Back to Research

Manufact Brings MCP to the Cloud

A story-first look at Manufact (YC S25), MCP Cloud, and the permission boundaries Codex users should care about.

Cherokee Roses On A Light Gray Cloth, landscape painting by Martin Johnson Heade.
Rogier MullerJuly 3, 20269 min read

Manufact (YC S25) is trying to make MCP apps and servers feel deployable, testable, and observable instead of hand-wired into one developer laptop. That matters for AI coding because the value is not just faster code generation; it is whether agents can safely reach the systems real work depends on.

MCP is a standard way for an AI agent to discover and call external tools, data, and workflows through servers instead of bespoke prompt glue. The ai coding solutions roi for large teams conversation usually lands here: the return comes from repeatable integration boundaries, not from asking an agent to guess with more confidence.

What Manufact actually launched

Manufact (YC S25), built by cofounders Pietro and Luigi, launched as a cloud for MCP apps and servers. The team says it used to be called mcp-use, and it still maintains open source SDKs under that name.

The pitch is easy to understand if you have shipped a Next.js app on Vercel. Manufact wants to be that kind of production layer for Model Context Protocol apps: a place to ship, iterate, test, monitor, and share MCP servers without every repo inventing its own hosting story.

The interesting part is not that MCP exists. Developers already know how to expose a REST API, write a CLI, or paste a runbook into AGENTS.md. The interesting part is Manufact brings the production questions closer to the tool boundary: who can call this, what can it read, what can it mutate, and how do we know it worked?

The trap is treating MCP as magic. The launch drew the expected split: some people see MCP as the missing integration layer, while others think agents should just use human-friendly CLI tools. Both sides are partly right.

Why cloud MCP changes the coding loop

OpenAI Codex, OpenAI's coding agent, is strongest when the repo gives it clear context, runnable commands, and a narrow definition of done. MCP adds another surface: the agent can reach systems outside the checkout, such as GitHub issues, internal docs, staging telemetry, or a package registry.

A normal Codex loop might look like this in a service repo:

codex "Fix the billing retry bug from issue PAY-418. Use AGENTS.md. Run the targeted tests before editing unrelated files."
npm test -- billing/retry
npm run lint

With a well-scoped MCP server, the agent could also fetch the issue, inspect a read-only incident summary, and verify the expected API contract before touching code. That is a real day-to-day change. The agent spends less time asking for pasted context and more time comparing code against the same source material a developer would use.

The trap is giving the agent a power tool because the demo looks neat. A coding agent that can read an issue is useful. A coding agent that can close incidents, rotate secrets, or rewrite customer data from the same session is a different risk class.

The CLI objection is worth taking seriously

The strongest objection from the launch discussion was simple: agents are already good at using CLIs and REST APIs. If you document the command in AGENTS.md or a repo memory file, why add MCP at all?

That objection is fair. For a small repo, a purpose-built CLI can be faster, easier to debug, and friendlier to humans. A command like ./scripts/find-owner src/payments/retry.ts is transparent in a way many integrations are not.

MCP becomes more compelling when the integration needs discovery, standardized tool schemas, shared auth, hosted access, and monitoring across multiple agents or editors. In other words, it is less about replacing the CLI and more about making external capabilities inspectable and repeatable.

The trap is choosing MCP because it sounds more agent-native. If a CLI is stable, auditable, and already used by humans, keep it. Wrap it later only when the integration boundary is painful enough to justify another layer.

Put permission boundaries before clever tools

The practical question for Codex users is not “should we use MCP?” It is “what can the agent reach, and what proof do we require before accepting its work?” This is where ai coding solutions roi for large teams becomes less abstract: the gains survive only when integrations reduce handoff time without creating review debt.

Start with read-only MCP access. Let the agent retrieve issues, docs, package metadata, API schemas, and recent CI output. Keep writes behind human review until the workflow has boring evidence: stable tests, clear logs, and small blast radius.

