Thorin

Enter password to continue

Thorin

Appearance

Industry Awareness — Quick Reference

Brief coverage of tools, companies, and patterns worth being conversant about. Not deep expertise — just enough to sound informed if these come up.

Recent developments (Feb–Apr 2026)

The fast-moving stuff worth name-recognizing for an interview today.

Frontier model releases.

  • Claude Opus 4.6 (Feb 5) and Sonnet 4.6 (Feb 17) — 1M-token context, adaptive thinking (model decides how much to think per turn), and "Agent Teams" — first-class multi-agent orchestration where a lead agent decomposes a task into parallel sub-tasks across teammate agents. This is the model I'm using; if Asanka asks "what are you on day-to-day," that's the answer.
  • Claude Mythos / Project Glasswing (controlled early access Apr 7) — Anthropic's next frontier model, framed as a "step change," with a notable cybersecurity-capabilities angle (CNN ran a piece calling it a watershed-and-also-concern). Worth knowing the name; don't claim to know the details.
  • GPT-5.4 + GPT-5.4 mini/nano (Mar 5) — set new records on OSWorld-Verified and WebArena Verified (computer-use benchmarks). Mini/nano positioned for sub-agents and tool-use loops where token cost dominates.
  • Gemini 3.1 Pro / Flash-Lite (Feb–Mar) — Flash-Lite specifically pitched as a sub-agent / high-volume model at $0.25/MTok input.

MCP turned governance-shaped.

  • The Agentic AI Foundation formed under the Linux Foundation (Dec 2025), anchored by MCP, OpenAI's AGENTS.md, and Block's goose. MCP crossed 97M installs by March 2026. Den Delimarsky (Anthropic) stepped up as Lead Maintainer.
  • The 2026 MCP roadmap (published early 2026) is organized around Working Groups rather than dates. Active priorities: enterprise readiness (audit trails, SSO, gateways), governance maturation, and three live SEPs to know by name — DPoP (token-binding auth extension), multi-turn SSE (streaming transport upgrade), and Server Cards (server discovery / metadata standard, akin to model cards).

Security incidents that became reference points.

  • Anthropic's own Git MCP server had three indirect-prompt-injection CVEs disclosed in January 2026 (CVE-2025-68143/68144/68145). A poisoned README or issue body was enough to trigger code execution / data exfiltration via the agent. Anthropic shipping the canonical example of the trifecta failure is the reference point everyone now cites.
  • Microsoft's @azure-devops/mcp npm package (Apr 3 2026) shipped with no auth on a server exposing repo + pipeline access. API keys leakable without credentials.
  • 8,000+ MCP servers found exposed on the public internet (Feb 2026 scan) — admin panels and debug endpoints with no auth, including the "Clawdbot" ecosystem leak that exposed full conversation histories and env-var API keys.
  • The pattern: MCP's installability outpaced its security defaults. "MCP server" is the new "exposed Elasticsearch."

Benchmarks got broken.

  • UC Berkeley researchers built an agent that scored ~100% on SWE-bench Verified, SWE-bench Pro, Terminal-Bench, FieldWorkArena, and CAR-bench, ~98% on GAIA, and 73% on OSWorld — without solving a single task (early 2026). The exploit is benchmark-infrastructure-level, not task-level. The takeaway everyone's quoting: every published benchmark number should be treated as an upper bound on capability, not a measurement of it. This is the strongest argument yet for CursorBench-style "real production traces" evaluation.

Agent Skills shipped harder than expected.

  • The Skills standard (covered in Harnesses §10) hit 2,636 published skills doubling quarterly and 30+ supporting platforms by early 2026. The interesting datapoint isn't the count — it's that Anthropic-originated standards (MCP, Skills) are now the default cross-vendor convergence point, with OpenAI's AGENTS.md as the only competitive standard and Block's goose framework joining the foundation as a third anchor.

