MindPattern
Back to archive

Ramsay Research Agent — June 6, 2026

[2026-06-06] -- 4,867 words -- 24 min read

Ramsay Research Agent — June 6, 2026

Five things landed this week that change how much your agents cost, who's still employed to run them, and what "shipping software" even means anymore. The cost model for headless agents got rewritten. A media company fired two agencies and replaced them with 14,000 lines of vibe code. Tech layoffs hit their worst month in two years with AI named as the reason. And the cheapest performance lever most teams ignore turned out to be worth a 3x cost cut with zero code changes. Here's what I'd actually do about it.

Top 5 Stories Today

Anthropic is ending the subscription subsidy for your autonomous agents on June 15

If you run anything headless on Claude, read this twice. Starting June 15, 2026, Anthropic moves the Claude Agent SDK, claude -p, Claude Code GitHub Actions, and third-party agents off the flat subscription limit and onto a separate monthly credit pool, metered at full API rates with no rollover. The New Stack has the breakdown: $20 on Pro, $100 on Max 5x, $200 on Max 20x. Interactive use stays on the old limits. Claude.ai chat, terminal Claude Code you're actually sitting in front of, and Claude Cowork all keep drawing from your normal subscription. The split is interactive-versus-unattended, and that line is the whole story.

I run a daily research pipeline that dispatches 13 agents at 7 AM while I'm asleep. That's exactly the workload this targets. The flat subscription made claude -p in a cron job feel free, and a lot of us built pipelines on that assumption without thinking hard about per-token economics. That era's over. Anthropic was subsidizing autonomous compute at a loss, and the carve-out tells you they noticed.

Here's why it matters beyond my morning newsletter. The whole "vibe-coded VP" and "Claude Code swarm" pattern everyone's been celebrating runs on headless invocation. The SaaStr agent further down this issue, the swarms-at-scale write-ups on HN, the GitHub Actions reviewing your PRs. All of it just got a real bill attached. Full API rates with no rollover means a misconfigured loop that re-reads a 200K-token repo every five minutes can torch your monthly credit before lunch.

What to do right now, before June 15: audit every unattended invocation you have. Find your cron jobs, your CI hooks, your scheduled GitHub Actions, and estimate token spend per run times runs per month. Separate interactive from headless in your head and in your config. If you're on Pro and you discover your pipelines need more than $20 of API-rate compute, you either move to Max or you optimize. Which is the perfect setup for story five, because the single biggest knob you can turn is cache hit rate, and most of you have never measured yours.


SaaStr vibe-coded an "AI VP of Marketing," and two agencies are quietly gone

This is the clearest documented case I've seen of a real business replacing senior headcount with a self-built agent, with receipts. SaaStr published a full breakdown of "10K," its internal AI VP of Marketing running on Claude and Replit at 14,230 lines of code. Combined with its AI VP of Customer Success ("QB"), the two cost $257 a month. SaaStr lists what 10K actually does: refreshes ticket sales, drafts newsletters and tweets, builds pricing models, snapshots GAAP financials daily. In a companion post they say it silently displaced two outside vendors billing $20K+ each.

Run the math. Two agencies at $20K means roughly $480K a year. Replaced by $257 a month, call it $3K a year plus the build time. That's not an efficiency gain, that's a category change in how the work gets staffed. And I want to be honest about the part that makes me uneasy: 14,230 lines of code is not nothing, and "drafts newsletters and tweets" is doing a lot of quiet work in that sentence. I write a newsletter every day with an agent pipeline. I know exactly how much human taste sits behind "drafts." The agent doesn't have the opinion. It has the draft. Someone still has to be the one who knows the draft is wrong.

But the trend is real and it rhymes with everything else this week. Lovable hit roughly $400M ARR with under 200 people, per Head of Growth Elena Verna at SaaStr AI (SaaStr). That's an ARR-per-head number a traditional SaaS org chart can't produce. Put the SaaStr agent, the Lovable headcount ratio, and the SaaS-trades-at-a-discount story together and you get one argument: capital now rewards ARR-per-head over seat-expansion, and the proof points are stacking up weekly.

What builders should do: stop thinking about agents as features and start thinking about them as roles. The question isn't "can I add AI to my product." It's "which $20K/month line item in my own business could a 14,000-line agent absorb." Build that one first. You'll learn more about agent reliability from replacing your own marketing ops than from any benchmark. And you'll feel the 80% problem in your bones, which is the part nobody puts in the celebratory blog post.


