
MCP AI Tool-Server Engineering

Model Context Protocol (MCP) servers that safely expose governed, read-only enterprise analytics capabilities to AI assistants — the protocol work that lets an LLM take real, bounded actions against real enterprise data.

  • Query surface exposed to the LLM: fixed typed tools — no raw SQL
  • Access model: per-user, catalog-scoped
  • Arbitrary/raw queries permitted: zero

The Problem

Enterprise AI assistants are far more useful when they can query real business data, but exposing that data to an LLM naively (e.g., an arbitrary-SQL tool) creates real injection, data-exfiltration, and governance risk. The goal was tool access that's genuinely useful and safe by construction.

My Approach

  • Conducted structured research into MCP architecture, vendor integration patterns for enterprise AI platforms, security best practices, and production-readiness checklists (input sanitization, observability, lifecycle management) before writing implementation code.
  • Designed a governed semantic query layer instead of exposing raw SQL: the server offers a fixed set of typed tools (e.g., account search, pipeline summaries, renewal-risk assessment, schema introspection) backed by server-owned, pre-defined read-only query templates — the model can ask rich analytical questions, but cannot construct or execute arbitrary queries, run writes/DDL, or dump raw tables.
  • Enforced per-user authentication against the underlying data platform with catalog-level access control, so the AI assistant only ever sees data the requesting user is already entitled to see — no shared "super user" service credential doing the querying.
  • Built the local development version to be fully offline-safe by default (no live connection on import/startup, dry-run profiling mode) so it's safe to develop and test against without accidentally touching production data.
  • Validated the deployed version end-to-end against real production data before intentionally pausing/decommissioning it pending a broader security review — a deliberate, security-first decision rather than leaving an unreviewed integration running indefinitely.
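As an added illustration of the governed query layer described above (example code written for this page, not the project's own): a fixed tool registry backed by server-owned read-only templates, where the model can only name a tool and fill its typed slots. Table and column names are constructed placeholders, the `:name` bind-parameter style is assumed, and the registry deliberately has no dependency on the MCP package so it runs stand-alone.

```python
import re

# Constructed, hypothetical table/column names for illustration only. Each tool maps to a
# server-owned read-only SQL template plus its typed argument slots; in the real server each
# tool would also be registered with FastMCP's @mcp.tool() decorator.
TEMPLATES = {
    "account_search": (
        "SELECT account_id, name, segment FROM crm.accounts WHERE name ILIKE :q LIMIT :limit",
        {"q": str, "limit": int},
    ),
    "pipeline_summary": (
        "SELECT stage, COUNT(*) AS n, SUM(amount) AS total FROM crm.opportunities WHERE owner = :owner GROUP BY stage",
        {"owner": str},
    ),
}
LIMIT_MAX = 200  # hard cap on rows per call, whatever the model asks for
READ_ONLY = re.compile(r"^\s*SELECT\b", re.IGNORECASE)
FORBIDDEN = re.compile(r";|\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT)\b", re.IGNORECASE)

class GovernanceError(ValueError): """Tool call falls outside the governed surface."""

def build_query(tool: str, args: dict) -> tuple[str, dict]:
    """Return (sql, bound_params). The model never supplies SQL; it only picks a tool and fills typed slots."""
    if tool not in TEMPLATES:
        raise GovernanceError(f"unknown tool: {tool}")
    sql, schema = TEMPLATES[tool]
    if unexpected := set(args) - set(schema):
        raise GovernanceError(f"unexpected arguments: {sorted(unexpected)}")
    bound = {}
    for name, typ in schema.items():
        if name not in args:
            raise GovernanceError(f"missing argument: {name}")
        value = args[name]
        if type(value) is not typ:  # strict: no coercion of strings (or bools) into ints
            raise GovernanceError(f"{name} must be {typ.__name__}")
        if name == "limit":
            value = max(1, min(value, LIMIT_MAX))
        bound[name] = value  # values travel as bind parameters, never spliced into the SQL text
    # Defence in depth: even a server-owned template must be a single SELECT statement.
    if not READ_ONLY.match(sql) or FORBIDDEN.search(sql):
        raise GovernanceError("template is not a single read-only statement")
    return sql, bound

def rejected(tool: str, args: dict) -> bool:
    """True if the governance layer refuses the call (handy for tests and audit logging)."""
    try:
        build_query(tool, args)
    except GovernanceError:
        return True
    return False
```

The returned `(sql, bound)` pair is what the server would hand to the data platform under the requesting user's own credentials; the model never sees or writes SQL.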

Stack

Protocol/Framework

Model Context Protocol (MCP), FastMCP (mcp.server.fastmcp), Streamable HTTP transport

Data Platform

Databricks (Unity Catalog governed access, per-user OAuth)

Language

Python

Deployment

Google Cloud Run, authenticated-only ingress

AI Integration

Google Cloud Gemini Enterprise (Vertex AI Search / Discovery Engine)

Practices

Secure-by-design tool surfaces for LLMs, least-privilege data access, offline-safe local development

Skills Demonstrated

  • Applied understanding of emerging AI tool-use protocols (MCP) ahead of mainstream adoption
  • Security-first API design specifically for LLM consumers (a meaningfully different threat model than a typical human-facing API)
  • Data governance and least-privilege access control in an AI context
  • Willingness to build something, prove it works, and then pause it for proper review rather than optimizing purely for "shipped"