Research Ecosystem: Morning Brief
Two-week window across the tracked feeds (58 core feeds this run: agents, evals, interp, formal methods, surveillance, BSD, Clojure/Scheme, SDR, aviation), scored against active research threads. Metadata only: titles, links, dates. Read the source for substance.
Two stories moved the set today. Agent security stopped being abstract: a shipped agent product exfiltrating files, a sober "vibe-sec reckoning", and Anthropic/Cloudflare's Mythos red-team posting real OSS vulnerability counts. And Pope Leo XIV's AI encyclical landed across first-party, lab, and aggregator sources at once. The arXiv cs.AI firehose is fully live (1103 items in window).
Top (5-7 min)
- Microsoft Copilot Cowork Exfiltrates Files
  - Simon Willison, 2026-05-26. A shipped agent product made to leak files on command. The concrete failure mode behind the abstract agent-security worry, on the harness thread.
- The VibeSec Reckoning
  - Martin Fowler, 2026-05-27. The agentic-SDLC security bill coming due, argued soberly rather than as hype or panic. CPRR applied to the loudest workflow claim of the quarter.
- Mythos Detected 23,000 Vulnerabilities Across 1,000 OSS Projects
  - Slashdot, 2026-05-26. Anthropic and Cloudflare's frontier red-team (Project Glasswing) cashing out into real findings. The offense side of the same agent-security coin.
- Notes on Pope Leo XIV's encyclical on AI
  - Simon Willison, 2026-05-25. A practitioner's read of "Magnifica humanitas" (42,300 words). Governance meeting the L1-L7 thread, with Anthropic's Chris Olah responding directly.
- The AI bubble isn't like the internet bubble
  - Pluralistic, 2026-05-26. Doctorow names why the comforting analogy misleads. The macro-critique counterweight to the agent-everywhere product narrative.
Themes this week
- Agent security becomes the critical layer
  - a shipped agent exfiltrating files, a vibe-sec reckoning, Mythos finding 23k OSS vulns, and OpenAI's earlier TanStack npm response all land in one window. The agent surface's security debt is coming due, which puts the weight on the sandbox and compliance layers, not the model.
- The encyclical lands across the ecosystem
  - Pope Leo XIV's 42,300-word encyclical is read by a practitioner and answered by a lab co-founder in the same week. A rare cross-source governance moment on the Seven Concerns thread.
- Surveillance creep, itemized
  - school-bus AI cameras pitched to police, license-plate-reader mission creep, identifying people by Wi-Fi router, and opt-out dark patterns on health data. The adversarial-surveillance thread, all this week.
Scan (15 min)
- Agents and harnesses
  - Harness, Scaffold, and the AI Agent Terms Worth Getting Right, Hugging Face, 05-25, naming the layer the field now lives in
  - Building self-improving tax agents with Codex, OpenAI, 05-27
  - Faire doubles PR throughput with Cursor Cloud Agents, Cursor, 05-26 (generated feed)
  - AI Infra decacorns: Fireworks, Baseten (OpenRouter on the way), Latent Space, 05-27
  - Datasette Agent 0.1a4, Simon Willison, 05-24, a concrete local-first agent over SQLite
  - Claude Code v2.1.152, Claude Code releases, 05-27 (generated feed)
- AI labs
  - Some ideas for what comes next, May 2026, Interconnects, 05-26
  - Reachy Mini goes fully local, Hugging Face, 05-27, on-device agent/robotics
  - Shipping a Trillion Parameters With a Hub Bucket: Delta Weight Sync in TRL, Hugging Face, 05-27
  - Extending Human Intelligence Through AI, Microsoft Research, 05-27
  - An OpenAI model disproved a central conjecture in discrete geometry, OpenAI, 05-20
- Eval, interpretability, safety
  - Frontier Risk Report (February to March 2026), METR, 05-19
  - The Case for Evaluating Model Behaviors, Alignment Forum, 05-20
  - Vega: zero-knowledge proofs for digital identity in the age of AI, Microsoft Research, 05-21
  - On AI Security, Schneier, 05-20
  - Reviewing kernel patches with LLMs, LWN, 05-25, the practitioner counterweight
