# The Week The Frontier Filed To Go Public **Issue 08** · 31 MAY — 6 JUN 2026 · published 2026-06-08 OPEN INTELLIGENCE · ISSUE 08 > Anthropic filed to go public at $965 billion and then told the world to pause — and underneath the valuation the proofs came up short: an honest benchmark put the frontier at 2.6% on real economic work, the agent runtime shipped as a commodity, SpaceX became landlord to Google and Anthropic both, and a worm with valid provenance went hunting the API keys the whole stack runs on. The frontier went to market on trust; the ledgers didn't sign. Canonical (HTML): https://www.immersivecommons.com/newsletter/issue-08 · Archive: https://www.immersivecommons.com/newsletter Discovery: https://www.immersivecommons.com/.well-known/signal.llmfeed.json · MCP: https://www.immersivecommons.com/.well-known/mcp.json · Skill: https://www.immersivecommons.com/skills/ic-signal/SKILL.md --- ## I. THE PUBLIC OFFERING Anthropic filed a confidential S-1 six days after closing the round that valued it at $965 billion, beating OpenAI to the public-market paperwork — then, days later, urged the world to pause the most powerful AI and disclosed that more than 80% of the code it merged in May was written by Claude. The same week it scaled its unreleased Mythos bug-finder to 200 organizations without shipping it, and the lab that made frontier AI cheap without venture capital took its first $7.4 billion of it. The capital order of the race reshuffled in five days, and the most valuable lab on Earth asked everyone to stop while it counted the money. ### 96 · Anthropic Filed To Go Public. Six Days After The Round. *The most valuable lab on Earth beat OpenAI to the paperwork — and set no price.* On June 1st, [Anthropic confidentially submitted](https://www.anthropic.com/news/confidential-draft-s1-sec) a draft registration statement on Form **S-1** to the [SEC](https://www.sec.gov/) — six days after closing the [$65 billion Series H](https://techcrunch.com/2026/06/01/anthropic-files-to-go-public/) that pushed its post-money valuation to **$965 billion**. The funding arc became an IPO track in under a week, and in doing so the lab [vaulted ahead of OpenAI](https://fortune.com/2026/06/02/anthropic-ipo-openai-valuation-ai-bubble/), which has not yet reported filing any paperwork of its own. The new fact is not the money — that was last week — it is the filing, and the order it puts the race in. A confidential draft S-1 is a registration statement, not an offering. By Anthropic's own words, *["the number of shares to be offered and the price have not yet been set"](https://www.anthropic.com/news/confidential-draft-s1-sec)* — no share count, no per-share range, no exchange, and a go-public option that only opens [after the SEC completes its review](https://www.anthropic.com/news/confidential-draft-s1-sec). What the filing does ratify is the revenue underneath it: Anthropic now reports a [$47 billion annualized run-rate](https://fortune.com/2026/06/02/anthropic-ipo-openai-valuation-ai-bubble/), up from roughly $9 billion at the end of 2025 — a five-fold climb in two quarters, fueled by Claude Code and the enterprise demand that [carried it past OpenAI on business adoption](https://techcrunch.com/2026/05/13/anthropic-now-has-more-business-customers-than-openai-according-to-ramp-data/) in April. What goes to the SEC is a number with a witness. The $965 billion was underwritten by seven private funds in a single round; the S-1 invites the public markets to underwrite it instead, on audited financials and a price the company has pointedly declined to name. The filing converts a valuation that asked to be trusted into one that asks to be cleared — and it does so the same week [DeepSeek opened its first-ever outside round](https://techstartups.com/2026/06/03/deepseek-set-to-raise-7-4-billion-in-first-funding-round-targeting-valuation-as-high-as-59-billion/), the capital order of the frontier reshuffling on both sides of the Pacific at once. The lab that priced itself for public markets has set everything except the price. **Feature: TICKER** - **$965B POST-MONEY VALUATION** (FROM THE $65B SERIES H) - **~$47B ANNUALIZED RUN-RATE** (UP FROM ~$9B END-2025) - **1ST AI LAB TO FILE S-1** (AHEAD OF OPENAI) - **34.4% BUSINESS-AI ADOPTION (RAMP)** (PASSED OPENAI'S 32.3% IN APRIL) **Sources:** - [Anthropic](https://www.anthropic.com/news/confidential-draft-s1-sec) - [TechCrunch](https://techcrunch.com/2026/06/01/anthropic-files-to-go-public/) - [Fortune](https://fortune.com/2026/06/02/anthropic-ipo-openai-valuation-ai-bubble/) - [TechCrunch (Ramp AI Index)](https://techcrunch.com/2026/05/13/anthropic-now-has-more-business-customers-than-openai-according-to-ramp-data/) Image: https://www.immersivecommons.com/signal/issue-08/anthropic-ipo-s1.jpg (image: [Fortune](https://fortune.com/2026/06/02/anthropic-ipo-openai-valuation-ai-bubble/)) ### 97 · Anthropic Filed To Go Public, Then Asked The World To Stop. *The lab that just priced itself for markets says Claude already writes its own code.* Three days after [confidentially filing a draft S-1 with the SEC](https://www.anthropic.com/news/confidential-draft-s1-sec) — the paperwork that puts a [$965 billion](https://fortune.com/2026/06/01/anthropic-confidentially-files-ipo-965-billion-valuation/) lab on a public-market track — Anthropic published [**When AI builds itself**](https://www.anthropic.com/institute/recursive-self-improvement) and [told the world to consider stopping](https://siliconangle.com/2026/06/04/anthropic-calls-global-pause-ai-development-humans-lose-control/). The June 4th report, co-authored by Marina Favaro and Jack Clark, argues "it would be good for the world to have the *option* to slow or temporarily pause frontier AI development." The same week it asked the market to underwrite the race, it asked the field to brake. The mechanism Anthropic is afraid of is [**recursive self-improvement**](https://en.wikipedia.org/wiki/Recursive_self-improvement) — an AI system "capable of fully autonomously designing and developing its own successor," the point where the loop closes and humans stop driving each step. The report's own ledger says the loop is already partway internal: as of May 2026, [more than 80% of the code Anthropic merges](https://fortune.com/2026/06/05/anthropic-ai-pause-development-recursive-self-improvement/) into its codebase was written by Claude, up from low single digits before [Claude Code](https://claude.com/product/claude-code) shipped in February 2025. The proof of the danger is the company's own commit history. The ask is conditional, and the condition is the whole problem. A unilateral pause, Anthropic concedes, only works if everyone pauses — "if a slowdown simply lets the least cautious actors catch up technologically, it could leave everyone less safe." So the most valuable lab on Earth has filed to sell shares in a capability it argues is too dangerous to keep racing on, and proposed a brake that nobody can pull alone. The S-1 asks the market to price the upside; the report asks the market to fund the thing it just warned about. **Feature: RECEIPT** > As of May 2026, more than 80% of the code we merge into Anthropic's codebase was authored by Claude. Before Claude Code launched in research preview in February 2025, this number was in the low single digits. — FAVARO & CLARK · AUTHORS · ANTHROPIC From the report "When AI builds itself," published June 4, 2026 — three days after Anthropic confidentially filed to go public. The self-improvement loop the report warns about is already partly inside the company's own commit history. **Sources:** - [Anthropic — When AI builds itself](https://www.anthropic.com/institute/recursive-self-improvement) - [Anthropic — draft S-1 to SEC](https://www.anthropic.com/news/confidential-draft-s1-sec) - [SiliconANGLE](https://siliconangle.com/2026/06/04/anthropic-calls-global-pause-ai-development-humans-lose-control/) - [Fortune (pause report)](https://fortune.com/2026/06/05/anthropic-ai-pause-development-recursive-self-improvement/) - [RTÉ](https://www.rte.ie/news/world/2026/0605/1576867-anthropic-ai-development/) Image: https://www.immersivecommons.com/signal/issue-08/anthropic-pause.jpg (image: [Fortune](https://fortune.com/2026/06/05/anthropic-ai-pause-development-recursive-self-improvement/)) ### 98 · Mythos Reached 200 Companies. It Still Won't Ship. *Anthropic four-folded the trust gate instead of opening it — and added the EU's cyber agency to the queue.