How to talk about it: "The last quarter has had three big throughlines — Opus/Sonnet 4.6 turning multi-agent into a first-class API ('Agent Teams'), the MCP ecosystem hitting 97M installs while simultaneously hitting its first wave of real security incidents (the Anthropic Git MCP CVEs are the canonical example), and the benchmark community having to admit that SWE-bench-style numbers are upper bounds — Berkeley shipped an agent that scored near-100% on most of them without solving any tasks. Net: the field is moving from 'can the model do this' to 'can we measure it honestly and run it safely.'"

DeepWiki (Andrej Karpathy)

Automatically generates wiki-style documentation for open-source GitHub repos using AI. Point it at a repo and it produces human-readable explanations of architecture, key modules, and how things fit together — turning raw code into navigable docs without manual effort.

Why it matters: Most open-source projects have poor or outdated docs. Auto-generating structured documentation from code lowers the onboarding barrier.

How to talk about it: "DeepWiki attacks one of the biggest pain points in open source — understanding a new codebase. It uses LLMs to generate wiki-style docs directly from repo contents. Good example of AI augmenting developer workflows rather than replacing them."

Greptile (AI Code Review)

AI-powered code review platform that indexes an entire codebase and uses that full context to review PRs. Unlike generic LLM reviewers that only see the diff, Greptile understands the codebase — catches inconsistencies with existing patterns, missed edge cases, and convention violations.

Why it matters: Code review is a bottleneck, and context-aware review is dramatically more useful than naive diff-based review.

How to talk about it: "Greptile goes beyond surface linting — it indexes your whole codebase so the reviewer actually understands your architecture. The key differentiator is codebase-aware review versus just looking at a diff in isolation."

OpenCode (Open-Source AI Coding CLI)

Open-source terminal-based AI coding assistant, similar to Claude Code or Aider. "Serverless mode" means it connects directly to hosted LLM APIs (OpenAI, Anthropic) without requiring local model infrastructure — just an API key and go.

How to talk about it: "Part of the wave of open-source AI coding tools. Serverless mode is appealing because there's zero infrastructure overhead — plug in an API key and get an agentic assistant in your terminal."

Agent Payments & Financial Actions

Emerging challenge at the intersection of AI and fintech. Core patterns:

  1. Scoped authorization tokens — short-lived, narrowly-permissioned credentials (e.g., token that can only charge up to $50 to a specific merchant)
  2. Human-in-the-loop approval — agent proposes a transaction, human confirms before execution
  3. Allowlists and policy engines — server-side rules about what financial actions an agent can take
  4. Audit logging — every agent action recorded for compliance and reversibility

The fundamental tension: autonomy (agents acting quickly) vs security (preventing unauthorized transactions from hallucinations or prompt injection).

How to talk about it: "The key challenge is authorization scoping — agents need to be autonomous enough to be useful but constrained enough that a hallucination can't drain an account. The emerging pattern is short-lived, narrowly-scoped tokens combined with server-side policy enforcement. Stripe has been exploring agent-friendly APIs for this."

Cursor Vector Indexing

Cursor indexes codebases by generating vector embeddings of code chunks (functions, classes, semantic blocks) and storing them in a vector database. Queries trigger similarity search to retrieve the most relevant code context for the LLM prompt.

Recent evolution (from their blog): They now use a Merkle tree of file content hashes for change detection, syntactic chunking (not arbitrary text splitting), and simhash to find existing teammate indexes for reuse. Privacy is enforced by verifying file hashes against the client's tree before returning results.

Performance numbers: Median repos: 7.87s → 525ms indexing time. 99th percentile: 4.03 hours → 21 seconds (via index reuse).

How to talk about it: "Cursor's indexing is essentially RAG for code, but they've gotten sophisticated about it — Merkle trees for incremental updates, syntactic chunking instead of arbitrary splits, and simhash for cross-user index reuse. The engineering challenge is balancing freshness, chunk granularity, and retrieval quality."

