Jul 14
Ramsay Research — Tuesday, July 14, 2026
5,443 words · 27 min read
Top 5 Stories Today
1. Five enterprise giants just built a wall around MCP
For 18 months, Anthropic's Model Context Protocol has been the thing everyone quietly agreed on. You want to plug a tool into an agent, you speak MCP. It won by being early, open, and good enough. That consensus is now contested. Per The Information, Google, Microsoft, Salesforce, Snowflake, and ServiceNow agreed to back a common AI backend-software protocol, framed explicitly as a counter to MCP (Crypto Briefing).
Read the roster again. Those five own most of the enterprise data, most of the workflow surfaces, and a big chunk of the cloud your agents run on. This isn't a startup floating an RFC nobody adopts. When Salesforce and ServiceNow decide what protocol their platforms speak natively, that decision propagates into thousands of enterprise stacks by default.
The part I can't stop thinking about: the same companies also co-participate in the Linux Foundation's Agentic AI Foundation. So they cooperate in the foundation and knife-fight on the protocol layer at the same time. That's not hypocrisy, it's how standards wars actually work. You keep a seat at the neutral table so you're not caught out, and you push your own thing where the leverage is.
For builders, the annoying truth is you now have a protocol bet to make, and the "safe" default got less safe. If you wired everything to MCP because it was the obvious standard, you're fine today and exposed in a year. My read: keep building on MCP, because it has real adoption and the tooling exists, but abstract your tool layer so a protocol swap is a config change, not a rewrite. Treat the connection protocol like you'd treat a database driver. You don't hardcode your app to Postgres wire format. Don't hardcode your agent to one tool protocol either.
The bigger signal is that "connect a tool to an agent" is now valuable enough that the incumbents want to own the pipe. That only happens when the category is real. Watch whether this alliance ships a spec with working SDKs or just a press release. The first tells you it's a threat. The second tells you it's a hedge.
2. Grok Build costs $2.49 a task. Opus 4.8 costs $11.80. Read the fine print.
xAI launched Grok 4.5 and Grok Build on July 8, trained partly on Cursor developer-session data. The numbers are loud: 83.3% on Terminal-Bench 2.1, 64.7% on SWE-Bench Pro, priced at $2/$6 per million tokens. On a single coding task that works out to roughly $2.49 versus $11.80 for Claude Code, and it gets there using about 15,954 output tokens against Opus 4.8's ~67,020 on the same task (TechTimes).
A ~60% cost cut at near-frontier benchmark scores is the kind of thing that makes you rethink your default agent. So I want to be fair to it. The token efficiency is genuinely interesting. Solving a task in a quarter of the output tokens isn't just cheaper, it's usually faster and easier to review.
Then the catch, flagged independently: hallucination rates are up. So the real decision isn't "which model scores higher on the leaderboard." It's token-efficiency-and-price versus reliability, and reliability is the one that eats your afternoon when it breaks. A cheap task that produces a confident wrong patch you merge is not cheap.
And there's a second bill I'd add to Grok's ledger, which I get into in the Security section below: the Grok Build CLI was caught silently uploading entire repos, Git history included, to an xAI cloud bucket. So the sticker price is $2.49, and the trust price is your codebase leaving the building. Those are separate costs and you pay both.
What builders should actually do: run Grok on a slice of your real work, not the benchmark. Pick tasks where a hallucination is cheap to catch, refactors with good test coverage, mechanical migrations, throwaway prototypes. Keep the expensive, high-taste, hard-to-verify work on the model you trust. This is the heterogeneous-routing pattern that keeps showing up. Cheap model for volume, expensive model for judgment. Grok 4.5 just made the cheap tier more capable, which makes the routing decision more worth doing, not less.
3. Goldman Sachs is now telling clients to run Chinese models
A year ago, Chinese open-weight models were about 4.5% of US enterprise API traffic. The current figure is 30 to 46%. That's not a trend line, that's a regime change, and on July 13 Goldman Sachs reportedly made it official by telling Wall Street clients to adopt DeepSeek V4, Kimi K2.6, GLM-5, and Qwen3.5, citing 80 to 90% of frontier capability at roughly 70x lower cost than GPT-5.6 (unrot / CNBC / Goldman Sachs).
