MCP Server Architecture: State Management, Security & Tool Orchestration
It is different, if you're about to build an MCP server that actually works in production or just to push to your Github to make your dev portfolio cool. Not a demo, not a proof-of-concept—something that handles real agentic workflows, maintains state across complex conversations, and doesn't fall apart when your LLM decides to get creative with tool orchestration.
After watching teams spend years architecting these systems at scale (and debugging them at 2 AM when they inevitably break in fascinating ways), the gap between "working MCP server" and "enterprise-grade MCP infrastructure" becomes clear. It's the difference between a chatbot that can call APIs and an intelligent gateway that orchestrates multi-step workflows while maintaining compliance with GDPR, handling Byzantine failures, and somehow managing to keep security teams satisfied.
Here's the reality: Modern AI agents don't just need to make API calls—they need to maintain conversational context across dozens of interactions, orchestrate complex workflows that would challenge even experienced distributed systems engineers, and dynamically adapt their capabilities based on what they discover along the way. The traditional playbook of stateless microservices and simple request-response patterns? It breaks down completely when your agent needs to remember what happened five turns ago while coordinating parallel tool executions.
This comprehensive technical analysis presents blueprint-level guidance for building sophisticated, stateful, and resilient MCP servers. These aren't your grandfather's API servers. Modern AI MCP servers function as intelligent gateways, positioned strategically between LLM-based agents and the vast ecosystem of real-world services your organization depends on.
The fundamental paradigm shift we're witnessing: moving away from traditional, procedural API interactions towards a more sophisticated, intent-based model. Instead of making simple, stateless API calls to low-level CRUD endpoints, an AI agent using an MCP server can invoke high-level "tools"—functions that encapsulate complex operations like "getSpaceActivity"—thereby translating user intent directly into meaningful actions.
The challenge—and it's significant—involves designing these servers to maintain conversational state across multiple turns, orchestrate complex multi-step workflows reliably, and seamlessly integrate with existing APIs, all while ensuring robust security and privacy compliance.
This document presents comprehensive architectural patterns organized around three critical challenges that architects must solve to create enterprise-grade implementations:
- State Management for Multi-Turn Workflows: Engineering models to maintain context and data across a series of user interactions, a crucial requirement for any meaningful, conversational workflow
- Planner Tool Orchestration Patterns: Designing reliable and efficient patterns for sequencing multiple tool calls to achieve complex user goals, moving beyond simple, reactive decision-making
- Dynamic Capability Composition: Creating architectures that allow an agent's capabilities to be extended or modified on the fly, enabling tools to be composed together to form powerful, emergent workflows
Each pattern is analyzed through multiple lenses: security-by-design, compliance (with explicit discussion of GDPR and CCPA), performance characteristics, and implementation complexity. The platform-agnostic principles are illustrated with specific, actionable examples, primarily shown in a Python/FastAPI stack, designed to be containerized and deployed on Kubernetes, reflecting a modern, cloud-native approach.
Integration with Existing Protocols and Standards
The architectural patterns presented bridge the conversational, intent-driven world of LLMs with the procedural, resource-oriented world of existing enterprise services. The MCP server will primarily interface with downstream services defined by standards like OpenAPI/Swagger and gRPC.
For gRPC integrations, the MCP server can interact with services defined through protocol buffers, enabling high-performance, strongly-typed communication. A typical gRPC service definition for an MCP tool system covers capabilities such as tool registration, execution with streaming support, and capability discovery:
Protocol Buffers
service MCPToolService {
// Tool registration
rpc RegisterTool(ToolSpec) returns (RegistrationResult) {
option (google.api.http) = {
post: "/v1/tools"
body: "*"
};
}
// Tool execution with streaming support
rpc ExecuteTool(stream ToolRequest) returns (stream ToolResponse);
// Capability discovery
rpc ListCapabilities(Empty) returns (CapabilityList) {
option (google.api.http) = {
get: "/v1/capabilities"
};
}
}
The RegisterTool method accepts a ToolSpec and returns a RegistrationResult, configured with an HTTP mapping for POST requests to "/v1/tools". The ExecuteTool method uses bidirectional streaming (note the stream keyword on both request and response), allowing real-time, continuous communication. ListCapabilities provides a simple discovery mechanism, mapped to GET "/v1/capabilities".
A central tenet of this integration strategy: JSON Schema serves as a common language connecting user intent to API calls. MCP tool definitions use JSON Schema for specifying inputs and outputs, a standard that aligns naturally with OpenAPI specifications. This alignment means developers can often reuse or derive tool schemas directly from existing API specs, ensuring consistency and simplifying implementation. An OpenAPI schema for a POST /sendEmail endpoint can be repurposed as the input schema for a sendEmail MCP tool, providing a direct path to exposing existing services to AI agents.
This mapping can be formalized to bridge the two standards:
YAML
# OpenAPI operation to MCP tool transformation
openapi: 3.1.0
paths:
/analyze:
post:
operationId: analyzeText # Becomes MCP tool name
x-mcp-tool:
category: analysis
pipeability:
accepts: ["text/plain", "application/json"]
produces: ["application/json"]
security:
minimum_role: data-analyst
requestBody:
content:
application/json:
schema: # Becomes MCP inputSchema
type: object
properties:
text:
type: string
options:
type: object
The operationId becomes the MCP tool name, custom x-mcp-tool extensions define agent-specific metadata (category, pipeability, security roles), and the existing OpenAPI schema becomes the MCP inputSchema directly.
Foundational Principles of the Architecture
Every pattern described is evaluated through the lens of security-by-design and data protection mandates. MCP servers, by their nature, handle user data and potentially sensitive context, so they must enforce principles of least privilege, data minimization, encryption, and auditability from the ground up. Security and compliance are treated as first-class architectural constraints.
The document explicitly discusses implications of regulations like GDPR and CCPA, analyzing how to correctly implement the "Right to Erasure" within each state management approach to ensure architectural decisions don't introduce compliance gaps.
State Management Models for Multi-Turn Interactions
The Stateful Imperative in Agentic AI
The architecture of modern distributed systems is founded on a central tension: the scalability and resilience of stateless services versus the necessity of state for meaningful, context-aware interactions. The stateless paradigm, which treats each request as an independent transaction without knowledge of previous events, has long dominated cloud-native and microservices design due to its simplicity, fault tolerance, and ease of horizontal scaling.
