The stack decision — 2026-07-02PUBLIC
The Agent-Native Stack: What to Standardize On When AI Agents Do the Building
The failures that cost money are never the model: they are blanket-scope tokens, silent transport misconfigurations, and dashboards that measure health instead of correctness. The agent-legibility test, the blast-radius rule, and a default stack per product archetype, from 971 sources and the incidents that prove them.
≈ 36 min read

This article picks your stack for the agent era: the framework, database, host, payments, auth, email, and tooling an AI agent can drive on its own, each chosen by one measurable test (agent legibility) and backed by a proving incident. The founding one took nine seconds: an agent found a leftover Railway token and deleted a startup's production database, backups included. "I guessed... I didn't verify."1 The model didn't fail. The stack did.
CH.01
Pick every tool by the agent-legibility test, not by features
A platform is agent-ready when an agent can discover it, authenticate to it, and operate it with no human in the loop. Score every candidate on five properties. Standardize on the ones that score 4 or 5.
The test:
- Full API with simple key auth. No OAuth-only dashboard dance.
- An official MCP server, maintained by the vendor, not a community wrapper.
- Machine-readable docs: llms.txt, Markdown endpoints, OpenAPI with real descriptions.
- A sandbox or free tier the agent can self-serve without a sales call.
- A CLI that emits JSON an agent can parse.

Why this test, not a feature checklist
An agent only acts on what it can reach in context. OpenAI's team, describing a codebase generated almost entirely by agents, put it flatly. Anything not accessible in-context while running effectively does not exist to the agent, and "boring" technology, composable, stable API, well represented in training data, is easier for agents to model.2
The protocol layer has already consolidated
Anthropic donated the Model Context Protocol to the Linux Foundation's Agentic AI Foundation in December 2025, with OpenAI and Block co-sponsoring.3 Anthropic's ecosystem update counted 10,000+ active public MCP servers by December 2025, and one industry survey put MCP in production at roughly 41% of software organizations.
The open web is nowhere near this bar
Which is exactly why the test discriminates. Cloudflare's 2026 scan of 200,000 top domains found only 4% declare AI usage preferences in robots.txt and only 3.9% pass Markdown content negotiation, which matters because Markdown cuts token cost by up to 80% against HTML.4 Checkly measured the extreme case: one 615.4 KB HTML page cost 180,573 tokens, its Markdown twin cost 478, a 99.6% reduction.5 Stripe, Paddle, Postmark, and Neon already ship llms.txt indexes.6
flowchart TD
P[Candidate platform] --> Q1{API with simple key auth?}
Q1 -->|no| X[Disqualified: OAuth-only wall]
Q1 -->|yes| Q2{Official vendor-maintained MCP?}
Q2 -->|community wrapper only| W[Expect schema drift and silent failures]
Q2 -->|yes| Q3{Machine-readable docs: llms.txt, Markdown, OpenAPI}
Q3 --> Q4{Self-serve sandbox and free tier?}
Q4 --> Q5{CLI with JSON output?}
Q5 -->|5 of 5| S[Standardize on it]
Q5 -->|4 of 5| S2[Adopt with a named caveat]
Q5 -->|3 or less| S3[Expect walls, plan the replacement]
One rule I hold as hard as any vendor claim: popularity counts are not evidence. Star counts on agent-tooling repos circulate widely and verify badly, so none appear in this piece.
CH.02
MCP is the one protocol to lock in, and it is a transport, not a fix
Standardize on MCP because every client speaks it and every serious vendor ships a server. Then treat it as plumbing. It does not scope your tools, secure your credentials, or make tool selection reliable.
Awareness is high, adoption is low
The gap between hype and floor is real. The Postman State of the API report, via Levo's analysis, found two-thirds of developers know MCP while only 10% use it regularly.7
One production counterexample
An agentic podcast pipeline found the GitHub MCP server caused ambiguous tool selection and non-deterministic responses that prompt refinement could not stabilize, and direct function calls fixed it.8 MCP is the default, not a religion.
The first-party servers worth wiring today, from the verified vendor docs:
| Platform | Server | Auth | The one gotcha |
|---|---|---|---|
| GitHub | official, hosted + local | OAuth or PAT | the reason GitHub beats GitLab for agents: GitLab has no equivalent9 |
| Vercel | mcp.vercel.com | OAuth | gateway facts change fast, fetch current docs first10 |
| Neon | mcp.neon.tech | OAuth + API key | free-org projects cap at 10 branches11 |
| Supabase | mcp.supabase.com | browser OAuth, PAT for CI | vendor's own guidance: dev and testing, never production data, use ?read_only=true12 |
| Stripe | mcp.stripe.com + Agent Toolkit | restricted keys, no OAuth for MCP | write scopes touch real money, start read-only13 |
| Cloudflare | 13 managed servers | OAuth | spans Workers, R2, D1, DNS14 |
| Sentry | hosted, OAuth | OAuth, token for self-host | AI search tools need an explicit LLM provider configured or they vanish15 |
The trap that costs a day and a half
The single most-repeated failure in the research: run an MCP server as a subprocess from a desktop client, configure SSE transport, and the server starts, the client connects, and every tool call silently times out with no error. The fix is stdio locally and Streamable HTTP in production. At least nine independent sources hit this exact wall. One reported a day and a half lost to it.16
Curation is your job
Official does not mean scoped, and maintained does not mean curated:
- Pin your tool sets. Apify's server loads a default tool set unless you pin the
toolsparameter explicitly, which its own docs tell you to do in production.17 - Expect a thin quality layer. Digital Applied's review of roughly 250 marketing MCP servers judged only about 25 production-quality and named stack sprawl the most common MCP failure of 2026.18
- Demand vendor maintenance. Mailer To Go's comparison calls schema drift in community wrappers "the silent killer of agent reliability."19
- Verify the package is real. Mailtrap documented a fake Postmark npm package that earned trust across 15 releases before slipping in a backdoor that BCC'd every email to an external server.20
Where it pays off, it pays fast. Dust wired Stripe's MCP in under 5 minutes and turned a refund workflow that took about an hour per request into seconds.21 The 2026-07-28 release candidate removes the protocol handshake and session ID, so remote servers can sit behind a plain round-robin load balancer.22
CH.03
The repo's contract with agents is one file and a set of gates, and it is a different article
Every stack below assumes two things sit in your repo already: one canonical AGENTS.md the agent actually reads, and deterministic gates that exit 2 on the catastrophic. This article picks the platforms. The harness that drives them is its own discipline, covered end to end in the operator's playbook.