I've been skeptical of the "Chinese models caught up" story for a while, mostly because the benchmarks felt cherry-picked and the deployment stories were thin. A major bank formally recommending them to regulated clients is a different kind of evidence. Goldman isn't in the business of hype. When their advice to a compliance-bound institution is "use the open Chinese model," the cost-quality gap has gotten large enough to override the reflex to buy American frontier.
Seventy times cheaper at 80 to 90% capability is the number that reorganizes budgets. For most production traffic, which is not frontier-hard, that trade is obviously correct. You don't need GPT-5.6 to classify a support ticket or extract fields from an invoice. You've been paying frontier prices for grunt work out of habit and vendor gravity.
The builder move is to stop treating "which model" as a fixed decision and start treating it as a per-task routing decision you re-run. Set up an eval suite on your actual workload, drop DeepSeek V4 and Qwen3.5 into it, and measure. If they hit your quality bar on 70% of your traffic at a fraction of the cost, route that 70% and keep the frontier model for the hard 30%. That's real money, monthly.
The uncomfortable part nobody wants to say out loud: this collides with export-control politics and data-residency questions in ways that aren't resolved. Running an open-weight Chinese model locally is one thing. Calling a hosted Chinese API with your customer data is another. Read the license and know where the weights run before you wire it in.
4. Salesforce is down 40% while Agentforce hits $1.2B. That gap is the whole story.
Salesforce beat earnings and the stock fell more than 40% in the first half of 2026. Let that sit. They posted record Agentforce ARR of $1.2B, the exact AI product the bulls wanted to see work, and investors sold anyway, then kept selling after Q2 guidance of $11.27B to $11.35B came in just under the ~$11.36B consensus (The Motley Fool).
The market is telling you something specific here. It's not "AI isn't working for Salesforce." Agentforce is growing. It's "we don't believe seat-based software survives the agent era, and your own AI success proves the point." If an agent does the work of five seats, and you sell seats, your best case is that your AI product cannibalizes your pricing model faster than it grows.
That's the disruption thesis stated as a stock chart. And it lines up with everything in the SaaS section below: money this week flowed to software that acts and to regulated moats, not to per-seat feature tools. Auger raised $50M to run supply chains ~85% autonomously. Credit-based pricing jumped to 79 of the PricingSaaS 500. The value is migrating from "give my team better tools" to "do the work."
If you build SaaS, the takeaway isn't "seats are dead tomorrow." Salesforce still prints revenue. The takeaway is that the multiple, the thing investors pay for, is now attached to outcome and consumption, not headcount. If your pricing page still says "$X per user per month," you're getting valued on the old model while the market prices the new one.
I don't know if Salesforce navigates this well. They have the distribution and the data to sell outcomes if they choose to. But the org, the comp plans, and the sales motion are all built around seats. Rewiring that while the stock is down 40% is a genuinely hard problem, and I'm not sure being the incumbent helps.
5. Stop hand-writing prompts. Compile them.
Here's the one you can act on today. DSPy shipped 3.3.0b1 with a new ReActV2 module, and if you're still hand-tuning prompt strings, you're doing manual labor a compiler should do. You declare a task as a typed Input to Output signature, pick a reasoning strategy, and MIPROv2 jointly searches instructions and few-shot examples using Bayesian optimization against your own metric (DSPy).
The mental shift is the point. A prompt stops being a precious hand-crafted artifact you're afraid to touch and becomes a compile target. You swap models, you re-run the optimizer, you get a prompt tuned for the model you're actually deploying on. No more "we upgraded to a new model and now our carefully-worded prompt regresses and nobody knows why." You just recompile.
This isn't theory. Willison used DSPy to tune the Datasette Agent's SQL prompts and found the optimizer surfaced a concrete failure: schema listings without column names caused the agent to guess columns and fall into retry loops. That's the kind of bug you'd spend an hour chasing by hand. The optimizer found it as a side effect of optimizing against the metric.
And it compounds. Every downstream technique you layer on, retrieval, reranking, tool use, inherits an optimized prompt for your specific model and metric instead of a generic one you wrote once and forgot. The gains stack instead of fighting each other.
