Debugging Through MCP — Wiring Agents to Real Data
MCP lets agents query your database, search your logs, and inspect your services. Used right, it dramatically tightens debug loops. Used wrong, it's a security disaster. Learn both sides.
When the Agent Can See Production
Model Context Protocol (MCP) is the open standard that lets an agent connect to external data sources and tools — databases, APIs, log systems, ticket trackers. As of 2026, MCP has 100M+ monthly downloads and 3000+ public servers. For debugging, it's transformative: the agent can run `SELECT * FROM users WHERE id=42` instead of asking you to do it. For security, it's a new surface area.
Where MCP shines for debugging
| Capability | Debugging use | Common server |
|---|---|---|
| Database query | "Show me the row this user complained about" | Postgres MCP, MySQL MCP, Supabase MCP |
| Log search | "Find every error from prod-api in the last hour" | Datadog MCP, Loki MCP, Sentry MCP |
| Issue tracker | "What other bugs reference this stack trace?" | Linear MCP, Jira MCP, GitHub MCP |
| Filesystem (sandboxed) | "Read the customer's uploaded file" | Built into Claude Code |
| Service health | "Is the redis cluster up?" | Custom MCP wrapping internal APIs |
A real debugging session via MCP
Three queries, one diagnosis. Without MCP this is 15 minutes of context-switching for the engineer.
```
Me: "User 8421 says they can't log in. Find their record."

Claude (via Postgres MCP):
  Query:  SELECT * FROM users WHERE id = 8421;
  Result: { id: 8421, email: "x@y.com", status: "suspended",
            suspended_at: "2026-04-22T14:33:00Z" }

  The user is suspended. Let me check why.

  Query:  SELECT * FROM audit_log WHERE user_id = 8421
          ORDER BY created_at DESC LIMIT 5;
  Result: ..."login_failed_threshold_exceeded"...

  Diagnosis: 5 failed login attempts triggered auto-suspension.
  Fix: unsuspend or reset, depending on policy.
```
Least privilege for MCP
Three rules: read-only, scoped tables, statement timeout. Together they get you 90% of the way to safe MCP database access.
```sql
-- Create a role for AI agents with read-only, time-boxed access
CREATE ROLE ai_debug NOLOGIN;
GRANT USAGE ON SCHEMA public TO ai_debug;
GRANT SELECT ON users, orders, audit_log TO ai_debug;
-- NOT: GRANT ALL, NOT: superuser, NOT: DELETE/UPDATE/INSERT

-- Then create a login user that inherits this role
CREATE USER ai_agent LOGIN PASSWORD '<generated>' IN ROLE ai_debug;

-- Set a reasonable connection limit
ALTER USER ai_agent CONNECTION LIMIT 5;

-- Set statement timeout to prevent runaway queries
ALTER USER ai_agent SET statement_timeout = '30s';
```
Production data needs extra care
- PII (emails, names, addresses): consider a redacted view, not the raw table
- Payment data: never. Use a sandbox with synthetic data instead.
- Multi-tenant data: scope queries to a specific tenant ID at the SQL level (RLS)
- Logs: redact tokens, secrets, headers before exposing through MCP
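
One way to implement the PII and multi-tenant items above in PostgreSQL, as an added example that is not part of the original lesson. The `tenant_id` column, the `ai_views` schema and the `agent_tenant_scope` table are assumed names; the roles are the ones created in the least-privilege SQL earlier.

```sql
-- Added example. Assumed columns: users(id, tenant_id, email, status,
-- suspended_at) and orders(tenant_id, ...). tenant_id, ai_views and
-- agent_tenant_scope are hypothetical names.

-- Which tenants each agent login may see. Keyed on session_user: a
-- non-superuser cannot change it, unlike a custom setting changed via SET.
CREATE SCHEMA ai_views;
CREATE TABLE ai_views.agent_tenant_scope (
    role_name text   NOT NULL,
    tenant_id bigint NOT NULL,
    PRIMARY KEY (role_name, tenant_id)
);
INSERT INTO ai_views.agent_tenant_scope VALUES ('ai_agent', 42);  -- constructed value
GRANT USAGE ON SCHEMA ai_views TO ai_debug;
GRANT SELECT ON ai_views.agent_tenant_scope TO ai_debug;  -- read by the policy below

-- PII: masked, tenant-filtered view. It runs with its owner's rights, so the
-- agent role needs no privilege on the raw table.
CREATE VIEW ai_views.users_redacted AS
SELECT u.id, u.tenant_id, u.status, u.suspended_at,
       regexp_replace(u.email, '^[^@]+', '***') AS email_masked  -- keeps the domain only
FROM public.users u
WHERE u.tenant_id IN (SELECT s.tenant_id
                      FROM ai_views.agent_tenant_scope s
                      WHERE s.role_name = session_user);
REVOKE SELECT ON public.users FROM ai_debug;
GRANT SELECT ON ai_views.users_redacted TO ai_debug;

-- Multi-tenant: RLS on a table the agent still reads directly.
-- Enabling RLS is default-deny for non-owner roles that have no policy, so
-- give existing application roles their own policy before enabling it.
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY ai_tenant_scope ON public.orders
    FOR SELECT TO ai_debug
    USING (tenant_id IN (SELECT s.tenant_id
                         FROM ai_views.agent_tenant_scope s
                         WHERE s.role_name = session_user));
```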
Common MCP debugging anti-patterns
| Anti-pattern | Why it's bad | Fix |
|---|---|---|
| Giving the agent prod write access | One bad query DROPs production | Read-only role; writes go through PRs |
| MCP server running as root in container | Container escape = host compromise | Run as non-root user, drop capabilities |
| No statement timeout | Agent's `SELECT *` on 10B-row table locks the DB | Set timeout at the role/user level |
| Returning every column to LLM | PII leaks into model provider's logs | Project specific columns; never `SELECT *` |
| No audit log of agent queries | Can't tell what the agent saw | Log every MCP-issued query with the session ID |
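
Checks for two of the fixes in the table above, as an added example that is not part of the original lesson: confirm the agent login really is read-only, then log every statement it runs. The `ai_agent` role is the one created earlier; the `mcp:<session-id>` application name is an assumed convention for the MCP server's connection string.

```sql
-- Added example; run as a superuser. ai_agent is the login role from the lesson.

-- 1. Effective write privileges, including anything inherited from PUBLIC
--    or from other roles. Expect zero rows.
SELECT n.nspname AS schema_name, c.relname AS table_name, p.priv
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN unnest(ARRAY['INSERT', 'UPDATE', 'DELETE', 'TRUNCATE']) AS p(priv)
WHERE c.relkind IN ('r', 'p')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('ai_agent', c.oid, p.priv);

-- 2. Can the agent create objects? Before PostgreSQL 15, PUBLIC holds CREATE
--    on schema public by default, so this returns true until it is revoked.
--    The REVOKE affects every role that relied on that default.
SELECT has_schema_privilege('ai_agent', 'public', 'CREATE') AS can_create;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Audit trail: log every statement this role runs.
ALTER ROLE ai_agent SET log_statement = 'all';

-- 4. Tag each log line with user (%u), application name (%a) and the
--    PostgreSQL session ID (%c). Assumption: the MCP server connects with
--    application_name = 'mcp:<session-id>' so %a carries the agent session.
ALTER SYSTEM SET log_line_prefix = '%m [%p] user=%u app=%a session=%c ';
SELECT pg_reload_conf();
```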
MCP for log debugging
Log searching is 80% of incident debugging. MCP turns it into one prompt.
```
Me: "User reports the upload failed. Find the relevant logs."

Claude (via Datadog MCP):
  Search: service:upload-api status:error user_id:8421
          last 1h
  Result: 3 hits. Top one:
          "upload failed: PutObject access denied (s3://...)"

  This is an S3 permissions issue, not a user issue.
  Recommend: check the IAM role for upload-api in staging.
```
When MCP is the wrong tool
- Bug reproduces only on the customer's machine — agent can't see their state
- Bug requires a specific browser/OS combo — needs a browser-using tool, not MCP
- Bug is in client-side JS the agent can't run — instrument with Sentry first, then MCP-search Sentry
“MCP turns the agent from a code generator into a system operator. Treat it that way.”
The big idea: MCP gives agents access to the same data you'd debug with — but at agent speed. Scope the access tightly, log the queries, and pair with structured logs. The right MCP setup turns a 30-minute debugging session into a 3-minute one. The wrong setup turns a debugging session into an incident.