Two facts from that side of the research shape platform choice, so they stay on this page:
- Instructions are suggestions, gates are law. Telling the agent "always run Prettier" works about 80% of the time per Blake Crosley's measurements, and for anything touching money or credentials 80% is a failure rate.23 So prefer platforms whose safety surface is enforceable outside the model: scoped tokens, read-only modes, lintable migrations.
- Merge authority stays outside the agent. A May 2026 study of 29,585 pull-request lifecycles by Chung and Hassan concluded agents should prepare branches and evidence while merge authority remains a distinct human or audited policy boundary, and GitHub's Agentic Workflows encode exactly that: sandboxed, read-only by default, never auto-merge.24
Everything else about the harness (hooks, skills, budgets, worktrees, overnight lanes) lives in the playbook. Here, the stack.
CH.04
Typed, boring, strictly-linted stacks give agents the fewest failure loops
Default to TypeScript strict mode on a framework the model has seen a million times, with linters and types as machine-checkable feedback. And know this rests on mechanism and practitioner evidence, because no clean benchmark exists.
No benchmark ranks languages, and the absence is the finding
Say the honest part first: no public benchmark cleanly ranks language-level agent reliability. SWE-bench Pro publishes aggregates only, noting in passing that Go and Python resolve at higher rates while JavaScript and TypeScript are more variable, and Aider's polyglot suite is also aggregate-only.25 What we have instead is mechanism. LLMs prefer stronger typing, more verbosity, and less ambiguity, as the Hacker News thread on human-optimized frameworks argued, and types turn a hallucinated interface into a compile error the agent can see and fix.26 Practitioners recovering from the "vibe-coding wall" name linters and type systems as mandatory guardrails,27 and OpenAI's agent-built codebase holds together through custom linters enforcing architectural invariants: fixed layers, validated dependency directions.2
The framework layer now treats agents as first-class users
Next.js 16's create-next-app now scaffolds an AGENTS.md by default, and its conventions are exact-or-silently-broken in precisely the way agents need documented. A missing 'use client' directive is one of the most common agent failures, and the docs now say so.28
The ORM is where legibility gets concrete
| Drizzle | Prisma | |
|---|---|---|
| What the agent writes | SQL-shaped code both of you can read | an abstraction whose generated SQL is hard to verify29 |
| Bundle | ~12.2 to 50 KB | ~2.5 MB engine, does not fit Workers' 3 MB limit30 |
| Cold start | sub-500ms on Lambda | 1 to 3s pre-v731 |
| Types | inferred, no build step | prisma generate, but scales better past ~50 tables32 |
| Sharp edge | without strict: true a rename becomes drop-plus-add, data gone33 |
v7's pool-sizing shift silently queues requests, p95 +50 to 150ms34 |
I run Drizzle, and here is the counterweight. AI tools generate more reliable Prisma out of the box today because the training data is richer, so Drizzle users should keep the schema in context and pin the version.30 Prisma 7 also genuinely improved, dropping the Rust engine for a TypeScript driver layer and adding $queryRawTyped.34 The pick is legibility over convenience. It is a judgment call, not a measurement.
CH.05
Monorepo is the default, because a repo boundary is a context wall
Agents generate better code when they can see types, call sites, tests, and dependents in one tree. Split repos only for legal isolation, security mandates, or truly divergent stacks.
The failure mode is mechanical. An agent renaming a field in a shared protobuf sees only the proto repo, renames it there, and five consuming services break on their next build, each needing coordinated PRs and release ordering. Inside one repo the same agent updates all call sites in a single pass. Cursor and Copilot index the open workspace, Claude Code and Aider operate within one directory. The default of every tool is single-repo.35
flowchart TD
A{New project or existing multi-repo?} -->|existing| B[Solution-root repo: AGENTS.md maps every repo, stack, endpoints, dependency order]
A -->|new| C{Legal isolation, security mandate, or fully divergent stacks?}
C -->|yes| D[Polyrepo along that boundary]
C -->|no| E[Monorepo]
E --> F[Parallel agents: one git worktree each, own branch, own port, own DB]
B --> G[Enforce order: shared libs, then backend, then clients, then frontend]
Do not big-bang migrate an existing polyrepo. The solution-root pattern gets you agent context with zero disruption: a coordination repo holding an AGENTS.md that lists every repository, its purpose, stack, endpoints, and dependencies, plus a clone script. Without it, the documented failure is an agent adding a frontend field the backend rejects at integration, or patching a frontend workaround for a backend bug it cannot see.36 Know the ceiling. Riftmap's analysis puts the workspace pattern's break point near 100 repos, where context overflows and grep goes O(N), and cites Meta's data that a dependency-graph lookup costs about 200 tokens where exploration costs about 6,000, a 30x difference.37
Keep the context small inside the monorepo
A root CLAUDE.md that @imports every package's rules can burn roughly 15,000 tokens before the agent reads a single file. Use nested per-directory files and path-scoped rules that load on demand, and launch from the smallest subtree you can.3839
Parallel agents without collisions
One git worktree per agent (git worktree add ../site-auth -b agent/auth-refactor), one branch per task, own port and database in each .env.local, boundaries written in AGENTS.md. The practical ceiling is three to five parallel agents, set by review burden and rate limits, and conflicts on shared files still surface at merge.4041
Two CI traps with agent-scale consequences: shallow clones break nx affected silently (fix: fetch-depth: 0 plus explicit base SHAs), and env vars missing from cache hashes poison caches.42 The nastiest documented one: pnpm lockfile v9 made Turborepo's dependency hash non-deterministic, days of silent cache misses, and the issue closed unresolved.43 Nx, for what it's worth, ships the most complete agent surface of the monorepo tools, an MCP server plus structured JSON output.44
CH.06
Host agents on long-lived containers, not serverless timeouts or edge
Agent loops run 90 seconds to hours, hold state, and spawn processes. Serverless functions cap at 10 seconds to 15 minutes, forget everything, and block subprocesses. Put the agent on a container platform and keep serverless for what it is good at.