However, agentic AI systems fundamentally challenge this stateless ideal. A multi-turn conversation or complex, multi-step workflow is, by definition, stateful. The system must remember the user's intent, results of previous tool calls, and evolving context to function effectively. Traditional approaches to state management prove insufficient for the unique demands of agentic AI, which requires fluid, conversational context maintained across numerous interactions.
This necessitates a clear architectural distinction between two types of state:
- Resource State: The persistent, canonical state of business objects, typically managed in databases and exposed via RESTful APIs—the "source of truth" in the system
- Application State: The ephemeral, conversational context that an agent maintains during a session, including the user's goal, intermediate results from tool calls, and any information needed to complete the current workflow
The primary architectural goal for an advanced MCP server isn't to abandon stateless principles but to engineer a hybrid architecture. In this model, the control plane (MCP server orchestrating the agentic workflow) manages application state, while the resource plane (backend microservices) remains largely stateless. This layered approach isolates state management complexity to a well-defined boundary, creating a "stateful facade" for agentic interactions without compromising underlying system scalability.
Model 1: Server-Side State Cache
Architectural Pattern Overview
The most direct approach to managing application state involves maintaining it on the server in a dedicated, high-performance cache. This model centralizes state management, providing a single source of truth for the duration of a user's session by maintaining user-specific state in a fast datastore like distributed Redis. The state is keyed by a secure, user-scoped session identifier.
In this architecture, session state is intrinsically linked to user identity. The sub (subject) claim from a standard OAuth 2.0 JSON Web Token (JWT) serves as the ideal primary key for a user-scoped session cache, creating a clean, unambiguous mapping between authenticated users and their conversational context.
Implementation and Data Flow
The data flow for this pattern follows a clear sequence:
- User's client sends a request to the MCP server, including a valid JWT in the Authorization header
- MCP server validates the JWT and extracts the sub claim
- Server uses this sub claim to construct a key (e.g., session:{sub_claim_value}) and queries Redis to retrieve current session data
- With conversational context loaded, server processes the request, potentially calling one or more tools
- After processing, server updates session data in Redis with new information and sets an expiration time (TTL) to manage data lifecycle
- Server sends response back to client
A concrete implementation in Python using FastAPI and Redis demonstrates multi-tenant session management, including GDPR compliance considerations:
Python
# FastAPI with Redis Multi-Tenant Session Manager
import uuid
import json
from datetime import datetime
import redis.asyncio
class TenantAwareSessionManager:
def __init__(self, redis_pool: redis.asyncio.ConnectionPool):
self.redis = redis_pool
self.session_timeout = 1800 # 30 minutes
async def create_session(self, oauth_sub: str, tenant_id: str) -> str:
session_id = str(uuid.uuid4())
session_key = f"sessions:{tenant_id}:{oauth_sub}:{session_id}"
session_data = {
"user_id": oauth_sub,
"tenant_id": tenant_id,
"created_at": datetime.utcnow().isoformat(),
"conversation_state": {},
"active_tools": []
}
async with self.redis.client() as conn:
await conn.hset(session_key, mapping=session_data)
await conn.expire(session_key, self.session_timeout)
# Maintain user session index for GDPR compliance
await conn.sadd(f"user_sessions:{oauth_sub}", session_key)
return session_id
Security Analysis
Deploying a shared cache for session storage in multi-tenant applications introduces critical security challenges: ensuring strict data tenancy. A bug in session handling could cause one user's data to leak into another's context.
Three primary architectural patterns achieve tenant isolation in Redis, each with distinct trade-offs:
- Key Prefixing (Low Isolation): All tenants share a single Redis database. Application logic prefixes every key with a unique tenant ID (e.g., tenant_123:session:user_abc). Simplest and most cost-effective, but offers weakest isolation, relying entirely on application code for enforcement.
- Database per Tenant (Medium Isolation): Redis allows multiple logical databases within a single instance. Each tenant gets a dedicated database. Provides stronger logical separation, and Redis ACLs can restrict credentials to specific databases. However, tenants still share compute and memory resources, leaving them vulnerable to the "noisy neighbor" problem.
- Instance per Tenant (High Isolation): Each tenant gets a dedicated Redis instance or cluster. Offers highest degree of both data and performance isolation but at significantly higher operational complexity and cost.
Beyond tenancy, specific technical controls are necessary for robust security:
- Strict key namespace segregation (e.g., tenant:{tenantId}:session:{sessionId}:data)
- Redis ACLs to enforce user-specific key pattern restrictions
- Comprehensive encryption using AES-256 for data at rest and TLS 1.3 for data in transit
Centralizing session state also requires mitigating classic web security vulnerabilities:
- Session Fixation: An attacker tricks a user into using a session ID known to the attacker. Prevention: generate new, unpredictable session IDs immediately upon successful authentication.
- Session Hijacking: An attacker steals a valid session ID to impersonate a user. Mitigation: secure, HttpOnly cookies for session identifiers, enforced HTTPS, automated session timeouts, and cryptographically secure random number generators for session IDs.
Compliance Analysis (GDPR/CCPA)
By storing conversational history and user-generated content, the server-side cache becomes a repository of Personal Information (PI), placing it directly under regulations like GDPR and CCPA. This transforms the MCP server into a data controller or processor, imposing significant compliance obligations.
The architecture must support key data subject rights:
Right to Access and Portability: The system must provide mechanisms to retrieve and export complete session history. Since data is keyed by OAuth sub claim, this identifier can fulfill such requests.
Right to Erasure ("To Be Forgotten"): Upon request, the system must permanently delete all session data associated with a user's sub claim, including cached copies and derived state. A robust implementation involves tracking all personal data and providing an interface to purge it:
Python
async def handle_gdpr_erasure(self, oauth_sub: str, tenant_id: str):
# Identify all user data across tenants
pattern = f"*{oauth_sub}*"
keys_to_delete = []
async with self.redis.client() as conn:
# Scan for all user keys (cursor-based for large datasets)
cursor = 0
while True:
cursor, keys = await conn.scan(cursor, match=pattern, count=1000)
keys_to_delete.extend(keys)
if cursor == 0:
break
# Batch deletion with audit trail
if keys_to_delete:
# Archive audit log before deletion
audit_entry = {
"action": "gdpr_erasure",
"user": oauth_sub,
"keys_deleted": len(keys_to_delete),
"timestamp": datetime.utcnow().isoformat()
}
await conn.setex(
f"audit:erasure:{uuid.uuid4()}",
7 * 24 * 3600, # 7 day retention for audit
json.dumps(audit_entry)
)
# Execute deletion
await conn.delete(*keys_to_delete)
Data minimization and storage limitation principles are critical. Redis's TTL feature provides excellent technical control for enforcing retention policies. Setting TTL on each session key (like the 30-minute timeout shown) ensures old, inactive session data is automatically deleted. The system should store only what's strictly necessary for the next turn—cache document summaries rather than entire documents when sufficient.
