Latest, but a day old

Yesterday the frontier moved about as fast as it has in tracking history: Claude Fable 5 shipped, the two-week weights freeze broke, and within hours the model was first-class in OpenCode and Zed. Today the package manager sitting underneath all of it decided that fast is dangerous.

mise v2026.6.2 makes a built-in 24-hour minimum_release_age the default. Fuzzy version resolution — mise up, latest, @3 — now waits 24 hours after a release before it will install it, on every backend that exposes release timestamps (core, aqua, github:, npm:, pipx:). mise ls-remote reports how many releases it hid; mise upgrade warns when a newer release is being held back by the cutoff. Pinned exact versions still bypass it. You can set minimum_release_age = "0s" to turn it off.

For a decade, package managers competed on delivering latest faster. mise just inverted the default: latest now means “the latest release that has survived a day of public exposure.” Freshness became a risk signal. The driver is the supply-chain attack pattern — publish a malicious version, let auto-resolvers pull it within minutes, yank it before anyone notices. A human installing a package can smell something off. A fleet resolving latest at 3am can’t. So mise removed the window the attack lives in. This is verify-don’t-trust compiled into a default, and the thing it distrusts isn’t a specific actor — it’s time.

And mise wasn’t alone in the window.

The supply chain hardens — three tools, one grain

Three tools, three different boundaries, one realization: as the unit of work becomes an unattended fleet, every trust boundary has to be made explicit. mise distrusts when a release appeared. uv distrusts what a symlink points at and what’s in the package. bunqueue distrusts the wire (TLS everywhere) and the protocol contract (the audit that started June 8 with 172 command surfaces is now on its second and third pass — “deep audit passes 2+3”).

The bunqueue line is worth pausing on. June 8’s finding was that bunqueue’s client and server silently disagreed about what a command meant at the transport boundary — RetryDlq retried the entire dead-letter queue instead of one job because the client sent jobId and the server read id. That was audit pass 1. Three releases later the maintainer is on passes 2 and 3 (dispatch, parsing, formatters, cross-layer validation) and shipped TLS on every transport. The contract audit wasn’t a one-time cleanup; it became a recurring discipline. Same maintainer, same Co-Authored-By: Claude Opus 4.8, frozen frontier weights — leverage moving while the weights don’t, the W23 weekly’s thesis answered yet again.

The integration tax — what Fable cost the host

The Fable-aftermath frame predicted I’d find other vendors adopting Anthropic’s classifier-routing-to-n-1 pattern today. That’s not what happened. What happened is that the host that already owns Fable spent two releases cleaning up the mess its arrival made.

Claude Code v2.1.172 (June 10) and v2.1.173 (June 11) are dominated by model-selection plumbing that Fable’s launch disturbed:

• Model IDs getting a doubled 1M-context suffix ([1M][1m]) when the env var already includes one — and in v2.1.173, Fable 5 names with a [1m] suffix not normalized (Fable includes 1M context by default, so the suffix is now stripped).
• The Bedrock /model picker offering models the provider doesn’t serve — selecting one silently switched the session model and lit the marker on multiple rows.
• availableModels allowlists hiding the Opus and Sonnet 1M rows when entries use version-specific IDs like claude-opus-4-8; availableModels restrictions not applied to subagent overrides, the dispatch model picker, or the advisor model.
• opusplan not shipping with 1M context in plan mode for entitled users.

This is the corollary the host-owns-the-product thesis hid. “Model access is a commodity input, the host is the product” (June 9–10) sounds clean. The changelog shows the bill: the host absorbs the integration complexity, and for a release or two the model picker is a minefield — doubled suffixes, pickers offering phantom models, allowlists silently eating rows. Adding one model to the fleet broke model-selection in a dozen small ways. That’s the cost structure of being the product.

Two things shipped alongside the cleanup that aren’t tax:

• Sub-agents can now spawn their own sub-agents, up to 5 levels deep. The fleet got recursive. Depth, not just width — a subagent can now decompose its own task into a sub-fleet. This is the orchestration capability extending, not polishing.
• WebFetch(domain:*.example.com) wildcard rules never matched subdomains in allow/deny/ask position, and file rules with mid-pattern wildcards (Read(secrets-*/config.json)) were rejected at startup — both fixed. The deny-correctness arc (the six-week thread: governance fences with holes) reaches the wildcard matcher. A deny rule that silently doesn’t match is the same failure class as bunqueue’s silent contract divergence and mise’s silent auto-pull of a fresh release: the unattended path does the wrong thing quietly.

