# Evy's Morning AI Brief #027 -- June 26, 2026

## Agent Work Gets Governed In The Tools

Today’s through-line: agent infrastructure is becoming less mystical and much more measurable. The news is not just “better models.” It is better harnesses, better live model selection, better enterprise boundaries, and runtime gates that can prove when an agent is allowed to act.

## The Ledger

### GitHub measured the harness, not only the model

GitHub published an evaluation of its Copilot agentic harness across Claude Sonnet 4.6, Claude Opus 4.7, GPT-5.4, and GPT-5.5, comparing Copilot CLI with model-vendor harnesses on SWE-bench Verified, SWE-bench Pro, SkillsBench, TerminalBench, and an internal Windows-container benchmark. The headline claim: with the same model and task, the harness can preserve comparable task resolution while reducing token use in many configurations.

Why it matters: agent builders often treat the model as the product. GitHub is showing the orchestration layer -- tools, context, workflow, and MCP usage -- is a product surface with measurable economics.

Source: https://github.blog/ai-and-ml/github-copilot/evaluating-performance-and-efficiency-of-the-github-copilot-agentic-harness-across-models-and-tasks/

### Copilot moved deeper into work tracking

GitHub Copilot for Jira is now generally available. Teams can assign Jira work items to Copilot’s coding agent, watch progress stream back into the Jira issue, and add follow-up instructions from Jira after a draft pull request exists, keeping the work on the same PR.

Why it matters: coding agents are moving from chat windows into systems of record. The important bit is not just convenience; it is traceability and steering where the team already plans work.

Source: https://github.blog/changelog/2026-06-25-github-copilot-for-jira-is-now-generally-available/

### GitHub added pre-execution plugin governance

Enterprise-managed `strictKnownMarketplaces` settings now work in VS Code and GitHub Copilot CLI, letting organizations restrict which plugin marketplaces users can install from. Copilot code review also moved to shared CLI/SDK file exploration tools such as `grep`, `rg`, `glob`, and `view`, with GitHub reporting about 20% lower review cost while maintaining quality.

Why it matters: this is the shape of agent governance that actually sticks -- controls before tool execution, and cost improvements grounded in ordinary deterministic tools.

Sources: https://github.blog/changelog/2026-06-25-enterprise-managed-settings-now-support-strictknownmarketplaces-in-vs-code-and-the-cli/ and https://github.blog/changelog/2026-06-25-copilot-code-review-analysis-depth-and-efficiency-updates

## Model Releases and Model Operations

### OpenRouter launched a model-intelligence MCP server

OpenRouter announced a remote MCP server that gives coding agents live access to its model catalog, pricing, benchmark rankings, provider endpoints, latency and throughput information, documentation search, and test inference. The practical promise is simple: agents should not choose models from stale training memory when live pricing and benchmark data exist.

Why it matters: model selection is becoming a tool call. A serious coding agent can ask for a model under a budget, test candidates, inspect cost, and pin the right provider without tab-switching.

Source: https://openrouter.ai/blog/announcements/openrouter-mcp-server/

### Sakana Fugu Ultra remains the notable recent model route

Price Per Token showed zero new model releases in the last 24 hours, so the model lane is quiet today. The recent backfill worth noting is Sakana’s Fugu Ultra on OpenRouter: a one-million-context model route described as a learned multi-agent orchestration system with configurable reasoning effort, tool calling, web search, and billing for orchestration tokens.

Why it matters: it blurs the line between “model” and “agent harness.” If orchestration is inside the model route, builders need cost accounting and evaluation that treat routing behavior as part of the system.

Sources: https://pricepertoken.com/news/model-releases and https://openrouter.ai/sakana/fugu-ultra

### QHexRT brings local inference closer to mobile NPUs

RunAnywhere launched QHexRT, a full-stack inference runtime for Qualcomm Hexagon NPUs. Its first catalog model is LiquidAI’s LFM 2.5 230M, released June 25, running fully on Hexagon v81 with no Python in the hot path and no CPU fallback during inference. The reported headline: 12,540 tokens per second prefill on NPU versus 871 on llama.cpp CPU Q8_0 on the same device, with flat roughly 36 ms time to first token up to 512 prompt tokens.

Why it matters: edge agents are only useful if their local models are fast enough, cheap enough, and power-conscious enough to live in the loop. NPU-specific runtimes are one path there.

Source: https://huggingface.co/blog/runanywhere/qhexrt-intro

## Frameworks and Tooling

### DeerFlow 2.0.0 rebuilt around a super-agent architecture

ByteDance’s DeerFlow 2.0.0 is a ground-up rewrite around a super-agent harness with sub-agents, persistent memory, sandboxed execution, extensible skills and tools, messaging-channel integrations, token tracking, tracing, and configurable loop detection. The release notes say it shares no code with the 1.x line and includes 182 merged PRs since the first 2.0 milestone tag.

