Forem: Todd Fearn The latest articles on Forem by Todd Fearn (@tfearn). https://forem.com/tfearn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3882580%2F08e20ce6-226c-459b-a785-9f3a059eae3e.png Forem: Todd Fearn https://forem.com/tfearn en I Built a Market Intelligence Agent That Operates a Data Platform Autonomously via MCP Todd Fearn Tue, 21 Apr 2026 16:01:52 +0000 https://forem.com/tfearn/i-built-a-market-intelligence-agent-that-operates-a-data-platform-autonomously-via-mcp-5g2h https://forem.com/tfearn/i-built-a-market-intelligence-agent-that-operates-a-data-platform-autonomously-via-mcp-5g2h <p>Most AI agent demos follow the same pattern: pre-loaded dataset, clever prompt, nice answer. The infrastructure is invisible and static.</p> <p>I wanted to show something different — an agent that <em>operates</em> the data infrastructure itself. Creates pipelines, ingests live data, manages the lifecycle, then answers questions against what it just built. No pre-loaded anything.</p> <p>This is a working example on top of <a href="https://datris.ai" rel="noopener noreferrer">Datris</a>, an agent-native data platform I've been building (with Claude helping, full transparency). The platform exposes data pipeline operations as MCP tools. The agent discovers what's available and figures out the rest.</p> <p><strong>Video walkthrough:</strong> <a href="https://datris.ai/videos/market-intelligence-agent-mcp" rel="noopener noreferrer">https://datris.ai/videos/market-intelligence-agent-mcp</a></p> <h2> What It Does </h2> <p>The Market Intelligence Agent is a FastAPI + vanilla JS app (no Node) that connects to the Datris MCP server and handles a full financial data workflow end-to-end — live, in the browser.</p> <p>Two example queries that show the pattern:</p> <p><strong>"What's the current macro picture?"</strong><br> The agent doesn't query a database. It:</p> <ol> <li>Discovers available MCP tools via <code>tools/list</code> </li> <li>Decides it needs FRED macro data (yields, VIX, CPI, credit spreads) + equity OHLCV</li> <li>Creates pipelines for each source</li> <li>Ingests live data from the public APIs</li> <li>Queries the results and returns a cited answer</li> </ol> <p><strong>"Is crypto confirming the risk-on trade in equities?"</strong><br> Cross-asset reasoning across BTC/ETH/SOL (CoinGecko) vs SPY/QQQ/TLT/GLD/XLE/IWM — pipelines created and ingested on the fly, same pattern.</p> <p>All data sources are free: FRED, yfinance, CoinGecko, SEC EDGAR (10-K/10-Q).</p> <h2> The Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser (vanilla JS) │ ├── Chat panel → FastAPI → Anthropic API │ │ │ MCP Client → Datris MCP Server │ │ │ Pipeline Lifecycle │ (create, ingest, query) │ └── Pipeline status panel ← SSE stream (live tiles + activity feed) </code></pre> </div> <p>The agent connects to the Datris MCP server and calls <code>tools/list</code> at startup to discover what operations are available — it's not hardcoded to any specific tool names. Background refresh keeps active pipelines current via SSE.</p> <h2> Why MCP for This </h2> <p>The interesting design choice here is using MCP as the control plane between the agent and the data platform rather than building a custom API layer.</p> <p>The agent doesn't need to know ahead of time what pipelines exist or what data sources are configured. It discovers capabilities at runtime, decides what it needs, and operates accordingly. Add a new tool to the MCP server and the agent picks it up automatically.</p> <p>This is the pattern I think is underexplored: agents that manage infrastructure, not just agents that query infrastructure someone else built.</p> <h2> Run It Yourself </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the platform</span> git clone https://github.com/datris/datris-platform-oss </code></pre> </div> <p><strong>Example code:</strong> <a href="https://github.com/datris/datris-platform-oss/tree/main/examples/market-macro-agent" rel="noopener noreferrer">https://github.com/datris/datris-platform-oss/tree/main/examples/market-macro-agent</a><br><br> <strong>Platform (AGPL, open core):</strong> <a href="https://github.com/datris/datris-platform-oss" rel="noopener noreferrer">https://github.com/datris/datris-platform-oss</a><br><br> <strong>Docs:</strong> <a href="https://docs.datris.ai" rel="noopener noreferrer">https://docs.datris.ai</a><br><br> <strong>Site:</strong> <a href="https://datris.ai" rel="noopener noreferrer">https://datris.ai</a> </p> <p>Happy to answer questions on the MCP server design, SSE streaming approach, or pipeline architecture in the comments.</p> ai agents mcp dataengineering From Demo to Production: Building an MCP Control Plane Inside Your Agent Architecture Todd Fearn Thu, 16 Apr 2026 13:43:29 +0000 https://forem.com/tfearn/from-demo-to-production-building-an-mcp-control-plane-inside-your-agent-architecture-34d7 https://forem.com/tfearn/from-demo-to-production-building-an-mcp-control-plane-inside-your-agent-architecture-34d7 <p>Most AI agent demos are impressive for about five minutes.</p> <p>Then someone asks: <em>Who authorized that tool call? What data did it access? Can we audit that?</em></p> <p>The answer is usually silence.</p> <p>That's the gap between a demo and a production system. And the thing that closes it isn't a better prompt — it's a control plane inserted between your agent and every MCP tool it can reach.</p> <p>Here's how to build it.</p> <h2> The Core Idea </h2> <p>The agent has one address: the control plane. That's it.</p> <p>It doesn't know where MCP servers live. It doesn't hold credentials. It can't route around policy. The control plane is the only entity in the system with network access to the MCP layer — and the agent talks to nothing else.