Anthropic flies safeguards to Lutnick
— Codex stable ships /import the same day.
Forty-eight hours before the Évian AI working lunch sits down, the harness war found its sharpest weekend yet. On Monday Jun 15, Anthropic chief compute officer Tom Brown, head of public policy Sarah Heck, and the technical safeguards triad of Nicholas Carlini, Logan Graham and Dave Orr arrived in Washington to sit across from Commerce Secretary Howard Lutnick and National Cyber Director Sean Cairncross — the first in-person session in a daily virtual cadence that has run since Friday's 5:21 PM ET letter pulled Fable 5 and Mythos 5 off the global menu. The trigger Anthropic is negotiating against turned out to be three words. According to Luta Security CEO Katie Moussouris — whom Anthropic itself had asked to review the safeguards report — the "jailbreak" was a researcher pasting vulnerable open-source code and writing "fix this code", with the planted bug found inside the normal defensive- security workflow. Over Sunday and Monday, 80+ cybersecurity executives including Moussouris signed an open letter to Lutnick and Cairncross calling the curb actively harmful to US cyber defense. David Sacks — the same PCAST chair who wrote "Dario refused" on Friday — shifted on Sunday to "the Admin wants all of this to happen as soon as possible" and confirmed the "ball is in Anthropic's court"; senior administration officials briefed reporters that the curb is not being extended to OpenAI or other frontier labs. Polymarket has US-customer restoration at ~82% by Jul 1 and ~61% by Jun 22 on roughly $120k traded, with at least four independent "Is Fable Back?" live trackers already up. While that delegation was in the building, the harness train shipped the sharpest defection-day cuts of the cycle: at 21:06 UTC, openai/codex rust-v0.140.0 went stable — twenty-two alphas resolved at the worst possible moment for Claude, with /import migrating Claude Code skills, hooks, MCP servers, subagents, instruction files and 30 days of session history in a single command, plus Amazon Bedrock API- key auth from the same Amazon whose CEO routed the original jailbreak to Treasury. Twenty-nine minutes later, Anthropic cut Claude Code v2.1.178 with new Tool(param:value) permission-rule syntax and classifier-vetted auto-mode subagent spawns — the answer to the question "can the harness be the safeguard?". Underneath: Google's Jun 18 cutover flips every Pro / free gemini-cli user to Antigravity CLI, Alibaba ships Qwen Code v0.18.1 stable plus Qwen Code Desktop v0.0.4 on the same Monday, and on the diplomatic plane the G7 leaders' working dinner happened tonight in Évian, with the Altman / Hassabis / Amodei AI lunch on Wednesday Jun 17 and Carney arriving with a Jun 12 Canada–France GSOIA AI-and-aerospace classified-intelligence pact already in his pocket. The throughline: the availability of Claude's flagship is being relitigated at the rate of three days, while every rival's runtime — Codex, Claude Code itself, Antigravity, Qwen — ships a harder permission edge on the same Monday.
The lede — Brown, Heck and the safeguards triad land in Washington as the open letter and the prediction market converge
Anthropic flies its safeguards delegation to Lutnick and Cairncross — Tom Brown, Sarah Heck, Nicholas Carlini, Logan Graham, Dave Orr meet at Commerce Monday Jun 15, after daily virtual sessions since Friday's 5:21 PM ET letter
Jun 15The first concrete shape of how a deployed US frontier model gets brought back from an export-controls suspension — and the cleanest read yet on which Anthropic players hold the pen on the safeguards question. Reuters via Investing.com and Yahoo/Quartz: Anthropic chief compute officer Tom Brown (co-founder), head of public policy Sarah Heck, senior security researcher Nicholas Carlini, model-risk lead Logan Graham and head of safeguards Dave Orr sat across from Commerce Secretary Howard Lutnick, National Cyber Director Sean Cairncross and their staffs at Commerce on Monday Jun 15, the first in-person session in a virtual cadence that has run every day since Friday's letter. The proposal on Anthropic's side per WSJ: tighter narrow-domain classifiers covering the cyber pathway that triggered the curb, in exchange for a modified "safeguards" letter that lets Fable 5 and Mythos 5 re-open to compliant customers without Anthropic having to identify every foreign national at the API edge. Two reads. (1) The technical-staff-as-negotiators shape is the structural tell. The names in the room are the people who could actually ship a classifier update inside hours, not lobbyists — that is the "give us a fix and we'll lift it" posture Sacks publicly described Sunday. Anthropic is treating the suspension as a safeguards engineering sprint, not a litigation sprint, which is the cheapest path back to a lifted curb and the most expensive admission that the original classifier missed. (2) The Cairncross-at-the-table appearance is the part the next "export-control-on-a-model" precedent inherits. Commerce normally writes BIS letters alone; pulling National Cyber Director into a bilateral safeguards review means the next lab above the cyber threshold also has to hand its classifier story to two authorities, not one — a structural pre- regulatory regime the Évian lunch on Wednesday will be told about in present tense.
