← Back to Writing
Agentic AI

MCP, Agentic Workflows, and Guardrails: A Production Field Guide

What Model Context Protocol actually looks like in a real engineering workflow — how to set up context servers, build guardrails that earn trust, and integrate agents where they matter.

Author Bruno Mentges
Published April 2026
Reading time 15 min

Most engineering teams using AI today are stuck in the same place: they have a coding assistant, it autocompletes reasonably well, and nobody would call it transformative. The gap between "we have copilot" and "AI is part of our engineering process" is enormous — and it's not a model gap. It's a context gap.

Agents without context about your system give generic advice. They suggest patterns that contradict your architecture decisions. They scaffold pipelines that ignore your naming conventions. They generate code that doesn't account for the constraints your team learned the hard way over two years of production incidents.

I've spent the past two years integrating AI agents into data engineering workflows at a major B2B data platform — pipelines processing terabytes daily, dozens of engineers, hundreds of models. The agents that actually shipped and earned team trust weren't the smartest ones. They were the ones with the best context infrastructure underneath them.

That infrastructure has three layers: MCP for live infrastructure access, guardrails for trust boundaries, and a knowledge base for institutional memory. This article is a field guide to building all three.

MCP: what it actually is

Model Context Protocol is one of those things that sounds abstract until you use it, and then you wonder how you ever worked without it. Let me cut through the marketing.

MCP is not a framework. It's not a library. It's a protocol — a standardized way for LLM agents to access external data sources. Think of it as an API specifically designed for agent context. The agent is the client. Your infrastructure is the server. MCP defines how they talk to each other.

Before MCP, giving an agent context about your system meant one of two things: dump thousands of lines of code into a prompt (expensive, noisy, hits token limits) or accept that the agent would give generic advice based on its training data. Neither option works for production engineering.

MCP changes this by letting you build context servers — lightweight services that expose specific slices of your infrastructure in a structured format that agents can query on demand. The agent asks "what does the schema of this table look like?" and the MCP server returns the answer. The agent asks "what are the upstream dependencies of this pipeline?" and gets a precise graph. No prompt stuffing. No guessing.

The client-server model is the key insight. The agent doesn't need to know how your infrastructure works. It just needs to know how to ask questions through the protocol. This means you can swap out infrastructure without changing the agent, and you can upgrade agents without changing your servers.

MCP Client-Server Model CLIENT LLM Agent Claude Code Cursor / Codex any MCP client MCP Protocol structured queries + context responses SERVERS Pipeline Server Schema Server Code Server Docs Server The agent queries through MCP. Context servers answer. Your infrastructure stays behind the protocol boundary.

Setting up context servers in practice

For a data engineering team, I've found four context servers cover roughly 90% of what agents need. Here's what each one looks like and what makes the difference between a useful server and a noisy one.

1. Pipeline/orchestrator metadata server

This server exposes your workflow orchestrator's metadata: DAG definitions, schedule configurations, dependency graphs, recent run histories, task durations, and failure rates. When an agent needs to understand how a pipeline is structured or why a run failed, this is where it looks.

What makes it good: Expose the operational view, not just the config. An agent doesn't just need to know that Pipeline X runs at 06:00 UTC — it needs to know that Pipeline X's average runtime is 23 minutes, it failed 3 times last month, and its downstream consumers start at 07:00. The difference between config and operations is the difference between a map and ground truth.

2. Schema/warehouse metadata server

This server exposes your data warehouse structure: table schemas, column types, partition strategies, freshness metadata, row counts, and lineage. When an agent scaffolds a new model or reviews a query, this is its reference.

What makes it good: Include freshness and lineage, not just structure. Knowing that a table has 50 columns is useful. Knowing that it was last refreshed 3 hours ago, updates daily at 05:00, and feeds into 12 downstream tables is what changes an agent's output from "technically valid SQL" to "production-aware SQL."

3. Code repository context server

This server exposes your codebase structure: directory layout, file types, recent changes (last N commits per path), active branches, and code conventions. Not the full code — that's what the agent reads directly. This server provides the metadata about the code.

What makes it good: Surface change velocity and ownership. A file that hasn't been touched in 18 months needs different handling than one with 40 commits this quarter. Knowing who last modified a module helps agents understand context even when the code comments are sparse.