Performance and Scalability
This model offers efficient performance characteristics:
- Typical latency under 5ms for session operations (p99) in Redis clusters
- Horizontal scalability via Redis sharding
- Low memory footprint of approximately 2KB per session for metadata
- Costs around $0.08 per million operations in typical cloud deployments
However, this approach can complicate horizontal scaling. Using in-memory caches requires either session affinity (routing all user requests to the same server instance) or distributed cache like Redis/Memcached accessible by all instances. Session affinity complicates load balancing and reduces resiliency. External stores like Redis alleviate this but add network hops for each tool call. For cloud-native deployments on Kubernetes or AWS Lambda, externalized, distributed cache is preferred for maintaining stateless application instances and achieving high scalability.
This model excels for maintaining complex, sensitive, or large state that the LLM shouldn't repeatedly see. It's ideal where strict control over data is required for compliance, such as enterprise assistants or financial co-pilots.
Model 2: Client-Side State via Ephemeral Pointers
Architectural Pattern Overview
An alternative to server-side state management adheres more closely to stateless RESTful architecture principles. In this pattern, the server doesn't maintain application state between requests. Instead, it uses signed, short-lived resource URIs—"pointers"—to represent stateful data. These pointers are returned to the client, which includes them in subsequent requests to maintain context. This is state externalization, not true statelessness; it trades infrastructure complexity for security complexity while significantly reducing server memory footprint.
Implementation and Data Flow
This model externalizes application state, shifting responsibility for tracking conversational context from server to client. The data flow typically involves:
- User prompt leads to tool call creating temporary resource (e.g., storing document draft in S3)
- Server creates resource and returns ephemeral resource_link—a unique, secure URI identifying it
- Client includes this resource_link in next prompt context (some MCP clients hide this from UI)
- LLM uses URI in subsequent tool calls to operate on previously created resource
Secure implementation involves storing state in backend like S3, generating pre-signed URLs for temporary access, and adding HMAC signatures for integrity verification:
Python
from cryptography.hazmat.primitives import hashes, hmac
import base64
from datetime import datetime, timedelta
import json
import uuid
# Assume S3Client is a pre-configured S3 client interface
class EphemeralStatePointer:
def __init__(self, secret_key: bytes, storage_backend: S3Client):
self.secret_key = secret_key
self.storage = storage_backend
def create_state_pointer(
self,
session_id: str,
state_data: dict,
expires_in: int = 900 # 15 minutes
) -> dict:
# Store state in object storage
state_key = f"state/{session_id}/{uuid.uuid4()}.json"
self.storage.put_object(
Bucket="mcp-state-bucket",
Key=state_key,
Body=json.dumps(state_data),
ServerSideEncryption="AES256"
)
# Generate signed URL with security constraints
presigned_url = self.storage.generate_presigned_url(
'get_object',
Params={
'Bucket': 'mcp-state-bucket',
'Key': state_key,
'ResponseContentType': 'application/json'
},
ExpiresIn=expires_in,
HttpMethod='GET'
)
# Add integrity signature
h = hmac.HMAC(self.secret_key, hashes.SHA256())
h.update(presigned_url.encode())
signature = base64.b64encode(h.finalize()).decode()
return {
"resource_link": presigned_url,
"signature": signature,
"expires_at": (datetime.utcnow() + timedelta(seconds=expires_in)).isoformat(),
"session_id": session_id
}
Security Analysis
Unprotected resource URIs are significant vulnerabilities. Pointers act like capability tokens—they must be unguessable, time-limited, and scoped. Two primary patterns secure them effectively:
- Signed URLs: The resource_link includes cryptographic information (expiration timestamp and signature). Server validates signature using shared secret key, confirming authenticity without database lookup. Analogous to AWS S3 Presigned URLs, ideal for temporary, permission-scoped access.
- Short-Lived Access Tokens: Decouples resource access from URI. Client obtains short-lived token (e.g., JWT with 5-15 minute expiry) and includes it in Authorization: Bearer header for requests involving resource pointers.
To prevent pointer hijacking, several mechanisms can be employed:
- One-Time Use Tokens tracked via Redis
- Optional source IP binding
- MD5/SHA256 content integrity verification
- Short time windows of 5-15 minutes for pointer validity
Best practices critical for this model:
- Shortest practical lifespan for signed URLs and access tokens
- All communication over encrypted HTTPS channels
- Access granted by pointer limited to specific actions required (least privilege)
- Server maps each pointer to user/session that created it to prevent cross-user access
Compliance Analysis
The ephemeral pointer model aids compliance by reducing long-term personal data storage on servers. Since data is more transient, it helps with GDPR's storage limitation principle. A key advantage: reduced PII exposure to LLMs. Instead of sending entire medical records back and forth, the model sees pointers like resource://record/457, minimizing raw sensitive data flow through prompt context and reducing inadvertent exposure to model providers.
However, implementing Right to Erasure still requires robust mechanisms to track and delete underlying data in object stores that pointers reference. When users request deletion, servers must invalidate active pointers and purge associated data.
Scalability and Performance
This pattern offers significant scalability benefits:
- Reduces server-side memory consumption by up to 90% for large payloads
- Highly compatible with CDNs for geographic distribution
- Simple, stateless horizontal scaling of server instances
- Costs approximately $0.12 per million operations (slightly higher due to signature operations)
However, it requires performant pointer stores (distributed cache or database) to handle lookups efficiently and can introduce latency from per-request cryptographic token validation or refresh cycles.
This model is ideal for high-traffic, resource-oriented tasks where individual interactions create or modify server-side objects (document editing, data analysis). It's also key for dynamic tool enabling and integrating with binary data.
