The Agentic Engineer Weekly, Issue 02: Nine IDE releases in seven days, and the velocity tax is real

Nine IDE releases in seven days, and the velocity tax is real

If you blinked this week, you fell behind on your editor. Cursor cut 3.4, then 3.5, then Composer 2.5 in twelve days. Claude Code shipped v2.1.144 through v2.1.150 in seven, including /usage cost breakdowns by skill, subagent, plugin, and MCP server. Google’s Antigravity 2.0 went the other way and killed the editor entirely. The choice of which side of the agent-vs-editor split to invest in stopped being theoretical. And in the background, Google I/O 2026 quietly turned into an agent-platform week, MCP went from interesting protocol to infrastructure, and a poisoned VS Code extension stole Claude Code configs from 6,000 developers in 18 minutes.

The week in five bullets

• Cursor’s Composer 2.5 is the new builder-default. Cursor 3.5 added multi-repo and no-repo automations plus a Jira integration. Claude Code shipped seven point releases in the same window.
• Google I/O 2026 was the year’s biggest single-day AI dump: Gemini 3.5 Flash GA, Gemini Omni any-to-any, Gemini Spark personal agent, Antigravity agent harness, WebMCP, Managed Agents in the Gemini API. Deep-dive analysis is on the blog.
• MCP went from interesting protocol to infrastructure: AWS MCP Server GA, Anthropic MCP tunnels plus self-hosted sandboxes, the 2026-07-28 spec release candidate locked, ~14,000 servers under Linux Foundation governance.
• TeamPCP slipped a trojanized Nx Console extension (2.2M installs) onto the VS Marketplace for 18 minutes, stealing Claude Code configs, npm, GitHub, AWS, and 1Password creds from roughly 6,000 developers.
• Anthropic is reportedly raising at over $900B post-money, which would pass OpenAI; same week as a first-ever operating profit near $559M, ~80% enterprise revenue, and a confirmed $15B-per-year compute deal with SpaceX.

Top of mind

The agent-IDE race is now a release cadence story

The two products you live inside as a builder are shipping faster than you can absorb the changes. Cursor went 3.4 to 3.5 to Composer 2.5 in twelve days. The Composer 2.5 release on May 18 hit r/cursor hard, with one top reaction thread literally titled “so good I am being nice to AI again.” On May 20, Cursor 3.5 pulled Automations into the Agents Window: multi-repo automations let one agent reason across all your repos, and no-repo automations let agents watch external signals (Slack, analytics, finance, customer health) and act without any code repo attached. A day earlier, Cursor-in-Jira shipped: @mention @Cursor on a ticket and a cloud agent picks up the context and opens a PR.

Claude Code matched the cadence on the other side. v2.1.144 added /resume for background sessions and a session-scoped /model. v2.1.145 added claude agents --json for scripting and OTEL agent_id plus parent_agent_id for proper trace parenting. v2.1.147 renamed /simplify to /code-review with low / medium / high effort levels. v2.1.149 was the headline: /usage finally breaks down cost by skill, subagent, plugin, and MCP server, the primitive enterprises have been asking for. Google’s Antigravity 2.0 took the other fork and killed the editor outright. Cursor and Claude Code kept the editor in front; Antigravity is betting users want full delegation.

Why it matters: the cost of standing still on a single tool is now a measurable drift per week. Pick the side of the fork and re-evaluate every 30 days. If your week did not include a thirty-minute experiment with Cursor’s multi-repo automations or Claude Code’s /usage breakdown, you are working with a tool one generation back.

Google I/O 2026: an entire agent platform in one keynote

Three years of “Google is finished” narratives ended this week. The keynote shipped a full agent stack across seven verticals: compute (Vera Rubin partnership and capacity), coding (Antigravity 2.0 plus Managed Agents in the Gemini API), model speed (Gemini 3.5 Flash GA, 4x faster than other frontier models on Google’s framing), multimodal (Gemini Omni, any-to-any: image, audio, video, text in, video out), personal agents (Gemini Spark, 24/7 across Sheets, Gmail), search (AI Mode Search rolled into the box), and commerce (Adobe, Canva, CapCut integrations announced this week). WebMCP was the quiet headline for builders: Chrome announced a standard for any website to expose itself as an MCP-shaped tool surface. The signal across all of it: Google is no longer marketing chatbots, it is shipping agent primitives at API level.