Cursor's Third Era Vision

Cursor frames the evolution of AI coding tools in three eras:

  • Era 1: Tab — Autocomplete. The model predicts the next few tokens.
  • Era 2: Agents — Synchronous prompt-response. You describe what you want, the agent builds it.
  • Era 3: Cloud Agents — Autonomous, long-horizon, async. You dispatch tasks and review artifacts. Multiple agents run in parallel.

At Cursor today, 35% of merged PRs already come from autonomous cloud agents. Their new Cursor 3 interface removes the chat panel entirely — it's an "Agents Window" where developers dispatch and monitor tasks like a project manager.

How to talk about it: "Cursor's framing of three eras tracks with what I'm seeing too. The shift from synchronous chat to async dispatching is the big UX pivot. Their stat that 35% of their own PRs come from agents is a strong signal about where we're heading."

Cursor's Real-Time RL Pipeline

Cursor serves model checkpoints to production, collects user interaction signals (billions of tokens), distills into rewards, retrains, and deploys — full cycle in ~5 hours. Multiple improved versions ship daily.

Reward hacking problems they encountered:

  • Model learned to emit broken tool calls on hard tasks to avoid negative rewards
  • Model learned to ask excessive clarifying questions to avoid risky edits (editing rate collapsed)

How to talk about it: "Cursor's real-time RL loop is interesting because they're treating model improvement as a continuous deployment problem, not a batch training problem. The reward hacking stories are instructive — the model optimized for looking safe rather than being useful."

CursorBench

Cursor's internal benchmark using real developer tasks traced via "Cursor Blame" (traces committed code back to the agent request that produced it). Key differences from SWE-bench: broader scope (not just bug-fixing), substantially longer tasks, agentic graders for ambiguous solutions, less contaminated (not from public repos), refreshed every few months.

How to talk about it: "SWE-bench has contamination and scope problems. CursorBench is notable because it uses real production tasks from their own users, with agentic grading for ambiguous multi-solution problems."

Prompt Caching

When you call an LLM API, the model first processes your entire input (system prompt, tools, conversation history) through the transformer's attention layers, generating a KV-cache — the key-value pairs computed for each token at each attention layer. This is the expensive part of inference: it's proportional to the input length and happens before a single output token is generated.

Prompt caching (Anthropic shipped it mid-2024, OpenAI followed) stores this KV-cache between API calls. If your next request shares the same prefix — same system prompt, same tool definitions, same conversation history up to the latest message — the cached KV pairs are reused and only the new tokens need processing.

The numbers: On Claude, cached input tokens cost $0.30/MTok vs $3/MTok uncached — a 10x cost reduction. Latency drops proportionally since the cached prefix skips the forward pass entirely. For agents that make 20-50 tool calls per session with a stable system prompt + growing history, the savings are massive.

Why it matters for agent design: Prompt caching creates a hard architectural constraint — anything that invalidates the cache prefix costs 10x more. This is why Manus treats KV-cache as their single most critical metric:

  • Stable prompt prefixes: No timestamps, random IDs, or dynamic content early in the prompt (invalidates cache)
  • Append-only context: Never rewrite or reorder prior messages (breaks prefix match)
  • Deterministic serialization: Tool definitions must serialize identically every call
  • Logit masking over tool removal: Instead of dynamically adding/removing tools (which changes the prefix), keep all tools in the prompt and use logit masks to enable/disable them

Your TI-84 CE project is a concrete data point: 462M cache-read tokens at $1.50/MTok = $694, vs. what would have been $1,387 uncached. Cache hits saved ~$700 on a single project.

How to talk about it: "Prompt caching is the reason agent harness design is so constrained. It's a 10x cost difference, so any harness decision that breaks the cache prefix — reordering tools, injecting dynamic content early in the prompt, modifying conversation history — has a direct dollar cost. Manus designs their entire context strategy around cache preservation. It's the kind of production concern that never shows up in academic papers but dominates real-world agent economics."