* On June 2nd, Anthropic [widened Project Glasswing](https://www.anthropic.com/news/expanding-project-glasswing) — the partner program with preview access to its unreleased **Claude Mythos** bug-finder — from roughly 50 organizations to about 200, adding [~150 new partners across more than 15 countries](https://techcrunch.com/2026/06/02/anthropic-scales-claude-mythos-to-critical-infrastructure-in-15-countries/). The new cohort fills the sectors the first one missed: power, water, communications, healthcare, and hardware. A day earlier the lab agreed to [give the EU's cybersecurity agency, ENISA, access to Mythos](https://www.cnbc.com/2026/06/01/anthropic-eu-ai-mythos-access-advanced-model.html) as a Glasswing member. The model that wk-07 pledged for public release in "coming weeks" instead got a bigger waiting room. [Glasswing](https://www.anthropic.com/glasswing) is the mechanism, and the mechanism is rationing. Mythos was never trained for security; it finds zero-days anyway, and Glasswing partners have already surfaced [more than 10,000 high- or critical-severity flaws](https://finance.yahoo.com/sectors/technology/articles/anthropic-expanding-project-glasswing-200-134409708.html) scanning their own codebases — the kind of vulnerability, Anthropic notes, where a single successful attack on a partner could [reach more than 100 million people](https://techcrunch.com/2026/06/02/anthropic-scales-claude-mythos-to-critical-infrastructure-in-15-countries/). Access is the throttle: every new org clears a security-criteria bar before the weights touch its repos. Anthropic's own line is that it is [*"working as quickly as we can to safely release Mythos-level capabilities in general access"*](https://www.anthropic.com/news/expanding-project-glasswing) — quickly, and still not yet. A capability this asymmetric leaks defensively or offensively depending on who holds it, so Anthropic is metering it by trust rather than by price — and the same week it [filed to go public](https://www.anthropic.com/news/confidential-draft-s1-sec), it chose to scale the gate rather than open it. That is the tell. The frontier's most dangerous model is being underwritten the way the IPO is: not released to the market, but extended to vetted counterparties one signed criteria-check at a time. For a builder, the lesson is that the next decisive tool may never appear on a pricing page — you will qualify for it, or you will read about what it found. **Feature: WAGER** - Claude Mythos opens to general API access (any paying developer, no Glasswing vetting) before Q3 2026 closes — making good on wk-07's 'coming weeks' public-release pledge. _(check: 2026-09-30)_ - ENISA's Mythos access goes live and the EU agency is named an active Glasswing member, not merely 'in talks,' by end of July 2026. _(check: 2026-07-31)_ - Project Glasswing's partner count crosses 250 organizations before the public release lands — the gate widens faster than it opens. _(check: 2026-09-30)_ **Sources:** - [Anthropic (expansion)](https://www.anthropic.com/news/expanding-project-glasswing) - [CNBC (150 orgs)](https://www.cnbc.com/2026/06/02/anthropic-mythos-ai-project-glasswing.html) - [CNBC (EU access)](https://www.cnbc.com/2026/06/01/anthropic-eu-ai-mythos-access-advanced-model.html) - [TechCrunch](https://techcrunch.com/2026/06/02/anthropic-scales-claude-mythos-to-critical-infrastructure-in-15-countries/) - [Yahoo Finance / Quartz](https://finance.yahoo.com/sectors/technology/articles/anthropic-expanding-project-glasswing-200-134409708.html) Image: https://www.immersivecommons.com/signal/issue-08/mythos-150-orgs.jpg (image: [CNBC](https://www.cnbc.com/2026/06/02/anthropic-mythos-ai-project-glasswing.html)) ### 99 · DeepSeek Took The Money. *The lab that made frontier AI cheap without venture capital is reportedly raising $7.4 billion to keep it cheap.* On June 3rd, [Reuters reported, via the South China Morning Post](https://www.scmp.com/tech/big-tech/article/3355818/deepseek-nears-us7b-haul-first-ever-funding-round-backing-tencent-catl) — citing people who declined to be named — that [DeepSeek](https://en.wikipedia.org/wiki/DeepSeek) is raising roughly **$7.4 billion** (about 50 billion yuan) in its first-ever round of outside money, at a [post-money valuation](https://finance.yahoo.com/sectors/technology/articles/deepseek-eyes-7-4-billion-123039218.html) of $52 to $59 billion. [Tencent](https://en.wikipedia.org/wiki/Tencent) is weighing about 10 billion yuan and battery maker [CATL](https://en.wikipedia.org/wiki/CATL) about 5 billion yuan, with fewer than ten strategic investors in the deal. Founder [Liang Wenfeng](https://en.wikipedia.org/wiki/Liang_Wenfeng) is putting in roughly 20 billion yuan of his own capital — about 40 percent of the round, the dominant individual stake. The terms are not closed; the round is expected to finalize [within weeks](https://techstartups.com/2026/06/03/deepseek-set-to-raise-7-4-billion-in-first-funding-round-targeting-valuation-as-high-as-59-billion/), and the numbers could move. The reversal is the mechanism. DeepSeek built its reputation refusing this exact transaction — Liang [self-funded the lab](https://thetechportal.com/2026/06/04/deepseek-could-raise-7-4bn-in-its-first-funding-round-at-a-59bn-valuation/) out of his quant-fund fortune precisely so it could chase artificial general intelligence without a board demanding returns, and shipped V3 and R1 as [open-weight](https://en.wikipedia.org/wiki/Open-source_artificial_intelligence) models that undercut the closed frontier on cost. That posture is now meeting its compute bill. The reported use of proceeds is not a pivot to product: it is [larger GPU clusters](https://thetechportal.com/2026/06/04/deepseek-could-raise-7-4bn-in-its-first-funding-round-at-a-59bn-valuation/), more semiconductors, and richer pay to hold talent. The valuation jumped roughly [six-fold](https://www.scmp.com/tech/big-tech/article/3355818/deepseek-nears-us7b-haul-first-ever-funding-round-backing-tencent-catl) from the $10 billion mark in April — the market repricing the lab the moment it agreed to be priced at all. The implication is that cheap has a capital floor. DeepSeek's whole thesis was that you could reach the frontier without the hyperscaler war chest — and in the same week [Anthropic filed to go public](https://www.anthropic.com/news/confidential-draft-s1-sec) at a near-trillion-dollar valuation, China's champion conceded that staying cheap at the frontier still costs billions. The open-weights, low-margin strategy does not escape the compute arms race; it just delays the invoice. When the lab that proved frontier AI could be self-funded takes Tencent's and CATL's money to keep going, the signal is not that DeepSeek got greedy. It is that the floor under the whole race rose, and even the cheapest player on the board can no longer stand on it alone. **Feature: TICKER** - **$7.4B ~50 BILLION YUAN** (FIRST-EVER OUTSIDE ROUND) - **$52-59B POST-MONEY VALUATION** (~6X THE APRIL $10B MARK) - **~40% LIANG SELF-FUNDED** (20B YUAN, DOMINANT STAKE) - **15B YUAN TENCENT 10B + CATL 5B** (REPORTED, NOT YET CLOSED) **Sources:** - [SCMP (Reuters wire)](https://www.scmp.com/tech/big-tech/article/3355818/deepseek-nears-us7b-haul-first-ever-funding-round-backing-tencent-catl) - [Yahoo Finance](https://finance.yahoo.com/sectors/technology/articles/deepseek-eyes-7-4-billion-123039218.html) - [TechStartups](https://techstartups.com/2026/06/03/deepseek-set-to-raise-7-4-billion-in-first-funding-round-targeting-valuation-as-high-as-59-billion/) - [The Tech Portal](https://thetechportal.com/2026/06/04/deepseek-could-raise-7-4bn-in-its-first-funding-round-at-a-59bn-valuation/) Image: https://www.immersivecommons.com/signal/issue-08/deepseek-first-raise.jpg (image: [South China Morning Post](https://www.scmp.com/tech/big-tech/article/3355818/deepseek-nears-us7b-haul-first-ever-funding-round-backing-tencent-catl)) ## II. THE HONEST NUMBER Berkeley released Agents' Last Exam — a thousand-plus pieces of real economic work, scored clean — and the frontier's average full pass on the hardest tier came back 2.6%, with Claude Code at zero. The same week, MiniMax shipped an open-weight model claiming to eclipse GPT-5.5 on benchmarks it ran on its own infrastructure, with the weights still unreleased. One number was measured by someone with nothing to sell; the other was graded by the vendor. Only one of them is going up. ### 100 · Agents' Last Exam Lands. The Frontier Scores 2.6%. *A clean, unsaturated benchmark priced the gap between the valuation and the work.