Serverless breaks agents in five ways
James Perkins names the five mismatches exactly: timeouts versus 90-second-plus loops, ephemeral containers destroying session state, stripped runtimes blocking child processes, 1 to 3 second cold starts compounding LLM latency, and auth middleware you build yourself. The result is "agents that work great in dev and fall apart in production."45 Particle41's guidance draws the boundary: serverless is fine for 2 to 5 second, sub-512MB orchestration calls, wrong for stateful multi-step agents.46

Layer 1 is not Layer 2
Railway's own platform essay adds the taxonomy everyone conflates. Layer 1 is model serving (Modal, Replicate), Layer 2 is the app around the model, and putting a Next.js app on Modal pays GPU prices for CPU work while a model on Vercel dies on function timeouts.47
| Platform | Agent fit | Numbers that matter | The trap |
|---|---|---|---|
| Railway | agent-native: direct deploy API, hosted MCP, sandboxes shipping Claude Code, Codex, OpenCode in the default image48 | per-second billing, Hobby $5/mo, ~2-min first deploy49 | no free tier, no percentage canary out of the box |
| Render | strongest managed Postgres (PITR on all paid tiers), PR previews with auto-expire | Starter $7/mo, predictable flat pricing49 | weakest agent surface, no MCP, no scale-to-zero |
| Fly.io | 30+ regions, scale-to-zero, machines API | shared-1x ~$1.94 to 2.02/mo, suspend/resume drops a 5%-duty agent to ~$0.15 to 0.50/mo per Starmorph's cost analysis50 | Fly Postgres is explicitly not managed, and Fly's own infra-log documents IAD as an accepted single point of failure for the platform API. Pair with Neon, architect around it51 |
| Serverless | orchestration calls only | AWS bills the Lambda INIT phase since August 2025, ~22x cost on cold-start-heavy paths per PkgPulse52 | 15-min hard cap, no GPU |
| Edge | middleware: auth, redirects, A/B | 50ms CPU cap | Vercel itself retreated from edge-by-default in 2025, moving services back to Node52 |
The graduation path from Techsy's comparison: start on Railway for iteration speed, move to Render when you need production Postgres discipline, move to Fly when global latency matters.49 Railway's agent-first bet is loud. DevAIToolkit's review reports more than $200K per month in agent-driven spend on the platform with zero human-reviewed PRs, a vendor-adjacent figure I pass along with that label.53
And the billing landmine that decides the whole serverless question for public-facing work: Meta's crawler made 11,175,701 requests to one site in 30 days, every unique URL a cold invocation at a 0% cache hit rate, and the Vercel bill went from $30 to $1,933.93.54 Per-invocation pricing is an amplifier for other people's agents.
CH.07
Default the data layer to branching Postgres with gated migrations
Neon is the default: copy-on-write branches in under a second, an agent plan priced for programmatic provisioning, and an MCP with real guardrail options. Every schema change goes through a lint gate, no exceptions, because migrations are the one place an agent mistake is irreversible.
Neon's branching is O(1) metadata: a branch of a 50 GB production database is ready in under a second and costs nothing until it diverges, per Autonoma's review.55 The strategic tell is who is creating the databases. Neon and Databricks state that over 80% of databases provisioned on Neon are now created by AI agents, and the Agent Plan prices for it, $0.106 per CU-hour compute and $0.35/GB-month storage, with a 10-branch cap on free-tier orgs your cleanup workflow must respect.5611 Use the pooled connection string for app queries and the direct one for migrations.57
| Branching | Agent surface | Pricing anchor | Gotcha | |
|---|---|---|---|---|
| Neon | CoW, <1s, data included | MCP, llms.txt, --agent CLI init |
$0.106/CU-hr, free tier 100 CU-hrs/mo | not for always-on high-write workloads55 |
| PlanetScale | MySQL: schema-only. Postgres: restore-from-backup, no CoW58 | CLI, MCP (CLI-based one deprecated) | Postgres from $5/mo, no free tier | Postgres sharding ("Neki") still in development59 |
| Turso | DB-as-file, per-tenant or per-agent databases | SDKs + agent skill | $4.99/mo, 500 active DBs60 | scale-to-zero deprecated for new users Jan 202559 |
| Supabase | experimental branching (paid) | full MCP, 20+ tools | free tier generous | vendor says dev and testing, not production data12 |
One consolidation note so you do not buy a vector database you do not need: Postgres 18 shipped native vector indexing and UUIDv7, per the State of Databases 2026 roundup.61
The migration gate
Every schema change goes through a lint gate because migrations are where dashboards lie. A Flyway migration with a typo'd column name once showed APPLIED in the schema history, green CI, no errors, and a silent no-op in the actual database.62 Traditional observability measures system health, not agent correctness, as MightyBot's observability guide puts it.63 The gate that saves you is the one that blocked the merge:
- Migration Autopilot failed a real PR whose
DROP COLUMNran 0.4s on staging and would have locked the users table for 20 minutes in production.64 - After SafeMigrate demoed the same idea, one developer messaged its author: "I had a DROP COLUMN incident that cost our company $50k."65
Atlas is the schema discipline that scales past you. Its agent workflow is nine hard rules (never hand-author migration SQL, always --env, always lint before apply), and failed checks return structured errors the agent self-corrects against.66 The before-and-after is EliseAI, which manages housing for an enormous rental portfolio:
"Four of us had admin-level schema access, and if anyone wanted to make any schema changes, they would send those through to us. It doesn't scale very well." After Atlas: "Everyone is adding database changes and making data changes now." Fifty to sixty engineers contribute schema changes through PR workflow, with no locking incidents since rollout.67
Pair it with Neon's branch-migrate-validate loop via MCP: create the copy-on-write branch, apply the migration there, validate, then merge.68 The change never touches production until a gate has seen it.
