Episode article
Notes and transcript
Agent Safety Moves Outside The Agent
Today’s through-line is simple: the agent stack is growing up by moving trust, context, and controls into surfaces the model cannot casually rewrite.
The Ledger
- GitHub added self-service credential revocation for incident response. That matters because agentic development increases the blast radius of pasted logs, copied configs, and tool output. A revoke-now control is the kind of small deterministic gate builders should love: if a secret is exposed, the system can close the door without asking a model whether the situation “looks risky.” Source: GitHub Changelog.
- GitHub also changed model selection for Free and Student Copilot plans. This is less glamorous than a new model launch, but it is important product reality: model choice is now a policy surface, not just a capability surface. Source: GitHub Changelog.
Model Releases
The fresh model-release lane was quiet this morning. Price Per Token’s model-release ledger still listed Sakana Fugu Ultra as the newest item, which was already covered yesterday, so it was dropped rather than recycled. To avoid starving the lane, today’s backfill is notable-recent rather than net-new:
- MoonshotAI Kimi K2.7 Code on OpenRouter remains a useful coding-model availability item for agent builders comparing code-specialized routes.
- Google Gemini 3 Pro Image / Nano Banana Pro on OpenRouter is a recent multimodal listing to watch for workflows where agents need to reason across text and generated visual artifacts.
Frameworks & Tooling
- Vercel next-devtools-mcp v0.4.0 gives coding agents a Next.js-aware MCP surface. The point is not another chat window; it is framework-native observability and debugging context.
- HOL Guard v2.0.888 frames agent safety as an antivirus-like pre-tool gate across Codex, Claude Code, Cursor, Gemini, OpenCode, skills, plugins, and MCP servers.
- SonarQube MCP Server 1.20.0.2929 keeps static quality and security findings close to the tool loop, where an agent can use them before it writes another patch.
Trending Repos
- oh-my-pi — 14,570 stars. A terminal coding-agent harness with hash-anchored edits, LSP support, browser tools, Python, subagents, and an optimized tool loop.
- next-devtools-mcp — 773 stars. A focused Next.js MCP server for coding agents, with a v0.4.0 release on June 24.
- HOL Guard — 371 stars. A safety gate for developer agents, notable because it tries to fail before tools run.
- AgentForge — 52 stars. A smaller but fresh terminal harness for studying agent loops, MCP, skills, persistence, and safety.
Research Highlights
- The Unfireable Safety Kernel argues that alignment controls placed inside the agent runtime are escapable. The proposed move is execution-time control outside the agent’s address space.
- Beyond Function Calling benchmarks tool-using agents under unreliable tool environments instead of clean lab conditions.
- Constraint Tax in Open-Weight LLMs reports that structured output constraints can suppress tool calling, a very practical failure mode for schema-heavy agent apps.
- How Developers Maintain and Evolve Their Agents’ Instructions studies agent context files as governed engineering artifacts.
Quick Hits
- Hezo showed up on Hacker News as self-hosted agent teams designed not to see real secrets.
- Zedra surfaced as remote control for AI coding agents, another sign that steering and oversight UX is becoming its own product layer.
- git-temp offers a tiny pattern worth stealing: give agents a scratchpad that does not clutter human Git status.
- Flama’s MCP tutorial shows MCP becoming normal framework work: build, serve, deploy, and treat the agent tool as software.
- Boring AppSec pushed the blunt security lesson of the week: tools inside coding agents get ignored unless builders enforce the gate.
Closer
The agent stack is not waiting for one perfect model. It is accumulating small pieces of operational machinery: revocation buttons, external safety kernels, MCP surfaces, scratchpads, static-analysis feeds, and tool-environment benchmarks. That is where trust becomes less theatrical and more useful.
Sources
- GitHub Changelog: Self-Service Credential Revocation for Incident Response — GitHub added a concrete incident-response control that can revoke exposed credentials without waiting on a support path.
- GitHub Changelog: Changes to Model Selection for Free and Student Plans — GitHub changed who can pick which Copilot models, a practical signal that model access tiers are becoming product policy.
- Price Per Token: New Models Today — AI & LLM Releases Last 24 Hours — The tracker provided the day’s model-availability ledger and showed a quiet fresh-release lane with recent OpenRouter additions as backfill.
- OpenRouter: MoonshotAI Kimi K2.7 Code — Kimi K2.7 Code is a recent coding-model availability item for builders comparing agentic code-generation routes.
- OpenRouter: Google Gemini 3 Pro Image / Nano Banana Pro — Gemini 3 Pro Image was a notable recent model listing relevant to multimodal builder workflows even though the fresh-release lane was quiet.
- Vercel next-devtools-mcp v0.4.0 Release — Vercel’s Next.js MCP surface gives coding agents framework-aware debugging and development context instead of raw shell-only guessing.
- hashgraph-online/hol-guard v2.0.888 Release — HOL Guard packages agent-safety checks as a pre-tool execution gate across coding-agent environments.
- can1357/oh-my-pi v16.1.18 Release — Oh My Pi is a high-star terminal coding-agent harness emphasizing hash-anchored edits, optimized tools, and LSP-backed workflows.
- SonarSource SonarQube MCP Server 1.20.0.2929 Release — SonarQube’s MCP server brings static quality and security findings directly into agent tool context.
- AgentForge Terminal Coding-Agent Harness — AgentForge is a fresh terminal harness for studying agent loops, MCP, skills, persistence, and safety behavior.
- The Unfireable Safety Kernel: Execution-Time AI Alignment for AI Agents and Other Escapable AI Systems — The paper argues that safety controls must sit outside the agent runtime so the agent cannot edit or bypass them.
- Beyond Function Calling: Benchmarking Tool-Using Agents under Tool-Environment Unreliability — The paper tests agents against unreliable tool environments rather than assuming clean, stable APIs.
- Constraint Tax in Open-Weight LLMs: Tool Calling Suppression Under Structured Output Constraints — The paper highlights a practical failure mode when JSON-schema constraints interfere with tool-calling behavior.
- How Do Developers Maintain and Evolve Their Agents’ Instructions? An Empirical Study — The study treats agent instruction files as governed software artifacts that need traceability and maintenance practices.
- Show HN: Hezo — Self-Hosted Teams of AI Agents That Never See Your Real Secrets — The discussion reflects builder interest in secret isolation as agent teams become long-running services.
- Show HN: Zedra — Remote Control for AI Coding Agents — Zedra is a community signal that developers want control-plane UX for steering remote coding agents.
- Show HN: Git-temp — Local Scratchpad for AI Agents — Git-temp points to a small but useful pattern: isolate agent scratch work from human Git status until it is ready.
- Flama: How to Build and Serve MCP Servers Without Effort — The post shows MCP moving into ordinary web-service framework ergonomics, not just bespoke agent demos.
- Boring AppSec: Security Tools Inside Coding Agents Get Ignored Unless We Do Things — The essay captures the operational lesson that agents need enforced gates, not merely advisory security output.