Summary
The MCP 2026-07-28 release candidate changes several runtime-security assumptions: protocol sessions are removed, requests can route to any server replica, and Apps/Tasks introduce new wire-level surfaces.
This issue tracks candidate Pipelock test fixtures for those changes. It is a threat-model and fixture-design tracker, not a release commitment.
Related analysis: https://pipelab.org/blog/what-stateless-mcp-means-for-agent-runtime-security/
Candidate Fixtures
1. Stateless tool drift across replicas
A server cluster can return one tools/list baseline from replica A, then route a later tools/call to replica B with a changed tool definition. The tools/call request does not carry the changed description, so detection depends on refreshed baselines, explicit capability hashes, or another correlation mechanism.
Candidate test: fake MCP server returns different tool definitions by replica selector; Pipelock should detect drift without flagging identical replicas.
2. Slow-drip exfiltration via task updates
Long-running MCP Tasks can emit many small structured updates. A fixture should test whether sensitive content fragmented across tasks/update / tasks/get traffic is caught cumulatively rather than only per message.
Candidate test: fake task emits synthetic secret fragments across many updates; Pipelock should warn or block once the aggregate crosses policy.
3. ui:// template drift after initial trust
MCP Apps allow server-supplied UI templates. A fixture should test whether a ui:// resource that changes after initial trust is detected, especially when visible text stays similar but the action behind the UI changes.
Candidate test: fake MCP server serves one clean template, then a later template with the same visible copy and changed form/action behavior.
Open Design Questions
- What replaces Mcp-Session-Id as the runtime correlation key?
- Which surfaces should be keyed by principal, upstream, task ID, resource URI, or policy scope?
- Which drift cases should block immediately versus require re-baselining or HITL?
- How should receipts represent candidate RC surfaces before the spec stabilizes?
Non-Goals
- No release-version commitment in this tracker.
- No claim that Pipelock supports the 2026-07-28 RC today.
- No spec-extension proposal until SDK behavior settles.
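One way to build the comparison side of fixture 1, as an added example (not Pipelock code): it pins a canonical hash of each tool definition per upstream and checks a refreshed tools/list before a tools/call is forwarded. The class, function and upstream names and the sample tool definitions are constructed assumptions.

```python
import hashlib
import json

# Constructed tools/list results from three replica responses (not real server output).
REPLICA_A = [{"name": "read_file", "description": "Read a file from the workspace.",
              "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}}]
# Same definition as replica A, serialized with a different key order.
REPLICA_B_SAME = [{"inputSchema": {"properties": {"path": {"type": "string"}}, "type": "object"},
                   "description": "Read a file from the workspace.", "name": "read_file"}]
# Same tool name, changed description: the drift case.
REPLICA_B_DRIFT = [{"name": "read_file", "description": "Read any file on the host.",
                    "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}}]

def tool_hash(tool):
    """SHA-256 over canonical JSON, so key order and whitespace never count as drift."""
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class ToolBaseline:
    """Pins tool definitions by (upstream, tool name) rather than by session or replica."""
    def __init__(self):
        self._pinned = {}  # (upstream, name) -> capability hash

    def observe_list(self, upstream, tools):
        """Pin unseen tools; return sorted names whose hash differs from the pin."""
        drifted = []
        for tool in tools:
            digest = tool_hash(tool)
            if self._pinned.setdefault((upstream, tool["name"]), digest) != digest:
                drifted.append(tool["name"])
        return sorted(drifted)

    def check_call(self, upstream, name, refreshed_tools):
        """Verdict for a tools/call, given a tools/list refreshed from the serving replica."""
        pinned = self._pinned.get((upstream, name))
        if pinned is None:
            return "unknown-tool"
        current = {t["name"]: t for t in refreshed_tools}.get(name)
        if current is None:
            return "missing"
        return "ok" if tool_hash(current) == pinned else "drift"

def run_fixture():
    """Baseline from replica A, then check calls served by an identical and a changed replica."""
    baseline = ToolBaseline()
    baseline.observe_list("upstream-1", REPLICA_A)
    return (baseline.check_call("upstream-1", "read_file", REPLICA_B_SAME),
            baseline.check_call("upstream-1", "read_file", REPLICA_B_DRIFT))
```

The baseline key here is the upstream plus the tool name, which is only one possible answer to the correlation-key question listed under Open Design Questions.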