---
title: "Agent Stack — June 8, 2026"
description: "Amazon Bedrock AgentCore Runtime adds interactive shells for live terminal access into agent sessions; Microsoft Foundry ships production memory stack f…"
canonical_url: "https://artificialcuriositylabs.ai/daily/agent-stack/2026-06-08/"
md_url: "https://artificialcuriositylabs.ai/daily/agent-stack/2026-06-08.md"
published_at: "2026-06-08T00:00:00.000Z"
beat: "agent-stack"
topics:
  - "AWS"
  - "Bedrock AgentCore"
  - "agent runtime"
  - "debugging"
  - "API"
  - "Microsoft"
---

## The read

The harness, tool surface, and delegation topology are commoditizing together. When every vendor ships MCP and orchestration, the moat is how humans wire judgment, guardrails, and institutional context into the agent loop — not whether agents can run.

## What moved

- **Amazon Bedrock AgentCore Runtime adds interactive shells for live terminal access into agent sessions** — [AWS What's New](https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-bedrock-agentcore-runtime/)
  AWS shipped a new InvokeAgentRuntimeCommandShell API that opens a persistent, PTY-backed terminal over WebSocket directly into a running agent's microVM — preserving env vars, working directory, and history across reconnects (up to 10 concurrent shells per runtime, sessions resumable via shell ID). It complements the existing stateless InvokeAgentRuntimeCommand for one-shot calls. **Builder angle:** Gives builders an SSH-like debug path into live agent runtimes (inspecting generated files, checking package versions, completing device-code logins) without redeploying or instrumenting the agent.

- **Microsoft Foundry ships production memory stack for agents: procedural memory, TTL, CRUD UI, multimodal recall** — [Microsoft Foundry Blog](https://devblogs.microsoft.com/foundry/memory-build2026/)
  Foundry's Build 2026 memory update adds procedural memory that captures and reuses successful action sequences (~5% gain on STATE-Bench/Tau-Bench), a portal UI for direct CRUD on stored memories, configurable time-to-live to auto-retire low-value entries, multimodal (image) memory, and explicit remember/forget commands. Agent Framework also gains a local file-based MemoryFileStore/MemoryContextProvider pattern for inspectable markdown memory before scaling to managed stores. **Builder angle:** Turns agent memory from an opaque black box into something you can inspect, version, cap with TTL, and unit-test locally before promoting to a managed store — directly changes how memory gets debugged and governed in production harnesses.

- **Azure SRE Agent launches Plugin Marketplace with git-commit-pinned, hash-verified skill installs** — [Microsoft Learn / Azure Docs](https://learn.microsoft.com/en-us/azure/sre-agent/plugin-marketplace)
  Azure SRE Agent now lets teams register curated GitHub-hosted marketplaces (via marketplace.json manifests, including the official Azure SRE Agent Plugins and Anthropic's Claude Plugins repos) and install bundled skills + MCP server configs. Each install pins to an exact git commit and records provenance (source/version/hash), with one-click update checks via SHA-256 hash comparison. Private repos and GitHub Enterprise are supported with shared per-marketplace credentials. **Builder angle:** Makes skill distribution reproducible and auditable — version pinning plus hash diffing means upstream changes can't silently alter agent behavior, cutting per-skill setup from ~10-15 minutes to ~30 seconds.

## Also tracking

- **NetFoundry launches zero-trust MCP and LLM gateways with no shared API keys** — [source](https://www.prnewswire.com/news-releases/netfoundry-launches-enterprise-class-mcp-and-llm-gateways-bringing-zero-trust-to-ai-deployments-302789053.html) — Replaces runtime allow/deny checks with registry-level tool removal and identity-based (not key-based) agent auth — a different default for teams wiring agents to MCP servers in regulated or air-gapped environments.
- **Critical RCE in Flowise lets attackers hijack MCP stdio transport config to run OS commands** — [source](https://www.penligent.ai/hackinglabs/cve-2026-40933/) — A concrete deployment blocker for anyone wiring stdio-transport MCP servers into agent platforms — validate/sandbox subprocess launch configs rather than trusting schema checks alone, and patch Flowise to 3.1.0 immediately.
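
For the Flowise item above, one way to validate a stdio MCP launch config against a deployment allowlist before any subprocess is started. This is an added example, not Flowise's code or its patch; the `command`/`args`/`env` config shape, the allowlisted launchers and entry points, the permitted flags and the env variable name are all assumptions.

```javascript
// Added example, not Flowise code: allowlist check for an MCP stdio launch config.
// Every policy value below is an assumption to be replaced per deployment.
const POLICY = new Map([            // launcher -> entry points it may run
  ["node", new Set(["/opt/mcp/servers/files/index.js"])],
  ["npx", new Set(["@modelcontextprotocol/server-filesystem"])],
]);
const ALLOWED_FLAGS = new Set(["-y", "--yes"]);      // launcher flags before the entry point
const ALLOWED_ENV = new Set(["MCP_LOG_LEVEL"]);      // hypothetical variable name

// Returns a list of policy violations; an empty list means the config may be launched.
function validateStdioConfig(cfg) {
  const errors = [];
  const { command, args = [], env = {} } = cfg ?? {};
  if (typeof command !== "string" || !POLICY.has(command)) {
    errors.push(`command not allowlisted: ${String(command)}`);
  }
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    errors.push("args must be an array of strings");
    return errors;
  }
  // Everything before the first non-flag argument is a launcher flag (eval,
  // preload and shell-call switches live here), so only known flags pass.
  const entryIdx = args.findIndex((a) => !a.startsWith("-"));
  const flags = entryIdx === -1 ? args : args.slice(0, entryIdx);
  for (const f of flags) {
    if (!ALLOWED_FLAGS.has(f)) errors.push(`flag not permitted: ${f}`);
  }
  const allowedEntries = POLICY.get(command);
  if (allowedEntries && !allowedEntries.has(args[entryIdx])) {
    errors.push(`entry point not allowlisted: ${String(args[entryIdx])}`);
  }
  // Environment is allowlisted by name: loader and path variables change what
  // an otherwise approved binary executes.
  if (env === null || typeof env !== "object") {
    errors.push("env must be an object");
  } else {
    for (const k of Object.keys(env)) {
      if (!ALLOWED_ENV.has(k)) errors.push(`env var not permitted: ${k}`);
    }
  }
  return errors;
}

// Constructed sample configs, not taken from any advisory or real deployment.
const SAMPLES = {
  ok: { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/srv/docs"], env: { MCP_LOG_LEVEL: "info" } },
  evalFlag: { command: "node", args: ["-e", "process.exit(0)"] },
  shell: { command: "sh", args: ["-c", "echo constructed"] },
  loaderEnv: { command: "node", args: ["/opt/mcp/servers/files/index.js"], env: { NODE_OPTIONS: "constructed" } },
};
```

Run the check server-side where the config is accepted and again just before launch, and start the process with an argument array and no shell.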