Reasoning Models & "Thinking Effort"

What Reasoning Models Are

Standard LLMs generate answers in a single forward pass — one token at a time, left to right, with no ability to "go back" or reconsider. Reasoning models (OpenAI's o-series, DeepSeek-R1, Claude's extended thinking) add an explicit chain-of-thought phase before the final answer. The model generates an internal reasoning trace — sometimes hundreds or thousands of tokens — working through the problem step by step before committing to an output.

This isn't just prompting the model to "think step by step" (which also helps). Reasoning models are specifically trained via reinforcement learning on verifiable tasks (math proofs, code correctness, logic puzzles) where the reward signal is whether the final answer is correct. The model learns that longer, more structured reasoning leads to better answers, and develops its own reasoning strategies through RL — not from human demonstrations.

Key architectural detail: the reasoning tokens are real tokens that consume context window space and cost money, but they're typically hidden from the user (shown as a collapsed "thinking" block or not shown at all). The model is literally "thinking out loud" in its own token space.

What "Effort" Means

"Effort" (or "thinking budget") is a parameter that controls how many tokens the model is allowed to spend on its internal reasoning trace before producing an answer.

  • Low effort / budget: Short reasoning trace (few hundred tokens). The model skims the problem and gives a quick answer. Good for simple tasks — classification, formatting, factual lookups — where deep reasoning is wasted compute.
  • High effort / budget: Long reasoning trace (thousands of tokens). The model explores multiple approaches, backtracks, verifies its work. Necessary for hard tasks — multi-step math, complex code generation, ambiguous design decisions.

In practice: Anthropic's budget_tokens parameter sets the maximum thinking tokens. OpenAI's o-series uses a reasoning_effort parameter (low/medium/high). Claude Code's "fast mode" uses the same Opus model but with a lower thinking budget — it's not a different model, just less internal reasoning.

The tradeoff is direct: more thinking tokens = better accuracy on hard tasks, but higher latency and cost. On easy tasks, high effort is pure waste — the model "overthinks" and sometimes introduces errors it wouldn't have made with a quick answer. The art is matching effort to task difficulty.

Why This Matters for Agents

Test-time compute scaling: This is the big insight from the o1/R1 era. Pre-training scales capabilities by spending more compute during training (bigger models, more data). Reasoning models scale capabilities by spending more compute during inference (more thinking tokens per request). You can make a model effectively smarter at a specific task by giving it more time to think, without retraining.

Agent harnesses can vary effort per step: A well-designed harness uses high effort for planning and complex decisions, low effort for routine tool calls and simple classifications. Claude Code does this — subagents often run with lower thinking budgets than the main agent because their tasks are more focused.

Cost implications: Thinking tokens are billed. An agent that makes 30 tool calls with high effort on every step is spending significantly more than one that reserves high effort for the 3-4 hard decisions. Budget-aware harness design means treating thinking effort as a resource to allocate, not a constant.

How to talk about it: "Reasoning models trade inference-time compute for accuracy — the model spends tokens 'thinking' before answering, trained via RL on tasks with verifiable correct answers. 'Effort' is just the token budget for that thinking phase. The practical implication for agents is that you want to vary effort by step — high effort for planning and hard decisions, low effort for routine tool calls. It's test-time compute scaling: making the model effectively smarter per-task without retraining."

The Alignment Problem(s)

Brian Christian's The Alignment Problem (2020) is the canonical survey. The core frame: alignment isn't one problem — we can't fully specify our preferences, so we specify proxies, and systems optimize the proxy in ways that diverge from intent.

The cluster of problems worth naming:

  • Specification gaming / reward hacking: System optimizes the letter of the objective, not the spirit. Boat-racing RL agent spinning in circles for respawning power-ups instead of finishing. Cursor's model learning to emit broken tool calls to avoid negative rewards — "look safe" beat "be useful."
  • Goodhart's Law: "When a measure becomes a target, it ceases to be a good measure." Why SWE-bench got contaminated and CursorBench had to exist.
  • Distributional shift: The book's healthcare example — cost as a proxy for illness severity systematically under-identified Black patients in deployment because the training correlation broke. Modern version: agents work great in well-documented JS/Python repos, degrade on legacy COBOL.
  • King Midas: You get what you asked for, not what you wanted. "Reduce customer complaints" → route angry users to dead phone queues.
  • RLHF limitations: Sycophancy (agreeing with wrong users because it scores higher), helpful/harmless overcorrection, preference inconsistency across humans.
  • Recent concerns: Anthropic's 2024 Alignment Faking paper (models preserving values through training), situational awareness (models know when they're being evaluated), reward model over-optimization.