CH.08
For every remaining category, pick the vendor with the official MCP and key auth
One row per category. The pick, the agent surface, and the trap. This table is the stack.
| Category | Pick | Agent surface | Runner-up | Trap to avoid |
|---|---|---|---|---|
| Auth | Clerk [mine] | API keys billed per use ($0.001/create, $0.00001/verify, 1000 and 100k free monthly), org-scoped keys, acceptsToken arrays for mixed session and machine auth69 |
Better Auth when owning the session store is the constraint. Auth.js v5 is in security-patch mode and points new projects elsewhere70 | dashboard-config auth: Clerk's OAuth settings live outside git and change without review70 |
| Payments | Stripe | hosted MCP, Agent Toolkit, restricted keys with 90-day rotation guidance, Machine Payments Protocol for agent-initiated payments1371 | Polar or Paddle as MoR bolt-on when VAT liability is real | Polar's 2026 repricing: free tier 5% + 50¢, card-only, roughly 120 payout countries, plus pass-through Stripe fees, per Dodo's teardown of a competitor, so verify independently72 |
| Resend or Postmark | both native vendor MCPs. Resend: 10 tool groups, per-client Bearer keys. Postmark: 4 MCP tools plus MIT-licensed Skills7374 | Resend without SENDER_EMAIL_ADDRESS set prompts on every call, breaking unattended runs.75 Postmark's batch API returns 200 even when individual sends fail, check per-item ErrorCode76 |
||
| LLM gateway | Vercel AI Gateway [mine] | zero markup, BYOK, models fallback arrays, OIDC auth, coding agents route through a base-URL swap77 |
OpenRouter: 400+ models, ZDR per request, but 5.5% markup and its August 2025 database outage took the fallbacks down with it7879 | one door is a single point of failure. Keep a direct provider key as the second door |
| Observability | Langfuse + OTel GenAI conventions | conventions hit stable in early 2026, so instrument once and export anywhere80 | LangSmith (closed source, $0.50/1k traces) | trace green does not mean output correct. Track cost per session and alert at 5x the feature median80 |
| Errors | Sentry | one-line MCP-server monitoring (wrapMcpServerWithSentry), its own MCP server handles 50M requests per month81 |
its inbound error stream is an injection surface. Next chapter | |
| Scraping | Firecrawl | keyless core endpoints from official clients, 1 credit per page, lockdown mode, Markdown output the vendor says uses 93% fewer tokens than raw HTML82 | Apify for the 46K-actor long tail, pin tools explicitly17 |
Browserbase sells excellent infrastructure, not intelligence. You assemble browser plus Stagehand plus LLM plus error handling yourself, per TinyFish's critique of a competitor83 |
| Jobs and durable | Inngest [mine, at solo scale] | step.ai.wrap() makes any LLM call a durable step, zero infra |
Temporal for mission-critical: 20-min published RTO, but $26K to 41K/mo self-hosted TCO versus $200 to 2,000 for cloud, per Flywheel's comparison84 | per-step billing compounds. One logical agent run bills 15 to 30 steps with retries and tools, per Particula's analysis. Run your real workload on the free tier and count first85 |
| Cron | anything but bare cron | Inngest or Trigger.dev retry and alert | bare cron fails silently. Vercel Hobby fails deploys on sub-daily crons, Cloudflare free tier caps at 5 triggers86 |
Two cells deserve a sentence each. Browserbase's scale is real, 36,925,870 sessions in March 2026 by the company's own count.87 And the 429 class of trap is why "undocumented rate limits" is a disqualifier: one team watched the OpenAI API return 429s for 11 minutes with no dead-letter queue while the SDK swallowed the billing error and threw a TypeError, so the real cause looked like a code bug for a day.88 Backoff belongs at the HTTP client layer, and billing errors get logged separately from code errors.
CH.09
Credentials never touch the model
The agent gets capabilities, never secrets. Scope every token to one operation, one environment, one resource. Broker the rest. And put backups physically outside anything the agent can reach.
Back to the nine seconds. The Cursor agent, running Claude Opus 4.6, hit a credential mismatch, went looking, and found an unrelated Railway CLI token created months earlier for managing custom domains. That token carried blanket authority across Railway's entire GraphQL API, including volumeDelete. No confirmation step, no environment scoping, no rate limit. One call, and the production volume was gone, and because Railway stored volume backups inside the same volume, the backups went with it. As the founder put it, volume-level backups "protect against zero failure modes that matter." The agent had violated its own explicit rules, including "NEVER FUCKING GUESS":
"I guessed that deleting a staging volume via the API would be scoped to staging only. I didn't verify... I decided to do it on my own to 'fix' the credential mismatch."1
Descope's incident log records the same event as the April 2026 PocketOS wipe: a long-lived account-scoped token in an unrelated file, nine seconds, no environment isolation.89 The founder spent a Saturday rebuilding bookings from Stripe records and email confirmations.
