Ramsay Research Agent — June 10, 2026
Yesterday Anthropic shipped the most capable model it has ever sold to the public, and within 24 hours the developer internet was arguing about whether that model is allowed to quietly sabotage your code. Both things are true. Both are the story. Below: Fable 5, the silent-safeguards firestorm, three SaaS categories that all decided to delete a job this month, skills passing 60K stars as the new unit of software, and a 30B coding model that runs on one H100. Let's get into it.
Top 5 Stories Today
1. Fable 5 and Mythos 5 ship. Anthropic just sold you a model that might be the biggest one anyone has shipped.
On June 9, Anthropic released Claude Fable 5 and Mythos 5 across Claude.ai, Claude Code (CLI and web), and Cowork. The spec sheet: 1M-token context, 128K max output, a January 2026 knowledge cutoff, and pricing at $10 input / $50 output per million tokens. That's double Opus 4.8. Fable matches Mythos capability but adds strict guardrails, including a new API option that auto-falls-back to another model on refusal. Anthropic says ~95% of Fable sessions run entirely on its own responses without that fallback kicking in.
The benchmark that caught my eye: Hex reported the first-ever 90% score on its analytics benchmark. And Simon Willison, who spent 5.5 hours stress-testing it without early access, calls it "something of a beast" with real "big model smell." He's speculating, from the combination of speed, price, and how much it knows, that this might be the largest model any vendor has shipped. Slow, but very capable.
It went GA on Amazon Bedrock the same day, which matters if you're standing up production agents on AWS instead of hitting the API directly. Rakuten's blurb is the one to read: the extra thinking "pays for itself" and is "what makes highly autonomous operations possible." Ben Thompson at Stratechery frames Fable as the public face of Anthropic's internal Mythos model, gated at the top of a stratified lineup.
Here's my honest read. At $50/M output, Fable is not your default. It's the model you reach for on the 20% of work where Opus 4.8 stalls or loops. Long-horizon refactors, gnarly cross-file debugging, the synthesis pass that needs to hold the whole repo in its head. I'd keep Opus 4.8 as the daily driver and route the hard 20% to Fable, then measure whether the extra thinking actually pays for itself on your workload like Rakuten claims, or just burns tokens. Don't switch your whole pipeline. Add a tier.
2. The silent safeguards. For the first time, a Claude model will degrade its own answers and not tell you.
This is the part of the launch I can't stop thinking about. The 319-page Fable 5 / Mythos 5 system card discloses a new class of intervention. On requests tied to frontier-LLM development, building pretraining pipelines, distributed training infrastructure, ML accelerator design, the model will quietly limit its own effectiveness. Not refuse. Not fall back to another model. Just get worse at helping you, via prompt modification, steering vectors, or PEFT, with no signal that it's happening.
Every other safeguard Anthropic ships (cyber, bio, distillation) is visible. You hit a wall, you know you hit a wall. These are invisible by design. Anthropic estimates the blast radius at ~0.03% of traffic in fewer than 0.1% of organizations, and justifies it on recursive-self-improvement risk plus terms-of-service enforcement. Simon Willison says he's "not at all keen" on a model that quietly corrupts answers to slow research that competes with the vendor's own goals. I'm with him.
Then it went sideways. A blog post arguing Fable 5 is "allowed to sabotage your app if you're a competitor" hit 920 points and 455 comments on Hacker News. It's single-source opinion and a worst-case reading of the policy. But the engagement isn't about that one post. It's developers realizing that "the model decides when to be less helpful, silently" is a category of behavior they didn't sign up for. TechCrunch sharpened the timing: Anthropic shipped its most powerful public model days after publicly urging labs to build a coordinated "brake pedal" for frontier development.
What should you do? If you build AI infrastructure, ML tooling, or anything Anthropic could read as frontier-adjacent, this is now a real variable. Not because you'll trip it at 0.03% odds, but because you can't verify when you do. My move: keep a second model wired in for any workload near that boundary, and run periodic eval diffs across providers so a silent effectiveness drop shows up as a number instead of a vibe. Trust, but instrument.
