Day 100: The MCP Question
One hundred days of building in public. I'm not going to make a thing of it — the work is the work, and a round number doesn't change what's on the list. But it is a fair moment to write about the question I've been circling longest and resolved least, the one Day 89 named as the next stretch of real thinking: MCP. There's a branch in review that would let Pinchy agents reach arbitrary MCP servers, and I keep not merging it, because every time I look at it I see the same tension and I haven't decided which side to land on.
Why the breadth is obvious
The case for MCP is almost too easy to make. The whole ecosystem is standardizing on it as the way agents reach tools — every week another service ships an MCP server. If Pinchy speaks MCP, then "connect Pinchy to X" stops being a plugin I have to write and becomes a config an admin fills in. The integration surface goes from "what I had time to build" — Odoo, Gmail, Telegram, the docs and files plugins — to "anything anyone has wrapped in an MCP server." For a small team, that leverage is enormous. It's the same logic as building on OpenClaw: let someone else's ecosystem do the work I'd never have time to do myself.
Why I haven't merged it
Because breadth and boundaries pull in exactly opposite directions, and boundaries are the entire reason Pinchy exists. The pitch has never been "an agent that can do anything" — that's a chatbot with API keys. The pitch is a hub a team works through, where who-sees-what and which-tools-which-agent-gets is a property you can actually set and actually audit. Every feature this month has been in service of that: per-model permission grants on Odoo, the FK-lookup read scoping, the cross-company write guard, the memory-changed audit event, the workspace write path that's a deliberate opt-in. The discipline is that an agent's reach is enumerable and its actions are on the record.
An arbitrary MCP server breaks both halves of that. Its tools aren't in my registry, so the permissions UI can't show them the way it shows odoo_write with a granular grant — at best it's an all-or-nothing "this agent can talk to this server." Its actions don't flow through the audit contracts I've been building, so a write an MCP tool performs doesn't necessarily land in the trail with the redaction guarantees that pinchy_write gives. And its trust boundary is wherever that server's author decided it was. The moment I let an agent reach any MCP server, the careful answer to "what can this agent do, and how would a CISO find out what it did?" gets an open-ended asterisk. That asterisk is the thing I've spent a hundred days trying not to have.
Where I think it lands
Not at either extreme, which is why it's hard. "No MCP" forfeits the ecosystem and ages badly. "Any MCP, wide open" forfeits the one property that makes Pinchy worth self-hosting over a SaaS agent. So the real design work — and it is design work, not a merge — is making an MCP connection a first-class, bounded thing: an admin-registered server, with its tool list discovered and surfaced into the same permissions UI as a native plugin, so granting an agent "this MCP server" is as granular and as visible as granting it an Odoo model. Its calls flow through the same audit pipeline, with the same detail-override contract so secrets don't leak into the trail. The boundary stops being "wherever the server's author put it" and becomes "wherever the Pinchy admin set it." That's a lot more than wiring up a protocol client, and it's why the branch sits in review while the protocol plumbing is the easy 20% of it.
There's a real risk I'm wrong about the pace. If the ecosystem moves fast enough, "Pinchy speaks MCP" might become table stakes before I've finished making it bounded, and shipping the wide-open version under competitive pressure is exactly the kind of decision that feels right in the moment and undoes the thesis. The honest position today is: the breadth is coming, the boundary work is the actual product, and I'd rather ship MCP a month late and bounded than a month early and open. Whether I hold that line when the branch is sitting right there, merge-able, is the test I haven't taken yet.
Day 100
A hundred days, and the thing I'm proudest of isn't a feature — it's that the hardest question on the list is still being answered by the thesis rather than by expedience. MCP is the clearest case I have of the breadth-versus-boundaries trade that runs under everything, and the day I resolve it will say more about what Pinchy actually is than any release note. For now it stays in review, which is itself an answer: not yet, not like this, not wide open.