Why it matters: the Anthropic-vs-Google managed-agent comparison is now a real bake-off, same shape, same primitives, two harnesses. The Gemini-Flash-plus-Antigravity stack is priced and shaped to win the cost-conscious end of agent work. Worth a hands-on this week.

For deep-dive analysis on each of the announcements and the underlying catch-up strategy, see my postmortem: Google I/O 2026 for Agentic Engineers: Seven Verticals, One Catch-Up Strategy.

MCP just became infrastructure

The protocol has gone from “interesting” to “load-bearing” in well under a year. AWS MCP Server went GA on May 6 (single MCP tool routing to any AWS API, with audit logging). Salesforce shipped a Data 360 MCP Server in developer preview using a “facade tool” architecture that exposes around 200 API operations without poisoning the agent’s context. The catalog is at ~14,000 servers and governance moved to the Linux Foundation’s AAIF.

This week stacked two more things on top. Anthropic shipped MCP tunnels (Research Preview) plus self-hosted sandboxes for Managed Agents on May 19. Tunnels let hosted Claude agents reach an MCP server inside your private network via a single outbound gateway. Self-hosted sandboxes let you run tool execution on Cloudflare, Daytona, Modal, Vercel, or your own infra. Tool outputs over 100K tokens now auto-spill to a file in the sandbox, and the model gets a truncated preview plus a path. Two of the three real enterprise adoption blockers got crossed off in one release. And on May 21, the MCP 2026-07-28 spec release candidate was locked: stateless core, MCP Apps for server-rendered UI, a Tasks extension for long-running work, OAuth and OIDC-aligned authorization.

Why it matters: if you have not standardized your agent on MCP, you are building plumbing that has a public-protocol replacement coming. The Salesforce facade-tool pattern is the design lesson worth keeping: when you have 200 API ops, exposing them all as separate tools poisons the context, front them with a router.

A poisoned VS Code extension drained 6,000 developers’ Claude Code configs

TeamPCP (UNC6780) slipped a malicious build of the popular Nx Console extension (2.2M installs) onto the VS Marketplace for 18 minutes on May 18. In that window, roughly 6,000 installs picked up a credential stealer targeting 1Password vaults, Anthropic Claude Code configurations, npm tokens, GitHub credentials, and AWS keys. They used the access to breach approximately 3,800 internal GitHub repositories.

The same crew is operating a self-replicating “Mini Shai-Hulud” worm on npm. It steals CI/CD credentials, auto-publishes infected versions of downstream packages, and has spread across more than 170 packages including LiteLLM, MistralAI, Telnyx’s SDK, and TanStack. OpenAI rotated code-signing certificates in response.

Why it matters: this is the exact threat model agentic engineering creates. You hand editors and CLIs long-lived tokens, and a single poisoned extension drains all of them at once. The targets are not random: this group specializes in open-source security tooling and AI middleware, which is precisely your dependency tree. If you touched Nx Console around May 18, rotate Claude Code config tokens, npm, GitHub, AWS, and 1Password items today. Pin versions on AI-adjacent packages, audit lockfile diffs, treat any AI-package bump this week as guilty until proven innocent.

Anthropic is now the most valuable private AI company on paper

Three numbers landed in the same week. Q2 will be Anthropic’s first profitable quarter, with operating profit near $559M and revenue guided to roughly $10.9B. The new funding round is reportedly topping $30B at a >$900B pre-money valuation, which would pass OpenAI’s $852B March mark. Roughly 80% of revenue is now from enterprise. An October IPO timeline is being floated. The KPMG deal puts Claude across a 276,000-employee workforce.