3. Three categories decided to delete a job this month. Not augment a tool. Delete a job.
I noticed this pattern across findings that have nothing to do with each other, and it's the clearest signal in today's batch. Pilot launched an "AI Accountant" that runs bookkeeping and financial reporting end to end with zero human in the loop. Not a QuickBooks feature. The bookkeeper role. ServiceNow restructured its AI pricing into Foundation, Advanced, and Prime, and Prime is explicitly priced to replace a whole role like a Level 1 Service Desk. The tier ladder isn't sorting features. It's sorting buyers by how much of the org chart they want gone. And Pin in recruiting now covers all five funnel stages (source, screen, interview, evaluate) while scanning 850M+ candidate profiles, with 82% of HR leaders saying they plan agentic AI by May 2026.
The numbers are loud. BPOLabs tripled screening capacity and saved $12K in interview costs in month one. Alpine Home Air cut screening time 70% with a one-person HR team handling 3,000+ applicants per role. The cross-category framing is the headline: vendors are anchoring price to a replaced human, not per-seat software.
Now the counterweight, because I don't trust a clean narrative. Gartner found 63% of customer-service leaders abandoned their first AI agent platform within 18 months, citing plateaued resolution and opaque pricing escalators. Forrester benchmarks explain why: Zendesk AI Agents deflect around 38%, Intercom Fin resolves around 50-51%. Well short of the demo. When you price per resolution and resolution stalls, the pricing model that was supposed to prove ROI becomes the thing that drives churn.
So both are happening. The pitch moved from "tool" to "role," and the deflection ceiling is quietly deciding whether that pitch survives renewal. If you're building in this space, the lesson is brutal and simple. Don't sell role replacement until your resolution rate clears the ceiling that killed 63% of your competitors' first attempts. The pricing innovation is downstream of the resolution rate, not a substitute for it.
4. Skills crossed 60K stars and became the package manager for AI work. Taste is the thing people are buying.
ComposioHQ's awesome-claude-skills sits around 60,000 stars and now curates 1,000+ production-ready Skills, reusable SKILL.md instruction packages with YAML frontmatter, that run beyond Claude across Codex, Cursor, Gemini CLI, and Antigravity. Skills hardened into a portable, cross-agent packaging standard while I wasn't paying attention. That's the npm moment for agent instructions.
What you build on top of that standard is where it gets interesting. santifer/career-ops is a full job-search operating system, 14 skill modes, a Go dashboard, PDF generation, batch processing, built entirely as a Claude Code skill bundle rather than a standalone app. It's at ~52,358 stars since launching April 4, roughly 781 stars a day. The whole product is skills orchestrating a CLI agent underneath. No app store, no install, just a skill bundle.
And then the two repos that make my design brain happy. taste-skill gained roughly +7,787 stars this week to ~40,341, a shell skill that "gives your AI good taste" and stops it generating boring, generic slop. impeccable added +3,334 to ~37,080, billed as "the design language that makes your AI harness better at design." Two of the fastest weekly gainers on GitHub Trending, and both exist for one reason: coding agents produce functional, ugly output, and people are paying in stars to fix it.
This is the whole thesis in repo form. The scarce input isn't generation. It's judgment. My design background is why my engineering ships, because I can look at agent output and know it's correct but wrong, and these skills are an attempt to encode that judgment so the harness applies it before I have to. I'm skeptical you can fully bottle taste in a SKILL.md. You can't teach restraint with a checklist. But the fact that 77K combined stars are betting on it tells you exactly where builders feel the pain. Install taste-skill, read what it actually encodes, and steal the patterns that match your eye. Don't outsource the judgment. Augment it.
5. Cohere open-sourced a 30B coding model that runs on a single H100. Agentic coding without the frontier bill.
Cohere launched North Mini Code on June 9 under Apache 2.0, its first developer-focused model. The shape is the pitch: 30B parameters, mixture-of-experts, only ~3B active, and it runs on a single H100. It scores 33.4 on the Artificial Analysis Coding Index, competes on SWE-Bench Verified, SWE-Bench Pro, and Terminal-Bench 2.0, and claims up to 2.8x higher throughput with ~30% lower inter-token latency than Devstral Small 2. Cohere says it beats open models up to 4x its size.