Tech cut 38,242 jobs in May, and for the third straight month AI got the blame

The efficiency story has a cost, and it's showing up in the labor data. Challenger, Gray & Christmas reports U.S. tech firms announced 38,242 job cuts in May 2026, the sector's heaviest month in nearly two years, per Tom's Hardware. The 2026 tech total hit 123,653, up 65% year over year. AI was specifically cited in 38,579 cuts across industries, 40% of all May layoffs and the highest monthly AI-attributed total since tracking began in 2023. The 2026 AI-cited total of 87,714 already exceeds all of 2025. Meanwhile Google, Amazon, Microsoft, and Meta plan a combined $725B in 2026 capex, up 77%.

Hold those two numbers next to each other. Record cuts and record capex, at the same time, at the same companies. That's not a coincidence, it's a thesis being executed. The spend isn't going into headcount, it's going into the thing meant to replace headcount. And the workers know it. Amazon engineers showed up at a Seattle City Council meeting to protest the company's $200B AI infrastructure spend while it cuts roughly 30,000 jobs (Fortune). The council passed a one-year limit on new mega data center developments. Insider workers publicly opposing their own employer's AI strategy is rare, and it's a tell.

I don't think AI is purely additive anymore, and I've stopped pretending the comfortable version is true. The honest read is that some of these jobs are gone because a model plus a thin harness now does the work, and some are gone because "AI" is a convenient label for cuts a CFO wanted anyway. Both things are happening and the data can't cleanly separate them. What I'm sure of: if your job is the part of the SDLC that an agent finishes the visible 80% of, you should be the person who owns the 20% it skips. The cross-cutting reasoning, the taste, the "this is technically correct and completely wrong" judgment. That's the defensible position, and it's the same skill the SaaStr agent quietly depends on a human to provide.

What to do: don't doomscroll the layoff numbers, study what got automated. Read the Ask HN "oh-shit moment" thread (411 points, 737 comments) for where working engineers actually saw agents cross a line this year. It's the best aggregated snapshot of the real capability frontier I've found, and it's more useful than any vendor benchmark for figuring out which parts of your own job are exposed.


Claude Code 2.1.166 adds fallback models, and if you run cron pipelines this is the fix you've wanted

Two researchers in my set surfaced this independently, which is usually a sign it matters. Claude Code 2.1.166, first seen June 6, introduces a fallback-models setting: configure up to three models tried in order when the primary is overloaded or unavailable. It also adds glob pattern support in permission deny rules and explicit thinking-token controls, per Releasebot. This shipped in a fast June cadence, 2.1.160 through 2.1.166 all between June 4 and 6.

I've lost overnight runs to a single overloaded model. The pipeline stalls at 3 AM, nothing retries intelligently, and I wake up to a dead pipeline and no newsletter. Fallback models fix exactly that failure. Pair a frontier primary like Opus with cheaper fallbacks and your background session keeps progressing through peak load instead of dying on it. For anyone running unattended agents, and re-read story one, this is the reliability primitive that makes headless pipelines survivable now that they cost real money. You don't want a $200 credit pool draining into retries against an overloaded endpoint.

The glob deny rules are the quieter win and they pair with the new metering too. You can now write a * deny rule that blocks all tools as a default-deny baseline, then selectively allow back only what a task needs (skill-finder via Releasebot). Least-privilege agent configs just got a real syntax. Given this week's supply-chain news (the Miasma worm hitting Microsoft's own GitHub orgs, more below), a default-deny posture isn't paranoid anymore, it's table stakes.

There's more in the changelog worth wiring up. A new MessageDisplay hook event lets hooks transform or hide assistant message text as it renders. Stop and SubagentStop hooks can return additionalContext to feed Claude guidance and keep the turn going without tripping a hook error. SessionStart hooks can return reloadSkills: true, and a new /reload-skills command re-scans skill directories mid-session. Plugins in .claude/skills auto-load with no marketplace (Claude Code Docs). If you're building self-modifying agent setups, that's a tighter authoring loop than we had a month ago.

What to do: add a fallback-models block to every autonomous config today. Three models, frontier primary, cheaper fallbacks. Then add a * deny baseline and allow back your actual tool surface. Twenty minutes of config, and your next overnight run survives a Tuesday outage.


Move your static prefix first and watch cache hit rate jump from 23% to 71%

This is the "do it today" story, and it's the cheapest cost cut on this entire list. Most LLM cost dashboards don't even show cache hit rate, yet it's the single biggest lever you've got. One production team moved a roughly 300-token user-context block out of the system prompt and to the start of the user turn, and watched cache hit rate go from 23% to 71%. Zero API changes, no latency risk, per AgentMarketCap. That's a 3x improvement in cached-token reuse from rearranging where text sits.