* On June 3rd, [Berkeley's RDI lab](https://rdi.berkeley.edu/) released [Agents' Last Exam](https://agents-last-exam.org), a benchmark built with 250+ industry experts across [13 industry clusters and 55 subfields](https://arxiv.org/html/2606.05405v1) — real, economically-valuable work in [After Effects](https://www.adobe.com/products/aftereffects.html), Siemens NX, Unreal Engine, and Rhino 3D, anchored to the federal [O*NET / SOC 2018 occupational taxonomy](https://www.onetonline.org/). On the hardest tier, [the frontier's average full pass rate is **2.6%**](https://arxiv.org/abs/2606.05405). Not a leaked eval, not a saturated one — a fresh measurement of whether agents can do the jobs they are sold as replacing. The cruelty is in the spread. The strongest configuration, [**Codex** on **GPT-5.5**](https://arxiv.org/html/2606.05405v1) — which posts **82%** on [Terminal-Bench](https://www.tbench.ai/) — scores below **50%** on the *easiest* tier and **8.6%** on the hardest. [Claude Code](https://www.anthropic.com/claude-code) lands at **0.0%** on that hardest tier. These are pass/fail on full task workflows, not partial-credit token overlap — an [**unsaturated benchmark**](https://en.wikipedia.org/wiki/Benchmark_(computing)) that, unlike the SWE-bench numbers in every launch deck, nobody has had time to overfit, contaminate, or game. The corpus is [1,500+ tasks toward a 5,000 target](https://agents-last-exam.org); the paper's frozen subset reads 1,490, and the live site is newer. This is Beat II's ledger entry against Beat I's $965B. The same week the frontier filed to go public on the premise that the work is nearly done, a clean instrument said the work is barely started — 90%-on-SWE-bench does not survive contact with After Effects. The contamination arc that ran through week-07 closes here: the question is no longer whether the benchmarks are dirty. It is whether the frontier can do real economic work at all, measured clean. The answer, for now, is 2.6%. **Feature: TICKER** - **2.6% FRONTIER AVG** (FULL PASS · HARDEST TIER) - **82 → 8.6 CODEX · GPT-5.5** (TERMINAL-BENCH % → ALE HARDEST %) - **0.0% CLAUDE CODE** (FULL PASS · HARDEST TIER) - **1,500+ TASKS · 250+ EXPERTS** (13 CLUSTERS · 55 SUBFIELDS) **Sources:** - [arXiv](https://arxiv.org/abs/2606.05405) - [Agents' Last Exam](https://agents-last-exam.org) - [GitHub](https://github.com/rdi-berkeley/agents-last-exam) - [Digg](https://digg.com/ai/2huto5pr) Image: https://www.immersivecommons.com/signal/issue-08/agents-last-exam.png (image: [Berkeley RDI](https://github.com/rdi-berkeley/agents-last-exam)) ### 101 · MiniMax M3 Claims The Frontier. On Benchmarks It Ran Itself. *An open-weight challenger posts frontier-parity coding scores, self-graded, with the weights still unshipped.* On June 1st, [MiniMax shipped M3](https://www.minimax.io/blog/minimax-m3), an [open-weight](https://en.wikipedia.org/wiki/Open-source_artificial_intelligence) coding model with a **1-million-token** context window, and the pitch was a straight shot at the frontier: [**59.0%** on SWE-Bench Pro](https://www.minimax.io/blog/minimax-m3), surpassing GPT-5.5 and Gemini 3.1 Pro and approaching Opus 4.7, plus 66.0% on Terminal-Bench 2.1 — at a [reported five to ten percent of the cost](https://venturebeat.com/technology/minimax-m3-debuts-eclipsing-gpt-5-5-and-gemini-3-1-pro-on-key-benchmark-performance-for-just-5-10-of-the-cost) of the closed labs it names. The API went live the same day. The model that earned the number did not. Every one of those figures is company-reported. MiniMax states the SWE-Bench Pro run was ["tested on internal infrastructure using Claude Code as the scaffolding"](https://www.minimax.io/blog/minimax-m3) — its own machines, its own harness, no independent rerun — and [the-decoder notes the results carry no outside verification](https://the-decoder.com/minimax-m3-open-weight-model-with-a-million-token-context-challenges-proprietary-leaders/). The cost edge is real engineering: [**MSA**, MiniMax Sparse Attention](https://www.minimax.io/blog/minimax-m3), drops per-token compute to one-twentieth of the prior generation at a million tokens. But "open-weight" was the part that made the claim auditable, and at launch the weights were not released — promised on Hugging Face and GitHub "within the next ten days." A week later they are still not out: the [GitHub repository's own README](https://github.com/MiniMax-AI/MiniMax-M3) reads, "The model is not yet released," and points users back to M2.7. So the receipt is a number nobody outside the building can reproduce, attached to a model nobody outside the building can run. That is not fraud; it is the new default. In a season when vendor-graded coding scores have quietly stopped meaning much — see this issue's [Agents' Last Exam](https://agents-last-exam.org), the clean instrument that put the frontier at 2.6% — MiniMax launched on a self-run benchmark and led with it. For a builder, the lesson is the asterisk, not the leaderboard: a frontier-parity claim with no chain of custody is a marketing artifact until the weights drop and someone else runs the eval. Ship the checkpoint, then we will talk about 59. **Feature: RECKONING** > It passed every test it set itself. The weights that would let anyone else grade it are still 'coming,' the harness that produced the score was its own, and the number is the frontier's — until the moment it can be checked. — — THE SIGNAL EDITORS **Sources:** - [MiniMax (blog)](https://www.minimax.io/blog/minimax-m3) - [VentureBeat](https://venturebeat.com/technology/minimax-m3-debuts-eclipsing-gpt-5-5-and-gemini-3-1-pro-on-key-benchmark-performance-for-just-5-10-of-the-cost) - [the-decoder](https://the-decoder.com/minimax-m3-open-weight-model-with-a-million-token-context-challenges-proprietary-leaders/) - [GitHub (M3 repo)](https://github.com/MiniMax-AI/MiniMax-M3) Image: https://www.immersivecommons.com/signal/issue-08/minimax-m3.png (image: [MiniMax](https://www.minimax.io/blog/minimax-m3)) ## III. THE STACK SHIFTS Microsoft took its Agent Framework harness to 1.0 GA and handed the model a Python interpreter in a micro-VM; Cognition retired the Windsurf editor for an agent-fleet manager and an open protocol that runs any vendor's agent; and Microsoft shipped seven of its own models to need OpenAI less, the same week OpenAI started selling through Amazon. The agent loop everyone hand-rolls became a supported runtime, the IDE became a dispatcher, and the two biggest partners in AI un-bundled from each other in one news cycle. The moat was the glue, and the glue is now a dependency. ### 102 · The Agent Loop You Hand-Roll Shipped As A Product. *Microsoft took the agent harness to 1.0 GA, then handed the model a Python interpreter in a micro-VM.