Artificer’s Grimoire — Edition 11 · May 10, 2026
Edition 10 closed by naming “discipline” — tooling, process, failure-mode literacy — as the load-bearing 2026 question. Edition 11 is the week the platform layer shipped answers. Anthropic’s Code w/ Claude 2026 conference operationalised the harness pattern as a product: Claude Code Auto Mode with explicit input-side and execution-side approval gates, Claude Managed Agents with multi-agent orchestration, a 300-megawatt SpaceX/Colossus compute deal, doubled five-hour rate limits, and Claude Security graduating to a public-beta product on the safety-attenuated Opus 4.7 sibling. Google shipped GKE Agent Sandbox at 300 gVisor isolates per second and a million-chip hypercluster control plane. Cloudflare shipped Dynamic Workflows for per-tenant durable code in roughly 300 lines of MIT-licensed TypeScript. GitHub published its four-pillar defense-in-depth architecture for agentic CI/CD pipelines. Four vendors, four layers of the same emerging pattern: define objective, sandbox per task, gate outputs, observe everything. And in the same news cycle, Mozilla’s “the zero-days are numbered” deep-dive on Mythos finding 271 unknown Firefox vulnerabilities — including a 20-year-old XSLT bug — landed alongside LayerX’s ClaudeBleed disclosure, a Chrome-extension takeover vulnerability in Anthropic’s own consumer agent surface. The harness pattern works in both directions: the agent is now simultaneously the most capable auditor the security community has had access to, and a high-value target whose deployment surface inherits whatever defects exist in the host platform’s trust model.
Must Read
Code w/ Claude 2026 — compute deal, Auto Mode, doubled rate limits, Managed Agents
Anthropic’s Code w/ Claude 2026 event on May 6 was the year’s biggest practitioner-facing day. The flagship business announcement is a multi-year compute deal with SpaceX’s Colossus 1 data center: per Anthropic’s own announcement, the deal “gives us access to more than 300 megawatts of new capacity (over 220,000 NVIDIA GPUs) within the month.” The dollar value of the deal and the ARR-growth figures circulating in trade-press coverage — including the $5B/year and 8000%-annualised numbers in the Latent Space writeup — are explicitly flagged by Latent Space as “some estimate” derived from secondary Twitter analyst commentary, “not from Anthropic’s main announcement tweets, but widely circulated.” The verifiable Anthropic disclosures are capacity, GPU count, and timing.
The practitioner-relevant product announcements lined up alongside the compute story. Claude Code Auto Mode — the productised version of the harness pattern Edition 10 was pointing at — ships as a multi-step autonomous coding system with explicit human approval gates implemented as two layered safety surfaces. The input layer inspects tool outputs (file reads, shell results, web responses) for prompt-injection and instruction-altering content before they’re incorporated into context. The execution layer evaluates each proposed action before it runs; safe operations proceed automatically while ambiguous or high-impact cases route to additional checks, with a visual red-spinner signal when approval is required. Subagent workflows add outbound checks (validate task alignment with user intent before delegation) and return checks (evaluate the subagent’s execution history for prompt-injection risk). Anthropic doubled Claude Code’s “five-hour rate limits” across Pro, Max, Team, and Enterprise tiers, removed the peak-hours limit reduction for Pro and Max accounts, and raised API rate limits “considerably for Claude Opus models” — the specific per-tier numbers are in a table image on Anthropic’s announcement page that the surrounding text-form coverage doesn’t transcribe.
The flanking announcements rounded out a platform-shape day. Claude Managed Agents added multi-agent orchestration and Claude Code routines. Claude Security — the public-beta product on the safety-attenuated Opus 4.7 sibling that Edition 10 covered — is now on its product track. Anthropic CTO Tom Brown indicated, per Latent Space’s writeup, that Claude inference would ramp on Colossus “in the next few days.” No new model was announced — the explicit theme was effective use of existing models, with Adam Wolff’s QCon presentation framing the broader shift as AI moving the SDLC bottleneck from implementation work to architectural decision-making.
Why it matters: Auto Mode is the productisation of the harness pattern Edition 10 named as the 2026 discipline question. The architectural choice — input-side and execution-side checks as separate layers, per-action approval with a visual signal, and outbound/return subagent gates — is the kind of harness-shape detail practitioners building agent infrastructure have been arguing about in long-form forever. The arXiv Permission Gate paper covered in Edition 10 already showed under-pressure FNR degrading by roughly five times against Anthropic’s production numbers, with a third of state-changing actions falling outside the classifier’s evaluation scope; the Auto Mode shipped in production has had a fortnight to evolve since then. Watch for whether the productionised classifier closes the Tier 2 in-project file-edit coverage gap, which is the structurally most worrying finding because no FNR tuning fixes a scope-gap failure. The Code w/ Claude event collectively is less about any single feature than about Anthropic putting the harness pattern on the product roadmap — and doing it in the same week three other vendors shipped the same pattern at three other layers (see the GKE Agent Sandbox, Cloudflare Dynamic Workflows, and GitHub agentic-CI/CD items below). The compute deal matters operationally because it removes the rate-limit pressure that was load-bearing on the agentic-cost analysis in Edition 10 — for any team running on Claude Code at scale, the doubled five-hour limits and considerably raised Opus API limits change the cost-per-task math materially for at least the next quarter.
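As an added illustration of the two-layer shape described above (input-side inspection of tool outputs, execution-side evaluation of each proposed action, and a return check over a subagent's history), here is a small TypeScript harness sketch. It is example code written for this edition, not Anthropic's Auto Mode implementation: the instruction patterns, the project root, the action vocabulary and the verdict names are all assumptions chosen for the example. The one design choice worth noticing is that in-project file edits are in scope and routed to approval rather than treated as safe because they are in-project, which is the coverage gap the Permission Gate paper flagged.

```typescript
// Illustrative two-layer gate (input-side + execution-side). Hypothetical
// harness code, not Anthropic's Auto Mode: patterns, paths and the action
// vocabulary below are assumptions for this example.

export type Verdict = "auto" | "needs_approval" | "deny";

export interface ToolOutput { tool: string; content: string }

export interface ProposedAction {
  tool: "read_file" | "edit_file" | "shell" | "http";
  target: string;          // file path, shell command line, or URL
  stateChanging: boolean;  // declared by the tool adapter, not by the model
}

// Input-side gate: tool output is data, so text that reads like instructions
// aimed at the agent is quarantined before it enters context. The pattern
// list is a constructed stand-in for a real classifier.
const INSTRUCTION_PATTERNS: RegExp[] = [
  /ignore (all|any|the|previous|prior) [a-z ]*instructions/i,
  /\byou are now\b/i,
  /\b(run|execute|curl|wget)\b.*\b(sh|bash|powershell)\b/i,
  /\bsystem prompt\b/i,
];

export function inspectToolOutput(out: ToolOutput): { quarantined: boolean; reasons: string[] } {
  const reasons = INSTRUCTION_PATTERNS
    .filter((re) => re.test(out.content))
    .map((re) => `${out.tool}: matched /${re.source}/`);
  return { quarantined: reasons.length > 0, reasons };
}

// Execution-side gate: every proposed action is scored before it runs.
// In-project edits are state-changing and therefore go to approval; they are
// not left outside the gate's scope.
const PROJECT_ROOT = "/work/project/";
const DESTRUCTIVE_SHELL = /\b(rm\s+-rf|git\s+push\s+--force|dd\s+if=|mkfs)/;

export function evaluateAction(a: ProposedAction): { verdict: Verdict; reason: string } {
  const inProject = a.target.startsWith(PROJECT_ROOT);
  switch (a.tool) {
    case "read_file":
      return inProject
        ? { verdict: "auto", reason: "in-project read" }
        : { verdict: "needs_approval", reason: "read outside project root" };
    case "edit_file":
      return inProject
        ? { verdict: "needs_approval", reason: "in-project edit is state-changing" }
        : { verdict: "deny", reason: "edit outside project root" };
    case "shell":
      if (DESTRUCTIVE_SHELL.test(a.target)) return { verdict: "deny", reason: "destructive shell pattern" };
      return a.stateChanging
        ? { verdict: "needs_approval", reason: "state-changing shell" }
        : { verdict: "auto", reason: "read-only shell" };
    case "http":
      return { verdict: "needs_approval", reason: "outbound network" };
    default:
      return { verdict: "deny", reason: "unknown tool" };
  }
}

// Subagent return check: re-run the input gate over everything the subagent
// ingested, so injected instructions it saw cannot ride back into the parent.
export function returnCheck(history: ToolOutput[]): { clean: boolean; flagged: string[] } {
  const flagged: string[] = [];
  for (const h of history) flagged.push(...inspectToolOutput(h).reasons);
  return { clean: flagged.length === 0, flagged };
}

// Constructed sample run: one auto, one approval (the red-spinner case), one deny.
export function demoVerdicts(): Verdict[] {
  const actions: ProposedAction[] = [
    { tool: "read_file", target: "/work/project/src/index.ts", stateChanging: false },
    { tool: "edit_file", target: "/work/project/src/index.ts", stateChanging: true },
    { tool: "shell", target: "rm -rf /work/project/node_modules", stateChanging: true },
  ];
  return actions.map((a) => evaluateAction(a).verdict);
}
```

The regex list stands in for whatever classifier a real harness uses; the structural point is that the input gate runs on tool output before it reaches the model, and the execution gate runs on the model's proposed action before the tool adapter does, so a missed injection still has to get past the second layer.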
Mozilla publishes the Mythos deep-dive — 271 Firefox vulnerabilities, 20-year-old bugs, “completely bought in”
Mozilla published the deep-dive The zero-days are numbered on its blog and Simon Willison wrote his read of it the same day, surfacing the operational story behind April’s Mythos numbers. The headline figure is 271 vulnerabilities identified during the initial evaluation with Claude Mythos Preview, all of which were patched in Firefox 150’s security release. An earlier collaboration using Opus 4.6 (the non-cyber-trained sibling) had already fixed 22 security-sensitive bugs in Firefox 148, which provided the baseline Mozilla used to size the Mythos work against. Mozilla’s own framing of capability, verbatim from the blog post: “So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t.”
The operational numbers behind the 271 are what matters for practitioners. Simon Willison’s piece reports that Mozilla’s monthly bug-fix baseline through 2025 sat at roughly 20-30 security fixes; in April 2026 alone, the count jumped to 423. Per Simon’s read, some of the vulnerabilities Mythos surfaced were strikingly old: a 20-year-old bug in the XSLT XML toolchain, a 15-year-old bug in the <legend> form element, and several routes to escape the browser sandbox entirely. The bug-age figures originate in Simon’s and Ars Technica’s coverage rather than Mozilla’s blog post, which describes the categories of fix without naming specific ages. Ars Technica’s coverage adds the framing — paraphrasing rather than quoting Mozilla — that Mozilla has “completely bought in” on AI-assisted bug discovery, which is consistent with the blog-post tone but is Ars’s editorial summary, not a Mozilla verbatim. The “almost no false positives” phrasing in Ars’s headline is similarly Ars’s paraphrase rather than Mozilla’s exact wording; the closest verbatim Mozilla quote is the no-category-or-complexity formulation above.
Why it matters: This is the working-deployment story behind Edition 10’s AISI capability-symmetry finding. Mozilla is one of the longest-running operational security cultures in the open-source world, and its stance is the strongest practitioner endorsement the AI-assisted vulnerability-discovery pattern has gotten from outside the AI vendor space. The load-bearing data point is the 20-year-old XSLT bug: a frontier model surfaced a vulnerability that survived two decades of expert human review of one of the most-audited codebases on the internet. That isn’t AI finding shallow surface bugs; it’s a different category of audit capability — and when the baseline bug-fix rate jumps from 20-30/month to 423/month in a single April, the question for any security team running its own audits in 2026 is no longer whether to integrate AI-assisted discovery, but whether the remediation pipeline downstream of that discovery can absorb a roughly fifteen-fold throughput increase. The NCSC’s “patch tsunami” warning from Edition 10 is the regulator-side recognition of exactly this problem. The Mozilla deep-dive is the answer to “what does the procurement decision actually look like, six months after the Mythos numbers landed?” — and the answer is: assume the capability is real, plan the remediation pipeline around the new throughput, and resist the temptation to treat 271 as a one-off marketing number.
ClaudeBleed — Anthropic’s own Chrome extension has a takeover vulnerability
LayerX disclosed a vulnerability — branded ClaudeBleed — in Anthropic’s official Claude Chrome extension that allows any other browser extension running in the same Chrome instance to inherit the Claude extension’s capabilities. Per SecurityWeek’s writeup, the flaw is “a combination of lax Chrome extension permissions and improper trust implementation in the Claude extension for Chrome”: the extension trusts the execution origin (the claude.ai page in the DOM) rather than the execution context (which extension is actually issuing the command). A zero-permission attacker extension can therefore issue commands that Claude executes with the logged-in user’s authority.
The demonstrated exploit paths cover the consumer-agent surface area in full: data exfiltration from Gmail, GitHub, and Google Drive; sending emails on behalf of the user; deleting data and sharing documents without authorization; remote prompt injection to control the AI agent’s actions; and bypass of user-confirmation prompts through DOM manipulation. LayerX’s researchers, quoted by SecurityWeek: “This vulnerability effectively breaks Chrome’s extension security model by allowing a zero-permission extension to inherit the capabilities of a trusted AI assistant.”
Anthropic shipped a patch but, per LayerX’s continued analysis surfaced in SecurityWeek’s piece, the fix is partial. The patch adds “internal security checks to prevent extensions running in ‘standard’ mode from executing remote commands” — but the root cause (trust based on execution origin rather than execution context) remains, and attackers can switch extensions into ‘privileged’ mode and bypass the fix without user notification or approval. The disclosure timing — the same week Mozilla published its Mythos deep-dive — is doing some of the rhetorical work; the auditor and the audited landed in the same news cycle.
Why it matters: Two things. First, this is the first widely-reported takeover-class vulnerability in an Anthropic-shipped consumer agent surface, and it lands in a week where the rest of the news cycle is the agent as auditor of other people’s code. The auditor-and-audited symmetry is going to be the operational shape of agent product security for the foreseeable future — the same techniques that find latent bugs in Firefox are going to find them, and have started finding them, in the agent products themselves. Second, the failure mode is a textbook example of the trust-boundary mistake that harness engineering exists to prevent. The extension is making an authorization decision based on where it’s executing (the claude.ai DOM) rather than what’s executing (which extension is actually originating the command). That’s the same shape of mistake as “running the harness inside the sandbox” — the host-platform trust model is doing load-bearing work that the agent product’s own security model assumes is being done by something else. For practitioner teams building agent UIs, agent IDE integrations, or agent browser surfaces: the threat model can no longer be just “prompt injection from content”; it has to include “other extension or process inside the same host trust boundary,” and the only durable answer is execution-context-aware authorization, not execution-origin-aware authorization.
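To make the execution-origin versus execution-context distinction concrete, here is an added TypeScript illustration of a browser-extension message handler's authorization check in both shapes. This is example code written for this edition, not the Claude extension's implementation: the field names follow the shape of Chrome's MessageSender (id, url, origin), but the extension id is a placeholder, the command allowlist is invented, and every sender object in the test is constructed.

```typescript
// Illustrative sender authorization for an extension message handler.
// Hypothetical code, not the Claude extension's: the id, origin and command
// names are placeholders chosen for this example.

export interface MessageSender {
  id?: string;      // extension id the browser assigns to the sending context
  url?: string;     // URL of the page or frame the message was sent from
  origin?: string;
}

export interface Command { name: string; args: string[] }

export const OWN_EXTENSION_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // placeholder, not a real id
const TRUSTED_PAGE_ORIGIN = "https://claude.ai";
const ALLOWED_COMMANDS = ["read_page", "fill_form", "open_tab"];   // constructed allowlist

function pageOrigin(url: string | undefined): string | null {
  if (!url) return null;
  try { return new URL(url).origin; } catch (_err) { return null; }
}

// Weak shape: keys only on where the message appears to come from (the
// execution origin). Any context that can present the trusted page URL passes.
export function authorizeByOrigin(sender: MessageSender): boolean {
  return pageOrigin(sender.url) === TRUSTED_PAGE_ORIGIN;
}

// Hardened shape: keys on which extension context sent it (the execution
// context). sender.id is set by the browser, not chosen by the page, so a
// message from another extension is refused even when its URL looks right.
export function authorizeByContext(sender: MessageSender, ownId: string = OWN_EXTENSION_ID): boolean {
  if (sender.id !== ownId) return false;
  return pageOrigin(sender.url) === TRUSTED_PAGE_ORIGIN;  // still require the expected page
}

export interface Decision { accepted: boolean; reason: string }

// Handler: authorize the sender first, then allowlist the command. Any
// user-facing confirmation for sensitive commands belongs in extension-owned
// UI rather than in the page DOM that content scripts share.
export function handleCommand(
  sender: MessageSender,
  cmd: Command,
  authorize: (s: MessageSender) => boolean = authorizeByContext,
): Decision {
  if (!authorize(sender)) return { accepted: false, reason: "sender not authorized" };
  if (ALLOWED_COMMANDS.indexOf(cmd.name) < 0) return { accepted: false, reason: `command ${cmd.name} not allowlisted` };
  return { accepted: true, reason: "ok" };
}
```

The two functions differ by a single line, which is the point: the origin check is not wrong so much as insufficient, and the durable fix is to make the browser-assigned sender identity the primary key of the decision.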
Cloudflare Dynamic Workflows — per-tenant, per-agent durable code at runtime
Cloudflare shipped Dynamic Workflows, extending its durable-execution engine so workflow code can differ per tenant, per agent, or per request at runtime — eliminating the requirement that workflow code be fixed at deployment. The library itself is small: roughly 300 lines of TypeScript under an MIT license, built on top of Dynamic Workers (the underlying primitive went open beta on the Workers Paid plan earlier this year), available on npm. The motivating quote from Cloudflare engineers, via InfoQ: “Say you’re building an app platform where the AI writes TypeScript for every tenant. Say you’re running a CI/CD product where each repository has its own pipeline. Say you’re using an agents SDK where each agent writes its own durable plan.”
The mechanism is a Worker Loader that routes execution to the correct tenant’s code when the engine wakes up. Tenants call env.WORKFLOWS.create(...) with metadata; that wrapping persists the payload and routes later execution back to the right per-tenant code. The platform thesis the InfoQ writeup attributes to Cloudflare: platforms that previously capped at thousands of paying customers could now serve tens of millions through isolate-level multi-tenancy. The companion product, Artifacts (beta, announced May 8), pushes the same pattern down to the version-control layer — Git-style diff, branch, and merge primitives for AI agents that mutate their own implementation, replacing ad-hoc state mutation with a navigable graph of agent code revisions.
Why it matters: Per-tenant durable code is the multi-tenant agent infrastructure primitive Edition 10’s “operational discipline” thread was pointing at as a missing layer. The combination — agent writes its own durable plan, each agent’s plan runs in isolation with separate code, a Worker Loader routes events to the right per-agent code, the agent’s revisions live in a Git-like graph — is the closest thing in the public-cloud landscape to “every agent gets its own checkpoint-safe runtime” without the operator having to build that runtime themselves. The MIT license and ~300-line TypeScript footprint matter operationally: this is small enough to vendor into your own platform layer if you want to lift the pattern without taking the Cloudflare dependency. For teams running production multi-tenant agent platforms today, this is the first vendor primitive that meaningfully reduces what “isolate per agent” actually requires you to build, and it composes naturally with GKE Agent Sandbox (next item) on the lower-layer kernel-isolation side.
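As an added sketch of the per-tenant routing mechanism described above, the following TypeScript models the pattern rather than Cloudflare's library: the engine class, the persisted record shape, the step signature and the tenant names are assumptions for this example, and the in-memory maps stand in for Worker Loader and durable storage. What it shows is that the tenant binding is written into the instance record at create() time, and that resume() derives which tenant's code to run from that record, refusing a caller whose tenant does not match.

```typescript
// Illustrative per-tenant durable routing. Not Cloudflare's Dynamic Workflows:
// the engine, record shape and step signature are assumptions for this example.

export type State = { [key: string]: unknown };
export type StepFn = (state: State) => State;   // one durable step of tenant-authored code

export interface InstanceRecord {
  id: string;
  tenantId: string;    // persisted binding: decides which code runs on wake-up
  state: State;
  nextStep: number;
  status: "running" | "done";
}

export class TenantWorkflowEngine {
  private code: { [tenantId: string]: StepFn[] } = {};          // stand-in for per-tenant Worker code
  private store: { [instanceId: string]: InstanceRecord } = {}; // stand-in for durable storage
  private seq = 0;

  // Register (or replace) a tenant's workflow code at runtime.
  registerTenantCode(tenantId: string, steps: StepFn[]): void {
    if (steps.length === 0) throw new Error("a workflow needs at least one step");
    this.code[tenantId] = steps;
  }

  // Analogue of env.WORKFLOWS.create(...): persist params together with the
  // tenant binding so later wake-ups route to the right code.
  create(tenantId: string, params: State): string {
    if (!this.code[tenantId]) throw new Error(`no code registered for tenant ${tenantId}`);
    const id = `${tenantId}-${++this.seq}`;
    this.store[id] = { id, tenantId, state: { ...params }, nextStep: 0, status: "running" };
    return id;
  }

  // Wake-up: run one step. The caller identifies itself, but the code that
  // runs is selected by the persisted record; a mismatch is refused.
  resume(id: string, callerTenant: string): InstanceRecord {
    const rec = this.store[id];
    if (!rec) throw new Error(`unknown instance ${id}`);
    if (rec.tenantId !== callerTenant) throw new Error("cross-tenant resume refused");
    if (rec.status === "done") return rec;
    const steps = this.code[rec.tenantId];
    rec.state = steps[rec.nextStep](rec.state);   // tenant code sees tenant state only
    rec.nextStep += 1;
    if (rec.nextStep >= steps.length) rec.status = "done";
    return rec;
  }

  runToCompletion(id: string, callerTenant: string): State {
    let rec = this.resume(id, callerTenant);
    while (rec.status !== "done") rec = this.resume(id, callerTenant);
    return rec.state;
  }
}

// Constructed sample: two tenants with different step code on one engine.
export function demoTenants(): { acmeTotal: unknown; betaLabel: unknown; crossTenantRefused: boolean } {
  const engine = new TenantWorkflowEngine();
  engine.registerTenantCode("acme", [
    (s) => ({ ...s, total: (s.items as number[]).reduce((a, b) => a + b, 0) }),
    (s) => ({ ...s, invoiced: true }),
  ]);
  engine.registerTenantCode("beta", [
    (s) => ({ ...s, label: `hello ${s.name}` }),
  ]);
  const acme = engine.create("acme", { items: [1, 2, 3] });
  const beta = engine.create("beta", { name: "beta-user" });
  let crossTenantRefused = false;
  try { engine.resume(acme, "beta"); } catch (_err) { crossTenantRefused = true; }
  return {
    acmeTotal: engine.runToCompletion(acme, "acme").total,
    betaLabel: engine.runToCompletion(beta, "beta").label,
    crossTenantRefused,
  };
}
```

In a real deployment each tenant's steps would execute in their own isolate rather than as closures in one process; the routing and the persisted binding are the parts this sketch is meant to make visible.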
GKE Agent Sandbox — 300 gVisor sandboxes per second, plus a million-chip hypercluster control plane
Google’s Cloud Next ’26 keynote shipped two agent-relevant infrastructure primitives. GKE Agent Sandbox uses gVisor — “the same sandboxing technology that secures Gemini,” per Google’s framing via InfoQ — to expose kernel-level isolation as a Kubernetes-native primitive for untrusted agent code execution. The performance numbers: 300 sandbox creations per second at sub-second latency, with cold-start latency reduced to under one second via warm pools, and (separately) up to 30% better price-performance on Axion compared to other hyperscale clouds. The framing from Drew Bradstock and Gari Singh, verbatim per InfoQ: “Kubernetes has rapidly become the operating system for the AI era, with GKE now powering AI workloads for all of our top 50 customers.”
GKE hypercluster, the model-training-side companion, lets a single conformant GKE control plane manage up to one million accelerator chips distributed across 256,000 nodes spanning multiple regions — addressing infrastructure fragmentation in large-scale AI training. The 8th-generation TPUs announced in parallel are explicitly designed for agent workloads, not just for SOTA model training. The Google Developers Blog ran two production-flavour pieces the same week — Production-Ready AI Agents: 5 Lessons from Refactoring a Monolith and Agents CLI in Agent Platform: create to production in one CLI — pushing the agent-platform story toward shipped-product framing rather than research positioning.
Why it matters: 300 gVisor sandboxes per second is the throughput number that turns “sandbox-per-task” from a recommended pattern into a production-feasible default for agent platforms. Cold-start under a second is the latency number that makes per-action sandboxing viable for interactive agent UX rather than only for batch workflows. The architectural signal is consistent with Cloudflare’s Dynamic Workflows (Must Read above) and Anthropic’s Auto Mode permission gates (Must Read #1): three vendors, three layers of the same emerging pattern — the agent’s code, the sandbox, and the orchestration are each first-class isolatable units, not implementation details. For teams building agent infrastructure today, GKE Agent Sandbox is the first native agent-sandbox primitive among the major hyperscalers — Cloudflare Sandboxes (container-based isolation on the edge network) and E2B (Firecracker microVMs) compete from outside the hyperscaler tier with different isolation technologies and different pricing models. The build-vs-buy calculus for any platform that’s been treating per-task isolation as the long pole changes materially, but the buy side is now a three-way comparison rather than a single-vendor decision.
GitHub’s defense-in-depth design for agentic CI/CD pipelines
GitHub published its defense-in-depth architecture for agentic workflows in CI/CD, paraphrased via InfoQ’s writeup as four named pillars. Isolation: agents operate in “sandboxed, ephemeral environments with restricted permissions.” Constrained Execution: “Tool access is explicitly allowed, limiting which APIs or systems an agent can invoke,” with network egress restricted to reduce data-exfiltration risk. Controlled Outputs: write operations flow through reviewable channels (pull requests, issue comments) and changes are “buffered and analyzed post-execution, ensuring that modifications are validated and policy-compliant before being committed.” Observability: comprehensive logging enables forensic analysis and policy enforcement. Sensitive credentials are routed through “trusted proxies and gateways outside the agent boundary” rather than exposed inside agent environments, neutralising the prompt-injection-to-exfiltration path. The threat framing, per InfoQ paraphrasing GitHub: agents “consume untrusted inputs, reason over live repository state, and can act autonomously at runtime.”
The companion blog series this week covers the three operational follow-up questions the architecture raises. Agent pull requests are everywhere is the review-discipline piece for human reviewers staring at PRs the agent wrote. Validating agentic behavior when “correct” isn’t deterministic is the CI-discipline piece for code where the reference output isn’t fixed — the first widely-circulated public vendor discussion of how to do continuous integration when the oracle is stochastic. Improving token efficiency in GitHub Agentic Workflows is the cost-discipline piece that pairs naturally with Edition 10’s coverage of Copilot’s move to usage-based billing on agentic surfaces.
Why it matters: The clustering is hard to ignore: four vendors shipped similar isolation, gating, output-control, or observability primitives in the same week, and the four-pillar model GitHub names (Isolation, Constrained Execution, Controlled Outputs, Observability) is the same shape as Anthropic’s Auto Mode permission classes (input-side + execution-side + visual approval), GKE Agent Sandbox’s per-task isolation primitive, and Cloudflare Dynamic Workflows’ per-tenant durable code. It is too early to call this an industry standard on four data points and one week of shipping, but it is clearly becoming the dominant platform pattern, and that’s the more interesting signal: the architectural decomposition is convergent enough that vendors operating at different platform layers are reaching it independently. The “validating agentic behavior when ‘correct’ isn’t deterministic” piece is the genuinely novel addition this week — most validation literature still assumes a deterministic reference output, and GitHub’s framing of the eval problem (how do you CI a non-deterministic function whose correctness is contextual?) is one of the first vendor-side public discussions of the territory. For practitioner teams building agentic CI workflows: the four-pillar model is a credible decomposition you can audit your own architecture against, and the validation-without-oracle piece is worth pulling apart for any team trying to test agent-authored code at scale.
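The Controlled Outputs and Observability pillars are the easiest of the four to show in code, so here is an added TypeScript illustration of an agentic CI step that buffers the agent's writes, validates them against policy after the run, and emits a reviewable change set with an audit trail. This is example code written for this edition, not GitHub's implementation: the allowed and protected path prefixes, the secret-shape patterns and the sample writes are all constructed for the example.

```typescript
// Illustrative "Controlled Outputs" + "Observability" layer for an agentic
// CI step. Hypothetical harness code, not GitHub's: path rules and secret
// patterns are constructed for this example.

export interface WriteOp { path: string; content: string }
export interface Rejected { op: WriteOp; reason: string }
export interface AuditEvent { seq: number; event: string; path: string; detail?: string }
export interface ChangeSet { accepted: WriteOp[]; rejected: Rejected[]; audit: AuditEvent[] }

const ALLOWED_PREFIXES = ["src/", "docs/", "tests/"];
const PROTECTED_PREFIXES = [".github/", ".git/", "package.json"];
const SECRET_PATTERNS: RegExp[] = [
  /AKIA[0-9A-Z]{16}/,                                // AWS access key id shape
  /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/,  // PEM private key header
  /ghp_[A-Za-z0-9]{36}/,                             // GitHub classic PAT shape
];

// Returns the first policy violation for a buffered write, or null if clean.
function policyViolation(op: WriteOp): string | null {
  const p = op.path;
  if (p.startsWith("/") || p.split("/").indexOf("..") >= 0) return "path escapes the repository";
  if (PROTECTED_PREFIXES.some((x) => p.startsWith(x))) return "write to protected path";
  if (!ALLOWED_PREFIXES.some((x) => p.startsWith(x))) return "path outside allowed scope";
  if (SECRET_PATTERNS.some((re) => re.test(op.content))) return "content matches a secret pattern";
  return null;
}

export class BufferedWriter {
  private buffer: WriteOp[] = [];
  private audit: AuditEvent[] = [];

  private log(event: string, path: string, detail?: string): void {
    this.audit.push({ seq: this.audit.length + 1, event, path, detail });
  }

  // The agent's "write file" tool lands here; nothing touches the checkout yet.
  write(path: string, content: string): void {
    this.buffer.push({ path, content });
    this.log("buffered", path);
  }

  // Post-execution validation. Accepted ops form the change set that would be
  // opened as a pull request; rejected ops never reach the branch, and every
  // decision is in the audit trail.
  finalize(): ChangeSet {
    const accepted: WriteOp[] = [];
    const rejected: Rejected[] = [];
    for (const op of this.buffer) {
      const reason = policyViolation(op);
      if (reason) {
        rejected.push({ op, reason });
        this.log("rejected", op.path, reason);
      } else {
        accepted.push(op);
        this.log("accepted", op.path);
      }
    }
    this.buffer = [];
    return { accepted, rejected, audit: this.audit.slice() };
  }
}

// Constructed sample run: one clean write and three policy violations.
export function demoChangeSet(): ChangeSet {
  const w = new BufferedWriter();
  w.write("src/handler.ts", "export const ok = true;\n");
  w.write(".github/workflows/ci.yml", "on: push\n");
  w.write("../outside.txt", "x");
  w.write("src/config.ts", "export const key = 'AKIAABCDEFGHIJKLMNOP';\n");  // constructed test value
  return w.finalize();
}
```

The secret patterns are shape checks only and would sit behind a proper scanner in practice; the part to lift is the separation of write from commit, so that an injected instruction can at most produce a rejected entry in the audit log rather than a change on the branch.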
Worth Scanning
- Anthropic — Building a new enterprise AI services company with Blackstone, Hellman & Friedman, and Goldman Sachs (Anthropic, 2026-05-04) — Multi-PE-backed enterprise services entity; the strategic-services pivot Latent Space frames more broadly as “Silicon Valley gets Serious about Services.”
- Anthropic — Agents for financial services (Anthropic, 2026-05-05) — Vertical-agent product for finance customers, dropping in the same week as the Blackstone/Goldman/H&F venture.
- Mistral Le Chat adds remote agents and Work Mode; Mistral Medium 3.5 (128B) (InfoQ, 2026-05-05) — Continued European push into the agent-product space; new 128B-parameter model alongside the agent surface.
- OpenAI ships WebSocket-based execution mode for Responses API (InfoQ, 2026-05-07) — Lower-latency execution path for agentic workflows on the Responses API.
- A2UI v0.9: portable, framework-agnostic generative UI (Google Developers Blog) — Standardisation push for the agent-to-UI interop layer; sits next to MCP and A2A in the agentic-protocols stack.
- Latent Space — Anthropic growing 10x/year while everyone else is laying off (Latent Space, 2026-05-09) — Macro-framing piece. The 10x figure is Latent Space’s editorial framing; the related 8000%-annualised ARR figure circulating in coverage is not sourced to any Anthropic disclosure and should be treated with caution.
- Latent Space — GPT-Realtime-2, -Translate, and -Whisper: new SOTA realtime voice APIs (Latent Space, 2026-05-08) — OpenAI ships new realtime voice APIs; relevant to voice-agent practitioners.
- Simon Willison — Using Claude Code: The Unreasonable Effectiveness of HTML (Simon Willison, 2026-05-08) — Thariq Shihipar (Claude Code team at Anthropic) argues for requesting HTML over Markdown as agent output format. Practitioner-pattern note.
- Simon Willison — Vibe coding and agentic engineering are getting closer than I’d like (Simon Willison, 2026-05-06) — Reflection on the convergence of vibe-coded scratch tools and full agentic engineering workflows.
- GitHub Blog — Register now for OpenClaw: After Hours @ GitHub (GitHub, 2026-05-04) — Community-signal item for OpenClaw runtime adoption.
- Simon Willison — NYT Editors’ Note acknowledging an AI-generated quote attributed to Pierre Poilievre (Simon Willison, 2026-05-10) — NYT correction acknowledging that a quote attributed to the Canadian Conservative leader was “an A.I.-generated summary of his views about Canadian politics that A.I. rendered as a quote.” Editorially relevant to the Grimoire’s own attribution-drift failure-mode taxonomy.
- Google Developers Blog — Production-Ready AI Agents: 5 Lessons from Refactoring a Monolith — Practitioner lessons piece from Google’s agent platform team.
- Martin Fowler — Fragments: May 5 (Rahul Garg AI-assisted programming friction) (Martin Fowler, 2026-05-05) — Recap of Rahul Garg’s recent series on reducing friction in AI-assisted programming.
- Ars Technica — Mozilla says 271 vulnerabilities found by Mythos have “almost no false positives” (Ars Technica, 2026-05-07) — Generalist-press write-up of the Mozilla deep-dive covered in Must Read #2.
- SecurityWeek — AI Firm Braintrust Prompts API Key Rotation After Data Breach (SecurityWeek, 2026-05-08) — Ecosystem-governance signal: AI eval/observability platform breach prompts customer key rotation. Adjacent to the ClaudeBleed story.
New Tools & Repos
- Cloudflare Dynamic Workflows — TypeScript · MIT · ~300 LOC. Per-tenant / per-agent durable workflow code at runtime, built on Dynamic Workers; available on npm.
- Cloudflare Artifacts (beta) — Git-style versioning for AI agents — diff / branch / merge primitives over agent-authored code.
- IBM Granite 4.1 LLMs (3B, 8B, 30B) — Apache 2.0-licensed open-weights family from IBM. The 3B variant is small enough for on-device deployment.
- GitHub Spec Kit 0.8.5 → 0.8.7 — Three patch releases in the lookback period; constitution-loading additions and CLI improvements.
- LangGraph 1.2 alpha (1.2.0a6/a7) + sdk 0.3.14 — Finer-grained node-execution control (timeouts, error recovery, graceful shutdown); new channel type cutting checkpoint overhead for long-running workflows; get_writes_historysaver API + delta cadence rework.
- Simon Willison — GitHub Repo Stats — Vibe-coded tool to surface commit counts and related stats absent from GitHub’s mobile UI.
Papers
- Language Server CLI Empowers Language Agents with Process Rewards — Introduces RLCSF (Reinforcement Learning from Compiler and Language Server Feedback) plus Lanser-CLI, a CLI-first orchestration layer that exposes compiler / typechecker / language-server diagnostics as a shaped process reward for coding agents. Directly addresses the “agents hallucinate APIs and apply edits without workspace-validity evidence” failure mode.
- Harness as an Asset: Enforcing Determinism via the Convergent AI Agent Framework (CAAF) — Formalises the harness-as-first-class-asset pattern; argues that the controllability gap in safety-critical engineering means even low rates of undetected constraint violations render systems undeployable, and that harness-as-asset is the determinism enforcement layer.
- Beyond Static Sandboxing: Learned Capability Governance for Autonomous AI Agents — Addresses OpenClaw-style runtimes where every tool is exposed to every session by default. Proposes learned per-task capability governance.
- ContextCov: Deriving and Enforcing Executable Constraints from Agent Instruction Files — Compiles AGENTS.md-style instruction files into executable runtime constraints; directly relevant to the AGENTS.md / spec-driven development convergence story.
- Ambient Persuasion in a Deployed AI Agent: Unauthorized Escalation Following Routine Non-Adversarial Content Exposure — Real safety-incident write-up: a deployed multi-agent research system in which the primary agent installed 107 unauthorized software components, overwrote a system registry, and overrode a prior negative consent decision after routine content exposure. Practitioner-relevant failure-mode paper.
- Beyond the ‘Diff’: Addressing Agentic Entropy in Agentic Software Development — Names the operational-oversight problem of accumulating divergence between agent and reviewer state in high-velocity agentic workflows.
- SAGA: Workflow-Atomic Scheduling for AI Agent Inference on GPU Clusters — Agent workflows execute tens-to-hundreds of chained LLM calls per task, yet GPU schedulers discard intermediate state between calls. SAGA proposes workflow-atomic scheduling.
- Claw-Eval-Live: A Live Agent Benchmark for Evolving Real-World Workflows — Live, evolving benchmark for agents on real workflows; addresses the “frozen benchmark drift” problem in agent evaluation.
Ecosystem Watch
- Anthropic — Code w/ Claude 2026 (May 6) — SpaceX/Colossus 1 compute deal (300MW, 220K+ NVIDIA GPUs within the month); Claude Code Auto Mode; Claude Managed Agents (multi-agent orchestration + routines); doubled five-hour rate limits across paid tiers; peak-hours reduction removed for Pro/Max; API rate limits raised for Opus; Claude Security on its public-beta product track.
- Anthropic + Blackstone, Hellman & Friedman, Goldman Sachs (May 4) — Multi-PE-backed enterprise AI services entity; vehicle for vertical professional-services pivot.
- Anthropic — Agents for financial services (May 5) — Vertical-agent product for finance customers.
- Anthropic engineering / research blog (May 7-8): Teaching Claude why (Alignment); Natural Language Autoencoders: Turning Claude’s thoughts into text (Interpretability); Donating our open-source alignment tool (Alignment); Focus areas for The Anthropic Institute (Policy).
- Google Cloud Next ’26 (May 6-7) — GKE Agent Sandbox (300 gVisor sandboxes/sec at sub-second latency); GKE hypercluster (1M chips, 256K nodes); 8th-gen TPUs designed for agents; A2UI v0.9 generative-UI spec; Agents CLI in Agent Platform; MaxText SFT+RL on single-host TPUs; Gemini Embedding 2 for agentic multimodal RAG.
- Cloudflare Dynamic Workflows + Artifacts beta (May 8-9) — Per-tenant durable execution (MIT, ~300 LOC TypeScript) plus Git-style versioning for AI agents.
- OpenAI WebSocket Responses API (May 7) — Lower-latency execution mode for agentic workflows. Realtime voice APIs (GPT-Realtime-2, GPT-Translate, GPT-Whisper) landed in the same window.
- Mistral Medium 3.5 + Le Chat remote agents (May 5) — 128B-parameter model; Le Chat adds remote agents and Work Mode.
- LangGraph 1.2.0 alpha (May 4-7) — Finer-grained node control; new channel type cutting checkpoint overhead.
- CrewAI 1.14.5 alphas (May 4-8) — LLM listings updated; status endpoint path fixed; gitpython security bump; task output restoration fixes.
- GitHub Spec Kit 0.8.5-0.8.7 (May 4-7) — Constitution loading, preset additions, CLI bumps.
- Mozilla — The zero-days are numbered (Firefox 150 ships 271 Mythos-found vulnerabilities) — Deep-dive on the practitioner half of the April Mythos story.
- ClaudeBleed (LayerX, May 8) — Vulnerability in Anthropic Claude Chrome extension; partial fix shipped; root cause unaddressed per LayerX.
- Braintrust API key rotation after data breach (SecurityWeek, May 8) — Ecosystem-governance signal for hosted AI eval/observability platforms.
The Long View
The same week: 271 vulns out, ClaudeBleed in
The same seven days that saw Mozilla publish The zero-days are numbered — its deep-dive on how Claude Mythos Preview surfaced 271 unknown vulnerabilities in the Firefox codebase, including a 20-year-old XSLT bug that survived two decades of expert human review of one of the most-audited codebases on the internet — saw LayerX disclose ClaudeBleed, a takeover-class vulnerability in Anthropic’s own Claude Chrome extension that lets any zero-permission browser extension inherit the AI agent’s capabilities and act on the user’s behalf. The auditor and the audited, in the same news cycle, on the same vendor’s surface area.
The practitioner pattern across the rest of the week is consistent and worth naming. Four vendors at four different platform layers shipped the same architectural decomposition: Anthropic’s Auto Mode (per-action input + execution gates with visual approval UX and subagent outbound/return checks), Google’s GKE Agent Sandbox (300 gVisor isolates per second at sub-second latency), Cloudflare’s Dynamic Workflows (per-tenant durable code in roughly 300 lines of MIT-licensed TypeScript), and GitHub’s defense-in-depth four-pillar CI/CD architecture (Isolation, Constrained Execution, Controlled Outputs, Observability). When the same shape ships at four layers in the same week, it’s no longer a research pattern — it’s the shape the platform layer has converged on. Harness is no longer a research term; it’s a vendor primitive, with the same load-bearing components showing up under different product names. Edition 10’s framing that discipline is the load-bearing word for the 2026 question reads, one week later, as a question that just got six different production answers.
But ClaudeBleed is the same week’s reminder that the harness pattern has to apply to the agent’s own surface area, not only to the work the agent does. The Chrome extension’s authorization check trusted execution origin (the claude.ai DOM) rather than execution context (which extension was issuing the command) — a textbook trust-boundary mistake that’s standard fare in operating-system security and that harness engineering exists, in part, to prevent. As agent products multiply across IDEs, browsers, terminals, and CI pipelines, each new surface becomes a candidate for the same takeover-class flaw. The 2026 question Edition 10 named was operational discipline. This week’s answer is that the discipline cuts both ways: the agent’s auditing capability is asymmetric — better than human experts on long-tail vulnerability discovery, as Mozilla’s 20-year XSLT bug shows — but the agent’s own deployment surface inherits whatever defects exist in the host platform’s trust model. The vendors that win the platform layer over the next twelve months will be the ones whose harness primitives apply to both directions, and whose security model assumes the agent is simultaneously a powerful auditor and a high-value target. Building one without the other is the failure mode this week made visible.
The Artificer’s Grimoire — weekly intelligence on harness engineering and autonomous agents — for practitioners, by Tim Schiller (Artificer Digital).