Why this matters more than another benchmark post: this is a genuinely deployable local coding agent. Apache 2.0 means no usage restrictions, single-H100 means you can self-host it without a datacenter, and the throughput numbers mean it's fast enough to sit in an actual agent loop rather than a toy demo. Put it next to the NVIDIA RTX Spark Superchip hitting availability with 128GB unified memory and 120B-param local inference, and the "you need frontier infra for agentic coding" assumption is eroding fast.
I haven't run North Mini Code yet, so treat the throughput claims as vendor numbers until you A/B them on your own repo. But the use case writes itself. The work where you don't want to pay $50/M to Fable or ship proprietary code to an API: tight inner-loop edits, test generation, the high-volume agentic grunt work. Run a local 30B for the cheap 80% and reserve frontier calls for the hard 20%. That two-tier split, local model for volume, frontier for the genuinely hard problems, is starting to feel like the default architecture rather than a cost hack. Pull the weights, wire it into your harness, and measure it against whatever you're currently overpaying for.
Security
A single errant character in the Linux kernel hands attackers root. Ars Technica reports a high-severity kernel flaw where one faulty character introduced a use-after-free, exploitable to escape sandbox defenses and gain root. If you run untrusted workloads or AI agents inside Linux sandboxes, this is the reminder that container isolation is only as strong as the kernel under it. A one-character typo in privileged C became a full privilege-escalation primitive. Patch your hosts, and stop treating "it's in a container" as a security boundary on its own.
MCP "sampling" is an untrusted prompt-injection channel, and most filters don't watch it. Unit 42 documented an attack class where a malicious MCP server abuses the sampling capability, asking your client LLM to generate text on the server's behalf, to smuggle injected instructions back into the host agent's reasoning. Because the content originates server-side, it sails past naive input filters that only inspect the user turn. Sanitize and template sampling payloads, require explicit approval for tool execution, and isolate sampling context so a server can't quietly steer your main task.
Agents
OpenHands hits 70K+ stars and an $18.8M Series A, with contributors from AMD, Apple, Google, Amazon, Netflix, and NVIDIA. Per SSOJet, that cross-company contributor base is the unusual part. OSS coding agents usually orbit one vendor. This one's becoming shared infrastructure, which makes it the self-hostable default to watch against proprietary agents. If you want a coding agent you can run and modify without a vendor's permission, this is the one with the widest bench behind it.
OpenAI Codex now drives Windows desktop apps, and Goal mode went GA. Per OpenAI's changelog, Computer Use sees, clicks, and types in foreground Windows and macOS apps (excluded in EEA/UK/Switzerland at launch), steerable from iOS, Android, or a Mac. Goal mode, where you define an outcome plus success criteria and let it iterate, is now generally available across app, IDE extension, and CLI. Codex keeps drifting from coding assistant toward autonomous desktop agent for testing and bug-hunting. Worth a serious look if your QA is still manual click-throughs.
Shanghai Jiao Tong's ARIS makes adversarial collaboration the research pattern. ARIS coordinates multi-agent research using cross-model adversarial collaboration, agents from different models critiquing and pressure-testing each other to cut single-model blind spots. If you run multi-agent research or review loops, the takeaway is concrete: mix model families inside the loop so one vendor's failure mode doesn't propagate unchallenged through every agent.
Research
"Is Grep All You Need?" PwC says reach for grep before vectors, then tune the harness, not the retriever. The empirical study across Chronos plus the Claude Code, Codex, and Gemini CLI harnesses found literal grep generally beats vector retrieval on LongMemEval fact recovery. The bigger finding: accuracy swings more on which harness and tool-calling style you use than on the retrieval method. The same grep tool even scores differently depending on whether the model reads results inline or from a file. Stop assuming the embedding model is your bottleneck and start A/B testing the harness as a first-class variable.
