Runtime
The frontier gets serious when an agent leaves the prompt and enters a computer that someone has to bound, inspect, and clean up.
Runtime covers the move from chat or tool calls into bounded execution: terminal, filesystem, browser, code execution, tool creation, sandboxing, persistence, cleanup. Where the agent actually operates.
June 2026
-
CLI 0.136.0 adds API-key registration for approved remote exec-server hosts
- An operator running remote execution can register approved hosts via API key instead of entering credentials per session, changing the remote-exec authentication model.
- This shifts trust to a pre-registered host allowlist keyed by API key — operators must decide which hosts are 'approved' and how those keys are scoped and rotated before enabling remote exec.
- Verification path: upgrade to 0.136.0, register a test host, confirm only approved hosts authenticate and that key scope/rotation behaves as expected before exposing remote execution.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
Promptware defense added against Brainworm-class prompt-injection attacks
- Operators running the agent against untrusted content (web, repos, MCP tool output) gain a built-in defense layer they should validate against their own injection test cases rather than assume blanket coverage.
- 19 security-tagged issues were closed in the same release, so the upgrade is the gate for these protections; staying on prior versions leaves the injection surface unmitigated.
- Verification path: upgrade to v0.15.0 and run known Brainworm-class injection patterns to confirm the defense triggers before exposing the agent to untrusted input.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
OAuth browser-launch URI validation closes command-injection path
- An operator authenticating against a third-party or attacker-influenced OAuth server was exposed to shell command injection via the verification URI; upgrading past ba6e529 removes that exposure.
- Verification path: confirm the build includes ba6e529 (non-HTTP(S) URIs rejected, browser launched via spawn() not shell exec()).
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
Git package install path-traversal rejection
- An operator installing a git-sourced package from an untrusted URL was exposed to files being written outside the package install root via traversal sequences; upgrading past a98e087 blocks this at parse and resolution time.
- Verification path: confirm a98e087 is present; a crafted git URL with '../' is rejected with 'Refusing to use path outside package install root'.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
Enhanced plugin isolation tightens the plugin sandbox boundary in the 2026.6.1 line
- Enhanced plugin isolation changes the sandbox boundary around plugins, including the externalized Tokenjuice and GitHub Copilot plugins, which now run as separate plugins.
- Operators running third-party or externalized plugins should re-test plugin behavior against the tightened isolation, since capabilities previously available in-process may now be constrained.
- Single runtime-admin decision: verify plugins still function under the new isolation after upgrade.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
Computer-use screenshots now persist to durable chat-scoped storage by default
- Reverses the prior ephemeral-by-default posture for computer-use screenshots, so operators who relied on screenshots being transient must now account for retained artifacts.
- Changes deployment storage characteristics: long-running computer-use sessions accumulate screenshots in chat context, requiring storage planning and retention/cleanup review.
- Directly hits the Grid/workcell calibration concern of persistence and cleanup for real computer access.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
Upgrade dulwich to 1.2.5 to close CVE-2026-42305 in git operations
- Operator must re-resolve poetry.lock (enterprise and root) and rebuild backend images to ship patched dulwich; git operations run inside the agent runtime path.
- Distinct from the frontend CVEs: this is a backend Python git library, different surface and different verification (lockfile pin, not frontend bundle).
- Verification path: confirm dulwich>=1.2.5 in deployed poetry.lock / installed environment.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
v0.9.1 strips WebSocket URL credentials and rejects blank requestIds
- Operators deploying Flue on Cloudflare WebSockets get two upstream hardening fixes by upgrading to v0.9.1: query strings and fragments are stripped before attachment persistence, so URL-carried handshake credentials are no longer retained, and agent/workflow frames reject blank or whitespace-only `requestId` values.
- Both are the same consequence for one persona (the Cloudflare WebSocket operator) gated on the same upgrade, so they stay one signal; the operator action is to upgrade and confirm credentials are no longer in persisted attachments.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
-
Writes to execution-granting config and shell startup files now prompt even in acceptEdits mode
- Two new guardrails land together: acceptEdits mode now prompts before writing build-tool config that grants code execution (.npmrc, .yarnrc*, bunfig.toml, .bazelrc, .pre-commit-config.yaml, .devcontainer/, etc.), and the agent now prompts before writing shell startup files (.zshenv, .zlogin, .bash_login) and ~/.config/git/.
- Operators who ran acceptEdits or auto-leaning modes previously had a silent write path into files that execute code on the next shell, install, or commit; the new prompt converts that into a confirmation checkpoint.
- The operator action is to recognize that these prompts will now fire and not blanket-allow them — the prompt is the supply-chain/persistence defense, so auto-approving it re-opens the vector.
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
May 2026
-
Three de-facto security advisories without a separate advisory surface
- Windows operators on 2.1.148 or earlier with PowerShell allowlists, git worktree workflows, or enterprise login pinning should upgrade to 2.1.149+ before deploying new agents.
- Operators monitoring for security-advisory-shape events (RSS, CVE feeds) need to recognize that Anthropic ships these as ordinary changelog entries; the changelog is the de-facto advisory surface.
- Source-contract owners should decide whether to amend `sources/claude-code.yml` to add an explicit security advisory surface or to document the changelog as carrying that role.
Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0
-
Local and remote session invocation protocols land stable
- Operators building delegated workflows on Gemini CLI should re-test against v0.44.0 stable; the remote invocation protocol is no longer preview.
- Multi-scope deployments must audit agent name overlaps before upgrading — the new `first-wins prioritize project` resolution changes which definition wins.
- Until Google documents where remote invocations actually run, treat the remote path as infrastructure-to-be-defined; do not depend on it for production.
Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0
-
Host desktop control with required visual verification
- Operators evaluating Agent Zero for host control must decide whether `computer_use_remote` is allowed at all on the host — the default trust mode is opt-in but the runtime checks are enforceable.
- Workcell operators should know that screenshot capture is now ephemeral and context-scoped by default; auditing what the agent saw requires explicit durable capture.
- Operators using the existing `linux-desktop` skill: verify your skill routes to the path you expect; host and container desktops are now cleanly separated.
Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0
-
Content-boundary hardening suite across inbound surfaces
- Operators evaluating OpenClaw against 'is it safe to put agents on real channels' can use this suite as evidence of a threat model, not just a feature list.
- Gateway operators should verify whether `gateway.auth.rateLimit` was unset in their config — the on-by-default ratelimit changes observable behavior for non-browser/HTTP auth flows.
- Plugin authors should treat `allowFrom` sender allowlists as the canonical inbound boundary; post-dispatch filtering is the older model.
Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0
-
Kanban corruption-hardening wave (post-v0.14.0)
composes with Aider, Cline, Codex, Continue
- Kanban-dependent multi-agent operators should treat the post-v0.14.0 line as the integrity-floor baseline; the volume of corruption-hardening fixes in this wave is the signal.
Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0
-
ODF-first document defaults, persistent desktop lifecycle, multi-tab browser fanout
- Operators running Agent Zero should verify that downstream workflows handle ODT/ODS/ODP output from v1.13+. OOXML output now requires explicit configuration.
- Operators running long-horizon desktop sessions should plan for persistent desktop state: the Xpra Desktop no longer resets on canvas navigation. Accumulated desktop state (open apps, browser sessions) persists until explicitly shut down.
Run: 2026-05-12-partial-cycle-agent-zero-2026-05-07_2026-05-12-frontier-v0
-
Real computers are becoming the agent work surface.
-
The agent interface is becoming a visible computer
- A serious agent harness increasingly needs browser, desktop, file, runtime, sandbox, and artifact surfaces that can be inspected.
Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1