C# got left behind in the AI Agent hype. So I fixed it! AgentDevKit

Orchestrating Secure AI Agents in C#: A Native Approach with MCP and Gemini

Current Situation Analysis

The .NET ecosystem currently faces a structural asymmetry in the generative AI landscape. While Python and TypeScript have rapidly matured with frameworks like LangChain and CrewAI, C# developers are often forced to choose between immature ports or overly abstracted wrappers that obscure model behavior. This gap is particularly problematic for enterprise backend engineering, where strict type safety, deterministic error handling, and secure integration patterns are non-negotiable.

Script-based agent frameworks frequently neglect the rigorous constraints required in production environments. They often rely on dynamic typing, ad-hoc security checks, and opaque execution flows that make debugging and auditing difficult. Furthermore, the industry is converging on the Model Context Protocol (MCP) as the universal standard for connecting AI models to local data sources and tools. Without a native .NET implementation that treats MCP as a first-class citizen, developers risk building brittle integrations that cannot leverage standardized tool connectivity or enforce enterprise-grade security policies.

The core challenge is not just enabling an LLM to generate text; it is orchestrating autonomous workflows where the agent can reason, plan, and execute actions against real infrastructure while maintaining strict boundaries. A native C# approach allows for compile-time validation of tool schemas, policy-driven security enforcement, and seamless integration with existing dependency injection and configuration systems, reducing runtime failures and security vulnerabilities inherent in dynamic agent frameworks.

WOW Moment: Key Findings

Comparing dynamic/script-based agent frameworks against a native C# orchestration model reveals significant advantages in reliability, security, and performance. The following analysis highlights the operational differences when building production-grade agents.

Approach	Type Safety	Runtime Overhead	Security Model	MCP Integration
Dynamic/Port Frameworks	Weak/Dynamic	High (Serialization/Interop)	Ad-hoc/Post-hoc	Wrapper Dependent
Native C# Orchestration	Strict/Compile-time	Low (Direct API)	Policy-driven/HITL	First-class Protocol

Why this matters: Native C# orchestration enables the compiler to catch schema mismatches before deployment. Security policies can be enforced via interceptors before tool execution, preventing unauthorized access rather than reacting after the fact. First-class MCP support ensures that tool discovery and invocation follow industry standards, reducing custom integration code and improving interoperability with external systems.

Core Solution

Building a secure, autonomous agent in C# requires a structured approach that separates tool definition, agent configuration, protocol integration, and security enforcement. The following implementation demonstrates a native pattern using Google Gemini for reasoning and MCP for tool connectivity.

1. Define Strictly Typed Tools

Tools should be defined as classes implementing a contract that enforces input/output types. This ensures the agent receives structured data and that the LLM's tool calls are validated against a schema.

public interface ITool
{
    string Name { get; }
    string Description { get; }
    Task<string> ExecuteAsync(object input);
}

public class DatabaseQueryTool : ITool
{
    public string Name => "execute_read_only_query";
    public string Description => "Executes a SELECT query against the analytics database.";

    public async Task<string> ExecuteAsync(object input)
    {
        var request = input as QueryRequest 
            ?? throw new ArgumentException("Invalid input type");
        
        // Implementation details omitted
        return await _repository.ExecuteQueryAsync(request.Sql);
    }
}

public record QueryRequest(string Sql);

2. Configure the Agent Orchestrator

The agent orchestrator manages the interaction loop, tool selection, and execution policy. It should be configured with a specific model client and a set of available tools.

var geminiClient = new GeminiClient(ApiKeyProvider.Get());

var dataAnalyst = new AutonomousWorker("DataAnalyst")
    .WithInstructions("Analyze data trends and generate reports. Use tools to fetch data.")
    .AttachTool(new DatabaseQueryTool())
    .AttachTool(new ReportGeneratorTool())
    .WithClient(geminiClient);

3. Integrate Model Context Protocol (MCP)

MCP allows the agent to discover and use tools from external servers without writing custom wrappers. The orchestrator should support loading tool definitions from MCP endpoints.

var mcpBridge = new McpBridge();
var config = McpConfig.Load("mcp-endpoints.json");

// Load tools from external MCP servers
var externalTools = await mcpBridge.DiscoverToolsAsync(config);

// Attach discovered tools to the worker
dataAnalyst.AttachTools(externalTools);

4. Implement Delegation Patterns

Complex workflows benefit from multi-agent delegation. A manager agent can delegate sub-tasks to specialized workers, enabling parallel execution and hierarchical reasoning.

var researcher = new AutonomousWorker("Researcher")
    .WithInstructions("Gather facts from web sources.")
    .AttachTool(new WebSearchTool())
    .WithClient(geminiClient);

var projectLead = new AutonomousWorker("ProjectLead")
    .WithInstructions("Coordinate research and compile final deliverables.")
    .AttachProxy(new SubordinateProxy(researcher, geminiClient))
    .WithClient(geminiClient);

5. Enforce Guardrails and Human-in-the-Loop

Security policies must be enforced before tool execution. Sensitive operations should require explicit approval, and interceptors should validate inputs to prevent attacks.

dataAnalyst.ExecutionPolicy = new SafetyPolicy
{
    OnToolInvocation = async (context) =>
    {
        // Validate inputs to prevent injection
        if (context.Args.Contains(".."))
            throw new SecurityViolation("Path traversal attempt detected.");