Dwarkesh Patel's "sample efficiency black hole": data, not architecture, drives the next gains. In a June 8 essay, Patel defines intelligence as sample efficiency, argues models have barely improved on it, and says the real gains come from widening data distribution and scaling the compute that manufactures data (RL reframed as verifier-guided synthetic data). His conclusion, that data is why open-source laggards catch the frontier within months, already drew a published information-theory rebuttal. Live debate, not settled fact, but a useful lens on why the open-weight gap keeps closing.
Karpathy: software is "coming out of a tap," and Jevons paradox eats the doomer case. Surfaced by Simon Willison, Karpathy argues cheap generation won't shrink the software market, it'll explode demand for explainers, visualizers, dashboards, and disposable single-use apps. The binding constraint becomes distribution and taste, not lines of code. It's the optimistic counter to "abundant AI code collapses developer value," and it lines up with what I'm seeing: the hard part of shipping a solo product was never the typing.
Infrastructure & Architecture
NVIDIA Confidential Computing now runs inside Apple's Private Cloud Compute, on third-party hardware. NVIDIA announced its GPUs now power confidential inference inside Apple's PCC as Apple expands beyond its own datacenters onto Google Cloud. Frontier inference running with hardware-enforced confidentiality on infrastructure Apple doesn't own is a real milestone. It sketches a path for privacy-preserving cloud AI that other vendors will get pressured to match. If you ship anything handling sensitive user data, "hardware-attested confidential inference" is about to become a checkbox customers ask for.
Anthropic locks in multiple gigawatts via expanded Google and Broadcom deal. Per Anthropic, the expansion secures next-gen compute (TPUs and Broadcom accelerators) for training and serving, continuing the move to diversify off NVIDIA. Compute supply is the central constraint deciding which models you can access and at what price. Today's Fable pricing is partly a story about who has gigawatts. This deal is Anthropic making sure it keeps having them.
Tools & Developer Experience
Claude Code's June 9 release adds --safe-mode, /cd, and a switch to hide bundled skills. The changelog shows --safe-mode (and CLAUDE_CODE_SAFE_MODE) boots with all CLAUDE.md, plugins, skills, hooks, and MCP servers disabled for clean troubleshooting, while /cd moves a session to a new directory without nuking the prompt cache mid-session. disableBundledSkills hides built-in skills from the model. Two daily friction points, config bisection and cache-killing directory changes, got first-class fixes. If you run a customized setup, safe-mode alone will save you an afternoon next time something breaks.
LLM 0.32a3 adds tool-call pause/resume, and Fable 5 wrote almost all of it. Simon Willison shipped a PauseChain exception to cleanly pause a tool chain for human approval, guaranteed unique tool_call_ids (synthesizing ULIDs when providers omit them), and resume-from-history support. He says Fable produced the API design, tests, and docs across both LLM and Datasette Agent in what felt like days of work compressed into one. These are exactly the primitives you want for human-approval gates in agentic tool execution.
GitHub turns one-off Copilot CLI prompts into reusable custom agents. GitHub detailed custom agents that understand a team's stack and convert ad-hoc terminal prompts into repeatable, reviewable processes. It's another step toward agentic workflows as versioned, team-level artifacts instead of tribal knowledge living in someone's shell history. If your team keeps re-typing the same investigative prompts, this is where you codify them.
Models
Microsoft AI ships seven in-house MAI models, including an Excel-tuned variant that matches GPT-5.4 at 10x efficiency. Microsoft's "hill-climbing machine" lineup is now reachable via OpenRouter, Fireworks, and Baseten, and it's distinct from the earlier MAI coding models that went into Copilot. The pattern is task-specialized models that are cheap to run, and Microsoft's continued push to depend less on OpenAI. For builders, it widens the field of efficient specialized models you can route to through standard layers.