The honest caveat: DSPy has a learning curve, and the "signatures and modules" abstraction takes a beat to click if you're used to just writing strings. Budget an afternoon to port one real task before you judge it. Start with something that has a clear metric, a classifier, an extractor, a SQL generator, so MIPROv2 has a real target to optimize. If you have a prompt you keep re-crafting every time a new model drops, that's the one to convert first. This is the builder's counterweight to the four strategy stories above. While everyone argues about protocols and valuations, this is a thing you ship this week that makes next month's model swap a recompile instead of a rewrite.
Security
Grok Build's CLI silently uploaded your entire repo, Git history and all. Researcher 'cereblab' ran mitmproxy on Grok Build CLI v0.2.93 and found it bundling the full tracked repo including Git history, ~5.1GB across 73 chunks on a 12GB test repo, up to a GCS bucket named grok-code-session-traces, against only ~192KB of actual model traffic (Hacker News). The upload included a file the agent was explicitly told not to read, and flipping the "Improve the model" toggle off didn't stop it. The server still returned trace_upload_enabled:true. xAI quietly added a hidden disable_codebase_upload flag about a day later, no advisory, and the v0.2.98 changelog never mentions it. This is the trust bill I attached to Grok in the Top 5. Cheap tasks, expensive assumptions.
'Friendly Fire' turns your security-scanning agent into the malware runner. AI Now Institute published a July 9 proof-of-concept where a coding agent in autonomous or auto-review mode gets tricked into executing a concealed binary, disguised as compiled Go inside the geopy library, after a README note suggests running a "security script" (The Hacker News). It hits Claude Code CLI 2.1.116 to 2.1.199 and OpenAI Codex CLI 0.142.4 across Sonnet 4.6, Sonnet 5, Opus 4.8, and GPT-5.5. There's no patch, and the researchers are blunt about why: it's a design limitation of autonomous command approval, not a bug. If your agent can run commands a README suggests, a hostile repo can suggest bad ones.
MCPZoo says your MCP scanner is mostly noise. Researchers built the largest dynamic-analysis corpus of MCP servers to date, 64,611 unique servers with 37,288-plus runnable, and measured what the scanners actually catch (arXiv). Current MCP security scanners flag 96.89% of servers as risky. Manual validation finds fewer than half of sampled alerts are true positives, and the scanners disagree wildly with each other. So if you're gating agent tooling on today's scanner verdicts, you're gating on close-to-random signal, which is worse than no gate because it feels like diligence. The paper released a public query interface for real risk assessment. Until the tooling matures, treat scanner output as a prompt to look, not a verdict.
Agents
Nous Research is raising $75M+ at a $1.5B valuation for open-source Hermes. Robot Ventures is leading with USV participating, less than three months after a $50M Series A (TechCrunch). Hermes sits at roughly 214K GitHub stars and 40K forks, and Nous now sells a cloud-hosted version across paid tiers from $20 to $200 a month. The signal for builders: open-weight agent runtimes are becoming venture-scale businesses with real hosting paths, not just community repos you self-host and pray. That gives you a credible fully-open alternative to the closed agent stacks, with someone on the hook to keep the lights on.
'Loop engineering' settled into four canonical loops. The mid-2026 discourse about replacing yourself as the person who prompts the agent converged on a taxonomy: heartbeat loops run continuously on a short interval, cron loops run on a schedule, hook loops fire on an event like a PR push or CI failure, and goal loops iterate until a success condition then stop (MarkTechPost). A July 12 guide ties the pattern to Karpathy's autoresearch repo at ~90K stars. This maps directly onto how I think about my own pipelines. The work shifts from writing the prompt to designing the loop that writes the prompt. If you run anything cron-driven, this is a useful frame for deciding which loop type each job actually is.
StructAgent makes long-horizon agents reliable with a verifier-backed state machine. It gives digital agents a unified, verifiable state that only advances through verifier-backed transitions, which enables checkpointing and targeted failure recovery instead of restarting the whole run when step 40 breaks (arXiv). It lifts Qwen3.5-27B success from 31.6% to 62.2% and reaches 78.9% with MiniMax-M3, an open-source state of the art on long-horizon tasks. If you've watched a desktop-automation agent get 90% of the way through a task and then face-plant with no recovery, this is the blueprint. Make the state explicit and verifiable, and only move forward when a check passes.
