MCP & tool configuration for coding agents
The Model Context Protocol turned coding agents into something closer to an operating system. An agent no longer just writes a function — it opens terminals, runs shell commands, installs packages, calls APIs, and reaches into databases through a growing pile of MCP servers. The recurring pain isn't the model. It's everything around it.
New MCP servers ship every week with permissive, demo-grade defaults that are fine for a prototype and dangerous once an agent can read your filesystem. The integrated terminal the agent runs in doesn't load the same PATH or aliases as your real shell, so it picks the wrong node or the wrong DATABASE_URL. Every tool — Claude Code, Cursor, Copilot, Cline, Windsurf, Gemini — reads its rules from a different file, and those files quietly drift across tools and repos until nobody knows which policy is actually in force. And when the agent finishes, there's rarely a trail of which server it called, which command ran, or which file changed.
These are configuration and setup problems, not intelligence problems. This page collects the questions developers keep asking about setting up and hardening MCP and tools for coding agents — with concrete, tool-agnostic answers.
An MCP server has shell access to my whole machine — how do I lock it down without an enterprise security program?
Most MCP servers are prototypes with permissive defaults: fine for a demo, dangerous once an agent can read your filesystem. The failure modes are concrete — silent data exfiltration, an agent running rm -rf somewhere it shouldn't, or API keys ending up in someone's training data. You don't need a SIEM or a threat-model document. Five protections cover solo scale and take about 30 minutes:
- Sandbox untrusted servers. If you can't read every line of a server, it doesn't get host access. Run it in Docker (or a VM/LXC). A baseline is
docker run --rm --network=none --read-only --tmpfs /tmp -v $(pwd)/sandbox:/data <server>. Turn off networking for anything that doesn't legitimately need it; allowlist specific hosts for the ones that do. - Use a tool allowlist, not a denylist. Agents default to "call anything." List the tools you've actually vetted by name, and add a new server's tools one at a time — never a whole namespace via wildcard.
- Move secrets out of the env your agent can see. If the agent has shell access it can read
.env. Fetch secrets at runtime from a secret manager (export TOKEN="$(op read ...)") so nothing sensitive lives in the repo or the environment file. - Log every tool call locally.
teeMCP output to a timestamped file. When a run feels off, yougrepthe log; when it is off, you have evidence of what triggered it. - Keep a kill switch. One alias that
pkills every agent and stops MCP containers, for when a prompt injection from a web page sends an agent off the rails.
The full setup takes about 30 minutes; maintaining it costs roughly a minute per new tool. Skip the enterprise-flavored advice — the right question at solo scale is "what would I regret skipping?"
How 1DevTool solves this
How 1DevTool handles this: MCP Settings gives each project an explicit list of MCP servers and the tools they expose, so you're configuring an allowlist instead of inheriting "call anything," and the Environment Manager keeps per-project secrets out of the shared env an agent can read. See MCP Settings.
MCP made agents way more capable — but how do I know which servers are actually safe to install?
MCP solved capability and created a supply-chain problem. When a citation-verification server, a curated DevOps/SRE list, and an AI gateway for provider fallbacks all show up at once, the base model stops being the whole workflow — and every new server is code you're trusting with tool access. Two habits help.
First, separate trusted tools from experiments, explicitly. Keep a short list of servers you've vetted (ideally pulled from a curated or official catalog) apart from the ones you're just trying out, and don't let an experiment quietly inherit the same permissions as a proven tool. A new server on your machine is a new thing that can edit files, call APIs, or spend budget.
Second, treat verification as a workflow primitive, not an afterthought. Before a server's output becomes part of your work, you want to see what server was invoked, what evidence it returned, and whether a deterministic check passed — not just a confident chat message. The agent's confidence is not evidence. This matters most where verification sits near execution: if a server can edit files, call APIs, or cite sources, the check has to happen before that output lands.
Routing records matter for the same reason. Provider changes affect quality, cost, and risk, so a later review should be able to see which model did the planning, which did the edit, and which verified the result. That compact trail of decisions — which server ran, what it returned, which check passed — is what lets AI-assisted work survive a handoff instead of being reconstructed from memory.
How 1DevTool solves this
How 1DevTool handles this: MCP Settings shows exactly which servers are configured and what tools each one exposes, and the One-Click MCP Diagnostic verifies a server actually connects and responds before you rely on it. See MCP Settings.
