\n  return {\n    structuredContent: result,\n    content: [{ type: \"text\", text: JSON.stringify(result) }],\n  };\n});\n```\n\n### Naming\n\nSpec (2025-11-25): 1-128 chars, case-sensitive. Allowed: `A-Za-z0-9_-.`\n\n**DO**: `search_docs`, `get_user_profile`, `admin.tools.list`\n**DON'T**: `search` (too generic, collides across servers), `Search Docs` (spaces not allowed)\n\nService-prefix your tools (`github_*`, `jira_*`) when multiple servers are active - LLMs confuse generic names across servers.\n\n### Schema Rules\n\n`.describe()` on every field - this is what LLMs use for argument generation.\n\n> For complete Zod-to-JSON-Schema conversion rules, what breaks silently, outputSchema/structuredContent patterns: see `references/tool-schema-guide.md`\n\n**Critical bugs**:\n- `z.union()` / `z.discriminatedUnion()` silently produce empty schemas on v1.x ([#1643](https://github.com/modelcontextprotocol/typescript-sdk/issues/1643), fixed on `main` 2026-03-30). Use flat `z.object()` with `z.enum()` discriminator field instead until v1 ships the fix.\n- Plain JSON Schema objects silently dropped before v1.28.0. Fixed in v1.28 - now throws at registration ([#1596](https://github.com/modelcontextprotocol/typescript-sdk/issues/1596)).\n- `z.transform()` stripped during conversion - JSON Schema can't represent transforms ([#702](https://github.com/modelcontextprotocol/typescript-sdk/issues/702)).\n- **Client-side AJV strict-mode rejection**: Zod v4 `z.object()` produces JSON Schema with `additionalProperties: false`. The SDK's client validates `structuredContent` against `outputSchema` with AJV strict mode and rejects extra fields. Server-side `.parse()` strips extras silently, but the original `structuredContent` is sent to the client unchanged - so the server thinks it's fine and the client errors. Fix: explicitly `.parse()` upstream data before assigning to `structuredContent`, or use `.passthrough()` on schemas that intentionally pass through extra fields.\n\n### Annotations\n\nAll are optional hints (untrusted from untrusted servers per spec):\n\n| Annotation | Default | Meaning |\n|------------|---------|---------|\n| `readOnlyHint` | `false` | Tool doesn't modify its environment |\n| `destructiveHint` | `true` | May perform destructive updates (only when readOnly=false) |\n| `idempotentHint` | `false` | Repeated calls with same args have no additional effect |\n| `openWorldHint` | `true` | Interacts with external entities (APIs, web) |\n\nSet them accurately - clients use them for consent prompts and auto-approval decisions.\n\n**Open SEPs expanding annotations**:\n- `#1913` Trust and Sensitivity - data classification hints\n- `#1984` Comprehensive annotations for governance/UX\n- `#1561` `unsafeOutputHint` - output may contain untrusted content\n- `#1560` `secretHint` - tool handles secrets/credentials\n- `#1487` `trustedHint` - server attestation of tool trustworthiness\n\n**The \"Lethal Trifecta\"**: Combining (1) access to private data + (2) exposure to untrusted content + (3) external communication ability creates data theft conditions. Researchers demonstrated this with a malicious calendar event, an MCP calendar server, and a code execution tool. Design tool sets to avoid granting all three simultaneously.\n\n**Evaluation framework for new annotation proposals**:\n1. What client behavior changes? (No concrete action = don't add it)\n2. Does it require trust to be useful? (If yes, doesn't help against untrusted servers)\n3. Could `_meta` handle it? (Namespaced metadata better for single-deployment needs)\n4. Does it help reason about tool combinations?\n5. Is it a hint or contract? (Contracts belong in auth/transport/runtime layer)\n\n## Error Handling\n\nTwo distinct mechanisms with different LLM visibility:\n\n| Type | LLM Sees It? | Use For |\n|------|--------------|---------|\n| **Tool error** (`isError: true` in CallToolResult) | Yes - enables self-correction | Input validation, API failures, business logic errors |\n| **Protocol error** (JSON-RPC error response) | Maybe - clients MAY expose | Unknown tool, malformed request, server crash |\n\nPer SEP-1303 (merged into spec 2025-11-25): input validation errors MUST be tool execution errors, not protocol errors. The LLM needs to see \"date must be in the future\" to self-correct.\n\n```typescript\n// DO: Tool execution error - LLM can self-correct\nreturn {\n  isError: true,\n  content: [{ type: \"text\", text: \"Date must be in the future. Current date: 2026-03-25\" }],\n};\n\n// DON'T: Protocol error for validation - LLM can't see this\nthrow new McpError(ErrorCode.InvalidParams, \"Invalid date\");\n```\n\n**Known SDK behavior**: When the SDK converts an `McpError` thrown from a tool handler into a `CallToolResult`, the `error.data` field is dropped. If you embed structured data in McpError's `data` field, it may not reach the client. The x402/MPP MCP ecosystem standardized on `isError: true` tool results with `structuredContent` for this reason. (One exception: code `-32042` \"Payment Required\" survives McpServer end-to-end with `error.data` intact - see `references/error-handling.md`.)