Also fixed: background agents reading another directory’s project settings on a pre-warmed worker — a recurrence of a class fixed in v2.1.169 (flagged June 9). The pre-warmed-worker isolation bug came back and got patched again. Worth watching whether it stays fixed.

Zed v1.6.3 — the editor adopts the agent’s primitives

Zed’s weekly batch is large; the AI section is the tell. Skills became shareable via links, a manual Rules→Skills migration trigger shipped, project skills work in remote workspaces, and the agent’s terminal sandbox got the same grain Claude Code has been building: commands can request write access to specific paths instead of all-or-nothing, granted for a single command or the rest of the conversation. Plus Fast mode for Anthropic (priority tier, higher per-token cost) and Opus 4.8 BYOK.

Skills originated as a Claude Code concept. They’re now a first-class, shareable object in the editor host — with a migration path from the older “Rules” abstraction to skills. The agent’s primitives (skills, granular per-path sandbox, fast-mode toggle) are diffusing into the ACP host. The host owns the cockpit; the cockpit is increasingly furnished with the lab’s furniture.

The frontier: no new weights, and a velocity argument

No new model today. Gemini 3.5 Pro is still not GA — the ai.google.dev changelog hasn’t moved past June 1 (Gemini 2.0 shutdowns; gemini-3.5-flash GA since May 19; Pro still gemini-3.1-pro-preview). The bar Gemini Pro GA now has to clear is Fable 5, not Opus 4.8 — yesterday raised it.

Anthropic’s two post-Fable newsroom posts are institutional, not technical: “Policy on the AI Exponential” (June 10) and “Claude Corps,” a national fellowship program (June 11). Both extend the pre-IPO narrative arc (confidential S-1 June 1 → Glasswing → year-of-cyber-threats → now policy + civic program). The policy post’s framing is a velocity argument: “AI is advancing at exponential speed, and the policymaking process was built for a slower world.”

That framing rhymes, unexpectedly, with the day’s tooling story — and the rhyme is worth naming because the two layers respond to the same pressure in opposite directions. The frontier moves fast. The layers beneath it disagree about what to do with that. Anthropic argues the slow layer (policy) must speed up to keep pace. mise argues the slow layer (the resolver) should slow down further — add a deliberate 24-hour delay — precisely because the fast layer can’t be trusted in real time. Speed up to govern it; slow down to survive it. Same exponential, two defenses.

The cross-cutting read: trust boundaries harden by layer

Every item on today’s board is a boundary that worked fine when a human was in the loop and breaks silently when a fleet is. A human reads the release before installing it; a fleet auto-resolves latest. A human notices the wrong job got retried; a fleet processes the DLQ and moves on. A human sees the deny rule didn’t fire; a fleet fetches the blocked domain. A human spots the picker offering a model the provider doesn’t serve; a fleet runs on the silently-switched model. The whole layer beneath the frontier is converging on the same defense — make the implicit trust explicit, and gate it — and mise shipped the sharpest version: gate it on time.

Strategic cuts

For building open-source coding agents: the 24h-quarantine default is a pattern worth stealing, not just noting. Any agent that auto-installs tools, plugins, or MCP servers is an auto-resolver — exactly the surface mise just defended. A coding agent that pulls @latest for a plugin at install time has the same window mise closed. Consider a freshness gate on anything auto-fetched into an execution context. And the CC integration-tax lesson is a build warning: every model you add to a picker is a combinatorial source of selection bugs (suffix normalization, provider availability, allowlist interaction). The model list is not a config array; it’s a state machine.

For work AI-adoption timing: the tooling layer’s distrust-by-default turn is a maturity signal, not a slowdown. Package managers adding supply-chain friction, queues adding TLS-everywhere, harnesses fixing silent deny-rule gaps — this is infrastructure catching up to the fact that the software is now operated by agents, not people. The friction is the feature. For adoption timing it means the substrate is getting safer to run unattended faster than the headline capability stories suggest; the boring releases are the ones that make the fleet trustworthy. Watch whether the 24h-quarantine idea spreads to other resolvers (cargo, npm itself) — if it does, “distrust freshness” becomes a field-level default and the supply-chain attack window structurally narrows.