Living on the Frontier · Session 14 · In-person
The Supply Chain
May 23, 2026 · The Kannas Hotel, Chiang Mai
Three protocols hardened the same week:
MCP went stateless. A2A hit v1.0.
WebMCP entered Chrome 149 origin trial.
Then two cracks opened wide:
Cursor’s agent ran the wrong git hook.
GitHub got popped by a poisoned VS Code extension.
Anthropic shipped the answer the same week:
Self-hosted sandboxes. Your perimeter. Their model.
Then we zoom out and see why:
Anthropic bought the company that makes
the SDKs their rivals ship to customers.
Wind it down. Cut the pipe.
KPMG handed them 276,000 employees,
138 countries, every F500 audit relationship.
Models commoditize. Pipes decide who wins.
This week
Part I
The Protocol Shift
Three protocols, same week. MCP. A2A. WebMCP.
MCP · May 21–22
MCP 2026-07-28 RC — the protocol goes stateless
The largest revision of MCP since launch dropped as a release candidate. Headlines: (1) Stateless protocol — no handshake, no session id; any request can hit any server instance. (2) Tasks extension — tools/call returns a task handle; client drives via tasks/get/tasks/update/tasks/cancel. Demoted from core to extension after production stress. (3) MCP Apps for server-rendered UIs. (4) OAuth/OIDC alignment via six SEPs. (5) Proper deprecation policy — David Soria Parra (co-creator): "so we don't have to do this again." Final spec July 28. Linux Foundation governs since Dec 2025.
The protocol that won the race a year ago is being re-architected for the workloads it actually has. Stateless means MCP stops behaving like custom RPC and starts behaving like HTTP — load balancers, CDNs, edge workers become the deployment surface. The more interesting signal is Tasks getting demoted from core back to extension. Most standards bodies would have doubled down. MCP's authors said "no, it's not ready for the spec." That's healthy. The explicit deprecation policy is the maturity tax — MCP is becoming infrastructure.
"MCP just demoted Tasks from core after production stress. Is this the protocol maturing — or a sign that 'agentic long-running work' is harder to standardize than anyone admits?"
Google I/O · May 19
WebMCP enters Chrome 149 origin trial — the browser becomes an MCP server
The WebMCP API enters origin trial in Chrome 149 (ships June 2026). The proposal lets websites declare an agent-callable surface as a first-class web API — JS functions, HTML forms, structured tools — for browser-based agents to invoke directly. No more DOM scraping. No more visual coordinate clicking. The agent sees what the site declares it should see.
The browser is becoming an MCP server. This is the direct shot at the screen-scraping browser-agent generation (Comet, browser-use, Project Mariner). If WebMCP lands, every site that adopts it stops being a scrape target and starts being an MCP endpoint. The implications cascade: ad-blockers extend to agent-callability blockers, accessibility becomes machine-discoverable, SEO-for-agents becomes a category. The pacing matches MCP 2026-07-28 RC: the protocol stabilizes, the browser ships native support.
"If WebMCP wins, every website becomes an MCP server. Does that kill the screen-scraping browser-agent category — or does the long tail keep it alive?"
Google Cloud Next · May 18–19
A2A v1.0 in production — agent-to-agent hits 150 orgs
Google rebranded Vertex AI to the Gemini Enterprise Agent Platform. The stack: 200+ models in the Model Garden (including Claude), Workspace Studio (no-code agent builder), ADK v1.0 stable across four languages, Project Mariner, managed MCP servers, A2A v1.0 in production at 150 orgs. Native A2A in ADK, LangGraph, CrewAI, LlamaIndex, Semantic Kernel, AutoGen. Same week: Gemini Omni (anything-from-anything multimodal model) and Gemini 3.5 Flash (claims to rival flagship on agents + coding at Flash speed).
A2A = agent-to-agent. MCP = agent-to-tool. WebMCP = browser-to-agent. Three protocols, same week. The pitch — "Agentforce hands off to a Vertex agent, which queries a ServiceNow agent" — is the 20-year Salesforce/Workday/ServiceNow integration nightmare, now framed as agent collaboration. Gemini Omni is Google's bet that generative fusion is the AGI path. Gemini 3.5 Flash at flagship-tier capability collapses the latency floor for tight-loop production workflows.
"A2A + MCP + WebMCP — complementary protocols, or are we headed into a 'WS-* alphabet soup' for the agent era?"
Part II
The Crack
Two breaches, same week. The IDE is the new attack surface.
Cursor · CVE-2026-26268
Cursor's 9.9/10 RCE — agent meets malicious git hook
CVE-2026-26268 — severity 9.9/10, Cursor versions before 2.5. Attack: a public repo embeds a bare git repo containing a malicious pre-commit hook. When Cursor's AI agent — exercising its junior-engineer-level git permissions — runs git checkout inside the embedded repo context, the hook fires automatically. No prompt. No warning. Arbitrary code execution on the developer's machine. Fix shipped in 2.5 (Feb); disclosed Apr 28. Cursor: $2B ARR, raising at $50B valuation.
Not a Cursor bug. Not a git bug. The vulnerability is in the delegation surface between them. The agent has more authority than a human would in the same context — no review of intent, no friction on auto-execute. Every coding agent (Codex, Claude Code, Cursor, Windsurf) shares this exposure.
GitHub · May 20
GitHub itself got popped — poisoned VS Code extension
GitHub publicly disclosed that an employee device was compromised via a poisoned VS Code extension, resulting in unauthorized access to internal GitHub repositories. GitHub removed the malicious version, isolated the endpoint, and ran incident response. Disclosed the same week as the Cursor RCE coverage.