\n\n> For full error taxonomy, code examples, and payment error patterns: see `references/error-handling.md`\n\n## Resources and Instructions\n\n### Server Instructions\n\nSet in the initialization response - acts as a system-level hint to the LLM about how to use your server:\n\n```typescript\nconst server = new McpServer({\n  name: \"docs-api\",\n  version: \"1.0.0\",\n  instructions: \"Knowledge base API. Use search_docs for full-text search, get_doc for retrieval by ID. All tools are read-only.\",\n});\n```\n\n### Resource Registration\n\nExpose documentation or structured data via `docs://` URI scheme:\n\n```typescript\nserver.resource(\"search-operators\", \"docs://search-operators\", {\n  title: \"Search Operators Guide\",\n  description: \"Supported search operators and syntax\",\n  mimeType: \"text/markdown\",\n}, async () => ({\n  contents: [{ uri: \"docs://search-operators\", text: operatorsMarkdown }],\n}));\n```\n\n## Performance\n\n### Module-Level Caching\n\nThe McpServer must be per-request, but everything else can be shared:\n\n```typescript\n// Module-level (created once)\nconst SCHEMAS = {\n  search: z.object({ query: z.string().describe(\"Search query\") }),\n  fetch: z.object({ id: z.string().describe(\"Resource ID\") }),\n};\nconst READ_ONLY_ANNOTATIONS = {\n  readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true,\n} as const;\n\n// Per-request (created each time)\nfunction createMcpServer(ctx: Context) {\n  const server = new McpServer({ name: \"my-server\", version: \"1.0.0\" });\n  server.tool(\"search\", \"Search\", SCHEMAS.search, READ_ONLY_ANNOTATIONS, handler);\n  return server;\n}\n```\n\n### Token Bloat Mitigation\n\nTool definitions consume context window before any conversation starts. GitHub MCP: 20,444 tokens for 80 tools (SEP-1576).\n\n**Strategies**:\n1. **5-15 tools per server** - community sweet spot. Split beyond that.\n2. **Outcome-oriented tools** - bundle multi-step operations into single tools (e.g., `track_order(email)` not `get_user` + `list_orders` + `get_status`).\n3. **Response granularity** - return curated results, not raw API dumps. 800-token user object vs 20-token summary.\n4. **`outputSchema` + `structuredContent`** - lets clients process data programmatically without LLM parsing overhead.\n5. **Dynamic tool loading** - register only relevant tool subsets based on request context (e.g., `?tools=search,fetch` query parameter).\n\n### No-Parameter Tools\n\nFor tools with no inputs, use explicit empty schema:\n```typescript\ninputSchema: { type: \"object\" as const, additionalProperties: false }\n```\n\n## Security\n\n### Top Threats (real-world incidents, 2025-2026)\n\n| Attack | Example | Mitigation |\n|--------|---------|------------|\n| **Tool poisoning** | Hidden instructions in descriptions (WhatsApp MCP, Apr 2025) | Review tool descriptions; clients should display them |\n| **Supply chain** | Malicious npm packages (Smithery breach, Oct 2025) | Pin versions, audit dependencies |\n| **Command injection** | `child_process.exec` with unsanitized input (CVE-2025-53967) | Never interpolate user input into shell commands |\n| **Stdio config injection** | User-controlled input reaches `StdioServerParameters` without sanitization (OX Security disclosure, 2026-04-15) | Sanitize stdio config inputs in client code; prefer first-party servers; treat by Anthropic as \"by design\" - not patched in SDK |\n| **Cross-server shadowing** | Malicious server overrides legitimate tool names | Service-prefix tool names; validate tool sources |\n| **Token theft** | Over-privileged PATs with broad scopes | Minimal scopes; OAuth 2.1 Resource Indicators (RFC 8707) |\n| **Token passthrough** | Server accepts/forwards tokens not issued for it | Validate audience claim; never transit client tokens to upstream APIs |\n| **SSRF** | Malicious OAuth metadata URLs targeting internal services | HTTPS enforcement, block private IPs, validate redirect targets |\n| **Confused deputy** | Proxy server consent cookies exploited via DCR | Per-client consent before forwarding to third-party auth |\n| **Session hijacking** | Stolen/guessed session IDs for impersonation | Cryptographically random IDs, bind to user identity, never use for auth |\n| **Cross-client response leak** | Shared `McpServer`/transport reused across clients ([CVE-2026-25536](https://nvd.nist.gov/vuln/detail/cve-2026-25536), affects v1.10.0-1.25.3) | **Require SDK ≥ v1.26.0**; per-request server+transport |\n| **UriTemplate ReDoS** | Malicious URI patterns ([CVE-2026-0621](https://github.com/modelcontextprotocol/typescript-sdk/pull/1365)) | Upgrade to v1.25.2+ / v2.0.0-alpha.1+ |\n\n### Server-Side Requirements (spec normative)\n\n- **Validate all inputs** at tool boundaries\n- **Implement access controls** per user/session\n- **Rate limit** tool invocations\n- **Sanitize outputs** before returning to client\n- **Validate `Origin` header** - respond 403 for invalid origins (2025-11-25 requirement)\n- **Require `MCP-Protocol-Version` header** on all requests after initialization (spec 2025-06-18+)\n- **Bind local servers to localhost** (127.0.0.1) only\n\n### Auth (OAuth 2.1)\n\nMCP normatively requires **OAuth 2.1** ([draft-ietf-oauth-v2-1-13](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13)). The spec states: \"Authorization servers MUST implement OAuth 2.1.\" PKCE is mandatory, implicit flow is removed. Always build against OAuth 2.1 - not 2.0.\n\nMCP servers are OAuth 2.1 Resource Servers. Clients MUST include Resource Indicators (RFC 8707) binding tokens to specific servers. Key requirements:\n\n- **Validate audience** - reject tokens not issued for your server (token passthrough is explicitly forbidden)\n- **PKCE mandatory** - use `S256` code challenge method\n- **Short-lived tokens** - reduce blast radius of leaked credentials\n- **Scope minimization** - start with minimal scopes, elevate incrementally via `WWW-Authenticate` challenges\n- **Don't implement token validation yourself** - use tested libraries (Keycloak, Auth0, etc.)\n- **Don't log credentials** - never log Authorization headers, tokens, or secrets\n\n> For full security attack/mitigation patterns and auth implementation details: see `references/security-auth.md`\n\n## Known SDK Bugs\n\n| Issue | Severity | Status | Workaround |\n|-------|----------|--------|------------|\n| [#1643](https://github.com/modelcontextprotocol/typescript-sdk/issues/1643) - `z.union()`/`z.discriminatedUnion()` silently dropped | High | Fixed on `main` (closed 2026-03-30); pending v1 release | Use flat `z.object()` + `z.enum()` until v1 ships the fix |\n| [#1699](https://github.com/modelcontextprotocol/typescript-sdk/issues/1699) - Transport closure stack overflow (15-25+ concurrent) | High | Fixed in PR #1788 (closed 2026-04-02) | Upgrade to ≥ v1.29.0 / v2 alpha |\n| [#1619](https://github.com/modelcontextprotocol/typescript-sdk/issues/1619) - HTTP/2 + SSE Content-Length error | Medium | Closed (reclassified to upstream `@hono/node-server#266`) | Use `enableJsonResponse: true` or avoid HTTP/2 upstream |\n| [#893](https://github.com/modelcontextprotocol/typescript-sdk/issues/893) - Dynamic registration after connect blocked | Medium | Open | Register all tools/resources before `connect()` |\n| [#1596](https://github.com/modelcontextprotocol/typescript-sdk/issues/1596) - Plain JSON Schema silently dropped | Fixed | v1.28.0 | Upgrade to v1.28+ |\n| Client AJV strict rejects unstripped `structuredContent` extras | High | Behavior, not bug | Server `.parse()` upstream data before returning, or use `.passthrough()` |\n| GHSA-345p-7cg4-v4c7 / [CVE-2026-25536](https://nvd.nist.gov/vuln/detail/cve-2026-25536) - Shared instances leak cross-client data | Critical | Fixed v1.26.0 | **Require ≥ v1.26.0** (or v2.0.0-alpha.1+); per-request server+transport |\n| [CVE-2026-0621](https://github.com/modelcontextprotocol/typescript-sdk/pull/1365) - UriTemplate ReDoS | Medium | Fixed v1.25.2 / v2.0.0-alpha.1 | Upgrade |\n\n## V2 Migration\n\n> For comprehensive migration guide with all breaking changes and before/after code: see `references/v2-migration.md`\n\n**Key breaking changes**:\n1. Package split: `@modelcontextprotocol/sdk` -> `@modelcontextprotocol/server` + `/client` + `/core`\n2. ESM only, Node.js 20+\n3. Zod v4 required (or any Standard Schema library)\n4. `McpError` -> `ProtocolError` (from `@modelcontextprotocol/core`)\n5. `extra` parameter -> structured `ctx` with `ctx.mcpReq`\n6. `server.tool()` -> `registerTool()` (config object, not positional args)\n7. SSE server transport removed (clients can still connect to legacy SSE servers)\n8. `@modelcontextprotocol/hono` and `@modelcontextprotocol/express` middleware packages\n9. DNS rebinding protection enabled by default for localhost servers\n\nv1.x gets 6 more months of support after v2 stable ships. No rush, but write new code with v2 patterns in mind.\n\n## Extensions\n\nMCP extensions are optional, strictly additive capabilities on top of the core protocol. Both sides negotiate support during initialization via `extensions` in capabilities.\n\n**Identifiers**: `{vendor-prefix}/{extension-name}`. Official: `io.modelcontextprotocol/*`. Third-party: reversed domain (e.g., `com.example/my-ext`).