My AI editor's terminal doesn't have my aliases and says `nvm: command not found` — why, and how do I fix it?
This shows up in every editor's issue tracker: the integrated terminal's PATH differs from your normal terminal, aliases are missing, nvm use fails. It isn't a bug — it's which kind of shell the editor spawns. A shell is one of three types:
- Login shell — runs
~/.zprofilethen~/.zshrc(Terminal.app, most SSH sessions). - Interactive non-login shell — runs only
~/.zshrc(tmux panes, most editor terminals). - Non-interactive shell — runs neither (scripts, task runners).
If your nvm/pyenv/rbenv or PATH setup lives in .zprofile, an editor terminal that spawns interactive-non-login never loads it — so you see missing aliases and "command not found."
The quick fix is to force login mode. In Cursor/VS Code settings, add a profile with "args": ["-l"] and make it the default; for JetBrains set the shell path to /bin/zsh -l; for tmux, set -g default-command "${SHELL} -l".
The durable fix is putting setup in the right file: environment variables that need to exist everywhere in .zshenv, once-per-login setup in .zprofile, and everything interactive (aliases, nvm/pyenv init) in .zshrc — which every interactive shell loads regardless of login status. Verify with echo $PATH; type nvm in both Terminal.app and the editor terminal; the output should match.
This matters for agents specifically. Claude Code, Codex CLI, and Aider inherit the editor terminal's environment. Wrong PATH means the agent runs the wrong node; a missing direnv/env load means the wrong DATABASE_URL. You get bugs that look like AI hallucinations but are really environment mismatches — an agent making correct decisions from incorrect context.
How 1DevTool solves this
How 1DevTool handles this: its terminals run as login interactive shells by default (the -l flag), so .zprofile always loads and an agent terminal opened in a project has the same environment a real shell would. Per-project variables load explicitly through the Environment Manager, and you can manage your PATH from inside the app instead of relying on direnv magic.
Every coding agent reads its rules from a different file — how do I keep one source of truth across Claude, Cursor, Copilot, Cline and the rest?
The complaint is specific: Claude Code reads CLAUDE.md, Cursor reads .cursorrules, Copilot reads .github/copilot-instructions.md, others read AGENTS.md. Team instructions drift across Claude, Cursor, Copilot, Windsurf, Cline, and Gemini until no two tools carry the same rules. One developer built a sync tool (Nymor) specifically because agent rule files fragment this way and teams want one canonical source.
It's the same problem teams hit moving from single-user AI experiments to shared workflows: agent rules, MCP servers, prompts, and skills all have to line up across the team, or every person re-derives the setup from scratch. The durable pattern isn't picking one tool — it's keeping the rules, routing, and setup in one place and projecting them into each tool's expected file, so a change happens once instead of six times.
Two things make this worth doing early rather than late. Drift is silent: these files are read by tools, not humans, so a section that quietly disappeared two months ago produces wrong agent behavior with no error to catch it. And retrofitting costs more: once the setup has scattered — config in different files, context in dead chats, the "real" rules living only on one person's machine — you're reconstructing the workflow instead of improving it. Build the shared layer up front and a new developer starts from a known setup instead of reverse-engineering the last twenty prompts.
How 1DevTool solves this
How 1DevTool handles this: MCP Settings is one place to configure MCP servers and agents across Claude, Codex, and OpenCode, so the setup doesn't live in a different file per tool — OpenCode joining MCP Settings is an example of the same config surface absorbing another agent. See MCP Settings.
How do I stop my `CLAUDE.md` from silently drifting across all my repos?
CLAUDE.md files drift for four reasons: they're read by tools not humans (so breakage is invisible), they aren't quite "code" (reviewers skim them), they aren't quite "docs" (doc review doesn't apply), and they're template-like (people delete sections they don't understand). The drift is rarely a deletion you notice — it's the security section that quietly vanished during an unrelated change two months ago.
The fix is the same as for any team-wide standard: a CI check. Enforce only cross-repo policy — security ("never commit secrets"), forbidden actions ("no --no-verify", "no force-push to main"), branch/PR rules, the list of authorized AI agents — and leave repo-specific sections (architecture, test commands) alone. The minimal version is a bash script that greps for required section headers and required phrases and exits non-zero if any are missing, wired into a GitHub Action on pull_request.