A useful AGENTS.md boundary note is short enough that a developer will actually keep it current:

# MCP boundary
Codex may use MCP tools for read-only lookup of issues, docs, CI results, and service metadata.
Do not use MCP tools to write production data, change permissions, deploy services, or close incidents.
For any generated patch, run the commands below and include the output in the PR summary:

- npm test -- billing/retry
- npm run lint
- git diff --stat

That note does three jobs. It tells Codex what is allowed, tells reviewers what evidence to expect, and keeps the MCP server from becoming a quiet side door around normal code review guardrails.

For more examples in this lane, see the related Manufact (YC S25) MCP Cloud note and the broader related training topic.

Copy this fit table before wiring MCP

Use this table before turning a repo script or service API into an MCP server. It is intentionally small. If you need twelve rows to justify the integration, you probably need a narrower first version.

Candidate integration Fit for MCP Not fit yet Safe first permission
GitHub issue lookup Yes, if agents need issue context often No, if developers paste one issue per week Read issue, labels, comments
Internal docs search Yes, if docs answer coding questions No, if docs are stale or unowned Read pages and snippets
CI result lookup Yes, if failures are noisy across systems No, if npm test is enough locally Read job status and logs
Database inspection Sometimes, for schemas and fixtures No, for customer data mutations Read schema only
Deployment control Rarely as a first MCP No, until review and rollback are explicit Read deployment status
Repo helper CLI Maybe, if many agents need it No, if the CLI is already clear and local Run read-only subcommands

Permission-boundary note: the first MCP server should usually be read-only, scoped to one workflow, and paired with a verification command in AGENTS.md. Write access can come later, but only after reviewers can see exactly what the agent did outside the repo.

Common questions

  • Is Manufact replacing mcp-use?

    No. The launch description says Manufact is the cloud product, while mcp-use remains the open source SDK work the team built before the cloud. A practical way to think about it is SDK for building MCP pieces, cloud for running and operating them.

  • Is MCP better than giving Codex a CLI tool?

    Not always. A CLI is often better when the command is local, human-readable, and already part of the developer workflow. MCP is a better fit when the agent needs standardized discovery, hosted access, shared auth, or monitoring across tools.

  • How should a large engineering org measure return from AI coding tools?

    Measure the boring deltas: less context-pasting, shorter issue-to-PR time, fewer review corrections, and fewer failed verification loops. For ai coding solutions roi for large teams, the useful metric is not lines generated; it is accepted changes that pass tests with a clear audit trail.

  • What should stay read-only in a first MCP setup?

    Keep production data, permissions, deployments, incident state, and billing actions read-only or unavailable at first. Safe early reads include issue metadata, docs, CI logs, API schemas, and package information. The caveat is privacy: read-only access can still leak sensitive context into an agent transcript.

  • Does this change AI pair programming?

    Yes, but quietly. AI pair programming becomes less about one prompt producing a patch and more about a loop where the agent reads the same operational context a developer would check. The human still owns the judgment call, especially when the change touches permissions, data, or deploy paths.

Best ways to use this research

  • Best for: engineers deciding whether an MCP server is worth adding to an existing Codex workflow, especially when the alternative is a documented CLI or REST call.
  • Best first artifact: a short AGENTS.md boundary note that says which MCP tools are read-only, which actions are forbidden, and which commands prove the patch is safe.
  • Best comparison angle: compare MCP against the current human workflow, not against a perfect agent demo. If developers would not trust the underlying command, they should not trust an agent wrapper around it.
  • Best risk lens: treat external tool access as an application-security boundary. The agent is not just generating code; it is operating software connected to real systems.

Further reading

Next step

Pick one read-only integration your repo already depends on, and write the AGENTS.md boundary before you wire it to Codex. If the boundary feels fuzzy, the MCP server is not ready yet.

One methodology lens

One useful way to read this through our methodology is the Plan step: delegate first-pass decomposition and dependency mapping, review the sequencing and assumptions, and keep ownership of scope and priorities. If that split is still fuzzy, the workflow usually is too.

Related training topics

Related research

Ready to start?

Transform how your team builds software.

Get in touch