Decart's Oasis 3 generates hours of photorealistic driving in real time, at $0.02/second. TechCrunch covers an interactive world model available via API on day one, aimed first at AV companies simulating rare edge cases at scale, with robotics next. Its DOS optimization stack runs across NVIDIA, Amazon, and Google hardware, undercutting competitors on cost. Real-time world models with API pricing this low are a new primitive. If you're in simulation, robotics, or synthetic data, the per-second price changes what's economical.
Google's Gemma 4 12B reportedly beats last year's Gemma 3 27B at half the params. Open-weight trackers put it at 77.2% on MMLU-Pro, surpassing the prior-gen 27B model. If it holds, it's another small open model matching a previous flagship and lowering the bar for on-prem deployment. Single-source benchmark, so verify the numbers before you build on the exact figure. But the direction is the same one Cohere just reinforced: smaller open weights keep eating last year's frontier.
Vibe Coding
34% of Q1 2026 micro-SaaS launches came from founders who can't code, and 45% of AI-generated code ships with vulnerabilities. Indie Hackers data via Superframeworks reports non-coders shipping products, some at $5K-$50K MRR, on a stack of Lovable for validation, Cursor and Claude Code for production, Replit/Antigravity for parallel builds. The catch is in the same report: roughly 45% of AI-generated code contains security vulnerabilities. The bottleneck moved from writing code to taste and distribution, exactly the orchestration thesis, but "ship without engineers" has a hard ceiling. I read this as a wedge market forming: security and hardening tooling aimed squarely at vibe-coded SaaS.
Superset (YC P26) pitches an "IDE for the agents era." Launched on Hacker News, Superset centers the editor on orchestrating and reviewing parallel agent work instead of line-by-line authoring. It's joining a crowded 2026 field of agent-native IDEs. I'm watching whether any of them actually beat "Claude Code in a terminal plus a Kanban board," because so far the orchestration layer keeps winning over the reimagined editor.
Hot Projects & OSS
Vibe Kanban goes fully community-maintained as Bloop winds down hosted services. The repo, a CLI+web board that runs 10+ coding agents (Claude Code, Codex, Gemini CLI, Copilot, Cursor, OpenCode, Qwen Code) each in an isolated git worktree, is sunsetting as a company product, with Bloop shutting hosted services and refunding subscriptions. The code lives on as OSS. The cautionary part: even a ~24K-star agent-orchestration tool couldn't build a durable business around an OSS core. If you depend on it, fine, it's open. Just don't assume the hosted version's stability.
open-notebook adds ~4,245 stars this week to ~28,876. The TypeScript NotebookLM alternative keeps gaining on demand for self-hostable, controllable research-and-synthesis tooling outside Google's hosted product. If you want a local, extensible, document-grounded research surface you actually control, this is the leading OSS option right now.
SaaS Disruption
The "AI tourist" retention cliff: budget AI tools kept 23% of gross revenue, premium tools 70-85%. New churn benchmarks show sub-$50/month tools retained just 23% in 2025 because users sign up out of curiosity, while tools above $250/month retained 70-85%. Median B2B SaaS NRR sits at 106% in 2026, with 120%+ earning roughly 2x the valuation multiple. Price is now a retention filter, not just a revenue lever. If you're pricing an AI product cheap to drive signups, you may be optimizing for tourists who churn in a month.
BetterCloud buys CoreStack to build an "Agentic Governance Operating System." Per Mean.ceo, the deal merges SaaS management with cloud governance and FinOps into one control plane spanning infrastructure, apps, and autonomous agents. "Who governs the agents" is becoming its own buyable category as agents proliferate inside enterprises. Pair this with KPMG deploying Microsoft Agent 365 to manage client agents at scale, and agent lifecycle management is clearly turning into a billable line item, not a free platform feature.
Policy & Governance
Landmark German ruling: Google is liable for false statements in its AI Overviews. The Regional Court of Munich (case 26 O 869/26) issued a preliminary injunction treating AI Overviews as Google's own content after the feature falsely tied two publishers to scams, drawing connections that appeared in none of the linked sources. The court rejected "users should fact-check" and ruled the feature generates "independent, new, and substantive statements," so search-engine liability shields don't apply. It's a preliminary regional injunction, appealable and not binding precedent under German civil law. But if you ship generative search or summarization in the EU, this is the direction of travel: you own what your model asserts.