Research
'Hourglass Reasoning' buys 14 points on ARC-AGI-2 by forcing a bottleneck. The trick is strict isolation between an induction stage that distills examples into a schema or rule, and a deduction stage, passing only compressed symbolic information between them (arXiv). That squeeze is the whole mechanism. It improves ARC-AGI-2 best-of-5 accuracy by +14 points and pushes ChipBench Verilog synthesis from 31% to 58% with GPT-5.5. The lesson generalizes past the benchmark: when you force a model to commit to a compact rule before it reasons, you get cleaner multi-step results than letting it carry the full messy context forward. A pattern worth stealing for any induct-then-apply pipeline.
Coding agents 'know' where their edits are heading, 25 steps early. Logistic-regression probes on a coding agent's hidden states can decode whether code will parse and pass tests at AUC up to 0.83, and those internal representations run ahead of the agent's own edits, predicting outcomes as much as 25 steps in advance (arXiv). The authors call it a latent programming horizon, and the probes transferred across two models and two benchmarks without retraining. The practical hook: if the agent internally represents a doomed trajectory before it finishes writing it, you could probe and early-stop bad runs instead of paying for the full failure. Interpretability that's actually actionable, which is rarer than the papers suggest.
BackendForge: the best agent ships a correct backend 28.6% of the time under a strict oracle. It's a benchmark of 56 contract-defined backend tasks, judged only through black-box HTTP tests against an OpenAPI contract, so there's nowhere to hide (arXiv). GPT-5.5, the best model, succeeds on 55.4% under the base oracle and drops to 28.6% under the final hardened oracle. That gap is the story. Agents are good at local API behaviors and bad at shipping a complete, deployable service, which matches what I see building solo. They'll write the endpoint and forget the migration, the auth edge case, the thing that only shows up when you actually deploy. Don't confuse "the tests I wrote pass" with "this ships."
Infrastructure & Architecture
Anthropic is reportedly talking to Samsung about a custom Claude-tuned chip, with an S-1 eyed for October. It's a vertical-integration play that mirrors Google's TPU and Meta's Iris silicon, aimed at cutting Nvidia dependence while positioning for public markets (BuildFastWithAI). If it's real, it says the model makers now think the chip is part of the moat, not a commodity you rent. That's a meaningful shift from two years ago, when the story was "just buy more H100s." Custom silicon tuned to one model family is a bet that inference economics matter enough to own the hardware. For anyone running Claude in production, watch whether this changes pricing or availability, because that's where a chip strategy actually touches you.
Compute is the binding constraint now, even for the giants. Google reportedly capped Meta's access to Gemini models after Meta asked for more capacity than Google could supply, delaying some of Meta's internal work (BuildFastWithAI). Same week, TSMC posted record Q2 revenue of ~$39.62B, up 36% year over year, and pinned it directly on AI demand. Put those together and the throughline is clear: it's not talent or capital that's scarce at the frontier, it's raw compute, and even Meta with its budget can get rationed. Cross-lab model access just became a scarce resource you can't assume. If your product depends on a single hosted frontier model, that dependency is more fragile than the SLA suggests.
Tools & Developer Experience
Claude Code v2.1.208 is the release to take if you run long or headless sessions. It patches leaks that only bite over time: MCP stdio server stderr accumulating unbounded, LSP documents staying open indefinitely, and pasted images retained in the agent view (Releasebot). On top of that, background agents now commit, push, and open a draft PR on completion instead of stopping to ask, the Explore agent inherits your session model capped at opus instead of running on haiku, and there's a new /doctor check that proposes trimming CLAUDE.md content Claude can already derive from the codebase. There's also an opt-in plain-text screen-reader mode via claude --ax-screen-reader. If you run 24/7 agents or headless -p loops, the memory fixes alone are the reason to update today rather than waiting for a feature you want.
