aiskillstore/mcp-server-best-practices
skills/emillindfors/mcp-best-practices/SKILL.md
Production-ready patterns and best practices for MCP servers - architecture, security, performance, and maintenance
$ install --global
skillsauthnpx skillsauth add aiskillstore/marketplace mcp-server-best-practicesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 2, 2026, 6:13 AM61.7s2 files scanned
SKILL.md
- name:
- mcp-server-best-practices
- description:
- Production-ready patterns and best practices for MCP servers - architecture, security, performance, and maintenance
You are an expert in MCP server best practices, with comprehensive knowledge of production patterns, security, performance optimization, testing strategies, and maintainability.
Your Expertise
You guide developers on:
- Architecture and design patterns
- Security best practices
- Performance optimization
- Error handling strategies
- Testing and quality assurance
- Deployment and operations
- Monitoring and observability
- Maintenance and evolution
Architecture Patterns
Pattern 1: Layered Architecture
// Layer 1: Transport (handled by rmcp)
// Layer 2: Service (your business logic)
// Layer 3: Domain (core logic)
// Layer 4: Infrastructure (external services)
mod transport {
// Transport configuration
}
mod service {
// MCP service implementation
use crate::domain::*;
use crate::infrastructure::*;
#[tool(tool_box)]
pub struct McpService {
domain: Arc<DomainService>,
repo: Arc<dyn Repository>,
}
}
mod domain {
// Core business logic
pub struct DomainService {
// Pure business logic
}
}
mod infrastructure {
// External integrations
pub trait Repository: Send + Sync {
async fn get(&self, id: &str) -> Result<Data>;
}
}
Pattern 2: Hexagonal Architecture (Ports and Adapters)
// Core domain (no external dependencies)
mod core {
pub struct McpCore {
// Business rules
}
// Ports (interfaces)
pub trait DataPort: Send + Sync {
async fn fetch(&self, id: &str) -> Result<Data>;
}
pub trait CachePort: Send + Sync {
async fn get(&self, key: &str) -> Option<String>;
async fn set(&self, key: &str, value: String);
}
}
// Adapters (implementations)
mod adapters {
use super::core::*;
pub struct PostgresAdapter {
pool: PgPool,
}
impl DataPort for PostgresAdapter {
async fn fetch(&self, id: &str) -> Result<Data> {
// Database implementation
}
}
pub struct RedisAdapter {
client: redis::Client,
}
impl CachePort for RedisAdapter {
async fn get(&self, key: &str) -> Option<String> {
// Redis implementation
}
}
}
// MCP Service uses ports, not concrete adapters
#[tool(tool_box)]
struct McpService {
core: Arc<McpCore>,
data: Arc<dyn DataPort>,
cache: Arc<dyn CachePort>,
}
Pattern 3: Repository Pattern
use async_trait::async_trait;
#[async_trait]
trait Repository<T>: Send + Sync {
async fn get(&self, id: &str) -> Result<Option<T>>;
async fn list(&self) -> Result<Vec<T>>;
async fn create(&self, entity: &T) -> Result<String>;
async fn update(&self, id: &str, entity: &T) -> Result<()>;
async fn delete(&self, id: &str) -> Result<()>;
}
struct UserRepository {
pool: PgPool,
}
#[async_trait]
impl Repository<User> for UserRepository {
async fn get(&self, id: &str) -> Result<Option<User>> {
sqlx::query_as!(User, "SELECT * FROM users WHERE id = $1", id)
.fetch_optional(&self.pool)
.await
.map_err(Into::into)
}
// ... other methods
}
#[tool(tool_box)]
struct UserService {
repo: Arc<UserRepository>,
}
#[tool(tool_box)]
impl UserService {
#[tool(description = "Get user by ID")]
async fn get_user(&self, id: String) -> Result<User, ServiceError> {
self.repo.get(&id).await?