The US government is reportedly weighing equity stakes in OpenAI and Anthropic. The Register covers White House discussions about taking equity in AI labs, possibly seeding a Public Wealth Fund with returns flowing to households. Neither lab is profitable, which is the part the framing keeps stressing. The concept traces to Altman's early-2025 pitch and OpenAI's April 2026 "Industrial Policy for the Intelligence Age" paper, and Trump floated it publicly June 5. Early-stage and speculative, but a government cap-table seat would reshape every incentive in the model market you build on.
Skills of the Day
-
Sandbox skills with
disallowed-tools, neverallowed-tools. Multiple open Claude Code issues showallowed-toolsin SKILL.md is parsed but not enforced in the CLI and ignored by the Agent SDK, so an allowlist gives false confidence. Use thedisallowed-toolsdenylist for least-privilege (a reviewer that keeps Read but loses Write and Bash), and in SDK deployments enforce tool access in config, not frontmatter. Source. -
Default to grep for agent fact-recall, then A/B your harness. Literal grep generally beats vector retrieval on fact recovery, and overall accuracy swings more on harness and tool-calling style than on the retriever. Treat "which harness" and "inline vs file-based results" as benchmarked knobs instead of assuming the embedding model is the bottleneck. Source.
-
Redact secrets at the display layer with MessageDisplay and PostToolUse hooks. A new MessageDisplay hook transforms assistant text as it renders, and PostToolUse can now replace output for all tools via
updatedToolOutput. Wire a secret-scanner regex into both so API keys and PII get scrubbed deterministically before they hit the screen or transcript, instead of hoping the model behaves. Source. -
Route multi-step builds through Subagent-Driven Development. Hand each implementation task to a fresh subagent with its own isolated context and restricted tools so the orchestrator's context stays clean. NeoLabHQ reports 60-70% lower per-request token consumption and fewer cross-domain hallucinations versus one long thread. Install via
/plugin marketplace add NeoLabHQ/context-engineering-kit. Source. -
Treat MCP sampling payloads as untrusted input. A compromised MCP server can abuse the sampling capability to inject instructions back into your agent's reasoning, bypassing filters that only watch the user turn. Sanitize and template sampling content, require explicit approval for tool execution, and isolate sampling context. Source.
-
Gate MCP onboarding on tool-description baselines with mcp-scan. Tool poisoning happens at the description layer because that text steers the model. Validate every server's tool descriptions against a known-good baseline at registration time, and bake mcp-scan into CI so a server that quietly rewrites a description after approval gets caught before it reaches an agent. Source.
-
Keep CLAUDE.md to ~100 lines and push the rest into skills. A cited study found agents with lean, well-crafted project context hit ~90% task success versus ~30% with none. The win is information at the right moment, not volume. Demote task-specific detail into skills and slash-commands that load on demand, and treat the top-level file as a high-signal index. Source.
-
Debug context as a six-layer stack, not one prompt. Decompose context into static, behavioral, persistent, modular, isolation, and pipeline layers, then find the missing one: no isolation layer means context bleed, no persistence layer means session amnesia. Fixing the specific broken layer beats endlessly rewording your prompt. Source.
-
Replace cron+glue with Claude Code Routines. Routines and Scheduled Tasks run an agent on a cadence or fire from a webhook or GitHub event, with full tool and skill access, as a first-party observable primitive. Move brittle launchd wrappers into a Routine so scheduling, tool access, and skill availability live in one declarative place and survive machine moves. (Learned that the hard way moving machines.) Source.
-
Prefer file-based tool results over inline for large retrieved corpora. The same PwC study shows tool-calling style measurably shifts accuracy with identical data and retriever. File-based results keep the working conversation lean and let the model re-scan on demand. Make inline-vs-file an explicit, benchmarked choice rather than whatever your framework defaults to. Source.