
AI Learning Ramp

Tool use and MCP for governed analytics agents.

Course 8 is a one-hour systems session on designing tool schemas, execution loops, and MCP boundaries for a BigQuery copilot that can query safely without turning every external call into hidden model magic.

Course 8 of 24 | Published June 12, 2026 | Focus: tool use and MCP | Target: OpenAI / Anthropic interviews

System-Design Frame

Assume the BigQuery copilot can inspect datasets, fetch lineage, run dry-run estimates, execute approved SQL, create charts, and open tickets. The interview question is how you expose those capabilities as constrained tools: clear JSON contracts, least-privilege credentials, idempotent execution, observable receipts, retry policy, and MCP servers that do not leak authority across tenants or tool calls.

Course 8: Tool Use And MCP

One-hour objective: design a safe tool layer for an AI analytics agent and explain how OpenAI/Anthropic-style tool calls relate to MCP server tools, auth, retries, and sandboxed execution.

Write the tool contract checklist.

For one BigQuery tool, list purpose, JSON schema, caller identity, allowed side effects, timeout, retry rule, cost guard, and audit receipt.

Study OpenAI function calling.

Focus on tool definitions, structured arguments, strict schemas, parallel calls, and how the application remains responsible for executing the tool and returning results.

Compare Anthropic's tool-use loop.

Track the model-request cycle: the model requests a tool, the client executes it, and tool results are sent back for the next model turn.

Map MCP tools to an infra boundary.

Read the MCP tools spec for discovery, input schemas, optional output schemas, tool-call responses, and error reporting between clients and servers.

Design guardrails around execution.

Assign auth, sandboxing, retry caps, idempotency keys, dry-run gates, and human approval to the tools that can read data, spend money, or mutate state.

Deliver the interview synthesis.

Explain why the model chooses or requests tools, but the product still owns execution policy, credentials, observability, cost control, and incident recovery.
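The six steps above, condensed into one application-side policy gate for a single tool. This is an added example, not part of the course material: the tool name `run_approved_sql`, the 10 GiB cost limit, the caller dictionary, and the injected `estimate_bytes` / `run_query` backends are all hypothetical stand-ins for a real dry-run and query client.

```python
import hashlib
import time

# Hypothetical contract for one tool; the name and limits are assumptions.
CONTRACT = {
    "name": "run_approved_sql",
    "required": {"sql": str, "dataset": str, "idempotency_key": str},
    "max_bytes_billed": 10 * 1024**3,  # cost guard: 10 GiB per call
}
_done = {}   # (tenant, idempotency_key) -> receipt of an executed call
AUDIT = []   # one receipt per decision, allowed or not

def validate_args(args):
    """Strict schema: every required field present, correctly typed, nothing extra."""
    if set(args) != set(CONTRACT["required"]):
        raise ValueError("arguments do not match schema")
    for field, typ in CONTRACT["required"].items():
        if not isinstance(args[field], typ):
            raise ValueError(f"{field} must be {typ.__name__}")

def execute_tool(caller, args, estimate_bytes, run_query):
    """Gate the application runs for each model-requested call.
    caller comes from the authenticated session, never from model output."""
    validate_args(args)
    key = (caller["tenant"], args["idempotency_key"])  # scoped per tenant
    if key in _done:  # retry: replay the receipt instead of re-running
        return dict(_done[key], replayed=True)
    receipt = {"tool": CONTRACT["name"], "tenant": caller["tenant"],
               "sql_sha256": hashlib.sha256(args["sql"].encode()).hexdigest(),
               "ts": time.time(), "replayed": False}
    if args["dataset"] not in caller["datasets"]:
        receipt.update(status="denied", reason="dataset not granted to caller")
    else:
        est = estimate_bytes(args["sql"])  # dry-run gate before spending money
        receipt["estimated_bytes"] = est
        if est > CONTRACT["max_bytes_billed"]:
            receipt.update(status="needs_approval", reason="cost guard exceeded")
        else:
            receipt.update(status="ok", rows=run_query(args["sql"]))
            _done[key] = receipt  # only executed calls are replayable
    AUDIT.append(receipt)
    return receipt
```

The model only supplies `args`; tenant, dataset grants, and the cost ceiling live in application code, which is the boundary the interview synthesis asks you to defend.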

Course 8 Reading List

Use three required sources: one OpenAI tool-calling guide, one Anthropic tool-use guide, and the MCP tools specification. Keep the optional refresher for authorization only.

Required

OpenAI: Function Calling

Official guidance for defining tools, producing structured arguments, using strict schemas, handling parallel tool calls, and routing model-selected calls back through application code.

Read for: the concrete schema and execution-loop vocabulary needed to discuss tool use in OpenAI-style systems.

Required

Anthropic: Tool Use Overview

Anthropic's tool-use model for extending Claude with client tools and server tools, including when tools fit and how tool choice changes an agentic application.

Read for: the product boundary between model reasoning, client-side execution, and remotely hosted tools.

Required

Model Context Protocol: Tools

The core MCP tools specification: listing available tools, input schemas, optional output schemas, tool invocation, tool results, error handling, and safety considerations.

Read for: how to turn individual function calls into a protocol boundary for tool discovery and execution.

Optional Refresher

Model Context Protocol: Authorization

A focused refresher on MCP authorization for HTTP-based servers when credentials, tenant isolation, and tool access policy matter.

Skim for: the auth vocabulary to separate transport/session authorization from per-tool business authorization.

Readiness Checklist

You are ready for the interview version of this topic when you can design a tool interface and defend the operational controls around it.

Interview Drill: AI Infra System Design

Prompt: design a tool and MCP layer for a BigQuery analytics agent that can inspect schema, estimate query cost, run approved SQL, summarize results, and escalate risky requests.

Sources

  1. OpenAI: Function Calling
  2. Anthropic: Tool Use Overview
  3. Model Context Protocol: Tools
  4. Model Context Protocol: Authorization