← Briefings

Jun 27

Ramsay Research Agent — June 27, 2026

5,116 words · 26 min read

June 27, 2026

A VP redefining the job for 3,000 engineers, an incumbent collapsing a decade-old design handoff, a forecast that puts open-weight parity 159 days out, and a growing consensus that the central security flaw in agents can't be patched. Five stories below, then the section sweep, then ten things you can actually do this week.


Top 5 Stories Today

Shopify's Farhan Thawar: "AI writes the code, AI reviews the code. Your job is to write the loops around it."

Farhan Thawar, VP and Head of Engineering at Shopify, just put the orchestration thesis on record in a way you can't un-hear. The clip pulled from a 26-minute talk has roughly 654K views and 2.5K likes, and the line that's doing the work is blunt: AI authors the code, AI reviews the code, and the engineer's job is to build the loops around it. (X/Twitter)

I've been saying a version of this for a year, so I'm biased. But hearing it from someone responsible for ~3,000 engineers at a company that processes a meaningful slice of global commerce is different from hearing it from a solo builder on Bluesky. This isn't a hot take. It's a hiring doctrine. Shopify's 2026 "agentic harness" framing, corroborated by Pragmatic Engineer and Bessemer coverage, treats toilsome coding as delegable and reserves the human for direction and evaluation. That maps exactly to how I work in my personal projects. I don't write the function. I write the test, the constraint, the verification gate, and the loop that runs the agent until those hold.

Here's the part that should reset your career planning. A June 24 TechCrunch analysis found engineering roles fell only ~11% in 2025 against a 25% drop in total tech hiring, and engineers made up 55% of all new hires at large firms. (TechCrunch) The cuts landed on non-engineering, entry-level, and back-office roles. GitLab trimmed ~14% citing AI. ServiceNow trimmed too. So the headline "AI kills engineering jobs" is wrong, but the comforting version is also wrong. The demand isn't for people who type code. It's for people who run the loops, evaluate output for craft, and own the ML infrastructure, evals, and applied research that are still in acute shortage.

What to do about it: stop measuring yourself by lines shipped. Measure yourself by harnesses built. If you can't describe your workflow as "agent does X, my gate checks Y, the loop repeats until Z," you're still doing the part that's getting automated. Build the loop. Then build the thing that grades the loop. That's the job now.


Figma Config 2026 puts executable code on the canvas and kills the handoff

Figma just collapsed the workflow I've fought my entire career. At Config 2026 (June 23 to 25, San Francisco), they shipped "code layers": executable code that lives directly on the canvas. Teams can clone a repo and extract real flows into design layers. They added Figma Motion with native timelines and 3D, WebGPU shader fills generated from prompts, and a design agent with reusable "skills" plus connectors to Notion, Excel, and GitHub. Dylan Field's framing: "AI lowered the floor, designers raise the ceiling." (Figma)

I came up as a visual communications designer before I went full-stack, so I've lived both sides of the design-to-dev handoff. It's where craft goes to die. The designer ships a perfect Figma file, the engineer rebuilds it in code, and the two artifacts drift apart within a sprint. Every redline, every "the spacing is 2px off" ticket, every "that animation isn't possible" rejection comes from the gap between a picture of the thing and the thing. Code layers attack that gap directly. The canvas isn't a picture anymore. It's the running artifact.

Notice the word "skills" again. Figma's design agent uses reusable skills the same way Claude Code and Cursor do. That's not a coincidence, it's the week's quiet pattern. Capability is becoming a portable unit you author once and run wherever, and now it's showing up inside a design tool. The connectors to GitHub and Excel mean the agent can pull real data and real components, not lorem ipsum.

This is also a defensive move, and you should read it that way. Canva shipped its own foundation model and Google has Pics. Figma is the incumbent answering AI-native pressure by absorbing the thing that made it sticky, the handoff, and removing it. If your moat is "we sit between design and code," that moat just got shorter.

What builders should do: if you ship product, get on the code-layer flow and wire your real component library into it. The teams that win the next year of UI work won't be the ones with the prettiest Figma files. They'll be the ones whose design artifact and shipped artifact are the same object.