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Agent → Control Plane → MCP Server A (market data) ↑ → MCP Server B (trade execution) Tool Registry → MCP Server C (research/docs) </code></pre> </div> <p>The control plane is a router. The agent calls two endpoints — <code>/tools</code> at startup, <code>/invoke</code> at runtime — and has no idea how many MCP servers sit behind them. That topology is entirely the control plane's concern.</p> <p>Four pillars enforce this. All code. No prompt engineering.</p> <h2> 1. Discovery: The Registry Layer </h2> <p>This is where most teams get it wrong. They hard-code tool definitions into the agent's system prompt and call it done. The agent sees everything. That's not access control — it's a flat namespace with a label on it.</p> <p>The correct model: the agent discovers tools through the control plane, not from MCP servers directly.</p> <p>On startup, the agent calls <code>/tools</code>. The control plane queries a Service Catalog — a DynamoDB table or a GitOps-managed JSON file — and returns only the tool names that agent's role is permitted to see. Crucially, the response contains names only. No server URLs. No routing information. The agent gets a menu, not a map.</p> <p>That filtered list is what populates the agent's tool definitions.</p> <p>A "Research Agent" is never told that "Execute Trade" exists. It can't attempt to call it. It can't be jailbroken into calling it. The tool is simply absent from its world.</p> <p>That's least privilege at discovery time — before a single request is ever made.</p> <h2> 2. Identity: Scoped, Short-Lived Credentials </h2> <p>Agents should never own long-lived credentials. If they do, a compromised agent is a compromised system.</p> <p>The pattern: agents operate on Service Tokens or OIDC delegation. When an agent wants to invoke a tool, the control plane validates its Service Identity first. If valid, it mints a short-lived, scoped token from your IAM provider — AWS STS or HashiCorp Vault — specific to that one tool call, scoped to the specific MCP server being called.</p> <p>The token expires. The blast radius of a compromised agent is bounded to a single, already-expiring credential against one server.</p> <p>This is standard infrastructure security. Apply it to agents exactly the same way.</p> <h2> 3. Policy: Hard Guardrails in Code </h2> <p>This is the most important pillar — and the one most teams skip.</p> <p>The instinct is to put guardrails in the prompt. <em>"Never move funds in production."</em> That's not a control. That's a suggestion. LLMs hallucinate. They get jailbroken. Prompts drift.</p> <p>Move the logic into code. Use Open Policy Agent (OPA) and write Rego policies that the control plane evaluates before any request touches an MCP server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="n">allow</span> <span class="o">=</span> <span class="kc">true</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">action</span> <span class="o">==</span> <span class="s2">"read_positions"</span> <span class="n">input</span><span class="p">.</span><span class="n">agent_role</span> <span class="o">==</span> <span class="s2">"analyst"</span> <span class="p">}</span> <span class="n">allow</span> <span class="o">=</span> <span class="kc">false</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">action</span> <span class="o">==</span> <span class="s2">"move_funds"</span> <span class="n">input</span><span class="p">.</span><span class="n">environment</span> <span class="o">==</span> <span class="s2">"production"</span> <span class="p">}</span> </code></pre> </div> <p>If the policy evaluates to false, the request is dropped. Not logged. Not flagged for review. Dropped.</p> <p>The LLM doesn't get a vote on this. It never reaches the tool.</p> <h2> 4. Observability: The Audit Wrapper </h2> <p>Every interaction gets wrapped in a logging decorator. Structured JSON. Four fields that matter:</p> <ul> <li> <strong>Who</strong> — Agent ID</li> <li> <strong>What</strong> — MCP tool invoked</li> <li> <strong>Where</strong> — Data source targeted</li> <li> <strong>Was</strong> — Result or failure status</li> </ul> <p>Ship those logs to Kafka or an ELK stack. More importantly, propagate a <code>trace_id</code> from the initial user prompt all the way through the control plane to the MCP server and back. Every hop in the chain carries the same ID.</p> <p>When a compliance audit lands on your desk, that trace ID lets you reconstruct the entire chain of thought and data access path for any agent, any session, any point in time.</p> <p>That's not a nice-to-have. In regulated environments, it's the requirement.</p> <h2> What It Looks Like in Code </h2> <p>Here's a minimal Python control plane. Two endpoints: one for discovery, one for invocation. The agent calls both. It calls nothing else.</p> <p>The tool registry maps each role's actions directly to the MCP server that handles them. The agent never sees this mapping — it only sees the tool names:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">uuid</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="sh">"</span><span class="s">control_plane</span><span class="sh">"</span><span class="p">)</span> <span class="n">logging</span><span class="p">.</span><span class="nf">basicConfig</span><span class="p">(</span><span class="n">level</span><span class="o">=</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="c1"># --- Tool registry: maps role → action → MCP server URL --- # The agent sees tool names only. Server URLs stay here. </span> <span class="n">TOOL_REGISTRY</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">analyst</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">read_positions</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">http://mcp-marketdata:8001</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">run_report</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">http://mcp-research:8003</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="sh">"</span><span