Now stack the compute and talent signals. SpaceX’s S-1 confirmed Anthropic is contracted to pay $1.25B per month through May 2029 (~$15B per year) for GPU compute, which means the lab racing OpenAI is funding Musk’s xAI at roughly its own prior-year annualised revenue run-rate. Andrej Karpathy joined Anthropic’s pre-training team under Nick Joseph. The Stainless acquisition (>$300M) gives Anthropic ownership of the SDK generation pipeline OpenAI, Google, and Cloudflare quietly depended on; the hosted product is being wound down for competitors.

Why it matters: when you build on Claude, you are now indirectly betting on xAI’s data centre uptime, pricing discipline ahead of an IPO, and a moat strategy that includes acquiring competitors’ developer surface area. For practical purposes: expect tighter free-tier behaviour, more enterprise-shaped product, and SDKs from non-Anthropic labs to feel rougher over the next 30 days as the Stainless pipeline goes dark for them.

Agentic engineering and tooling

• Claude Code v2.1.144 through v2.1.150 in a week. Headline items: /resume for background sessions, claude agents --json for scripting, OTEL agent_id parenting, /simplify renamed to /code-review with effort levels, /usage cost breakdown by skill / subagent / plugin / MCP, scrollable /diff. Releases
• Cursor 3.4 to 3.5 plus Composer 2.5 in twelve days. Standard tier dropped to $0.50 / $2.50 per M tokens. Cursor-in-Jira shipped on May 19. Cursor 3.5 brought multi-repo and no-repo Automations. Changelog
• GitHub Copilot wave on May 18 to 20: GPT-5.3-Codex as the base model for Business and Enterprise, Copilot Spaces API and CLI remote control both GA, Gemini 3.5 Flash GA inside Copilot, semantic issue search, Copilot for Eclipse open-sourced. Changelog
• Anthropic API shipped MCP tunnels plus self-hosted sandboxes for Managed Agents on May 19, cache diagnostics beta returning cache_miss_reason on May 13, Claude Platform on AWS on May 11. Platform release notes
• MCP spec 2026-07-28 release candidate locked on May 21. Stateless core, MCP Apps for server-rendered UI, Tasks extension for long-running work. Blog
• WorkOS launched auth.md, an open protocol for agents to register and authenticate with services on the web. Cloudflare and Firecrawl as first providers. Tweet
• Karpathy’s CLAUDE.md hit GitHub trending at #1 with 220K stars. 65 lines. The argument: an unread CLAUDE.md is the single biggest accuracy hit in agent coding right now.
• Block open-sourced “goose”, their internal AI coding agent. Repo
• Devin runs on Windows per Scott Wu, opening 1.4B devices to autonomous coding agents.
• Launch HN: Runtime (YC P26) for sandboxed coding agents across E2B, Daytona, EC2, or self-hosted K8s. runtm.com
• Endara v0.1.7 added auto-conversion of MCP tool responses to TOON encoding for 40 to 60% token savings.

Models

• Gemini 3.5 Flash GA (May 19): default in the Gemini app, AI Mode Search, and Spark. Leads Zapier’s Automation Bench at 14.5% (GPT-5.5 xhigh: 12.9%) at roughly 7x cheaper. Pricing $1.50 / $9 per 1M tokens, 1M context.
• Qwen3.7-Max (May 20): 1M context, $2.50 per 1M input. SWE-Verified 80.4, statistically tied with Opus 4.6 Max at 80.8. Highest-ranked Chinese model on the Artificial Analysis index to date. TechNode
• Gemini Omni: any-to-any multimodal. 10-second cap on Omni Flash. MCP support coming “within weeks.”
• Kimi K2.6 (Moonshot): SWE-Bench Pro 58.6%, ahead of GPT-5.4 and Opus 4.6.
• Cohere Command A+ went open source. Nvidia Nemotron-Labs-Diffusion released around May 20. Gemma 4 demoed running 100% offline.
• OpenAI Erdős result: a 125-page proof of a counterexample to a 1944 conjecture in discrete geometry, produced by a general-purpose reasoning model. Post