Katie Moussouris reveals the trigger was "fix this code" — 80+ cybersecurity executives sign open letter Sunday Jun 14 telling Lutnick and Cairncross the Fable 5 curb actively harms US cyber defense
Jun 14–15The capability story the federal letter rests on dissolved this weekend into a routine-defensive-prompt story, told by the external reviewer Anthropic itself asked to look at the report. Luta Security CEO Katie Moussouris — former Microsoft cyber pro, two government cyber advisory roles — published a blog Sunday disclosing she had been asked by Anthropic to review the safeguards memo and found no guardrail bypass and no jailbreak: the Amazon researchers pasted a public open-source codebase carrying both known CVEs and "deliberately planted vulnerabilities" and prompted "fix this code"; after Fable's classifier initially refused "review the code for security issues", the same three-word prompt returned a patch — the "detailed exploit code" the federal letter cited. The same day, Moussouris and 80+ security executives signed an open letter to Lutnick and Cairncross — covered by TechCrunch, Fortune, The Register and PYMNTS — arguing the curb removes the defender's tool while leaving the attacker's, and that "defenders should be able to ask AI systems to find and fix bugs and write tests to validate the patch". Two reads. (1) The standard Sacks invoked as cleanly-applicable — pull a model when an external party shows a cyber-capable jailbreak — collapses if the "jailbreak" is a prompt indistinguishable from a Tier-1 SOC's Tuesday. The "narrow-potential-jailbreak" language Anthropic has been using since Saturday turns out to be Moussouris's technical language carried forward. (2) The signatories include the people who warned about the cyber risk in April — the same expert pool — which is the line the Eastern Herald reporting flags as politically lethal. The administration cannot point at the cyber experts for license to pull Fable on Friday and then wave them away when they sign a letter on Sunday saying the pull harms US defense.
Polymarket prices ~82% Fable 5 restored for US customers by Jul 1, ~61% by Jun 22 on ~$120k traded — at least four independent "Is Fable Back?" status trackers spawn in 72 hours
Jun 13–15The first time a deployed US frontier model has its own prediction market and its own downdetector infrastructure inside the same weekend, and the cleanest external read on how long the harness war thinks the suspension lasts. Polymarket's "Claude Fable 5 restored for US customers by …" event, opened Jun 13 19:37 UTC, sat at ~82% probability of by Jul 1, ~61% by Jun 22, on roughly $120k in trading volume by Monday — earlier readouts (61% by Jun 22, 82% by Jul 1) tracked the Sacks tone-shift in real time. Parallel: independent live status pages — isfableback.org, isfablebackyet.com, isfableback.com, isfableback.online — each polling the API and showing the running outage clock, the way downforeveryoneorjustme did for cloud outages a decade ago. Two reads. (1) The prediction-market-as- policy-clock is the under-the-radar governance signal. The same Polymarket series that turned Trump-vs-Biden into a ticker now ticks on a Commerce letter — and the implied ~16-day mean restore window tells administration negotiators exactly how much patience the public stack has before "export-controls-on-the-model" gets priced as a recurring regulatory state. (2) The tracker-as-infrastructure pattern says Fable 5 matters to enough builders that a $10/$50-per- million model warrants its own status-page ecosystem within 72 hours of going dark. It also gives every G7 lunch attendee a live URL to point at "the model the US government revoked", which is the exact metaphor Carney's 2008-frame benefits from.