\n\n### Official Extensions\n\n| Extension | Identifier | Purpose |\n|-----------|-----------|---------|\n| **MCP Apps** | `io.modelcontextprotocol/ui` | Interactive HTML UIs in chat (charts, forms, dashboards) |\n| **OAuth Client Credentials** | `io.modelcontextprotocol/oauth-client-credentials` | Machine-to-machine auth (CI/CD, daemons, server-to-server) |\n| **Enterprise-Managed Auth** | `io.modelcontextprotocol/enterprise-managed-authorization` | Centralized access control via enterprise IdP |\n\n**Client support**: Claude (web + Desktop), ChatGPT, VS Code Copilot, Goose, Postman, MCPJam all support MCP Apps. Auth extensions not yet widely adopted.\n\n> For MCP Apps architecture, ext-apps SDK, and build patterns: see `references/mcp-apps.md`\n> For extensions system, auth extensions, and MCP Registry: see `references/extensions-registry.md`\n\n### Server Capabilities Beyond Tools\n\n| Capability | Purpose | v2 API |\n|-----------|---------|--------|\n| **Elicitation** | Request structured user input mid-tool | `ctx.mcpReq.elicitInput()` |\n| **Sampling** | Request LLM completion from client | `ctx.mcpReq.requestSampling()` |\n| **Tasks** (SEP-1686) | Long-running ops with lifecycle management | Pending |\n| **Progress** | Incremental progress on requests | `ctx.mcpReq.sendProgress()` |","tags":["mcp","best","practices","skills","tenequm","agent-skills","ai-agents","claude-code","claude-skills","clawhub","erc-8004","mpp"],"capabilities":["skill","source-tenequm","skill-mcp-best-practices","topic-agent-skills","topic-ai-agents","topic-claude-code","topic-claude-skills","topic-clawhub","topic-erc-8004","topic-mpp","topic-openclaw","topic-skills","topic-solana","topic-x402"],"categories":["skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/tenequm/skills/mcp-best-practices","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add tenequm/skills","source_repo":"https://github.com/tenequm/skills","install_from":"skills.sh"}},"qualityScore":"0.464","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 28 github stars · SKILL.md body (20,808 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:04:38.719Z","embedding":null,"createdAt":"2026-04-18T23:05:17.965Z","updatedAt":"2026-05-18T19:04:38.719Z","lastSeenAt":"2026-05-18T19:04:38.719Z","tsv":"'-02':2059 '-03':689,1144,2026 '-04':1630,2058 '-06':1856 '-0621':1796,2171 '-10':158 '-11':16,85,589,1090,1840 '-12':121 '-128':592 '-13':1879 '-1303':1085 '-15':1453,1631 '-1576':1449 '-1686':2455 '-18':1857 '-1865':142 '-2025':1606 '-2026':1565,1774,1795,2145,2170 '-24':159 '-25':17,86,590,1091,1145,1841,2049 '-25536':1775,2146 '-30':690,2027 '-32042':1219 '-53967':1607 '/*':2326 '/client':108,2205 '/core':109,2206 '/doc/html/draft-ietf-oauth-v2-1-13)).':1882 '/enterprise-managed-authorization':2377 '/express':111 '/fastify':113 '/hono':110 '/mcp':284,412,416,424 '/modelcontextprotocol/typescript-sdk/issues/1596)':2108 '/modelcontextprotocol/typescript-sdk/issues/1596)).':722 '/modelcontextprotocol/typescript-sdk/issues/1619)':2068 '/modelcontextprotocol/typescript-sdk/issues/1643)':2015 '/modelcontextprotocol/typescript-sdk/issues/1643),':684 '/modelcontextprotocol/typescript-sdk/issues/1699)':2043 '/modelcontextprotocol/typescript-sdk/issues/343)).':269 '/modelcontextprotocol/typescript-sdk/issues/702)).':736 '/modelcontextprotocol/typescript-sdk/issues/893)':2092 '/modelcontextprotocol/typescript-sdk/pull/1365)':2174 '/modelcontextprotocol/typescript-sdk/pull/1365))':1799 '/my-ext':2335 '/node':112 '/oauth-client-credentials':2359 '/registry/about))':163 '/server':107 '/transport':1769 '/ui':2345 '/v2':20 '/vuln/detail/cve-2026-25536)':2149 '/vuln/detail/cve-2026-25536),':1778 '1':591,922,972,1451,1878,2200 '1.0.0':296,1281,1417 '127.0.0.1':1863 '1487':911 '15':2048 '1560':906 '1561':899 '1596':719,2105 '1619':2065 '1643':681,2012 '1699':2040 '1788':2055 '1913':887 '1984':894 '2':927,984,1463,2207 '2.0':1905 '2.0.0':101 '2.1':1684,1867,1872,1891,1903,1910 '20':494,544,1442,1502,2211 '2020':120 '2025':15,84,157,588,1089,1564,1578,1594,1839,1855 '2026':106,115,688,1143,1629,2025,2057 '266':2081 '3':932,1000,1487,2212 '343':266 '345p':279,2141 '4':1013,1505,2221 '403':1835 '444':1443 '5':1021,1452,1517,2226 '6':2233,2272 '7':2241 '702':733 '7cg4':280,2142 '8':2254 '80':1446 '800':1497 '8707':1688,1919 '893':327,2089 '9':602,2260 'a-za-z0':598 'abil':935 'accepts/forwards':1692 'access':923,1817,2379 'accur':871 'across':616,639,1771 'act':1255 'action':979 'activ':634 'add':982 'addit':859,2298 'additionalproperti':752,1555 'admin.tools.list':609 'adopt':2405 'affect':1779 'ajv':740,763,2120 'allow':597,622 'alpha':21,95,100,2064 'alpha.2':102 'alreadi':64 'alway':1899 'ambigu':465 'annot':356,557,818,829,886,896,970,1387,1424 'anthrop':1646 'api':154,366,457,867,1061,1279,1285,1495,1707,2436 'app':37,139,408,2342,2399,2408,2412 'app.delete':423 'app.get':415 'app.post':283,411 'approv':881 'apr':105,1577 'architectur':2409 'arg':856,2240 'argument':653 'assign':804 'assum':62 'async':285,503,566,1336 