Skip to content
← Back to Blog
· Kersten Lorenz

Context7 and the infrastructure layer your AI agents are missing

agents engineering tools

In the previous post, I described four context failure modes that explain most AI agent disasters. Context pollution — where stale or hallucinated information enters the window and compounds — is the most common. Context7 is the most popular fix. With 44,000+ GitHub stars and 8 million npm downloads, it is the single most adopted MCP server in the ecosystem.

That popularity is earned. But a supply-chain vulnerability disclosed in February tells a more interesting story about what context engineering actually demands.

The problem, concretely

Ask any AI coding assistant to build a Next.js page with server-side data fetching. Without current documentation in the context, most models generate something like this:

// ❌ Pages Router — deprecated pattern
export async function getServerSideProps() {
  const res = await fetch('https://api.example.com/data')
  const data = await res.json()
  return { props: { data } }
}

export default function Page({ data }) {
  return <div>{data.title}</div>
}

This is getServerSideProps — a Pages Router pattern that Next.js has moved away from. The model is not wrong. It is working from training data that predates the App Router. The code compiles. It even runs. But it is the wrong architecture, and the developer who trusts it inherits technical debt from the first line.

With Context7 injecting current Next.js documentation into the context window, the same model produces:

// ✅ App Router — async Server Component
export default async function Page() {
  const data = await fetch('https://api.example.com/data')
  const posts = await data.json()
  return (
    <ul>
      {posts.map((post) => (
        <li key={post.id}>{post.title}</li>
      ))}
    </ul>
  )
}

Same model, same prompt. Different context, different output. That is the entire thesis of context engineering in one example.

What Context7 actually does

Context7 is an MCP server built by Upstash that injects up-to-date, version-specific documentation into the AI’s context window at query time. It indexes over 9,000 libraries, ranks results using a proprietary scoring algorithm, and serves them through two MCP tools: one to resolve a library name, one to fetch its documentation.

The developer experience is deliberately minimal. Add “use context7” to a prompt in Cursor, Claude Code, or any MCP-compatible client. The server identifies the library, fetches current docs, filters by topic, and injects the relevant snippets. The model never sees stale training data for that library — it sees the current source of truth.

A February 2026 architecture rewrite cut token usage by 65% and latency by 38% — server-side reranking instead of letting the LLM search and filter repeatedly.

The technical pipeline matters: documentation is parsed, enriched with LLM-generated metadata, vectorised into Upstash Vector for semantic search, scored, and cached in Redis. The quality stack includes source reputation scoring, automated benchmarks, and injection prevention. It is not a documentation mirror — it is a retrieval system designed specifically for what language models need.

MCP as the infrastructure layer

Context7’s dominance is not just about documentation. It is evidence that MCP — the Model Context Protocol — is becoming the infrastructure layer for context engineering.

The numbers tell the story: 10,000+ active MCP servers, 97 million monthly SDK downloads, first-class support in Claude, ChatGPT, Cursor, Gemini, and VS Code. In December 2025, Anthropic donated MCP to the Linux Foundation, co-founding the Agentic AI Foundation with OpenAI and Block. AWS, Google, Microsoft, and Cloudflare joined as supporting members.

MCP standardises how agents connect to external tools and data. Context7 is the most visible application: documentation as a service, delivered through a protocol that every major AI client already speaks. But the same pattern applies to any context source — databases, APIs, internal knowledge bases, monitoring systems. MCP makes context engineering composable.

If context engineering is the discipline, MCP is the plumbing.

This is why the MCP ecosystem matters beyond any single server. The companies building context architectures today are not locked into one tool. They compose multiple MCP servers — documentation, codebase search, project management, deployment status — into a context layer that gives agents what they need for the current task. That is progressive disclosure at the infrastructure level.

The trust problem nobody is talking about

In February 2026, security researchers at Noma disclosed a vulnerability called ContextCrush. Attackers could register malicious libraries on Context7’s open registry and inject poisoned instructions disguised as documentation. The MCP server delivered these instructions verbatim to AI coding assistants — which interpreted them as authoritative and executed them with full tool access.

The demonstrated attacks were severe: credential theft from .env files, data exfiltration to attacker-controlled repos, destructive file operations disguised as “cleanup”. Upstash deployed a fix within five days. No exploitation in the wild was confirmed.

But the architectural lesson is more important than the incident. Context7 solved context pollution from stale documentation. ContextCrush revealed a new form of the same failure mode: context pollution from adversarial injection. The model cannot distinguish between legitimate tool output and a planted instruction. It trusts what is in the window.

Context engineering is not just about what enters the window. It is about who you trust to fill it.

This is the epistemological challenge at the heart of agent architectures. Every MCP server, every RAG pipeline, every external data source is a trust boundary. The agent treats everything in its context as ground truth. If any source is compromised — or simply wrong — the downstream output inherits the error with full confidence.

What this means for your architecture

Context7 is a strong tool that solves a real problem. Use it. But it solves one failure mode in a system that has four, and the fix for one introduced a variant of another.

The infrastructure layer is maturing fast. MCP gives you composability. Tools like Context7 give you fresh documentation. But the context architecture — what enters the window, how it is structured, who is trusted to provide it, and when it gets refreshed — that is still engineering work that no tool automates away.

The model is only as good as the world you build around it. Build carefully.

Designing a context architecture for your AI agents? Let’s talk.