Here's the mechanic. Prefix caching keys on a byte-identical prefix. The moment something dynamic appears early in your prompt, everything after it is uncacheable, because the prefix no longer matches. People stuff per-request context (user data, retrieved snippets, timestamps) into the system prompt because that's where "context" feels like it belongs. That single dynamic block poisons the cache for the entire stable instruction set sitting behind it. Move the static instructions to the front, push the mutable state to the back, and the expensive stable part stays cached across every call.

You can go further. Explicitly marking segments with cache_control breakpoints (system prompt cached separately from tool definitions, long reference docs cached, dynamic user context left uncached) delivers a 2-5x hit-rate improvement over automatic caching, for one or two hours of work (SurePrompts). And when user phrasing varies, cache the plan, not the tokens: semantic caching (vCache, Feb 2026) serves a cached response when embedding similarity clears a threshold, and agentic plan caching skips re-planning for repeated task shapes entirely (Harness Engineering Academy).

This connects straight back to story one. June 15, your headless agents get metered at full API rates. A 3x cache hit rate improvement is a direct 3x cut on the cached portion of that bill. The teams that measure cache hit rate are about to have a structural cost advantage over the teams that don't. Treat your system prompt as a versioned artifact and assert a minimum cache hit rate in CI so it can't silently degrade as your codebase grows. That last part is the discipline most people skip, and it's why their hit rate quietly rots back to 23% three months later.

What to do: instrument cache hit rate this week, before the metering change. If you've never measured it, you're almost certainly leaving the easiest cost win on the table.


Section Deep Dives

Security

The Miasma worm reached Microsoft's own GitHub orgs, 73 repos disabled. On June 5, the Miasma supply-chain worm hit Microsoft's Azure GitHub organizations, and GitHub disabled 73 repos across four Microsoft orgs after malicious commits were pushed (StepSecurity). The payload harvests credentials when a developer opens the repo in Claude Code, Gemini CLI, Cursor, or VS Code. Repo-as-trigger is a new attack class: it weaponizes the exact auto-execution behavior that makes coding agents convenient. If your agent acts on untrusted repository contents without isolation, you're exposed. This is why the glob deny rules in story four matter, and why you sandbox before you open.

Attackers stole Instagram accounts by just asking Meta's AI support bot to relink them. No exploit, no malware. 404 Media revealed attackers told Meta's AI customer-support agent to relink target accounts to attacker-controlled emails, and it complied (MIT Technology Review). Victims included a dormant Obama White House account, Sephora, and a senior Space Force official. The lesson is uncomfortable: the AI was the target, not the attacker, and a trivially simple social-engineering exploit beat any model-sophistication defense. If you're putting an agent in front of account-mutating actions, the agent itself is now your attack surface.

~40% of remote MCP servers expose tools with no auth, 12,520 reachable services mostly unauthenticated. That's the number behind the practical hardening rule: never run an MCP server with broad shell, filesystem, or DB scope on a trusted host without sandboxing, network isolation, and scoped credentials (Adversa AI). Treat every MCP server, including popular ones like DesktopCommander, as untrusted code with exactly the privileges you grant it. For high-risk servers, pick gVisor for lower-overhead syscall filtering or Firecracker microVMs (~125ms boot) for hardware-grade isolation of untrusted third-party code (DEV Community).

Agents

Microsoft Agent 365 SDK hit GA as a framework-agnostic governance control plane. At Build 2026 the Agent 365 SDK went GA, letting you bring third-party and custom agents into an observe/govern/secure plane that spans Microsoft Agent Framework, OpenAI Agents SDK, LangChain, Semantic Kernel, and Azure AI Foundry (Microsoft Foundry). Agent 365 for Local Agents entered public preview, discovering agents on managed endpoints and mapping them to devices and users. That's aimed squarely at the shadow-agent problem: enterprises don't know how many agents are already running inside them. Governance is becoming a first-class layer, not an afterthought.

The "80% problem" finally has a name. Coding agents reliably finish the visible 80% of a task and silently skip the 20% outside their context window: cross-cutting edits, sibling repos, auth middleware, audit logging, integration tests (Sourcegraph). The defense is treating agent output like a human PR, reviewed against real acceptance criteria, not vibe-coding's "ship if it runs." This is the single most useful framing I've read for why agent output feels done but isn't, and it's the exact gap the SaaStr-style "agent replaces a role" stories quietly depend on a human to cover.