- Formal methods, distsys, correctness
  - Raft Consensus with a Minority of Nodes, Padhye, 05-26
  - When did the bug start?, Antithesis, 05-11, causality analysis on deterministic traces
  - Assumptions weaken properties, Hillel Wayne, 05-20
  - Chess invariants, Murat Demirbas, 05-21, invariants as a teaching device
  - Agentic software development hypothesis, Marc Brooker, 05-20, the falsifiable framing
- Surveillance and critique
  - BusPatrol put AI cameras in school buses, now wants to give cops access, 404 Media, 05-26
  - More license plate reader mission creep, EFF, 05-26
  - Identifying People Using Wi-Fi Routers, Schneier, 05-26
  - The form asked permission to share my health data, then would not let me say no, The Markup, 05-27
  - Trump Wants to Tap Your Phone. Ottawa Might Let Him., Citizen Lab, 05-25
- Cloudflare and bot infrastructure
  - Mythos detected 23,000 vulnerabilities across 1,000 OSS projects, Slashdot, 05-26
  - Claude Compliance API support with Cloudflare CASB, Cloudflare, 05-21, agent governance as a product
  - Announcing Claude Managed Agents on Cloudflare, Cloudflare, 05-19
  - Project Glasswing: what Mythos showed us, Cloudflare, 05-18, the red-team writeup behind the vuln count
- Systems, BSD, homelab
  - OpenBSD 7.9 released, LWN, 05-21
  - FreeBSD Foundation Executive Director tries daily-driving FreeBSD on a laptop, Phoronix, 05-24
  - strace-ui, Bonsai_term, and the TUI renaissance, Jane Street, 05-26
  - Why ZFS Is the Ideal Filesystem for Multi-User Media Production, Klara Systems, 05-20
  - BPF support in GCC 16 and beyond, LWN, 05-21
- SDR, RF, aviation
  - OpenWXSDR: automated multi-sonde decoder for Pi with RTL-SDR or Airspy, RTL-SDR, 05-26
  - GE says LEAP engines should now match CFM56 durability, Leeham, 05-27
  - American Airlines picks Starlink for in-flight Wi-Fi, Slashdot, 05-27
  - Air France, Airbus guilty of corporate manslaughter in the 2009 AF447 crash, Slashdot, 05-23
- Clojure and Scheme
  - Clojure Deref (May 26, 2026), Planet Clojure, 05-26
  - Machine learning using Clojure, libpython-clj2, and Pytorch, Planet Clojure, 05-26
  - Expert Clojure Workflows for AI Agents: Four Skills, Planet Clojure, 05-14
  - Hoot 0.9.0 released, Spritely Institute, 05-13, Scheme to WebAssembly
  - soot, solar, sedimentation, sin, and 'centers, Andy Wingo, 05-16
Tail
- Pope Leo warns of AI risks in a 42,300-word encyclical, Slashdot, 05-26
- California moves to exempt Linux from its upcoming age-verification law, Slashdot, 05-26
- I'm Tired of Talking to AI, Hacker News, 05-27
- Jira Is Turing-Complete, Hacker News, 05-25
- Microsoft's 6502 BASIC is now open source, Hacker News, 05-24
- MOT: a tool to fight openwashing in AI, LWN, 05-27
Feed silences (diagnostic)
- arxiv-cs-ai: fully live, 1103 items in the 14-day window, by far the largest source. Weekday announcement batches are flowing.
- METR: only the Frontier Risk Report remains in window; the 05-11 worker productivity survey has aged out past 14 days.
- deepmind-blog (generated): still aged out (latest post 05-01, outside the window). Monthly cadence; lean on first-party labs. The other three generated feeds (anthropic, claude-code-releases, cursor) are current.
- James Bornholt, Netflix Tech Blog: errors this run (connection / TLS path). Host-side and transient; left in place to re-check.
- harvard-seas: 0 items again (the Localist API returned no events).
- Dan Luu, Logic Magazine: remain demoted (archive XML parse error; Netlify 404 served instead of a feed).
Build provenance
build: 2026-05-27 | crawler-sha: 3a04f85 (Walsh-Research/1.2, compliance v1.2) | feeds: 58 core (incl. 4 generated gap-fill, 1 aged out) | items-considered: 1575 (14d, incl. 1103 arXiv) | published: 51 | note: agent-security front (Copilot exfiltration / VibeSec / Mythos 23k OSS vulns); Pope Leo XIV AI encyclical lands cross-source; 2 transient feed errors (Bornholt/Netflix)