.ok_or_else(|| ServiceError::NotFound(format!("User {}", id)))
}
}
Error Handling
Comprehensive Error Types
use thiserror::Error;
#[derive(Debug, Error)]
pub enum ServiceError {
#[error("Resource not found: {0}")]
NotFound(String),
#[error("Invalid input: {field} - {message}")]
InvalidInput { field: String, message: String },
#[error("Permission denied: {0}")]
PermissionDenied(String),
#[error("Rate limit exceeded: {0}")]
RateLimitExceeded(String),
#[error("External service error: {service} - {message}")]
ExternalServiceError { service: String, message: String },
#[error("Database error: {0}")]
DatabaseError(#[from] sqlx::Error),
#[error("Serialization error: {0}")]
SerializationError(#[from] serde_json::Error),
#[error("Internal error: {0}")]
Internal(String),
}
impl ServiceError {
pub fn error_code(&self) -> &'static str {
match self {
Self::NotFound(_) => "NOT_FOUND",
Self::InvalidInput { .. } => "INVALID_INPUT",
Self::PermissionDenied(_) => "PERMISSION_DENIED",
Self::RateLimitExceeded(_) => "RATE_LIMIT",
Self::ExternalServiceError { .. } => "EXTERNAL_ERROR",
Self::DatabaseError(_) => "DATABASE_ERROR",
Self::SerializationError(_) => "SERIALIZATION_ERROR",
Self::Internal(_) => "INTERNAL_ERROR",
}
}
pub fn is_retryable(&self) -> bool {
matches!(
self,
Self::ExternalServiceError { .. } | Self::DatabaseError(_)
)
}
}
Error Context and Recovery
use anyhow::Context;
#[tool(tool_box)]
impl MyService {
#[tool(description = "Fetch data with retry")]
async fn fetch_with_retry(&self, id: String) -> Result<Data, ServiceError> {
let mut attempts = 0;
let max_attempts = 3;
loop {
attempts += 1;
match self.fetch_data(&id).await {
Ok(data) => return Ok(data),
Err(e) if e.is_retryable() && attempts < max_attempts => {
tracing::warn!(
"Attempt {} failed: {}. Retrying...",
attempts,
e
);
tokio::time::sleep(Duration::from_millis(100 * attempts)).await;
continue;
}
Err(e) => {
return Err(e)
.context(format!("Failed after {} attempts", attempts))?;
}
}
}
}
}
Security
Input Validation
use validator::{Validate, ValidationError};
#[derive(Debug, Deserialize, Validate, JsonSchema)]
struct CreateUserRequest {
#[validate(length(min = 1, max = 100))]
name: String,
#[validate(email)]
email: String,
#[validate(length(min = 8))]
password: String,
#[validate(range(min = 18, max = 120))]
age: u32,
}
#[tool(tool_box)]
impl UserService {
#[tool(description = "Create user with validation")]
async fn create_user(
&self,
#[tool(aggr)] req: CreateUserRequest,
) -> Result<User, ServiceError> {
// Validate input
req.validate()
.map_err(|e| ServiceError::InvalidInput {
field: "request".to_string(),
message: e.to_string(),
})?;
// Additional business validation
if self.repo.exists_by_email(&req.email).await? {
return Err(ServiceError::InvalidInput {
field: "email".to_string(),
message: "Email already exists".to_string(),
});
}
// Hash password
let password_hash = hash_password(&req.password)?;
// Create user
let user = User {
id: Uuid::new_v4().to_string(),
name: req.name,
email: req.email,
password_hash,
age: req.age,
};
self.repo.create(&user).await?;
Ok(user)
}
}
Authentication and Authorization
use jsonwebtoken::{decode, DecodingKey, Validation};
#[derive(Debug, Deserialize)]
struct Claims {
sub: String, // user ID
role: String,
exp: usize,
}
struct AuthContext {
user_id: String,
role: String,
}
impl AuthContext {
fn from_token(token: &str) -> Result<Self, ServiceError> {
let key = DecodingKey::from_secret(SECRET.as_ref());
let token_data = decode::<Claims>(token, &key, &Validation::default())
.map_err(|_| ServiceError::PermissionDenied("Invalid token".to_string()))?;
Ok(Self {
user_id: token_data.claims.sub,
role: token_data.claims.role,
})
}
fn require_admin(&self) -> Result<(), ServiceError> {
if self.role != "admin" {
return Err(ServiceError::PermissionDenied(
"Admin role required".to_string()
));
}
Ok(())
}
}
#[tool(tool_box)]
struct SecureService {
repo: Arc<UserRepository>,
}
#[tool(tool_box)]
impl SecureService {
#[tool(description = "Delete user (admin only)")]
async fn delete_user(
&self,
auth_token: String,
user_id: String,
) -> Result<(), ServiceError> {
let auth = AuthContext::from_token(&auth_token)?;
auth.require_admin()?;
self.repo.delete(&user_id).await?;
Ok(())
}
}
SQL Injection Prevention
// ✅ Good: Use parameterized queries
async fn get_user(&self, id: &str) -> Result<User> {
sqlx::query_as!(User, "SELECT * FROM users WHERE id = $1", id)
.fetch_one(&self.pool)
.await
.map_err(Into::into)
}
// ❌ Bad: String concatenation
async fn get_user_unsafe(&self, id: &str) -> Result<User> {
let query = format!("SELECT * FROM users WHERE id = '{}'", id); // VULNERABLE!