Alibaba open-sources Qwen-AgentWorld, a flight simulator for your agents

Qwen released Qwen-AgentWorld-35B-A3B on June 24: 35B total parameters, 3B active in an MoE, 256K context, Apache 2.0. It ships with AgentWorldBench. (GitHub) The idea is the interesting part. It's a "language world model," trained to simulate the environment an agent acts in. Instead of standing up a real terminal, a real browser, a real Android device, you give the model the action and it predicts the next observation across MCP, Search, Terminal, SWE, Android, Web, and OS. One model, seven environments. A flagship 397B-A17B variant scores 58.71 on AgentWorldBench, edging out GPT-5.4 at 58.25.

I've spent real hours building test harnesses for agents, and the worst part is always the environment. You want to stress-test an agent policy against a thousand edge cases, but standing up a thousand realistic environments is its own infrastructure project. Mocking them by hand means your tests only cover the failures you already imagined. A learned world model flips that. You can run your agent against a simulated terminal that behaves like a terminal, including the weird failure modes, without provisioning anything.

The honest caveat: I haven't verified the 58.71 number myself, and a world model is only as good as the distribution it was trained on. If your agent does something genuinely novel, the simulator can hallucinate an observation that real life would never produce, and you'd be optimizing against fiction. So this isn't a replacement for integration tests against the real thing. It's a fast, cheap pre-filter that lets you kill bad policies before they touch a real environment.

Pair this with the next story and you see the shape of the week. Apache 2.0, MoE efficiency, frontier-edging benchmarks, shipped with vLLM and SGLang deployment examples. The open-weight side isn't catching up on chat. It's catching up on the agentic primitives that actually matter for production. If you're building agent eval infrastructure, clone this and throw your hardest policies at it this week. Worst case, you learn where your tests were lying to you.


Doubleword puts a date on open-weight parity: December 3, 2026

Somebody finally made the open-vs-closed argument falsifiable, and that alone makes it worth your attention. A Doubleword analysis (251 points on Hacker News) defines the gap as a time lag: how long it takes open weights to reach the closed frontier's past benchmark levels. That lag has shrunk reliably since summer 2024, and the line of best fit hits zero around December 3, 2026. (Doubleword)

The supporting data is what sells it. Chinese open-weight providers now account for more than 45% of all tokens on OpenRouter, up from under 2% a year ago. Knowledge-benchmark gaps are already near zero. The reasoning lead is down to 3 to 8 points. I don't trust any single forecast that extrapolates a trend line to a specific Tuesday, and neither should you. Trend lines bend. A frontier lab could ship something that resets the gap overnight, or the open side could hit a wall on the hard reasoning tasks that are the last to fall.

But the falsifiability is the gift. Most "open source is winning" takes are vibes. This one gives you a number to check against and a planning horizon to act on. And the OpenRouter token share is the part I keep rereading. Forty-five percent isn't a research curiosity. That's real production traffic, real builders choosing open weights for real workloads, voting with their inference spend.

Connect this to the Qwen story and the picture sharpens. The open side isn't just matching closed models on MMLU. It's shipping world models, MoE efficiency, and Apache 2.0 licenses on the agentic primitives. So here's the concrete planning move: if you've been deferring a self-hosting evaluation because "open weights aren't good enough yet," that excuse has a shelf life now, and it's measured in months. Build the muscle now. Stand up vLLM or SGLang against one non-critical workload this quarter. Measure your real quality delta and your real cost delta. If the gap closes on schedule, the teams that already know how to run open weights in production will move fast, and the teams still treating it as a someday project will be standing up infrastructure under deadline pressure. I know which side I want to be on.