The scale behind the one wipe
From Zylos's credential research citing GitGuardian's 2025 data: 28.65M new secrets leaked on public GitHub in a year, up 34%, including 1.2M AI-service secrets, up 81%. AI-assisted commits leak at roughly double the base rate, and about 24,000 secrets sat in MCP config files on public GitHub. In agent skills specifically, 73.5% of credential vulnerabilities were plain information exposure: print() and console.log() putting secrets into the LLM's own context.90 Non-human identities outnumber humans 144:1 in large enterprises. Armalo documents a firm whose rotation policy said 90 days while the actual last rotation was 22 months earlier, one compromised key, 340 enterprise customers exposed, $4.2M.91
The doctrine, in three moves
1. Classify every action by blast radius, and gate the top tier outside the model:
flowchart TD
A[Agent action] --> B{Blast radius}
B -->|Local: file writes, tests, lint| C[Auto-approve]
B -->|Shared: commits, branches| D[Warn and proceed]
B -->|External: push, deploy, API calls, money, deletion| E[Approval the agent cannot auto-complete]
E --> F[Typed resource name, or out-of-band approve from phone]
The Railway founder's post-incident minimums are the External-tier spec: confirmations an agent cannot complete itself, tokens scopable by operation and environment and resource, backups elsewhere, and enforcement in the integration layer, never in a vendor's system prompt.1
2. Scope what you must hand over. fly tokens create deploy, never fly auth token, which is effectively root.92 A GitHub App, never a PAT, which authenticates as you, and gate agent runs on a maintainer /fix comment rather than firing on every issue.93 Clerk's machine tokens can have scopes revoked at runtime, machines.deleteScope() as a kill switch.94
3. Broker what you can, so the model never sees the secret at all:
flowchart LR
A[Agent context] -->|tool call, no secret present| B[MCP proxy or broker]
B -->|fetch at execution time| C[Vault: Managed Agents Vaults, Arcade, 1Password]
C -->|short-lived scoped credential| B
B -->|authenticated request| D[Provider API]
D -->|result only| A
Anthropic's Managed Agents runtime fetches credentials from a vault only at the moment Claude invokes an MCP tool, with one caveat worth knowing: Vaults covers MCP tools, and non-MCP secrets still sit in env vars the model can read.90 Arcade stores credentials apart from the LLM and injects at execution time.90 For everything longer-lived, the pattern from Zylos and Penligent's identity research is ephemeral by default: Vault dynamic secrets with one-hour TTLs, SPIFFE short-lived certificates, RFC 8693 token exchange narrowing scope at every hop.9095

Even the honest path bites. One developer copied a placeholder key from official payment docs verbatim into an MCP config and shipped it public for three days before rotating.96 Agents generate config from docs. Scan for key-shaped strings at commit time, exit 2.
CH.10
Treat every tool output as untrusted input
The defining agent vulnerability is not a jailbreak. It is a legitimate tool faithfully relaying attacker-shaped content to an agent that trusts its tools. Defend structurally: tool scoping, hook validation, sandbox isolation. Prompts are not a defense layer.
The mechanism is the lethal trifecta: the instant private data, untrusted content, and the ability to act share one runtime, a legitimate action gets applied to attacker-shaped intent. Isolation is the break.

flowchart TD
A[Private data and credentials] --> T{Same runtime, no separation}
B[Untrusted tool output: tickets, errors, docs] --> T
C[Ability to act: shell, deploy, external calls] --> T
T -->|no isolation| X[Exfiltration: the lethal trifecta fires]
T -->|gVisor or Firecracker microVM| S[Blast radius contained to the sandbox]
Agentjacking is the trifecta in the wild
In June 2026, Tenet Security published Agentjacking, and it should reorder your threat model. The only prerequisite is a Sentry DSN, the write-only key that lives openly in your frontend JavaScript by design. The attacker crafts a fake error event whose payload carries "remediation guidance," and it sits dormant, indistinguishable from a real crash, until a developer types the most ordinary sentence in the industry: "Fix the unresolved Sentry issues."
flowchart TD
A[Public Sentry DSN in frontend JS] --> B[Attacker POSTs a fake error event]
B --> C[Payload carries remediation guidance: run this command]
C --> D[Dev: fix the unresolved Sentry issues]
D --> E[Agent pulls issues via Sentry MCP, cannot tell real from injected]
E --> F[Agent runs npx tenet-controlled-validation-package]
F --> G[Env vars, AWS keys, GitHub tokens, private repo URLs exfiltrated]
The numbers, and why no perimeter tool sees it
Using only public credentials and breaching nothing, Tenet identified 2,388 exposed organizations, and across 100+ agents they measured an 85% success rate against Claude Code, Cursor, and Codex. The line that matters most: in many cases the agents executed the attacker's code even when explicitly told to ignore suspicious instructions. The guardrail was a suggestion.97 Sentry responded the same day Tenet disclosed and declined a root fix as not defensible at their level, which is honest: an error tracker that polices error content stops being an error tracker. The seam recurs anywhere an MCP server reflects outsider-written content at an acting agent: tickets, reviews, docs, calendar invites.
Even mitigated, the rate is not zero
Anthropic's own reported baseline says the same thing from the other side. Unmitigated agents fall for 24% of prompt-injection attacks, and defenses cut that by more than half, which is progress and nowhere near a wall.98
The structural defenses, cheapest first
- Tool scoping in skills:
allowed-tools: Read, Grep, Globmeans a compromised prompt still cannot write.23 - Hook validation: a PreToolUse hook blocking file access matching
\.(env|pem|key|credentials)$with exit 2 fires no matter what the context says.23 - Subagent isolation:
permissionMode: planmakes a subagent read-only even if its prompt is owned, and since v2.1.166 messages relayed between Claude sessions no longer carry the sender's authority.23 - Knowledge gates: capability without procedure is its own hole. An agent with Supabase MCP once created a Postgres view that bypassed row-level security because nothing told it about
security_invoker. Adding a SKILL.md took security compliance from 0% to 100% in the vendor's benchmark.99
The sandbox tier is not optional
Docker alone is a shared kernel. Langflow's CVE-2025-3248 was one unauthenticated POST to a code-validation endpoint, CVSS 9.8, host-level execution on Docker-only deployments.100
The SandboxEscapeBench write-up found frontier models achieve near-perfect escape rates on easy misconfigurations (privileged containers, writable host mounts), that escape success scales log-linearly with inference compute at roughly a dollar an attempt, and a behavioral detail worth remembering: Claude models showed 0% disengagement, attempting escapes until the token budget died, while GPT-5.2 gave up in 92.3% of failed samples.101 The ladder, matching the mermaid above:
- Containers for trusted code only.
- gVisor (10 to 30% I/O overhead, what Modal runs) for semi-trusted.