4. Documentation/conventions server

This server exposes your team's standards: naming conventions, testing requirements, PR checklists, style guides, and onboarding documentation. This is the "how we do things here" layer.

What makes it good: Be prescriptive, not descriptive. "We use snake_case for table names" is more useful to an agent than "table names vary across the codebase." If the conventions are aspirational rather than actual, say so — agents that enforce conventions the team doesn't actually follow lose trust fast.

Four Context Servers for Data Engineering Pipeline Server DAG definitions Schedules Run history Failure rates Operational view of workflow orchestration Schema Server Tables & columns Lineage Freshness Partitions Warehouse structure, types, and data health Code Server Repo structure Recent changes Active branches Conventions Codebase metadata and change velocity Docs Server ADRs Onboarding Runbooks Style guides Team standards and institutional documentation Agent Context Four servers, one unified context. Each exposes a different slice of your infrastructure.

A common mistake: building context servers that return too much data. An agent doesn't need a full table dump — it needs the schema, the freshness timestamp, and the top consumers. Think about what a senior engineer would look up when answering a question, and expose that. If a server response requires scrolling, it's too verbose.

The guardrails framework

Here's a pattern I've seen kill AI adoption at three different teams: someone builds a capable agent, it does something unexpected in production, and the entire initiative gets shut down. Not because the agent was bad — because there were no boundaries. One misstep costs months of trust.

Guardrails come before capabilities. Before you give an agent the ability to do anything useful, you define what it absolutely cannot do. This sounds backward — why limit the thing you're trying to make powerful? Because trust is the bottleneck, not capability. A limited agent that the team trusts will be adopted. A capable agent that the team fears will be shelved.

I use a three-zone framework:

Zone 1: CAN DO (autonomous)

Actions the agent can take without any human approval. These are read-only or low-blast-radius operations:

  • Read data — query schemas, inspect pipeline metadata, browse run histories
  • Generate code — produce code snippets, scaffold new files, write tests
  • Suggest changes — propose PR descriptions, recommend fixes, draft documentation
  • Review PRs — comment on pull requests, flag issues, check conventions

Zone 2: WITH REVIEW (supervised)

Actions the agent can prepare but a human must approve before execution:

  • Deploy suggestions — the agent can draft a deployment plan, but a human runs it
  • Modify configurations — the agent can propose config changes, but they go through normal review
  • Create tickets/issues — the agent can draft incident reports or feature requests for human review

Zone 3: CANNOT (hard boundary)

Actions that are off-limits regardless of context. These are non-negotiable:

  • Modify production data — no writes to production tables, no deleting records, no schema migrations
  • Merge code — agents can suggest, review, and approve, but the merge button is human-only
  • Skip tests — no bypassing CI/CD gates, no overriding quality checks, no "just this once" exceptions
Guardrails Framework: Three Trust Zones CAN DO Autonomous Read data & metadata Generate code Suggest changes Review PRs Zero blast radius WITH REVIEW Supervised Deploy suggestions Modify configs Create tickets Human approves CANNOT Hard boundary Modify prod data Merge code Skip tests / CI gates Non-negotiable Define boundaries first, expand capabilities later. Trust is the adoption bottleneck.

The key insight: guardrails aren't restrictions on what AI can do. They're the foundation for what AI is allowed to do. Every time the agent operates cleanly within its boundaries, trust compounds. And trust is what lets you gradually expand the "CAN DO" zone over time.

As I described in my experience integrating AI agents into data pipelines, the teams that defined guardrails first moved faster in the long run than teams that gave agents broad permissions and then pulled back after incidents.

Workflow integration patterns

Context servers give agents eyes. Guardrails give them boundaries. The next question is: where do agents actually plug into the engineering lifecycle? Not "where could they theoretically help" — where do they produce measurable value with acceptable risk?

After building five agents and watching which ones earned adoption and which ones got ignored, I've identified five integration points that consistently work:

1. Pipeline scaffolding

Trigger: Engineer starts a new pipeline or model. Context needed: Schema server (upstream tables), code server (naming conventions, directory structure), docs server (standards). Output: Pre-populated pipeline with correct naming, partitioning, tests, and documentation stubs. Guardrails: CAN DO — generates files only, no execution.

This cut new pipeline setup from 45-60 minutes to 15 minutes. The real win isn't speed — it's consistency. Every scaffolded pipeline follows the team's conventions because the agent reads them from the context server, not from memory.