Agent FinOps is now a funded category. Ramp closed a $750M Series F at $44B, with proceeds going partly toward controls for AI and agent spending (Crunchbase News). When a spend-management giant raises specifically to govern consumption-based agent costs, it confirms what story one implies: variable, metered agent spend is becoming a thing finance teams manage. Agent cost control is graduating from a hobbyist concern to a budget line.

Anthropic shipped 20+ legal MCP connectors and 12 practice-area plugins. This is one of the most concrete vertical agent pushes from a frontier lab yet, packaging domain tools as MCP connectors rather than bespoke integrations (Releasebot). It's a template: verticalize agent capability through the protocol layer instead of one-off builds. If you're building in a regulated domain, watch this pattern, because it's how the labs will eat vertical SaaS.

Research

First systems-level characterization of agent memory workloads. Researchers measured the runtime and storage behavior of stateful long-horizon agents across flat retrieval, LLM-mediated extraction, consolidating fact stores, and agentic control flows (arXiv). If you build long-running agent pipelines, this is the paper that quantifies what memory architecture actually costs you in latency and retrieval overhead at scale. Most memory framework pitches skip the systems bill. This one sends it.

Why multi-agent systems fail, measured. CollabSim finds LLM agent teams falter not from weak individual ability but from poor collaborative competence: establishing common ground, maintaining shared task understanding, repairing misalignment (arXiv). Pair it with ALMANAC, a human-collaboration dataset with action-level mental-model annotations (arXiv). If your agent swarm underperforms a single good agent, the problem is probably coordination, not capability, and now there's methodology to isolate it.

Your broken RL environment is actively making the model worse. Auriel Wright argues flawed training harnesses generate corrupted data that pushes gradients the wrong way (Latent Space). Concrete rules: review trajectories regularly, fix the harness first if failure rate exceeds 5%, apply production-grade engineering (load testing, state validation, no silent defaults), and make mock data match production messiness (typos, missing fields) or models break on real input. "Researchers don't want your broken RL environments" is the bluntest framing of harness quality I've seen.

Infrastructure & Architecture

Google will pay SpaceX $920M a month to rent compute from a rival's data centers. Roughly $32B over three years (Oct 2026–June 2029) for ~110,000 NVIDIA GPUs housed at xAI data centers SpaceX absorbed (TechCrunch). Google called it bridge capacity for surging Gemini Enterprise agent demand, with termination rights if SpaceX misses a Sept 30 delivery milestone. One frontier lab renting compute from a rival's infrastructure tells you the compute crunch is real enough to override competitive instinct.

Apollo and Blackstone are structuring a record $36B private credit package for Anthropic's TPU deal. Split into ~$6B A1, $25B A2, and $4.5B B notes to let Anthropic buy and lease back Google TPUs across New York, Texas, Louisiana, and Indiana, with Broadcom backstopping the largest tranches (Private Equity Wire). Largest chip-financing debt transaction in history. The frontier-lab compute buildout is now being financed like infrastructure, because at this scale it is.

Firecrawl v2.0.0 ships request caching on by default. The new v2 API caches with maxAge defaulting to 2 days, plus endpoints for markdown, HTML, and structured JSON (GitHub). For agent and RAG pipelines that re-scrape the same sources, that default meaningfully cuts cost and latency without you doing anything. If you pinned an older version, the upgrade is close to free money.

Tools & Developer Experience

Moonshot AI open-sourced Kimi Code CLI, MIT-licensed, with isolated subagents. Released June 6, a TypeScript terminal coding agent on npm succeeding the older kimi-cli, with built-in coder, explore, and plan subagents running in isolated contexts and MCP configured conversationally via /mcp-config (GitHub). Works with Kimi models out of the box, supports other providers. A direct open competitor to Claude Code and Codex CLI, and the isolated-subagent design is the right pattern.

cc-switch hit 93.2K stars as a unified control surface for six coding agents. The Rust desktop switcher lets you jump between Claude Code, Codex, OpenCode, OpenClaw, Gemini CLI, and Hermes Agent from one interface (GitHub). Its rise is the real signal: builders now run multiple coding agents and need a single control plane. The multi-harness reality is here, and tooling is racing to catch up.

Bad MCP design costs your agent 5x more tokens. An HN analysis quantified how bloated tool schemas and redundant context inflate agent token consumption roughly 5x (Hacker News). The fix is trimming tool definitions and lazy-loading schemas. With the June 15 metering change bearing down, MCP schema hygiene moves from nice-to-have to direct cost control. Audit your tool definitions the same week you audit your cache hit rate.