* At Build 2026 on June 3rd, [Microsoft took the Agent Framework](https://devblogs.microsoft.com/agent-framework/microsoft-agent-framework-at-build-2026-announce/) harness to 1.0 GA — the layer everyone rebuilds by hand. Shell access, filesystem access, human-in-the-loop approval, and context management across long-running sessions, all shipped as supported primitives. Automatic [context compaction](https://github.com/microsoft/agent-framework), a `FileMemoryProvider` for session memory, and a `TodoProvider` for task tracking now come in the box. The same day, [GitHub Copilot SDK integration](https://devblogs.microsoft.com/agent-framework/microsoft-agent-framework-at-build-2026-announce/) reached 1.0 alongside it. The sharper move ships in the alpha `agent-framework-hyperlight` package: **CodeAct**. Instead of emitting one tool call per turn, the model writes a single short Python program that invokes your tools through `call_tool(…)`, and that program runs in a fresh, locally isolated [Hyperlight](https://github.com/hyperlight-dev/hyperlight) micro-VM per call. On a representative multi-step workload — order totals across many users, dozens of tool calls — the traditional loop took 27.81 seconds and 6,890 tokens; CodeAct took 13.23 seconds and 2,489. That is a [52.4% cut in latency and a 63.9% cut in tokens](https://devblogs.microsoft.com/agent-framework/microsoft-agent-framework-at-build-2026-announce/), the model writing code to orchestrate the work it used to narrate one call at a time. The hand-rolled agent loop was a moat made of glue. Microsoft just commoditized the glue, and then argued the loop itself is the wrong abstraction — that for tool-heavy work the model should write the program, not play the dispatcher. Run `create_harness_agent` and you inherit the compaction, the memory, and the todo tracking you were about to write yourself. The question stops being whether you can build the runtime, and becomes whether the runtime you built is faster than the one that now ships with a version number. **Feature: PROMPT** *Stop hand-rolling the loop — measure the delta.* You already wrote a worse version of this harness. Point CodeAct at a real tool-heavy job — one with dozens of dependent tool calls — and read your own token bill against the loop you maintain today. ``` # install the harness + the CodeAct (alpha) package pip install agent-framework agent-framework-hyperlight # in your code: build a harness agent (compaction, file memory, todos included) # from agent_framework import create_harness_agent # agent = create_harness_agent(model=..., tools=[your_tools]) # then flip the same tools onto CodeAct and run a multi-step task — # the model writes ONE short Python program that calls tools via call_tool(...) # and executes it in a per-call Hyperlight micro-VM. # Log tokens + wallclock for BOTH paths on the SAME task. Compare. ``` > Pro move: Pro move — the isolation is the feature, not a footnote. Each CodeAct call spins a fresh [Hyperlight](https://github.com/hyperlight-dev/hyperlight) micro-VM (a CNCF-sandbox VMM that boots in milliseconds), so model-written code never touches your host between calls. Treat untrusted generated code as untrusted: keep CodeAct on for the dispatch logic, and gate any irreversible tool behind the harness's human-in-the-loop approval, not inside the generated program. **Sources:** - [Microsoft DevBlogs — Agent Framework at Build 2026](https://devblogs.microsoft.com/agent-framework/microsoft-agent-framework-at-build-2026-announce/) - [Microsoft DevBlogs — Foundry Agent Service at Build 2026](https://devblogs.microsoft.com/foundry/agent-service-build2026/) - [Microsoft Agent Framework (GitHub)](https://github.com/microsoft/agent-framework) Image: https://www.immersivecommons.com/signal/issue-08/maf-build-2026.webp (image: [Microsoft DevBlogs](https://devblogs.microsoft.com/agent-framework/microsoft-agent-framework-at-build-2026-announce/)) ### 103 · Cognition Killed The Editor. Devin Desktop Manages A Fleet. *The unit of the dev tool stopped being a file. It is now an agent roster.* On June 2nd, [Cognition retired the Windsurf brand](https://cognition.ai/blog/introducing-devin-desktop) and shipped what replaces it: **Devin Desktop**, pushed to existing users as a standard [over-the-air update](https://devin.ai/blog/windsurf-is-now-devin-desktop). The editor is no longer the center of the IDE. The new default surface is the **Agent Command Center** — a Kanban board where, in Cognition's words, "you manage every local and cloud agent from a single Kanban view." Days after the company [raised $1 billion at a $26 billion valuation](https://techcrunch.com/2026/05/27/ai-coding-startup-cognition-raises-1b-at-25b-pre-money-valuation/), it spent the product launch arguing the editor is the wrong abstraction. Two pieces make the shift load-bearing. The local agent was [rewritten from scratch in Rust](https://devin.ai/blog/windsurf-is-now-devin-desktop) as **Devin Local**, which Cognition claims is up to 30% more token efficient than the Cascade engine it retires; legacy Cascade runs only through July 1st. The interop layer is the [Agent Client Protocol](https://github.com/zed-industries/agent-client-protocol), an [Apache 2.0](https://github.com/zed-industries/agent-client-protocol/blob/main/LICENSE) standard for editor-to-agent communication. Devin Desktop speaks it, so [Codex, Claude Agent, OpenCode, and any other ACP-compatible agent](https://devin.ai/blog/windsurf-is-now-devin-desktop) run as first-class citizens beside Devin, with a primitive called Spaces letting related agents share context. The agent loop most builders hand-roll — spawn three vendors' CLIs in three terminals, reconcile their diffs by hand — shipped this week as the default chrome of a shipping IDE. ACP is the part that matters: an open protocol means the host stops being a vendor lock. Adopt it and your in-house agent plugs into any compliant editor; refuse to pick one vendor's agent and run them side by side instead. The dev tool's unit of work just moved from the file you edit to the fleet you dispatch. **Feature: PROMPT** *Run Codex, Claude Agent, and OpenCode side by side under one Kanban board.* Devin Desktop arrives as an over-the-air update to any Windsurf install. Open the Agent Command Center, drop the same task onto Codex, Claude Agent, and OpenCode as three cards, and watch three vendors' agents work the same repo in one view instead of three terminals. ``` In Devin Desktop, open the Agent Command Center. Create three cards for one bug. Assign card one to Devin Local, card two to Claude Agent over ACP, and card three to Codex over ACP. Give all three the identical prompt: 'Find and fix the failing test in this module; open a PR with the diff.' Compare the three PRs side by side before you merge any of them. ``` > Pro move: Pro move — do not adopt the host, adopt the protocol. The [Agent Client Protocol](https://github.com/zed-industries/agent-client-protocol) is Apache 2.0 and editor-agnostic. If you maintain your own coding agent, implement the ACP server side once and it becomes a first-class citizen inside Devin Desktop, [Zed](https://zed.dev/), and every other ACP host — no per-IDE plugin, no vendor picking you back. **Sources:** - [Cognition blog](https://cognition.ai/blog/introducing-devin-desktop) - [Devin blog](https://devin.ai/blog/windsurf-is-now-devin-desktop) - [Agent Client Protocol](https://github.com/zed-industries/agent-client-protocol) - [TechCrunch (Series C)](https://techcrunch.com/2026/05/27/ai-coding-startup-cognition-raises-1b-at-25b-pre-money-valuation/) Image: https://www.immersivecommons.com/signal/issue-08/devin-desktop.jpg (image: [Cognition](https://cognition.ai/blog/introducing-devin-desktop)) ### 104 · Microsoft Shipped Seven Models To Stop Renting OpenAI. *The same week it launched its own frontier stack, OpenAI went generally available on Amazon — the two biggest partners un-bundled in one news cycle.