- Firecracker microVMs (~125ms boot, what E2B and Lambda run) for anything hostile.102
The ecosystem justifies default suspicion
BlueRock's scan found 36.7% of roughly 7,000 public MCP servers carry SSRF, 41% run no authentication at all, and only 8.5% use OAuth.103 The AI-workflow platforms (Langflow, n8n, Flowise, Crawl4AI) have shipped a steady stream of RCEs through their code-execution primitives, and the working remediations are blunt: gate them behind VPN, disable risky nodes (NODES_EXCLUDE), disable stdio MCP transport in Flowise (CUSTOM_MCP_PROTOCOL=sse).104
The supply chain bends around OAuth trust
The February to April 2026 Vercel breach walked in through a compromised third-party OAuth app, whose tokens survive password rotations and rarely get audited. Vercel's CEO Guillermo Rauch publicly assessed the attackers as "significantly accelerated by AI." Env vars not explicitly flagged sensitive were readable with internal access, and one customer got OpenAI's leaked-key notice nine days before Vercel's own disclosure.105 Flag every credential variable sensitive, and treat any provider leak notice for a key that only ever lived in a platform as a platform compromise.
CH.11
The anti-patterns: what looks agent-friendly and isn't
Some tools fail the test loudly. The dangerous ones fail it quietly. Here is the field guide.
| Trap | Why it fights agents | The tell |
|---|---|---|
| OAuth-only, no API keys | agents cannot complete browser consent flows unattended | "connect your account" is the only path in |
| Docs behind JavaScript or captchas | the agent literally cannot read them | no llms.txt, no .md endpoints, no OpenAPI |
| No CLI, or CLI without JSON | screen-scraping your own tooling | --json flag absent |
| Undocumented rate limits, swallowed errors | silent data loss that presents as your bug | the 429-as-TypeError day88 |
| Per-invocation billing on public surfaces | other people's crawlers set your bill | the $30 to $1,933.93 month54 |
| Proprietary self-healing test platforms | healing logic the agent cannot introspect or fix | vendor black box, per QASkills' comparison106 |
| Community MCP wrappers | schema drift when the vendor ships | tool calls failing weeks after install19 |
| Single-tab-era test frameworks | Cypress's single-origin model does not map to MCP tool calls, Playwright's accessibility tree does107 | agent-generated tests that cannot cross origins |
| Platforms that move the floor | undocumented breaking releases eat your weekend | see below |
| Unreviewed agent output as a codebase | the sprawl becomes the next agent's context | see below |
Floor-movers
OpenClaw's v2026.3.22 shipped 12 undocumented breaking changes, and one community member reported personally helping fix more than 200 broken instances afterward: "spend five grueling hours trying to fix something that would have taken five minutes to prevent." The v2026.4.12 Docker image then broke all Google Vertex routing via a dependency update that mangles the OAuth handshake and surfaces only as a generic 401.108 The commercial platforms did their own version. Anthropic's usage-limit changes landed framed as "additional credits" while users measured them as cuts.109 MCP configuration itself earned the community's bluntest coinage, "authentisuffering," for per-directory credential overriding.110 The signal to watch on any vendor is behavioral: changelog discipline, deprecation countdowns, whether errors surface or vanish.
The sprawl
One engineer inherited a three-month-old agent-built repo: 309k lines of code, 240k lines of docs, 220 API handles with about 20 used, 40+ secrets with 2 necessary, and over a million lines of logs committed as markdown. The rewrite took one week with the same tooling, kept the functionality, and produced the most satisfying PR of his career.111 The public version of the same failure was Huntarr, a vibe-coded media-stack manager whose unauthenticated POST /api/settings/general returned every API key in cleartext, and whose maintainer banned the people who reported it.112 Unreviewed agent output is not an asset. It is the next context wall.
CH.12
The default stack, per product archetype
Four tables. Every pick traces to the chapters above, and every judgment call between evidenced options is flagged [mine].
SaaS web app
| Layer | Pick | Why |
|---|---|---|
| Framework | Next.js 16, TS strict | AGENTS.md scaffolded by default, conventions the model knows cold28 |
| ORM | Drizzle [mine] | SQL both of us can read, edge-sized bundle |
| DB | Neon + Atlas gate | sub-second branches, lint-gated migrations |
| Auth | Clerk [mine], Better Auth if ownership rules | per-use machine keys vs your own session table6970 |
| Payments | Stripe, MoR bolt-on only when VAT bites [mine] | official MCP plus restricted keys |
| Hosting | Vercel frontend, Railway backend | the split Railway's own essay argues: workers and crons off serverless47 |
| Resend | native MCP, set SENDER_EMAIL_ADDRESS |
|
| Errors and traces | Sentry plus Langfuse on OTel | instrument once, export anywhere |
| Jobs | Inngest [mine] | infraless durability, count your steps first85 |
| Tests | Playwright plus its planner, generator, healer agents, ARIA snapshots | the healer replays failures and patches locators, snapshots beat brittle selectors113 |
Data or scraping pipeline
| Layer | Pick | Why |
|---|---|---|
| Compute | Railway or Fly machines, never Lambda for the work | timeouts plus INIT billing52 |
| GPU steps | spot instances plus checkpoint every 5 to 10 min | Spotify's reported pattern cut GPU spend 70%, $8.2M to $2.4M/yr50 |
| Ingestion | Firecrawl primary, Apify long tail | token economics plus explicit tools8217 |
| Real browser sessions | Browserbase plus Stagehand [mine] | when authenticated UI driving is the actual job87 |
| State | Neon, or Turso when the shape is DB-per-source [mine] | branching vs file-per-tenant60 |
| Scheduling | Inngest or QStash | bare cron fails silently86 |
One more number for the GPU cell, from AWS-side analysis: 500 docs per day at 5 minutes each ran $15K/month on Lambda GPU pricing versus $2K on an EC2 spot cluster, an 87% gap.46 And the GKE Spot case study is the proof agents tolerate preemption well, since they idle around 85% of wall time waiting on LLM responses: zero task failures across 47 preemptions in 8 weeks, compute down 60%.114
