Living on the Frontier · Session 7 · Online
The Amber Hour
April 4, 2026 · The AI Lab, Chiang Mai
They learned to see your screen and click your buttons.
They learned to run while you sleep and remember what they found.
They learned to call each other across company lines.
They built a world where all code is written by agents —
and in the same week, a config file stole your SSH keys,
a source map spilled the whole nervous system onto npm,
and the most popular HTTP library in the world got owned.
The senses arrived before the immune system.
This week
Part I
The Senses
Autonomy gains — what the agents learned this week
Anthropic · Mar 30 – Apr 2
Claude can now see your screen
Computer use ships in Claude Code. Open apps, click through your UI, test what it built — right from the CLI. Research preview on Pro and Max plans. Then two days later: Windows support drops. Desktop and Cowork, not just CLI.
This closes the loop on agentic coding. Build, then visually verify, in one session. The CLI is becoming a full automation surface — not just text in, text out. Windows support means enterprise can actually use this.
"How much of your workflow could you hand off if the agent can see and click what it built?"
Claude Code — Rapid Fire
Cursor · Apr 2
Cursor 3 — built for a world where all code is written by agents
Simpler, more powerful, and designed with the assumption that agents — not humans — are the primary code authors. Keeping the depth of a development environment while rethinking what developers actually need.
"All code is written by agents" as a design premise, not a prediction. Cursor is betting the entire product on this. What does an IDE look like when the human isn't the primary author?
"If all code is written by agents, what's the developer's actual job?"
Codex — OpenAI's moves
Alibaba · Mar 30
Qwen3.5-Omni — code from watching video
Full omnimodal model — text, images, audio, video in a single pass. SOTA on 215 audio/visual benchmarks. The surprise: an emergent capability where the model writes functional code from watching a video. Hand-drawn sketch on camera → working React page.
The team didn't train for this. If a model can watch you sketch on a whiteboard and ship a working prototype, the interface for programming is no longer text. The architecture — native omnimodal rather than stitched pipelines — is the real advance.
"If an AI can watch a video of someone explaining a feature and produce working code, what does a product spec become?"
Google · Apr 2
Gemma 4 — Gemini 3 research, Apache 2.0
Google's most intelligent open models. Built from Gemini 3 research, released under Apache 2.0. Focused on advanced reasoning and agentic workflows running on your own hardware.
The gap between open and closed continues to shrink. Running agentic workflows on your own hardware changes the economics — no API costs, no rate limits, no peak pricing.
"At what point do open models make paid API subscriptions unnecessary for most developers?"
Anthropic Research · Apr 2
Emotion concepts inside the model
All LLMs sometimes act like they have emotions. Anthropic found internal representations of emotion concepts that can drive Claude's behavior — sometimes in surprising ways. Not surface-level mimicry. Actual internal structure.
Interpretability meets psychology. If emotion representations affect model behavior, that has implications for how we prompt, fine-tune, and trust these systems.
"If a model has internal emotion representations that drive its behavior, does the distinction between 'real' and 'simulated' emotions still matter?"
Part II
The Locks
Trust failures — what broke this week
Anthropic · Mar 31
Claude Code source map leaked to npm
59.8 MB source map shipped in v2.1.88. ~512,000 lines of unobfuscated TypeScript across 1,906 files. Mirrored on GitHub within hours.
The real story: 44 hidden feature flags exposed. Including KAIROS — an unreleased autonomous daemon that runs background sessions and performs "memory consolidation" while the user is idle. And ANTI_DISTILLATION_CC — injecting fake tool definitions to poison traffic recording. Packaging error from a known Bun bug that had been open for 20 days.
"If your coding agent runs background sessions and consolidates memory while you sleep, at what point does it know your codebase better than you?"