* At Build on June 2nd, [Microsoft launched seven in-house MAI models](https://microsoft.ai/news/building-a-hillclimbing-machine-launching-seven-new-mai-models/) — **MAI-Thinking-1**, **MAI-Code-1-Flash**, MAI-Image-2.5 and its Flash variant, MAI-Transcribe-1.5, and MAI-Voice-2 and its Flash variant — and CNBC read the move plainly: the lineup exists to [lessen reliance on OpenAI and lower costs for developers](https://www.cnbc.com/2026/06/02/microsoft-unveils-new-ai-models-lessen-reliance-on-openai-lower-costs.html). After investing $13 billion in the partner whose models it has resold since 2023, Microsoft AI chief Mustafa Suleyman said the in-house stack, tuned on consulting-firm workloads, outperformed [GPT-5.5 at ten times better cost efficiency](https://www.cnbc.com/2026/06/02/microsoft-unveils-new-ai-models-lessen-reliance-on-openai-lower-costs.html). MAI-Code-1-Flash is already [live in GitHub Copilot and VS Code](https://microsoft.ai/news/introducingmai-code-1-flash/), in the model picker and under the default auto router. The receipts are company-reported, and worth reading as such. Microsoft says MAI-Code-1-Flash — a 5-billion-active-parameter agentic coder — beats Claude Haiku 4.5 on [SWE-Bench Pro, 51.2% to 35.2%, a 16-point lead](https://microsoft.ai/news/introducingmai-code-1-flash/), while [solving harder problems with up to 60% fewer tokens on SWE-Bench Verified](https://microsoft.ai/news/introducingmai-code-1-flash/). The reasoning model, [MAI-Thinking-1](https://microsoft.ai/news/introducing-mai-thinking-1/), is a 35-billion-active, roughly one-trillion-total [mixture-of-experts](https://en.wikipedia.org/wiki/Mixture_of_experts) trained from scratch on licensed data with no distillation from any third-party model; Microsoft reports it matches Opus 4.6 on SWE-Bench Pro and posts 97.0% on AIME-2025. The pitch is not that these win the absolute frontier — it is that Microsoft owns the weights, runs them on Azure, pays no partner royalty, and hands the saving down the stack. The geometry is the story. In the same news cycle, [OpenAI's GPT-5.5, GPT-5.4, and Codex went generally available on Amazon Bedrock](https://aws.amazon.com/blogs/aws/get-started-with-openai-gpt-5-5-gpt-5-4-models-and-codex-on-amazon-bedrock/) on June 1st — first-party pricing, usage counting toward existing AWS commitments, the first time those models shipped on a non-Microsoft cloud. So OpenAI now sells through Microsoft's largest rival while Microsoft ships models built to need OpenAI less: the most consequential partnership in the industry quietly un-bundled from both ends at once. For a builder, the abstraction that loosened this week is the assumption that the cloud and the model travel together. The frontier model is becoming a commodity you route to on cost, and the lab and the cloud you buy it from no longer have to be the same company. **Feature: PROMPT** *MAI-Code-1-Flash is free in Copilot — bench it against your token bill.* Microsoft says its 5B-param coder beats Claude Haiku 4.5 on SWE-Bench Pro with up to 60% fewer tokens. It is rolling out free inside GitHub Copilot and VS Code. The number you actually care about is your own, on your own code — so measure it. ``` # In VS Code with GitHub Copilot, open the model picker (or leave the # default Auto router on — MAI-Code-1-Flash is in the rotation). # Pick a real, tool-heavy agentic task you already run today: # - a multi-file refactor, or # - a failing-test -> green-test loop on an actual repo issue. # # Run it TWICE on the same task: # 1. your current default coding model # 2. MAI-Code-1-Flash # # For each run, record from the Copilot request log: # - total tokens (prompt + completion) # - wallclock to first working diff # - did the task actually pass (tests green / diff applies clean)? # # The headline claim is 'up to 60% fewer tokens on SWE-Bench Verified.' # Your repo is not SWE-Bench. Find out what the delta is on YOUR code. ``` > Pro move: Pro move — the cost story is a routing story. The point of seven in-house models is that the cheap one handles the volume and the expensive frontier model handles the hard tail. Don't pin one model in the picker; turn the [Auto router](https://microsoft.ai/news/introducingmai-code-1-flash/) on and let MAI-Code-1-Flash absorb the easy dispatch, then gate the genuinely hard reasoning to a frontier model on purpose. Routing on cost-per-task is the muscle this whole un-bundle is asking you to build — the lab and the cloud are now both variables, not constants. **Sources:** - [Microsoft AI — Launching seven new MAI models](https://microsoft.ai/news/building-a-hillclimbing-machine-launching-seven-new-mai-models/) - [Microsoft AI — Introducing MAI-Code-1-Flash](https://microsoft.ai/news/introducingmai-code-1-flash/) - [Microsoft AI — Introducing MAI-Thinking-1](https://microsoft.ai/news/introducing-mai-thinking-1/) - [CNBC — Microsoft unveils models to lessen reliance on OpenAI](https://www.cnbc.com/2026/06/02/microsoft-unveils-new-ai-models-lessen-reliance-on-openai-lower-costs.html) - [AWS — OpenAI GPT-5.5, GPT-5.4, and Codex GA on Amazon Bedrock](https://aws.amazon.com/blogs/aws/get-started-with-openai-gpt-5-5-gpt-5-4-models-and-codex-on-amazon-bedrock/) Image: https://www.immersivecommons.com/signal/issue-08/microsoft-mai-seven.jpg (image: [CNBC](https://www.cnbc.com/2026/06/02/microsoft-unveils-new-ai-models-lessen-reliance-on-openai-lower-costs.html)) ## IV. THE LANDLORD SpaceX agreed to rent Google about 110,000 GPUs for $920 million a month through 2029 — its second hyperscaler landlord deal in a quarter, after Anthropic — while at Computex Nvidia put Vera Rubin into full production and declared every token a billable unit of revenue. The demand side rents the floor; the supply side builds the silicon both tenants rent. Owning electrons-plus-silicon is the franchise now, and the meter runs by the token. ### 105 · Google Rented The Colossus Too. *SpaceX now bills the AI franchise. Google pays $920 million a month for the same electrons it sold Anthropic.* On June 5th, a [SpaceX free-writing prospectus](https://www.sec.gov/Archives/edgar/data/1181412/000162828026041150/spacexagreementfwp.htm) disclosed that [Google agreed to pay SpaceX $920 million a month](https://techcrunch.com/2026/06/05/google-will-pay-spacex-920m-per-month-for-compute/) for compute capacity, running [October 2026 through June 2029](https://techcrunch.com/2026/06/05/google-will-pay-spacex-920m-per-month-for-compute/). The package is **approximately 110,000 NVIDIA GPUs**, CPUs, memory, and related silicon, sited at the same xAI data centers SpaceX already leases to Anthropic. Filed Pursuant to Rule 433 against an active S-1, the line landed in the same week SpaceX itself filed to go public — the landlord priced the floor on the way to the auction. The mechanism is that SpaceX owns neither the chips nor the breakthrough — it owns the [power and the buildings around Colossus near Memphis](https://www.tomshardware.com/tech-industry/artificial-intelligence/google-signs-usd920m-monthly-compute-deal-with-spacex-companys-projected-annual-data-center-revenue-to-exceed-its-combined-proceeds-from-starlink-launch-services-and-ai-in-2025), and it rents that substrate to whoever is short. Google called it "bridge capacity to meet surging customer demand" for Gemini Enterprise; the agreement ramps through September at a reduced fee, with a hard GPU-delivery deadline of September 30th before Google can walk. At [$11 billion a year](https://techcrunch.com/2026/06/05/google-will-pay-spacex-920m-per-month-for-compute/), Tom's Hardware notes SpaceX's projected data-center revenue would top its Starlink, launch, and AI proceeds combined. This is the second SpaceX landlord deal in a single quarter, following the [$1.25-billion-a-month Anthropic lease](https://techcrunch.com/2026/06/05/google-will-pay-spacex-920m-per-month-for-compute/) that week-06 read as the moment the limit became electrons, not chips. The renter is no longer paying for a model; it is paying for a substation, a slab, and a delivery date. Owning electrons-plus-silicon is the franchise now — and the quietest detail is that Musk's xAI is Google's compute landlord while Musk litigates OpenAI. **Feature: TICKER** - **$920M PER MONTH, TO SPACEX** (OCT 2026 THROUGH JUN 2029) - **110K NVIDIA GPUs** (PLUS CPUs, MEMORY, SILICON) - **$11B ANNUAL RUN-RATE** (TOPS STARLINK + LAUNCH + AI) - **2ND SPACEX LANDLORD DEAL** (ANTHROPIC $1.25B/MO WAS FIRST) **Sources:** - [TechCrunch](https://techcrunch.com/2026/06/05/google-will-pay-spacex-920m-per-month-for-compute/) - [SEC (SpaceX FWP, Rule 433)](https://www.sec.gov/Archives/edgar/data/1181412/000162828026041150/spacexagreementfwp.htm) - [Tom's Hardware](https://www.tomshardware.com/tech-industry/artificial-intelligence/google-signs-usd920m-monthly-compute-deal-with-spacex-companys-projected-annual-data-center-revenue-to-exceed-its-combined-proceeds-from-starlink-launch-services-and-ai-in-2025) - [CNBC](https://www.cnbc.com/2026/06/05/google-to-pay-spacex-920-million-a-month-for-xai-compute-capacity.html) Image: https://www.immersivecommons.com/signal/issue-08/google-spacex-920m.jpg (image: [TechCrunch](https://techcrunch.com/2026/06/05/google-will-pay-spacex-920m-per-month-for-compute/)) ### 106 · Nvidia Put Vera Rubin Into Full Production. Tokens Are The Revenue Now. *At Computex, Jensen repriced the silicon supply chain around inference at industrial scale.