        // Require approval for sensitive tools
        if (context.Tool.IsSensitive)
        {
            var approved = await ApprovalService.RequestAsync(context);
            if (!approved)
                throw new AuthorizationException("Tool execution denied by policy.");
        }
    }
};

6. Handle Resilient Parsing

LLMs may occasionally produce malformed JSON when invoking tools. The orchestrator should include a self-correction mechanism that detects parsing errors and feeds the error back to the model for correction within a retry budget.

var orchestrator = new AgentOrchestrator(dataAnalyst)
    .WithRetryPolicy(new RetryBudget(maxRetries: 3))
    .EnableSelfCorrection();

Pitfall Guide

Production agent systems introduce unique failure modes. The following pitfalls and mitigations are derived from real-world orchestration experience.

1. Unbounded Execution Loops

   • Explanation: Agents may enter infinite loops if tools return ambiguous results or if the model fails to recognize task completion.
   • Fix: Implement strict iteration limits and timeout policies. The orchestrator must terminate execution after a maximum number of tool calls or elapsed time.

2. Prompt Injection via Tool Output

   • Explanation: If a tool returns untrusted content (e.g., from a web scrape), that content may contain instructions that alter the agent's behavior.
   • Fix: Sanitize tool outputs before injecting them into the context. Use separate context segments for tool results and isolate them from system instructions.

3. Ignoring JSON Hallucination

   • Explanation: Models may generate invalid JSON structures for tool arguments, causing runtime crashes.
   • Fix: Implement a self-correction loop that catches deserialization errors and requests the model to regenerate the tool call. Define strict JSON schemas for all tools.

4. Over-Delegation and Cost Explosion

   • Explanation: Creating too many agents or delegating simple tasks can lead to excessive API calls and latency.
   • Fix: Analyze workflow complexity before introducing delegation. Use flat hierarchies for simple tasks and reserve multi-agent patterns for complex, multi-step reasoning.

5. Static Tool Schemas

   • Explanation: If tool definitions change but the agent's schema is not updated, the model may invoke tools with incorrect parameters.
   • Fix: Dynamically generate tool schemas from code definitions. Ensure schema updates are propagated to the model context during initialization.

6. Missing Human-in-the-Loop for Destructive Ops

   • Explanation: Agents executing write or delete operations without approval can cause data loss or security breaches.
   • Fix: Classify tools by sensitivity. Enforce mandatory approval workflows for all tools marked as sensitive. Integrate with existing approval systems.

7. Context Window Overflow

   • Explanation: Long-running agents may exceed the model's context window, causing truncation and loss of critical information.
   • Fix: Implement context management strategies such as summarization of past interactions or sliding window buffers. Monitor token usage and trigger compaction when thresholds are reached.

Production Bundle

Action Checklist

• Define all tools using strict DTOs and implement ITool interface.
• Configure SafetyPolicy with interceptors for input validation and HITL approval.
• Set up MCP endpoints in configuration for external tool discovery.
• Enable self-correction with a defined retry budget for JSON parsing errors.
• Implement execution timeouts and maximum iteration limits.
• Add audit logging for all tool invocations and agent decisions.
• Test agent behavior with adversarial inputs to verify guardrails.
• Monitor token usage and implement context summarization for long tasks.

Decision Matrix

Scenario	Recommended Approach	Why	Cost Impact
Simple Data Retrieval	Single Agent with MCP Tools	Low latency, minimal overhead	Low
Complex Multi-Step Workflow	Manager/Researcher Delegation	Improved reasoning accuracy	Medium
High-Risk Operations	HITL + Sensitive Tool Classification	Prevents unauthorized actions	Human Cost
External System Integration	MCP Bridge	Standardized, secure connectivity	Low
High-Volume Processing	Parallel Agent Execution	Throughput optimization	High

Configuration Template

Use this template to configure agent behavior, security policies, and MCP endpoints.

{
  "agent": {
    "model": "gemini-2.0-flash",
    "maxTokens": 4096,
    "temperature": 0.2
  },
  "security": {
    "hitlEnabled": true,
    "sensitiveTools": ["delete_record", "update_schema"],
    "maxIterations": 10,
    "timeoutSeconds": 60
  },
  "mcp": {
    "servers": [
      {
        "name": "postgres-analytics",
        "command": "npx",
        "args": ["-y", "@modelcontextprotocol/server-postgres", "postgresql://..."]
      },
      {
        "name": "filesystem",
        "command": "python",
        "args": ["mcp_filesystem_server.py", "/data"]
      }
    ]
  },
  "retry": {
    "jsonCorrection": {
      "enabled": true,
      "maxRetries": 3
    }
  }
}

Quick Start Guide

1. Install Dependencies: Add the native agent SDK and MCP client packages to your .NET project.
2. Define Tools: Create classes implementing ITool for each action the agent can perform. Use strict input types.
3. Initialize Worker: Instantiate AutonomousWorker, attach tools, and configure the Gemini client.
4. Load MCP Config: Call McpBridge.DiscoverToolsAsync to load external tools from your configuration.
5. Execute: Run the agent with a prompt and handle the result. Ensure guardrails are active before production deployment.