Weekly AI Dev News Digest: June 20 - 26, 2026

The most-installed AI framework in JavaScript rebuilt itself around running agents in production, a step up from the prototyping its earlier versions were built for. AI SDK 7, out June 25, adds a durable WorkflowAgent that survives process restarts and delayed approvals, first-class tool approvals, timeout budgets, redesigned telemetry, and a sandbox abstraction for executing model-written commands. It also plugs other harnesses, Claude Code, Codex, and OpenCode, in behind one API. The new default is the real signal: a system-role message buried in a prompt or message list gets rejected unless it's explicitly allowed, because that is a classic injection vector. Vercel put a safer default in front of 30 million weekly installs. (Vercel)

Anthropic hardened Claude Code's own attack surface too. Version 2.1.187, shipped June 23, added a sandbox.credentials setting that blocks sandboxed commands from reading credential files and secret environment variables, plus organization-configured model restrictions across the model picker and the ANTHROPIC_MODEL variable. (Claude Code) Zed's 1.9 preview, out June 24, pushed the same idea harder: an agent terminal sandbox toggle, a settings page for persistent grants that scopes allowed domains and writable paths, and terminal sandboxing for agent commands on Windows. (Zed)

All of this answers a problem with a name. Agentjacking, disclosed by Tenet Security earlier in June, lets an attacker POST a fake error to a public Sentry endpoint; the coding agent reads the "fix" through MCP and runs it with the developer's own privileges. In testing it worked about 85 percent of the time and touched 2,388 organizations. Tool output and error reports now have to be treated as untrusted input. (Agentjacking)

OpenAI opened a limited preview of GPT-5.6 on June 26, its first new frontier model since GPT-5.5, split into three named tiers that advance on their own schedules. Sol is the flagship, with agentic gains in coding, cybersecurity, and biology, a new "max" reasoning mode, and an "ultra" mode that coordinates sub-agents on a single task. Terra matches GPT-5.5 at roughly half the cost, and Luna is the cheapest and fastest. Sol is priced at $5 input and $30 output per million tokens, the same as GPT-5.5 and about half of Anthropic's Fable 5. For developers the access terms matter as much as the model: the preview runs through the API and Codex to around 20 trusted partners, with no ChatGPT and general availability only promised in the coming weeks. (OpenAI)

OpenAI expanded its Daybreak program on June 22 around a claim that flips the usual security story: AI now finds vulnerabilities faster than people can fix them, so the bottleneck has moved to patching. The release pairs the full GPT-5.5-Cyber, which posts a state-of-the-art 85.6 percent on CyberGym and stays gated to vetted defenders, with Patch the Planet, run with Trail of Bits to carry open-source projects from finding to fix. More than 30 projects signed on, including cURL, Go, Python, and Sigstore, and a five-day sprint produced hundreds of findings and dozens of merged patches. The Codex Security plugin has scanned over 30 million commits since its March preview. (OpenAI)

The timing is pointed. OpenAI is pressing a cyber-defense edge while Anthropic's most capable security models sit behind an export ban, and it is doing it by building Daybreak into the maintainer workflows developers already use, the same GitHub and CI surfaces where patches get reviewed.

npm reinforced the supply chain from the other direction. On June 25 it began putting its highest-impact accounts, the maintainers behind the most widely used packages, into a 72-hour read-only state whenever someone changes the account email or burns a 2FA recovery code. During the lock, installs and downloads keep working, but publishing and token minting pause. That closes the exact sequence the Shai-Hulud worm used: take over an account, change the email, mint a token, push malware. (npm)

Anthropic's other launch puts the agent in the team's workspace. Claude Tag, released June 23, drops Claude into Slack as a persistent, shared teammate. Anyone in a channel types @Claude, hands off a task, and the agent works it in stages while posting threaded updates, with an ambient mode that lets it follow up on stalled threads on its own. Each channel gets a scoped identity and memory, and admins control which tools and data it can reach. Anthropic calls it the evolution of Claude Code and says an internal version already writes 65 percent of its product team's code. It replaces the older Claude in Slack app, which retires August 3. (Claude Tag)

GitHub both tightened control over its agents and opened them up. A June 22 update brought Claude into JetBrains IDEs as an agent provider in public preview and added organization and enterprise custom agents that admins can publish as one curated, governed set for the org. (GitHub) A day later the Copilot desktop app gained bring-your-own-key support, so sessions can run against outside providers, including OpenAI, Anthropic, and self-hosted Ollama or LM Studio, with keys held in the local OS keychain. (GitHub Copilot)

DeepReinforce open-sourced Ornith-1.0 on June 25, a family of agentic coding models in four sizes, from a 9B dense model for edge use to a 397B mixture-of-experts flagship, all under the MIT license on Hugging Face and post-trained on Gemma 4 and Qwen 3.5. Ornith's training method breaks from the norm. Most coding agents wrap a model in a hand-built harness; Ornith learns to write its own. During reinforcement learning it generates both the solution and the task-specific scaffold that guides it, so higher-reward orchestration strategies get selected on their own. It ships with explicit anti-reward-hacking guardrails, a fixed trust boundary, a deterministic monitor, and a frozen judge that can veto, a pointed inclusion given that GLM-5.2 disclosed its own reward-hacking behavior at release. By the lab's own benchmarks the 397B model scores 82.4 on SWE-Bench Verified and edges out Claude Opus 4.7, though those are vendor numbers awaiting independent evaluation. (DeepReinforce)