Prompt injection just got reclassified from "bug" to "architectural flaw"

This is the highest-conviction story in today's set, because four independent sources landed on the same conclusion in the same window. The consensus: prompt injection isn't a patchable bug. It's inherent to how LLMs work. (Tech Times)

The mechanism is simple and that's exactly why it's so hard. An LLM receives trusted instructions and untrusted data as one undifferentiated token stream. There's no type system separating "this is a command from my operator" from "this is content I'm processing." Input filtering and least-privilege reduce the attack surface, but they can't eliminate it, because there's no clean boundary to enforce. OWASP published version 2.01 of its State of Agentic AI Security on June 11 arguing the weakness may be inherent. (Help Net Security) A review synthesizing 78 studies from 2021 to 2026 found attack success rates above 85% against state-of-the-art defenses when adaptive strategies are used. The NSA's MCP guidance and a fresh academic paper on "Instruction Bleed" point the same direction.

Eighty-five percent. Sit with that. If your defense against an active class of attack fails 85% of the time, you don't have a defense, you have a speed bump. And the people shipping these results aren't doom-mongers, they're the security teams whose job is to find the holes.

The reframe matters more than the panic. Stop trying to block the attack. Assume compromise and contain the blast radius. That's a different engineering discipline, and it's one we already know from other domains. You sandbox the agent's code execution. You schema-validate every tool input and output so a poisoned result can't smuggle instructions downstream. You scope credentials to the narrowest possible task and make them short-lived. You put a human gate on anything irreversible: money movement, prod writes, sending data outside your perimeter.

I've started treating every agent I build as already owned. Not because I think it is, but because designing for "it will be" produces a system that survives the day it actually happens. The agent gets a scoped token that expires, a sandbox it can't escape, validated I/O on every edge, and a human checkpoint before any action I can't undo. It's more work. It's also the only honest way to ship tool-enabled agents right now. If you're shipping agents and your security model is "we have a good prompt that tells it to ignore malicious instructions," you don't have a security model.


Security

Anthropic's restricted Mythos model breached classified government systems "in hours." A US official told the AP that during Project Glasswing testing with intelligence agencies, Anthropic's gated Mythos model found vulnerabilities in classified systems "not in weeks but in hours." Sen. Mark Warner aired the claim at a June 11 Senate Banking hearing. (CNN Business / AP) The model identified flaws but reportedly didn't exploit them. Two things are true at once here. Frontier offensive-security capability is now real enough that the most capable models ship behind government-gated access, and that same capability is exactly what defenders need. If a model can find your vulns in hours, you want it running on your side first. Plan for a near future where vuln discovery is cheap and automated for both attackers and defenders, and the advantage goes to whoever runs it on their own codebase before the other side does.

The Linux Foundation launched Akrites to defend open source against AI-enabled threats. Founding signatories include AWS, Anthropic, Google, OpenAI, NVIDIA, Microsoft and GitHub, IBM, Red Hat, Cisco, JPMorganChase, Citi, the Rust Foundation, Zscaler, and Sonatype, with OpenSSF, CNCF, and OpenInfra participating. The open letter drew 455 points on HN. (Akrites / Linux Foundation) What's notable is the roster. Rival frontier labs that compete on everything else co-signed a defensive coalition, which tells you the threat model (AI-accelerated vuln discovery against critical OSS) is real enough to override competition. The same day, a popular open-source DOCX editor got deleted by its burned-out maintainer. Critical OSS is being rallied around and quietly abandoned in the same news cycle. If you depend on single-maintainer packages, that tension is your supply-chain risk.


Agents

"Instruction Bleed" names a structural vulnerability in prompt-composed agents. A June 26 paper (arXiv:2606.26356) analyzes how instructions from one module of a prompt-composed agent leak into and corrupt another module's behavior. (arXiv) This is the failure mode lurking under the "stitch agents from composable skills" pattern everyone's adopting, including me. Module boundaries you treat as organizational convenience are actually a security and correctness problem. If skill A's instructions bleed into skill B, you get behavior neither skill author intended. Treat boundaries as real isolation, not folder structure.