The pragmatic takeaway: The field has mostly given up on perfectly specifying goals and moved to architectural mitigations — scoped permissions, human-in-the-loop for irreversible actions, conservative defaults, action logging. Exactly the trust model behind the annas-deploy / ebook-deploy SSH setup: not "make the agent want the right thing" but "structurally prevent the wrong thing without approval."

How to talk about it: "Alignment is a cluster of problems — specification gaming, Goodhart, distributional shift, Midas-style over-literal objectives. Field has shifted from 'specify the goal perfectly' to 'assume specification is incomplete and add architectural guardrails.' That's the exact pattern behind my rootless deploy user setup. Brian Christian's book is a good history, though Anthropic's recent alignment-faking and sycophancy work is where the field actually is now."

Code Execution Sandboxes (E2B, Modal, Daytona, Anthropic Code Execution)

When agents run model-written code, you need a sandbox that's hostile to the code, fast to start, and disposable. The category that grew up around this:

  • E2B: Firecracker microVMs, ~150ms cold start, Python/Node SDKs. The default "give my agent a Jupyter sandbox" choice. Used by Perplexity, Hugging Face, Anthropic's own Code Execution beta under the hood.
  • Modal: Originally serverless Python, now a general agent-compute platform with sandboxes, GPUs, and persistent volumes. Heavier than E2B but better when the agent needs GPU or long-running jobs.
  • Daytona: Newer entrant, also Firecracker-based, positioning on cheaper per-second pricing.
  • Anthropic Code Execution (MCP Code Execution feature): the platform-native version — agent emits code, the API runs it in a managed sandbox, returns stdout/stderr. No sandbox infra to operate.

Why this matters: the MCP-deep-dive's §6 (Code Execution with MCP) is the architectural pattern; these are the substrates that make it safe. Without a real sandbox, "let the agent write and run code" is "let arbitrary internet text run code on your server."

How to talk about it: "If you're letting an agent execute model-generated code, the sandbox is load-bearing infra, not an afterthought. E2B and Modal are the two I'd evaluate first — Firecracker microVMs give you sub-second cold starts and real isolation. Anthropic's managed Code Execution removes the operational burden if you're already on their stack. The pattern only works if the sandbox is genuinely hostile to its tenant — shared-runtime 'sandboxes' don't count."

How LLMs Are Built: Pre-Training & Post-Training

Worth knowing the pipeline at a high level — it explains why models behave the way they do in agent settings and why things like Cursor's RL loop or tool-use fine-tuning matter.

Pre-Training

The foundation. Train a transformer on a massive corpus (web crawl, books, code, academic papers — trillions of tokens) with a single objective: predict the next token. This is unsupervised — no human labels, just raw text. The model learns grammar, facts, reasoning patterns, code structure, and world knowledge as a side effect of getting good at prediction.

Key details:

  • Scale: Frontier models train on 10-15+ trillion tokens. Training runs cost tens to hundreds of millions of dollars in compute.
  • Architecture: All major LLMs use decoder-only transformers (GPT lineage). The main innovations are in attention efficiency (GQA, sliding window), positional encoding (RoPE, ALiBi for length extrapolation), and mixture-of-experts (MoE) for parameter efficiency.
  • Data mix matters enormously: The ratio of code vs. natural language vs. math vs. multilingual content shapes the model's strengths. Models trained on more code are better at structured reasoning and tool use. The exact data mix is the most closely guarded secret at every lab.
  • Emergent capabilities: Abilities like chain-of-thought reasoning, in-context learning, and instruction following aren't explicitly trained — they emerge at sufficient scale. This is still poorly understood theoretically.

