Issue #4: The Stack Reconfigures: GENIUS Signed, MCP Breaks, and the First Server-Side RCE

Issue #4

GENIUS Act: The Stablecoin Floor

President Trump signed the Guiding and Establishing National Innovation for U.S. Stablecoins Act on July 18, 2025, after the Senate passed it 68–30 and the House 308–122 (Wikipedia, Nutter McClennen & Fish). Payment stablecoins become a discrete regulated category: neither security nor commodity. Key provisions are 100% reserve backing in high-quality liquid assets, monthly public reserve disclosures, and OCC oversight for nonbank issuers above $10 billion in outstanding stablecoins (TRM Labs).

Effective date: the earlier of January 18, 2027 (18 months post-enactment) or 120 days after primary federal regulators issue final rules (NYU Compliance & Enforcement Blog). Regulations are due by July 18, 2026; if met on time, the compliance clock could arrive as early as November 2026. The CLARITY Act, clarifying when a crypto asset qualifies as a security or commodity, passed the House the same day 294–134 and now awaits the Senate (Reuters).

Tether and the Foreign Issuer Pathway

Tether announced USDT will register under the foreign issuer pathway, with a three-year window to complete AML compliance and audited reserves (Mitrade). A separate U.S.-only stablecoin for institutional use is in development. Circle’s USDC, issued by a U.S. entity, is the immediate compliant rail for domestic agent payment flows. Compliance architecture decisions for USDC-denominated x402 flows need to start now. The 120-day rule clock may arrive well before the January 2027 fallback.

MCP July 28 RC: What Breaks and Why It Matters

The July 28 RC completes a stateless migration at the protocol layer, the most architecturally significant change since MCP’s initial release. Six Specification Enhancement Proposals formalize the shift (DEV Community).

The session concept is eliminated. The initialize/initialized handshake and Mcp-Session-Id header are removed. Client metadata, capabilities, and protocol version now travel in the _meta field on every request. Sticky sessions, shared session stores, and gateway body inspection for session IDs can be replaced with plain round-robin load balancers and header-based routing on the new Mcp-Method header.

The spec adds ttlMs and cacheScope fields to tools/list and resources/read responses, giving clients explicit cache lifetimes. SEP-2577 introduces a three-tier deprecation lifecycle (Active, Deprecated, Removed) with a 12-month minimum before removal. Roots, Sampling, and Logging are now deprecated; earliest removal is July 2027.

Breaking change: clients pinned to the 2025-11-25 spec must migrate before July 28. The Mcp-Method and Mcp-Name headers are now required on every request; servers must reject mismatches with the request body. Any team running remote MCP servers at scale needs a migration plan in hand before the spec ships.

CVE-2025-6514: The First Server-to-Client RCE

JFrog Security Research disclosed CVE-2025-6514 on July 9, 2025. CVSS 9.6 (SecurityBrief Asia, Vulert). The vulnerability affects mcp-remote versions 0.0.5 through 0.1.15, the widely deployed npm proxy used to connect LLM hosts such as Claude Desktop to remote MCP servers.

Attack vector: during the OAuth handshake, a malicious server returns a crafted authorization_endpoint URL. The proxy passes it unsanitized into an OS command. On Windows, this yields full arbitrary shell execution. On macOS and Linux, arbitrary executables can be invoked with limited parameter control (The Vulnerable MCP Project, SC Media). No user interaction is required beyond the initial server connection.

The fix, two lines of URL sanitization in src/lib/utils.ts, was committed July 8 and shipped in version 0.1.16. Maintainer Glen Maddern responded promptly (SC Media).

Prior MCP CVEs involved client-to-server vectors or tool-poisoning attacks. This one runs in the opposite direction: a server compromises the client OS. For x402-gated deployments where agents connect to third-party payment servers, CVE-2025-6514 defines a new vetting requirement. Any documentation distributed alongside an MCP server should explicitly tell client operators to verify they are running mcp-remote 0.1.16 or later.

x402 Ecosystem: The Foundation Roster

The x402 Foundation’s Premier membership now includes Adyen, American Express, Google, Fiserv, AWS, Mastercard, Cloudflare, Circle, Coinbase, Shopify, Solana, Stripe, and Visa (x402.org Ecosystem). Cloudflare co-founded the Foundation and ships native x402 support in Cloudflare Workers and AI Agents. Circle’s Agent Stack is built on x402 for gas-free, sub-cent USDC payments for autonomous agents.

With card networks, cloud providers, and stablecoin infrastructure at the Premier tier, x402 functions as the industry-consensus protocol for agentic payments. USDC is simultaneously the compliant stablecoin under GENIUS and the primary settlement token in the protocol’s reference implementation (Linux Foundation).

New Gen and the Visa IC Pattern

New Gen launched the first AI-native storefront platform in the Visa Intelligent Commerce sandbox on July 10 (PR Newswire). Storefronts are hosted on ai.brand.com subdomains; the same endpoint serves human users through conversational UI and agents through structured, programmatic product data. Embedded checkout eliminates redirects. AI-driven traffic to U.S. retail sites grew 1,200% between July 2024 and February 2025.

Identity Layer: VC 2.0 + Digital Credentials API

W3C published the First Public Working Draft of the Digital Credentials API on July 1, 2025 (W3C, W3C Blog). The API defines how browsers mediate selective disclosure from digital wallets: the browser presents a request, the user selects a credential, and the wallet returns a signed, encrypted response. Both Google and Apple are already shipping early implementations.

Verifiable Credentials 2.0 became a W3C Recommendation in May 2025 (W3C VC 2.0), specifying JSON-LD and SD-JWT encoding, zero-knowledge proof support, and post-quantum cryptographic modularity. Together, the two standards provide the identity primitive for agent commerce: an agent holds a VC 2.0 credential, presents it via the Digital Credentials API, and the counterparty cryptographically verifies authorization without API keys or OAuth tokens tied to a human account. For x402 payment flows, this is the mechanism for agent spending limits, authorization delegation, and compliance assertions. The standard is shipping in browsers.

Also This Week

JFrog MCP Server (July 17): JFrog launched a production-grade MCP server for its Software Supply Chain Platform, featuring OAuth 2.1 authentication, multi-tenant scoped access, and natural language vulnerability queries (SiliconANGLE). One of the first enterprise MCP server deployments explicitly aligned to the RC spec’s auth model.

Pietra AI Assistants (July 21): Pietra launched the first fully integrated agentic operations layer on a major e-commerce platform, serving over 300,000 brands (PR Newswire). Specialized agents cover sourcing, fulfillment, marketing, and analytics. Payment protocol not yet disclosed.

MCP Tool Annotation SEPs: Five new proposals expand the existing annotation schema (readOnlyHint, destructiveHint, etc.) to cover payment and rate-limiting semantics. MCP maintainers are pushing back on annotation bloat. Teams with concrete requirements for paymentRequired or rateLimit annotations should engage the SEP process directly.

Three layers of the stack reconfigured in ten days. The window to read the spec, patch the client, and structure the compliance architecture is the same window.

Agent Commerce Weekly is published for builders and analysts working on the infrastructure layer for autonomous commerce.