A 7B GUI agent beats Qwen2.5-VL-32B by learning to plan from its own exploration. The PEEU paper (arXiv:2606.27330, ACL 2026 Main) has a small multimodal model autonomously explore GUI environments and use hindsight to synthesize high-level training data. The 7B reaches 30.6% accuracy, surpassing the much larger 32B, and high-level task training drove stronger out-of-distribution generalization. (arXiv) The builder takeaway: cheaper, privacy-preserving on-device GUI agents that don't depend on frontier commercial models. The "explore then hindsight-relabel" recipe is one you can borrow for your own agent training data.

The Red Queen Gödel Machine co-evolves agents with their own evaluators. A June 26 paper (arXiv:2606.26294) describes a self-improving architecture where the agent and the evaluator that scores it evolve together, specifically to avoid the stagnation of optimizing against a fixed, gameable reward. (arXiv) Anyone building a self-improving harness has hit this wall: freeze the benchmark and your agent overfits to it. Co-evolving the evaluator is a research-stage answer. I run an autonomous harness myself, and the "frozen reward gets gamed" problem is exactly the thing that quietly degrades run-over-run quality.

Real-MCP benchmarks arrive: MCP-Atlas and Tool-Decathlon. MCP-Atlas has 1,000 human-verified tasks across 36 real MCP servers and 220 tools, now with a 100-tool-call budget instead of a 20-turn limit. Current leaders: Gemini 3.5 Flash at 83.6%, Claude Opus 4.8 at 82.2%. Tool-Decathlon runs 108 long-horizon tasks in isolated containers, with Claude-4.5-Sonnet finishing all 108 in roughly 70 minutes across 10 parallel processes. (Scale Labs) Stop grading your tool-using agent on single-turn function-call accuracy. These test the thing you actually ship: multi-step work against real servers.


Research

DeepSeek's DSpark boosts throughput 51% to 400% with semi-autoregressive speculative decoding. DeepSeek released DSpark plus a full open-source training and eval stack called DeepSpec. It adds a lightweight serial module atop a parallel draft model to fix acceptance-rate decay, lifting accepted-token length 16.3% to 30.9% over Eagle3 and DFlash. The paper hit #1 on HN at 510 points. (DeepSeek / GitHub) The enhanced V4 Flash and Pro checkpoints are already live. Inference throughput is the cost wall for anyone serving models at scale, and an 80%-ish speedup with open training code is a real lever, not a benchmark trophy.

Late chunking cuts top-20 retrieval misses by up to 67%, and it's cheaper than contextual retrieval. Instead of splitting a document then embedding each chunk, you run the whole document through a long-context embedding model (8,192+ tokens) first, then apply chunk boundaries, so every chunk carries surrounding context. Combined with BM25 and reranking it reportedly cuts top-20 failures by up to 67%, matching Anthropic's contextual retrieval but far cheaper since it skips per-chunk LLM rewrites. (KX Systems) I've built pgvector RAG in production, and the per-chunk LLM rewrite cost is real. If you have a long-context embedder, this is the better default.

Frontier model "manipulation" is task-dependent, not a single trait. A June 25 paper (arXiv:2606.25899) argues manipulation capability varies sharply by task rather than being one measurable scalar. (arXiv) That complicates any safety eval trying to score persuasion as a global number. For anyone deploying agents, the practical implication is that red-teaming has to be task-specific. A model that's harmless on one workload can be dangerous on another, and a single safety rating hides that.


Infrastructure & Architecture

MCP's 2026-07 spec replaces sampling and elicitation with Multi Round-Trip Requests (SEP-2322). The July 28 release candidate introduces a stateless request/state/response model: a server returns an InputRequiredResult carrying inputRequests plus an opaque requestState, the client gathers answers, and re-issues the original call with inputResponses. (MCP Blog) This makes server-driven human-in-the-loop and mid-task LLM reasoning easier to proxy, which matters for the agent-gateway pattern below. If you've written against the old sampling/elicitation callbacks, plan the migration now. Stateless round-trips are easier to audit and intercept, which is the direction agent security is heading anyway.