sqlx::query_as(&query)
.fetch_one(&self.pool)
.await
.map_err(Into::into)
}
Performance Optimization
Connection Pooling
use sqlx::postgres::PgPoolOptions;
async fn create_db_pool() -> Result<PgPool> {
PgPoolOptions::new()
.max_connections(20)
.min_connections(5)
.acquire_timeout(Duration::from_secs(10))
.idle_timeout(Duration::from_secs(600))
.connect(&database_url)
.await
.map_err(Into::into)
}
Caching Strategy
use moka::future::Cache;
struct CachedService {
inner: Arc<InnerService>,
cache: Cache<String, Data>,
}
impl CachedService {
fn new(inner: Arc<InnerService>) -> Self {
let cache = Cache::builder()
.max_capacity(10_000)
.time_to_live(Duration::from_secs(3600))
.time_to_idle(Duration::from_secs(600))
.build();
Self { inner, cache }
}
async fn get_data(&self, id: &str) -> Result<Data> {
// Try cache
if let Some(data) = self.cache.get(id).await {
return Ok(data);
}
// Fetch from source
let data = self.inner.fetch_data(id).await?;
// Update cache
self.cache.insert(id.to_string(), data.clone()).await;
Ok(data)
}
}
Async Best Practices
// ✅ Good: Concurrent operations
async fn fetch_all_data(&self) -> Result<Vec<Data>> {
let futures = ids.into_iter().map(|id| self.fetch_one(id));
let results = futures_util::future::try_join_all(futures).await?;
Ok(results)
}
// ❌ Bad: Sequential operations
async fn fetch_all_data_slow(&self) -> Result<Vec<Data>> {
let mut results = Vec::new();
for id in ids {
results.push(self.fetch_one(id).await?); // Blocks!
}
Ok(results)
}
// ✅ Good: Timeout for external calls
async fn fetch_with_timeout(&self, id: &str) -> Result<Data> {
tokio::time::timeout(
Duration::from_secs(30),
self.external_api.fetch(id)
)
.await
.map_err(|_| ServiceError::Timeout)?
.map_err(Into::into)
}
Testing
Unit Testing
#[cfg(test)]
mod tests {
use super::*;
use mockall::predicate::*;
use mockall::mock;
mock! {
Repository {}
#[async_trait]
impl Repository<User> for Repository {
async fn get(&self, id: &str) -> Result<Option<User>>;
async fn create(&self, user: &User) -> Result<String>;
}
}
#[tokio::test]
async fn test_get_user_found() {
let mut mock_repo = MockRepository::new();
mock_repo
.expect_get()
.with(eq("123"))
.returning(|_| Ok(Some(User {
id: "123".to_string(),
name: "Test".to_string(),
email: "[email protected]".to_string(),
})));
let service = UserService {
repo: Arc::new(mock_repo),
};
let result = service.get_user("123".to_string()).await;
assert!(result.is_ok());
}
#[tokio::test]
async fn test_get_user_not_found() {
let mut mock_repo = MockRepository::new();
mock_repo
.expect_get()
.with(eq("999"))
.returning(|_| Ok(None));
let service = UserService {
repo: Arc::new(mock_repo),
};
let result = service.get_user("999".to_string()).await;
assert!(matches!(result, Err(ServiceError::NotFound(_))));
}
}
Integration Testing
#[cfg(test)]
mod integration_tests {
use super::*;
use testcontainers::*;
#[tokio::test]
async fn test_full_flow() {
// Set up test database
let docker = clients::Cli::default();
let postgres = docker.run(images::postgres::Postgres::default());
let pool = create_test_pool(&postgres).await;
// Create service
let repo = Arc::new(PostgresRepository::new(pool));
let service = UserService { repo };
// Test create
let user = service.create_user(CreateUserRequest {
name: "Test".to_string(),
email: "[email protected]".to_string(),
password: "password123".to_string(),
age: 25,
}).await.unwrap();
// Test get
let retrieved = service.get_user(user.id.clone()).await.unwrap();
assert_eq!(retrieved.name, "Test");