For 10+ repos, don't copy the script everywhere. Keep the required list in one central policy repo and have each repo's CI curl it and compare — updating policy becomes a single PR that every repo picks up on its next run. Some teams prefer auto-fix (append missing boilerplate) over fail-on-missing; that works for identical boilerplate but not for sections needing repo-specific content, so fail-on-missing is the better default.
This matters more for AI than for humans. An assistant reads the file cover-to-cover and treats every line as authoritative, so a missing "no --no-verify" line means it will happily bypass your pre-commit hooks. A 30-line script in CI is the cheapest team-wide AI policy enforcement you can buy.
How 1DevTool solves this
How 1DevTool handles this: keeping rule files consistent starts with being able to see the one that's actually in play. 1DevTool surfaces each project's configuration folders, so the CLAUDE.md and agent rules in force are visible per project instead of buried. The CI enforcement itself lives in your pipeline; this is the per-project rule visibility that makes drift easy to catch.
How do I wire up MCP for a specific domain like Power BI — and actually see what the agent did with it?
Once you move past generic code generation, MCP setup gets domain-specific fast. A real example from the threads: making Claude useful for Power BI work through MCP — prompts, Skills files, semantic-model cleanup, DAX, and measure creation. But the setup is only half the job; the other half is trusting the result.
Domain work multiplies the action surface: shell commands, package installs, migrations, file deletes, network calls, generated credentials, and test runners that can mutate local state. A chat transcript can't be the control plane for that. Three things make a domain MCP setup usable.
Context has to be searchable, not just present. A big repo is full of old experiments, generated files, and stale docs; giving the agent file access isn't the same as giving it useful context. The workflow should show which folder, file, or prior decision is actually in play, so the agent doesn't spend budget rediscovering what you already know.
Guardrails belong around actions. Distinguish read-only inspection from destructive commands, make approval decisions visible, and let a project declare which tools are allowed and which steps need a human. The point isn't to slow the agent down; it's to stop confusing speed with permission.
Runtime proof beats a polished explanation. Logs, command output, test results, and a link between the final diff and the run that produced it. Without that trail, review turns into archaeology — and false progress (an agent looping the same search, or claiming a test passed without showing the command) stays hidden. The pattern generalizes past Power BI: any domain server you add needs searchable context, action guardrails, and an evidence trail before you can trust its output.
How 1DevTool solves this
How 1DevTool handles this: MCP Tool Activity Badges surface which MCP server a coding agent invoked and when, and AI Activity Logs keep the command output and tool-call record attached to the run — so a domain setup's actions are reviewable instead of invisible. Use MCP Settings to add the domain server itself.
I'm juggling plugins, MCP, and multiple models across tools — how should I route between models and keep the token bill sane?
AI coding has spread from one assistant into a messy toolchain: Claude Code plugins with hooks/MCP/skills, Cursor users tracking whether specific Anthropic models are even available in their IDE, and a broader shift from cloud/model-locked agents toward bring-your-own and local models. Routing everything through the strongest model makes cost unpredictable and feedback slow; routing everything through the cheapest pushes quality failures downstream into debugging.
The practical answer isn't a universal model choice — it's deciding, per task, which one deserves expensive reasoning and where proof of completion has to appear. Two realities make this a config problem rather than a taste problem.
Model switching alone doesn't fix bad execution. A cheap model repeating the wrong tool calls is still expensive; a strong model working from stale context still wastes time. You need to see where tokens, time, and retries are going before you can decide whether the model, the prompt, or the workflow is the bottleneck.
Provider churn shouldn't rewrite your setup. Speed changes, billing changes, and quota 429s all push from different angles, and none is solved by loyalty to one provider. You want a layer above the provider that remembers the project rules and lets you swap engines without changing the whole operating model.
Visible routing also makes model comparisons less theatrical. If you can see which model planned, which edited, and which verified — plus what each one cost — you judge a workflow by operational quality instead of by one impressive answer.
How 1DevTool solves this
How 1DevTool handles this: the AI Agent Orchestrator coordinates work across agents rather than locking you to one, and the AI Usage Dashboard shows where tokens and cost are actually going, so routing decisions are informed instead of guessed.
Related features