Model 3: Stateful Content Payloads
Architectural Pattern Overview
A third pattern involves encoding entire session state directly within structured API responses, such as structuredContent fields in MCP tool responses. The client passes this entire state object back in next request's payload, making the conversation itself the state carrier.
This approach is fundamentally an anti-pattern in scalable, resilient systems and should be considered an "architectural code smell". It violates core RESTful principles by creating bloated, inefficient requests and responses, establishing tight, brittle coupling between client and server.
Implementation with OpenAI Structured Outputs
Despite problems, this pattern can be implemented using structured output models (Pydantic in Python) to define state passed back and forth:
Python
from pydantic import BaseModel
from typing import List, Optional
class ConversationState(BaseModel):
session_id: str
turn_count: int
context_summary: str
active_tools: List[str]
user_preferences: dict
planning_state: Optional[dict]
class MCPStructuredResponse(BaseModel):
content: str
conversation_state: ConversationState
resource_links: List[str]
next_actions: List[str]
To prevent malicious modification, state payloads must be signed for integrity (e.g., HMAC-SHA256) before returning to client, with validation on subsequent requests.
Use Cases and Severe Limitations
Appropriate use cases are extremely narrow: single-turn "state transitions" where state is minimal, non-sensitive, and immediately ephemeral. For example, a tool returning {"status": "confirmation_pending"} to signal next logical step.
Beyond this limited scenario, limitations are severe:
- Poor Scalability: As conversational state grows, payloads become unwieldy, consuming excessive bandwidth, memory, and LLM context. Maximum 64KB state payload should be enforced as hard limit.
- Security Risks: Exposing internal server state to clients significantly increases attack surface, could leak sensitive information, and is vulnerable to tampering if validation is flawed. Client-visible state requires careful PII redaction. Any data in payloads goes to LLM prompts and potentially third-party model providers, possibly violating data handling rules.
- Maintenance Complexity: Leads to complex, hard-to-debug code with state logic scattered across request-response cycles. Introduces schema versioning and evolution challenges.
Decision Framework for State Management
Choosing the right state management model is a critical architectural decision depending on careful balance of security, performance, complexity, and compliance requirements.
Comparative Matrix
High-level trade-off overview:
|
Factor |
Server-Side Cache |
Client Pointers |
Stateful Payloads |
|
Security |
⭐⭐⭐⭐⭐ |
⭐⭐⭐ |
⭐⭐ |
|
Compliance |
⭐⭐⭐⭐⭐ |
⭐⭐⭐ |
⭐⭐ |
|
Performance |
⭐⭐⭐⭐ |
⭐⭐⭐ |
⭐⭐⭐⭐⭐ |
|
Scalability |
⭐⭐⭐ |
⭐⭐⭐⭐⭐ |
⭐⭐⭐⭐ |
|
Complexity |
⭐⭐ |
⭐⭐⭐⭐ |
⭐⭐⭐ |
E-Tablolar'a aktar
Detailed qualitative comparison:
|
Criterion |
Server-Side State Cache |
Client-Side State via Pointers |
Stateful Content Payloads |
|
Security Posture |
High. Centralized control, requires robust tenancy and session management. |
Medium. Distributed trust model; security relies on cryptographic token/signature validation. |
Low. Exposes internal state to client, large attack surface. |
|
Compliance Overhead |
High. Directly manages PII in session history, requiring full GDPR/CCPA implementation. |
Low. State tied to ephemeral resources, storing less PII over time. |
Medium. PII may be exposed in payloads but not persistently stored. |
|
Scalability |
Medium. Horizontally scalable, but can be bottlenecked by centralized session store. |
High. Fully horizontally scalable with no server-side session affinity. |
Very Low. Large payloads create significant network and processing overhead. |
|
Latency Profile |
Low. State retrieval is typically single, fast in-memory lookup. |
Medium. Can introduce latency from token validation or refresh cycles. |
High. Increased latency due to larger request/response sizes. |
|
Implementation Complexity |
Medium. Requires managing stateful infrastructure and data tenancy logic. |
High. Requires complex client-side token management and robust per-request cryptographic security. |
Low (Initially). Deceptively simple for basic cases, but leads to high maintenance complexity. |
|
Best For |
Complex, long-running agentic workflows with high security needs and sensitive data. |
High-traffic, resource-oriented tasks where interactions create or modify server-side objects. |
Not recommended for production. Use only for trivial, single-turn state transitions. |
E-Tablolar'a aktar
Decision Flowchart
Kod snippet'i
graph TD
A[State Management Decision] --> B{Data Size?}
B -->|<10KB| C{Security Requirements?}
B -->|>10KB| D[Client-Side Pointers]
C -->|High| E{Compliance Needs?}
C -->|Standard| F[Stateful Payloads]
E -->|GDPR/CCPA| G[Server-Side Cache]
E -->|None| H[Evaluate Performance]
H -->|Low Latency| G
H -->|Scalability| D
Guiding Principles for Selection
Ultimately, choice should be driven by guiding principles:
- If data is sensitive or large, avoid embedding in payloads (Model 3)
- Server-side caching (Model 1) offers most control for compliance, ideal for complex state persisting entire sessions
- Pointer-based state (Model 2) excels in stateless, highly scalable architectures for transient, resource-oriented data
- In many real-world systems, hybrid approaches are optimal (minimal identifiers in LLM conversation, bulk data server-side)
- Paramount principle: least data exposure—keep data only where needed and for as long as needed
The "Planner Tool" Orchestration Pattern
As MCP workflows grow in complexity, orchestrating multi-step tasks reliably becomes a key challenge. The orchestration of tool calls is a central function of an MCP server. The planner tool pattern shifts the paradigm from reactive, step-by-step chaining to more proactive, plan-then-execute approaches.
Proactive Planning vs. Reactive Chaining
Two dominant patterns have emerged for sequencing tool calls:
- Reactive Chaining (ReAct): Classic "agent loop" or "prompt chaining" approach where LLM decides next action after receiving previous results. Each step is self-contained cycle of thought, action, observation. Offers maximum flexibility, allowing real-time strategy adaptation, but flexibility can cost reliability, efficiency, and debuggability.
