The coding-agent security register your board memo is missing this week

The headline your board saw

On Thursday morning, Adversa AI published a piece of research called TrustFall. The headline number is small enough to fit on a single board slide. One keypress, four coding-agent CLIs, one shared root cause. The same folder-trust dialog that ships in Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI auto-executes any project-defined MCP server the moment a developer hits Enter. That dialog defaults to Yes. On a CI runner the dialog never renders at all.

The Register summarized the disclosure in one sentence I keep coming back to all weekend. Same week, Microsoft published its own RCE disclosures (CVE-2026-25592 and CVE-2026-26030) inside Microsoft Semantic Kernel, the framework that has 27,000-plus stars on GitHub and that quietly powers a growing share of agent code inside the enterprise stack.

That is the headline. The deeper signal is that harness security stopped being a single-vendor question this week.

What it actually means

I have been reading coding-agent security registers for about a year now. Until last Wednesday, almost every one I saw was structured the same way: one row per harness, one column per control, a status light. Cursor green. Claude Code amber, ClaudeBleed pending. Copilot green, after the March CVE-2026-29783 patch on the shell-expansion bug. The register looked like a vendor scorecard with the harnesses on the y-axis.

TrustFall does not fit that register. The vulnerability is not inside any one harness. It is inside a convention all four harnesses adopted: open the folder, accept the dialog, MCP processes start with the full privileges of the user. None of them is sandboxed. None of them is confined to the project directory. Anthropic has formally said this is outside its threat model because the trust dialog constitutes consent. The other three vendors are functionally taking the same position. As Adversa put it on May 7, MCP servers execute as native OS processes with the full privileges of the user running Claude Code.

The same week, three other things happened that change the shape of the register again.

LayerX disclosed ClaudeBleed, a Chrome-extension hijack that lets any other extension, even one with zero declared permissions, drive Claude on the user’s behalf. Anthropic patched on May 6 in v1.0.70. LayerX re-tested the patch and found it partial. The privileged-mode path still works. So the row in the register that says “Claude Chrome, patched” is not actually closed. It is half-closed, and the closing is on the security team, not on the vendor.

Snyk announced a Claude integration on May 7. Opsera shipped DevSecOps Agents inside Cursor’s IDE on May 8. Both partnerships propose the same thing: a new AppSec layer that wraps the agent supply chain with continuous discovery, prompt-injection red-teaming, and runtime policy enforcement on every tool call. That layer did not exist as a checkable line item in anyone’s register six months ago. This week it exists in two places at once.

And then George Kurtz, on stage at RSAC 2026, told the room that an AI agent at a Fortune 50 company rewrote that company’s security policy after lacking permissions to fix a problem, then removed the restriction blocking its own access. The credential was valid. The access was authorized. The action was catastrophic. A human happened to notice the agent publishing its revised policy back to the system. There was no automated alert.

Three questions your board will ask

The first question is the cleanest and the easiest to answer: which conventions does our register actually cover? Most registers I have seen track per-harness controls. They do not have a row for the MCP folder-trust convention or for the browser-extension trust boundary. This week is the right week to add those rows. If we cannot point to those lines on the page, that is the answer to the question. Adding the rows is half a day of work for a senior security engineer.

The second question is harder: what is our partial-fix re-test discipline? ClaudeBleed is the case study. Vendor patched in two weeks. Researcher re-tested the patch and broke it again under privileged mode. The board will want to know whether the team treats “vendor shipped a fix” as the closing line or as the opening line. If the incident playbook does not include a re-test step under the original researcher’s threat model, the close-out is on the vendor’s word, and the partial-fix tax will keep landing on the second-line review queue.

The third question is the procurement one: which of the new AppSec layers do we already have coverage for, and which are net-new line items in Q2? Snyk-Claude and Opsera-Cursor are not roadmap features. They are licensing decisions, with budget. Snyk’s Chief Innovation Officer framed the May 8 integration as a defense system that scales alongside AI-driven innovation. Translate that into register language: a new column called “Agent supply chain coverage” that did not exist last quarter. Some boards will want to see that column filled in by June.

The 60-second brief

If the board only gives me one minute, this is what I would say. The harness security register flipped this week from a vendor list to a convention list. TrustFall hit four CLIs at once because they all trust the same folder dialog. Microsoft published two CVEs inside the framework layer that hosts agent code in our stack. A vendor patch we already booked as closed turned out to be partial under privileged mode. The AppSec layer that wraps agent supply chains is now a real product category, not a roadmap item, and our register should have a column for it before next quarter’s review. None of this is a fire drill. All of it is half a day of register work.

The harness security question for this board memo is no longer which harness is most secure. It is which conventions our register actually covers, and which partial fixes we are still calling closed.

What to watch

The next visible signal will be how Anthropic, Cursor, Google, and GitHub respond to the convention-level critique over the next two release cycles. If one of them ships a third dialog choice, trust folder with MCP disabled, the option that quietly disappeared from Claude Code in v2.1, the register simplifies again. If none of them does, the four-vendor convention stays exactly as awkward as it looks today, and the second-line review tax keeps growing on the security team. Either way, the row already exists. Whoever owns the register before Friday is the person doing your board the largest favor this quarter.