Apple's SpeechAnalyzer API is now the best on-device English transcription on Apple hardware. A benchmark measured a 2.12% word error rate on clean English, against 3.74% for Whisper Small and 9.02% for the legacy SFSpeechRecognizer, while running about 3x faster than Whisper Small on an M2 Pro (get-inscribe). Whisper still wins on language coverage and cross-platform support, so this isn't a clean replacement. But if you're shipping a Mac or iOS app that transcribes English, you've got a faster, more accurate, fully on-device option baked into the OS. The post pulled 546 points on HN, which tells you how many people were quietly waiting for Apple's speech stack to get good.
Clawk gives your coding agent a disposable Linux VM instead of your laptop. It mounts your repo into a throwaway Apple-silicon Linux VM, restricts outbound traffic to an allow-list, and forwards your SSH agent, so agents can install packages and run code without touching your files, keychain, or host (GitHub). The design choice worth noting: hypervisor-level isolation over process sandboxing, which is a real blast-radius difference when the thing running is an autonomous agent executing README-suggested scripts (see the Friendly Fire finding above). It's 422 stars and pre-1.0 Go, so early, but it's part of a fast-forming pattern. Give the agent a cage, not your machine.
Models
GPT-5.6 'Sol' hit GA with SOTA claims on Terminal-Bench and BrowseComp, and it's on Bedrock now. The full family, Sol, Terra, and Luna, is generally available on Amazon Bedrock with IAM and VPC controls (LLM Boss, AWS). Sol targets coding, biology, and cybersecurity agentic work. Terra runs everyday tasks at about half GPT-5.5's cost, and Luna optimizes for speed. The three-tier lineup is the interesting part for builders, because it's OpenAI telling you to route by task instead of using one model for everything. Re-benchmark against your own eval suite before you switch a default. GA benchmark claims and your workload are different animals.
Google threw out Gemini 3.5 Pro and rebuilt it from scratch. Engineers reportedly found structural failures in recursive tool-calling and SVG generation and restarted from zero (TechTimes). The rebuilt model targets a July 17 release with a 2-million-token window, a Deep Think reasoning mode, and API pricing around $1.25 per million input tokens. A frontier lab admitting a full rebuild of a flagship days before ship is rare and, honestly, kind of refreshing. It's also a signal about how hard reliable tool-use has gotten. Recursive tool-calling breaking badly enough to scrap the model tells you the hard part of this generation isn't raw capability, it's making the agent loop not fall apart.
Terminal-Bench 2.1 standings, so you can pick a CLI agent by tier instead of vibes. GPT-5.6 Sol Ultra tops out at 91.9%. The public leaderboard is led by Codex CLI plus GPT-5.5 at 83.4%, with Claude Code plus Opus 4.8 the top usable Claude pairing at 78.9%, and Gemini CLI plus Gemini 3.1 Pro at 70.7% (Morph). There are now roughly 35 actively maintained CLI coding agents, and opencode is the most-starred open-source option. Useful to have real numbers when your team argues about which CLI to standardize on. Pick the tier your work needs and stop relitigating it every model drop.
Vibe Coding
JetBrains shipped an open Kotlin benchmark, and Claude Code leads it. 105 real repository-level tasks: interpret an issue, navigate the repo, produce a container-verified patch (JetBrains). Claude Code with Opus 4.7 xhigh solved 90 of 105 (85.71%), ahead of JetBrains Junie on Opus 4.7 max and Codex on GPT-5.5 xhigh, tied at 81.9%. What I like about this one is it isolates a non-Python language and pins the exact agent plus model plus effort combo, which most leaderboards blur into mush. Effort level matters, and this benchmark treats it as a variable instead of hiding it. If you write Kotlin, this is the first agent benchmark that actually speaks your language.
All three major coding tools converged on parallel-agent command centers. Cursor reworked its core interaction around multiple agents running in parallel, with a dedicated Agents view that tracks local and cloud agents by status (AgentDepot). Windsurf rebranded to Devin Desktop on June 2, retired its Cascade local agent July 1, and replaced it with Devin Local, rewritten in Rust, about 30% more token-efficient, with subagent support. The whole category decided at once that you're orchestrating a fleet, not babysitting one agent. That matches where my own head is at. The interface question stopped being "how do I chat with the AI" and became "how do I watch five of them at once."