Sacks softens, the administration confirms the curb stays Anthropic-specific
Update — David Sacks shifts from "Dario refused" to "the Admin wants this lifted as soon as possible after the Fable 5 fix"; says the export control was issued "reluctantly" and "the ball is in Anthropic's court"
Jun 14–15The 72-hour tone-shift inside the same administration spokesman that gives the weekend its real read on intent — and the first time the federal side has framed the pull as a technical engineering bug rather than a safety governance bug. Friday Jun 12, on X: "a highly credible trusted partner" surfaced a jailbreak, Commerce "requested Anthropic either fix the vulnerability or remove the model", and "Dario refused". Sunday Jun 14, per Benzinga, The Tribune, ANI: "The Admin's hope now is that Anthropic remediates the safety issue, the export control is lifted, and Fable goes back into general release." "The Admin wants all of this to happen as soon as possible." The export control was issued "reluctantly"; the "ball is in Anthropic's court"; the issue "should be easily resolved". Two reads. (1) The "reluctantly" framing is the exit-ramp language. If the administration positions the curb as a technical-fix prerequisite — not a permanent national-security determination — the precedent the BIS letter sets is much smaller than the 2008-systemic-AI-risk reading Carney imported into G7 week. (2) The "ball is in Anthropic's court" line ties Sacks's tone-shift directly to the Monday meeting in Item 01 — the administration is publicly handing the resolution timeline to the safeguards delegation that just walked into the building. The Polymarket ~82%-by-Jul 1 price is reading exactly that text.
Trump administration confirms it is unlikely to extend the curb to OpenAI or other frontier labs — the export-controls-on-the-model precedent is being scoped Anthropic-specific, not industry-wide
Jun 15The under-the-radar political read that changes the structural implication of last week's BIS letter — and the one piece of administration framing that materially de-risks the "every-frontier-lab-now-lives-under-Commerce" read the cycle imported on Friday. Benzinga, via Bloomberg reporting Monday: the Trump administration is "unlikely to expand" the AI export curbs to OpenAI or other rivals; the action is being scoped to the specific Fable 5 / Mythos 5 cyber capability and the specific classifier shape that missed it. Stocktwits's former-US- AI-adviser reporting from the same day adds that the focus is the Anthropic-specific safeguards posture, not a new industry-wide pre-deployment regime. Two reads. (1) The cap-on-the-precedent shape is the argument Mistral's ~€20B capital-stack and open-weights-as-export-control-immune positioning rely on most. If the curb is Anthropic-specific not capability-class, European sovereign-AI demand has to be explicitly priced — not assumed — into the "diversification hedge" argument Carney brings to Évian. (2) The OpenAI competitive-asymmetry read is the under-the-radar accelerant on the same Monday Codex stable cut shipped (Item 06). The administration's signal that the curb stops at Anthropic explicitly leaves Codex's enterprise pipeline untouched and pairs neatly with the /import migration tool — which is a defection ramp the administration just declined to close.
The harness war ships the same Monday — stable cuts inside the same half-hour
Update — openai/codex rust-v0.140.0 GOES STABLE Jun 15 21:06 UTC, ending the 22-alpha buffer: /import migrates Claude Code skills, hooks, MCP servers, subagents, instruction files and 30 days of session history; Amazon Bedrock API-key auth lands; /usage exposes daily/weekly/cumulative token meters
Jun 15 21:06 UTCThe single sharpest competitive move of the cycle and the cleanest answer to the "why did Codex buffer twenty-two alphas under the lid" question yesterday's brief asked. openai/codex rust-v0.140.0 shipped to the stable channel at 21:06 UTC on Monday Jun 15 — promoting through alphas 1 → 22 in six days with a final alpha.22 earlier that morning. The marquee feature: /import, which scans the local machine for Claude Code configuration — skills, hooks, MCP servers, subagents, instruction files, 30 days of session history — and migrates what it can automatically, opening an AI-assisted follow-up thread for the rest. Bundled with that: Amazon Bedrock API-key authentication with encrypted credential storage (the same Amazon whose CEO routed the Fable 5 jailbreak to Treasury on Friday is now a first-class auth target inside Codex stable); a token-usage /usage view surfacing daily, weekly and cumulative consumption; session deletion via codex delete, /delete and app-server APIs; SQLite-corruption auto-recovery with backup + rebuild; MCP transient-failure retries; Ctrl-C-during-background-command preserved output; a unified @-mentions menu over files, plugins and skills. Two reads. (1) The timing-as-message is the point. Anthropic's Agent SDK billing split landed Monday and the Washington meeting started Monday; Codex stable shipped that night with the "move your config in one command" feature explicitly named. The harness war no longer ships at the same cadence; it ships at the same moment. (2) The Bedrock-auth detail is the one Anthropic strategists will notice most. ~100,000+ of Anthropic's ~300,000 business customers reach Claude via Bedrock; the same auth surface now opens directly into Codex stable without changing IAM. The path of least resistance for a Bedrock-shop builder under the Fable 5 outage is one codex /import away.