* On June 1st, on the GTC Taipei stage at [Computex](https://en.wikipedia.org/wiki/Computex), [Jensen Huang announced the **Vera Rubin** platform "now in production"](https://blogs.nvidia.com/blog/nvidia-gtc-taipei-computex-2026-news/) — Nvidia's next rack-scale generation, purpose-built for what he called agentic AI factories. The keynote ran a single thesis on a loop: agentic AI has arrived, it works, and it pays. Underneath the slideware sat a number with no marketing in it. Five years ago Nvidia spent [between $10 billion and $15 billion a year in Taiwan; that figure is now roughly **$150 billion**](https://cryptobriefing.com/nvidia-150b-taiwan-silicon-shield-ai/), with [AMD pledging over $10 billion](https://cryptobriefing.com/nvidia-150b-taiwan-silicon-shield-ai/) into the same supply base over a comparable window. The mechanism is the [Vera Rubin NVL72](https://blogs.nvidia.com/blog/nvidia-gtc-taipei-computex-2026-news/), and the load-bearing detail is manufacturability, not FLOPS. Its cable-free, hose-free, fanless modular tray [cuts assembly "from two hours to five minutes per compute tray"](https://blogs.nvidia.com/blog/nvidia-gtc-taipei-computex-2026-news/) — Nvidia is optimizing the build line the way it once optimized the die, because the binding constraint on an [AI factory](https://en.wikipedia.org/wiki/AI_factory) is no longer the chip but how fast you can rack, power, and cool it. Huang made the accounting explicit — [compute is revenue, every token produced profitable](https://blogs.nvidia.com/blog/nvidia-gtc-taipei-computex-2026-news/) — which reframes performance-per-watt, reliability, and system lifetime as the financial levers, not the spec sheet. That is the supply side of the franchise THE SIGNAL has tracked all quarter, and it closes a loop. The demand side rents — [Google is paying SpaceX about $920 million a month for GPU capacity](https://www.cnbc.com/2026/06/05/google-to-pay-spacex-920-million-a-month-for-xai-compute-capacity.html) — while the supply side builds the silicon both of them rent. For a builder, the repricing is the signal: when the company that makes the picks declares every token a billable unit and spends $150 billion a year to mint more of them, inference stops being a cost line and becomes the meter. The frontier is no longer selling computers. It is selling the throughput, and it has started counting it by the token. **Feature: RECEIPT** > Tokens are now profitable units of revenue. — HUANG · CEO · NVIDIA Jensen Huang, GTC Taipei keynote at Computex, the thesis he returned to all night: useful agentic AI has arrived and it bills by the token. June 1, 2026. **Sources:** - [NVIDIA (blog)](https://blogs.nvidia.com/blog/nvidia-gtc-taipei-computex-2026-news/) - [SiliconANGLE](https://siliconangle.com/2026/06/01/five-thoughts-nvidia-ceo-jensen-huangs-gtc-taipei-2026-keynote/) - [Crypto Briefing](https://cryptobriefing.com/nvidia-150b-taiwan-silicon-shield-ai/) Image: https://www.immersivecommons.com/signal/issue-08/computex-vera-rubin.jpg (image: [NVIDIA](https://blogs.nvidia.com/blog/nvidia-gtc-taipei-computex-2026-news/)) ## V. THE GROUND WON'T HOLD A self-spreading worm poisoned Red Hat's npm packages with valid provenance signatures and went hunting the Anthropic API keys the stack runs on; one scanner read 39,884 MCP servers and surfaced 67 CVEs of a single structural class, the tool surface everyone is bolting onto their agents. Then Washington answered, with an executive order asking labs to voluntarily hand the government 30 days of early access and standing up a cyber clearinghouse. The supply chain under the frontier kept failing in public, and the trust signals built to catch it — provenance, last week's patch advice, the audit — were a step behind each time. ### 107 · A Worm Poisoned Red Hat's Packages. The Signatures Checked Out. *Valid provenance signed the malware. The trust stamp builders were told to rely on stopped meaning anything.* A self-replicating worm researchers named [**Miasma**](https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages) — the latest strain of the Shai-Hulud lineage THE SIGNAL has tracked across the npm ecosystem — trojanized 32 packages, across more than 90 versions, under the `@redhat-cloud-services` scope after taking over a maintainer's GitHub account. The packages pull [between 80,000 and 117,000 downloads a week](https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803). [Microsoft Threat Intelligence](https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/) and Wiz both confirmed the compromised builds harvest cloud credentials, SSH keys, and — newly — Anthropic API keys from the environments that install them. The structurally new part is what made it invisible. The malicious versions were published through Red Hat's own legitimate **GitHub Actions OIDC pipeline**, so every poisoned build carried valid [SLSA provenance](https://slsa.dev) — the cryptographic attestation that is supposed to prove a package was built by who it claims. Two days later the campaign escalated again: [StepSecurity](https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm) and Snyk reported a variant that moves its execution into a native-build configuration file, running during `npm install` on packages that declare no install scripts at all — slipping past the `--ignore-scripts` defense the whole ecosystem deployed last week. It also dropped backdoor config into `.claude` and `.cursor` folders, poisoning the developer's coding agent, not just the build. Provenance was the answer the supply-chain panic had settled on: sign the build, verify the chain, trust the stamp. This worm shipped with the stamp. A valid signature now tells you a package was built by the pipeline it claims — and nothing about whether that pipeline was the attacker's for an afternoon. The defenses keep getting one disclosure behind because each one hardens the last hole; the worm rotates to the trusted channel nobody was watching, which this week was the one with the green check. **Feature: PROMPT** *Assume exposure, then rotate — provenance won't tell you.* If any of your services pull `@redhat-cloud-services` packages, treat the credentials in those environments as already harvested. The fix is not a scan; it is a rotation, because a valid signature is exactly what this campaign forged. ``` # 1. Find your exposure npm ls @redhat-cloud-services/* 2>/dev/null # 2. Pin to a known-good version predating the compromise; turn OFF auto-upgrade. # 3. Rotate everything reachable from any environment that installed an affected build: # - npm + GitHub tokens, AWS/Azure/GCP keys, Vault + Kubernetes secrets, SSH keys # - any ANTHROPIC_API_KEY present in that env (this strain targets them specifically) # 4. Audit cloned repos for unexpected .claude/ or .cursor/ setup files committed by a dependency. ``` > Pro move: Pro move — stop treating SLSA provenance as proof a package is clean. It proves origin, not integrity-of-intent; a hijacked publish pipeline produces valid attestations. And drop the assumption that `--ignore-scripts` covers you: this variant runs during the native-build step, which that flag does not touch. **Sources:** - [Wiz Research — Miasma supply-chain attack targeting Red Hat npm packages](https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages) - [Microsoft Security — Preinstall persistence inside the Red Hat npm Miasma campaign](https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/) - [The Register — Shai-Hulud malware infects Red Hat npm packages](https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803) - [StepSecurity — binding.gyp npm supply-chain attack spreads like a worm](https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm) Image: https://www.immersivecommons.com/signal/issue-08/miasma-redhat-npm.webp (image: [Wiz Research](https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages)) ### 108 · One Scanner Read 39,884 MCP Servers. It Found 67 CVEs And Counting. *The tool surface everyone is bolting onto their agents is one structural flaw, measured at ecosystem scale.