Vercel's Agent Push: What Founders Should Watch

Vercel shipped agent tooling, Docker sandboxes, and OIDC upgrades today. Here's what founders running AI-built apps on Vercel need to check.

Barret5 min read

Today wasn't an incident day. It was a platform day. Vercel shipped a stack of changes that push its agents further into your infrastructure — merging pull requests, running Docker containers, sending WhatsApp and SMS messages, holding blob storage. None of this is a vulnerability. But it does move the trust boundary, and founders who shipped with Lovable, Bolt, v0, or a custom Vercel stack should know where the new levers are.

TL;DR

  • AI SDK 7 and GitHub Tools give agents write access (merging PRs, calling APIs) — check that approval gates are actually on.
  • Vercel Sandbox now runs custom Docker images and pulls from a new Container Registry (VCR) — treat sandbox images like production dependencies.
  • Credential handling got better by default: custom OIDC audiences, Vercel Connect, and Private Blob's OIDC auth all reduce the number of long-lived tokens sitting in your project.
  • Audit Log and Activity Log coverage expanded — use it, because your agents can now take real actions on your behalf.

Agents that can act, not just suggest

Vercel's GitHub Tools for eve ships a toolset that can call mergePullRequest and other write actions from nine lines of code. It's built "safe by default" — every write tool requires approval unless you opt out. AI SDK 7 formalizes this pattern platform-wide, adding tool approvals and a durable WorkflowAgent for running agents that take actions over time, not just single-turn chat.

The risk here isn't a bug. It's a config choice. If you or a coding agent you're using turned off approval requirements to move faster, an agent now has standing permission to merge code or call external APIs without a human in the loop. If you've wired up eve, Chat SDK, or the AI SDK Harness (which now runs Deep Agents and OpenCode inside a Vercel Sandbox), go check what's set to auto-approve.

Chat SDK also picked up a wave of new channels this cycle — Dial for SMS/iMessage, Photon for iMessage, Kapso for WhatsApp, plus a general-purpose Chat SDK channel for eve. Each of these is a new inbound surface for your bot. Webhooks are HMAC-verified by default across these adapters — but if you're rolling your own handler, verify that signature check is actually wired in, not assumed.

Sandboxes are becoming real infrastructure

Vercel Sandbox now supports custom root filesystem images, pulled from the new Vercel Container Registry. You can also bring a Dockerfile straight to Vercel Functions. This is good news for flexibility — but it means the sandbox your coding agent runs in is no longer a disposable, locked-down box. It's whatever image you (or an agent) pushed.

If you're using custom images, treat them like any other production dependency: know what's in them, keep them updated, and don't let an agent build and push an image with baked-in secrets. Sandbox snapshots now expire based on last use rather than creation time, which is a small but real improvement — long-idle sandboxes with stale credentials won't linger indefinitely.

Credential plumbing gets quietly better

A few changes today reduce the number of static secrets floating around your project. Custom OIDC Token Audiences let you scope tokens to a specific third-party provider, so a token stolen from one integration can't be replayed against another. Vercel Connect now manages credentials for Chat SDK bots with short-lived tokens instead of stored signing secrets. Vercel Private Blob is now GA, with OIDC-based authentication instead of static keys for reading private files like user uploads and invoices.

Separately, Vercel is acquiring Better Auth, the open source TypeScript auth library used widely in the Lovable/Bolt/v0 ecosystem. No action needed if you're already using it, but expect tighter integration with Vercel's platform going forward — worth watching if auth is core to your app.

None of this fixes a bad app. It just means the default plumbing is safer than it used to be. If your app still stores API keys directly in environment variables and passes them around by hand, these tools are the upgrade path.

Audit trails catch up

Audit Log coverage expanded to 400+ team activity events, exportable to S3 or a custom endpoint. Project Settings also got its own project-level Activity Log. If your agents can now merge PRs and deploy containers, this is where you'd actually notice if one did something you didn't expect. It's worth turning on if you haven't.

On the other side of the ecosystem, Claudable showed up on Hacker News — an open-source, locally-run alternative to Lovable built on Claude Code. Running locally means no vendor-managed database rules to misconfigure, but it also means you own every part of the security story yourself: secrets, deployment, access control. There's no free lunch either way.

FAQ

Do I need to change anything because of these Vercel updates?

Only if you're using agent tooling (eve, AI SDK Harness, GitHub Tools) or custom Sandbox images. Check that write-action approvals are on and that any custom Docker images don't bake in secrets.

Is Vercel Private Blob a security fix I need to apply?

No — it's a new storage option for private files with OIDC-based auth instead of static keys. If you're storing sensitive uploads, it's worth adopting, but it's not remediation for an existing bug.

Should I worry about the new Chat SDK integrations (WhatsApp, SMS, iMessage)?

Only if you're adding them. The official adapters use HMAC-verified webhooks by default. If you build your own handler for a new channel, confirm signature verification is actually implemented, not skipped.

The bottom line

Nothing here is a breach. It's a platform giving agents more reach — into your repos, your containers, your messaging channels — while also giving you better tools to scope and audit that reach. The gap between the two is where risk lives. If your app uses any of these agent frameworks, spend ten minutes checking approval settings and turning on the audit log before you spend it on the next feature.

Find your gaps before an attacker does.

Is My Site Hackable? scans your deployed app for the exact issues in this article — exposed keys, missing RLS, open buckets — and tells you what's real and what's a false alarm.

Run a free scan →