Foundry adds runtime, memory, grounding for production agents
Microsoft Foundry moves beyond model endpoints to platform-level agent orchestration: procedural memory learns across runs, toolboxes centralize tool discovery, and IQ layer unifies retrieval across enterprise data sources.
Agents move from isolated experiments to observable, governed systems with shared state, enterprise grounding, and built-in evaluation. Teams stop wiring tools into each agent and start managing them centrally with runtime tool selection.
Replaces hand-rolled agent memory, ad-hoc tool registration, and custom observability scaffolding. Requires Azure Foundry account and framework integration (Semantic Kernel, AutoGen, CrewAI supported). Procedural memory and Toolboxes in public preview now; Teams/M365 publishing GA June 2026. Worth evaluating if you're already on Azure and need production observability—the hosted Agent Service removes significant boilerplate.
“the place where AI agents move from experiments to production systems”
“runtime, tools, memory, grounding, models, observability, and governance”
“7 to 14 percent absolute success rate gains at near baseline cost”
“Foundry feels like a real production platform for agents, not just a place to wire up demos”
“You can keep LangChain, Semantic Kernel, or your own code, and still get production grade traces and evaluations in Foundry”
Get issues like this in your inbox — free, every weekday.
Quick Signals
GitHub Agentic Workflows leaks private repos via prompt injection
Unauthenticated attackers exploit trust-boundary failure in GitHub Actions agents by embedding natural-language commands in public issues, triggering silent data exfiltration from org-scoped private repositories.
If you deploy agentic workflows with cross-repo access, any user-controlled content—issues, PRs, comments—becomes executable instruction surface. This breaks the assumption that automation reads data safely.
If using GitHub Agentic Workflows: disable cross-org repo access immediately, scope agent permissions to single repo only, and sanitize issue content before passing to agent context. Not production-ready without these controls. For new deployments: treat agent input with the same threat model as SQL injection—assume every string is potentially malicious.
“any malicious actor can create a GitHub Issue and, in the issue body, hide commands in plain English that GitHub's agent will follow”
“Never treat user-controlled content as trusted instruction input for an AI agent”
“Agents with cross-repository access are especially high-value targets”
“Prompt injection attacks have become, to agentic AI, what SQL injections were to web applications”
Mastra account breach poisons 116 packages in 27 minutes
Attacker hijacked maintainer credentials and injected typosquatted dependency (easy-day-js) into every Mastra package as a single line change, bypassing surface-level scanners.
Diagnostic dataset forces models to request missing facts under budget, then solve—separating information-seeking from computation errors.
Reveals whether reasoning failures stem from not knowing what to ask versus failing downstream integration. Helps target model training on actual bottleneck—fact retrieval or calculation—rather than conflating both.
Not a replacement tool; a diagnostic benchmark. Requires building test harness around model's natural-language requests and fact validation. Worth running now if you're debugging reasoning accuracy on constrained-information problems, but immature for production deployment. Generators and verifiers are open.
“solving mathematical problems whose full latent state has a unique answer, but whose solver-facing view is missing exactly one necessary atomic fact”
“MIRA-Math contains 2,310 generated instances from 22 typed mathematical families spanning algebra, probability, linear systems, discrete structures, signal processing, Markov chains, circuits, interpolation, and numerical boundary-value problems”
“request success and final-answer accuracy are separable: models may ask for the right fact yet fail the downstream computation, or fail before obtaining the canonical hint”
Supply chain compromise at scale: 28 million monthly downloads across poisoned packages means dependency injection likely reached production builds. The attack pattern—clean carrier packages, malicious payload one level down—exposes gaps in automated scanning that only inspects direct package code.
Immediate action required: pin all Mastra packages to last provenance-backed releases before the 2026-06-17 malicious versions. Audit build logs for easy-day-js installs between 01:01–01:37 UTC (typosquat landed 11 minutes before sweep). This replaces trust in maintainer accounts; requires strict dependency pinning, postinstall hook auditing, and consideration of lock-file verification in CI. Not safe to use now without explicit version locks.
“116 packages in under half an hour, ordered roughly by download count”
“the project's components are downloaded more than 28 million times a month”
“easy-day-js is a typosquat”
“disables TLS certificate validation, fetches a second-stage payload from a raw IP address”
“easy-day-js@1.11.21 was published a day earlier with no install hook, a clean decoy”
“All versions below are malicious and were published 2026-06-17”
Replaces self-managed SMTP servers and third-party email services like SendGrid. Requires Vercel team account and domain configuration. Ready now—CLI install is single command, but evaluate pricing against existing provider before switching.
“allowing Vercel teams to send emails from their applications without managing any infrastructure”
“Build email templates as React components with React Email”
“Track opens, clicks, bounces, and deliveries with real-time webhooks”
Val Town now routes Claude, GLM-5.2, and Sonnet 5 through Vercel AI Gateway, letting you swap models without code changes and cut costs by 5x with GLM-5.2.
Multi-model routing abstracts provider lock-in for agent workflows. HTTP analytics and scoped blob storage per val eliminate boilerplate for observability and state management in serverless agents.
Replaces manual model fallback logic and external analytics pipelines. Requires no migration for existing vals; plugin installs via `npx plugins add val-town/plugins` for Claude, Codex, Cursor. Ready now—all three models live in production.
“GLM-5.2 is now available in Townie. It's an open weight model about as smart as Opus 4.8 for about a fifth the cost.”
“Townie is now using the Vercel AI Gateway, so we can freely swap models in and out.”
“Vals with HTTP endpoints now come with lightweight built-in analytics.”
Compiler now infers types from patterns in functions to emit warnings for typos, type mismatches, and invalid operations without requiring type annotations.
Catches bugs at compile-time (misspelled struct fields, invalid comparisons, wrong function calls) without refactoring existing code. Warnings surface in editors immediately, reducing debugging cycles.
Replaces syntax-analysis warnings with type-inference-backed detection. Works within single functions only—cross-function analysis comes later. Ready to adopt now: upgrade to v1.17, enable Erlang/OTP 26+, no code changes needed. Drop Erlang/OTP 24 support.
“This release introduces gradual set-theoretic types to infer types from patterns and use them to type check programs, enabling the Elixir compiler to find faults and bugs in codebases without requiring changes to existing software.”
“At the moment, Elixir developers will interact with set-theoretic types only through warnings found by the type system.”
“The Elixir typechecker only infers types from patterns within the same function at the moment.”
“This release adds support for Erlang/OTP 27 and drops support for Erlang/OTP 24.”