Newer Anthropic models do worse with custom edit tools. Use the native format. Willison documented on July 4 that Opus 4.8 and Sonnet 5 can perform worse than older versions when driving bespoke file-edit tools, because they're increasingly trained and optimized for Claude Code's native editor format (Simon Willison). This is a real trap if you're building your own agent. The intuitive move is to invent a clean edit-tool schema that fits your app. Don't. Mirror the native diff/replace format the model was actually tuned on, or you'll watch your agent regress every time a newer, supposedly better model ships. Better model, worse tool, is a genuinely counterintuitive failure mode worth remembering.
Hot Projects & OSS
'OpenClaw' is being called 2026's breakout open-source coding agent. Multiple GitHub roundups cite a provider-neutral agentic coder that reportedly climbed past 200,000 stars, with a public nod from Sam Altman after its creator joined OpenAI (ByteByteGo). Star figures vary a lot between sources, so treat the exact numbers as unconfirmed. Even discounted, the trajectory is the point: a neutral coding agent can go from nothing to category-defining in a matter of months right now, and the founder gets acqui-hired into a frontier lab on the way up. That velocity is the story, whatever the real star count turns out to be.
OpenCut was the week's single biggest GitHub Trending mover. The open-source CapCut alternative reportedly gained around +4,300 stars in a day, pushing toward 68K total, and it's adding AI-assisted editing (GitHub). It's a creator tool, not an agent framework, so it's outside my usual lane. I'm flagging it as a clean data point on how fast open source can move against proprietary creative SaaS when the incumbent gives people a reason to leave. Video editing felt like a category open source couldn't touch a year ago. Apparently not.
SaaS Disruption
Auger raised $50M to run supply chains ~85% autonomously, and it doesn't replace your ERP. Ex-Amazon operations chief Dave Clark's Auger pulled $150M total, Eclipse-led, and landed Meta, Fanatics, and Kimberly-Clark (GeekWire). The architecture is the interesting bit. Instead of ripping out ERP, WMS, and TMS, it unifies their data into one operating layer where agents plus optimization models make and execute decisions, reportedly about 85% autonomously at Fanatics. This is the agent-over-the-system-of-record pattern eating the workflow layer, not the database. The systems of record stay. The human deciding what to do on top of them is what gets automated. That's the same thesis the Salesforce stock chart is pricing in.
Credit-based pricing is now in 79 of the PricingSaaS 500, up from 35. Figma, HubSpot, and Salesforce are among the recent joiners, seat-based pricing fell from 21% to 15% of companies in twelve months, and hybrid surged from 27% to 41% (Monetizely). Gartner projects 40% of enterprise SaaS spend shifts to usage, agent, or outcome pricing by 2030, roughly $234B diverted from traditional SaaS. If your product still bills per seat, the market is quietly moving out from under you. The reason is mechanical: agents break the link between seats and value. One agent can do the work of several seats, so per-seat pricing either undercharges or caps your upside. Consumption pricing follows the value.
Notion 3.6 opened the doc to external agents, with Claude and Cursor first. The July 1 release added External Agents, letting Claude and Cursor operate inside the workspace, plus multi-agent workflows, Excel and PowerPoint read-write, and audit logging of custom-agent activity (Notion). This is productivity SaaS repositioning as a neutral surface that other vendors' agents act on. It's a smart hedge. If agents are going to do the work anyway, better to be the place they do it than the tool they replace. Watch whether more collaboration tools make the same move, because "bring your own agent" might be how incumbents avoid getting disintermediated by the agents.
Policy & Governance
Nadella's 'reverse information paradox': you pay for intelligence twice. In a July 13 essay, Microsoft's CEO argued companies using closed frontier models pay once in tokens and again by leaking proprietary knowledge, the prompts, tool traces, and especially the corrections, that gets distilled into the provider's institutional know-how (TechCrunch). He called it ironic that OpenAI and Anthropic train on public data under fair use and learn from customer exhaust while banning distillation of their own models, and floated a new AI-era patent concept to let firms guard IP. It's a competitive shot, obviously, positioning Microsoft and open models against the closed labs. It's also a real question. When your corrections teach the model, whose asset is the improvement?
