MCP Dev Summit North America

Goose serves as a real-world proving ground for new MCP capabilities before they're widely adopted. In this talk, you'll learn how to use advanced and early versions of MCP features that go beyond basic tool calling—with practical examples from production.

You'll see:

* Code mode MCP: handling massive tool catalogs without overwhelming context windows
* MCP Apps: rich user experiences for MCP servers that go beyond chat
* How ACP (Agent Client Protocol) can complement and interoperate with an MCP-aware agent, and how we use it in goose

The audience will learn from our experience building goose how they can use and contribute to emerging MCP features.

Most technical talks feel like a one-way street: I talk, you listen, and maybe you ask a question at the end if we have time. But the Model Context Protocol (MCP) isn't about one-way communication; it's about creating a living connection between a "brain" (the LLM) and the "world" (your data and tools).

To prove this, we aren't going to look at static slides. Instead, we are going to use a Live Audience Agent.

At the start of the talk, a QR code will go up on the screen. Anyone in the room can scan it and access a simple web interface. You can send in "Live Vibe Checks"—short text snippets, emoji reactions, or "Heckles"—that feed directly into a database. My MCP server is the bridge. It connects my LLM assistant to that live database of your thoughts.

This is a high-stakes demo. If the protocol works, the AI will be my co-speaker, responding to the room's energy in real-time. If I break the protocol, which I plan to do, repeatedly, the AI will lose its connection to you. We're going to perform "Selective Sabotage" to see exactly which parts of the MCP spec keep the lights on.

The best MCP server is the one you didn't have to build.

At Cloudflare we have a lot of products. Our REST OpenAPI spec is over 2.3 million tokens. When teams started building MCP servers, they did what everyone does: cherry-picked important endpoints for their product, wrote some tool definitions and shipped a separate service that covered a small fraction of their API.

This was driven by a fundamental context limit of the end users' agent. And tools use a bunch of context just to describe themselves. MCP felt like a Mega Context Problem (and a separate service to maintain).

I think we got it all wrong.

The context limit is not an MCP problem. It's an agent problem. Tools should probably be discovered on demand and clients are coming around to this. But maybe we can also do it on the server?

CLIs get this for free, self-discoverable and documented by design. APIs just need a little help.

This talk will cover some of the techniques we've been exploring at Cloudflare, such as codemode and tool search, to make complete APIs accessible to agents through MCP.

I'll also cover some of the work we are doing with the MCP Typescript SDK to make stateless servers the default.

MCP standardized how agents connect to tools and context, but enterprise deployments need control between the model and the data. Today, MCP lacks a standard way to apply these controls, leading to a fragmented landscape of bespoke sidecars and proxies that shifts the M×N integration problem from the data layer to the middleware layer.
This session is a Protocol-in-Depth walkthrough of SEP-1763 (Interceptors), which proposes a protocol-native framework to intercept, validate, and transform messages across the MCP lifecycle, elevating middleware to a first-class capability alongside core MCP concepts. We will cover the concrete protocol semantics implementers need to align on: capability negotiation, hook points and invocation models, deterministic ordering/composition, enforcement semantics, error handling and observability.
We motivate the proposal with Bloomberg’s production experience in adopting interceptors to build agents in a regulated financial environment, sharing lessons on what must be standardized for interoperability. To ground the design, we map the proposed semantics to AWS Bedrock AgentCore Gateway Interceptors and OpenAI Guardrails’ staged validation guidance.

You give an agent a complex task. It says "Absolutely!" Then it deletes your production database.

As engineers adopt AI agents, a common frustration is emerging: agents confidently make the wrong move. The response has been "skill issue," "write better prompts," "add more context," "make a plan first." But not everyone wants to master prompt engineering or maintain context files just to get an agent to understand them.

The missing layer is Intent. Unlike context, intent is ambiguous, implicit, and dynamic. Users don’t always know what they want upfront, and they change their minds once they see options. Forcing that complexity into a one-way text prompt is brittle by design and leads to "context rot."

This talk introduces intent engineering: designing agent workflows that don’t require perfect prompts or perfect context, but instead discover, confirm, and align user intent over time.

Using goose, Rizel will show how MCP Elicitation, MCP Sampling, and MCP Apps let agents ask what you mean, reason about what you might mean, and show you what they think you mean before acting.

Together, these patterns move us beyond mono-directional prompts and toward genuine collaboration.

Picture your MCP server exposing your database to an overeager LLM that tries to "optimize" your schemas at 3 AM. Sinful? Absolutely. As MCP becomes the standard for connecting LLMs to real systems, teams are speedrunning mistakes like this—causing memory leaks, runaway polling, and permission scopes so wide they make the sudo commands executed in production look cautious.

This session breaks down the seven deadly sins developers must be aware about MCP: gluttony (resource abuse), sloth (lazy errors), wrath (aggressive polling), greed (permission overreach), pride (overengineering), envy (tool sprawl), and lust (unsafe exposure). Each of these sins can turn a powerful protocol like MCP into a recipe for disaster.

By examining each sin, its patterns, and its symptoms, you'll learn how to spot and avoid them, along with the technical practices that make MCP deployments reliable. Come learn how to ship with absolution. Instead of yet another pager alert.

MCP made agents portable. But it also made them fragile—every tool call lives or dies by its network connection, and long-running work has been a liability we've all been working around in different (incompatible) ways.

SEP 1686 introduces native task orchestration to the protocol. This talk covers what's changing, why it matters, and what it unlocks for anyone building serious MCP infrastructure.

I'll walk through the design decisions, demonstrate the new primitives in FastMCP, and share what we've learned from helping teams scale MCP Tasks.

If you've ever wished MCP would just let you run real workloads without holding your breath, this one's for you.

As AI agents become more autonomous through the Model Context Protocol (MCP), one question becomes unavoidable => why, when, and how should humans be asked to intervene to provide feedback or approval?

In this talk, we explore MCP elicitation as a core design pattern for agentic systems, not just as a UX or AX (Agent Experience) feature, but as a security, authorization, and trust mechanism.

We will

-Trace how human interaction models evolved across web, APIs, and OAuth, and why MCP requires a new balance

-Break down elicitation patterns in agent workflows

-Show how elicitation integrates with fine-grained authorization, consent, and delegation

-Explore step-up authentication and human-in-the-loop approvals for accountability

-Discuss how proper elicitation improves trust, explainability, and compliance, without harming DX, UX, or AX

The goal is simple but critical: delivering agentic AI that users can trust, by design, not by trade-off.