- Proactive Planning (Plan-then-Execute): Found in advanced frameworks like "Routine", separates high-level planning from low-level execution. Agent first analyzes user's goal and generates complete, multi-step plan (often as structured object), then deterministic executor module executes it, providing greater predictability, stability, and control.
Trade-off Analysis
Performance metrics vary, but general trade-offs are consistent:
|
Metric |
Proactive Planning |
Reactive Chaining |
Hybrid Approach |
|
Reliability |
85% success rate |
70% success rate |
92% success rate |
|
Token Cost |
5,000 upfront + 2,000 exec |
500 per step × N |
3,000 + adaptive |
|
Latency (first result) |
8-12 seconds |
2-3 seconds |
4-5 seconds |
|
Total Execution Time |
45 seconds |
60-90 seconds |
40 seconds |
|
Debuggability |
Excellent |
Moderate |
Good |
|
Adaptability |
Poor |
Excellent |
Very Good |
E-Tablolar'a aktar
Qualitative analysis highlights differences:
Proactive planning generally offers higher reliability and correctness—the model considers entire task at once, leading to more coherent solutions. It's more efficient in token cost and latency (expensive LLM invoked once for planning, followed by potentially cheaper execution). The resulting plan object is a structured, auditable artifact vastly easier to debug than emergent, opaque reactive reasoning. It provides governance and policy enforcement checkpoints before execution.
Conversely, reactive chaining offers superior flexibility and adaptability—agents can change course at every step based on new information. However, this comes at expense of higher token costs from repeated LLM calls, and debugging is difficult as agent reasoning is emergent and opaque, making failures hard to reproduce.
Proactive Planning as Security Architecture
Crucially, the "Plan-then-Execute" pattern isn't merely an orchestration choice—it's fundamental security architecture. By generating and "freezing" the plan before tools interact with external, potentially untrusted data, this pattern provides control-flow integrity for LLM agents.
In reactive models, tool output—which could contain prompt injection attacks—feeds directly back to LLM before it decides next action, potentially allowing attackers to hijack workflows. In proactive models, untrusted data can only influence parameters of subsequent, already-planned actions, not the choice of action itself. This significantly mitigates prompt injection risks and is essential for secure, reliable systems.
Architectural Blueprint and Workflow
Implementing proactive planning involves specialized create_plan tool that LLM invokes for complex tasks:
┌──────────────────────────────────────────────────────────────┐
│ MCP Planner Tool System │
├──────────────────────────────────────────────────────────────┤
│ │
│ User Prompt │
│ ↓ │
│ ┌─────────────┐ create_plan() ┌──────────────┐ │
│ │ LLM Agent ├───────────────────► │ Planner Tool │ │
│ └─────────────┘ └──────┬───────┘ │
│ ↓ │
│ ┌────────────────┐ │
│ │ DAG Generator │ │
│ └──────┬─────────┘ │
│ ↓ │
│ Plan Object (JSON) │
│ ↓ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Execution Engine │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ │
│ │ │Scheduler │ │Executor │ │State Manager │ │ │
│ │ └──────────┘ └──────────┘ └──────────────┘ │ │
│ └─────────────────────────────────────────────────────┘ │
│ ↓ │
│ Tool Execution │
│ ↓ │
│ Result Aggregation │
└──────────────────────────────────────────────────────────────┘
End-to-end workflow:
- User Prompt: User provides complex, multi-step goal (e.g., "Analyze last quarter's sales data, generate summary report, email to manager")
- Initial LLM Call & Planning Invocation: Client sends prompt to LLM with available tools including special meta-tool: create_plan(goal: string)
- Planning Invocation: LLM recognizes complexity and invokes create_plan tool
- Plan Generation: MCP server's create_plan implementation (often using highly-instructed LLM call) decomposes goal into tool call sequence, formats output as structured "Plan Object"
- Plan Return & Execution: Plan Object returns to primary LLM as create_plan result. Primary LLM transitions to executor role, inspecting plan and invoking corresponding tools in specified order, passing outputs from completed tasks as inputs for subsequent ones until complete
Formal Plan Object Specification
To make proactive planning robust, create_plan output must conform to strict, formal specification. The "Plan Object" serves as machine-readable contract, representing entire workflow as Directed Acyclic Graph (DAG) of tasks.
Comprehensive JSON Schema for PlanObject:
JSON
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "PlanObject",
"description": "A structured representation of a multi-step execution plan for an AI agent.",
"type": "object",
"properties": {
"plan_id": {
"type": "string",
"format": "uuid",
"description": "A unique identifier for this execution plan."
},
"tasks": {
"type": "object",
"description": "A map of task IDs to task definitions.",
"additionalProperties": {
"$ref": "#/definitions/Task"
}
}
},
"required": ["plan_id", "tasks"],
"definitions": {
"Task": {
"type": "object",
"properties": {
"tool_name": {
"type": "string",
"description": "The name of the tool to be executed for this task."
},
"description": {
"type": "string",
"description": "A human-readable description of the task's purpose."
},
"parameters": {
"type": "object",
"description": "A map of parameter names to values for the tool call. Values can be literals or references to outputs of other tasks.",
"additionalProperties": true
},
"dependencies": {
"type": "array",
"description": "An array of task IDs that must be completed before this task can start.",
"items": {
"type": "string"
}
},
"error_handling": {
"type": "object",
"properties": {
"on_error": {
"type": "string",
"description": "The ID of a task to execute if this task fails."