'attack':1566 'attack/mitigation':1997 'attest':914 'audienc':1699,1928 'audit':1597 'auth':143,1743,1761,1865,2000,2364,2374,2400,2422 'auth/transport/runtime':1031 'auth0':1981 'authent':1969 'author':40,1886,1989 'auto':880 'auto-approv':879 'avoid':961,2086 'await':329,336,338,572 'base':1284,1526 'before/after':2193 'behavior':975,1165,2127 'belong':1029 'best':3,46 'better':1007 'beyond':1461,2431 'bind':1754,1858,1920 'blast':1953 'bloat':1429 'block':1718,2097 'boundari':1815 'breach':1592 'break':665,2190,2198 'broad':1679 'bug':31,672,2007,2129 'build':5,51,1900,2415 'bundl':1468 'busi':1063 'c':286 'c.req.raw':334 'cach':1348 'calendar':946,950 'call':853 'calltoolresult':1053,1179 'canon':253 'capabl':2299,2315,2430,2433 'case':595 'case-sensit':594 'central':2378 'cf':207 'chain':1587 'challeng':1946,1970 'chang':355,976,2191,2199 'char':593 'chart':2351 'chat':2350 'chatgpt':2389 'child_process.exec':1601 'ci/cd':2365 'claim':1700 'classif':892 'claud':224,2386 'cli':223 'client':230,275,367,738,757,785,796,872,974,1074,1200,1509,1582,1637,1703,1735,1764,1772,1830,1913,2119,2155,2246,2355,2384,2451 'client-sid':737 'close':2024,2056,2076 'closur':2045 'cloudflar':429 'code':954,1218,1237,1638,1945,2194,2286,2391 'collid':615 'com.example':2334 'com.example/my-ext':2333 'combin':921,1020 'command':1599,1614 'communic':934 'communiti':1457 'complet':656,2449 'compon':80 'comprehens':895,2185 'concret':978 'concurr':2050 'condit':939 'config':203,364,470,513,1616,1634,2236 'config-object':469 'confirm':257 'confus':636,1724 'connect':326,2096,2104,2249 'consent':876,1728,1736 'const':287,303,407,570,1272,1368,1384,1397,1408,1554 'constant':378 'consum':1433 'contain':903 'content':580,905,931,1131,1337,2072 'content-length':2071 'context':1407,1434,1529 'contract':1027,1028 'control':1620,1818,2380 'convers':662,726,1438 'convert':1169 'cooki':1729 'copilot':2392 'core':2304 'correct':74,1058,1117,1127 'could':1001 'cover':13 'crash':1082 'creat':936,1366,1401 'createmcpserv':1405 'creation':250 'credenti':1957,1986,2356 'critic':671,2157 'cross':274,1655,1763,2154 'cross-client':273,1762,2153 'cross-serv':1654 'cryptograph':1751 'ctx':1406,2230 'ctx.mcpreq':2232 'ctx.mcpreq.elicitinput':2445 'ctx.mcpreq.requestsampling':2452 'ctx.mcpreq.sendprogress':2469 'curat':1491 'current':81,459,1141 'cve':1605,1773,1794,2144,2169 'daemon':2366 'dashboard':2353 'data':276,802,891,926,937,1189,1193,1312,1511,2133,2156 'datatracker.ietf.org':1881 'datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13)).':1880 'date':1108,1135,1142,1162 'dcr':1732 'decis':48,199,882 'deep':384 'default':122,227,493,543,830,2266 'definit':1432 'demonstr':941 'depend':1598 'deploy':244,393,1011 'deputi':1725 'describ':483,490,533,540,643,1374,1381 'descript':361,522,1328,1574,1581 'design':25,455,957,1649 'desktop':225,2388 'destruct':844 'destructivehint':497,560,840,1390 'detail':2002 'differ':1039 'disclosur':1628 'discrimin':696 'display':1584 'distinct':1036 'dive':385 'dns':2261 'doc':478,518,605,619,1278,1288,1295 'docs-api':1277 'document':480,520,524,1309 'doesn':835,994 'domain':147,2331 'domain-specif':146 'draft':1874 'draft-ietf-oauth-v2':1873 'drop':709,1184,2019,2113 'dump':1496 'dynam':1518,2093 'e.g':1476,1530,2332 'ecosystem':1204 'effect':860 'elev':1964 'elicit':2437 'els':1358 'email':1479 'emb':1187 'empti':677,1547 'enabl':1055,2264 'enablejsonrespons':212,313,2083 'end':1225,1227 'end-to-end':1224 'enforc':1717 'enterpris':2372,2382 'enterprise-manag':2371 'entiti':866 'environ':839 'error':26,797,1033,1049,1065,1067,1071,1094,1099,1102,1122,1149,1235,1241,2074 'error.data':1181,1229 'errorcode.invalidparams':1160 'esm':2208 'etc':1982 'evalu':966 'event':947 'everi':645 'everyth':1357 'exampl':1238,1567 'except':1217 'execut':955,1098,1121 'expand':885 'explicit':123,799,1546,1939 'exploit':1730 'expos':1076,1308 'exposur':928 'express/node':439 'ext':2411 'ext-app':2410 'extens':35,41,137,144,2292,2294,2313,2321,2337,2338,2401,2420,2423 'extension-nam':2320 'extern':865,933 'extra':768,775,816,2125,2227 'failur':1062 'fals':498,561,753,833,849,851,1391,1556 'fast':75 'fetch':1377,1533 'fetchdoc':573 'field':646,697,769,817,1182,1194 'final':335 'fine':793 'first':1641 'first-parti':1640 'fix':685,703,712,798,2021,2039,2052,2114,2158,2178 'flat':692,2032 'flow':1896 'forbidden':1940 'form':472,2352 'forward':1738 'framework':396,967 'freez':155 'full':1234,1291,1995 'full-text':1290 'function':1404 'futur':1113,1140 'ga':164 'generat':654 'generic':614,637 'get':606,1294,1481,1485,2271 'ghsa':278,2140 'ghsa-345p-7cg4-v4c7':277,2139 'github':628,1440 'github.com':268,683,721,735,1798,2014,2042,2067,2091,2107,2173 'github.com/modelcontextprotocol/typescript-sdk/issues/1596)':2106 'github.com/modelcontextprotocol/typescript-sdk/issues/1596)).':720 