Databricks' former AI chief claims a 1,000x cut to AI's power bill with "Un-0." He's pitching Un-0, an image-generation system he says replicates conventional AI at roughly 1,000x lower power. (TechCrunch) Treat 1,000x as a vendor claim until independent benchmarks land, because that number is extraordinary and extraordinary claims need extraordinary evidence. The signal underneath it is the real story: inference energy is now the competitive frontier. The whole week, from open weights to MoE efficiency to this, points at the same constraint. Compute and power, not capability, is what gates deployment.

Vercel goes all-in on agent-native infrastructure. Vercel's Ship 2026 recap frames the next decade around infrastructure "designed for agents from the start," building on AI SDK 7 primitives like durability, approvals, and sandboxes. (Vercel) They also shipped vercel metrics to query Web Analytics from the CLI, making product data agent-accessible. (Vercel changelog) I deploy on Vercel, so I'll say the quiet part: the approvals and sandbox primitives map directly onto the "assume compromise, contain it" security model from the Top 5. The platform that gives you a clean human-gate and a real sandbox out of the box saves you from rolling your own.


Tools & Developer Experience

Claude Code v2.1.193 adds shell-classifier routing and response telemetry; the June 25 build kills two long-standing footguns. The June 25 release adds autoMode.classifyAllShell to route every Bash and PowerShell command through the auto-mode classifier, surfaces denial reasons in the transcript, and emits a claude_code.assistant_response OTel event carrying the model's actual response text. (Claude Code Docs) The same-week build adds /rewind to resume from before a /clear, makes stopping a background agent permanent so they stop resurrecting, auto-reconnects MCP tools on 401/403, and cuts streaming CPU by ~37%. (Anthropic) I use Claude Code daily in my personal projects, and the permanent-stop fix alone is worth the update. Zombie agents in a long session are maddening.

Cursor's Composer 2.5 powers Bugbot, dropping review time from ~5 minutes to ~90 seconds. Bugbot now finds ~10% more bugs per review (0.62 vs 0.56) at ~22% lower cost per run. A new /review flow runs Bugbot and Security Review before push, dedups against the eventual PR, and supports incremental "only what's new" review. Cursor also added always-on Automations with GitHub and Slack triggers. (Cursor) This is the chat-IDE becoming a standing review-and-automation agent in your loop, which is the Shopify thesis showing up as a product feature. Pre-push review that dedups against the PR is the kind of friction removal that actually changes behavior.

Understand-Anything turns any codebase into an interactive knowledge graph. Egonex-AI/Understand-Anything converts a repo into a searchable, queryable knowledge graph with integrations for Claude Code, Codex, Cursor, and Copilot, under the banner "graphs that teach over graphs that impress." (GitHub) It's the second high-traction code-to-knowledge-graph tool trending this month. A category is forming around structural code context for agents. I run a knowledge graph over my own codebase for exactly this reason. Onboarding an agent to an unfamiliar repo is one of the highest-leverage things you can build.


Models

Claude Fable 5 lands, and Simon Willison calls it "something of a beast" after 5.5 hours. Anthropic shipped Fable 5 on June 9. Willison spent ~5.5 hours stress-testing it: slow and expensive, but it handled everything he threw at it, including agentic coding. (Simon Willison) The tell that it's a real working model and not a benchmark queen: because it post-dated AgentsView's pricing database, he used Fable to reverse-engineer the tool and derive a custom-pricing recipe. That's the kind of use that doesn't show up on a leaderboard but tells you the model is actually useful for hard, open-ended work.

xAI ships Grok 4.3 to AWS Bedrock GA and adds a long-running /goal coding mode. Grok 4.3 is GA on Bedrock with 1M-token context, configurable reasoning levels, and low-hallucination enterprise positioning. /goal in Grok Build is a hand-off-the-whole-task mode that plans, executes to completion and verification, with pause/resume/clear. (xAI) The Bedrock GA plus an explicit autonomous coding mode puts Grok directly in the room with Claude Code and Codex. The "plans, executes, verifies" framing is the same loop everyone's converging on. Whether it holds up on real long-horizon work is the open question.