Update — Claude Code v2.1.178 ships Jun 15 21:35 UTC, 29 minutes after Codex stable: Tool(param:value) permission-rule syntax with wildcards (e.g., Agent(model:opus)), nested .claude/skills load with directory-qualified names, classifier-vetted auto-mode subagent spawns
Jun 15 21:35 UTCThe Anthropic answer to the 21:06 UTC Codex cut, shipped from the same release pipeline that pushed v2.1.177 on Jun 13 and signalling that "can the harness be the safeguard" is now the design question Claude Code is building around. anthropics/claude-code v2.1.178 shipped at 21:35 UTC — 29 minutes after Codex stable — with: a new Tool(param:value) permission-rule syntax that matches a tool's input parameters with * wildcards (the worked example in the notes is Agent(model:opus) to block Opus subagents); nested .claude/skills directories now loading when the agent works on files there, with name-clash collisions surfaced as <dir>:<name>; directory-closest-wins for nested .claude/ agent / workflow / output-style resolution; auto mode subagent spawns now evaluated by the classifier before launch, closing the gap where a subagent could request a blocked action without review; a flat-tree /doctor redesign; skill-listing truncation warnings. Two reads. (1) The Tool(param:value) primitive is the under-the-radar safeguard story. Anthropic spent the weekend negotiating with Commerce over a missing capability-classifier on the Mythos cyber pathway; the same Monday it shipped a parameter-level permission edge inside its own harness. The safeguards-as-runtime-feature pitch the Washington delegation is making is also being shipped — by Anthropic — to every Claude Code installation. (2) The 29-minute-gap against Codex stable is no longer accidental. The release feed has been parallel for the Jun 5 → Jun 15 window and the gap has been compressing; from Monday onward, neither side ships at a separate cadence from the other on the same news day. The Évian AI lunch on Wednesday will meet a harness war that synchronised its release timing inside half an hour.
The runtime takeovers underneath — Google flips Gemini CLI to Antigravity in three days, Alibaba stables Qwen Code Desktop the same Monday
Google flips every Pro / free Gemini CLI user onto Antigravity CLI on Jun 18 — the Go-rewritten runtime ships with multi-agent orchestration, a built-in Chromium browser, an SDK, and a Managed Agents API; Code Assist Standard / Enterprise license holders keep Gemini CLI access
Jun 18 cutoverThe third runtime takeover of the same week, and the one whose timing — exactly three days after Évian closes — is the calendar tell. Per the Google Developers Blog "An important update: Transitioning Gemini CLI to Antigravity CLI": on Jun 18, gemini-cli and the Gemini Code Assist IDE extensions stop serving requests for Google AI Pro and free tier users. Those users must migrate to Antigravity CLI, the Go rewrite Google shipped as part of Antigravity 2.0 at I/O — a full agent-first stack: rebuilt desktop app, CLI in Go for faster execution, async multi-agent workflows, a Managed Agents API, and an embedded Chromium browser for real-time web interaction. Organisations on Code Assist Standard or Enterprise licenses keep gemini-cli access unchanged. Two reads. (1) The forced-runtime-migration shape is what Google has been signalling for two months and what most builders kept hoping was a longer runway. The actual cutover lands one day after Wednesday's G7 AI lunch closes — the fastest-growing free-tier coding-agent surface on Google's platform changes brand, binary and primitives on the same week the Évian communiqué hits the press. (2) The licensed-customers-exempt carve-out is the under-the-radar enterprise signal. Google is willing to flip Pro and free users overnight but is unwilling to breach an existing Code Assist Standard / Enterprise seat agreement — a polite acknowledgement that the integrator-and-contract layer (DXC / TCS / EPAM territory) is the one part of the agent stack the labs cannot churn at runtime cadence.