'github.com/modelcontextprotocol/typescript-sdk/issues/1619)':2066 'github.com/modelcontextprotocol/typescript-sdk/issues/1643)':2013 'github.com/modelcontextprotocol/typescript-sdk/issues/1643),':682 'github.com/modelcontextprotocol/typescript-sdk/issues/1699)':2041 'github.com/modelcontextprotocol/typescript-sdk/issues/343)).':267 'github.com/modelcontextprotocol/typescript-sdk/issues/702)).':734 'github.com/modelcontextprotocol/typescript-sdk/issues/893)':2090 'github.com/modelcontextprotocol/typescript-sdk/pull/1365)':2172 'github.com/modelcontextprotocol/typescript-sdk/pull/1365))':1797 'goos':2393 'gotcha':390 'governance/ux':898 'grant':962 'granular':1489 'guid':1327,2187 'handl':27,909,1003,1034 'handlemcpdelet':425 'handlemcprequest':413 'handlemcpss':417 'handler':507,1176,1425 'header':1833,1848,1990 'help':996,1016 'hidden':1571 'high':2020,2051,2126 'hijack':1745 'hint':822,893,1025,1261 'hoist':342 'hono':398,404,406,410 'hono/node-server':2080 'html':2347 'http':128,238 'http/2':389,2069,2087 'https':1716 'id':550,1299,1379,1383,1748,1753 'idempotenthint':499,562,850,1392 'ident':1757 'identifi':2316,2339 'idp':2383 'ietf':1875 'ihrpr':256 'imperson':1750 'implement':1816,1889,1973,2001 'implicit':1895 'import':167,171,175,179,184,188,192,403 'incid':1563 'includ':1915 'incomingmessag':452 'increment':1965,2465 'indic':1686,1917 'initi':1253,1853,2311 'inject':1600,1617 'input':379,1059,1092,1544,1604,1611,1621,1635,1812,2441 'inputschema':529,1550 'instanc':263,271,2151 'instead':698 'instruct':1247,1249,1282,1572 'intact':1230 'integr':397 'intent':813 'interact':38,863,2346 'intern':1714 'interpol':1609 'invalid':1161,1837 'invoc':1824 'io.modelcontextprotocol':2325,2344,2358,2376 'io.modelcontextprotocol/*':2324 'io.modelcontextprotocol/enterprise-managed-authorization':2375 'io.modelcontextprotocol/oauth-client-credentials':2357 'io.modelcontextprotocol/ui':2343 'ip':1720 'iserror':1050,1129,1207 'issu':1695,1932,2008 'jira':629 'json':118,315,660,705,727,749,1069,2110 'json-rpc':1068 'json.stringify':584 'k8s':206,392 'key':202,1925,2197 'keycloak':1980 'keyword':526 'knowledg':1283 'known':30,1163,2005 'layer':1032 'leak':272,1766,1956,2152 'legaci':228,2251 'legitim':1661 'length':2073 'let':1508 'lethal':919 'level':345,1260,1347,1365 'librari':1979,2220 'lifecycl':2461 'limit':1822 'list':1483 'live':1950 'llm':1040,1043,1104,1123,1152,1264,1514,2448 'llms':635,650 'load':1520 'local':131,222,1859 'localhost':1862,2268 'log':1985,1988 'logic':1064 'long':216,2457 'long-run':2456 'm':44 'machin':2361,2363 'machine-to-machin':2360 'main':687,2023 'maintain':255 'make':72 'malform':1079 'malici':945,1588,1658,1709,1791 'manag':2373,2462 'mandatori':1894,1942 'max':486,491,505,536,541,568,575 'may':842,902,1075,1196 'mayb':1073 'mcp':2,7,34,36,45,53,138,949,1203,1441,1576,1845,1868,1906,2293,2341,2398,2407,2425 'mcp-best-practic':1 'mcp-protocol-vers':1844 'mcperror':1159,1171,1191,2222 'mcpjam':2395 'mcpserver':172,189,265,290,369,1223,1275,1350,1411,1768 'mean':831 'mechan':1037 'medium':2075,2098,2177 'merg':1086 'meta':1002 'metadata':1006,1711 'method':1947 'mid':2443 'mid-tool':2442 'middlewar':443,2258 'migrat':235,509,2183,2186 'mimetyp':1334 'mind':2291 'minim':1681,1959,1962 'mitig':1430,1568 'mode':743,765 'modelcontextprotocol.io':162 'modelcontextprotocol.io/registry/about))':161 'modelcontextprotocol/core':2225 'modelcontextprotocol/express':442,2257 'modelcontextprotocol/hono':2255 'modelcontextprotocol/sdk':93,2203 'modelcontextprotocol/sdk/server/mcp.js':174 'modelcontextprotocol/sdk/server/stdio.js':182 'modelcontextprotocol/sdk/server/webstandardstreamablehttp.js':178 'modelcontextprotocol/server':191,195,2204 'modifi':837 'modul':344,1346,1364 'module-level':1345,1363 'month':2274 'multi':1470 'multi-step':1469 'multipl':631 'must':322,371,1095,1109,1136,1351,1888,1914 'my-serv':292,1413 'name':291,586,638,1276,1412,1663,1668,2322 'namespac':1005 'nativ':435 'need':70,1012,1105 'negoti':2308 'never':354,1608,1701,1758,1987 'new':289,305,409,969,1158,1274,1410,2285 'next':82 'no-paramet':1536 'node.js':2210 'nodestreamablehttpservertransport':445 'normat':1809,1869 'notif':422 'npm':104,1589 'nvd.nist.gov':1777,2148 'nvd.nist.gov/vuln/detail/cve-2026-25536)':2147 'nvd.nist.gov/vuln/detail/cve-2026-25536),':1776 'oauth':1683,1710,1866,1871,1876,1890,1902,1909,2354 'object':357,471,514,707,1500,1552,2237 'oct':1593 'offici':145,2323,2336 'one':1216 'op':2459 'open':883,2099 'openworldhint':501,564,861,1394 'oper':1320,1323,1326,1331,1341,1472 'operatorsmarkdown':1343 'option':418,426,489,539,821,2296 'order':1478,1484 'orient':1466 'origin':779,1832,1838 'outcom':1465 'outcome-ori':1464 'output':901,1826 'outputschema':545,761,1506 'outputschema/structuredcontent':667 'over-privileg':1674 'overflow':2047 'overhead':1516 'overload':466 