Two attacks, same root cause. The developer's IDE is now the most-exposed attack surface on the workstation. Cursor's was the agent's authority — it had more permissions than judgment. GitHub's was the extension's authority — trusted because it shipped through the marketplace. The mitigation everyone now needs: sandboxing the agent's git ops against untrusted repos, and sandboxing the IDE's extensions against untrusted authority. Expect a wave of "agent sandbox" + "extension sandbox" announcements this quarter.
"GitHub got popped via a VS Code extension. Cursor got popped via the agent's own git permissions. If the IDE is the new attack surface — what's your team's policy, and is it actually enforced?"
Part III
The Answer
Anthropic shipped it the same week.
Code with Claude London · May 19
Self-hosted sandboxes + MCP tunnels — your perimeter, their model
At Code with Claude London, Anthropic launched self-hosted sandboxes (public beta) and MCP tunnels (research preview) for Claude Managed Agents. Architecture: the model runs on Anthropic infrastructure; the agent's execution environment — filesystem, network, exec — runs inside the customer's own perimeter, governed by the customer's IAM, audit, and security controls. MCP tunnels let the sandboxed agent reach Anthropic's models without exposing internal services to the public internet.
This is the architectural answer to everything the Cursor RCE and GitHub VS Code breach made visible. Anthropic is decoupling where the model runs from where the agent's tools run. For regulated industries (defense, healthcare, finance), the blocker was always "we can't let an agent run with our data on a third party's box." Self-hosted sandboxes resolve that: your perimeter, your controls, their model. Pair with KPMG (276K) and OpenAI/Dell on-prem and the picture is: every major lab is shipping the on-prem/sandboxed runtime in May 2026. The race is over — sandboxes are table stakes.
"Self-hosted sandboxes flip the trust model — your perimeter, their model. Does this finally crack the regulated-industry adoption wall — or does the enterprise still want both pieces inside their fence?"
OpenAI · May 19–22
Codex Thursday — Mac apps from your phone, even locked
OpenAI shipped two Codex primitives May 22: (1) Codex can use Mac apps from your phone, even when the Mac is locked and screen is off. (2) Appshots — screen context flows straight into the Codex app, giving the agent peripheral vision into whatever you're working in. Three days earlier (May 19): OpenAI + Dell partnership brings Codex to hybrid and on-premises enterprise environments — addressing the air-gapped / regulated segment.
OpenAI hit Codex distribution from four angles in eight days: mobile (May 15), Windows (May 14), Dell (May 19), locked-Mac-from-phone (May 22). The locked-Mac primitive is the underrated one — it's the first time the agent's authority is fully decoupled from the operator's physical presence at the keyboard. Pair with the OpenAI Deployment Company's 150 FDEs and the picture is clear: OpenAI is buying the integration layer, sandboxing the runtime, and reaching the customers Anthropic can't via Microsoft 365.
"Codex executing on your locked Mac while you're elsewhere. 2026 productivity unlock — or the first real enforcement case for 'AI Agent ID' on personal devices?"
Part IV
The Supply Chain
Stop competing on models. Start owning the pipes.
Anthropic · May 18
Anthropic acquires Stainless — the SDK pipe rivals depend on
Anthropic acquired Stainless — the dev-tools startup founded by ex-Stripe engineer Alex Rattray. Stainless turns OpenAPI specs into SDKs, CLIs, and MCP servers across TypeScript, Python, Go, Java — used by OpenAI, Google, and Cloudflare. The Information reported $300M+. Anthropic will wind down all hosted Stainless products. Fourth acquisition in six months: Bun (Dec), Vercept (Feb), Coefficient Bio (Apr), now Stainless.
Anthropic just bought the company that makes the SDKs OpenAI ships to its own customers, and announced they're shutting it down. Not a model play — a supply-chain play. Same logic as Apple buying P.A. Semi in 2008. The four-in-six acquisition cadence is the real signal: this is no longer a model lab. It's a vertically integrated agent company assembling its supply chain — runtime (Bun), computer use (Vercept), biotech (Coefficient), SDK pipeline (Stainless).
"Anthropic just removed an OpenAI/Google dependency by buying it. Who's the next infrastructure target?"
Anthropic + KPMG · May 19
KPMG goes all-in — 276,000 employees on Claude
KPMG embedded Claude inside Digital Gateway, its Azure-based platform combining tax insights, proprietary tools, and client data. Every one of KPMG's 276,000+ employees globally — across 138 countries — gains access. Anthropic also names KPMG a preferred partner for private equity; the two will build Claude-powered products for PE portfolio companies. KPMG framing: agents that used to take weeks of multi-tool integration now ship in minutes via Cowork + Managed Agents.
The biggest Anthropic enterprise rollout to date by headcount — while OpenAI is still building its $4B FDE consulting arm. KPMG is not just a customer; it's distribution into every F500 client KPMG advises. The PE partnership is the unsaid part: every PE-owned portfolio company touching KPMG now has a path to Claude. Anthropic's playbook: Microsoft 365 distribution into the desk + KPMG distribution into the audit room. Two embedded channels. Zero customer-acquisition cost.
"Single-vendor rollouts at this scale — do they actually stick, or does every F500 multi-model within 18 months because no audit firm bets the practice on one lab?"
Also in the supply chain
Quick hits
Discussion · Demos · Q&A
What caught your eye?
Models commoditize. Pipes decide who wins. Which pipe should you actually be paying attention to right now?
Follow the lab.
See you next Saturday.