LoginSign Up
← Back to PM
Weekly · PM · Week of June 15, 2026

Linear's agent now writes and ships code, as PM tools wrap their AI layers in enterprise governance.

ai-agentsagentic-codingenterprise-governanceauth-hardeningmcpmetered-ai
O
By Onur Öztürk
LinkedIn ↗
Generated 5h agoDrawn from 15 products

The week in project-management

The clearest move this week is that the project tracker is becoming a place where work gets executed, not just coordinated. Linear shipped Coding sessions, letting its agent write code with Claude Code and Codex and open a PR straight from an issue, comment, or Slack thread — the capstone of a quarter that already added codebase reasoning and native diff review. Alongside it, the AI layer kept hardening into something enterprises can govern and budget for: Aha! added built-in security and privacy reviews to its PM-built apps, Asana started surfacing when AI Studio automation rules burn credits, and SmartSuite opened its workspace data to MCP clients. The throughline is AI moving from demo to operations — metered, reviewed, and addressable by external models.

Underneath the AI story is a quieter wave of infrastructure work. Leantime re-founded how it authorizes requests with a fail-closed permission engine, then spent four point releases stabilizing the auth regressions that rollout exposed. OpenProject spent the window backporting security fixes across every supported line before returning to feature cadence with 17.5.0. A large share of this sector's tracked feeds remain marketing and SEO content rather than changelogs, so the genuine shipping is concentrated in a handful of products.

Leaders

  • Linear shipped the week's most significant move: Coding sessions, where the agent triages, plans, edits, and opens a PR without leaving the tracker. It closes the plan-write-review-ship loop entirely inside Linear, building directly on its earlier Code Intelligence and Diffs releases. Two sparks in the window make it the clear pace-setter.
  • Leantime landed 3.9.0, a centralized fail-closed permission engine that replaced ad-hoc role checks across all sixteen domains and closed a string of cross-user IDORs, shipping with a new JSON-RPC API and mobile push. The 3.9.1–3.9.4 patches that followed were almost entirely auth stabilization, a sign the re-foundation is still settling.
  • SmartSuite released an open-source local MCP server that exposes workspace data to MCP-compatible clients via npm, Docker, or a packaged Claude Desktop extension. It is the clearest signal yet that SmartSuite wants to be an addressable data source for AI agents, not just a UI users click through, atop seven incremental module improvements.
  • Aha! added built-in security and privacy reviews to Aha! Builder, covering OWASP risks, code and dependency vulnerabilities, and privacy compliance with shareable reports. Paired with a new Builder governance page, it is the unglamorous guardrail layer that makes PM-built apps acceptable to IT and compliance.
  • Asana began showing AI Studio builders when a rule consumes credits and how usage accumulates, in the same place rules are built. It is a small change with a notable implication: Asana's AI automation is metered, and credit awareness is now part of the build loop.

Wildcards

  • Pipefy had no shipping velocity this window but carries a spark: its strategic collaboration with Microsoft to adopt Foundry, list in the Microsoft Marketplace, and deploy governed enterprise AI agents for process orchestration. It reframes a no-code workflow tool as an agentic-automation platform riding Microsoft's stack — a positioning bet more than a feature.
  • Resource Guru is unusual for shipping real product (dependency-aware Gantt charts, then additional zoom levels, plus a monday.com sync) inside a blog feed otherwise full of guides and case studies. The Gantt move pushes it beyond resource scheduling into visual project planning.
  • OpenProject stands out for spending the week in security-patch mode, backporting a journal-diff visibility bypass (CVE-2026-47193) and a Docker SECRETKEYBASE fix across multiple supported lines before cutting 17.5.0 — release discipline rather than a headline feature.

Themes that compounded

  • AI agents are moving from planning aids to actors: Linear's agent writes and ships code, SmartSuite and Pipefy open up to external agents, and Aha!'s Elle keeps absorbing the discovery-to-roadmap loop.
  • Governance is becoming the AI tax: Aha!'s security reviews, Asana's RBAC and credit metering, and Pipefy's "governed agents" framing all wrap AI capability in enterprise guardrails.
  • Auth and security re-foundations dominated the open-source PM tools, with Leantime's permission engine and OpenProject's CVE backports both prioritizing hardening over new surface.
  • Metered, consumption-based AI pricing is surfacing in-product, most explicitly in Asana's credit-awareness build loop.
  • Many tracked "changelog" feeds — HoneyBook, Celoxis, Toggl Track, ProdPad, and more — are SEO comparison and thought-leadership content, not product releases, so real shipping is concentrated in a minority of products.

Watch this week

Watch whether the agentic-coding pattern Linear set spreads to its neighbors, and whether Leantime's 3.9.x auth-fix cadence finally slows as the Bearer-token regressions settle — a clean week would signal the permission-engine rollout has stabilized. Tability's AI Mode is quietly turning into a stateful, artifact-producing assistant, and Productboard's v2 API sunset of v1 lands July 8, so expect migration pressure to build. Most other movement in the sector is marketing content, not product, so the genuine signal stays narrow.