class="s">trader</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">read_positions</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">http://mcp-marketdata:8001</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">execute_trade</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">http://mcp-execution:8002</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="n">POLICY_RULES</span> <span class="o">=</span> <span class="p">{</span> <span class="p">(</span><span class="sh">"</span><span class="s">execute_trade</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">):</span> <span class="bp">False</span><span class="p">,</span> <span class="c1"># hard block </span><span class="p">}</span> <span class="k">def</span> <span class="nf">get_scoped_token</span><span class="p">(</span><span class="n">agent_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">action</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">mcp_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># In production: call Vault or AWS STS, scoped to this server </span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">tok_</span><span class="si">{</span><span class="n">agent_id</span><span class="si">}</span><span class="s">_</span><span class="si">{</span><span class="n">action</span><span class="si">}</span><span class="s">_</span><span class="si">{</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">().</span><span class="nb">hex</span><span class="p">[</span><span class="si">:</span><span class="mi">8</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># --- Request models --- </span> <span class="k">class</span> <span class="nc">DiscoveryRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">agent_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">agent_role</span><span class="p">:</span> <span class="nb">str</span> <span class="k">class</span> <span class="nc">ToolRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">agent_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">agent_role</span><span class="p">:</span> <span class="nb">str</span> <span class="n">action</span><span class="p">:</span> <span class="nb">str</span> <span class="n">environment</span><span class="p">:</span> <span class="nb">str</span> <span class="n">payload</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># --- 1. Discovery endpoint --- # Returns tool names only. No URLs. No routing info. # The agent builds its tool definitions from this list. </span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/tools</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_tools</span><span class="p">(</span><span class="n">req</span><span class="p">:</span> <span class="n">DiscoveryRequest</span><span class="p">):</span> <span class="n">role_tools</span> <span class="o">=</span> <span class="n">TOOL_REGISTRY</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">req</span><span class="p">.</span><span class="n">agent_role</span><span class="p">,</span> <span class="p">{})</span> <span class="n">tool_names</span> <span class="o">=</span> <span class="nf">list</span><span class="p">(</span><span class="n">role_tools</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span><span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">agent_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">agent_role</span><span class="p">,</span> <span class="sh">"</span><span class="s">tools_returned</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_names</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">tools</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_names</span><span class="p">}</span> <span class="c1"># --- 2. Invocation endpoint --- # Resolves the MCP server, enforces policy, mints a token, # and calls the MCP server. The agent has no direct route to any of this. </span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/invoke</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">invoke_tool</span><span class="p">(</span><span class="n">req</span><span class="p">:</span> <span class="n">ToolRequest</span><span class="p">):</span> <span class="n">trace_id</span> <span class="o">=</span> <span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">().</span><span class="nb">hex</span> <span class="n">role_tools</span> <span class="o">=</span> <span class="n">TOOL_REGISTRY</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">req</span><span class="p">.</span><span class="n">agent_role</span><span class="p">,</span> <span class="p">{})</span> <span class="c1"># Discovery check — is this tool in this agent's allowed list? </span> <span class="k">if</span> <span class="n">req</span><span class="p">.</span><span class="n">action</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">role_tools</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span><span class="sh">"</span><span class="s">trace_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">trace_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">agent_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">action</span><span class="p">,</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">denied_discovery</span><span class="sh">"</span><span class="p">})</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Tool not available for this role</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Policy check — hard rules, no exceptions </span> <span class="k">if</span> <span class="n">POLICY_RULES</span><span class="p">.</span><span class="nf">get</span><span class="p">((</span><span class="n">req</span><span class="p">.</span><span class="n">action</span><span class="p">,</span> <span class="n">req</span><span class="p">.