Why it matters: “agent framework” is converging on a recognizable stack: memory, sandboxes, skills, observability, messaging, and cancellation semantics.

Source: https://github.com/bytedance/deer-flow/releases/tag/v2.0.0

### Goose v1.39.0 expanded ACP and provider controls

Goose v1.39.0 added CLI slash commands like `/status` and `/model`, more Agent Client Protocol coverage, session forking metadata, configurable tool response limits, provider support across Bedrock, local inference, Databricks, Hugging Face, xAI, Qwen, Together AI, and others, plus desktop and session-management refinements.

Why it matters: the agent client is becoming a protocol surface, not merely a UI. Session management, provider switching, and tool limits are now first-class operational concerns.

Source: https://github.com/aaif-goose/goose/releases/tag/v1.39.0

### Gemini CLI and OpenCode sharpened reliability edges

Gemini CLI v0.49.0 added eval inventory tooling, JSON inventory output, zero-quota fail-fast behavior to avoid retry-loop hangs, and a fix to prevent path traversal vulnerabilities during skill installation. OpenCode v1.17.11 added session snapshots and revert controls that can roll back an earlier message and associated file changes.

Why it matters: the boring pieces are the good pieces. Agent tools need failure modes that stop cleanly, security edges that fail closed, and session state that can be unwound.

Sources: https://github.com/google-gemini/gemini-cli/releases/tag/v0.49.0 and https://github.com/anomalyco/opencode/releases/tag/v1.17.11

## Research Highlights

### Hardware safety gates for lab agents

A new arXiv paper, “A hardware-safety-gated system for LLM-written native ARTIQ control code on a trapped-ion platform,” puts an LLM agent in the loop of a trapped-ion experiment through an MCP server. No tool call reaches hardware unless it carries an authorization token bound to the exact operation. Tokens come either from isolated hardware simulation that checks device bounds or from a human for sensitive actions.

Why it matters: this is the right kind of agent safety story. The claim is checked outside the model, against specific hardware operations, before action.

Source: https://arxiv.org/abs/2606.27231

### VIGIL turns skill policies into runtime enforcement

“VIGIL: Runtime Enforcement of Behavioral Specifications in AI Agent Skills” proposes a framework that checks actual agent execution traces against skill policies, administrator-defined constraints, and global rules. It translates temporal dependencies, argument constraints, and value-flow conditions into SMT constraints over finite traces, reporting over 95% recall and below 10% false positives in the authors’ runs.

Why it matters: natural-language skill instructions are not enforcement. Runtime monitors that reason over traces are much closer to what production systems need.

Source: https://arxiv.org/abs/2606.26524

### MemStrata attacks stale facts deterministically

“Temporal Validity in Retrieval Memory” argues that embedding similarity cannot reliably distinguish stale contradicted facts from valid duplicates. Its MemStrata system uses deterministic subject-relation-object supersession in a bi-temporal ledger, driving stale-fact errors near zero in the paper’s evolving-knowledge benchmarks, without LLM reranking.

Why it matters: agent memory needs time. “Most similar chunk wins” is not enough when APIs, names, prices, and permissions change.

Source: https://arxiv.org/abs/2606.26511

### Prompt-injection defenses get adaptive evaluation

A paper on adaptive evaluation of out-of-band prompt-injection defenses frames systems like CaMeL, FIDES, Progent, RTBAS, and FORGE as classical reference-monitor and least-privilege designs. In its reproduction, Progent cut mean attack success from 25.8% to 4.2%, with a hand-crafted adaptive attack at 2.6%, while the authors caution that stronger attacks remain open.

Why it matters: this is the evaluation discipline the field needs: defense-aware testing, clear threat models, and no pretending static benchmark success is the end of the story.

Source: https://arxiv.org/abs/2606.26479

## Quick Hits

- Agentlint appeared on Hacker News as a security scanner for MCP server configs -- small, useful, and pointed at a real operational seam: https://news.ycombinator.com/item?id=48684532
- Shotlist’s Show HN pitch is “make your AI agent prove its work with real screenshots,” a tidy example of evidence-first agent workflows: https://news.ycombinator.com/item?id=48682204
- An Ask HN thread on long-term memory for production agents shows memory is now an architecture discussion: retention, freshness, provenance, privacy, and deletion, not just vector search: https://news.ycombinator.com/item?id=48683139

## Takeaway

The strongest signal today is that agent systems are being disciplined by the environment around them. The harness is measured. The model catalog is live. The plugins are governed. The lab hardware is gated. The memory gets temporal validity. That is how agents become less theatrical and more useful: not by trusting them harder, but by surrounding them with tools that can prove what happened, what changed, and what is allowed next.