Alibaba ships Qwen Code v0.18.1 stable and Qwen Code Desktop v0.0.4 on Jun 15 — the open-weights coding agent gets a desktop the same Monday Codex stable cuts /import and Claude Code ships Tool(param:value)
Jun 15The under-the-radar runtime cut from the only frontier-class lab that cannot have its model placed under a Commerce export-controls letter. Jun 15: QwenLM/qwen-code v0.18.1 shipped to the stable channel, capping a v0.18.0-preview.0 → preview.2 → v0.18.0 → v0.18.1 sprint across Jun 9 → Jun 15. The same day, QwenLM/qwen-code's desktop fork published desktop-v0.0.4 — Qwen Code Desktop's first numbered shipping cut. The CLI continues to run against Qwen3-Coder (480B-parameter MoE with 35B active) and remains forkable from Gemini Code CLI's upstream — but Monday's release pairs the terminal binary with a desktop surface that competes directly for the same hands-on workflow as Codex Desktop and Claude Code. Two reads. (1) The open-weights-as-availability-hedge argument from yesterday's Mistral item generalises east. Whatever the Évian communiqué says on Wednesday about "trusted ally" model availability, an open-weights coding stack with a desktop surface and a permissive license cannot be put under an export-controls-on-the-model letter — there is no "the company" to write a letter to. (2) The Gemini-Code-CLI-derived codebase continues to be the under-the-radar supply-chain detail. Google's own Jun 18 deprecation of gemini-cli for Pro / free users leaves Qwen Code's upstream parent on a wind-down trajectory inside Google's own product line — which only sharpens the argument for the fork to become its own project rather than track upstream.
The G7 lunch walks in Wednesday with the dispute live — Carney lands in Évian with a Jun 12 bilateral in his pocket
G7 Évian leaders' working dinner happened tonight Jun 15 — Trump arrived through the day; the AI working lunch with Altman, Hassabis and Amodei still scheduled Wed Jun 17 with the Fable 5 dispute live and unresolved
Jun 15–17The summit landed exactly the way the weekend telegraphed it would: the lab dispute survived intact into the room. Trump arrived in France through Monday Jun 15; the leaders' working dinner hosted by Macron at Évian opened the summit hours after the Anthropic delegation concluded its day at Commerce, per the Hill Times and YourNews. The Wednesday Jun 17 AI working lunch — three CEOs (Altman, Hassabis, Amodei) at the same G7 table for the first time on record — remains scheduled with no concrete restoration of Fable 5 on the calendar; Polymarket's implied Jun 22 probability is still under two-thirds. The Council on Foreign Relations framing read the summit as Macron's-vs-Trump's-agenda, with AI now displacing trade and Iran as the one topic with a live policy incident attached. Two reads. (1) The CEO-at-the-table-during-an-active- action-on-the-CEO's-product shape is a first. Amodei walks into Wednesday's lunch while his company is mid-negotiation with Lutnick; whatever the lunch communiqué says about "international cooperation" is going to be read in the present tense against the export-controls letter sitting on his negotiator's desk. (2) The Évian-as-rehearsal-for-the-2027- forum shape is the structural part the summit ships regardless of the communiqué — a precedent for a phone tree with sitting heads of state on it when the next safeguards dispute breaks. The "who do you call" question that has lived in ad-hoc letters since 2023 now has a working seat.
Carney lands in Évian with a Canada–France GSOIA AI-and-aerospace classified-intelligence pact signed Jun 12 in Paris — sixth such bilateral Canada has signed since Dec 2024, explicitly covers defence, space, AI and aerospace sectors
Jun 12The bilateral signal that backstops Carney's "never a good idea to have one option" framing with an actual signed instrument — and the one piece of infrastructure G7 week added that does not depend on Wednesday's communiqué surviving. Paris, Jun 12: Canadian PM Mark Carney and French President Emmanuel Macron announced a General Security of Information Agreement (GSOIA) that facilitates the exchange of classified intelligence in defence, space, artificial intelligence and aerospace sectors; per CBC, Globe and Mail and the Refdesk aerospace-and-defence guide, it is the sixth such GSOIA Canada has signed since December 2024, positioning AI explicitly alongside traditional aerospace and defence classified categories for the first time in Canadian bilateral practice. Two reads. (1) The AI-as-classified-category shape inside a bilateral intelligence agreement is the structural lift. Until Jun 12, the AI-policy plane lived in voluntary commitments and AI-Act preambles; GSOIA imports it into the same framework that governs satellite imagery and signals intelligence sharing. The next time a frontier-lab disclosure surfaces in Europe, Canadian and French ministers can route it under a classified bilateral channel rather than a press release — which is the exact opposite of the "export controls in a Friday X post" pattern the Anthropic episode just set. (2) The Carney-bilateral-stack going into Évian is now visibly built. Six GSOIAs, plus the AI-for-All $2.3B sovereign-AI strategy, plus the 2008-shape framing en route. The "diversification hedge" is no longer a slogan; it is a paperwork position the PM can table inside the room without waiting for the communiqué to legitimise it.
← Back to all Spotlight editions
