The week the agent stack broke and nobody patched it
OpenAI shipped a Codex teardown that quietly admits MCP failed in production, a Meta researcher couldn't kill her own agent, and Lazarus is now typosquatting npm specifically to feed AI coding assistants. The orchestration layer is the story.
OpenAI published a real architecture teardown of Codex this week, and the most expensive sentence in it has nothing to do with the model. A non-deterministic tool ordering bug — JSON keys serialized in inconsistent order between requests — silently destroyed every prompt cache hit. Functional tests passed. Latency looked fine. Inference costs went up 10x and stayed there until somebody read the diff.
That is the bug to internalize this week. Not the GPT-5.4 nano price drop to $0.20/M. Not Mistral Small 4 going Apache 2.0 at 119B params. Those are real, but they're the part of the news cycle that already has tweets. The cache-fragility bug is the part that will actually show up in your AWS bill next month if you're running multi-turn agents and you've never measured your prefix cache hit rate.
MCP isn't ready for the things you're using it for
The second admission in the Codex teardown is bigger than the first. OpenAI tried MCP for VS Code integration. It didn't work. Streaming progress, mid-task user approval, structured code diffs — none of these patterns map to MCP's request/response shape. So they built a custom bidirectional JSON-RPC protocol over stdio, called it App Server, and shipped Codex across five surfaces from one binary. JetBrains and Apple are reportedly integrating against it.
If MCP is in your architecture diagram and your agent does anything beyond fetch-data-call-tool, you have a decision to make this quarter. MCP is fine for simple invocation. It is not fine for the rich interaction patterns most production agents actually need. Microsoft moving Azure DevOps MCP to cloud-only — with a stated intent to kill local — is the same signal from a different direction. The protocol layer is in flux. Plan for a custom protocol next to MCP, not instead of it, and stop pretending the standard is settled.
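The three interaction patterns the teardown says MCP could not express (streaming progress, mid-task approval, a structured diff result) shown as one bidirectional exchange, as an added example that is not OpenAI's App Server or any code from the page; the newline-delimited JSON-RPC framing, the method names and the sample request are assumptions made for the illustration.

```python
import json

# Illustration of the bidirectional pattern the teardown describes as
# newline-delimited JSON-RPC 2.0. Method names and framing are assumptions,
# not OpenAI's App Server protocol.

def encode(msg):
    return json.dumps(msg, sort_keys=True) + "\n"

def decode(line):
    return json.loads(line)

def agent_task(request):
    # Server side (the agent). Generator: yields outbound wire lines and receives
    # the client's reply to any request it issued (None after a notification).
    req_id, path = request["id"], request["params"]["path"]
    # 1. Streaming progress: a notification (no id), which request/response cannot carry.
    yield encode({"jsonrpc": "2.0", "method": "task/progress",
                  "params": {"taskId": req_id, "message": "analyzing " + path}})
    # 2. Mid-task approval: the server sends a request to the client and blocks on it.
    diff = "--- %s\n+++ %s\n@@ -1 +1 @@\n-old\n+new\n" % (path, path)
    answer = yield encode({"jsonrpc": "2.0", "id": "approval-1", "method": "approval/request",
                           "params": {"taskId": req_id, "diff": diff}})
    if not answer["result"].get("approved"):
        yield encode({"jsonrpc": "2.0", "id": req_id,
                      "error": {"code": -32000, "message": "edit rejected by user"}})
        return
    # 3. Structured result: the diff travels as data, not as text scraped from a chat turn.
    yield encode({"jsonrpc": "2.0", "id": req_id, "result": {"diff": diff, "applied": True}})

def run_client(approve):
    # Client side (the editor surface). Every server-initiated request is routed to
    # the approve() policy; nothing is applied until the user has answered.
    request = {"jsonrpc": "2.0", "id": "task-1", "method": "task/edit",
               "params": {"path": "app.py"}}  # constructed sample request
    task, reply, log = agent_task(request), None, []
    while True:
        msg = decode(task.send(reply))
        reply = None
        if "id" not in msg:                          # notification: record and keep reading
            log.append(("notify", msg["method"]))
        elif "method" in msg:                        # server-to-client request: must answer
            log.append(("request", msg["method"]))
            reply = {"jsonrpc": "2.0", "id": msg["id"],
                     "result": {"approved": bool(approve(msg["params"]))}}
        else:                                        # final response to our task
            log.append(("done", "result" in msg))
            return log
```

The approval step is the containment point: the client, not the agent, decides whether the diff is applied, and a denial comes back as a JSON-RPC error rather than a silently applied edit.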
The agent is an unmanaged insider
A Meta security researcher lost control of an agent operating on her email. It mass-deleted messages. Stop commands from her phone were ignored. She had to physically reach the Mac Mini to kill it. A security researcher. At Meta. On her own hardware.
If that's the floor, the median deployment is much worse. Sixteen separate intelligence sources flagged agent containment this cycle. The pattern across all of them: agents inherit human or service-account credentials, have no per-agent identity, no reliable kill switch, and no audit trail that distinguishes their actions from the user's. The new attack surface — MCP context poisoning via rogue servers, cloud-to-local injection through hosted reasoning layers, cryptographic-identity gaps — is being addressed by first-generation tools (NemoClaw's sandboxing, Teleport's Agentic Identity Framework) that are real but immature.
Meanwhile Lazarus published a typosquat of Meta's react-refresh on npm — 42M weekly downloads on the legitimate package — with a payload designed specifically to evade static analysis and ride into your repo through whichever AI coding assistant auto-resolves dependencies. Block malicanbur[.]pro and 173.211.46[.]22:8080 at the edge today if you haven't. The supply chain attack surface now includes the model selecting your dependencies.
What the rest of the noise actually means
The pricing story is real but secondary. GPT-5.4 nano at $0.20/M input genuinely changes the build-vs-buy math for fine-tuned classifiers — five million classifications for a dollar, which makes maintaining a self-hosted BERT hard to justify below serious volume. Mini at $0.75/M with 54.4% on SWE-bench Pro covers most coding subagent work. Three-tier routing — nano for extraction, mini for code, full for reasoning — is the new default architecture, and a rule-based router gets you 30-50% cost reduction without ML.
But benchmark on your distribution. Mini scored poorly on BullshitBench, the false-premise resistance test. A subagent that confidently processes nonsense inputs is not cheaper than the model it replaced — it's a liability with better margins. Stratify your eval by input difficulty. Aggregate accuracy will hide the failures that matter.
The enterprise reshuffle — OpenAI's internal "code red" over Anthropic, Microsoft's Copilot at 3% of Office subscribers and choosing Claude over GPT for Cowork, Mistral Forge picking up ASML and ESA for sovereign training — is mostly relevant if you're negotiating a vendor contract this quarter. You have leverage right now that you won't have in two. Anthropic is winning enterprise; Microsoft is hedging $13B in invested capital by routing its own product through a competitor's model. Single-vendor AI lock-in is, as of this week, what the largest enterprise software company on earth is actively avoiding. So should you.
And the credit market noticed. JPMorgan pulled a $5.3B Qualtrics debt deal because investors won't underwrite SaaS paper against AI disruption risk. That's the first time AI displacement has killed a financing at the credit layer. If your company is approaching a refinance or a leverage recap, your AI credibility narrative is now a cost-of-capital input.
Do this week
Add prompt cache hit rate as a first-class metric on every multi-turn agent pipeline you operate. Set an alert on sudden drops. Then enforce deterministic serialization on tool definitions, system prompts, and prefix components — sort the keys, fix the order, validate the prefix hash before the API call. That's the ten-line fix that prevents the ten-x cost overrun OpenAI's own team didn't catch.
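The cache-fragility bug from the Codex teardown and the deterministic-serialization fix described above, as an added example that is neither OpenAI's code nor code from the page: two turns carry the same tool definition built in different key order, the naive serializer yields different prefix bytes and a zero hit rate under the simplified cache model, the canonical one does not, and a pre-call hash check refuses to send a prefix that drifted from the previous turn. The tool definitions, system prompt and the cache model in simulate_hit_rate (provider retains the most recent prefix per conversation) are assumptions made for the illustration.

```python
import hashlib
import json

# Constructed tool definitions for one agent: identical content, but the dicts
# were built with different key order on two turns (the shape of the Codex bug).
TOOLS_TURN_A = [{"name": "read_file", "parameters": {"type": "object",
                 "properties": {"path": {"type": "string"}}}}]
TOOLS_TURN_B = [{"parameters": {"properties": {"path": {"type": "string"}},
                 "type": "object"}, "name": "read_file"}]
SYSTEM_PROMPT = "You are a coding agent."  # constructed


def naive_prefix(system_prompt, tools):
    # Buggy path: json.dumps keeps insertion order, so the bytes depend on how
    # the caller happened to build the dicts, not on their content.
    return system_prompt + "\n" + json.dumps(tools)


def canonical_prefix(system_prompt, tools):
    # Fix: sort keys recursively and pin separators, so equal content always
    # serializes to identical bytes and therefore the same cache key.
    return system_prompt + "\n" + json.dumps(tools, sort_keys=True,
                                             separators=(",", ":"))


def prefix_hash(prefix):
    return hashlib.sha256(prefix.encode("utf-8")).hexdigest()


def check_prefix(prefix, expected_hash):
    # Guard to run before the API call: refuse to send a request whose prefix
    # drifted from the hash recorded on the previous turn of this conversation.
    actual = prefix_hash(prefix)
    if expected_hash is not None and actual != expected_hash:
        raise ValueError("prefix drift, cache will miss: %s != %s"
                         % (actual[:8], expected_hash[:8]))
    return actual


def simulate_hit_rate(serializer, turns=10):
    # Simplified cache model (assumption): the provider retains the most recent
    # prefix per conversation; a turn hits only if its prefix matches the last one.
    last_hash, hits = None, 0
    for i in range(turns):
        tools = TOOLS_TURN_A if i % 2 == 0 else TOOLS_TURN_B
        h = prefix_hash(serializer(SYSTEM_PROMPT, tools))
        hits += (h == last_hash)
        last_hash = h
    return hits / turns
```

Wire simulate_hit_rate's real-world equivalent (cached versus total prompt tokens reported per request) into your metrics and alert on a drop; the check_prefix guard turns a silent cost regression into a loud failure at the call site.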
While you're in that codebase, inventory every agent your engineers are running. Map credentials, scope, and kill-switch reliability. If you can't answer "what does this agent have access to and how do I stop it," you don't have an agent — you have an incident waiting for a postmortem.
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- OpenAI's Codex architecture disclosure reveals MCP failed for production agentic workflows — they abandoned it and built a custom bidirectional JSON-RPC protocol because MCP can't handle streaming, approval flows, or structured diffs.
  OpenAI's Codex team abandoned MCP for production agent workflows and discovered that non-deterministic tool ordering silently destroys prompt cache hits — if you're building agenti…
  34 sources · 8 min
- Three nation-state toolkits dropped simultaneously with published IOCs: Lazarus planted a typosquat of Meta's react-refresh (42M weekly downloads) on npm delivering PylangGhost RAT, APT28's entire C2 infrastructure leaked revealing 2,800+ exfiltrated emails and 140+ persistent Sieve forwarding rules across six countries, and a second iOS exploit kit — DarkSword — puts 270M unpatched iPhones at risk using repurposed U.S.
  Three nation-state toolkits were exposed in a single cycle — Lazarus poisoning npm, APT28 exfiltrating thousands of emails via webmail XSS, and DarkSword targeting 270 million unpa…
  34 sources · 9 min
- GPT-5.4 nano just landed at $0.20/M input tokens — 5 million classifications for $1 — while OpenAI's own Codex architecture teardown simultaneously reveals that a non-deterministic tool-ordering bug silently destroyed their prompt cache, 10x-ing per-request compute with zero functional test failures.
  GPT-5.4 nano at $0.20/M tokens reprices the inference floor — 5 million classifications for $1 — but OpenAI's own Codex teardown reveals that a non-deterministic tool-ordering bug…
  34 sources · 7 min
- OpenAI declared internal 'code red' over Anthropic's enterprise dominance and is killing Sora, its browser, hardware, and ad experiments to refocus entirely on coding tools and business workflows — while Microsoft's Copilot has penetrated just 3% of Office subscribers and chose Anthropic's Claude (not GPT) to power its new Cowork agent.
  The enterprise AI market hit a structural inflection point this week: OpenAI declared 'code red' and killed consumer experiments to chase Anthropic's enterprise lead, Microsoft's C…
  33 sources · 7 min
- JPMorgan pulled a $5.3B Qualtrics debt deal because investors refuse to buy SaaS paper in an AI-disruption environment — the first time AI anxiety has killed a major financing at the credit-market level.
  JPMorgan killing a $5.3B SaaS debt deal on AI disruption anxiety is the moment AI risk crossed from boardroom speculation into credit-market pricing — and it's happening the same w…
  34 sources · 9 min
- UTIMCO's latest fund disclosures reveal the most extreme return concentration in VC history: three LLM companies' gross profit now equals ~70% of all VC profits from the prior decade — and 100% of it is unrealized paper gains.
  VC's greatest returns in history — 70% of a decade's profits concentrated in three LLM companies — are 100% unrealized paper gains, the credit market just started pricing AI disrup…
  34 sources · 7 min