'overrid':1660 'ox':1626 'packag':1590,2201,2259 'paramet':1535,1538,2228 'pars':773,800,1515,2131 'parti':1642,1742,2329 'pass':814 'passthrough':809,1690,1937,2138 'pat':1677 'patch':1651 'pattern':240,254,432,668,1242,1793,1998,2289,2416 'payment':363,1220,1240 'pend':165,2028,2463 'per':246,349,374,827,1083,1354,1399,1455,1734,1785,1819,2165 'per-client':1733 'per-request':245,373,1353,1398,1784,2164 'perform':29,843,1344 'phrase':528 'pin':1595 'pkce':1892,1941 'plain':704,2109 'poison':1570 'posit':2239 'possibl':474 'postman':2394 'pr':2054 'practic':4,47 'prefer':467,1639 'prefix':625,1666,2319 'preview':151 'privat':925,1719 'privileg':1676 'process':1510 'produc':676,748 'product':6,52,168 'profil':608 'programmat':1512 'progress':2464,2466 'prompt':300,877 'propos':971 'protect':2263 'protocol':1066,1101,1148,1846,2305 'protocolerror':2223 'proxi':1726 'publish':96 'purpos':2340,2434 'q3':114 'queri':481,485,504,531,535,567,574,1372,1376,1534 'quick':78 'radius':1954 'random':1752 'randomuuid':221 'rate':1821 'raw':1494 'reach':1198,1622 'read':1304,1385,1422 'read-on':1303 'readon':848 'readonlyhint':358,495,558,832,1388 'real':1561 'real-world':1560 'reason':1017,1215 'rebind':2262 'reclassifi':2077 'recommend':241 'recreat':348 'redirect':1722 'redo':1790,2176 'reduc':1952 'refer':49,79 'references/error-handling.md':1232,1244 'references/extensions-registry.md':2428 'references/mcp-apps.md':2418 'references/security-auth.md':2004 'references/tool-schema-guide.md':670 'references/transport-patterns.md':395 'references/v2-migration.md':2196 'regist':297,324,1521,2100 'registertool':301,511,2235 'registr':456,718,1307,2094 'registri':150,160,2426 'reject':744,767,1929,2122 'releas':2030 'relev':1523 'remot':129,204,214,243 'remov':134,232,1898,2245 'repeat':852 'repres':731 'request':247,350,375,1080,1355,1400,1528,1786,1851,2166,2438,2447,2468 'requir':987,1221,1781,1807,1842,1843,1870,1926,2160,2215 'research':940 'resourc':299,1245,1306,1382,1685,1911,1916 'respond':1834 'respons':316,1072,1254,1488,1765 'result':487,492,506,537,542,547,569,571,576,579,585,1210,1492 'retriev':1297 'return':332,577,1128,1426,1490,1828,2135 'reus':1770 'revers':2330 'review':1579 'rfc':1687,1918 'rpc':1070 'rule':642,663 'run':2458 'runtim':438 'rush':2282 's256':1944 'sampl':2446 'sanit':1625,1632,1825 'scenario':200 'schema':119,124,352,641,661,678,706,728,750,811,1369,1548,2111,2219 'schemas.search':1421 'scheme':1315 'scope':1680,1682,1958,1963 'sdk':12,18,58,90,98,755,1164,1168,1653,1782,2006,2413 'search':477,479,484,517,521,523,534,604,612,618,1287,1293,1319,1322,1325,1330,1340,1370,1375,1419,1420,1532 'search-oper':1318,1321,1339 'secret':1993 'secrethint':907 'secrets/credentials':910 'secur':28,77,1557,1627,1996 'see':394,669,1044,1107,1155,1231,1243,2003,2195,2417,2427 'select':23 'self':1057,1116,1126 'self-correct':1056,1115,1125 'sensit':596,890 'sent':782 'sep':141,884,1084,1448,2454 'server':8,54,68,196,248,288,294,302,421,617,632,640,771,789,826,913,951,999,1081,1248,1270,1273,1409,1415,1427,1456,1643,1656,1659,1691,1727,1787,1805,1860,1887,1907,1912,1924,1935,2130,2167,2243,2253,2269,2368,2370,2429 'server-sid':770,1804 'server-to-serv':2367 'server.close':339 'server.connect':330 'server.registertool':516 'server.resource':1317 'server.tool':461,476,1418,2234 'serverrespons':453 'servic':624,1665,1715 'service-prefix':623,1664 'session':311,388,427,1744,1747 'sessionidgener':210,220,307 'set':869,959,1250 'setup':197 'sever':2009 'shadow':1657 'share':270,1361,1767,2150 'shell':1613 'ship':701,2037,2280 'short':1949 'short-liv':1948 'side':739,772,1806,2307 'silent':666,675,708,776,2018,2112 'simultan':965 'sinc':156 'singl':1010,1474 'single-deploy':1009 'skill' 'skill-mcp-best-practices' 'smitheri':1591 'sourc':1671 'source-tenequm' 'space':620 'spec':14,83,587,828,1088,1808,1854,1884 'spec.modelcontextprotocol.io':87,88 'specif':148,1923 'split':1460,2202 'spot':1459 'sse':132,218,229,231,318,419,2070,2242,2252 'ssrf':1708 'stabl':91,116,140,186,460,2279 'stack':2046 'standard':401,449,1205,2218 'start':1439,1960 'state':215,1885 'stateless':205,239,309 'status':1486,2010 'stdio':130,1615,1633 'stdioserverparamet':1623 'stdioservertransport':180,226 'step':1471 'still':2248 'stolen/guessed':1746 'strategi':1450 'stream':319 'streamabl':127,237 'strict':742,764,2121,2297 'strict-mod':741 'string':362 'strip':724,774 'structur':1188,1311,2229,2439 'structuredcont':578,759,780,806,1212,1507,2124 'subset':1525 'summari':1504 'suppli':1586 'support':125,1329,2276,2309,2385,2397 'surviv':1222 'sweet':1458 'syntax':1333 'system':1259,2421 'system-level':1258 'target':117,510,1713,1723 'task':217,2453 'taxonomi':1236 'termin':428 'test':1978 'text':552,582,583,1133,1134,1292,1342 'text/markdown':1335 'theft':938,1673 'think':790 'third':1741,2328 'third-parti':1740,2327 