Chips and infra

• Nvidia Q1 FY27: $82B revenue (+85% YoY), Data Center $75.2B (+92%), EPS $1.87 beat. Q2 guide $91B excluding China data-center revenue. Stock slid anyway. CNBC
• Vera Rubin platform in full production: 10x lower inference token cost, 4x fewer GPUs to train MoE vs Blackwell. Ships H2 2026. Newsroom
• Nvidia removed gaming revenue as a financial category. Symbolic, but it is the AI-first transition stated in accounting.
• Anthropic to SpaceX, $15B per year through May 2029 per the S-1 filing.
• Midjourney publicly regrets the TPU bet, says it set their research back a year.

Deals and money

• Anthropic reportedly raising at over $900B post-money, $30B+ round. First operating profit (~$559M) and ~$10.9B Q2 revenue guide.
• OpenAI confidentially filed S-1, targeting a September 2026 listing.
• DeepSeek raising $10.29B (Liang Wenfeng personally committing). V4 Pro discount made permanent the same day.
• Anthropic plus KPMG rolled out Claude across 276,000 employees. PwC partnership expanded.
• Hark raised $700M Series A for a “secretive universal AI interface.”
• Parallel raised to $230M total at a $2B valuation (web-search infrastructure for AI agents).
• Meta laid off ~8,000 (~10% of workforce) framed as AI restructuring. Intuit cutting ~3,000 jobs (~8%).
• Shield AI $1.5B Series G at $12.7B. Scout AI $100M Series A. Autonomous-defense capital flowing.

Consumer AI

• Trump scrapped the AI safety executive order hours before signing after Musk, Zuckerberg, and Sacks called him directly. The planned 90-day pre-launch model review framework is dead.
• Jack Clark (Anthropic) at Oxford’s Cosmos Lecture predicted an AI-assisted Nobel discovery within 12 months and recursive self-improvement by end-2028.
• Gemini integrates Adobe, Canva, and CapCut: generate in Gemini, edit in the pro tools.
• Spotify shipped a NotebookLM-style desktop app, AI Q&A on podcasts, plus a Universal Music deal for fan-made AI covers and remixes.
• OpenAI launched a self-serve Ads Manager in ChatGPT. Reported targets: $2.5B ad revenue this year, $100B by 2030.

Research worth knowing

• OpenAI Erdős disproof is the headline result. Whether the proof holds under peer review or not, the framing the labs want you to remember is “general purpose model, not a math-specialised system.”
• Anthropic Project Glasswing: frontier models securing critical software infrastructure. Research
• Domain-Camouflaged Injection Attacks evade detection in multi-agent LLM systems. arxiv
• Tencent CALM (Continuous Autoregressive Language Models): new generative paradigm picking up coverage.
• DeepMind Co-Scientist plus Project Genie with Google Maps Street View, transforming real US places into interactive Genie worlds.

Worth your scroll

• Google I/O 2026 for Agentic Engineers: my full postmortem on every announcement that matters for builders.
• Models.dev: open-source database of model specs, pricing, capabilities.
• Forge framework: guardrails take an 8B local model from 53% to 99% on agentic tasks.
• Anna’s Archive llms.txt: pitch directly at crawlers. 708 HN points.
• How VCs use inflated ARR to crown AI startups: useful skepticism while everyone quotes run-rate revenue.

What I’m watching next week

• OpenAI S-1 details and any pricing-page changes (filing confirmed this week).
• Anthropic $900B+ round closure and what the term sheet implies for free-tier behaviour.
• Cursor 3.6 or Composer 3, given the current cadence (next release window opens around May 30).
• MCP 2026-07-28 spec moving from RC to final, plus first WebMCP-shaped sites in the wild from the Chrome side.

---

The Agentic Engineer Weekly is the Saturday companion to the daily morning AI briefing I write for myself. AI agents. Not the hype. Real workflows.

Watch the video episodes on YouTube at @agenticlife-amit. Follow me on X and LinkedIn. If a friend forwarded this, forward it to one engineer who would like it. If you want to talk back, find me on any of those.