MCP feels easy until it isn't. The first time you wire up a stdio server and call a tool from a Claude Agent SDK loop, the whole thing fits on a slide. Then you put it in front of customer codebases, customer GitHub credentials, customer build containers, and the sharp edges show up in places the spec is silent on. Tools start shadowing each other. The agent confidently uses a built-in Read when you wanted it to go through your sandboxed file server. Environment variables you set on the parent process reappear inside the MCP child and become tokens-in-prompts.

I'm building a SaaS that uses MCP heavily across a few different services (Codens, an AI dev harness with several specialized agents — happy to talk about it but it isn't the point of this post). Across those services we have GitHub MCPs for repo reads, an in-process Playwright MCP for browser exploration, and per-workspace local-file MCPs that let an agent navigate a cloned repo without escaping the sandbox.…