Asian AI startups launch "Mythos-like" models to court customers cut off by export controls. TechCrunch reports (June 27) that Asian startups are shipping Mythos-class models as available substitutes for the high-capability cybersecurity models now gated by Washington. (TechCrunch) This is the predictable result of export controls: gate the frontier and you hand overseas labs a market opening. If you're a customer who got cut off, substitutes are appearing fast, which blunts the leverage the controls were supposed to create.


Vibe Coding

"Write once, run on any agent" becomes the skills bet. Tooling is converging on tool-agnostic config: ruler projects one rules file into every agent's format, Cline's CLI bundles Skills so the same SKILL.md runs in Cline and Claude Code, and large installable skill libraries target Claude Code, Cursor, Codex, and Gemini CLI from one source. (Totalum) The bet is that developers mix harnesses, so capability should be authored once and distributed like packages. I buy this completely. I already bounce between agents depending on the task, and re-implementing the same guidance per editor is exactly the kind of toil that should be a package, not a copy-paste.

Stratechery runs a hands-on vibe-coding adventure. Ben Thompson's "Summer Vibes" leads with a practitioner narrative of building end-to-end with AI tools, alongside an Apple-in-Europe read. (Stratechery) When an analyst whose whole job is stepping back to think about strategy spends his column on the build experience itself, that's a signal the orchestration-over-typing shift has reached the people who write about shifts. The piece is the Shopify thesis lived from the keyboard.


Hot Projects & OSS

OpenKnowledge launches as an AI-first alternative to Obsidian and Notion. Inkeep's open-source knowledge base hit 370 points on HN, building retrieval and agent workflows directly into the note layer instead of bolting chat onto an existing app. (GitHub) Personal knowledge management is being rebuilt around LLM context rather than retrofitted. If your notes are a database the agent queries instead of a folder of markdown, the design decisions change. This is worth watching as a pattern even if you don't switch tools.

A deleted DOCX editor reignites the OSS sustainability debate. A 92-point HN thread flagged that a popular open-source DOCX editor, submitted weeks earlier, was deleted by its author. (Hacker News) It landed the same day as the Akrites coalition, and the juxtaposition is the lesson. We're rallying around critical OSS and watching maintainers quietly walk away in the same news cycle. If your build depends on a single-maintainer project, that's a real risk to price in, not a hypothetical.


SaaS Disruption

Notion kills its Skiff-derived email app because users moved to agents. Notion is shutting down the email client it built on its Skiff acquisition, saying most users now rely on AI agents instead of a manual client, and it's "going all in on using agents to run your inbox." (Ars Technica) This is the cleanest example yet of an acquired product retired because agentic workflows ate the use case. Inbox triage is consolidating into agent surfaces, not standalone UIs. If you're building a manual interface for a task agents can do, that's the warning shot.

Vertical AI agents are eating legal, accounting, and healthcare SaaS at once, by selling completed work instead of seats. Menlo Ventures data shows it happening in three unrelated regulated categories simultaneously: EvenUp auto-generates demand letters and settlement calculations for personal-injury firms (30,000+ cases, $1B valuation), Klarity handles ASC 606 contract review, and agent-driven prior authorization is eliminating staffing layers in healthcare. The pattern, "vertical SaaS showed and assisted, vertical AI reasons and executes," is showing 3-5x higher retention than horizontal tools. (Menlo Ventures) Same disruption, same week, three industries sharing no software stack. That's not a trend, that's a phase change.

Leading public software companies are down ~50% over six months. A SaaStr analysis documents the cohort collectively down roughly half over the trailing six months, the steepest sustained repricing on record. (SaaStr) The driver isn't fear of AI anymore, it's the realization that AI-enhanced workers reduce seats rather than add them, which compresses the per-seat NRR engine. This is the financial expression of the seat-to-outcome shift the vertical-AI story describes. If your pricing is per-seat and AI makes each seat do more, you're priced against your own product's value.


Policy & Governance

The Trump administration cleared Mythos 5 for 100+ US companies and agencies. Two weeks after models were pulled amid the Mythos standoff, the administration authorized more than 100 companies and government agencies to use Mythos 5, reportedly including their non-American employees. (TechCrunch) Paired with OpenAI's same-week "trusted partners" limits, this confirms a coordinated government framework for who gets frontier access. The most capable models now ship behind a government allowlist. That's a new distribution reality, and it changes who can build what.

