An MCP server exposes tools. delete_repository , create_charge , execute_query . The agent calls whatever it decides to call, and the server runs it. Nothing sits in between. Connect a coding agent to a GitHub MCP server and it can delete a repository as readily as it can read one. Point it at a Stripe server and create_refund is one tool call away from list_charges . The Model Context Protocol defines how tools are discovered and invoked. It does not define who is allowed to invoke what. An MCP