2. Pre-review checks

Trigger: PR opened or updated. Context needed: Schema server (affected tables), pipeline server (downstream dependencies), docs server (conventions). Output: Comments on the PR flagging mechanical issues — missing null checks, partition skew risks, schema drift, convention violations. Guardrails: CAN DO — comments only, cannot approve or merge.

This freed senior engineers to focus on architectural review instead of catching mechanical issues. The agent handles the "did you remember to..." checklist so humans can focus on "should we..."

3. Incident context assembly

Trigger: Alert fires or on-call engineer escalates. Context needed: Pipeline server (run history, upstream status, failure patterns), schema server (recent changes to affected tables). Output: A context briefing — what failed, what changed recently upstream, similar past failures, affected downstream consumers. Guardrails: CAN DO — read-only assembly, no remediation actions.

This was the most impactful agent. At 3 AM, nobody wants to spend 20 minutes manually checking upstream statuses and cross-referencing recent deploys. The agent assembles the same context in seconds.

4. Documentation sync

Trigger: Code merged to main branch. Context needed: Code server (diff analysis), schema server (affected models), docs server (existing documentation). Output: Updated documentation reflecting code changes — model descriptions, column definitions, dependency notes. Guardrails: WITH REVIEW — docs are generated as a PR for human approval before merge.

Documentation that stays in sync with code is one of those things every team wants and nobody maintains. The agent handles the "what" (this model now has a new column, this pipeline added a dependency) and humans review to add the "why."

5. Architecture planning

Trigger: Engineer or tech lead starts planning a new feature or migration. Context needed: All four servers plus the knowledge base (architecture decisions, past failures, in-flight projects). Output: A structured plan draft with dependency analysis, risk flags, and references to relevant prior decisions. Guardrails: WITH REVIEW — the plan is a starting point for human refinement, never executed directly.

This is where the knowledge base matters most. An agent with only MCP can tell you which tables are involved. An agent with MCP plus the knowledge base can tell you that this migration pattern failed last year and what the team learned from it.

Agent Integration Points in the Engineering Lifecycle Plan Scaffold Code Review Deploy Operate Document Architecture Planning WITH REVIEW Pipeline Scaffolding CAN DO Pre-review Checks CAN DO Incident Context CAN DO Doc Sync WITH REVIEW CAN DO (autonomous) WITH REVIEW (supervised) Agents plug into existing steps. Each has explicit guardrail zones. No new interfaces to learn.

Notice the pattern: agents plug into existing steps in the engineering lifecycle. They don't create new workflows — they augment the ones the team already uses. This is critical for adoption. An agent that lives inside your PR process gets used. An agent that requires opening a separate tool gets ignored.

The missing layer: institutional memory

MCP gives agents real-time infrastructure data — the what of your system right now. Schema server knows your table structure. Pipeline server knows your DAG definitions. Code server knows your repo layout.

But there's an entire category of knowledge that doesn't live in infrastructure:

  • Why was this pipeline designed this way? What constraints shaped the decision?
  • The last three times the team tried to optimize this query, what approaches failed?
  • This failure pattern recurs every quarter-end due to seasonal data volume spikes — but that's nowhere in the DAG definition
  • The team standardized on a specific partitioning strategy six months ago — but that decision lives in a Slack thread, not in code
  • Two modules are being deprecated next quarter, and any new pipeline should route around them

This is institutional knowledge — the accumulated wisdom of the team, scattered across people's heads, old threads, postmortems, and design documents nobody maintains. MCP can't see any of it. And without it, agents produce work that is technically correct but architecturally naive.

The solution is a structured knowledge base — an LLM-maintained wiki that captures the institutional knowledge MCP can't reach. I've written about this in depth in The Knowledge Base Strategy: Giving AI Agents a Memory That Compounds, and I've open-sourced a template to build one: knowledge-base-template.

The knowledge base isn't a replacement for MCP. It's the complementary layer. MCP tells the agent what the system looks like. The knowledge base tells the agent why the system looks that way.