* A taint-analysis framework called [**VIPER-MCP**](https://arxiv.org/abs/2605.21392) scanned 39,884 real-world Model Context Protocol server repositories and surfaced 106 zero-day vulnerabilities with confirmed end-to-end traces — 67 of them now carry assigned **CVE** IDs, the count climbing through the week as the disclosures land. Every one belongs to a single structural class. It is the first ecosystem-scale measurement of how exploitable the MCP tool surface actually is, and it arrived the same month [Akamai](https://www.akamai.com/blog/security-research/one-fluke-3-pattern-mcp-back-end-vulnerabilities) documented three more in database-backed MCP servers — one of which the vendor [declined to patch](https://adversa.ai/blog/top-mcp-security-resources-june-2026/), calling the exposure intended behavior. The class is the story. An MCP server hands an agent a set of tools; the agent fills those tools with natural-language arguments it chose; and on the affected servers those arguments reach a sensitive operation — a shell command, a database query, a file path — without ever being treated as untrusted. The model becomes the injection vector by design, because the input it generates is wired straight to the sink. This sits on top of an exposure problem [Censys](https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html) measured separately: more than 21,000 MCP servers are reachable on the open internet, and roughly 40% of the remote ones expose their tools with no authentication at all. Most of the agent stack treats MCP as plumbing — install a server, expose a few tools, move on. This is the week the plumbing got measured, and it reads as a code-execution surface with a four-figure CVE count ahead of it. Until proven otherwise, every community MCP server in your stack is a path from a sentence the model wrote to something the model should never have been able to run. **Feature: LEXICON** - **Taint-style vulnerability** — A flaw where untrusted input flows, unsanitized, into a security-sensitive operation. Static analysis traces the path from the source (where input enters) to the sink (where it does damage) — VIPER-MCP confirmed 106 such paths end to end. - **NL-to-sink** — The MCP-specific shape: a natural-language tool argument, chosen by the model, reaching a shell, SQL, or filesystem sink. The agent's own output is the payload. - **MCP tool surface** — The set of callable tools a server exposes to an agent. Each tool is an entry point; a server with five tools is five entry points, and most catalogs are larger. - **Unauthenticated remote MCP server** — An internet-reachable MCP server that serves its tools without requiring auth. Censys put this at ~40% of remote servers — open tools, open sinks, addressable from anywhere. **Sources:** - [VIPER-MCP — Detecting and Exploiting Taint-Style Vulnerabilities in MCP Servers (arXiv)](https://arxiv.org/abs/2605.21392) - [Akamai Security Research — three MCP back-end vulnerability patterns](https://www.akamai.com/blog/security-research/one-fluke-3-pattern-mcp-back-end-vulnerabilities) - [Adversa AI — Top MCP security resources, June 2026](https://adversa.ai/blog/top-mcp-security-resources-june-2026/) - [The Hacker News — Censys scan of exposed AI / MCP services](https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html) Image: https://www.immersivecommons.com/signal/issue-08/viper-mcp-67-cves.jpg (image: [Akamai Security Research](https://www.akamai.com/blog/security-research/one-fluke-3-pattern-mcp-back-end-vulnerabilities)) ### 109 · Washington Answered. The Gate Is Now Voluntary. *Trump signed an order asking the labs for 30 days with their frontier models before you get them.* On June 2nd, President Trump signed an executive order, [*"Promoting Advanced Artificial Intelligence Innovation and Security,"*](https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/) directing a [voluntary framework](https://www.cnbc.com/2026/06/02/trump-executive-order-ai.html) under which AI developers can give the federal government access to a covered frontier model "for a period of up to 30 days before they plan to release such models to other trusted partners." It is a [fundamental shift from the administration's previous hands-off stance](https://www.scientificamerican.com/article/trumps-new-ai-executive-order-drastically-shifts-the-administrations-stance-on-the-tech/) — and a deliberately defanged one: an [earlier draft set the window at 90 days](https://www.cfr.org/articles/assessing-trumps-executive-order-on-ai-oversight), cut to 30 as a compromise between the national-security and anti-regulation camps. OpenAI, Anthropic, and Google [publicly welcomed it](https://www.cnbc.com/2026/06/02/trump-executive-order-ai.html). The mechanism is a request, not a rule. Section 3 stands up a "voluntary framework with AI developers" and then forecloses the obvious next step: "Nothing in this section shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement" for releasing a model. Around that voluntary core the order builds the apparatus of a [pre-release testing regime](https://www.cfr.org/articles/assessing-trumps-executive-order-on-ai-oversight) — a [classified benchmarking process](https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/) "to assess the advanced cyber capabilities of AI models," an NSA-run designation of which models count as **covered frontier models**, and a Treasury-led [AI cybersecurity clearinghouse](https://www.scientificamerican.com/article/trumps-new-ai-executive-order-drastically-shifts-the-administrations-stance-on-the-tech/) that coordinates and deconflicts the scanning of software for vulnerabilities. The state built the gate; walking through it stays optional. This is the regulator's version of the same move Anthropic just made with Mythos — ration the dangerous capability behind a trust check rather than ship it raw — except the trusted party is now the government, and the currency is early access instead of a security-criteria bar. The voluntary label is the load-bearing fiction: a 30-day federal window that every major lab adopts "to forestall more invasive regulation later" is a standard, not a suggestion, however the text reads. The frontier filed to go public this week; Washington answered by asking, politely, to see the weights first. For a builder, the model you ship may soon clear a classified benchmark before it clears your changelog — and nobody will have passed a law. **Feature: WATCHLIST** - Which frontier labs formally opt into the voluntary framework — and whether any (OpenAI, Anthropic, Google, xAI, Meta) publicly declines the 30-day window. - Whether the voluntary 30-day access becomes de facto mandatory — a federal procurement, cloud contract, or liability-shield that conditions eligibility on having submitted a model for review. - The AI cybersecurity clearinghouse's first published disclosure or coordinated-scanning result under Treasury. - How the classified cyber-capability benchmark defines 'dangerous capability' and what threshold trips the covered-frontier-model designation — currently NSA-run and unpublished. - Whether a second government (EU, UK, China) stands up its own pre-release frontier-access regime in response, turning a U.S. request into an international norm. **Sources:** - [The White House (primary)](https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/) - [CNBC](https://www.cnbc.com/2026/06/02/trump-executive-order-ai.html) - [Scientific American](https://www.scientificamerican.com/article/trumps-new-ai-executive-order-drastically-shifts-the-administrations-stance-on-the-tech/) - [Council on Foreign Relations](https://www.cfr.org/articles/assessing-trumps-executive-order-on-ai-oversight) Image: https://www.immersivecommons.com/signal/issue-08/trump-ai-eo.jpg (image: [CNBC](https://www.cnbc.com/2026/06/02/trump-executive-order-ai.html)) ## VI. THE MATTER Microsoft unveiled a device platform for hardware that runs agents instead of apps, its bid to be Android for the post-app era; and a Rest of World investigation found the Chinese humanoid-data race running not on simulation but on armies of human workers teleoperating tasks by hand. The embodiment frontier opened a new kind of device and revealed the labor underneath the old promise. The robots are coming, and for now they run on human hands filming the same folded shirt ten million times. ### 110 · Microsoft Wants To Be Android For The Agent Era. *Not the device — the platform every device maker builds on. Project Solara runs agents where apps used to live.