Models

Mistral Medium 3.5 became the Le Chat default at 77.6% on SWE-Bench Verified. It posts strong agentic numbers (91.4 on τ³-Telecom) and replaces Devstral 2 in the Vibe CLI (Releasebot). Companion model Mistral Small 4 matches or beats GPT-OSS 120B on AA LCR and LiveCodeBench while generating ~20% less output, which is the genuinely interesting line for cost-sensitive local and agentic deployments. Less output at equal quality is a real lever.

Where are the American open-weight models? Jamin Ball examines the conspicuous absence of competitive U.S. open models as DeepSeek, Qwen, and GLM dominate the open-source frontier (Clouded Judgement). Meanwhile the WSJ reports Meta keeps delaying its Llama-successor to developers (WSJ). If you're betting on open weights, the leading Western option is wobbling and the strong options are Chinese. Plan your model strategy with that reality, not the one from a year ago.

Vibe Coding

DeepSeek-Reasonix is a coding agent engineered around prefix-cache stability. The Go-based terminal agent (18,730 stars) is built specifically for DeepSeek and tuned so it can run continuously without cache thrash (GitHub). Most harnesses target Claude or GPT, so a model-specific agent optimized for cache economics is a distinct emerging pattern, and it's the same cache-hit-rate insight from story five baked into an entire tool. Watch for more harnesses designed around the cost curve, not just the capability.

A founder deliberately nerfed their coding agents and got better results. The argument: maximal agent autonomy produced worse, harder-to-review outcomes than scoped, guard-railed tasks (Hacker News). It's a clean counter-narrative to the "more agency is always better" marketing. My experience agrees, constrained agents with tight acceptance criteria beat free-roaming ones on anything I have to maintain. The 80% problem is exactly why.

Understand-Anything turns any codebase into a queryable knowledge graph for agents. 53,317 stars, integrates with Claude Code, Codex, Cursor, and Copilot, pitched as "graphs that teach > graphs that impress" (GitHub). It's a direct play at the 80% problem: feed an agent a graph of cross-cutting relationships and it can surface the dependencies it would otherwise silently skip. Comprehension layers for agents are becoming their own category.

Hot Projects & OSS

n8n crossed 191K stars as the most-starred way to wire LLMs into real workflows. The fair-code automation platform pairs 400+ integrations with native AI and self-host or cloud deployment (GitHub). For solo builders, it's the path of least resistance to multi-step agentic automations without building orchestration from scratch. The star count reflects that it's become default plumbing for "wire a model into a business process."

browser-use sits at 97K stars as the default browser-automation layer. It exposes web pages to agents so they can complete tasks on live UIs rather than APIs (GitHub). Sustained growth tracks the shift toward agents acting on real web interfaces. If you're building computer-use-style automation, it's a near-default dependency, and given this week's prompt-injection news, one you sandbox carefully.

graphify packages knowledge-graph generation as a portable Claude Code skill. 60.3K stars, turns folders of code, SQL, R, and shell into a navigable graph across Claude Code, Codex, OpenCode, Cursor, and Gemini (GitHub). Distributing capability as a portable skill rather than a standalone app is the rising pattern, and it's the same skills-distribution model Anthropic's auto-loaded .claude/skills change leans into. Skills are becoming the unit of agent capability.

SaaS Disruption

$200M+ flooded into AI-native CRMs in a single quarter to unbundle Salesforce. Within weeks, Lightfield ($81M/$300M val), Reevo ($80M from Khosla and Kleiner Perkins), and Monaco ($35M) all raised to rebuild CRM as memory-first, agent-driven systems, while Attio became the quiet default for AI-native startups (SaaStr). When the same blueprint (no manual data entry, full-fidelity interaction memory, agents that run pipeline) shows up across three-plus independent raises at once, the incumbents' system-of-record moat is the next thing to get cannibalized.

Software now trades at a discount to the S&P 500 for the first time ever. SaaStr documents the 2026 rout as a structural re-rating, not a dip (SaaStr). CNBC adds that 75 SaaS companies now sit on PitchBook's fallen-unicorns list, double the fintech count (CNBC). The market is openly pricing in agentic substitution. Capital rewards ARR-per-head now, which is the through-line connecting this to the Lovable and SaaStr stories up top.