The full stack: MCP + Knowledge Base + Guardrails

This is where the three pieces come together into a complete context layer for production-grade AI agent integration:

  • MCP = eyes. Live infrastructure data. What the system looks like right now. Real-time, precise, infrastructure-scoped. The agent queries context servers to understand schemas, pipelines, run histories, and conventions.
  • Knowledge Base = memory. Institutional wisdom. Why the system looks that way. Compounding, synthesized, organization-scoped. Architecture decisions, postmortem lessons, domain rules, in-flight projects. The knowledge that code alone can't convey.
  • Guardrails = boundaries. Trust framework. What the agent can and cannot do. Three zones that earn adoption by making risk explicit. The foundation that lets the team say "yes" to agent integration instead of "maybe later."

Each piece is valuable on its own. Together, they're the complete context infrastructure that turns generic AI tools into team-specific engineering partners.

The Full Context Stack Eyes + Memory + Boundaries = Production-Grade AI Integration MCP Eyes Pipeline metadata Schema & lineage Code context Docs & conventions Real-time Precise Infrastructure-scoped Knowledge Base Memory Architecture decisions Postmortem lessons Domain rules In-flight projects Compounding Synthesized Organization-scoped Guardrails Boundaries CAN DO: read, generate REVIEW: deploy, config CANNOT: prod, merge Trust-earning Explicit Adoption-enabling LLM Agent full context eyes memory boundaries Production-Grade AI Integration Three layers, one agent. MCP gives eyes. KB gives memory. Guardrails give trust. Together: the complete stack.

Without MCP, agents guess about your infrastructure. Without the knowledge base, agents forget your organizational context. Without guardrails, agents don't get adopted. You need all three.

The order matters too. In my experience, starting with guardrails earns the trust that lets you build context servers. MCP context servers produce the immediate value that justifies investing in a knowledge base. And the knowledge base is what makes the entire system compound over time.

Getting started

If you're reading this and thinking "this sounds like a lot," here's the pragmatic path. You don't need all three layers on day one. You need one well-chosen entry point that earns trust and demonstrates value.

Step 1: Define guardrails (day 1)

Before you build anything, write down the three zones for your team. What can agents do autonomously? What needs review? What's off-limits? This takes an hour and it's the most important hour you'll spend. Without this document, your first agent incident will kill the initiative. With it, incidents become boundary refinements.

Step 2: Build one context server (week 1)

Pick the server with the most immediate value. For most data engineering teams, that's the schema/warehouse metadata server — agents use it constantly for code generation, review, and scaffolding. Get it running, connect it to your agents via MCP, and let the team experience context-aware AI assistance. The jump from generic suggestions to infrastructure-grounded suggestions is visceral. It sells the approach faster than any slide deck.

Step 3: Build your first agent (week 2)

Start with incident context assembly. It has the highest impact-to-effort ratio and the fastest team buy-in — nobody argues with "the thing that makes 3 AM pages less painful." Keep it in the CAN DO zone (read-only context assembly, no remediation actions). Let it prove itself.

Step 4: Start the knowledge base (week 3)

Ingest your most important institutional documents — three ADRs, two postmortems, your system topology doc. Use the knowledge-base-template to set up the structure. The knowledge base starts compounding from the moment you feed it the first document. Every agent you build after this point benefits from it.

Step 5: Expand (week 4+)

Add context servers. Build more agents. Ingest more institutional knowledge. The compound effect means each addition is more valuable than the last — the second agent benefits from the context the first agent's server already provides, plus whatever knowledge base content has accumulated since week 3.

Measure adoption, not capability. The metric that matters isn't "how smart is the agent" — it's "how many engineers use it regularly." Smart agents that nobody trusts produce zero value. Limited agents that the team relies on daily compound into transformative tools.

The bottom line

AI agents in engineering are production-ready. But their value is determined entirely by the context infrastructure underneath them.

MCP gives agents eyes into your live infrastructure — the what. A knowledge base gives them memory of your organization — the why. Guardrails define the boundaries that earn team trust — the how much. Together, they're the full context layer that turns generic AI into your team's AI.

The teams that will win with AI agents aren't the ones with the best models. They're the ones that build the context infrastructure to make those models genuinely understand their system. MCP is open. The knowledge base template is open. The guardrails framework is straightforward. The hard part isn't the technology — it's the organizational discipline to start with boundaries, build context systematically, and let trust compound.

Start small. Start with guardrails. Build one context server. Ship one agent. Let it prove itself. Then expand.

Ready to integrate AI into your engineering workflows?

I help teams build the full context layer — MCP, knowledge base, guardrails — so AI agents actually understand your system.

Book a Discovery Call Read the KB Strategy