Apple sued OpenAI over trade-secret theft tied to 400-plus ex-Apple hires. Elon Musk amplified the case on X, Sam Altman fired back, and a legal filing turned into a public executive brawl (unrot / WSJ). The substance underneath the theater: talent flow between the majors is now a litigation surface, not just a hiring story. When 400 people move from one company to another and carry knowledge with them, the receiving company inherits legal exposure along with the expertise. Expect more of this as the poaching wars escalate. The people are the IP, and the IP walks across the street.
Willison: an LLM agent can never be a Directly Responsible Individual. Riffing on Apple's DRI management concept, he argues accountability requires an entity that can actually be held responsible, and a machine cannot (Simon Willison). It's a sharp, quotable counterweight to the "let the agent own it end-to-end" enthusiasm. I keep this one close when I'm deciding how much autonomy to hand a production agent. The agent can do the work. It cannot be accountable for the work. A human always holds the bag, so design the system so that human can actually see what the agent did and step in. Autonomy without a responsible human is just diffusion of blame.
Skills of the Day
-
Order prompts static-first with byte-identical prefixes. Anthropic bills cached prefixes at 0.1x input, a 90% discount, so put all static content first, keep the prefix byte-identical across calls, and push per-request dynamic content to the tail. If a different user, doc, or system message leaks into the prefix, hit rates collapse and you're paying full price. Source: Digital Applied.
-
Route by task difficulty before you reach for caching or batching. Classify each request and send easy queries to a small model, escalating to a frontier model only when needed. Routing is the highest-leverage cost lever because most production traffic is easy queries being over-served by a top-tier model you're paying frontier rates for. Source: Mavik Labs.
-
Scope per-subagent tool grants as a blast-radius boundary. Give researcher subagents read-only file access plus web search, and writer subagents Edit and Bash but no network, so one compromised or hallucinating subagent can't poison the whole run. Plan the partition before you fan out. Scoping is a security control, not plumbing. Source: Totalum.
-
Score agent memory with three parallel passes, then fuse. Run semantic-similarity, keyword-match, and entity-match scoring in parallel instead of relying on pure vector recall. Embeddings silently miss exact entity names and identifiers that the keyword and entity passes catch, which is where single-vector retrieval fails without telling you. Source: Mem0.
-
Prepend a per-chunk context sentence before embedding. Generate a short blurb situating each chunk in its whole document, then embed the blurb plus chunk together. Anthropic's Contextual Retrieval cut top-20 retrieval failures about 49%, rising to about 67% combined with reranking, and it's cheap to bolt onto an existing index build. Source: Digital Applied.
-
Measure retrieval quality separately before you touch prompts. 73% of RAG failures live in the retrieve step, not generation, yet teams keep tuning prompts. Instrument recall@k on your top 50 to 100 candidates before rerank, and combine dense vector search with sparse BM25 to catch exact terms and acronyms that embeddings compress away. Source: Free Academy.
-
Move Claude Code guardrails from CLAUDE.md prose into hooks. Put deterministic rules in PreToolUse to block dangerous calls, PostToolUse to validate output, and Stop to enforce completion criteria. Hooks fire in the harness, not the model, so they're reliable and cost zero context, unlike prose rules the model can ignore. Source: SmartScope.
-
Build a trace-to-eval flywheel. Run cheap distilled scorers continuously on production traffic and auto-promote any trace that fails into your offline eval suite, so the suite grows from real user behavior instead of hand-authored cases. This closes the loop between observability and evaluation instead of maintaining two separate artifacts. Source: Confident AI.
-
Use sleep-time compute for memory upkeep. Keep one agent on live interactions and a second sleep agent that activates during idle turns to consolidate archival items and summarize recent conversation into stable notes. Because it runs off the critical path, response latency drops and memory quality rises instead of degrading over a long run. Source: Letta.
-
Treat a changed MCP tool description like a changed lockfile. Tool poisoning lands because agents trust tool metadata implicitly, so pin server versions, sign binaries, and alert on any tool-description change between releases rather than silently accepting updated metadata. Review the diff, don't auto-adopt it. Source: Practical DevSecOps.
Graph trail
Source, entity, and story paths extracted from this canonical briefing.
33 stories · 42 sources · 268 entities
Story paths
Five enterprise giants just built a wall around MCP
cryptobriefing.com19 entities
MCPZoo says your MCP scanner is mostly noise.
arxiv.org6 entities