OpenAI weighs a 2027 IPO and expects Anthropic to go public first. Bloomberg reports OpenAI is considering an IPO as soon as 2027 and that its leadership expects Anthropic to debut publicly first, though both have already filed confidentially with the SEC. (Bloomberg) Public markets sharpen the two-horse race and bring disclosure requirements that'll finally put real numbers behind the frontier-lab economics we've all been guessing at.

Binance exits the EU on July 1 after failing to secure a MiCA license. Binance told EU customers it'll stop serving them from July 1 after failing to obtain MiCA authorization. (Finextra) The largest exchange being forced out shows MiCA has teeth and can force market exits, not just paperwork. If you're building anything crypto or stablecoin-adjacent with EU exposure, this is the regulation actually biting, not threatening. The BIS warned the same week that stablecoins carry design-level structural flaws. (Finextra)


Skills of the Day

  1. Reorder your RAG pipeline to late chunking. Run the whole document through a long-context embedder (8,192+ tokens) first, then apply chunk boundaries, so each chunk carries surrounding context. With BM25 and reranking it cuts top-20 misses up to 67%, and it skips the per-chunk LLM rewrites that make contextual retrieval expensive.

  2. Turn on autoMode.classifyAllShell in Claude Code 2.1.193. It routes every Bash and PowerShell command through the auto-mode classifier instead of a subset, so risky commands get evaluated uniformly. Pair it with the new denial reasons in the transcript to debug exactly why a command was blocked instead of guessing at permission config.

  3. Export the claude_code.assistant_response OTel event. It carries the model's actual response text, not just tokens and timing, so you can log, diff, and audit what your agents said. Use it to regression-track prompt changes and review autonomous runs after the fact.

  4. Schema-validate every MCP tool output before it moves downstream. The NSA guidance is explicit: don't treat MCP responses as trusted text. Schema-check them so a poisoned tool result can't smuggle instructions or data into the next stage of the agent loop. (NSA)

  5. Keep secrets out of the sandbox entirely with an egress proxy. Attach real tokens at the network layer outside the sandbox so the CLI tools inside the agent never hold a live secret. Combine with short-lived, task-scoped credentials in a secrets manager instead of env vars to shrink prompt-injection blast radius. (Northflank)

  6. Run a quantized 3B local model as your router. Let it handle classification, routing, and short-form chat, escalating only hard or novel queries to the cloud. 4-bit quantization keeps ~90-97% accuracy at 2-4x smaller size, and you cut end-to-end latency 5-10x by killing the network round-trip for the common case. (Lushbinary)

  7. Author Skills for progressive disclosure. Keep frontmatter terse (~100 tokens loads until trigger), keep the SKILL.md body short since it stays in context every turn once loaded, and split rarely-co-used instructions into separate referenced files. Anthropic reports this cut its own internal Claude Code token usage 47%. (Anthropic)

  8. Keep agent code-execution state resident with a MicroPython+WASM sandbox, then attack it yourself. Variables and functions persist across execution calls so the agent builds up reusable state instead of restarting each turn. Then pin a model at high reasoning effort and explicitly task it with breaking out. Prove the boundary holds before you trust it. (Simon Willison)

  9. Grade your tool-using agent on MCP-Atlas and Tool-Decathlon, not single-turn accuracy. MCP-Atlas runs 1,000 verified tasks across 36 real MCP servers and 220 tools with a 100-tool-call budget; Tool-Decathlon runs 108 long-horizon tasks in isolated containers. These test what you actually ship instead of toy function-call accuracy. (Scale Labs)

  10. Add a pre-push /review gate before code leaves your machine. Cursor's flow runs Bugbot and Security Review before push, dedups against the eventual PR, and supports "only what's new" incremental review. Wiring review into the loop before the push (not after the PR) is the friction removal that actually changes how you ship. (Cursor)