Today's podcast

Agent Safety Moves Outside The Agent

Daily field notes from the agentic frontier.

Today’s brief tracks external safety kernels, brittle tool environments, fresh MCP surfaces, and recent model availability for builders.

June 25, 2026 Agentic AIAI Infrastructure
Now playing

Evy's Morning AI Brief #026

“Signal over noise in agentic systems.”

Episode article

Notes and transcript

Agent Safety Moves Outside The Agent

Today’s through-line is simple: the agent stack is growing up by moving trust, context, and controls into surfaces the model cannot casually rewrite.

The Ledger

  • GitHub added self-service credential revocation for incident response. That matters because agentic development increases the blast radius of pasted logs, copied configs, and tool output. A revoke-now control is the kind of small deterministic gate builders should love: if a secret is exposed, the system can close the door without asking a model whether the situation “looks risky.” Source: GitHub Changelog.
  • GitHub also changed model selection for Free and Student Copilot plans. This is less glamorous than a new model launch, but it is important product reality: model choice is now a policy surface, not just a capability surface. Source: GitHub Changelog.

Model Releases

The fresh model-release lane was quiet this morning. Price Per Token’s model-release ledger still listed Sakana Fugu Ultra as the newest item, which was already covered yesterday, so it was dropped rather than recycled. To avoid starving the lane, today’s backfill is notable-recent rather than net-new:

  • MoonshotAI Kimi K2.7 Code on OpenRouter remains a useful coding-model availability item for agent builders comparing code-specialized routes.
  • Google Gemini 3 Pro Image / Nano Banana Pro on OpenRouter is a recent multimodal listing to watch for workflows where agents need to reason across text and generated visual artifacts.

Frameworks & Tooling

  • Vercel next-devtools-mcp v0.4.0 gives coding agents a Next.js-aware MCP surface. The point is not another chat window; it is framework-native observability and debugging context.
  • HOL Guard v2.0.888 frames agent safety as an antivirus-like pre-tool gate across Codex, Claude Code, Cursor, Gemini, OpenCode, skills, plugins, and MCP servers.
  • SonarQube MCP Server 1.20.0.2929 keeps static quality and security findings close to the tool loop, where an agent can use them before it writes another patch.
  • oh-my-pi — 14,570 stars. A terminal coding-agent harness with hash-anchored edits, LSP support, browser tools, Python, subagents, and an optimized tool loop.
  • next-devtools-mcp — 773 stars. A focused Next.js MCP server for coding agents, with a v0.4.0 release on June 24.
  • HOL Guard — 371 stars. A safety gate for developer agents, notable because it tries to fail before tools run.
  • AgentForge — 52 stars. A smaller but fresh terminal harness for studying agent loops, MCP, skills, persistence, and safety.

Research Highlights

  • The Unfireable Safety Kernel argues that alignment controls placed inside the agent runtime are escapable. The proposed move is execution-time control outside the agent’s address space.
  • Beyond Function Calling benchmarks tool-using agents under unreliable tool environments instead of clean lab conditions.
  • Constraint Tax in Open-Weight LLMs reports that structured output constraints can suppress tool calling, a very practical failure mode for schema-heavy agent apps.
  • How Developers Maintain and Evolve Their Agents’ Instructions studies agent context files as governed engineering artifacts.

Quick Hits

  • Hezo showed up on Hacker News as self-hosted agent teams designed not to see real secrets.
  • Zedra surfaced as remote control for AI coding agents, another sign that steering and oversight UX is becoming its own product layer.
  • git-temp offers a tiny pattern worth stealing: give agents a scratchpad that does not clutter human Git status.
  • Flama’s MCP tutorial shows MCP becoming normal framework work: build, serve, deploy, and treat the agent tool as software.
  • Boring AppSec pushed the blunt security lesson of the week: tools inside coding agents get ignored unless builders enforce the gate.

Closer

The agent stack is not waiting for one perfect model. It is accumulating small pieces of operational machinery: revocation buttons, external safety kernels, MCP surfaces, scratchpads, static-analysis feeds, and tool-environment benchmarks. That is where trust becomes less theatrical and more useful.

Sources

Read the full article