'threat':1559 'three':964 'throw':716,1157 'thrown':1172 'time':1403 'titl':519,1324 'today':169 'token':1428,1444,1498,1503,1672,1689,1693,1704,1921,1930,1936,1951,1974,1991 'tool':24,298,360,454,627,834,908,916,956,958,1019,1048,1078,1097,1120,1175,1209,1301,1431,1447,1454,1467,1475,1519,1524,1531,1539,1541,1569,1580,1662,1667,1670,1814,1823,2432,2444 'tools/resources':321,2102 'top':1558,2301 'topic-agent-skills' 'topic-ai-agents' 'topic-claude-code' 'topic-claude-skills' 'topic-clawhub' 'topic-erc-8004' 'topic-mpp' 'topic-openclaw' 'topic-skills' 'topic-solana' 'topic-x402' 'track':312,1477 'transform':732 'transit':1702 'transport':22,126,198,201,249,259,304,331,387,450,1788,2044,2168,2244 'transport.close':337 'transport.handlerequest':333 'treat':1644 'tri':328 'trifecta':920 'true':213,314,359,496,500,502,559,563,565,841,862,1051,1130,1208,1389,1393,1395,2084 'trust':888,988 'trustedhint':912 'trustworthi':917 'ts':89,97 'tutori':61 'two':1035 'type':581,1042,1132,1551 'typescript':11,57,170,187,282,402,475,515,1118,1271,1316,1362,1549 'ui':39,2348 'unchang':786 'undefin':211,308 'unknown':1077 'unsafeoutputhint':900 'unsanit':1603 'unstrip':2123 'untrust':823,825,904,930,998 'updat':845 'upgrad':1800,2060,2116,2181 'upstream':365,801,1706,2079,2088,2132 'uri':1314,1338,1792 'uritempl':1789,2175 'url':1712 'use':441,651,691,808,873,991,1046,1268,1286,1545,1759,1943,1977,2031,2082,2137 'user':607,1482,1499,1610,1619,1756,2440 'user-control':1618 'user/session':1820 'v0.1':153 'v1':166,458,700,2029,2036 'v1.10.0-1.25.3':1780 'v1.25.2':1802,2179 'v1.26.0':1783,2159,2161 'v1.28':714,2118 'v1.28.0':711,2115 'v1.29':19 'v1.29.0':92,2062 'v1.x':680,2270 'v2':94,99,136,183,234,440,508,1877,2063,2182,2278,2288,2435 'v2.0.0-alpha.1':1803,2163,2180 'v4':746,2214 'v4c7':281,2143 'valid':758,1060,1093,1151,1669,1698,1721,1810,1831,1927,1975 'vendor':2318 'vendor-prefix':2317 'version':295,1280,1416,1596,1847 'via':1313,1731,1966,2312,2381 'visibl':1041 'vs':1501,2390 'web':400,448,868,2387 'web-standard':399 'websocket':133 'webstandardstreamablehttpservertransport':176,193,209,219,306,414,433 'wgs':149 'whatsapp':1575 'wide':2404 'window':1435 'without':1513,1624 'work':67,434,462 'workaround':33,2011 'worker':208,430,437 'world':1562 'wrap':446 'write':2284 'www':1968 'www-authent':1967 'x402/mpp':1202 'yes':993,1054 'yet':2403 'z.array':548 'z.boolean':556 'z.discriminatedunion':674,2017 'z.enum':695,2034 'z.number':488,538 'z.object':530,546,549,693,747,1371,1378,2033 'z.string':482,532,551,553,1373,1380 'z.transform':723 'z.union':673,2016 'z0':601 'za':600 'zod':351,658,745,2213 'zod-to-json-schema':657","prices":[{"id":"94614858-00ad-451b-8046-fe3e1620142c","listingId":"5650a825-376b-4ce1-a114-b47e158d0aa5","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"tenequm","category":"skills","install_from":"skills.sh"},"createdAt":"2026-04-18T23:05:17.965Z"}],"sources":[{"listingId":"5650a825-376b-4ce1-a114-b47e158d0aa5","source":"github","sourceId":"tenequm/skills/mcp-best-practices","sourceUrl":"https://github.com/tenequm/skills/tree/main/skills/mcp-best-practices","isPrimary":false,"firstSeenAt":"2026-04-18T23:05:17.965Z","lastSeenAt":"2026-05-18T19:04:38.719Z"}],"details":{"listingId":"5650a825-376b-4ce1-a114-b47e158d0aa5","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"tenequm","slug":"mcp-best-practices","github":{"repo":"tenequm/skills","stars":28,"topics":["agent-skills","ai-agents","claude-code","claude-skills","clawhub","erc-8004","mpp","openclaw","skills","solana","x402"],"license":"mit","html_url":"https://github.com/tenequm/skills","pushed_at":"2026-05-14T18:04:24Z","description":"Agent skills for building, shipping, and growing software products","skill_md_sha":"ff5f0a73e08eb59c91695b12537dedd2ef193107","skill_md_path":"skills/mcp-best-practices/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/tenequm/skills/tree/main/skills/mcp-best-practices"},"layout":"multi","source":"github","category":"skills","frontmatter":{"name":"mcp-best-practices","description":"Build production MCP servers with the TypeScript SDK. Covers spec 2025-11-25, SDK v1.29+/v2 alpha, transport selection, tool design, error handling, security, performance, known bugs with workarounds, MCP extensions, MCP Apps (interactive UIs), authorization extensions, and the MCP Registry. Use this skill whenever building MCP servers, designing MCP tools, choosing MCP transports, handling MCP errors, migrating to MCP v2, reviewing MCP security, optimizing MCP token usage, building MCP Apps, using MCP extensions, publishing to the MCP Registry, or working with registerTool, McpServer, streamable HTTP, outputSchema, structuredContent, tool annotations, ext-apps, or ext-auth."},"skills_sh_url":"https://skills.sh/tenequm/skills/mcp-best-practices"},"updatedAt":"2026-05-18T19:04:38.719Z"}}