What Statelessness Left on the Table

The 2026-07-28 MCP specification landed first as a release candidate locked on May 21, with the final publication scheduled for July 28. Where last month's stateless transition stripped out sessions, these clauses govern how the tool catalog gets cached, shared, and eventually retired. A server that dropped sessions but recomputes tools/list on every request hands the cost of statelessness right back, so cache safety and lifecycle operations are the work that remains.

ttlMs and cacheScope Open a Shared Cache

List and read results now travel with two fields modeled on HTTP Cache-Control. ttlMs carries a freshness hint in milliseconds, telling a client how long it may reuse a tools/list response before refetching, while cacheScope — introduced by SEP-2549 — takes 'public' or 'private' to declare whether that response may be shared across users. A catalog whose exposed tools differ per user must be private; only a catalog where everyone receives an identical list may be public.

From Active to Removed: A 12-Month Lifecycle

This release also pins down a feature lifecycle policy. Every feature moves through Active → Deprecated → Removed, with a minimum of 12 months guaranteed between a deprecation notice and the earliest possible removal. 2026-07-28 ships zero removals against three deprecations: tasks/list is removed in this cut, Roots, Sampling, and Logging are deprecated with documented replacements, and the 'resource not found' error code shifts from -32002 to -32602.

Wiring Cache and Deprecation Policy into the Gateway and Server

Start with target numbers. A tools/list cache hit rate of 70% or higher, zero cross-user cache-contamination incidents, header-based routing success at 99.9% or above, and deprecated-feature usage drained before its 12-month countdown reaches zero make a workable baseline. Without those four figures, caching degrades into a hunch about speed and deprecation into a vague "we'll fix it someday."

Failure splits four ways. First, emitting a per-user tool list as cacheScope=public, which lets an unauthorized user see someone else's tools — a permission leak. Second, ignoring ttlMs and polling on every call, so cost and latency spike together. Third, not monitoring deprecation alerts, so code built on tasks/list or Sampling breaks silently 12 months later. Fourth, keeping session-header routing at the gateway after the stateless move, which sends requests to the wrong instance and breaks routing.

Recovery differs by failure point. When contamination is detected, force the affected response's cacheScope down to private and invalidate the shared cache immediately. Because clients carry Mcp-Method and Mcp-Name headers on the Streamable HTTP POST, the gateway must route on those two headers rather than session affinity, and the server must read the protocol version and capabilities from _meta and implement server/discover to complete capability negotiation without a session.

Lock the operations checklist before deployment. Log the basis for each cacheScope verdict (whether the response is user-dependent), verify through pre-deploy scenarios that no user identifier leaks into the tools/list cache, and count calls to the deprecated tasks/list, Roots, Sampling, and Logging on a dedicated counter. Update any error handler that hardcoded -32002 to also accept -32602, and surface the share of legacy clients sending requests without the new headers on the dashboard.

The improvement loop turns on the deprecation countdown. Aggregate residual calls to deprecated features and contamination incidents weekly, then split the 12-month clock into four quarters and set a migration target of retiring 25% of the residual each quarter — that avoids a scramble right before the removal date. If the residual is not shrinking, the deprecation policy lives in meeting notes rather than in code.

Takeaways at a Glance

Surviving 2026-07-28 means caching with a boundary and managing deprecation by counter rather than by calendar. Split user-dependent lists as private and only shared-for-all lists as public, respect ttlMs to hold a 70% hit rate, move gateway routing onto the Mcp-Method and Mcp-Name headers while implementing server/discover, and drain the 12-month residual of the three deprecations quarter by quarter — then the same operational frame carries into the next spec.

References

The 2026-07-28 MCP Specification Release Candidate — Model Context Protocol

MCP 2026-07-28 spec: what changed, what breaks — stacktr.ee