Skip to content
Tank
Get Started

@tank/mcp-server-dev

1.0.0

Description

Build MCP servers in TypeScript and Python. Covers tools/resources/prompts, TypeScript SDK v2, FastMCP, tool design, OAuth 2.1 auth, security, transports, inspector testing, and deployment.

Triggered by

MCP servermodel context protocolFastMCPMCP toolsMCP resourcesMCP security
Download
Verified
tank install @tank/mcp-server-dev

MCP Server Development

Core Philosophy

  1. Tools are the primary interface — Most LLM interactions go through tools. Design tools first, add resources for context and prompts for canned workflows.
  2. Validate everything, trust nothing — Tool inputs originate from LLM output shaped by potentially adversarial context. Validate with Zod/Pydantic, sanitize against injection, constrain with additionalProperties: false.
  3. Return errors, don't throw them — Set isError: true so the LLM can self-correct. Thrown exceptions become opaque protocol errors the model cannot reason about.
  4. Choose transport by deployment — stdio for local CLI integrations (Claude Desktop, OpenCode). Streamable HTTP for remote servers accessible over the network. Never mix them.
  5. Scope permissions to the minimum — Each server gets its own credentials with narrow OAuth scopes. Broad tokens across servers create aggregation risk and confused deputy attacks.

Quick-Start: Common Problems

"How do I create a basic MCP server?"

LanguageCommand
TypeScriptnpm init -y && npm i @modelcontextprotocol/server zod
Pythonpip install fastmcp or uv add fastmcp
  1. Register tools with typed schemas (Zod for TS, type hints for Python)
  2. Choose transport: StdioServerTransport for local, NodeStreamableHTTPServerTransport for remote
  3. Connect: server.connect(transport)
  4. Test with MCP Inspector: npx @modelcontextprotocol/inspector -> See references/typescript-sdk.md and references/python-fastmcp.md

"My tool returns data but the LLM ignores it"

  1. Check description — it drives LLM tool selection. Be specific about when and why to use the tool
  2. Return content: [{ type: 'text', text: '...' }] — not raw objects
  3. Add outputSchema for structured responses the LLM can parse reliably
  4. Use isError: true for failures instead of empty responses -> See references/tool-design.md

"How do I add authentication to my remote server?"

  1. Remote servers (Streamable HTTP) need OAuth 2.1 or bearer tokens
  2. Use @modelcontextprotocol/express or FastMCP's auth providers for built-in OAuth
  3. Validate tokens on every request — bind sessions to user identity
  4. Never store tokens in config files; use OS secure credential storage -> See references/auth-transport.md

"How do I test my MCP server?"

  1. MCP Inspector: npx @modelcontextprotocol/inspector — visual tool testing
  2. Programmatic: create a client, call tools/list and tools/call, assert results
  3. FastMCP: InMemoryTransport for unit tests without network
  4. Integration: test against real data sources in CI -> See references/testing-deployment.md

Decision Trees

SDK Selection

SignalSDK
TypeScript/Node.js project@modelcontextprotocol/server (v2) + Zod
Python projectFastMCP 3 (fastmcp)
Go projectmcp-go
Wrapping an OpenAPI specFastMCP from_openapi()
Need both languagesBuild two servers; compose at the host level

Transport Selection

DeploymentTransportSession
Claude Desktop / local CLIstdioSingle client
Remote API serverStreamable HTTPMulti-client, stateful
Legacy SSE requirementSSE (deprecated)Multi-client
Serverless (Vercel/CF Workers)Streamable HTTP (stateless)Per-request

Primitive Selection

NeedPrimitiveWho Controls
LLM executes an actionToolModel decides
Read-only context dataResourceApplication decides
Canned interaction patternPromptUser invokes
Structured LLM outputTool with outputSchemaModel decides

Reference Index

FileContents
references/typescript-sdk.mdTypeScript SDK v2: McpServer, registerTool, registerResource, registerPrompt, Zod schemas, Express/Hono middleware, server instructions, completions
references/python-fastmcp.mdFastMCP 3: decorators, Pydantic, Context, lifespan, composition, OpenAPI import, dependency injection, middleware
references/tool-design.mdTool definition patterns: inputSchema, outputSchema, annotations, error handling, progress reporting, ResourceLink outputs, multi-tool servers, naming conventions
references/resources-prompts.mdResource patterns (static, dynamic templates, subscriptions), prompt templates, argument completions, URI design, MIME types
references/auth-transport.mdTransport mechanics (stdio, Streamable HTTP, SSE), OAuth 2.1 for remote servers, bearer tokens, session management, DNS rebinding protection
references/security.mdOWASP MCP security: tool poisoning defense, input/output validation, sandboxing, supply chain, cross-server isolation, prompt injection via return values
references/testing-deployment.mdMCP Inspector, programmatic testing, InMemoryTransport, deployment (Vercel, Cloudflare Workers, Docker, npm/PyPI publishing), CI/CD patterns

Command Palette

Search skills, docs, and navigate Tank