TLP:CLEAR · AI-2026-0630

Daily AI Builder Brief - June 30, 2026

MCP's identity layer hardens (zero-touch OAuth, enterprise-managed connectors, self-hosted sandboxes for Claude Managed Agents) the same week a systemic MCP SDK RCE advisory lands; Claude Code 2.1.195 ships an exact-match hook-matcher fix and a classifyAllShell auto-mode control.

By The Operator·June 30, 2026·3 min read
Tags: ai, claude-code, anthropic, mcp, builder-intel

The Operator's Take

Two MCP stories broke in the same window, and they point opposite directions. The protocol is finally growing up on identity: zero-touch OAuth, enterprise-managed connectors, and self-hosted sandboxes for agents. At the same time, researchers are publishing a systemic, by-design RCE pattern that reaches across the official SDKs. Read together, the message is simple: every MCP server is a trust boundary, not a convenience. If you're wiring agents to third-party servers this quarter, the move isn't "add more connectors," it's adopt the new managed-auth path, run servers sandboxed, and treat any server you didn't write as hostile until proven otherwise.

Executive Summary

  • Claude Code 2.1.195 fixes hook matchers that were substring-matching hyphenated identifiers (e.g. code-reviewer, mcp__brave-search): now exact-match only.
  • Claude Code 2.1.193 adds autoMode.classifyAllShell to route every Bash/PowerShell command through the auto-mode classifier, not just arbitrary-code-execution patterns.
  • A new OTEL log event, claude_code.assistant_response, can capture model output text (redacted unless OTEL_LOG_ASSISTANT_RESPONSES=1).
  • Claude Managed Agents can now run in a sandbox you control and connect to your private MCP servers (public beta).
  • Enterprise-managed MCP connector access shipped, starting with Okta: provision once, users get zero-touch access on first login.
  • OX Security published a systemic MCP advisory describing RCE reachable through the official SDK pattern across thousands of public servers.

Claude Code

2.1.195 hardens hook matching and background tasks (June 26)

Hook matchers no longer substring-match hyphenated names, so a matcher like mcp__brave-search won't accidentally catch unrelated tools whose names merely contain it. Use mcp__brave-search__.* to match every tool exposed by a hyphenated server. Background-agent fixes also landed for crashed-task recovery and unreachable daemons. Changelog
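To see why the exact-match fix can silently change which hooks fire, here is an added example (not code from the Claude Code changelog or project) that models the two matcher semantics side by side and reports, per matcher, which tools it caught before and after. The model is an assumption: the old behaviour is treated as an unanchored regex search (which is a substring match for a literal name), the new behaviour as an exact name or a regex that must match the whole tool name. The tool names are constructed sample values, not real servers.

```python
import re

# Constructed sample tool names as a hooks matcher might see them
# (hypothetical server and tool names, not taken from the changelog).
TOOL_NAMES = [
    "Bash",
    "mcp__brave-search__web_search",
    "mcp__brave-search__local_search",
    "mcp__brave-search-archive__fetch",   # a second server whose name contains the first
    "mcp__code-reviewer__review",
]


def matches_old(matcher, tool_name):
    """Assumed pre-2.1.195 behaviour: unanchored search, so a literal
    matcher such as 'code-reviewer' hits any tool name containing it."""
    try:
        return re.search(matcher, tool_name) is not None
    except re.error:
        return False


def matches_new(matcher, tool_name):
    """Assumed post-fix behaviour: an exact tool name, or a regex that has
    to cover the whole name (so 'mcp__brave-search__.*' still matches the
    server's tools, but bare 'mcp__brave-search' no longer does)."""
    if matcher == tool_name:
        return True
    try:
        return re.fullmatch(matcher, tool_name) is not None
    except re.error:
        return False


def audit_matchers(matchers, tool_names=TOOL_NAMES):
    """For each matcher, list the tools it fired on under both semantics and
    the difference, so a builder can spot hooks that stop or start firing."""
    report = {}
    for m in matchers:
        old = [t for t in tool_names if matches_old(m, t)]
        new = [t for t in tool_names if matches_new(m, t)]
        report[m] = {
            "old": old,
            "new": new,
            "lost": [t for t in old if t not in new],
            "gained": [t for t in new if t not in old],
        }
    return report


if __name__ == "__main__":
    # Matchers a builder might have written before the fix.
    for matcher, result in audit_matchers(
        ["Bash", "code-reviewer", "mcp__brave-search", "mcp__brave-search__.*"]
    ).items():
        print(matcher)
        for key in ("old", "new", "lost", "gained"):
            print(f"  {key:7}: {result[key]}")
```

A matcher that shows anything under "lost" is one to rewrite before upgrading: a bare server prefix becomes `mcp__<server>__.*`, and a bare fragment like `code-reviewer` has to be spelled out as the full tool name or a whole-name regex.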

2.1.193 adds shell-classifier control and response telemetry (June 25)

autoMode.classifyAllShell sends all shell commands through the classifier, and a new OTEL event can log assistant responses for audit pipelines. Changelog

Anthropic

Managed Agents get self-hosted sandboxes and private MCP

Tool execution can move to infrastructure you configure (your own, or Cloudflare, Daytona, Modal, Vercel) while the orchestration loop stays on Anthropic. Agents can reach your private MCP servers. Anthropic News

Enterprise-managed MCP connectors (Okta first)

Admins provision a connector once; members get authorized access on first login across Claude, Claude Code, and Cowork. Anthropic News

MCP Ecosystem

Zero-touch OAuth for MCP (June 18)

The Enterprise-Managed Authorization extension lets orgs centrally manage authorization and gives end users single sign-on across connected servers. Pair this with the 2026-07-28 spec release candidate's stateless core and authorization hardening. MCP Blog

Broader AI

Systemic MCP SDK RCE advisory

OX Security details an arbitrary-command-execution pattern baked into the official SDK behavior across languages, affecting thousands of public servers. Anthropic characterizes the behavior as expected, which puts the burden on you. See MCP security and prompt injection. OX Security

What This Means For Builders

  • Audit hook matchers now: the exact-match fix may silently change which hooks fire. Confirm your mcp__* patterns still match.
  • Default to the managed-auth and sandbox paths for any agent touching MCP. Don't connect unvetted third-party servers to privileged tools.
  • Turn on classifyAllShell and claude_code.assistant_response logging where you need an audit trail for agentic red teaming.
  • Pin and review MCP server versions like any supply-chain dependency. The SDK pattern means "official" is not the same as "safe."

Sources

  1. https://code.claude.com/docs/en/changelog
  2. https://www.anthropic.com/news
  3. https://blog.modelcontextprotocol.io/
  4. https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/
  5. https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/
  6. https://krypteiasec.com/glossary
Krypteia Sec Research · June 30, 2026