Blog
Notes on building with Claude Code.
Deep dives on MCP servers, hooks, agents, and the operational side of shipping AI-first workflows. No fluff, no "top 10 AI agents of 2026" lists.
MCP transports: when stdio wins, when HTTP wins
An MCP server can talk to its client over stdio (subprocess) or HTTP/SSE/streamable-HTTP (network). The choice changes your auth model, your attack surface, your multi-tenancy story, and the kind of bugs you ship. Most builders default without thinking — here's the decision matrix, the operational consequences of each transport, and when "start stdio, migrate later" is the right move.
Read post →
BadHost (CVE-2026-48710): is your MCP server actually affected?
BadHost (CVE-2026-48710) is a Starlette flaw where a single crafted Host header bypasses path-based authorization — and Starlette powers FastAPI, vLLM, LiteLLM, and most HTTP-transport MCP servers. Here's the precise blast radius for MCP operators (stdio servers aren't exposed, HTTP/SSE servers are), how to check in 30 seconds, the fix, and why credential-rich MCP servers make this worse than its CVSS 6.5 suggests.
Read post →
Testing FastMCP servers: the layer hierarchy your unit tests miss
A taxonomy of the layers in a FastMCP server, what your existing tests probably cover (and don't), and the minimum test set that would have caught every wrapper-layer bug we've shipped. Concrete patterns for each layer — assert tool shape, exercise the protocol, lint the anti-patterns — with copy-pasteable code.
Read post →
What we learned shipping our first 4 MCP servers
Concrete patterns that emerged across mcp-content-opportunity, mcp-sqlite-query, mcp-gmail-reader, and mcp-twitter — what surprised us, what we'd do differently, and the seven non-obvious lessons that should be in any FastMCP project from the first commit.
Read post →
How much does an MCP server actually cost to build?
A grounded breakdown of the four cost dimensions of an MCP server — API call billing, hosting, build time, ongoing maintenance — with real numbers from four shipped servers in 2026. When DIY makes sense, when hiring is cheaper, and the hidden costs most teams don't price in.
Read post →
The FastMCP wrapper-layer bug your unit tests won't catch
A FastMCP @mcp.tool() with sync def + asyncio.run() inside passes every unit test, then breaks at the first protocol call with "asyncio.run() cannot be called from a running event loop." Here's why, the fix, the AST lint that catches it across any FastMCP project, and the broader principle — test the wrapper layer, not just the inner functions.
Read post →
Skills, subagents, slash commands — a decision tree for Claude Code
Three customisation mechanisms in Claude Code that people conflate constantly. When to reach for each, what they cost, and the one anti-pattern that ruins all three.
Read post →
Production-grade MCP servers: the three things every open-source one gets subtly wrong
A field guide to building MCP servers you'd actually put in a team's shared config. Error handling, testing strategy, deployment patterns — and the failure modes I see in almost every MCP server on GitHub right now.
Read post →
I built an MCP server to triage my sales inbox. It can read and draft — but it literally cannot send.
A case study in deliberate constraint. Building a Claude Code MCP server for Gmail that reads one label, drafts replies to the Drafts folder, and has no capability to send or delete — three independent safety layers, 55 tests, and a design I'd trust on a shared account.
Read post →
Claude Code hooks that don't break your workflow
Four rules for writing Claude Code hooks that catch real problems without annoying you into disabling them. With two working hook scripts (secret-blocking + bash logging) you can drop in today.
Read post →
The Claude Code deny-list most teams skip (and how it eliminates a class of disasters)
Why a five-line deny list in your .claude/settings.json is the cheapest foot-gun protection in Claude Code, what to put in it, and how it interacts with hooks.
Read post →
I built an MCP server to plan this blog. Here's the code, the ranking logic, and the first 10 ideas it surfaced.
A walkthrough of building a Model Context Protocol server that mines Hacker News and Reddit for content opportunities, ranks them with a simple 5-signal heuristic, and surfaces ten unanswered questions developers are asking about Claude Code and MCP.
Read post →