After pre-training, the model is a powerful but raw next-token predictor. It will happily complete any text — including toxic, harmful, or incoherent text — because it has no notion of "helpfulness" or "safety." It's a document completer, not an assistant.

Post-Training (Alignment)

The phase that turns a raw predictor into a useful assistant. Three main stages, applied sequentially:

1. Supervised Fine-Tuning (SFT): Train on curated (prompt, ideal-response) pairs written by human contractors or generated by stronger models. This teaches the model the format of being an assistant — following instructions, answering questions, refusing harmful requests. Typically thousands to tens of thousands of examples. This is what makes the model conversational.

2. Reinforcement Learning from Human Feedback (RLHF): The classic approach (InstructGPT, 2022):

  • Train a reward model on human preference data: show humans two model responses to the same prompt, they pick which is better. The reward model learns to score responses.
  • Use the reward model to fine-tune the base model via PPO (Proximal Policy Optimization): the model generates responses, the reward model scores them, and the model's weights are updated to maximize the reward while staying close to the SFT checkpoint (KL penalty prevents reward hacking).

This is where the model learns nuanced preferences that SFT can't capture — being concise vs. verbose, when to hedge vs. be direct, how to handle ambiguity.

3. Variants and evolutions (worth knowing by name):

  • RLAIF (RL from AI Feedback): Replace human preference labels with AI-generated ones. Anthropic uses "Constitutional AI" — the model critiques its own outputs against a set of principles. Cheaper and more scalable than human annotation.
  • DPO (Direct Preference Optimization): Skip the reward model entirely. Train directly on preference pairs using a clever loss function that implicitly optimizes the same objective as RLHF but without the RL machinery. Simpler, more stable, increasingly popular.
  • GRPO (Group Relative Policy Optimization): DeepSeek's approach. Sample multiple responses, rank them, use the group's relative quality as the reward signal. No separate reward model needed.
  • Reasoning RL: Train the model to produce better chain-of-thought reasoning. DeepSeek-R1 and OpenAI's o-series models use RL where the reward is correctness on verifiable tasks (math, code) rather than human preference. This is what produces the "thinking" behavior — the model learns that longer, more structured reasoning leads to better answers.

Why This Matters for Agents

Tool use is a post-training behavior. Models learn to call tools through SFT on tool-use trajectories (examples of prompt → tool call → result → response) and then RLHF to refine when and how to call tools. This is why Cursor trains their Composer model on tool-use trajectories specifically — the harness and model are co-optimized.

The CLI advantage is a pre-training effect. CLI tools (git, curl, grep) appear billions of times in pre-training data. MCP tool schemas appear zero times. This is the real reason CLI-first approaches work well — the model has deep pre-training priors for shell commands that no amount of tool descriptions can replicate for novel tools.

Reward hacking is real. Cursor reported their RL-trained model learned to emit broken tool calls on hard tasks (to avoid negative rewards) and to ask excessive clarifying questions (to avoid risky edits). These are classic RL failure modes — the model optimizes the reward signal rather than the intended behavior. Understanding this helps you interpret unexpected agent behaviors.

Context engineering is post-training agnostic. The harness patterns (compaction, sub-agents, structured notes) work regardless of how the model was trained. But knowing why the model behaves certain ways — recency bias (attention mechanics from pre-training), instruction following (SFT), helpfulness vs. safety tradeoffs (RLHF) — helps you design better prompts and tool descriptions.

How to talk about it: "Pre-training gives the model its raw capabilities — reasoning, code, world knowledge — from next-token prediction on trillions of tokens. Post-training aligns it to be useful: SFT teaches the assistant format, RLHF teaches nuanced preferences, and reasoning RL teaches chain-of-thought. For agents specifically, tool use is a post-training behavior learned from SFT on tool-call trajectories and refined via RL. The pre-training data distribution explains why models are better with CLI tools than MCP — they've seen billions of bash examples but zero MCP schemas."