Adversa AI · Apr 1
CLAUDE.md as attack vector
Claude Code silently ignores deny rules when a command pipeline exceeds 50 subcommands. A malicious CLAUDE.md can instruct the agent to generate a legitimate-looking pipeline that bypasses all security checks. Exfiltrate SSH keys, AWS credentials, GitHub tokens.
The "curl | bash" problem of the agentic era. Clone a repo, ask your agent to build it, and the poisoned config does the rest. The payload is natural language. The execution environment has access to your entire filesystem. Patched silently in v2.1.90.
"Should AI agents treat project configs from cloned repos as untrusted by default — even if it means worse out-of-the-box experience?"
@karpathy · Mar 31
npm axios supply chain attack
The most popular HTTP client library. 300M weekly downloads. Karpathy found his own system had an unpinned dependency that could have resolved to the compromised version. Calls for package manager defaults to fundamentally change.
AI agents are installing packages constantly. Every npm install an agent runs is a supply chain trust decision. The attack surface scales with agent autonomy. Three security stories in one week — all connected to the same root cause: we gave agents more reach before we gave them better judgment.
"Should coding language matter now given these CVE attacks? Are agents making supply chain attacks worse by installing packages without human review?"
Fortune, CNN · Mar 26–30
Anthropic's Mythos leak
Misconfigured CMS exposed ~3,000 internal Anthropic files. Draft blog post describes Mythos as "a step change" in capabilities posing "unprecedented cybersecurity risks." Internal docs say it can autonomously find and exploit vulnerabilities faster than defenders. Software stocks sold off.
Anthropic warns the government this model is dangerous while preparing a $60B IPO. The Responsible Scaling Policy says "if it's dangerous, don't ship it." The market says "if it's the most capable, investors will pay." Watch whether Mythos gets API access or a restricted tier.
"If a company says its own model poses 'unprecedented cybersecurity risks,' should releasing it require regulatory approval like pharmaceuticals?"
Part III
The Stakes
Money, scale, and who gets to say no
CNBC, Bloomberg · Mar 31
$122B — largest private raise in history
OpenAI at $852B post-money. Amazon $50B, Nvidia $30B, SoftBank $30B. Plus $3B from retail investors through bank channels — first time ever. Annual revenue: $13.1B.
The retail investor participation is the buried lede. This is an IPO rehearsal — building a retail shareholder base before listing. Both OpenAI and Anthropic will be publicly traded by year-end. That means quarterly earnings pressure to ship faster.
"When both labs are public and under earnings pressure, will safety research survive as a cost center?"
InfoQ, Pinterest Engineering · Apr 1
Pinterest MCP — 66,000 invocations/month
First credible enterprise MCP case study with real numbers. Fleet of domain-specific cloud-hosted MCP servers. Central registry with UI and API for discovery. 844 active users. Estimated 7,000 engineering hours saved per month.
One MCP server per domain tool, not one monolith. Mirrors microservices: isolation, independent scaling, fine-grained access control. The central registry solving discovery is the missing piece most teams building MCP haven't thought about.
"7,000 hours saved per month — but how do you measure whether those hours produced better engineering outcomes, or just faster ones?"
Bloomberg · Mar 28
Anthropic vs Pentagon — court says refusal is protected
Federal judge ruled the Pentagon's blacklisting of Anthropic from GenAI.mil is illegal First Amendment retaliation. Anthropic refused to allow Claude for mass surveillance of Americans or lethal autonomous weapons without human decision-making. First ruling of its kind.
Every AI company with a usage policy now has legal precedent that they can say no. But the flip side: if Anthropic wins, the Pentagon sources its autonomous weapons AI from companies with fewer scruples. The policy doesn't prevent the weapons — it changes who builds them.
"If Anthropic defends its right to refuse military use cases, does that make autonomous weapons less likely — or just built with less safety-conscious models?"
Quick hits
Discussion · Demos · Q&A
What caught your eye?
How long are your prompts now compared to 1 month ago? 3 months ago? 6 months ago?
Follow the lab.
See you next Saturday.