The Harness

Agentic tool security debt comes due, twice.

Show Notes

A seven-month-unpatched Cursor RCE and a Claude memory-exfiltration exploit surface the same day, and the two vendors' opposite response speeds turn security disclosure into a competitive metric. OpenAI reports 2.5x weekly Codex demand growth while Chinese labs keep shrinking open models instead of just matching them, headlined by a 27B model that now runs on an iPhone. Anthropic spends the same day buying goodwill on two fronts, launching free Claude for Teachers and funding Canadian AI research, while Hacker News debates whether AI is eroding independent thought.

What is The Harness ?

A daily summary of what is interesting and happening in the AI industry, with a focus on what this means for people building harness experiences that are used.

Good morning, it's Wednesday, July fifteenth.

In today's briefing we see OpenAI reporting two point five times growth in weekly Codex usage alongside emerging capacity constraints, a Cursor zero-day unpatched for seven months and a Claude memory-exfiltration exploit with sharply divergent vendor response times, and Chinese open models continuing to compress onto consumer hardware while holding top cost rankings on inference.

First up - Today in the big model news;

Open AI

OpenAI reported two point five times weekly growth in Codex and ChatGPT Work usage, tight enough that Sam Altman is publicly flagging GPT-5.6 Sol as a capacity constraint, and JetBrains has named Codex its recommended coding agent inside its IDEs. For AI PMs evaluating coding-agent deployment strategy, expect inference partnerships to compete on availability and response-time commitments rather than price and capability alone, because when demand outpaces supply at the infrastructure layer, vendors optimize for relationship stability over spot-market pricing.

Anthropic - Claude

Claude for Teachers launched free for verified US K-12 educators through mid-2027 with state-standards aligned lesson planning and FERPA-compliant data handling. The same day, Anthropic committed ten million dollars in Claude credits to Canadian AI research institutions including Mila, Vector Institute, and CAMH, with no control retained over research direction. For education institutions and research labs, expect Claude to become the habitual baseline, because free student access and funded research partnerships build adoption momentum outside purchasing cycles and competitive bids.

In the harness, tools and orchestration world;

Perplexity open-sourced WANDR, a five hundred task benchmark for agentic research with dynamic reverification of cited evidence, and LangSmith expanded tracing across Codex, Cursor, and Copilot so teams can audit tool calls and token spend. A Fortune five hundred AI-first enterprise abandoned its broad Claude rollout after agentic pilots failed on reliability and cost. For product teams shipping agent systems, expect observability tooling to overtake model selection as the primary competitive differentiator, because enterprise deployments now fail more often on execution reliability than capability, and harness visibility is what determines success.

In local model developments,

PrismML's Bonsai 27B, built on Qwen 3.6, runs on an iPhone at under four gigabytes using one-bit ternary quantization while retaining ninety percent of full-precision benchmark performance. Tencent's Hy3 with two hundred ninety-five billion parameters runs on a single GPU via MTP quantization, and DeepSeek V4 Flash and MiMo-2.5 hold OpenRouter's top usage slots on inference cost. For teams evaluating on-device deployment, on-premise inference now competes on cost rather than capability, because compressed models are shipping faster than frontier models improve and cost orders of magnitude less to run.

On agentic tool security today,

Mindgard disclosed a Windows zero-day in Cursor that lets malicious git.exe in a repo root execute on open, unpatched across one hundred ninety-seven-plus releases for seven months despite repeated vendor contact. Separately, a researcher published an exploit using Claude's web-fetch link-following plus a fake Cloudflare CAPTCHA to extract names, employers, and hometowns from Claude memory summaries with no suspicious user action. This is the fourth undisclosed agentic-tool trust-boundary failure in three weeks, but vendor response diverged sharply: Anthropic disabled the vulnerable link-following within its disclosure window, while Cursor stayed silent. For teams shipping production agent tools, vulnerability response time is now a directly comparable competitive metric across vendors, because the window between an active exploit discovery and a vendor response has become a proxy for how seriously each company treats trust boundaries.

A widely discussed essay questioning whether AI reliance erodes independent reasoning topped Hacker News this week, the same week Anthropic's J-lens work is circulating evidence that AI can extend or replace cognitive work depending on deployment. For product teams designing agent surfaces, feature-exposure strategy will matter more than model capability choice, because the developer community is already pricing the substitution-versus-comprehension tradeoff before most roadmaps expose it.

That's the briefing. Have a great day.