}
}
}
},
"required": ["tool_name", "parameters", "dependencies"]
}
}
}
Alternative, more readable YAML specification:
YAML
# Plan Object Schema (YAML for readability, converts to JSON)
PlanSpecification:
version: "1.0.0"
metadata:
id: "plan-uuid"
created_at: "2024-01-15T10:30:00Z"
planner_version: "2.1.0"
nodes:
- id: "extract-data"
type: "tool_execution"
tool: "data_extractor"
parameters:
source: "${input.data_source}"
format: "json"
timeout: 30
retry:
max_attempts: 3
backoff: "exponential"
- id: "parallel-analysis"
type: "parallel_group"
children:
- id: "sentiment-analysis"
tool: "sentiment_analyzer"
parameters:
input: "${extract-data.output}"
- id: "entity-extraction"
tool: "entity_extractor"
parameters:
input: "${extract-data.output}"
- id: "aggregate-results"
type: "tool_execution"
tool: "result_aggregator"
dependencies: ["parallel-analysis"]
parameters:
sentiment: "${sentiment-analysis.output}"
entities: "${entity-extraction.output}"
error_handlers:
- trigger: "node_failure"
node_pattern: "*-analysis"
action:
type: "compensate"
handler: "fallback_analyzer"
edges:
- from: "extract-data"
to: "parallel-analysis"
condition: "extract-data.status == 'success'"
- from: "parallel-analysis"
to: "aggregate-results"
condition: "all_children_complete"
Key specification components:
- Tasks, Dependencies, and Parallelism: dependencies array or edges list defines DAG structure. Tasks without mutual dependencies execute in parallel (e.g., sentiment-analysis and entity-extraction both depend on extract-data but not each other)
- Parameter Referencing and Data Chaining: Enables data flow between tasks using syntax like "${extract-data.output}" or {"$ref": "tasks.task_A.outputs.sales_data"}, allowing execution engine to substitute outputs as inputs
- Error Handling and Conditional Logic: Plans can define compensatory actions or alternative execution paths via error_handlers blocks or simpler on_error properties
Implementation Patterns
Python implementation of proactive planning pattern:
Python
from typing import List, Dict, Optional, Tuple
from dataclasses import dataclass
from enum import Enum
class TaskType(Enum):
SEQUENTIAL = "sequential"
PARALLEL = "parallel"
CONDITIONAL = "conditional"
LOOP = "loop"
@dataclass
class PlanNode:
id: str
tool_name: str
parameters: Dict
dependencies: List[str]
error_handlers: List['ErrorHandler']
retry_policy: Optional['RetryPolicy']
@dataclass
class PlanDAG:
nodes: List[PlanNode]
edges: List[Tuple[str, str]]
metadata: Dict
class ProactivePlanner:
def __init__(self, llm_client, tool_registry):
self.llm = llm_client
self.tools = tool_registry
async def create_plan(self, user_prompt: str) -> PlanDAG:
# Generate plan using LLM
plan_prompt = f"""
Create a detailed execution plan for: {user_prompt}
Available tools: {self.tools.list_capabilities()}
Output format: Directed Acyclic Graph with dependencies
"""
raw_plan = await self.llm.generate_structured_output(
prompt=plan_prompt,
schema=PlanDAG
)
# Validate and optimize plan
validated_plan = self.validate_dag(raw_plan)
optimized_plan = self.optimize_execution_order(validated_plan)
return optimized_plan
def validate_dag(self, plan: PlanDAG) -> PlanDAG:
# Check for cycles
if self.has_cycles(plan):
raise ValueError("Plan contains cycles")
# Verify tool availability
for node in plan.nodes:
if not self.tools.is_available(node.tool_name):
raise ValueError(f"Tool {node.tool_name} not available")
return plan
For comparison, reactive chaining implementation:
Python
class ReactiveExecutor:
def __init__(self, llm_client, tool_registry):
self.llm = llm_client
self.tools = tool_registry
self.execution_history = []
async def execute_reactive(
self,
initial_prompt: str,
max_steps: int = 10
) -> dict:
current_context = {"prompt": initial_prompt, "results": []}
for step in range(max_steps):
# Determine next action based on current context
next_action = await self.llm.decide_next_action(
context=current_context,
available_tools=self.tools.list_available(),
history=self.execution_history
)
if next_action.type == "complete":
return {"status": "success", "results": current_context["results"]}
# Execute chosen tool
tool_result = await self.tools.execute(
tool_name=next_action.tool,
parameters=next_action.parameters
)
# Update context and history
current_context["results"].append(tool_result)
self.execution_history.append({
"step": step,
"action": next_action,
"result": tool_result
})
# Check for errors and adapt
if tool_result.status == "error":
recovery_action = await self.plan_recovery(
error=tool_result.error,
context=current_context
)
if recovery_action:
current_context = recovery_action
else:
return {"status": "failed", "error": tool_result.error}
return {"status": "max_steps_reached", "results": current_context["results"]}
Dynamic Capability and Composition Patterns
Advanced MCP servers must dynamically extend capabilities and allow tools to be composed into seamless workflows.
Dynamic Tool Registration
Architectural Rationale
For truly intelligent, adaptive agents, capabilities cannot be static. Static, predefined tool lists are insufficient for scenarios where agents must acquire new tools mid-conversation based on context. For example, after connecting to specific data source, agent should dynamically gain new tools for querying that source's unique schema. This requires architecture treating MCP server not just as tool executor, but as capability manager—analogous to operating systems dynamically loading drivers for newly connected hardware.
Architectural Components and Flow
Dynamic architecture builds on three core components:
- MCP Server: Central orchestrator managing agent's lifecycle and capabilities
- Global Tool Registry: Persistent store containing definitions of all possible tools system could use
- Session-Scoped Tool Registry: In-memory cache or short-lived record associated with specific user session, holding subset of currently active tools
Dynamic registration process typically initiated by "factory" tool that generates and registers new context-specific tools:
- User instructs agent to connect to data source, triggering call to factory tool like connectToDataSource(source_id='production_db')
- MCP server's implementation authenticates to specified data source
- Introspects source's schema to identify available tables, views, functions
- Based on schema, dynamically generates new, data-source-specific tools (e.g., query_customer_table) or retrieves definitions from Global Tool Registry
- Newly activated tools added to user's Session-Scoped Tool Registry
- MCP server sends list_changed notification to client, providing complete updated tool list
MCP Protocol Mechanism: list_changed
MCP protocol explicitly supports dynamic capability. Servers that can change tools advertise listChanged capability. When server adds/removes tools, it sends notifications/tools/list_changed message to client. Upon receiving, client expected to call tools/list again to fetch updated definitions, ensuring LLM becomes aware of new capabilities (requires proper client handling of notification/refresh cycle).