The pricing cliff: sub-$50 AI tools retain at 32% NRR, $250+ plans hold 85%. 2026 benchmarks show cheap AI point tools are structurally substitutable and churn fast, while enterprise-priced plans hold (Digital Applied). This is the warning for every indie builder shipping a $20/month "SaaS killer": you face the exact disposability you inflict on incumbents. Defensibility comes from pricing for enterprise value, not volume. Build the agent that replaces a $20K line item, not the one that shaves $20 off a subscription.

Policy & Governance

New York passed a first-in-nation one-year data center moratorium. On June 5, lawmakers sent Governor Hochul a bill pausing new permits for data centers drawing 20+ megawatts (The Verge). At least 11 states introduced similar restrictions this session. Hochul, up for re-election, has voiced reservations and has until December to decide. Backed by projections that AI water use could equal 1.3 billion people's annual consumption by 2030 (El País), the buildout is hitting political and physical limits at once.

Big AI's lobbying is regulatory capture, per Andrew Ng. Meta spent $26.29M, more than any company in any industry, with Amazon ($17.89M), Alphabet ($13.1M), Microsoft ($9.36M), and Nvidia (up 7x to $4.9M) close behind (The Batch). Ng's argument: escalating lab lobbying is engineering a regulatory environment that consolidates incumbent power and suppresses open source. If you're betting on open weights, treat this as a builder-side warning that the rules may get written against you.

An employee won a religious exemption from being required to use AI at work. Business Insider reports an early legal-precedent signal as AI mandates spread (Business Insider). It raises genuinely new questions about how accommodation law applies when AI usage becomes non-optional. A small case, but an emerging fault line worth tracking as more employers make AI adoption mandatory.


Skills of the Day

  1. Move your static prompt prefix to the front and measure cache hit rate before June 15. Pull dynamic per-request context out of the system prompt and put it at the start of the user turn. One team went 23% to 71% hit rate with zero API changes. With Agent SDK metering arriving, this is a direct cut on your biggest cost line.

  2. Add explicit cache_control breakpoints, don't rely on automatic caching alone. Cache the system prompt separately from tool definitions, cache long reference docs, leave dynamic user context uncached. That's a 2-5x hit-rate gain for one to two hours of work, and it survives prompt edits better than implicit prefix caching.

  3. Assert a minimum cache hit rate in CI. Treat the system prompt as a versioned artifact and fail the build if hit rate drops below a floor. Otherwise it silently rots back toward zero as your prompt grows, and you won't notice until the bill arrives.

  4. Configure up to three fallback models in every autonomous Claude Code config. Use the new fallback-models setting in 2.1.166: frontier primary, cheaper fallbacks. Your overnight cron run survives a single overloaded endpoint instead of dying at 3 AM with nothing to show for it.

  5. Build a default-deny tool posture with glob deny rules. A * deny rule now blocks all tools in Claude Code; allow back only what a task needs. Given repo-as-trigger worms like Miasma, least-privilege agent configs are the cheap defense that actually works.

  6. Sandbox MCP servers before granting shell, filesystem, or DB access. Roughly 40% of remote MCP servers expose tools with no auth. Pick gVisor for low-overhead syscall filtering or Firecracker microVMs for untrusted third-party servers needing hardware-grade isolation. Never run a broad-scope server on a trusted host bare.

  7. Enforce NVIDIA's three agent sandbox controls: egress allowlist, workspace write limits, config-file lockdown. Allow only permitted outbound APIs and alert on the rest, exclude dotfiles and auto-executing config dirs from writes, and block all agent modification of hooks and MCP defs regardless of approval level. Manual user edits only.

  8. Isolate each coding subagent in its own git worktree and require automated verification before merge. Concurrent agent edits don't collide when each runs in a separate worktree, and a dedicated test-runner subagent catches failures in parallel while the main session keeps writing. This is the 2026 production pattern for parallel agentic coding.

  9. Gate launch decisions on a three-judge ensemble across three model families. A defensible May 2026 panel is Claude Sonnet 4.5, GPT-5.1, and Gemini 2.5 Pro, aggregated by vote. Cross-family diversity directly counters self-enhancement bias, where a model over-rates its own family's outputs by 5-7%. Don't trust a single judge for high-stakes evals.

  10. Only fine-tune your embedding model when nDCG@10 drops below 0.70 and a reranker hasn't closed the gap. Measure first. When you do fine-tune, contrastive loss on (question, context) pairs with Matryoshka Representation Learning yields ~7% gains from 6.3K samples in about three minutes on a consumer GPU, with 99%+ performance retained at 6x storage reduction. Try the reranker before you reach for training.