Descriptions:
Sam Morrow, the engineer who leads development of GitHub’s MCP server, delivered this talk at AI Engineer Europe 2026, sharing hard-won lessons from scaling GitHub’s remote MCP server since its public open-source launch in April 2025. The presentation covers the full arc of problems encountered: accumulating over 100 community-contributed tools caused agents to perform worse, a pattern consistent with LangChain’s February 2025 research showing that more tools shoved into context degrade agent reliability.
Morrow walks through a series of solutions—tool sets for grouping related functionality, dynamic tool discovery, and targeted context optimization—ultimately achieving a 49% reduction in initial context load with further cuts by consolidating CRUD tools down to roughly 40. A recurring theme is that elegant configurations go unused: most users stick to defaults, and only 17% enable read-only mode despite it being a clean win for enterprise use cases.
The talk dedicates substantial time to authentication and security: the pitfalls of plain-text long-lived access tokens, GitHub’s adoption of OAuth 2.1 with PKCE (which Morrow’s team added directly to GitHub’s authorization server), and why dynamic client registration was rejected due to unbounded app database growth. Morrow also addresses a public prompt injection exfiltration attack demonstrated by Invariant Labs, arguing the underlying ‘lethal trifecta’ vulnerability applies to virtually all agent architectures, not just GitHub’s MCP implementation.
📺 Source: AI Engineer · Published April 27, 2026
🏷️ Format: Deep Dive