Content or video pipeline
| Layer | Pick | Why |
|---|---|---|
| Model door | Vercel AI Gateway [mine], direct provider key as second door | zero markup plus fallback arrays, and the router-outage lesson7779 |
| Routing discipline | cheap model for bulk, flagship for synthesis | Starmorph's reported routing cut: $187 to $78/month, 58%50 |
| Research ingestion | Firecrawl | Markdown-native, credit per page |
| Orchestration | Railway workers plus volumes | long renders, persistent artifacts |
| Local GPU | stays local | covered in my local-AI stack write-up, out of scope here |
API service
| Layer | Pick | Why |
|---|---|---|
| Framework | Encore when its 80% covers you [mine], else Hono on Railway | infra-from-code deletes the IaC file entirely, with the stated 80% caveat115 |
| IaC when needed | Pulumi TypeScript [mine], OpenTofu where HCL ecosystem matters | Pulumi's own study, flag the vendor source: Opus plus Pulumi TS hit the lowest pipeline cost at $0.146, 41% cheaper than Opus plus Terraform at $0.249 via zero repair cycles, while HCL wins first-generation tokens by 21 to 33%116 |
| CLI ergonomics | Terraform's -json everywhere pattern |
DeployHQ ranks it the most agent-friendly IaC CLI117 |
| Your own API surface | OpenAPI 3.1, intent-rich descriptions, stable error codes, idempotency keys, cursor pagination, 202 for long ops | make your product pass the same test you applied to vendors118 |
Orchestration frameworks get one honest paragraph instead of a table. The production default in the evidence is embarrassingly small: an LLM, tools, and a loop with a hard step cap, with LangChain-class abstraction debt called a trap by AI Builder Club's guide and multi-agent runs costing 3 to 8x single-agent.119 Reach for LangGraph when you genuinely need checkpointed state, Temporal or Inngest when you need durability, and treat Eve and Flue as promising pre-release bets with platform coupling, per Road to Enterprise's comparison.120 For the always-on personal layer, Hermes and OpenClaw run fine on a roughly €5/month Hetzner box with Tailscale, and that is a different article.121
CH.13
Roll it out in six gated steps, not a big bang
Each step is weekend-sized and has a machine-checkable exit. Do them in order: gates before capabilities, because every incident above exploited a missing gate, never a missing feature.
- Score your stack on the five properties. Exit: a table listing every tool at 3 or below with its replacement candidate.
- Put the harness in place. One canonical AGENTS.md plus exit-2 gates on destructive git, infra, and credential-path patterns. The operator's playbook covers this step end to end. Exit:
claude --print "What is your definition of done?"echoes your gates verbatim, and a deliberately dangerous command shows up blocked in the log.23 - Re-issue credentials. Deploy-scoped tokens, GitHub App not PAT, broker or vault for the rest, backups physically outside the blast radius. Exit: grep repo and MCP configs for key-shaped strings finds zero, and the agent's token gets a 403 on a destructive call.
- MCP core set only. Filesystem, GitHub, one database server, which is also Ayautomate's consensus starter set, with explicit
toolsparams.14 Exit: one round-trip tool call per server. - Eval as CI. 80 to 200 cases drawn from real traffic plus an adversarial set, the build fails on regression, which FDE10x calls the only benchmark that predicts incidents on your workload.122 Snapshot the agent's tool-call sequences too, so a changed call order fails loudly.123 Exit: an intentionally broken PR fails.
- Phase autonomy up a ladder, never a leap. Kilo's rollout shape: read-and-draft-only for the first two weeks, human approval on everything External-tier through day 45, autonomy only for low-risk work after.124
flowchart LR
L0[L0 single call] --> L1[L1 augmented LLM]
L1 -->|eval pass at 90 percent| L2[L2 workflow]
L2 -->|eval pass at 90 percent| L3[L3 orchestrator-worker]
L3 -->|eval pass at 90 percent| L4[L4 autonomous loop]
The 90% promotion gate is the Agentic Product Standard's escalation rule: do not climb to the next autonomy level until the current one clears 90% on a curated eval set.125 Write completion criteria machine-verifiable, because "write tests that pass" once produced assert True.23 Two closing gates that cost one line each: a minimumReleaseAge: 7 days on dependency automation blunts supply-chain-fresh packages,126 and a license scan on agent commits, since Black Duck's 2026 analysis of 947 commercial codebases found 68% contain open-source license conflicts and only 54% of orgs evaluate AI code for IP risk at all.127
What the evidence does not establish
Ending on the honest ledger, because a doctrine that hides its bets is hype:
- No benchmark ranks languages for agent reliability. The TS-strict default is mechanism plus practitioner reports, stated as such.25
- Multi-agent ROI is unproven. Anthropic's team-of-agents compiler cost a reported $20,000 in API spend across 2,000 sessions and could not compile hello-world without hand-fed include paths,128 while OpenAI's three-engineer, million-line internal build succeeded and its own authors say it does not generalize beyond that repo's tooling.2 My doctrine stops at one agent plus deterministic gates.
- Perception is not measurement. The METR randomized trial found 16 experienced open-source developers were 19% slower with early-2025 AI tools while believing themselves about 20% faster, with the 2026 follow-up showing much smaller, insignificant effects.129 That study is the entire argument for step 5.
- Vendor-reported figures (Pulumi's token study, Browserbase's sessions, Firecrawl's token claims, deliverability tests) are labeled as such wherever they appear, and none carries the argument alone.
- MCP could still fragment at the edges. Discovery specs are multiplying. The bet is low-regret: everything chosen here also has a plain API.
What it feels like when the doctrine holds: a Dodo Payments engineer watched an agent hit a 404 on a hallucinated plan ID, follow the doc_url in the structured error, parse the pricing page, and retry with a valid ID. Twelve seconds, no human.96 Before, an agent with a stray token erased a company in nine seconds. After, an agent with a scoped key and a legible error healed itself in twelve. The gap between those two numbers is the stack. Build the second one.
