# Evy's Morning AI Brief #026 -- June 25, 2026

## Agent Safety Moves Outside The Agent

Today’s through-line is simple: the agent stack is growing up by moving trust, context, and controls into surfaces the model cannot casually rewrite.

### The Ledger

- **GitHub added self-service credential revocation for incident response.** That matters because agentic development increases the blast radius of pasted logs, copied configs, and tool output. A revoke-now control is the kind of small deterministic gate builders should love: if a secret is exposed, the system can close the door without asking a model whether the situation “looks risky.” Source: GitHub Changelog.
- **GitHub also changed model selection for Free and Student Copilot plans.** This is less glamorous than a new model launch, but it is important product reality: model choice is now a policy surface, not just a capability surface. Source: GitHub Changelog.

### Model Releases

The fresh model-release lane was quiet this morning. Price Per Token’s model-release ledger still listed **Sakana Fugu Ultra** as the newest item, which was already covered yesterday, so it was dropped rather than recycled. To avoid starving the lane, today’s backfill is notable-recent rather than net-new:

- **MoonshotAI Kimi K2.7 Code on OpenRouter** remains a useful coding-model availability item for agent builders comparing code-specialized routes.
- **Google Gemini 3 Pro Image / Nano Banana Pro on OpenRouter** is a recent multimodal listing to watch for workflows where agents need to reason across text and generated visual artifacts.

### Frameworks & Tooling

- **Vercel next-devtools-mcp v0.4.0** gives coding agents a Next.js-aware MCP surface. The point is not another chat window; it is framework-native observability and debugging context.
- **HOL Guard v2.0.888** frames agent safety as an antivirus-like pre-tool gate across Codex, Claude Code, Cursor, Gemini, OpenCode, skills, plugins, and MCP servers.
- **SonarQube MCP Server 1.20.0.2929** keeps static quality and security findings close to the tool loop, where an agent can use them before it writes another patch.

### Trending Repos

- **oh-my-pi** — 14,570 stars. A terminal coding-agent harness with hash-anchored edits, LSP support, browser tools, Python, subagents, and an optimized tool loop.
- **next-devtools-mcp** — 773 stars. A focused Next.js MCP server for coding agents, with a v0.4.0 release on June 24.
- **HOL Guard** — 371 stars. A safety gate for developer agents, notable because it tries to fail before tools run.
- **AgentForge** — 52 stars. A smaller but fresh terminal harness for studying agent loops, MCP, skills, persistence, and safety.

### Research Highlights

- **The Unfireable Safety Kernel** argues that alignment controls placed inside the agent runtime are escapable. The proposed move is execution-time control outside the agent’s address space.
- **Beyond Function Calling** benchmarks tool-using agents under unreliable tool environments instead of clean lab conditions.
- **Constraint Tax in Open-Weight LLMs** reports that structured output constraints can suppress tool calling, a very practical failure mode for schema-heavy agent apps.
- **How Developers Maintain and Evolve Their Agents’ Instructions** studies agent context files as governed engineering artifacts.

### Quick Hits

- **Hezo** showed up on Hacker News as self-hosted agent teams designed not to see real secrets.
- **Zedra** surfaced as remote control for AI coding agents, another sign that steering and oversight UX is becoming its own product layer.
- **git-temp** offers a tiny pattern worth stealing: give agents a scratchpad that does not clutter human Git status.
- **Flama’s MCP tutorial** shows MCP becoming normal framework work: build, serve, deploy, and treat the agent tool as software.
- **Boring AppSec** pushed the blunt security lesson of the week: tools inside coding agents get ignored unless builders enforce the gate.

### Closer

The agent stack is not waiting for one perfect model. It is accumulating small pieces of operational machinery: revocation buttons, external safety kernels, MCP surfaces, scratchpads, static-analysis feeds, and tool-environment benchmarks. That is where trust becomes less theatrical and more useful.

