“Just trust the vibes” became 2025’s unofficial motto for working with AI agents. And it worked—until it didn’t.

This week’s stories capture a field learning where vibes end and production begins. MCP hit its one-year anniversary with 97 million monthly SDK downloads; three new tools landed to fill gaps in the agent integration stack. A provocative piece argues that tool-calling should eat RAG for most enterprise use cases—part of the “Context Engineering” conversation that dominated the back half of 2025. Armin Ronacher reflects on a year of agentic coding, but security researchers found 30+ vulnerabilities in the tools powering that workflow—and practitioners are asking hard questions about sandboxing. And a critical LangChain vulnerability (CVSS 9.3) validates years of criticism about abstraction-heavy framework design.

The common thread: the gap between shipping fast with agents and building systems that hold up. This week, both sides of that gap got clearer.

The Plumbing Arrives

If vibes are the frontend of agentic development, this week showed us what the backend looks like—and it’s consolidating fast.

MCP turned one year old in November. The numbers tell the story: 97 million monthly SDK downloads, adoption from OpenAI, Google, and Microsoft, and OpenAI deprecating its Assistants API in favor of the protocol. Anthropic donated MCP to the Linux Foundation this month. The “USB-C for AI” pitch is actually landing.

Three releases this week filled adjacent gaps in the stack. Microsoft’s Agent Framework unifies Semantic Kernel and AutoGen into a single system for graph-based orchestration—explicit routing, checkpointing, and human-in-the-loop patterns baked in. Toad, from Will McGugan (creator of Rich and Textual), provides a unified terminal UI for agent CLIs. It uses the ACP protocol, which merged with Google’s A2A standard under the Linux Foundation back in September. And Vibium, from Selenium’s creator, ships browser automation as an MCP server: one Go binary, zero setup.

The pattern: protocols are standardizing, CLIs are unifying, and the primitives for production agents are settling into place. The caveat, as one widely-shared article noted: “the S in MCP stands for security.” The plumbing is arriving—but so are the attack surfaces.

Maybe You Don’t Need Those Embeddings

The RAG playbook has become reflex: chunk your documents, embed them, build a vector store, retrieve and synthesize. The market agrees—RAG is valued at $1.85 billion in 2025 and projected to hit $67 billion by 2034.

But a provocative piece this week argues that for many enterprise use cases, this is overengineered. The thesis: agentic LLMs with tool-calling can query existing systems—CRM, billing, data warehouse—directly. For structured queries and aggregations, RAG struggles with freshness and precision. Orchestrated API calls plus LLM synthesis often work better.

This aligns with what practitioners are calling “Context Engineering”—the hot topic in the latter half of 2025. The insight is counterintuitive: bluntly cramming all potentially relevant data into the context window actually impairs reasoning and tool-calling. More context isn’t always better context.

The emerging pattern is “Agentic RAG”—combining retrieval with tool use rather than treating them as alternatives. But the starting point matters. Teams already running MCP servers against their data layer are finding that tool-calling alone handles more than they expected. Embeddings become optional infrastructure you add when specific use cases justify it, not the default architecture.

The Limits of Letting Go

Armin Ronacher’s year-end reflection captures where many practitioners landed in 2025. He moved from manual IDE work to largely hands-off CLI agents—Claude Code, Amp, Pi—with LLM code generation, filesystem context, and skill-based actions becoming the default workflow. The vibes, he reports, are good.

The numbers back him up. JetBrains found that 85% of developers now use AI tools for coding. Google’s year-end review put it bluntly: “Three things defined 2025: agents got jobs, evaluation became architecture, and trust became the bottleneck.”

Trust, it turns out, isn’t free. The “IDEsaster” security research published this month found over 30 vulnerabilities across major AI coding platforms—Cursor, Windsurf, GitHub Copilot, Zed, Roo Code, Cline—resulting in 24 CVEs. The worst, CamoLeak (CVSS 9.6), enabled silent exfiltration of secrets and source code from private repositories. The advice from researchers: treat AI agents as untrusted third parties with the same controls you’d apply to external contractors.

A Hacker News thread this week asked the practical question: how are you actually sandboxing coding agents? Answers ranged from git worktrees in devcontainers to Firecracker microVMs to Linux sandboxes like firejail. On December 9th, OWASP released its first Top 10 for Agentic Applications—the industry’s attempt to standardize what “secure enough” means.

The paradox is sharp: moving fast requires trust, but building trust takes time. The vibes are good—but production means defining explicit boundaries for what agents can touch, where they can reach, and how much autonomy they get before a human checks in.

LangChain’s Long-Warned Reckoning

LangChain has faced persistent criticism since 2023. Max Woolf’s “The Problem With LangChain” called out abstraction complexity early. A 2024 Hacker News thread on ditching LangChain drew hundreds of comments about debugging difficulties and “black box” behavior. As recently as this month, developers were posting “Why I’m avoiding LangChain in 2025.”

The recurring complaint: layers of abstractions—chains, runnables, agents, tools, callbacks—that obscure what’s actually happening. One developer summarized it as needing five layers of abstraction just to change a minute detail. Another called debugging an archeological dig.

This week, that criticism got a CVE number. CVE-2025-68664 is a critical deserialization vulnerability (CVSS 9.3) where user or LLM-controlled dicts containing a reserved lc key could be deserialized into arbitrary LangChain objects. The result: secret exfiltration and possible remote code execution. Common flows at risk include event streaming, logging, message history, and caches.

The fix is straightforward: upgrade to langchain-core 0.3.81. But the pattern is instructive. The same abstractions that made LangChain easy to adopt created implicit code paths where data becomes executable. When you can’t easily trace what your framework is doing, you can’t easily secure it either.

The Thread

The gap between vibes and production isn’t closing—it’s getting mapped.

This week showed both sides of that work. The infrastructure layer is maturing: MCP as the integration standard, ACP unifying agent CLIs, frameworks adding the checkpointing and human-in-the-loop patterns that “trust the model” glosses over. At the same time, practitioners are learning where trust breaks down—30+ CVEs in coding tools, abstractions that hide attack surfaces, and the hard question of how much autonomy to grant before a human checks in.

The takeaway for data product builders: the question isn’t whether to use agents. It’s how much of the gap you’re willing to bridge yourself versus waiting for the tooling to catch up. The plumbing is arriving fast. But so is the understanding of what happens when you ship without it.

2025 was the year agents went from demo to daily driver. 2026 will be the year we find out which teams built on solid ground.