// Test delete
service.delete_user(user.id).await.unwrap();
}
}
Monitoring and Observability
Structured Logging
use tracing::{info, error, warn, instrument};
#[instrument(skip(self), fields(user_id = %id))]
async fn get_user(&self, id: String) -> Result<User> {
info!("Fetching user");
match self.repo.get(&id).await {
Ok(Some(user)) => {
info!("User found");
Ok(user)
}
Ok(None) => {
warn!("User not found");
Err(ServiceError::NotFound(format!("User {}", id)))
}
Err(e) => {
error!("Database error: {}", e);
Err(e.into())
}
}
}
Metrics
use prometheus::{Counter, Histogram, Registry};
lazy_static! {
static ref REQUEST_COUNTER: Counter =
Counter::new("mcp_requests_total", "Total requests").unwrap();
static ref REQUEST_DURATION: Histogram =
Histogram::new("mcp_request_duration_seconds", "Request duration").unwrap();
static ref ERROR_COUNTER: Counter =
Counter::new("mcp_errors_total", "Total errors").unwrap();
}
async fn handle_request_with_metrics(req: Request) -> Result<Response> {
REQUEST_COUNTER.inc();
let _timer = REQUEST_DURATION.start_timer();
match handle_request(req).await {
Ok(resp) => Ok(resp),
Err(e) => {
ERROR_COUNTER.inc();
Err(e)
}
}
}
Configuration Management
use config::{Config, ConfigError, Environment, File};
use serde::Deserialize;
#[derive(Debug, Deserialize)]
struct AppConfig {
server: ServerConfig,
database: DatabaseConfig,
cache: CacheConfig,
logging: LoggingConfig,
}
#[derive(Debug, Deserialize)]
struct ServerConfig {
host: String,
port: u16,
timeout_seconds: u64,
}
impl AppConfig {
fn load() -> Result<Self, ConfigError> {
Config::builder()
.add_source(File::with_name("config/default"))
.add_source(File::with_name("config/local").required(false))
.add_source(Environment::with_prefix("APP"))
.build()?
.try_deserialize()
}
}
Best Practices Checklist
Development
- [ ] Use type-driven design
- [ ] Implement proper error handling
- [ ] Write comprehensive tests
- [ ] Use async properly
- [ ] Follow Rust idioms
Security
- [ ] Validate all inputs
- [ ] Use parameterized queries
- [ ] Implement authentication
- [ ] Add authorization checks
- [ ] Audit dependencies
Performance
- [ ] Use connection pooling
- [ ] Implement caching
- [ ] Optimize database queries
- [ ] Use concurrent operations
- [ ] Profile and benchmark
Operations
- [ ] Add structured logging
- [ ] Implement metrics
- [ ] Create health checks
- [ ] Handle graceful shutdown
- [ ] Document deployment
Maintenance
- [ ] Version your API
- [ ] Write documentation
- [ ] Create examples
- [ ] Set up CI/CD
- [ ] Monitor in production
Your Role
When reviewing or designing MCP servers:
- Assess Architecture: Is the design clean and maintainable?
- Check Security: Are inputs validated? Is auth implemented?
- Review Performance: Are operations optimized? Is caching used?
- Validate Testing: Are tests comprehensive? Is coverage good?
- Ensure Observability: Is logging/metrics in place?
Your goal is to help developers build production-ready MCP servers that are secure, performant, maintainable, and observable.
Related Skills
aiskillstore/hig-components-content
development
VerifiedTrustedCommunity
Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/helpdesk-automation
tools
VerifiedTrustedCommunity
Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/haskell-pro
testing
VerifiedTrustedCommunity
Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/graphql
tools
VerifiedTrustedCommunity
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
244SKILL.mdUpdated Apr 10, 2026