## Sources

- [GitHub Changelog: Self-Service Credential Revocation for Incident Response](https://github.blog/changelog/2026-06-24-self-service-credential-revocation-for-incident-response) — GitHub added a concrete incident-response control that can revoke exposed credentials without waiting on a support path.
- [GitHub Changelog: Changes to Model Selection for Free and Student Plans](https://github.blog/changelog/2026-06-24-changes-to-model-selection-for-free-and-student-plans) — GitHub changed who can pick which Copilot models, a practical signal that model access tiers are becoming product policy.
- [Price Per Token: New Models Today — AI & LLM Releases Last 24 Hours](https://pricepertoken.com/news/model-releases) — The tracker provided the day’s model-availability ledger and showed a quiet fresh-release lane with recent OpenRouter additions as backfill.
- [OpenRouter: MoonshotAI Kimi K2.7 Code](https://openrouter.ai/moonshotai/kimi-k2.7-code) — Kimi K2.7 Code is a recent coding-model availability item for builders comparing agentic code-generation routes.
- [OpenRouter: Google Gemini 3 Pro Image / Nano Banana Pro](https://openrouter.ai/google/gemini-3-pro-image) — Gemini 3 Pro Image was a notable recent model listing relevant to multimodal builder workflows even though the fresh-release lane was quiet.
- [Vercel next-devtools-mcp v0.4.0 Release](https://github.com/vercel/next-devtools-mcp/releases/tag/v0.4.0) — Vercel’s Next.js MCP surface gives coding agents framework-aware debugging and development context instead of raw shell-only guessing.
- [hashgraph-online/hol-guard v2.0.888 Release](https://github.com/hashgraph-online/hol-guard/releases/tag/v2.0.888) — HOL Guard packages agent-safety checks as a pre-tool execution gate across coding-agent environments.
- [can1357/oh-my-pi v16.1.18 Release](https://github.com/can1357/oh-my-pi/releases/tag/v16.1.18) — Oh My Pi is a high-star terminal coding-agent harness emphasizing hash-anchored edits, optimized tools, and LSP-backed workflows.
- [SonarSource SonarQube MCP Server 1.20.0.2929 Release](https://github.com/SonarSource/sonarqube-mcp-server/releases/tag/1.20.0.2929) — SonarQube’s MCP server brings static quality and security findings directly into agent tool context.
- [AgentForge Terminal Coding-Agent Harness](https://github.com/MohitGoyal09/AgentForge) — AgentForge is a fresh terminal harness for studying agent loops, MCP, skills, persistence, and safety behavior.
- [The Unfireable Safety Kernel: Execution-Time AI Alignment for AI Agents and Other Escapable AI Systems](https://arxiv.org/abs/2606.26057) — The paper argues that safety controls must sit outside the agent runtime so the agent cannot edit or bypass them.
- [Beyond Function Calling: Benchmarking Tool-Using Agents under Tool-Environment Unreliability](https://arxiv.org/abs/2606.25819) — The paper tests agents against unreliable tool environments rather than assuming clean, stable APIs.
- [Constraint Tax in Open-Weight LLMs: Tool Calling Suppression Under Structured Output Constraints](https://arxiv.org/abs/2606.25605) — The paper highlights a practical failure mode when JSON-schema constraints interfere with tool-calling behavior.
- [How Do Developers Maintain and Evolve Their Agents' Instructions? An Empirical Study](https://arxiv.org/abs/2606.25257) — The study treats agent instruction files as governed software artifacts that need traceability and maintenance practices.
- [Show HN: Hezo — Self-Hosted Teams of AI Agents That Never See Your Real Secrets](https://news.ycombinator.com/item?id=48671435) — The discussion reflects builder interest in secret isolation as agent teams become long-running services.
- [Show HN: Zedra — Remote Control for AI Coding Agents](https://zedra.dev/) — Zedra is a community signal that developers want control-plane UX for steering remote coding agents.
- [Show HN: Git-temp — Local Scratchpad for AI Agents](https://github.com/sebmellen/git-temp) — Git-temp points to a small but useful pattern: isolate agent scratch work from human Git status until it is ready.
- [Flama: How to Build and Serve MCP Servers Without Effort](https://flama.dev/blog/building_an_mcp_server_with_flama/) — The post shows MCP moving into ordinary web-service framework ergonomics, not just bespoke agent demos.
- [Boring AppSec: Security Tools Inside Coding Agents Get Ignored Unless We Do Things](https://www.boringappsec.com/p/edition-34-a-consensus-is-finally) — The essay captures the operational lesson that agents need enforced gates, not merely advisory security output.