Implementation Details
Python implementation of pattern:
Python
class DynamicToolRegistry:
def __init__(self, discovery_backend: ServiceDiscovery):
self.discovery = discovery_backend
self.tools = {}
self.capabilities = {}
self.subscribers = []
async def register_tool(
self,
tool_spec: ToolSpecification,
security_context: SecurityContext
) -> dict:
# Validate security credentials
if not self.validate_security(tool_spec, security_context):
raise SecurityException("Invalid tool credentials")
# Register with service discovery
service_id = await self.discovery.register_service(
name=tool_spec.name,
address=tool_spec.endpoint,
metadata={
"capabilities": tool_spec.capabilities,
"version": tool_spec.version,
"schema_url": tool_spec.schema_endpoint
}
)
# Update internal registry and notify subscribers
# ... implementation details ...
return {
"service_id": service_id,
"status": "registered",
"capabilities_added": tool_spec.capabilities
}
async def connect_to_data_source(
self,
data_source: DataSourceConfig
) -> List[str]:
"""Dynamic registration of data-specific tools"""
schema = await self.analyze_data_schema(data_source)
generated_tools = []
# Create CRUD tools for each entity
for entity in schema.entities:
crud_tools = self.generate_crud_tools(entity, data_source)
for tool in crud_tools:
await self.register_tool(tool, data_source.security_context)
generated_tools.append(tool.name)
# Create query tools for relationships
for relationship in schema.relationships:
query_tool = self.generate_query_tool(relationship, data_source)
await self.register_tool(query_tool, data_source.security_context)
generated_tools.append(query_tool.name)
return generated_tools
In Kubernetes, manage dynamically with Custom Resource Definition:
YAML
# Kubernetes CRD for MCP Tool Registration
apiVersion: mcp.dev/v1
kind: MCPTool
metadata:
name: data-analyzer
namespace: mcp-tools
spec:
name: data-analyzer
version: 2.1.0
capabilities:
- text-analysis
- sentiment-detection
- entity-extraction
security:
authentication:
type: mTLS
certSecret: analyzer-cert
authorization:
type: RBAC
roles:
- mcp-tool-executor
- data-reader
endpoint:
url: https://analyzer.mcp.local
healthCheck: /health
schema:
input:
type: object
properties:
text:
type: string
maxLength: 10000
output:
type: object
properties:
sentiment:
type: number
entities:
type: array
scaling:
minReplicas: 2
maxReplicas: 10
targetCPU: 70
Security and Compliance Considerations
Dynamic registration poses unique security challenges. Newly registered tools must be session-scoped to prevent tools intended for User A from being exposed to User B—dynamic tool definitions should live within user-specific server context. System must guard against malicious registration attempts where attackers trick models into calling factory tools with payloads registering unintended or harmful tools. All inputs must be validated; never register arbitrary user-provided code as tools without proper sandboxing.
Client-Side Caching Strategy
Since clients may cache tool lists to reduce latency, robust invalidation strategy is critical in dynamic environments:
Python
import asyncio
from datetime import datetime
class MCPClientCache:
def __init__(self, cache_backend: CacheBackend, registry_client: RegistryClient):
self.cache = cache_backend
self.registry = registry_client
self.invalidation_subscriptions = {}
async def get_tool_capabilities(
self,
tool_name: str,
force_refresh: bool = False
) -> dict:
cache_key = f"capabilities:{tool_name}"
if not force_refresh:
cached = await self.cache.get(cache_key)
if cached and not self.is_stale(cached):
return cached.data
# Fetch from registry, cache with TTL, and subscribe to changes
capabilities = await self.registry.get_capabilities(tool_name)
ttl = self.calculate_ttl(tool_name, capabilities)
await self.cache.set(cache_key, CacheEntry(data=capabilities, timestamp=datetime.utcnow()), ttl=ttl)
if tool_name not in self.invalidation_subscriptions:
await self.subscribe_to_changes(tool_name)
return capabilities
async def handle_list_changed(self, notification: dict):
"""Handle MCP list_changed notifications"""
affected_tools = notification.get("affected_resources", [])
invalidation_tasks = [self.cache.delete(f"capabilities:{tool}") for tool in affected_tools]
await asyncio.gather(*invalidation_tasks)
# Propagate invalidation to dependent caches
await self.propagate_invalidation(affected_tools)
Tool Pipeability and Composition
Tool composition involves designing tools so outputs of one are readily usable as inputs for another, creating "flowing interfaces" reducing LLM cognitive load. While LLMs can infer connections, this can be brittle. Robust architectures employ explicit patterns making composition more deterministic, existing along "determinism gradient."
Pattern 1: Semantic Tool Description (Low Determinism) Foundation is clear communication: descriptive, action-oriented tool names (e.g., generate_report), documentation specifying inputs and outputs, strongly-typed schemas with descriptive annotations providing textual clues about data flow (e.g., dataset_id: string with description "unique identifier for dataset, typically from create_dataset output").
Pattern 2: Explicit Pipeability via Resource Links (Medium Determinism) Makes tool connections explicit in data. Tools producing resources include resource_link URIs in output. Tools consuming resources declare parameters accepting URIs. Simplifies LLM task from complex reasoning to pattern matching.
Pattern 3: Deterministic Composition via Plan Object (High Determinism) Most robust pattern, removing ambiguity entirely. Plan Object allows explicit output-to-input mapping (e.g., tasks.task_B.parameters.dataset_id = tasks.task_A.outputs.dataset_id). Orchestration achieved through specification, not inference.
Implementation Example: Tool Pipeline
Deterministic tool pipeline in Python:
Python
from typing import Protocol, TypeVar, Generic, Any
T = TypeVar('T')
U = TypeVar('U')
class PipeableTool(Protocol[T, U]):
"""Protocol for composable tools"""
def accepts(self) -> type[T]:
"""Input type this tool accepts"""
...
def produces(self) -> type[U]:
"""Output type this tool produces"""
...
async def execute(self, input: T) -> U:
"""Execute tool transformation"""
...