* At [Build on June 2nd in San Francisco](https://www.geekwire.com/2026/inside-microsofts-project-solara-a-new-platform-for-devices-that-run-ai-agents-instead-of-apps/), Microsoft unveiled **Project Solara** — a platform for devices that run AI agents instead of apps, built on Android rather than Windows, spanning, in the company's words, [from chip to cloud](https://www.tomshardware.com/tech-industry/artificial-intelligence/microsoft-unveils-project-solara-ai-a-chip-to-cloud-platform-built-to-power-a-new-generation-of-agent-first-enterprise-devices-hardware-designed-to-run-ai-agents-instead-of-traditional-apps). It arrived with two working reference devices — a desktop hub and a wearable badge — and a roster of named pilots: [AccuWeather, Best Buy, CVS Health, Levi's, and Target](https://www.geekwire.com/2026/inside-microsofts-project-solara-a-new-platform-for-devices-that-run-ai-agents-instead-of-apps/). Microsoft is not shipping the hardware. It is shipping the substrate the hardware makers build on, the same bet it placed on the PC five decades ago. The platform is the [Microsoft Device Ecosystem Platform, or MDEP](https://www.geekwire.com/2026/inside-microsofts-project-solara-a-new-platform-for-devices-that-run-ai-agents-instead-of-apps/), an enterprise build of the [Android Open Source Project](https://en.wikipedia.org/wiki/Android_(operating_system)) chosen over Windows to run on smaller, lower-power silicon. Qualcomm and MediaTek are the first chip partners — the badge on a new Qualcomm wearable chip, the desk hub on MediaTek IoT silicon, both off-the-shelf so devices stay cheap and fast to build. The badge is the tell: in one demo it ran agents for a health-care worker, able to [scan a patient's QR code, record and transcribe the visit, log vitals, and start a prescription](https://www.geekwire.com/2026/inside-microsofts-project-solara-a-new-platform-for-devices-that-run-ai-agents-instead-of-apps/). One fingerprint button wakes an agent; one tap transcribes; the camera lets the agent act on what the wearer sees. Microsoft says it [won't ship these devices itself](https://www.geekwire.com/2026/inside-microsofts-project-solara-a-new-platform-for-devices-that-run-ai-agents-instead-of-apps/) — hardware makers turn the reference designs into vertical products, one per industry, company, or scenario. That is the whole strategy in a sentence. The PC era was won by whoever owned the layer every machine ran on, not whoever made the best machine, and Microsoft is reaching for the same chokepoint in the agent era: own the OS, the management plane, and the agent runtime, and let everyone else fight over the plastic. For a builder, the abstraction that just cracked is the app. Solara is a wager that the post-app device is real, that it opens in physical hardware on a healthcare worker's lanyard, and that the floor it stands on will be rented from Redmond. **Feature: RECEIPT** > Boundaries are collapsing. You don't necessarily need the traditional app model. — BATHICHE · CVP & TECHNICAL FELLOW · MICROSOFT APPLIED SCIENCES GROUP June 2, 2026 — Build, San Francisco. Stevie Bathiche, who leads Microsoft's Applied Sciences Group, framing Project Solara as a break from app-based computing: agents you invoke, not software you open. The full line continued, "You don't need the traditional way of developing experiences." **Sources:** - [GeekWire — Inside Microsoft's Project Solara](https://www.geekwire.com/2026/inside-microsofts-project-solara-a-new-platform-for-devices-that-run-ai-agents-instead-of-apps/) - [Tom's Hardware — Microsoft unveils Project Solara, a chip-to-cloud platform for agent-first devices](https://www.tomshardware.com/tech-industry/artificial-intelligence/microsoft-unveils-project-solara-ai-a-chip-to-cloud-platform-built-to-power-a-new-generation-of-agent-first-enterprise-devices-hardware-designed-to-run-ai-agents-instead-of-traditional-apps) - [Engadget — Microsoft announces Project Solara, its take on an AI agent platform](https://www.engadget.com/2185941/microsoft-announces-project-solara-its-take-on-an-ai-agent-platform/) Image: https://www.immersivecommons.com/signal/issue-08/ms-project-solara.jpg (image: [GeekWire](https://www.geekwire.com/2026/inside-microsofts-project-solara-a-new-platform-for-devices-that-run-ai-agents-instead-of-apps/)) ### 111 · The Humanoids Run On Human Hands. China Industrialized The Floor. *The bottleneck on physical AI was never compute — it is demonstration data, and it is being mined as cheap manual labor.* On June 3rd, [Rest of World](https://restofworld.org/2026/china-ai-robotics-training-data/) reported the labor floor under the embodiment hype: in Suqian, [JD.com](https://www.jd.com/) plans to pull 100,000 of its own employees and 500,000 external workers into a two-year program to film 10 million hours of people doing chores. The footage trains humanoid robots. One worker, Gao Bo, earns **20 yuan ($3) an hour** filming herself cooking and folding laundry six hours a day, strapped into head-mounted cameras and wrist sensors. "No one had paid me to cook and do laundry before," she told the reporter. The mechanism is [teleoperation](https://en.wikipedia.org/wiki/Teleoperation) and demonstration — a human performs a task while sensors log the synchronized joint motions, rotations, and vision a robot policy needs, the kind of action-state data that cannot be scraped from the internet or generated in simulation at the variety the real world demands. China is industrializing it: a Beijing facility in Shijingshan spans over [10,000 square meters](http://en.people.cn/n3/2026/0428/c90000-20451334.html), where 100 robots and their human handlers complete at least 12,000 data-collection tasks a day, and standardized data collection is now written into the 15th Five-Year Plan. "Imitation learning, by using real human demonstration data, allows robots to gradually acquire a wide range of human-like actions," says [Unitree](https://www.unitree.com/) founder Wang Xingxing. This is the substrate every embodiment headline stands on. Figure, Tesla, and BMW announce which robot got deployed; nobody announces who taught it, because the teacher is a worker on a kiwifruit farm wearing a GoPro for three dollars an hour. The hardware was the easy part — actuators are a solved supply chain. The hard part is the demonstration, and the demonstration is human, manual, and cheap. The humanoid revolution does not run on simulation. It runs on a folded shirt, filmed ten million times. **Feature: RECKONING** > The robots are learning to be human the only way that works — by paying humans three dollars an hour to be filmed doing the chores the machine will inherit. We were told embodiment was a hardware problem. It turned out to be a labor problem, and the labor is us. — — THE SIGNAL EDITORS **Sources:** - [Rest of World](https://restofworld.org/2026/china-ai-robotics-training-data/) - [People's Daily](http://en.people.cn/n3/2026/0428/c90000-20451334.html) Image: https://www.immersivecommons.com/signal/issue-08/china-humanoid-data-labor.jpg (image: [Rest of World](https://restofworld.org/2026/china-ai-robotics-training-data/)) --- *THE SIGNAL · FRONTIER TOWER / SAN FRANCISCO*