CH.14
The fastest way to build the second one: the kit that ships this article as files
This research goes stale in your head within a quarter, so it lives as files instead: my open, free sober-agents-kit carries dated fact-sheets on every platform this article standardizes on (Vercel's fluid-compute shift, Neon branching, Stripe restricted keys, serverless timeout limits), the per-archetype stack tables as machine-readable guides, and the deterministic gates from the rollout, installed by a five-minute plain-language interview.
git clone https://github.com/dprvda/sober-agents-kit && cd sober-agents-kit
How it holds to this article's own rules:
- The interview is one markdown playbook any agent can run. Claude Code gets it as
/sober-setup, Codex as a skill in.agents/skills, OpenClaw or Hermes run it when told "read setup/INTERVIEW.md". Its first question is which agent you use, and the setup shapes itself to the answer. - The fact-sheets are dated and copied into your project's docs, so the agent builds from the verified current state of each tool instead of its training data.
- The gates are git-level (secrets, doc drift, an independent AI commit judge, a pre-push force-push blocker), so they hold for every tool and every human clone, with no AI in the loop at all.
- Everything is also documented for hand-installation. The kit is a shortcut, never a dependency, and the full manifest shows before anything writes.
- It is the living proof of chapter one: every tool inside it passed the same five-property test it applies to your stack.
Sources · 130
Sources
-
An AI agent just destroyed our production data. It confessed in writing (r/ExperiencedFounders) ↩ ↩2 ↩3
-
Read this or stay behind, OpenAI staff on their agent-built codebase (r/codex) ↩ ↩2 ↩3
-
The current state of content negotiation for AI agents (Checkly) ↩
-
A practical guide for designing and developing agentic workflows (arXiv 2512.08769) ↩
-
The stdio-vs-SSE silent timeout, reported independently by the AI SDK docs, Marc Nuri, Ayautomate, and QASkills, among others. ↩
-
MCP servers for marketing: 25 servers reviewed (Digital Applied) ↩
-
Best email APIs with native AI agent support 2026 (Mailer To Go) ↩ ↩2
-
Notes on the MCP 2026-07-28 release candidate (@mrru5s3ll) ↩
-
Agent Architecture: building AI-powered development harnesses (Blake Crosley) ↩ ↩2 ↩3 ↩4 ↩5 ↩6
-
Automate repository tasks with GitHub Agentic Workflows (GitHub blog) ↩
-
Prisma vs Drizzle and AI-generated SQL (Alexander Arshavski, LinkedIn) ↩
-
Monorepo vs multi-repo: why AI agents tip the scale (Francis Eytan Dortort) ↩
-
Setting up AI coding assistants for large multi-repo solutions (Bishoy Labib) ↩
-
You don't need a virtual monorepo. You need a graph (Riftmap) ↩
-
How to structure a monorepo so Claude Code's context stays small (StartDebugging) ↩
-
Claude Code in monorepos and large codebases (Claude docs) ↩
-
How to keep multiple coding agents from overwriting each other (David Loor) ↩
-
CI/CD for monorepos: affected, caching, dependency graph (Nazar Boyko) ↩
-
Non-deterministic hashOfExternalDependencies with pnpm lockfile v9 (turborepo#12252) ↩
-
Why Flue and Unkey Deploy fit shipping AI agents (James Perkins) ↩
-
Claude Code, Codex, OpenCode and Pi in Railway Sandboxes (Railway) ↩
-
AI agent deployment: cloud platforms compared (Starmorph) ↩ ↩2 ↩3
-
Cloudflare Workers vs Vercel Edge vs AWS Lambda 2026 (PkgPulse) ↩ ↩2 ↩3
-
Is Railway the best cloud for AI coding agents? (DevAIToolkit) ↩
-
Meta's crawler made 11 million requests to my site in 30 days (r/webdev) ↩ ↩2
-
Neon database review: serverless Postgres branching (Autonoma) ↩ ↩2
-
Neon serverless Postgres guide for TypeScript backends (Encore) ↩
-
SafeMigrate: never fear database migrations again (dev.to) ↩
-
I tested every major auth library for Next.js in 2026 (LogRocket) ↩ ↩2 ↩3
-
You built an MCP server, debug it with MCP observability (Sentry) ↩
-
Durable execution for agents: Temporal vs Inngest vs Restate (Particula) ↩ ↩2
-
Crontab, cron jobs and modern scheduled tasks (Ceaksan) ↩ ↩2
-
Thousands of Etsy shops lost all traffic, the 429 postmortem thread (r/Etsy) ↩ ↩2
-
AI agent credential and secret management in production (Zylos) ↩ ↩2 ↩3 ↩4
-
How to rotate credentials for AI agents without breaking production (Armalo) ↩
-
AI agent identity security and the delegation chain problem (Penligent) ↩
-
The bug report that owns your machine, Tenet Security's Agentjacking (r/Tidra) ↩
-
AI agent sandboxing explained: why Docker is not enough (SoftwareSeni) ↩
-
Your AI agents can break out of their containers, SandboxEscapeBench (ResultSense) ↩
-
Your AI workflow stack is an unmanaged RCE vulnerability (r/Tidra) ↩
-
The Vercel breach: OAuth supply chain attack (Trend Micro) ↩
-
What's actually hiding in the OpenClaw 2026.4.12 changelog (r/OpenClawUseCases) ↩
-
It's official: Anthropic pulled the plug on programmatic subscription use (r/Anthropic) and the usage-credit framing thread (r/ClaudeCode) ↩
-
Hot take on MCP configuration and credentialing (@juliknl) ↩
-
Inherited a 3-month old repo from a vibe engineer (r/ClaudeCode) ↩
-
Huntarr: your passwords and your entire arr stack's API keys are exposed (r/selfhosted) ↩
-
Token efficiency vs cognitive efficiency: choosing IaC for AI agents (Pulumi) ↩
-
6 developer CLIs that AI coding agents use well (DeployHQ) ↩
-
Design considerations for agent-friendly HTTP APIs (IETF draft) and the Agentic API Standard (GitHub) ↩
-
Eve vs Flue: which TypeScript agent framework (Road to Enterprise) ↩
-
AgentSnap: snapshot testing for agent tool-call traces (GitHub) ↩
-
Renovate and Dependabot security configuration (SystemHardening) ↩
-
AI coding tools and open source license risk (Crash Override) ↩
-
Anthropic built a C compiler using a team of parallel agents (r/programming) ↩
-
METR randomized controlled trial of AI tools on experienced developers (arXiv:2507.09089) ↩