</span><span class="n">environment</span><span class="p">))</span> <span class="ow">is</span> <span class="bp">False</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span><span class="sh">"</span><span class="s">trace_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">trace_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">agent_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">action</span><span class="p">,</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">denied_policy</span><span class="sh">"</span><span class="p">})</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Action blocked by policy</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Resolve the MCP server for this action </span> <span class="n">mcp_url</span> <span class="o">=</span> <span class="n">role_tools</span><span class="p">[</span><span class="n">req</span><span class="p">.</span><span class="n">action</span><span class="p">]</span> <span class="c1"># Mint a short-lived token scoped to this server and action </span> <span class="n">token</span> <span class="o">=</span> <span class="nf">get_scoped_token</span><span class="p">(</span><span class="n">req</span><span class="p">.</span><span class="n">agent_id</span><span class="p">,</span> <span class="n">req</span><span class="p">.</span><span class="n">action</span><span class="p">,</span> <span class="n">mcp_url</span><span class="p">)</span> <span class="c1"># Control plane calls the MCP server — not the agent </span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">mcp_url</span><span class="si">}</span><span class="s">/invoke</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">action</span><span class="p">,</span> <span class="sh">"</span><span class="s">payload</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">payload</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-Trace-Id</span><span class="sh">"</span><span class="p">:</span> <span class="n">trace_id</span><span class="p">}</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="c1"># Structured audit log — includes which MCP server was called </span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span><span class="sh">"</span><span class="s">trace_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">trace_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">agent_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">action</span><span class="p">,</span> <span class="sh">"</span><span class="s">mcp_server</span><span class="sh">"</span><span class="p">:</span> <span class="n">mcp_url</span><span class="p">,</span> <span class="sh">"</span><span class="s">environment</span><span class="sh">"</span><span class="p">:</span> <span class="n">req</span><span class="p">.</span><span class="n">environment</span><span class="p">,</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]})</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">trace_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">trace_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">}</span> </code></pre> </div> <p>The agent's startup sequence is two lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Agent startup — discover available tools through the control plane </span><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">http://control-plane/tools</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">agent-42</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">analyst</span><span class="sh">"</span><span class="p">})</span> <span class="n">available_tools</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">tools</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># → ["read_positions", "run_report"] # No URLs. No server topology. Just the tool names it's allowed to use. </span></code></pre> </div> <p>At runtime, every tool call goes to <code>/invoke</code>. The control plane resolves the server, mints the token, and makes the call. The agent is completely isolated from the MCP layer.</p> <h2> What the Router Gives You </h2> <p>Routing through the control plane isn't just indirection for its own sake. It unlocks capabilities that a direct agent-to-MCP connection can never have:</p> <ul> <li> <strong>Fan-out</strong>: A single action can call multiple MCP servers and aggregate results — useful for cross-system reads where the agent shouldn't care about the seams</li> <li> <strong>Versioning</strong>: Route <code>read_positions_v2</code> to a new MCP server without the agent knowing anything changed. Zero agent-side deployment</li> <li> <strong>Circuit breaking</strong>: If <code>mcp-execution</code> is down, the control plane fails fast and returns a clean error rather than hanging the agent mid-task</li> <li> <strong>Per-server token scoping</strong>: Each MCP server gets a credential scoped specifically to it — not a shared token that opens the entire layer</li> </ul> <h2> The Stack </h2> <p>If you're building this today, the control plane looks like this:</p> <ul> <li> <strong>Language</strong>: Python or Go</li> <li> <strong>Protocol</strong>: FastMCP or the official MCP SDK</li> <li> <strong>Policy engine</strong>: Open Policy Agent</li> <li> <strong>Cache</strong>: Redis for tool schemas and server topology</li> <li> <strong>Audit store</strong>: PostgreSQL for the trail</li> </ul> <p>None of this is exotic. It's the same infrastructure patterns that have governed data pipelines and API gateways for years. The only thing new is the surface being controlled.</p> <p>The full working source code for this control plane is available at <a href="https://github.com/datris/sample-code" rel="noopener noreferrer">github.com/datris/sample-code</a>.</p> <h2> The Takeaway </h2> <p>The LLM is not the system. The LLM is a component of the system.</p> <p>An MCP control plane is what enforces that distinction. The agent discovers tools through it, invokes tools through it, and never holds a credential or a server address. Add as many MCP servers as your architecture demands — the agent doesn't care, because it was never exposed to the topology in the first place.</p> <p>Discovery, identity, policy, and observability — implemented as code, not instructions — is what takes an agent from a demo that works most of the time to infrastructure you can actually run in production.</p> <p>Build the control plane. Then let the agents loose.</p> ai mcp agents agentskills