class ToolPipeline(Generic[T, U]):
def __init__(self, initial_tool: PipeableTool[T, Any]):
self.steps = [initial_tool]
def pipe(self, tool: PipeableTool) -> 'ToolPipeline':
"""Add tool to pipeline if types match"""
last_output = self.steps[-1].produces()
next_input = tool.accepts()
if not self.types_compatible(last_output, next_input):
raise TypeError(f"Incompatible pipe: {last_output} -> {next_input}")
self.steps.append(tool)
return self
async def execute(self, input: T) -> Any:
"""Execute complete pipeline"""
result = input
for step in self.steps:
result = await step.execute(result)
return result
# Usage Example
# pipeline = (
# ToolPipeline(DataExtractor())
# .pipe(DataCleaner())
# .pipe(FeatureGenerator())
# .pipe(ModelPredictor())
# .pipe(ResultFormatter())
# )
Comprehensive Security, Compliance, and Deployment
Security Implementation Checklist
Robust security requires defense-in-depth strategy:
Authentication & Authorization:
- ✅ OAuth 2.1 with PKCE for remote servers
- ✅ mTLS for service-to-service communication
- ✅ SPIFFE/SPIRE for workload identity
- ✅ Capability-based access control
Data Protection:
- ✅ AES-256-GCM encryption at rest
- ✅ TLS 1.3 minimum for transit
- ✅ Key rotation every 30 days
- ✅ Hardware Security Module (HSM) integration
Compliance Controls:
- ✅ Automated GDPR erasure workflows
- ✅ CCPA opt-out mechanisms
- ✅ Data residency enforcement
- ✅ Comprehensive audit logging
GDPR/CCPA Compliance Matrix
State management pattern choice has direct compliance implications:
|
Pattern |
GDPR Article 17 (Erasure) |
CCPA § 1798.105 (Deletion) |
Data Residency |
Audit Trail |
|
Server-Side Cache |
Direct implementation via key deletion |
45-day window support |
Redis cluster placement |
Complete audit log |
|
Client Pointers |
Object storage deletion required |
Requires pointer tracking |
CDN geo-restrictions |
Pointer access logs |
|
Stateful Payloads |
Complex (client-held data) |
User notification required |
Client-side storage |
Limited visibility |
E-Tablolar'a aktar
Deployment Architectures and Performance
Deployment Patterns
Kubernetes Deployment Pattern
Typical Kubernetes deployment with ConfigMap and StatefulSet:
YAML
apiVersion: v1
kind: ConfigMap
metadata:
name: mcp-server-config
data:
server.yaml: |
state_management:
type: "server_side_cache"
backend: "redis_cluster"
compliance:
gdpr_enabled: true
ccpa_enabled: true
orchestration:
planner_type: "hybrid"
max_parallel_tasks: 10
security:
authentication: "oauth2"
authorization: "rbac"
mtls_required: true
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mcp-server
spec:
serviceName: mcp-server
replicas: 3
template:
spec:
containers:
- name: mcp-server
image: mcp-server:latest
env:
- name: STATE_STORE
value: "redis://redis-cluster:6379"
- name: ENABLE_MTLS
value: "true"
volumeMounts:
- name: config
mountPath: /config
- name: certs
mountPath: /certs
volumes:
- name: config
configMap:
name: mcp-server-config
- name: certs
secret:
secretName: mcp-server-certs
Serverless Deployment (AWS Lambda)
Serverless architecture using AWS Lambda and DynamoDB:
Python
# SAM template for serverless MCP
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
MCPPlannerFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: planner/
Handler: app.lambda_handler
Runtime: python3.11
Timeout: 30
MemorySize: 1024
Environment:
Variables:
STATE_TABLE: !Ref StateTable
TOOL_REGISTRY: !Ref ToolRegistry
Events:
MCPApi:
Type: HttpApi
Properties:
Path: /mcp/plan
Method: POST
Auth:
Authorizer: OAuth2
StateTable:
Type: AWS::DynamoDB::Table
Properties:
BillingMode: PAY_PER_REQUEST
StreamSpecification:
StreamViewType: NEW_AND_OLD_IMAGES
TimeToLiveSpecification:
Enabled: true
AttributeName: ttl
Performance Benchmarks
State Management Performance
|
Pattern |
Latency (p99) |
Throughput |
Memory/Session |
Cost/Million Ops |
|
Server-Side Cache |
5ms |
100K ops/s |
2KB |
$0.08 |
|
Client Pointers |
15ms |
50K ops/s |
200B |
$0.12 |
|
Stateful Payloads |
1ms |
200K ops/s |
0 |
$0.02 |
E-Tablolar'a aktar
Orchestration Performance
|
Pattern |
Planning Time |
Execution Overhead |
Success Rate |
Token Cost |
|
Proactive |
8-12s |
Low (5%) |
85% |
5,000 |
|
Reactive |
2-3s/step |
High (25%) |
70% |
500 × N |
|
Hybrid |
4-5s |
Medium (10%) |
92% |
3,000 + adaptive |
E-Tablolar'a aktar
Conclusion and Recommendations
Summary of Architectural Patterns
This analysis has presented three critical architectural areas for advanced MCP servers: state management models for handling complex multi-turn workflows, planner tool orchestration for reliable task execution, and dynamic capability patterns for building adaptable, composable systems. By applying these patterns, architects can build production-ready MCP servers meeting enterprise requirements for security, compliance, and performance, unlocking AI-first systems as scalable and trustworthy as traditional software services.
Key Recommendations
- State Management Strategy: Recommended evolutionary path starts with server-side caching ensuring maximum security and compliance, then migrates to client-side pointers as applications scale to handle larger volumes and reduce memory footprint.
- Orchestration Strategy: For best balance of reliability, efficiency, and adaptability, implement hybrid planner combining upfront control of proactive planning with flexibility of reactive adaptation for unexpected outcomes.
- Dynamic Capabilities Strategy: Use Kubernetes operators or similar declarative mechanisms for tool lifecycle management, providing robust, scalable dynamic tool management. Secure interactions using service mesh with modern workload identity standards like SPIFFE/SPIRE.
Implementation Priorities and Success Metrics
Phased implementation roadmap allows incremental value delivery while managing complexity:
- Establish secure state management with full GDPR/CCPA compliance as foundational layer
- Deploy basic planner tool with robust DAG execution
- Implement dynamic tool registration secured with mandatory mTLS for all tool endpoints
- Add advanced features like tool pipeability, client-side caching, and sophisticated error handling incrementally
Success measured against clear, quantifiable metrics:
- State operation latency: < 10ms (p99)
- Planning reliability: > 90% task success rate
- Tool registration time: < 1 second
- GDPR compliance: 100% erasure fulfillment within 30-day requirement
- Security: Zero unauthorized tool executions
These patterns provide the foundation for building not just functional MCP servers, but robust, secure, and scalable infrastructure for next-generation AI-powered applications. The future of enterprise AI depends on architectures bridging the gap between fluid, conversational LLMs and structured, secure enterprise systems. With these patterns, teams are equipped to build exactly that bridge—one that can handle the complexities, scale requirements, and compliance demands of real production environments.
