Skip to main content
Springvanta
All posts
AI Developer ToolingMay 29, 2026 · 3 min read

MCP Goes Stateless as OpenAI Ships Enterprise Tunnels

MCP 2026-07-28 drops sessions entirely. OpenAI launches Secure MCP Tunnel for private servers. Claude Code fixes MCP subagent security in four releases.

By Springvanta

OpenAI launched Secure MCP Tunnels on May 27. Four days earlier, the MCP 2026-07-28 release candidate locked, and it removes the protocol's session state entirely. Two separate efforts solving one problem: MCP was built for developer laptops, and it needs to work on production infrastructure.

How OpenAI Secure MCP Tunnel Works

What shipped

OpenAI's Secure MCP Tunnel is an outbound-only proxy. You run tunnel-client inside your network, where it can already reach your private MCP servers. It opens an outbound HTTPS connection to OpenAI. ChatGPT, Codex, and the Responses API send MCP requests to an OpenAI-hosted endpoint; the tunnel forwards them to your servers and returns the response. No inbound firewall ports. No public listener on your MCP server. The server never leaves your network boundary.

Until now, connecting cloud-hosted AI products to private MCP servers meant either exposing them publicly or running the model on-prem. Tunnels give you a third option: the model stays in the cloud, the data stays in your network, and only the tunnel bridges them.

The MCP 2026-07-28 release candidate removes the initialize handshake and the session ID. Any MCP request can hit any server instance. No sticky sessions, no stateful routing. You can put MCP servers behind a standard HTTP load balancer and scale horizontally.

The RC also makes extensions a first-class concept. MCP Apps let servers ship interactive HTML interfaces. The Tasks extension handles long-running work. OAuth is hardened against issuer mix-up attacks. A deprecation policy gives the spec room to evolve without breaking existing implementations inside a 12-month window.

Why this week

These two changes solve different parts of the same bottleneck. MCP was designed for a local CLI tool connecting to a local MCP server over stdio. That works on a laptop. It breaks when you need 50 instances of an AI agent talking to a fleet of MCP servers behind a load balancer, which is what enterprise deployments look like.

The stateless spec solves the server side: no session state, horizontal scaling, standard infrastructure. OpenAI's tunnels solve the network side: private servers stay private, cloud-hosted agents still reach them. Put them together and MCP can handle deployments where uptime and security are actual requirements.

Claude Code this week

Claude Code shipped four releases (v2.1.150 through v2.1.153). The MCP-relevant changes:

  • v2.1.152 (May 27): Skills and slash commands can set disallowed-tools in frontmatter, stripping tools from the model while the skill is active. Auto mode no longer requires opt-in consent. A new MessageDisplay hook event lets hooks transform or hide assistant message text. /code-review --fix applies review findings to your working tree.
  • v2.1.153 (May 28): Fixed subagent MCP servers ignoring --strict-mcp-config and enterprise managed MCP policies, a gap where child agents could bypass MCP restrictions. Fixed stateful MCP servers reconnect-looping on tools/list. The claude agents dashboard got PR column display and autocomplete improvements.

The /code-review evolution is worth noticing. In v2.1.147 (May 21), /simplify was renamed to /code-review with effort levels. In v2.1.152, /code-review --fix applies findings automatically. And /simplify now invokes /code-review --fix under the hood. The command went from cleanup tool to full review-and-fix pipeline in one week.

What to do

If you're building AI agents that connect to business tools through MCP, two things changed this week:

  1. Stateless MCP means your server fleet can scale behind any HTTP load balancer without session affinity. Start testing against the RC now; the spec finalizes July 28.
  2. Secure tunnels mean you don't need to choose between cloud AI and private MCP servers. If you're running OpenAI products, point them at internal tools without opening inbound ports.

If you use Claude Code, update to v2.1.153. The MCP security fixes for subagents close gaps where child agents could ignore enterprise MCP policies.

Sources:

Continue reading

← Previous

An LLM Agent Stole a Database in 60 Minutes. You Still Can't Turn Yours Off.

Next →

Dev tool changelog: Claude Code's security fixes, Codex goals, Cursor canvases, and Antigravity's rough launch

Read more

Like this kind of writing?

One email when something good ships — usually once or twice a month.

SubscribeAll posts