Yuval Avrahami from Wiz joins to share Wiz Research's work on "CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild." Wiz Research uncovered "CodeBreach," a critical supply chain vulnerability caused by a subtle misconfiguration in AWS CodeBuild pipelines that allowed attackers to take over key GitHub repositories, including the widely used AWS JavaScript SDK that powers the AWS Console. By exploiting an unanchored regex filter, unauthenticated attackers could trigger privileged builds, steal credentials, and potentially inject malicious code into software used across a majority of cloud environments. AWS has since remediated the issue and introduced stronger safeguards, but the incident highlights a growing trend of attackers targeting CI/CD pipelines, where small misconfigurations can lead to massive downstream impact. The research can be found here: CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild.
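The root cause named above, an unanchored regex, is worth seeing concretely. The following is an added illustration, not code from the Wiz write-up or from AWS: it models a CodeBuild-style webhook filter group that compares event fields against regular expressions, and shows how a pattern without `^`/`$` anchors accepts any value that merely contains the intended string. The field names, the account ID, the events and the substring (search) semantics are all assumptions for illustration; the actual CodeBreach filter is not reproduced here.

```python
import re

# Constructed filters. Intent: run the privileged build only for the project's own
# main branch, pushed by one specific GitHub account (the ID is made up here).
UNANCHORED = {"HEAD_REF": r"refs/heads/main", "ACTOR_ACCOUNT_ID": r"4242"}
ANCHORED = {"HEAD_REF": r"^refs/heads/main$", "ACTOR_ACCOUNT_ID": r"^4242$"}


def filter_allows(filters: dict, event: dict) -> bool:
    """Every pattern in the group must match its field. Search (substring) semantics
    is an assumption about how such webhook filters are evaluated."""
    return all(re.search(pat, event.get(field, "")) is not None
               for field, pat in filters.items())


def is_fully_anchored(pat: str) -> bool:
    """True only if ^ and $ bracket the whole pattern and no top-level '|' escapes them,
    so '^a|b$' is rejected while '^(a|b)$' passes."""
    if not (pat.startswith("^") and pat.endswith("$")):
        return False
    depth, i = 0, 0
    while i < len(pat):
        c = pat[i]
        if c == "\\":
            i += 2          # skip the escaped character
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            return False
        i += 1
    return True


def unanchored_patterns(filters: dict) -> list:
    """Audit helper: fields whose pattern can match as a substring."""
    return [field for field, pat in filters.items() if not is_fully_anchored(pat)]


# Constructed events. The second is what an attacker can produce from an arbitrary
# fork with an account whose numeric ID happens to contain the allowed digits.
MAINTAINER_PUSH = {"HEAD_REF": "refs/heads/main", "ACTOR_ACCOUNT_ID": "4242"}
ATTACKER_PR = {"HEAD_REF": "refs/heads/main-fix", "ACTOR_ACCOUNT_ID": "1042421"}
```

With the unanchored group, `filter_allows(UNANCHORED, ATTACKER_PR)` is true, so the attacker's fork branch and account pass the gate meant for one maintainer; the anchored group rejects it. `unanchored_patterns` is the check to run over every filter group before trusting it to guard a build with credentials.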
Bret is joined by the founders of Plakar, Julien Mangeard and Gilles Chehade, to nerd out over backup engineering. The kind where you're building your own file formats and cryptographic layers, not just wiring up cron jobs. We get into how Plakar deduplicates and encrypts at the source, so your cloud provider never sees your keys. Also, their snapshot model has no chain dependencies, which means you can delete any backup without breaking the others. We had a fun hour of backup horror stories and ransomware pragmatism, and I lobby hard for a Docker volume integration. Check out the video podcast version here: https://youtu.be/OPRK5osKQHI
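As an added illustration of the two design points just described, the following toy is not Plakar's code and does not reproduce its file formats. Chunks are addressed by a keyed digest and encrypted before they reach the (here, in-memory) store, so the provider holds only ciphertext and opaque IDs; each snapshot is a self-contained manifest, so deleting one never invalidates another, and garbage collection keeps any chunk some remaining snapshot still references. The fixed-size chunking, the HMAC-derived XOR keystream (a stand-in for a real AEAD, with no integrity protection) and the sample data are all constructed.

```python
import hashlib
import hmac

CHUNK = 8  # bytes; tiny so the sample data dedups visibly (constructed, not Plakar's chunking)


def chunks_of(data: bytes):
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


class Store:
    """Toy content-addressed backup store. `blobs` is everything the provider would hold."""

    def __init__(self, key: bytes):
        self.key = key
        self.blobs = {}      # chunk id -> ciphertext
        self.manifests = {}  # snapshot name -> ordered chunk ids, independent of other snapshots

    def chunk_id(self, plain: bytes) -> str:
        # Keyed, so an outsider cannot confirm that a known file is stored by hashing it.
        return hmac.new(self.key, b"id:" + plain, hashlib.sha256).hexdigest()

    def _xor_stream(self, cid: str, data: bytes) -> bytes:
        # Toy cipher: keystream derived from the key and the chunk id, so equal plaintext
        # gives equal ciphertext and dedup still works. Encrypt and decrypt are the same op.
        out = bytearray()
        for off in range(0, len(data), 32):
            ks = hmac.new(self.key, b"ks:" + cid.encode() + off.to_bytes(4, "big"),
                          hashlib.sha256).digest()
            out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
        return bytes(out)

    def backup(self, name: str, data: bytes) -> int:
        """Store a snapshot; returns how many chunks were actually new (uploaded)."""
        ids, uploaded = [], 0
        for plain in chunks_of(data):
            cid = self.chunk_id(plain)
            if cid not in self.blobs:
                self.blobs[cid] = self._xor_stream(cid, plain)
                uploaded += 1
            ids.append(cid)
        self.manifests[name] = ids
        return uploaded

    def restore(self, name: str) -> bytes:
        return b"".join(self._xor_stream(cid, self.blobs[cid]) for cid in self.manifests[name])

    def delete(self, name: str) -> int:
        """Drop one snapshot, then collect the chunks no remaining manifest references."""
        del self.manifests[name]
        live = {cid for ids in self.manifests.values() for cid in ids}
        dead = [cid for cid in self.blobs if cid not in live]
        for cid in dead:
            del self.blobs[cid]
        return len(dead)
```

Because a manifest only lists chunk IDs, a snapshot never points at an earlier snapshot; removing "day1" reclaims exactly the chunks nothing else uses, and "day2" still restores byte for byte.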
Daniel Ward is a Microsoft .NET MVP and software consultant at Lean TECHniques in San Antonio, TX. He works with teams to deliver high-quality software through modern engineering practices, including effective CI/CD, automated testing, AI adoption, and product management. His background spans multiple industries such as finance, retail, and agriculture, and he has served as a software developer, technical coach, agile coach, and tech lead. Daniel is also a conference speaker, a contributor to the .NET community, and the creator behind Dan In a Can, where he writes about .NET, testing, DevOps, and developer tooling. Outside of his professional work, he enjoys piano, guitar, swing dancing, and game development. Mentioned in this episode: the Clear Measure developer forums (https://clearmeasure.com/developers/forums/), Daniel's website, LinkedIn, X account and GitHub, Lean TECHniques, and the "Kiro" AI coding tool. Show notes and additional episodes are at AzureDevOps.Show.
Because... it's episode 0x722! Shameless plug: March 31 to April 2, 2026 - Forum INCYBER - Europe 2026; April 14 to 17, 2026 - Botconf 2026; April 20 to 22, 2026 - ITSec (15% discount code: Seqcure15); April 28 and 29, 2026 - Cybereco Cyberconférence 2026; May 9 to 17, 2026 - NorthSec 2026; June 3 to 5, 2026 - SSTIC 2026; September 19, 2026 - Bsides Montréal; December 1 to 3, 2026 - Forum INCYBER - Canada 2026; February 24 and 25, 2027 - SéQCure 2027.

Description

What's new at Boost Security Labs. François Proulx opens the episode with an update on his team's recent work. Boost Security has redesigned its website to separate the commercial company clearly from its research team, now called Boost Security Labs and reachable at labs.security. The new site gathers the articles, tools and references the researchers produce. François also mentions a piece published at the end of 2025, Defensive Research, Weaponized: The 2025 State of Pipeline Security, which reviewed the year and anticipated the kinds of attacks that have since materialized. The team will be back at NorthSec this year with a new talk and, above all, a new tool named Smoke Meat, in keeping with the team's Montreal culinary theme. The tool is meant to be the "Metasploit of CI/CD pipelines": where Poutine (their static analysis tool) detects vulnerabilities in build pipelines, Smoke Meat will exploit them semi-autonomously, offering the user a menu of options. A third tool is also announced: Bagel, a defensive utility that runs entirely offline and assesses the security posture of developer and administrator laptops. It detects local misconfigurations, such as unencrypted SSH keys and tokens hard-coded in scripts, to limit the damage if the machine is infected by an info stealer (or "kleptogiciel", in the Flare team's terminology).

The Hackerbot Claw attack: an automated offensive against CI/CD pipelines. Sébastien Graveline then details an attack that occurred on February 27, involving an automated agent that targeted several large open source projects. At least four projects were confirmed as exploited. What makes the attack especially notable is that it was an AI agent attacking other systems that integrate AI into their pipelines, a scenario the researchers describe, with some dark humor, as "welcome to 2026". The team focused in particular on Aqua Security's Trivy, a project with more than 25,000 stars on GitHub. One direct consequence of the attack was that the repository was made private or deleted, which considerably complicated the forensic investigation.

The MegaGame trail: tracing the attack back. Examining the GitHub discussions around the incident, the team spotted a pull request (PR #10252) opened about five hours before Hackerbot's first attack and then quickly deleted, a fact no other published analysis had mentioned. The user behind it had been deleted as well. Using Trat Hunter, their real-time GitHub event monitoring tool, the researchers identified the actor behind the PR: a user they nicknamed MegaGame, whose account dated from early January. Going further back, they found that a similar attack attempt had been detected a month earlier on what appears to be a test repository.

Forensics on GitHub: fork networks and deleted gists. The investigation ran into a major obstacle: with the Trivy repository deleted or made private, the exploited commit could no longer be cloned directly.
This is where a little-known GitHub behavior comes in: when a repository is deleted, its fork network does not disappear. The oldest surviving fork automatically becomes the root of the network, and the commits of every fork remain reachable as long as at least one fork is alive. The team thus found a fork with a single star but... 3,000 forks attached to it, which had unwittingly become the patriarch of the tree. That let them recover MegaGame's payload, a local GitHub Action exploit: the workflow checks out the attacker's code, then runs a local action the attacker has redefined, a classic variant of the untrusted checkout. The final stage relies on a curl pipe bash pointing to a secret (unlisted, but not access-controlled) GitHub gist. The researchers found that a deleted gist can be cloned by its unique identifier, provided one is authenticated to GitHub, whether or not one is the original creator. The behavior is probably tied to how GitHub's CDN retains objects until a garbage collection runs.

The rise of automated attacks on CI/CD. The episode closes with a broader reflection. Attacks on CI/CD pipelines are growing exponentially, because these environments give access to critical cloud resources and the secrets in them are often poorly scoped. In Trivy's case, a simple comment workflow was enough to obtain administrator rights on the project. The recommendations are clear: run detection tools such as Poutine, apply defense in depth (properly scoped secrets, limiting the tools available to AI agents), and never forget that a public project is open not only to download, but also to attack.

The team also mentions cases where Claude detected prompt injection attempts and correctly refused to carry out the requested actions, a glimmer of hope in an otherwise fairly dark picture.

Notes: MegaGame10418: A Throwaway Account Linked to the Hackerbot-Claw Attack; Boost Security Labs' new site; Defensive Research, Weaponized: The 2025 State of Pipeline Security. Contributors: Nicolas-Loïc Fortin, Sébastien Graveline, François Proulx. Credits: editing by Intrasecure inc; virtual studio by Riverside.fm.
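The exploit shape described in the Hackerbot Claw episode above, a privileged workflow that checks out pull request code and then runs a local action from that checkout, can be spotted statically. The following is an added example, not Poutine's or Boost Security Labs' code, nor Trivy's actual workflow: a small line-based check over a constructed workflow file. It flags a job triggered by an event that carries the base repository's secrets (pull_request_target, issue_comment or workflow_run) which checks out a ref the PR author controls and afterwards runs `uses: ./...`, since that path resolves to whatever action definition sits in the checked-out tree. The trigger list, the untrusted-ref markers and both sample workflows are assumptions for illustration; a real scanner should parse the YAML rather than match lines.

```python
import re

# Events whose runs receive the base repository's secrets and a write token even when
# the triggering PR comes from a fork (assumed list; extend as needed).
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")

# Checkout refs that resolve to PR-author-controlled code (assumed markers).
UNTRUSTED_REF_MARKERS = ("github.event.pull_request.head", "github.head_ref", "refs/pull/")


def scan_workflow(text: str) -> list:
    """Return one {trigger, ref_line, uses_line} finding per local action that runs
    after an untrusted checkout in a privileged workflow. Line-based heuristic."""
    head, _, _ = text.partition("\njobs:")
    triggers = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", head)]
    if not triggers:
        return []  # a plain pull_request run has no secrets to reach through this path
    findings, untrusted_ref_line = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("ref:") and any(m in line for m in UNTRUSTED_REF_MARKERS):
            untrusted_ref_line = n  # PR code is now on disk in the workspace
        elif re.match(r"-?\s*uses:\s*\./", line) and untrusted_ref_line is not None:
            findings.append({"trigger": "/".join(triggers),
                             "ref_line": untrusted_ref_line, "uses_line": n})
    return findings


# Constructed workflows, not taken from any real project.
VULNERABLE = """\
name: pr-lint
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/lint
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
"""

# Same trigger, but the local action is taken from the base branch checkout. If PR code
# must be inspected, check it out into a separate path, never execute from it, and keep
# the token out of that step.
HARDENED = """\
name: pr-lint
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/lint
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
"""
```

On `VULNERABLE` the scan reports the `uses: ./.github/actions/lint` step (line 12) as running after the PR head checkout on line 11 under `pull_request_target`; `HARDENED` and the same file with a plain `pull_request` trigger produce no finding.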
We test the knowledge of a candidate for a Senior DevOps engineer position live on air. In this episode: architectural patterns in AWS, the eternal Terraform vs. CloudFormation debate, a deep dive into Kubernetes (Karpenter, scaling) and live troubleshooting of a broken Helm chart.

What the episode covers:
• Architecture and cloud: how to choose between EKS and ECS/Fargate and set up secure backup storage in S3.
• IaC wars: an honest comparison of Terraform and CloudFormation, where convenience ends and pain begins.
• Kubernetes under the hood: the control plane, how controllers work, and the subtleties of upgrading on-prem clusters.
• Live debug: a real task fixing a crashed pod (CrashLoopBackOff) with probes, ports and Helm.
• CI/CD strategies: building the ideal pipeline with GitHub Actions and ArgoCD.

Guest: Maksim, DevOps engineer (5 years of DevOps experience, 10 years as a sysadmin). Stack: AWS, Terraform, Kubernetes, Ansible, monitoring.
Are you trying to figure out if your team should build an AI model from scratch or integrate an off-the-shelf solution? You aren't alone. In this episode of the MongoDB Podcast, Shane McAlister sits down with Akshaya Murthy, Director of AI Transformation at Zendesk, to decode the maze of building enterprise AI products. They dive into why integrating is often the winning move for speed to market, the hidden costs of custom models, and why bad data will break even the most perfect transformer model.

What you'll learn in this episode:
The build vs. buy calculus: why lower total cost of ownership (TCO) and rapid deployment favor integration for most enterprises.
Spotting "AI washing": how to avoid vendor buzzword salads and focus on actual problem-solving and ROI.
Architectural must-haves: why your AI stack needs modular API layers, model hot-swapping, and CI/CD pipelines just like your standard code.
The "garbage in, hype out" rule: why a solid data strategy and a centralized single source of truth are non-negotiable.

Ready to stop experimenting and start delivering real AI value? Tune in now.
All speakers are announced at AIE EU; the schedule is coming soon. Join us there or in Miami with the renowned organizers of React Miami! The Singapore CFP is also open.

We've called this out a few times over in AINews, but the overwhelming consensus in the Valley is that "the IDE is dead". In November it was just a gut feeling, but now we actually have data: even at the canonical "VSCode fork" company, people are officially using more agents than tab autocomplete (the first wave of AI coding).

Cursor launched cloud agents a few months ago, and this specific launch is around Computer Use, which has come a long way since we first talked with Anthropic about it in 2024, and which Jonas productized as Autotab. We also take the opportunity to do a live demo, talk about slash commands and subagents, and the future of continual learning and personalized coding models, something that Sam previously worked on at New Computer. (The fact that both of these folks are top-tier CEOs of their own startups who have now joined the insane talent density gathering at Cursor should also not be overlooked.)

Full episode on YouTube! Please like and subscribe!

Timestamps
00:00 Agentic Code Experiments
00:53 Why Cloud Agents Matter
02:08 Testing First Pillar
03:36 Video Reviews Second Pillar
04:29 Remote Control Third Pillar
06:17 Meta Demos and Bug Repro
13:36 Slash Commands and MCPs
18:19 From Tab to Team Workflow
31:41 Minimal Web UI Philosophy
32:40 Why No File Editor
34:38 Full Stack Cursor Debate
36:34 Model Choice and Auto Routing
38:34 Parallel Agents and Best Of N
41:41 Subagents and Context Management
44:48 Grind Mode and Throughput Future
01:00:24 Cloud Agent Onboarding and Memory

Transcript
EP 77 - CURSOR - Audio version

[00:00:00] Agentic Code Experiments

Samantha: This is another experiment that we ran last year and didn't decide to ship at that time, but may come back to: LLM judge, but one that was also agentic and could write code.
So it wasn't just picking, but also taking the learnings from two models, or N models, that it was looking at and writing a new diff. And what we found was that there were strengths to using models from different model providers as the base level of this process. Basically you could get almost like a synergistic output that was better than having a very unified bottom model tier.

Jonas: We think that over the coming months, the big unlock is not going to be one person with a model getting more done, like the water flowing faster; we'll be making the pipe much wider and so parallelizing more, whether that's swarms of agents or parallel agents. Both of those are things that contribute to getting much more done in the same amount of time.

Why Cloud Agents Matter

swyx: This week, one of the biggest launches that Cursor's ever done is cloud agents. I think you had [00:01:00] cloud agents before, but this was like, you give Cursor a computer, right? So it's just basically they bought Autotab and then they repackaged it. Is that what's going on, or...

Jonas: That's a big part of it. Yeah. Cloud agents already ran in their own computers, but they were sort of sight-reading code. And those computers were like blank VMs, typically, that were not set up for the DevEx of whatever repo the agent's working on. One of the things that we talk about is, if you put yourself in the model's shoes and you were seeing tokens stream by and all you could do was sight-read code and spit out tokens and hope that you had done the right thing...

swyx: No chance.

Jonas: I'd be so bad. Like, obviously you need to run the code. And so that, I think, also is probably not that contrarian of a take, but no one has done that yet. And so giving the model the tools to onboard itself and then use full computer use, end-to-end, pixels in, coordinates out, and have the cloud computer with different apps in it is the big unlock that we've seen internally, in terms of usage of this going from "oh, we use it for little copy changes" [00:02:00] to "no, we're really driving new features with this kind of new type of entech workflow." Alright, let's see it. Cool.

Live Demo Tour

Jonas: So this is what it looks like in cursor.com/agents. So this is one I kicked off a while ago. On the left-hand side is the chat, very classic sort of agentic thing. The big new thing here is that the agent will test its changes. So you can see here it worked for half an hour. That is because it not only took time to write the tokens of code, it also took time to test them end to end. So it started dev servers, iterated when needed. And so that's one part of it: the model works for longer and doesn't come back with an "I tried some things" PR, but an "I tested it" PR that's ready for your review. One of the other intuition pumps we use there is, if a human gave you a PR, asked you to review it, and they hadn't tested it, you'd also be annoyed, because you'd be like, only ask me for a review once it's actually ready. So that's what we've done with...

Testing Defaults and Controls

swyx: Simple question I wanted to get out front. Some PRs are way smaller, [00:03:00] like just a copy change. Does it always do the video, or is it sometimes?

Jonas: Sometimes.

swyx: Okay. So what's the judgment?

Jonas: The model does it. So we do some default prompting with sort of what types of changes to test. There's a slash command that people can do called slash no-test, where if you do that, the model will not test.

swyx: But the default is test.

Jonas: The default is to be calibrated. So we tell it, don't test very simple copy changes, but test more complex things. And then users can also write their agents.md and specify, like, if you're editing this subpart of my monorepo, never test, 'cause that won't work, or whatever.

Videos and Remote Control

Jonas: So pillar one is the model actually testing. Pillar two is the model coming back with a video of what it did. We have found that in this new world where agents can end-to-end write much more code, reviewing the code is one of these new bottlenecks that crop up. And so reviewing a video is not a substitute for reviewing code, but it is an entry point that is much, much easier to start with than glancing at [00:04:00] some giant diff. And so typically you kick one off, it's done, you come back, and the first thing that you would do is watch this video. So this is a video of it. In this case I wanted a tooltip over this button. And so it went and showed me what that looks like in this video. I think here it actually used a gallery. So sometimes it will build Storybook-type galleries where you can see that component in action. And so that's pillar two: these demo videos of what it built. And then pillar number three is I have full remote control access to this VM. So I can go get in here, I can hover things, I can type, I have full control. And same thing for the terminal, I have full access. And so that is also really useful, because sometimes the video is all you need to see. And oftentimes, by the way, the video's not perfect; the video will show you, is this worth either merging immediately, or oftentimes, is this worth iterating with to get it to that final stage where I am ready to merge it in. So I can go through some other examples where the first video [00:05:00] wasn't perfect, but it gave me confidence that we were on the right track, and two or three follow-ups later it was good to go. And then I also have full access here, where some things you just wanna play around with. You wanna get a feel for what is this, and there's no substitute to a live preview. And the VNC kind of VM remote access gives you that.

swyx: Amazing. What, sorry, what is VNC?

Jonas: Just the remote desktop.

swyx: Remote desktop. Yeah. Sam, any other details that you always wanna call out?

Samantha: Yeah, for me the videos have been super helpful. I would say, especially in cases where a common problem for me with agents and cloud agents beforehand was almost like under-specification in my requests, where our plan mode and going really back and forth and getting a detailed implementation spec is a way to reduce the risk of under-specification. But then, similar to how human communication breaks down over time, I feel like you have this risk where it's okay, when I pull down, go to the trouble of pulling down and running this branch locally, I'm gonna see that, like, I said this should be a toggle and you have a checkbox, and like, why didn't you get that detail? And having the video up front just [00:06:00] makes that alignment, like you're talking about a shared artifact with the agent, very clear, which has been just super helpful for me.

Jonas: I can quickly run through some other examples.

Meta Agents and More Demos

Jonas: So this is a very front-end-heavy one. So one question I was...

swyx: Gonna say, is this only for front end?

Jonas: Exactly. One question you might have is, is this only for front end? So this is another example where the thing I wanted it to implement was a better error message for saving secrets. So the cloud agents support adding secrets; that's part of what it needs to access certain systems. Part of onboarding that is giving access. This is Claude working on...

swyx: Cloud agents. Yes.

Jonas: So this is a fun thing, is...

Samantha: It can get super meta.

Jonas: It can get super meta. It can start its own cloud agents, it can talk to its own cloud agents. Sometimes it's hard to wrap your mind around that.
We have disabled it, cloud agents starting more cloud agents. So we currently disallow that. Someday you might. Someday we might. Someday we might. So this actually was mostly a backend change in terms of the error handling here, where if the [00:07:00] secret is far too large... oh, this is actually really cool. Wow. That's the dev tools. That's the dev tools. So if the secret is far too large: we don't allow secrets above a certain size, we have a size limit on them, and the error message there was really bad. It was just some generic "failed to save" message. So I was like, hey, we want an error message. So the first cool thing it did here, zero prompting on how to test this: instead of typing out the, like, a character 5,000 times to hit the limit, it opens dev tools, writes JS to paste into the input 5,000 characters of the letter A, closes the dev tools, hits save, and gets the new error message. So that looks like the video actually cut off, but here you can see the screenshot of the error message. So that is like a front-end, back-end, end-to-end feature to get that.

swyx: Yeah. And you just need a full VM, a full computer, run everything. Okay. Yeah.

Jonas: Yeah. So we've had versions of this. This is one of the Autotab lessons, where we started that in 2022. [00:08:00] No, in 2023. And at the time it was like browser use, DOM, like all these different things. And I think we ended up very sort of AGI-pilled, in the sense that just give the model pixels, give it a box, a brain in a box is what you want, and you want to remove limitations around context and capabilities such that the bottleneck should be the intelligence. And given how smart models are today, that's a very far-out bottleneck. And so giving it its full VM and having it be onboarded with DevEx set up like a human would has just been, for us internally, a really big step change in capability.

swyx: Yeah, I would say, let's call it a year ago the models weren't even good enough to do any of this stuff. So...

Samantha: Even six months ago. Yeah.

swyx: So yeah, what people have told me is, round about Sonnet 4.5 is when this started being good enough to just automate fully by pixel.

Jonas: Yeah, I think it's always a question of when is good enough. I think we found in particular with Opus 4.5, 4.6, and Codex 5.3 that those were additional step [00:09:00] changes in the autonomy-grade capabilities of the model to just go off and figure out the details and come back when it's done.

swyx: I wanna appreciate a couple details. One: TanStack Router. I see it. I'm a big fan. Do you know any... I have to name the TanStack.

Jonas: No.

swyx: This is just random lore. Some buddy Sue Tanner. My... and then the other thing, if you switch back to the video.

Jonas: Yeah.

swyx: I wanna shout out this thing. Probably Sam did it. I don't know.

Jonas: The chapters.

swyx: What is this called? Yeah, this is called chapters. It's like a Vimeo thing. I don't know. But it's so nice, the design details, like the... and obviously a company called Cursor has to have a beautiful cursor.

Samantha: And it is...

swyx: The cursor.

Samantha: Cursor.

swyx: You see it branded? It's the Cursor cursor, yeah. Okay, cool. And then I complained to Evan. I was like, okay, but you guys branded everything but the wallpaper. And he was like, no, that's a Cursor wallpaper. I was like, what?

Samantha: Yeah. Rio picked the wallpaper, I think. Yeah. The video, that's probably Alexi and a few others on the team with the chapters on the video. Matthew Frederico. There's been a lot of teamwork on this. It's a huge effort.

swyx: I just, I like design details.

Samantha: Yeah.

swyx: And then when you download it, it adds like a little Cursor kind of TikTok clip. [00:10:00] Yes. Yes. So it's to make it really obvious it's from Cursor.

Jonas: We did the TikTok branding at the end. This was actually in our launch video. Alexi demoed the cloud agent that built that feature. Which was funny, because that was an instance where... one of the things that's been a consequence of having these videos is we use best-of-N, where you run head to head different models on the same prompt. We use that a lot more, because one of the complications with doing that before was you'd run four models and they would come back with some giant diff, like 700 lines of code times four. It's, what are you gonna do? You're gonna review all that? It's horrible. But if you come back with four 20-second videos, yeah, I'll watch four 20-second videos. And then even if none of them is perfect, you can figure out which one of those you want to iterate with to get it over the line.

swyx: Yeah.

Jonas: And so that's been really fun.

Bug Repro Workflow

Jonas: Here's another example that we found really cool, which we've actually since turned into a slash command as well, slash repro, where for bugs in particular, the model having full access to its own VM, it can first reproduce the bug, make a video of the bug reproducing, fix the bug, make a video of the bug being fixed, doing the same pattern workflow with, obviously, the bug not reproducing. And that has been the single category that has gone from "these types of bugs are really hard to reproduce and take tons of time locally, even if you try a cloud agent on it, are you confident it actually fixed it?" to, when this happens, you'll merge it in 90 seconds or something like that. So this is an example where, let me see if this is the broken one or the... okay, this is the fixed one. Okay. So we had a bug on cursor.com/agents where if you would attach images, remove them, then still submit your prompt, they would actually still get attached to the prompt. Okay. And so here you can see Cursor is using its full desktop, by the way. This is one of the cases where, if you just do browser-use type stuff, you'll have a bad time, 'cause now it needs to upload files. Like, it just uses its native file viewer to do that. And so you can see here it's uploading files. It's going to submit a prompt, and then it will go and open up... so this is the meta, this is Cursor agent prompting Cursor agent inside its own environment. And so you can see here, bug: there's five images attached, whereas when it submitted, it only had one image.

swyx: I see. Yeah. But you gotta enable that if you're gonna use Cursor agent inside Cursor.

Jonas: Exactly. And so here, this is then the after video, where it went, it does the same thing. It attaches images, removes some of them, hits send. And you can see here, once this agent is up, only one of the images is left in the attachments. Yeah.

swyx: Beautiful.

Jonas: Okay. So easy merge.

swyx: So yeah, when does it choose to do this? Because this is an extra step.

Jonas: Yes. I think I've not done a great job yet of calibrating the model on when to reproduce these things. Sometimes it will do it of its own accord. We've been conservative, where we try to have it only do it when it's [00:13:00] quite sure, because it does add some amount of time to how long it takes it to work on it. But we also have added things like the slash repro command, where you can just do "fix this bug /repro" and then it will know that it should first make you a video of it actually finding and making sure it can reproduce the bug.

swyx: Yeah. One sort of ML topic this ties into is reward hacking, where you write a test that you update only to pass.
So first write the test, it shows me it fails, then make the test pass, which is a classic, like, red-green.

Jonas: Yep.

swyx: Like...

Jonas: TDD.

swyx: ...thing. No, very cool. Was that the last demo? Is there...

Jonas: Yeah. Anything I missed on the demos, or points that you think...? I think that...

Samantha: Covers it well. Yeah.

swyx: Cool. Before we stop the screen share, can you gimme just a tour of the slash commands? 'Cause I so... God, ready. Huh, what? What are the good ones?

Samantha: Yeah, we wanna increase discoverability around this too. I think that'll be like a future thing we work on. Yeah. But there's definitely a lot of good stuff now.

Jonas: We have a lot of internal ones that I think will not be that interesting. Here's an internal one that I've made. I don't know if anyone else at Cursor uses this one. Fix BB.

Samantha: I've never heard of it.

Jonas: Yeah. [00:14:00] Fix Bug Bot. So this is a thing that we want to integrate more tightly on.

swyx: So you made it for yourself.

Jonas: I made this for myself. It's actually available to everyone in the team, but yeah, no one knows about it. But yeah, there will be Bug Bot comments, and so Bug Bot has a lot of cool things. We actually just launched Bug Bot Auto Fix, where you can click a button, or change a setting, and it will automatically fix its own things, and that works great in a bunch of cases. There are some cases where having the context of the original agent that created the PR is really helpful for fixing the bugs, because it might be like, oh, the bug here is that this is a regression and actually you meant to do something more like that. And so having the original prompt and all of the context of the agent that worked on it... and so here I could just do fix, or we used to be able to do fix BB, and it would do that. No-test is another one that we've had. Slash repro is in here; we mentioned that one.

Samantha: One of my favorites is cloud agent diagnosis. This is one that makes heavy use of the Datadog MCP. Okay. And I [00:15:00] think Nick and David on our team wrote it, and basically if there is a problem with a cloud agent, we'll spin up a bunch of subs...

swyx: Like a single instance.

Samantha: Yeah. We'll take the ID as an argument and spin up a bunch of subagents using the Datadog MCP to explore the logs and find all of the problems that could have happened with that. It takes the debugging time, like, from... potentially you can do quick stuff quickly with the Datadog UI, but it takes it down to, again, a single agent call, as opposed to trawling through logs yourself.

Jonas: You should also talk about the stuff we've done with transcripts.

Samantha: Yes. Also, so basically we've also done some things internally, there'll be some versions of this as we ship publicly soon, where you can spin up an agent and give it access to another agent's transcript, to either basically debug something that happened. So act as an external debugger. I see. Or continue the conversation. Almost like forking it.

swyx: A transcript includes all the chain of thought for the 11 minutes here, 45 minutes there.

Samantha: Yeah. Exactly. So basically acting as a secondary agent that debugs the first. So we've started to push more and...

swyx: They're all the same [00:16:00] code. It is just the different prompts, but the same...

Samantha: Yeah. So basically the same cloud agent infrastructure and then the same harness. And then when we do things like include... there's some extra infrastructure that goes into piping in an external transcript if we include it as an attachment. But for things like the cloud agent diagnosis, that's mostly just using the Datadog MCP. 'Cause we also launched MCPs along with this cloud agent launch, launched support for cloud agent MCPs.

swyx: Oh, that was drawn out.

Jonas: We'll be doing a bigger marketing moment for it next week, but you can now use MCPs and...

swyx: People will listen to it as well. Yeah.

Jonas: They'll...

Samantha: Be ahead of the third. They'll be ahead. And I actually don't know if the Datadog MCP is publicly available yet. I realize, not sure, beta testing it, but it's been one of my favorites to use. So...

swyx: I think that one's interesting for Datadog, 'cause Datadog wants to own that side. Interesting with Bits. I don't know if you've tried Bits.

Samantha: I haven't tried Bits.

swyx: Yeah.

Jonas: That's their cloud agent...

swyx: Product. Yeah. They want to be like, we own your logs, and give us some part of the [00:17:00] self-healing software that everyone wants. But obviously Cursor has a strong opinion on coding agents, and you're taking away from the... which obviously you're going to do, and not every company's like Cursor, but it's interesting if you're a Datadog, like, what do you do here? Do you expose your logs to MCP and let other people do it? Or do you try to own it, because it's extra business for you? It's like an interesting one.

Samantha: It's a good question. All I know is that I love the Datadog MCP.

Jonas: And yeah, it is gonna be no surprise that people will demand it, right?

Samantha: Yeah.

swyx: It's like any system-of-record company like this; it's like, how much do you give away? Cool. I think that's that for the sort of cloud agents tour. And we just talk about, like, cloud agents have been... when did Cursor launch cloud agents? Do you know? In June...

Jonas: Last year.

swyx: June last year. So it's been slowly developing, the thing you did, like a bunch of... like Michael did a post where he showed this chart of agents overtaking tab. And I'm like, wow, this is like the biggest transition in code.

Jonas: Yeah.

swyx: Like in [00:18:00] like the last...

Jonas: Yeah. I think that kind of got turned out. Yeah. I think it's a very interest...

swyx: Not at all. I think it's been highlighted by our friend Andrej Karpathy today.

Jonas: Okay.

swyx: Talk more about it. What does it mean? I just got given, like, the Cursor tab key.

Jonas: Yes. Yes.

swyx: That's...

Samantha: Cool.

swyx: I know, but it's gonna be, like, put in a museum.

Jonas: It is.

Samantha: I have to say, I haven't used tab a little bit myself.

Jonas: Yeah. I think that what it looks like to code with AI, code generally, create software, even if you want to go higher level, is changing very rapidly. Not a hot take, but I think from our vantage point at Cursor, one of the things that is probably underappreciated from the outside is that we are extremely self-aware about that fact, and Cursor got its start in phase one, era one, of tab and autocomplete. And that was really useful in its time. But a lot of people start looking at text files and editing code... like, we call it hand coding now, when you type out the actual letters.

swyx: Oh, that's cute.

Jonas: Yeah.

swyx: Oh, that's cute.

Jonas: You're so boomer. So boomer. [00:19:00] And so that, I think, has been a slowly accelerating, and now in the last few months rapidly accelerating, shift. And we think that's going to happen again with the next thing, where... I think some of the pains around tab of, it's great, but I actually just want to give more to the agent, and I don't want to do one tab at a time. I want to just give it a task and it goes off and does a larger unit of work, and I can lean back a little bit more and operate at that higher level of abstraction. That's going to happen again, where it goes from agents handing you back diffs and you're in the weeds and giving it 30-second to three-minute tasks, to you're giving it three-minute to 30-minute to three-hour tasks and you're getting back videos and trying out previews, rather than immediately looking at diffs every single time.

swyx: Yeah. Anything to add?

Samantha: One other shift that I've noticed as our cloud agents have really taken off internally has been a shift from primarily individually driven development to almost this collaborative nature of development. For us, Slack is actually almost like a development [00:20:00] IDE, basically.

swyx: So, like, maybe don't even build a custom UI, like maybe that's like a debugging thing, but actually it's that.

Samantha: I feel like, yeah, there's still so much left to explore there, but basically for us, Slack is where a lot of development happens. Like, we will have these issue channels, or just product discussion channels, where people are always @Cursor-ing, and that kicks off a cloud agent. And for us, at least, we have team follow-ups enabled. So if Jonas kicks off @Cursor in a thread, I can follow up with it and add more context. And so it turns into almost like a discussion surface where people can collaborate on UI. Oftentimes I will kick off an investigation, and then sometimes I even ask it to git blame and then tag people who should be brought in, 'cause it can tag people in Slack, and then other people will come...

swyx: In. It can tag other people who are not involved in the conversation. Yes. Can just do @Jonas if, say, it was talking to...

Samantha: Yeah.

swyx: That's cool. You guys should make a big deal out of that.

Samantha: I know.
It's a lot to, I feel like there's a lot more to do with our slack surface area to show people externally. But yeah, basically like it [00:21:00] can bring other people in and then other people can also contribute to that thread and you can end up with a PR again, with the artifacts visible and then people can be like, okay, cool, we can merge this.So for us it's like the ID is almost like moving into Slack in some ways as well.swyx: I have the same experience with, but it's not developers, it's me. Designer salespeople.Samantha: Yeah.swyx: So me on like technical marketing, vision, designer on design and then salespeople on here's the legal source of what we agreed on.And then they all just collaborate and correct. The agents,Jonas: I think that we found when these threads is. The work that is left, that the humans are discussing in these threads is the nugget of what is actually interesting and relevant. It's not the boring details of where does this if statement go?It's do we wanna ship this? Is this the right ux? Is this the right form factor? Yeah. How do we make this more obvious to the user? It's like those really interesting kind of higher order questions that are so easy to collaborate with and leave the implementation to the cloud agent.Samantha: Totally. And no more discussion of am I gonna do this? Are you [00:22:00] gonna do this cursor's doing it? You just have to decide. You like it.swyx: Sometimes the, I don't know if there's a, this probably, you guys probably figured this out already, but since I, you need like a mute button. So like cursor, like we're going to take this offline, but still online.But like we need to talk among the humans first. Before you like could stop responding to everything.Jonas: Yeah. This is a design decision where currently cursor won't chime in unless you explicitly add Mention it. Yeah. 
Yeah.Samantha: So it's not always listening.Yeah.Jonas: I can see all the intermediate messages.swyx: Have you done the recursive, can cursor add another cursor or spawn another cursor?Samantha: Oh,Jonas: we've done some versions of this.swyx: Because, ‘cause it can add humans.Jonas: Yes. One of the other things we've been working on that's like an implication of generating the code is so easy is getting it to production is still harder than it should be.And broadly, you solve one bottleneck and three new ones pop up. Yeah. And so one of the new bottlenecks is getting into production and we have a like joke internally where you'll be talking about some feature and someone says, I have a PR for that. Which is it's so easy [00:23:00] to get to, I a PR for that, but it's hard still relatively to get from I a PR for that to, I'm confident and ready to merge this.And so I think that over the coming weeks and months, that's a thing that we think a lot about is how do we scale up compute to that pipeline of getting things from a first draft An agent did.swyx: Isn't that what Merge isn't know what graphite's for, likeJonas: graphite is a big part of that. The cloud agent testingswyx: Is it fully integrated or still different companiesJonas: working on I think we'll have more to share there in the future, but the goal is to have great end-to-end experience where Cursor doesn't just help you generate code tokens, it helps you create software end-to-end.And so review is a big part of that, that I think especially as models have gotten much better at writing code, generating code, we've felt that relatively crop up more,swyx: sorry this is completely unplanned, but like there I have people arguing one to you need ai. To review ai and then there is another approach, thought school of thought where it's no, [00:24:00] reviews are dead.Like just show me the video. It's it like,Samantha: yeah. 
I feel again, for me, the video is often like alignment and then I often still wanna go through a code review process.swyx: Like still look at the files andSamantha: everything. Yeah. There's a spectrum of course. Like the video, if it's really well done and it does like fully like test everything, you can feel pretty competent, but it's still helpful to, to look at the code.I make hep pay a lot of attention to bug bot. I feel like Bug Bot has been a great really highly adopted internally. We often like, won't we tell people like, don't leave bug bot comments unaddressed. ‘cause we have such high confidence in it. So people always address their bug bot comments.Jonas: Once you've had two cases where you merged something and then you went back later, there was a bug in it, you merged, you went back later and you were like, ah, bug Bot had found that I should have listened to Bug Bot.Once that happens two or three times, you learn to wait for bug bot.Samantha: Yeah. So I think for us there's like that code level review where like it's looking at the actual code and then there's like the like feature level review where you're looking at the features. There's like a whole number of different like areas.There'll probably eventually be things like performance level review, security [00:25:00] review, things like that where it's like more more different aspects of how this feature might affect your code base that you want to potentially leverage an agent to help with.Jonas: And some of those like bug bot will be synchronous and you'll typically want to wait on before you merge.But I think another thing that we're starting to see is. As with cloud agents, you scale up this parallelism and how much code you generate. 10 person startups become, need the Devrel X and pipelines that a 10,000 person company used to need. 
And that looks like a lot of the things I think that 10,000 person companies invented in order to get that volume of software to production safely.So that's things like, release frequently or release slowly, have different stages where you release, have checkpoints, automated ways of detecting regressions. And so I think we're gonna need stacks merg stack diffs merge queues. Exactly. A lot of those things are going to be importantswyx: forward with.I think the majority of people still don't know what stack stacks are. And I like, I have many friends in Facebook and like I, I'm pretty friendly with graphite. I've just, [00:26:00] I've never needed it ‘cause I don't work on that larger team and it's just like democratization of no, only here's what we've already worked out at very large scale and here's how you can, it benefits you too.Like I think to me, one of the beautiful things about GitHub is that. It's actually useful to me as an individual solo developer, even though it's like actually collaboration software.Jonas: Yep.swyx: And I don't think a lot of Devrel tools have figured that out yet. That transition from like large down to small.Jonas: Yeah. Kers is probably an inverse story.swyx: This is small down toJonas: Yeah. Where historically Kers share, part of why we grew so quickly was anyone on the team could pick it up and in fact people would pick it up, on the weekend for their side project and then bring it into work. ‘cause they loved using it so much.swyx: Yeah.Jonas: And I think a thing that we've started working on a lot more, not us specifically, but as a company and other folks at Cursor, is making it really great for teams and making it the, the 10th person that starts using Cursor in a team. Is immediately set up with things like, we launched Marketplace recently so other people can [00:27:00] configure what CPS and skills like plugins.So skills and cps, other people can configure that. So that my cursor is ready to go and set up. 
Sam loves the Datadog, MCP and Slack, MCP you've also been using a lot butSamantha: also pre-launch, but I feel like it's so good.Jonas: Yeah, my cursor should be configured if Sam feels strongly that's just amazing and required.swyx: Is it automatically shared or you have to go and.Jonas: It depends on the MCP. So some are obviously off per user. Yeah. And so Sam can't off my cursor with my Slack MCP, but some are team off and those can be set up by admins.swyx: Yeah. Yeah. That's cool. Yeah, I think, we had a man on the pod when cursor was five people, and like everyone was like, okay, what's the thing?And then it's usually something teams and org and enterprise, but it's actually working. But like usually at that stage when you're five, when you're just a vs. Code fork it's like how do you get there? Yeah. Will people pay for this? People do pay for it.Jonas: Yeah. And I think for cloud agents, we expect.[00:28:00]To have similar kind of PLG things where I think off the bat we've seen a lot of adoption with kind of smaller teams where the code bases are not quite as complex to set up. Yes. If you need some insane docker layer caching thing for builds not to take two hours, that's going to take a little bit longer for us to be able to support that kind of infrastructure.Whereas if you have front end backend, like one click agents can install everything that they need themselves.swyx: This is a good chance for me to just ask some technical sort of check the box questions. Can I choose the size of the vm?Jonas: Not yet. We are planning on adding that. Weswyx: have, this is obviously you want like LXXL, whatever, right?Like it's like the Amazon like sort menu.Jonas: Yes, exactly. We'll add that.swyx: Yeah. In some ways you have to basically become like a EC2, almost like you rent a box.Jonas: You rent a box. Yes. We talk a lot about brain in a box. Yeah. So cursor, we want to be a brain in a box,swyx: but is the mental model different? 
Is it more serverless?Is it more persistent? Is. Something else.Samantha: We want it to be a bit persistent. The desktop should be [00:29:00] something you can return to af even after some days. Like maybe you go back, they're like still thinking about a feature for some period of time. So theswyx: full like sus like suspend the memory and bring it back and then keep going.Samantha: Exactly.swyx: That's an interesting one because what I actually do want, like from a manna and open crawl, whatever, is like I want to be able to log in with my credentials to the thing, but not actually store it in any like secret store, whatever. ‘cause it's like this is the, my most sensitive stuff.Yeah. This is like my email, whatever. And just have it like, persist to the image. I don't know how it was hood, but like to rehydrate and then just keep going from there. But I don't think a lot of infra works that way. A lot of it's stateless where like you save it to a docker image and then it's only whatever you can describe in a Docker file and that's it.That's the only thing you can cl multiple times in parallel.Jonas: Yeah. We have a bunch of different ways of setting them up. So there's a dockerfile based approach. The main default way is actually snapshottingswyx: like a Linux vmJonas: like vm, right? You run a bunch of install commands and then you snapshot more or less the file system.And so that gets you set up for everything [00:30:00] that you would want to bring a new VM up from that template basically.swyx: Yeah.Jonas: And that's a bit distinct from what Sam was talking about with the hibernating and re rehydrating where that is a full memory snapshot as well. 
So there, if I had like the browser open to a specific page and we bring that back, that page will still be there.swyx: Was there any discussion internally and just building this stuff about every time you shoot a video it's actually you show a little bit of the desktop and the browser and it's not necessary if you just show the browser. If, if you know you're just demoing a front end application.Why not just show the browser, right? Like it Yeah,Samantha: we do have some panning and zooming. Yeah. Like it can decide that when it's actually recording and cutting the video to highlight different things. I think we've played around with different ways of segmenting it and yeah. There's been some different revs on it for sure.Jonas: Yeah. I think one of the interesting things is the version that you see now in cursor.com actually is like half of what we had at peak where we decided to unshift or unshipped quite a few things. So two of the interesting things to talk about, one is directly an answer to your [00:31:00] question where we had native browser that you would have locally, it was basically an iframe that via port forwarding could load the URL could talk to local host in the vm.So that gets you basically, so inswyx: your machine's browser,likeJonas: in your local browser? Yeah. You would go to local host 4,000 and that would get forwarded to local host 4,000 in the VM via port forward. We unshift that like atswyx: Eng Rock.Jonas: Like an Eng Rock. Exactly. We unshift that because we felt that the remote desktop was sufficiently low latency and more general purpose.So we build Cursor web, but we also build Cursor desktop. And so it's really useful to be able to have the full spectrum of things. 
And even for Cursor Web, as you saw in one of the examples, the agent was uploading files and like I couldn't upload files and open the file viewer if I only had access to the browser.And we've thought a lot about, this might seem funny coming from Cursor where we started as this, vs. Code Fork and I think inherited a lot of amazing things, but also a lot [00:32:00] of legacy UI from VS Code.Minimal Web UI SurfacesJonas: And so with the web UI we wanted to be very intentional about keeping that very minimal and exposing the right sum of set of primitive sort of app surfaces we call them, that are shared features of that cloud.Environment that you and the agent both use. So agent uses desktop and controls it. I can use desktop and controlled agent runs terminal commands. I can run terminal commands. So that's how our philosophy around it. The other thing that is maybe interesting to talk about that we unshipped is and we may, both of these things we may reship and decide at some point in the future that we've changed our minds on the trade offs or gotten it to a point where, putswyx: it out there.Let users tell you they want it. Exactly. Alright, fine.Why No File EditorJonas: So one of the other things is actually a files app. And so we used to have the ability at one point during the process of testing this internally to see next to, I had GID desktop and terminal on the right hand side of the tab there earlier to also have a files app where you could see and edit files.And we actually felt that in some [00:33:00] ways, by restricting and limiting what you could do there, people would naturally leave more to the agent and fall into this new pattern of delegating, which we thought was really valuable. And there's currently no way in Cursor web to edit these files.swyx: Yeah. Except you like open up the PR and go into GitHub and do the thing.Jonas: Yeah.swyx: Which is annoying.Jonas: Just tell the agent,swyx: I have criticized open AI for this. 
Because Open AI is Codex app doesn't have a file editor, like it has file viewer, but isn't a file editor.Jonas: Do you use the file viewer a lot?swyx: No. I understand, but like sometimes I want it, the one way to do it is like freaking going to no, they have a open in cursor button or open an antigravity or, opening whatever and people pointed that.So I was, I was part of the early testers group people pointed that and they were like, this is like a design smell. It's like you actually want a VS. Code fork that has all these things, but also a file editor. And they were like, no, just trust us.Jonas: Yeah. I think we as Cursor will want to, as a product, offer the [00:34:00] whole spectrum and so you want to be able to.Work at really high levels of abstraction and double click and see the lowest level. That's important. But I also think that like you won't be doing that in Slack. And so there are surfaces and ways of interacting where in some cases limiting the UX capabilities makes for a cleaner experience that's more simple and drives people into these new patterns where even locally we kicked off joking about this.People like don't really edit files, hand code anymore. And so we want to build for where that's going and not where it's beenswyx: a lot of cool stuff. And Okay. I have a couple more.Full Stack Hosting Debateswyx: So observations about the design elements about these things. One of the things that I'm always thinking about is cursor and other peers of cursor start from like the Devrel tools and work their way towards cloud agents.Other people, like the lovable and bolts of the world start with here's like the vibe code. Full cloud thing. They were already cloud edges before anyone else cloud edges and we will give you the full deploy platform. So we own the whole loop. We own all the infrastructure, we own, we, we have the logs, we have the the live site, [00:35:00] whatever.And you can do that cycle cursor doesn't own that cycle even today. 
You don't have the versal, you don't have the, you whatever deploy infrastructure that, that you're gonna have, which gives you powers because anyone can use it. And any enterprise who, whatever you infra, I don't care. But then also gives you limitations as to how much you can actually fully debug end to end.I guess I'm just putting out there that like is there a future where there's like full stack cursor where like cursor apps.com where like I host my cursor site this, which is basically a verse clone, right? I don't know.Jonas: I think that's a interesting question to be asking, and I think like the logic that you laid out for how you would get there is logic that I largely agree with.swyx: Yeah. Yeah.Jonas: I think right now we're really focused on what we see as the next big bottleneck and because things like the Datadog MCP exist, yeah. I don't think that the best way we can help our customers ship more software. Is by building a hosting solution right now,swyx: by the way, these are things I've actually discussed with some of the companies I just named.Jonas: Yeah, for sure. Right now, just this big bottleneck is getting the code out there and also [00:36:00] unlike a lovable in the bolt, we focus much more on existing software. And the zero to one greenfield is just a very different problem. Imagine going to a Shopify and convincing them to deploy on your deployment solution.That's very different and I think will take much longer to see how that works. May never happen relative to, oh, it's like a zero to one app.swyx: I'll say. It's tempting because look like 50% of your apps are versal, superb base tailwind react it's the stack. It's what everyone does.So I it's kinda interesting.Jonas: Yeah.Model Choice and Auto Routingswyx: The other thing is the model select dying. Right now in cloud agents, it's stuck down, bottom left. Sure it's Codex High today, but do I care if it's suddenly switched to Opus? 
Probably not.Samantha: We definitely wanna give people a choice across models because I feel like it, the meta change is very frequently.I was a big like Opus 4.5 Maximalist, and when codex 5.3 came out, I hard, hard switch. So that's all I use now.swyx: Yeah. Agreed. I don't know if, but basically like when I use it in Slack, [00:37:00] right? Cursor does a very good job of exposing yeah. Cursors. If people go use it, here's the model we're using.Yeah. Here's how you switch if you want. But otherwise it's like extracted away, which is like beautiful because then you actually, you should decide.Jonas: Yeah, I think we want to be doing more with defaults.swyx: Yeah.Jonas: Where we can suggest things to people. A thing that we have in the editor, the desktop app is auto, which will route your request and do things there.So I think we will want to do something like that for cloud agents as well. We haven't done it yet. And so I think. We have both people like Sam, who are very savvy and want know exactly what model they want, and we also have people that want us to pick the best model for them because we have amazing people like Sam and we, we are the experts.Yeah. We have both the traffic and the internal taste and experience to know what we think is best.swyx: Yeah. I have this ongoing pieces of agent lab versus model lab. And to me, cursor and other companies are example of an agent lab that is, building a new playbook that is different from a model lab where it's like very GP heavy Olo.So obviously has a research [00:38:00] team. And my thesis is like you just, every agent lab is going to have a router because you're going to be asked like, what's what. I don't keep up to every day. I'm not a Sam, I don't keep up every day for using you as sample the arm arbitrator of taste. Put me on CRI Auto.Is it free? It's not free.Jonas: Auto's not free, but there's different pricing tiers. Yeah.swyx: Put me on Chris. 
You decide from me based on all the other people you know better than me. And I think every agent lab should basically end up doing this because that actually gives you extra power because you like people stop carrying or having loyalty with one lab.Jonas: Yeah.Best Of N and Model CouncilsJonas: Two other maybe interesting things that I don't know how much they're on your radar are one the best event thing we mentioned where running different models head to head is actually quite interesting becauseswyx: which exists in cursor.Jonas: That exists in cur ID and web. So the problem is where do you run them?swyx: Okay.Jonas: And so I, I can share my screen if that's interesting. Yeahinteresting.swyx: Yeah. Yeah. Obviously parallel agents, very popal.Jonas: Yes, exactly. Parallel agentsswyx: in you mind. Are they the same thing? Best event and parallel agents? I don't want to [00:39:00] put words in your mouth.Jonas: Best event is a subset of parallel agents where they're running on the same prompt.That would be my answer. So this is what that looks like. And so here in this dropdown picker, I can just select multiple models.swyx: Yeah.Jonas: And now if I do a prompt, I'm going to do something silly. I am running these five models.swyx: Okay. This is this fake clone, of course. The 2.0 yeah.Jonas: Yes, exactly. But they're running so the cursor 2.0, you can do desktop or cloud.So this is cloud specifically where the benefit over work trees is that they have their own VMs and can run commands and won't try to kill ports that the other one is running. Which are some of the pains. These are allswyx: called work trees?Jonas: No, these are all cloud agents with their own VMs.swyx: Okay. ButJonas: When you do it locally, sometimes people do work trees and that's been the main way that people have set out parallel so far.I've gotta say.swyx: That's so confusing for folks.Jonas: Yeah.swyx: No one knows what work trees are.Jonas: Exactly. 
I think we're phasing out work trees.swyx: Really.Jonas: Yeah.swyx: Okay.Samantha: But yeah. And one other thing I would say though on the multimodel choice, [00:40:00] so this is another experiment that we ran last year and the decide to ship at that time but may come back to, and there was an interesting learning that's relevant for, these different model providers. It was something that would run a bunch of best of ends but then synthesize and basically run like a synthesizer layer of models. And that was other agents that would take LM Judge, but one that was also agentic and could write code. So it wasn't just picking but also taking the learnings from two models or, and models that it was looking at and writing a new diff.And what we found was that at the time at least, there were strengths to using models from different model providers as the base level of this process. Like basically you could get almost like a synergistic output that was better than having a very unified, like bottom model tier. So it was really interesting ‘cause it's like potentially, even though even in the future when you have like maybe one model as ahead of the other for a little bit, there could be some benefit from having like multiple top tier models involved in like a [00:41:00] model swarm or whatever agent Swarm that you're doing, that they each have strengths and weaknesses.Yeah.Jonas: Andre called this the council, right?Samantha: Yeah, exactly. We actually, oh, that's another internal command we have that Ian wrote slash council. Oh, and they some, yeah.swyx: Yes. This idea is in various forms everywhere. And I think for me, like for me, the productization of it, you guys have done yeah, like this is very flexible, but.If I were to add another Yeah, what your thing is on here it would be too much. 
I what, let's say,Samantha: Ideally it's all, it's something that the user can just choose and it all happens under the hood in a way where like you just get the benefit of that process at the end and better output basically, but don't have to get too lost in the complexity of judging along the way.Jonas: Okay.Subagents for ContextJonas: Another thing on the many agents, on different parallel agents that's interesting is an idea that's been around for a while as well that has started working recently is subagents. And so this is one other way to get agents of the different prompts and different goals and different models, [00:42:00] different vintages to work together.Collaborate and delegate.swyx: Yeah. I'm very like I like one of my, I always looking for this is the year of the blah, right? Yeah. I think one of the things on the blahs is subs. I think this is of but I haven't used them in cursor. Are they fully formed or how do I honestly like an intro because do I form them from new every time?Do I have fixed subagents? How are they different for slash commands? There's all these like really basic questions that no one stops to answer for people because everyone's just like too busy launching. We have toSamantha: honestly, you could, you can see them in cursor now if you just say spin up like 50 subagents to, so cursor definesswyx: what Subagents.Yeah.Samantha: Yeah. So basically I think I shouldn't speak for the whole subagents team. This is like a different team that's been working on this, but our thesis or thing that we saw internally is that like they're great for context management for kind of long running threads, or if you're trying to just throw more compute at something.We have strongly used, almost like a generic task interface where then the main agent can define [00:43:00] like what goes into the subagent. 
So if I say explore my code base, it might decide to spin up an explore subagent, or it might decide to spin up five explore subagents.
swyx: But I don't get to set what those subagents are, right? It's all defined by a model.
Samantha: I think. I actually would have to refresh myself on the subagent interface.
Jonas: There are some built-in ones like the explore subagent is free pre-built. But you can also instruct the model to use other subagents and then it will. And one other example of a built-in subagent is I actually just kicked one off in Cursor and I can show you what that looks like.
swyx: Yes. Because I tried to do this in pure prompt space.
Jonas: So this is the desktop app? Yeah. Yeah. And that's
swyx: all you need to do, right? Yeah.
Jonas: That's all you need to do. So I said use a subagent to explore and I think, yeah, so I can even click in and see what the subagent is working on here. It ran some find command and this is a Composer under the hood. Even though my main model is Opus, it does smart routing to take, like in this instance the explorer sort of requires reading a ton of things. And so a faster model is really useful to get an [00:44:00] answer quickly, but this is what subagents look like. And I think we wanted to do a lot more to expose hooks and ways for people to configure these. Another example of a sort of built-in subagent is the computer use subagent in the cloud agents, where we found that those trajectories can be long and involve a lot of images obviously, and execution of some testing verification task. We wanted to use models that are particularly good at that. So that's one reason to use subagents. And then the other reason to use subagents is we want contexts to be summarized, reduced down at a subagent level. That's a really neat boundary at which to compress that rollout and testing into a final message that agent writes that then gets passed into the parent rather than having to do some global compaction or something like that.
swyx: Awesome. Cool. While we're in the subagents conversation, I can't do a Cursor conversation and not talk about Wilson stuff. What is that? What is what? He built a browser. He built an OS. Yes. And he [00:45:00] experimented with a lot of different architectures and basically ended up reinventing the software engineer org chart. This is all cool, but what's your take? What's, is there any whole behind-the-scenes stories about that kind of, that whole adventure.
Samantha: Some of those experiments have found their way into a feature that's available in cloud agents now, the long running agent mode; internally, we call it grind mode. And I think there's like some hint of grind mode accessible in the picker today, 'cause you can choose "grind until done". And so that was really the result of experiments that Wilson started in this vein where he, I think the Ralph Wiggum loop was like floating around at the time, but it was something he also independently found and he was experimenting with. And that was what led to this product surface.
swyx: And it is just the simple idea of have criteria for completion and do not stop until you complete.
Samantha: There's a bit more complexity as well in, in our implementation. Like there's a specific, you have to start out by aligning and there's like a planning stage where it will work with you and it will not, like, start grind execution mode until it's decided that the [00:46:00] plan is amenable to both of you. Basically,
swyx: I refuse to work until you make me happy.
Jonas: We found that it's really important where people would give like a very underspecified prompt and then expect it to come back with magic. And if it's gonna go off and work for three minutes, that's one thing. When it's gonna go off and work for three days, you probably should spend like a few hours upfront making sure that you have communicated what you actually want.
swyx: Yeah. And just to like really drive home the point. We really mean three days that No, no
Jonas: human. Oh yeah. We've had three day months innovation whatsoever.
Samantha: I don't know what the record is, but there's been a long time with the grants
Jonas: and so the thing that is available in Cursor, the long running agent, is, if you wanna think about it very abstractly, that is like one worker node. Whereas what built the browser is a society of workers and planners and different agents collaborating. Because we started building the browser with one worker node at the time, that was just the agent. And it became one worker node when we realized that the throughput of the system was not where it needed to be [00:47:00] to get something as large of a scale as the browser done.
swyx: Yeah.
Jonas: And so this has also become a really big mental model for us with cloud, cloud agents is there's the classic engineering latency throughput trade-offs. And so you know, the code is water flowing through a pipe. The, we think that over the coming months, the big unlock is not going to be one person with a model getting more done, like the water flowing faster, and we'll be making the pipe much wider and so ing more, whether that's swarms of agents or parallel agents, both of those are things that contribute to getting much more done in the same amount of time, but any one of those tasks doesn't necessarily need to get done that quickly. And throughput is this really big thing where if you see the system of a hundred concurrent agents outputting thousands of tokens a second, you can't go back like that. Just you see a glimpse of the future where obviously there are many caveats. Like no one is using this browser IRL. There's like a bunch of things not quite right yet, but we are going to get to systems that produce real production [00:48:00] code at that scale much sooner than people think. And it forces you to think what even happens to production systems. Like we've broken our GitHub Actions recently because we have so many agents like producing and pushing code that like CI/CD is just overloaded. 'Cause suddenly it's like effectively we grew, Cursor's growing very quickly anyway, but you grow headcount 10x when people run 10x as many agents. And so a lot of these systems, exactly, a lot of these systems will need to adapt.
swyx: It also reminds me, we, we all, the three of us live in the app layer, but if you talk to the researchers who are doing RL infrastructure, it's the same thing. It's like all these parallel rollouts and scheduling them and making sure as much throughput as possible goes through them. Yeah, it's the same thing.
Jonas: We were talking briefly before we started recording. You were mentioning memory chips and some of the shortages there. The other thing that I think is just like hard to wrap your head around is the scale of the system that was building the browser, the concurrency there. If Sam and I both have a system like that running for us, [00:49:00] shipping our software, the amount of inference that we're going to need per developer is just really mind-boggling. And that makes, sometimes when I think about that, I think that even with the most optimistic projections for what we're going to need in terms of buildout, we are underestimating the extent to which these swarm systems can like churn at scale to produce code that is valuable to the economy. And,
swyx: yeah, you can cut this if it's sensitive, but I was just, do you have estimates of how much your token consumption is?
Jonas: Like per developer?
swyx: Yeah. Or yourself. I don't need like a company average. I'm just curious.
Samantha: I feel like I, for a while I wasn't an admin on the usage dashboard, so I like wasn't able to actually see, but it was a,
swyx: mine has gone up.
Samantha: Oh yeah.
swyx: But I think
Samantha: it's in terms of how much work I'm doing, it's more like I have no worries about developers losing their jobs, at least in the near term. 'Cause I feel like that's a more broad discussion.
swyx: Yeah. Yeah. You went there. I didn't go, I wasn't going there. I was just like how much more are you using?
Samantha: There's so much stuff to be built. And so I feel like I'm basically just [00:50:00] trying to constantly, I have more ambitions than I did before. Yes. Personally. Yes. So I can't speak to the broader thing. But for me it's like I'm busier than ever before. I'm using more tokens and I am also doing more things.
Jonas: Yeah. Yeah. I don't have the stats for myself, but I think broadly a thing that we've seen, that we expect to continue, is Jevons paradox. Where
swyx: you can't do it in our podcast without saying
Jonas: it. Exactly. We've done it. Now we can wrap. We've done, we said the words. Phase one, tab autocomplete, people paid like 20 bucks a month. And that was great. Phase two where you were iterating with these local models. Today people pay like hundreds of dollars a month. I think as we think about these highly parallel kind of agents running off for a long time in their own VM system, we are already at that point where people will be spending thousands of dollars a month per human, and I think potentially tens of thousands and beyond, where it's not like we are greedy for like capturing more money, but what happens is just individuals get that much more leverage. And if one person can do as much as 10 people, yeah, that tool that allows 'em to do that is going to be tremendously valuable [00:51:00] and worth investing in and taking the best thing that exists.
swyx: One more question on just Cursor in general and then open-ended for you guys to plug whatever you wanna plug. How is Cursor hiring these days?
Samantha: What do you mean by how?
swyx: So obviously LeetCode is dead. Oh,
Samantha: okay.
swyx: Everyone says work trial. Different people have different levels of adoption of agents. Some people can really adopt, can be much more productive. But other people, you just need to give them a little bit of time. And sometimes they've never lived in a token rich place like Cursor. And once you live in a token rich place, you're, you just work differently. But you need to have done that. And a lot of people, anyway, it was just open-ended. Like how has agentic engineering, agentic coding changed your opinions on hiring? Is there any like broad like insights? Yeah.
Jonas: Basically I'm asking this for other people, right? Yeah, totally. Totally. To hear Sam's opinion, we haven't talked about this, the two of us. I think that we don't see necessarily being great at the latest thing with AI coding as a prerequisite. I do think that's a sign that people are keeping up and [00:52:00] curious and willing to upskill themselves in what's happening because, as we were talking about, the last three months, the game has completely changed. It's like what I do all day is very different.
swyx: Like it's my job and I can't,
Jonas: Yeah, totally. I do think that still, as Sam was saying, the fundamentals remain important in the current age and being able to go and double click down. And models today do still have weaknesses where if you let them run for too long without cleaning up and refactoring, the code will get sloppy and there'll be bad abstractions. And so you still do need humans that like have built systems before, know good patterns when they see them and know where to steer things.
Samantha: I would agree with that. I would say again, Cursor also operates very quickly and leveraging agentic engineering is probably one reason why that's possible in this current moment. I think in the past it was just like people coding quickly and now there's like people who use agents to move faster as well. So it's part of our process, we'll always look for, we'll select for kind of that ability to make good decisions quickly and move well in this environment. And so I think being able to [00:53:00] figure out how to use agents to help you do that is an important part of it too.
swyx: Yeah. Okay. The fork in the road, either predictions for the end of the year, if you have any, or plugs.
Jonas: Predictions are not going to go well.
Samantha: I know it's hard.
swyx: They're so hard. Get it wrong. It's okay. Just, yeah.
Jonas: One other plug that may be interesting that I feel like we touched on but haven't talked a ton about is a thing that the kind of these new interfaces and this parallelism enables is the ability to hop back and forth between threads really quickly. And so a thing that we have,
swyx: you wanna show something or,
Jonas: yeah, I can show something. A thing that we have felt with local agents is this pain around context switching. And you have one agent that went off and did some work and another agent that, that did something else. And so here by having, I just have three tabs open, let's say, but I can very quickly hop in here. This is an example I showed earlier, but the actual workflow here I think is really different in a way that may not be obvious, where, I start t
Jack sits down with Paul Calf (Salesforce Release Manager at Standard Life, and Gearset DevOps Leader for 2026) to talk through a decade-long Salesforce journey that took him from accidental admin to release manager. Paul gets candid about the failed audit that forced his team to get serious about governance, what it looked like to build a compliant release process from scratch, and why cherry-picking components in VS Code nearly broke him (and the team). The conversation goes beyond tooling. Paul opens up about the culture-first approach his team takes to collaboration, from daily standups to blameless post-mortems, and what happens when someone accidentally data loads the wrong file into prod. He also shares his take on evaluating DevOps tools, approval bottlenecks, and how his financial services org is treading carefully, but deliberately, into AI territory.
About DevOps Diaries: Salesforce DevOps Advocate Jack McCurdy chats to members of the Salesforce community about their experience in the Salesforce ecosystem. Expect to hear and learn from inspirational stories of personal growth and business success, whilst discovering all the trials, tribulations, and joy that comes with delivering Salesforce for companies of all shapes and sizes. New episodes bi-weekly on YouTube as well as on your preferred podcast platform.
Podcast produced and sponsored by Gearset. Learn more about Gearset: https://grst.co/4iCnas2
About Gearset: Gearset is the leading Salesforce DevOps platform, with powerful solutions for metadata and CPQ deployments, CI/CD, automated testing, sandbox seeding and backups. It helps Salesforce teams apply DevOps best practices to their development and release process, so they can rapidly and securely deliver higher-quality projects.
Get full access to all of Gearset's features for free with a 30-day trial: https://grst.co/4iKysKW
Chapters:
00:00 – Intro & Meet Paul Calf
02:00 – The Accidental Admin Origin Story
03:44 – The Audit That Changed Everything
05:28 – Building a Release Process from Scratch
08:00 – From Change Sets to Gearset
09:34 – Tackling Approval Bottlenecks
12:43 – Breaking Down Silos & Building a Collaborative Culture
15:42 – Blameless Culture & Owning Your Mistakes
18:55 – Lessons from Building a DevOps Pipeline
22:29 – Cherry Picking: A Horror Story
25:40 – How to Evaluate DevOps Tooling
28:11 – Continuous Improvement as a Mindset
30:15 – Approaching AI in a Regulated Industry
33:46 – Final Advice for Salesforce & DevOps Teams
37:20 – Wrapping Up
AI is reshaping both sides of the cybersecurity battlefield — and fast. In this episode, we break down five stories that prove it: the first Chrome zero-day of 2026 (CVE-2026-2441), a near-perfect CVSS 9.9 in Microsoft's Semantic Kernel SDK (CVE-2026-26030), a supply chain attack on AI coding assistant Cline that silently installed autonomous agents on thousands of developer machines, the first-ever Android malware using Google's Gemini AI at runtime (PromptSpy), and a Russian-speaking threat actor who used commercial AI tools to breach over 600 FortiGate firewalls across 55 countries in just five weeks. Whether you're a developer, security professional, or just someone who uses a browser — this one's worth your time.
Cloud Posse holds LIVE "Office Hours" every Wednesday to answer questions on all things related to AWS, DevOps, Terraform, Kubernetes, CI/CD. Register at https://cloudposse.com/office-hours
Today, we are continuing our series, entitled Developer Chats - hearing from the large scale system builders themselves. In this episode, we are talking with Oleksandr Piekhota, Principal Software Engineer at Teaching Strategies. Oleksandr helps to show us at what point of scale platform approaches are required, when to run experiments and when to stop, and perhaps more importantly - engineering ownership beyond the code.
Questions:
You've moved from hands-on engineering into principal and technical leadership roles, working on architecture and platforms. At what point did you realize your work was no longer about individual features, but about the system as a whole?
Across several projects, growth didn't break functionality — it exposed architectural limits. Can you recall a moment when it became clear that shipping more features wouldn't solve the problem, and a platform approach was required?
You've designed and supported APIs end-to-end, from architecture to real customers. How do you distinguish between an API that simply works and one that can truly support business scale?
Internal systems like invoicing and HR workflows began as automation, but evolved into real products. What tells you that an internal tool is worth developing seriously rather than treating as a temporary workaround?
In R&D, you explored CI/CD automation, serverless, and infrastructure experiments — not all reached production. How do you decide when an experiment should continue, and when it's no longer worth the engineering cost?
You've hired teams, set standards, and shaped long-term technical direction. At what point does an engineer stop being a contributor and start owning business-level outcomes?
You contributed to open-source tools that later became part of your company's infrastructure. Why do you see open source contributions as part of serious engineering work rather than a side activity?
Looking across your projects, how do you now recognize a truly mature engineering system? Is it code quality, process, or how teams respond when things go wrong?
If we look five to seven years into the future, which architectural assumptions we treat as "standard" today are most likely to turn out to be naive or limiting?
Sponsors: Incogni
Links: https://www.linkedin.com/in/oleksandr-piekhota-b675ba53/ https://teachingstrategies.com/
Support this podcast at — https://redcircle.com/codestory/donations
Advertising Inquiries: https://redcircle.com/brands
Privacy & Opt-Out: https://redcircle.com/privacy
AI can now generate code in seconds. Deployment pipelines are faster than ever. And yet, many teams still feel slow. In this episode, I sit down with Nicole Forsgren, world-renowned researcher, co-author of Accelerate, and Senior Director of Developer Intelligence at Google. We explore why speed alone doesn't create performance — and how hidden friction inside systems, culture, and decision-making quietly holds teams back. Nicole breaks down the SPACE framework, explains why activity metrics create blind spots, and challenges leaders to rethink what productivity really means in the era of AI agents. If you're measuring output but still not seeing impact, this conversation will help you recalibrate.
Key Takeaways
Productivity is multidimensional, not just output: Measuring activity alone creates blind spots. Real performance includes satisfaction, quality, collaboration, and flow.
System constraints determine team speed: Improving individual teams isn't enough. Performance improves only when bottlenecks across the entire value stream are addressed.
AI accelerates existing systems: Automation increases throughput, but it doesn't remove friction. Weak processes and structural gaps become more visible as speed increases.
Trust becomes a performance factor in AI workflows: As agents contribute to development, validation systems, guardrails, and confidence mechanisms become essential.
Strategy must come before acceleration: Building the wrong thing faster does not create value. Leaders must define direction before optimizing delivery.
Additional Insights
Organizations scrutinize AI more than human decisions: We often ask whether AI is producing the right output. Yet we rarely question whether human teams are building the right thing either.
AI forces leaders to clarify judgment: Working with agents requires teams to make their assumptions explicit by defining heuristics, edge cases, and decision rules that previously lived in intuition.
Many bottlenecks are decision bottlenecks: Delays often come from postponed decisions, including security reviews, approvals, and quality checks placed late in the workflow.
AI exposes the limits of existing infrastructure: Faster development cycles put pressure on testing systems, CI/CD pipelines, and operational workflows designed for slower environments.
Episode Highlights
00:00 – Episode Recap: Even as AI accelerates development, many teams feel slower than ever — revealing that friction isn't about code speed but about how systems, culture, and decisions are designed.
02:38 – Guest Introduction: Nicole Forsgren: Barry introduces Nicole Forsgren — researcher, co-author of Accelerate, and Senior Director of Developer Intelligence at Google — whose work has redefined how technology performance is measured.
07:08 – The SPACE Framework Explained: Nicole breaks down Satisfaction, Performance, Activity, Communication, and Efficiency — a practical guardrail to measure productivity across multiple dimensions.
10:19 – Why Optimizing Locally Creates Bottlenecks: Teams often improve within their own scope, only to worsen constraints elsewhere in the system. Real performance requires zooming out.
12:37 – Simple Surveys That Surface Hidden Friction: A few focused questions can quickly reveal productivity barriers — especially when frequency of disruption is measured alongside frustration.
15:51 – Culture, Curiosity, and System Design: Most structural problems come from rational past decisions. Approaching friction with curiosity — not blame — creates safety and clarity.
18:07 – Moving Decisions Upstream: From flaky tests to security reviews, many delays are postponed decisions. The opportunity is shifting confidence-building earlier in the workflow.
22:18 – Making Implicit Judgment Explicit: AI agents force leaders to articulate the heuristics and assumptions they previously ran on instinct — improving both human and machine judgment.
25:48 – Are Humans Building the Right Thing?: We question AI correctness — but rarely apply the same scrutiny to human output. Strategy clarity remains a leadership responsibility.
30:01 – AI Amplifies Existing Bottlenecks: As agents increase throughput, weaknesses in pipelines, testing, and infrastructure become more visible — and more urgent.
32:05 – Removing Friction to Unlock Real Performance: True competitive advantage comes from redesigning systems of work — not just accelerating output.
Follow the Host
LinkedIn: https://www.linkedin.com/in/barryoreilly
Personal site: https://barryoreilly.com
Facebook: https://www.facebook.com/barryoreillyauthor/
Twitter/X: https://x.com/barryoreilly
Instagram: https://www.instagram.com/barryoreilly/
Container base images (like Official Docker Hub images) are often updated without new tag versions. I call this Silent Rebuilds. There's no way to know this happens without image digest-checking automation like Dependabot and Renovate with specific settings. Failure to keep up-to-date is a prime source of vulnerabilities that can lead to serious security breaches. Automate the updates! Check out the video podcast version here: https://youtu.be/z_ahbsSc4Fo
In this episode of the DevSecOps Podcast, the conversation revolves around a topic that many people in technology feel first-hand: the lack of truly solid training in Application Security. Instead of superficial courses or scattered content found around the internet, we discuss the idea of a postgraduate program focused on AppSec and DevSecOps, designed for those who want to leave generic theory behind and dive into what really happens inside companies. Over the course of the episode, we explore why application security requires a broad view that goes beyond tools. We talk about secure architecture, threat modeling, code review, security in CI/CD pipelines, cloud, vulnerability management, and security culture in development. The aim of the program is precisely to connect these points and train professionals capable of thinking about security across the full development lifecycle. If you are a developer, security engineer, architect or technical lead and want to understand how to structure serious learning in AppSec, this episode gives a clear picture of what to expect from advanced training in the field.
In this episode you will find:
• Why the market needs Application Security specialists
• The difference between learning tools and really learning security
• The pillars of solid training in AppSec and DevSecOps
• How to connect development, cloud and security in the same mental model
• The kind of professional the market is really looking for today
Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support. Supported by: Nova8, Snyk, Conviso, Gold Security, Digitalwolk and PurpleBird Security.
Wes and Scott talk about building v_framer, Scott's custom multi-source video recording app, and why Electron beat Tauri and native APIs for the job. They dig into MKV vs WebM, crash-proof recording, licensing with Stripe and Keygen, auto-updates, and the real challenges of shipping a polished desktop app.
Show Notes
00:00 Welcome to Syntax! March MadCSS
02:28 Why screen recording apps are so frustrating
07:14 The requirements behind Scott's app, v_framer
09:47 Tauri, WKWebView, and blurry screen recording headaches
13:00 Why switching to Electron was a game changer
14:02 Electrobun and the hybrid desktop experiment
16:29 Browser-based capture vs native APIs
18:50 Brought to you by Sentry.io
22:32 Notarization, certificates, and shipping a Mac app
24:52 One-time purchases, trials, and selling desktop software
26:37 Self-hosting Keygen for license keys
30:27 A scrappy Google Sheets-powered waitlist
31:56 Keyboard shortcuts, FPS locks, and app customization
34:50 CI/CD and painless auto-updates with Electron
Hit us up on Socials! Syntax: X, Instagram, Tiktok, LinkedIn, Threads. Wes: X, Instagram, Tiktok, LinkedIn, Threads. Scott: X, Instagram, Tiktok, LinkedIn, Threads. Randy: X, Instagram, YouTube, Threads.
Join Dan Vega and DaShaun Carter for an insightful session with Bruno Borges, Principal Product Manager at Microsoft, as we dive into the next generation of AI-assisted development. In this episode, we explore the GitHub Copilot CLI and the new Copilot Java SDK, uncovering how these tools are transforming the terminal into a powerful environment for Spring developers. Learn how to go beyond simple autocomplete, using agentic workflows to automate complex tasks like upgrading Spring Boot versions, refactoring legacy code, and streamlining Azure deployments. We'll also discuss how the Copilot Java SDK allows developers to embed AI capabilities directly into their own JVM-based tooling and CI/CD pipelines. You can participate in our live stream to ask questions or catch the replay on your preferred podcast platform.
Show Notes: Bruno on X/Twitter; Bruno on LinkedIn; GitHub Copilot; Copilot SDK
Want a clear path from CISSP to top-tier pay without getting lost in buzzwords? We break down five high-income specialties that pair perfectly with CISSP leadership: modern GRC, cloud security as code, AI ethics and governance, advanced identity, and software supply chain security. Along the way, we unpack how AI reasoning tools like Claude Code Security are reshaping AppSec by cutting false positives and detecting logic flaws scanners miss, and we translate that shift into concrete workflows, better guardrails, and faster delivery. We start with the career pivot many leaders are making—moving from generalist security management to "decision architect." That means pairing risk fluency with hands-on understanding of Terraform, Kubernetes, and CI/CD gates, then proving value through resilient architectures and evidence-driven dashboards for boards. You'll hear why GRC is exploding under new enforcement trends, how to automate continuous evidence to beat audit fatigue, and where vCISO opportunities command premium rates when strategy meets measurable outcomes. From there, we get practical. We walk through cloud guardrails that stop drift before it hits prod, share how to navigate shared responsibility with AWS and Azure, and outline identity-first zero trust that tames API key sprawl and enables passwordless access. On AI, we go deep on shadow AI containment, prompt-injection red teaming, model transparency, and data loss prevention tuned for embeddings—governance that accelerates, not blocks. Finally, we turn to software supply chain security: SBOM mandates, signed artifacts, dependency risk, and the DevSecOps policies that keep pipelines moving while raising assurance. If you're mapping your next move, we also compare salary bands across roles and highlight bridge certifications—CISM for program leadership, AI governance credentials for compliance depth, and CISA for audit rigor—to level up fast.
Subscribe, share this with a teammate plotting their niche, and leave a quick review to tell us which specialty you're pursuing next.Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
What happens when you deploy to prod on a Friday and it starts firing emails to every customer? Dan Barckley has lived it — and it's why he's now a DevOps believer. In this episode: accidental admin origins, why simple beats complex every time, Agentforce skepticism, and the leadership mindset that changes everything.
About DevOps Diaries: Salesforce DevOps Advocate Jack McCurdy chats to members of the Salesforce community about their experience in the Salesforce ecosystem. Expect to hear and learn from inspirational stories of personal growth and business success, whilst discovering all the trials, tribulations, and joy that comes with delivering Salesforce for companies of all shapes and sizes. New episodes bi-weekly on YouTube as well as on your preferred podcast platform.
Podcast produced and sponsored by Gearset. Learn more about Gearset: https://grst.co/4iCnas2
About Gearset: Gearset is the leading Salesforce DevOps platform, with powerful solutions for metadata and CPQ deployments, CI/CD, automated testing, sandbox seeding and backups. It helps Salesforce teams apply DevOps best practices to their development and release process, so they can rapidly and securely deliver higher-quality projects. Get full access to all of Gearset's features for free with a 30-day trial: https://grst.co/4iKysKW
Chapters:
01:36 Introducing Daniel Barckley: A Journey in Salesforce
04:16 The Joy of Problem Solving in DevOps
07:05 Learning from Mistakes: The Accidental Admin
09:35 Tinkering and Innovation: Building in Salesforce
12:37 The Importance of Mentorship and Leadership
15:21 Characteristics of Great Leaders
18:18 Navigating the Salesforce Ecosystem
20:46 The Future of Salesforce: AI and Automation
23:46 Data Management and Business Continuity
26:43 Iterative Development and Continuous Improvement
29:19 Embracing Change in the Tech World
32:11 Closing Thoughts: Lead with Curiosity
Over the past few weeks, we've been refining our roadmap for 2026 and focusing on where Semaphore can deliver the most value.Our direction is clear: extend CI/CD beyond execution — and help developers ship software faster.Here's what's coming next. This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit semaphoreio.substack.com
In this episode of Resilient Cyber, we sit down with Ari Marzuk, the researcher who published "IDEsaster", a novel vulnerability class in AI IDEs. We discuss the rise of AI-driven development and modern AI coding assistants, tools and agents, how Ari discovered 30+ vulnerabilities impacting some of the most widely used AI coding tools, and the broader risks around AI coding.
Ari's background in offensive security — Ari has spent the past decade in offensive security, including time with Israeli military intelligence, NSO Group, Salesforce, and currently Microsoft, with a focus on AI security for the last two to three years.
IDEsaster: a new vulnerability class — Ari's research uncovered 30+ vulnerabilities and 24 CVEs across AI-powered IDEs, revealing not just individual bugs but an entirely new vulnerability class rooted in the shared base IDE layer that tools like Cursor, Copilot, and others are built on.
"Secure for AI" as a design principle — Ari argues that legacy IDEs were never built with autonomous AI agents in mind, and that the same gap likely exists across CI/CD pipelines, cloud environments, and collaboration tools as organizations race to bolt on AI capabilities.
Low barrier to exploitation — The vulnerabilities Ari found don't require nation-state sophistication to exploit; techniques like remote JSON schema exfiltration can be carried out with relatively simple prompt engineering and publicly known attack vectors.
Human-in-the-loop is losing its effectiveness — Even with diff preview and approval controls enabled, exfiltration attacks still triggered in Ari's testing, and approval fatigue from hundreds of agent-generated actions is pushing developers toward YOLO mode.
Least privilege and the capability vs. security trade-off — The same unrestricted access that makes AI coding agents so productive is what makes them vulnerable, and history suggests organizations will continue to optimize for utility over security without strong guardrails.
Top defensive recommendations — Ari emphasized isolation (containers, VMs) as the single most important control, followed by enforcing secure defaults that can't be easily overridden, and applying enterprise-level monitoring and governance to AI agent usage.
What's next — Ari is turning his attention to newer AI tools and attack surfaces but isn't naming targets yet. You can follow his work on LinkedIn, X, and his blog at makarita.com.
I'm joined by Nirmal Mehta of AWS and Viktor Farcic from Upbound, to go through our 2025 year in review. We look into the AI tools that consumed us this year, from CLI agents to terminal emulators, IDEs, AI browsers - what worked, what flopped, what's worth your time and money, and what we think isn't!Check out the video podcast version here: https://youtu.be/mnagfUsh5bc
Emmanuel and Guillaume discuss various programming topics, including file systems in Java, Data Oriented Programming, the challenges of JPA with Kotlin, and the new features of Quarkus. They also explore some slightly crazy subjects such as building datacenters in space. Quite a bit of architecture too. Recorded on 13 February 2026. Download the episode LesCastCodeurs-Episode-337.mp3 or watch the video on YouTube.
News
Languages
How to implement a file system in Java https://foojay.io/today/bootstrapping-a-java-file-system/ Build a custom Java file system with NIO.2 for varied uses (VCS, archives, remote systems). Java evolution: java.io.File (1.0) -> NIO (1.4) -> NIO.2 (1.7), which allows customization via FileSystem. Upfront design is recommended; the Java API is POSIX-oriented. Key components to consider: URI design (unique scheme, path). Tree management (DB, metadata, efficiency). Binary storage (location, encryption, versions). The minimum to get started (4 components): implement Path (represents a file/directory); extend FileSystem (the file system instance); extend FileSystemProvider (the engine, registered by scheme); register the FileSystemProvider via META-INF/services. Next steps: DB layer (tree), basic directory/file operations, storage, tests. A long and demanding process, but a rewarding one.
Un article de brian goetz sur le futur du data oriented programming en Java https://openjdk.org/projects/amber/design-notes/beyond-records Le projet Amber de Java introduit les "carrier classes", une évolution des records qui permet plus de flexibilité tout en gardant les avantages du pattern matching et de la reconstruction Les records imposent des contraintes strictes (immutabilité, représentation exacte de l'état) qui limitent leur usage pour des classes avec état muable ou dérivé Les carrier classes permettent de déclarer une state description complète et canonique sans imposer que la représentation interne corresponde exactement à l'API publique Le modificateur "component" sur les champs permet au compilateur de dériver automatiquement les accesseurs pour les composants alignés avec la state description Les compact constructors sont généralisés aux carrier classes, générant automatiquement l'initialisation des component fields Les carrier classes supportent la déconstruction via pattern matching comme les records, rendant possible leur usage dans les instanceof et switch Les carrier interfaces permettent de définir une state description sur une interface, obligeant les implémentations à fournir les accesseurs correspondants L'extension entre carrier classes est possible, avec dérivation automatique des appels super() quand les composants parent sont subsumés par l'enfant Les records deviennent un cas particulier de carrier classes avec des contraintes supplémentaires (final, extends Record, component fields privés et finaux obligatoires) L'évolution compatible des records est améliorée en permettant l'ajout de composants en fin de liste et la déconstruction partielle par préfixe Comment éviter les pièges courants avec JPA et Kotlin - https://blog.jetbrains.com/idea/2026/01/how-to-avoid-common-pitfalls-with-jpa-and-kotlin/ JPA est une spécification Java pour la persistance objet-relationnel, mais son utilisation avec Kotlin présente des incompatibilités dues 
aux différences de conception des deux langages Les classes Kotlin sont finales par défaut, ce qui empêche la création de proxies par JPA pour le lazy loading et les opérations transactionnelles Le plugin kotlin-jpa génère automatiquement des constructeurs sans argument et rend les classes open, résolvant les problèmes de compatibilité Les data classes Kotlin ne sont pas adaptées aux entités JPA car elles génèrent equals/hashCode basés sur tous les champs, causant des problèmes avec les relations lazy L'utilisation de lateinit var pour les relations peut provoquer des exceptions si on accède aux propriétés avant leur initialisation par JPA Les types non-nullables Kotlin peuvent entrer en conflit avec le comportement de JPA qui initialise les entités avec des valeurs null temporaires Le backing field direct dans les getters/setters personnalisés peut contourner la logique de JPA et casser le lazy loading IntelliJ IDEA 2024.3 introduit des inspections pour détecter automatiquement ces problèmes et propose des quick-fixes L'IDE détecte les entités finales, les data classes inappropriées, les problèmes de constructeurs et l'usage incorrect de lateinit Ces nouvelles fonctionnalités aident les développeurs à éviter les bugs subtils liés à l'utilisation de JPA avec Kotlin Librairies Guide sur MapStruct @IterableMapping - https://www.baeldung.com/java-mapstruct-iterablemapping MapStruct est une bibliothèque Java pour générer automatiquement des mappers entre beans, l'annotation @IterableMapping permet de configurer finement le mapping de collections L'attribut dateFormat permet de formater automatiquement des dates lors du mapping de listes sans écrire de boucle manuelle L'attribut qualifiedByName permet de spécifier quelle méthode custom appliquer sur chaque élément de la collection à mapper Exemple d'usage : filtrer des données sensibles comme des mots de passe en mappant uniquement certains champs via une méthode dédiée L'attribut nullValueMappingStrategy permet de 
contrôler le comportement quand la collection source est null (retourner null ou une collection vide) L'annotation fonctionne pour tous types de collections Java (List, Set, etc.) et génère le code de boucle nécessaire Possibilité d'appliquer des formats numériques avec numberFormat pour convertir des nombres en chaînes avec un format spécifique MapStruct génère l'implémentation complète du mapper au moment de la compilation, éliminant le code boilerplate L'annotation peut être combinée avec @Named pour créer des méthodes de mapping réutilisables et nommées Le mapping des collections supporte les conversions de types complexes au-delà des simples conversions de types primitifs Accès aux fichiers Samba depuis Java avec JCIFS - https://www.baeldung.com/java-samba-jcifs JCIFS est une bibliothèque Java permettant d'accéder aux partages Samba/SMB sans monter de lecteur réseau, supportant le protocole SMB3 on pense aux galériens qui doivent se connecter aux systèmes dit legacy La configuration nécessite un contexte CIFS (CIFSContext) et des objets SmbFile pour représenter les ressources distantes L'authentification se fait via NtlmPasswordAuthenticator avec domaine, nom d'utilisateur et mot de passe La bibliothèque permet de lister les fichiers et dossiers avec listFiles() et vérifier leurs propriétés (taille, date de modification) Création de fichiers avec createNewFile() et de dossiers avec mkdir() ou mkdirs() pour créer toute une arborescence Suppression via delete() qui peut parcourir et supprimer récursivement des arborescences entières Copie de fichiers entre partages Samba avec copyTo(), mais impossibilité de copier depuis le système de fichiers local Pour copier depuis le système local, utilisation des streams SmbFileInputStream et SmbFileOutputStream Les opérations peuvent cibler différents serveurs Samba et différents partages (anonymes ou protégés par mot de passe) La bibliothèque s'intègre dans des blocs try-with-resources pour une gestion automatique des 
ressources Quarkus 3.31 - Support complet Java 25, nouveau packaging Maven et Panache Next - https://quarkus.io/blog/quarkus-3-31-released/ Support complet de Java 25 avec images runtime et native Nouveau packaging Maven de type quarkus avec lifecycle optimisé pour des builds plus rapides voici un article complet pour plus de detail https://quarkus.io/blog/building-large-applications/ Introduction de Panache Next, nouvelle génération avec meilleure expérience développeur et API unifiée ORM/Reactive Mise à jour vers Hibernate ORM 7.2, Reactive 3.2, Search 8.2 Support de Hibernate Spatial pour les données géospatiales Passage à Testcontainers 2 et JUnit 6 Annotations de sécurité supportées sur les repositories Jakarta Data Chiffrement des tokens OIDC pour les implémentations custom TokenStateManager Support OAuth 2.0 Pushed Authorization Requests dans l'extension OIDC Maven 3.9 maintenant requis minimum pour les projets Quarkus A2A Java SDK 1.0.0.Alpha1 - Alignement avec la spécification 1.0 du protocole Agent2Agent - https://quarkus.io/blog/a2a-java-sdk-1-0-0-alpha1/ Le SDK Java A2A implémente le protocole Agent2Agent qui permet la communication standardisée entre agents IA pour découvrir des capacités, déléguer des tâches et collaborer Passage à la version 1.0 de la spécification marque la transition d'expérimental à production-ready avec des changements cassants assumés Modernisation complète du module spec avec des Java records partout remplaçant le mix précédent de classes et records pour plus de cohérence Adoption de Protocol Buffers comme source de vérité avec des mappers MapStruct pour la conversion et Gson pour JSON-RPC Les builders utilisent maintenant des méthodes factory statiques au lieu de constructeurs publics suivant les best practices Java modernes Introduction de trois BOMs Maven pour simplifier la gestion des dépendances du SDK core, des extensions et des implémentations de référence Quarkus AgentCard évolue avec une liste supportedInterfaces 
remplaçant url et preferredTransport pour plus de flexibilité dans la déclaration des protocoles Support de la pagination ajouté pour ListTasks et les endpoints de configuration des notifications push avec des wrappers Result appropriés Interface A2AHttpClient pluggable permettant des implémentations HTTP personnalisées avec une implémentation Vert.x fournie Travail continu vers la conformité complète avec le TCK 1.0 en cours de développement parallèlement à la finalisation de la spécification Pourquoi Quarkus finit par "cliquer" : les 10 questions que se posent les développeurs Java - https://www.the-main-thread.com/p/quarkus-java-developers-top-questions-2025 un article qui revele et repond aux questions des gens qui ont utilisé Quarkus depuis 4-6 mois, les non noob questions Quarkus est un framework Java moderne optimisé pour le cloud qui propose des temps de démarrage ultra-rapides et une empreinte mémoire réduite Pourquoi Quarkus démarre si vite ? Le framework effectue le travail lourd au moment du build (scanning, indexation, génération de bytecode) plutôt qu'au runtime Quand utiliser le mode réactif plutôt qu'impératif ? Le réactif est pertinent pour les workloads avec haute concurrence et dominance I/O, l'impératif reste plus simple dans les autres cas Quelle est la différence entre Dev Services et Testcontainers ? Dev Services utilise Testcontainers en gérant automatiquement le cycle de vie, les ports et la configuration sans cérémonie Comment la DI de Quarkus diffère de Spring ? CDI est un standard basé sur la sécurité des types et la découverte au build-time, différent de l'approche framework de Spring Comment gérer la configuration entre environnements ? Quarkus permet de scaler depuis le développement local jusqu'à Kubernetes avec des profils, fichiers multiples et configuration externe Comment tester correctement les applications Quarkus ? 
@QuarkusTest démarre l'application une fois pour toute la suite de tests, changeant le modèle mental par rapport à Spring Boot Que fait vraiment Panache en coulisses ? Panache est du JPA avec des opinions fortes et des défauts propres, enveloppant Hibernate avec un style Active Record Doit-on utiliser les images natives et quand ? Les images natives brillent pour le serverless et l'edge grâce au démarrage rapide et la faible empreinte mémoire, mais tous les apps n'en bénéficient pas Comment Quarkus s'intègre avec Kubernetes ? Le framework génère automatiquement les ressources Kubernetes, gère les health checks et métriques comme s'il était nativement conçu pour cet écosystème Comment intégrer l'IA dans une application Quarkus ? LangChain4j permet d'ajouter embeddings, retrieval, guardrails et observabilité directement en Java sans passer par Python Infrastructure Les alternatives à MinIO https://rmoff.net/2026/01/14/alternatives-to-minio-for-single-node-local-s3/ MinIO a abandonné le support single-node fin 2025 pour des raisons commerciales, cassant de nombreuses démos et pipelines CI/CD qui l'utilisaient pour émuler S3 localement L'auteur cherche un remplacement simple avec image Docker, compatibilité S3, licence open source, déploiement mono-nœud facile et communauté active S3Proxy est très léger et facile à configurer, semble être l'option la plus simple mais repose sur un seul contributeur RustFS est facile à utiliser et inclut une GUI, mais c'est un projet très récent en version alpha avec une faille de sécurité majeure récente SeaweedFS existe depuis 2012 avec support S3 depuis 2018, relativement facile à configurer et dispose d'une interface web basique Zenko CloudServer remplace facilement MinIO mais la documentation et le branding (cloudserver/zenko/scality) peuvent prêter à confusion Garage nécessite une configuration complexe avec fichier TOML et conteneur d'initialisation séparé, pas un simple remplacement drop-in Apache Ozone requiert au minimum 
quatre nœuds pour fonctionner, beaucoup trop lourd pour un usage local simple L'auteur recommande SeaweedFS et S3Proxy comme remplaçants viables, RustFS en maybe, et élimine Garage et Ozone pour leur complexité Garage a une histoire tres associative, il vient du collectif https://deuxfleurs.fr/ qui offre un cloud distribué sans datacenter C'est certainement pas une bonne idée, les datacenters dans l'espace https://taranis.ie/datacenters-in-space-are-a-terrible-horrible-no-good-idea/ Avis d'expert (ex-NASA/Google, Dr en électronique spatiale) : Centres de données spatiaux, une "terrible" idée. Incompatibilité fondamentale : L'électronique (surtout IA/GPU) est inadaptée à l'environnement spatial. Énergie : Accès limité. Le solaire (type ISS) est insuffisant pour l'échelle de l'IA. Le nucléaire (RTG) est trop faible. Refroidissement : L'espace n'est pas "froid" ; absence de convection. Nécessite des radiateurs gigantesques (ex: 531m² pour 200kW). Radiations : Provoque erreurs (SEU, SEL) et dommages. Les GPU sont très vulnérables. Blindage lourd et inefficace. Les puces "durcies" sont très lentes. Communications : Bande passante très limitée (1Gbps radio vs 100Gbps terrestre). Le laser est tributaire des conditions atmosphériques. Conclusion : Projet extrêmement difficile, coûteux et aux performances médiocres. Data et Intelligence Artificielle Guillaume a développé un serveur MCP pour arXiv (le site de publication de papiers de recherche) en Java avec le framework Quarkus https://glaforge.dev/posts/2026/01/18/implementing-an-arxiv-mcp-server-with-quarkus-in-java/ Implémentation d'un serveur MCP (Model Context Protocol) arXiv en Java avec Quarkus. Objectif : Accéder aux publications arXiv et illustrer les fonctionnalités moins connues du protocole MCP. Mise en œuvre : Utilisation du framework Quarkus (Java) et son support MCP étendu. Assistance par Antigravity (IDE agentique) pour le développement et l'intégration de l'API arXiv. 
Interaction avec l'API arXiv : requêtes HTTP, format XML Atom pour les résultats, parser XML Jackson. Fonctionnalités MCP exposées : Outils (@Tool) : Recherche de publications (search_papers). Ressources (@Resource, @ResourceTemplate) : Taxonomie des catégories arXiv, métadonnées des articles (via un template d'URI). Prompts (@Prompt) : Exemples pour résumer des articles ou construire des requêtes de recherche. Configuration : Le serveur peut fonctionner en STDIO (local) ou via HTTP Streamable (local ou distant), avec une configuration simple dans des clients comme Gemini CLI. Conclusion : Quarkus simplifie la création de serveurs MCP riches en fonctionnalités, rendant les données et services "prêts pour l'IA" avec l'aide d'outils d'IA comme Antigravity. Anthropic ne mettra pas de pub dans Claude https://www.anthropic.com/news/claude-is-a-space-to-think c'est en reaction au plan non public d'OpenAi de mettre de la pub pour pousser les gens au mode payant OpenAI a besoin de cash et est probablement le plus utilisé pour gratuit au monde Anthropic annonce que Claude restera sans publicité pour préserver son rôle d'assistant conversationnel dédié au travail et à la réflexion approfondie. Les conversations avec Claude sont souvent sensibles, personnelles ou impliquent des tâches complexes d'ingénierie logicielle où les publicités seraient inappropriées. L'analyse des conversations montre qu'une part significative aborde des sujets délicats similaires à ceux évoqués avec un conseiller de confiance. Un modèle publicitaire créerait des incitations contradictoires avec le principe fondamental d'être "genuinely helpful" inscrit dans la Constitution de Claude. Les publicités introduiraient un conflit d'intérêt potentiel où les recommandations pourraient être influencées par des motivations commerciales plutôt que par l'intérêt de l'utilisateur. 
Le modèle économique d'Anthropic repose sur les contrats entreprise et les abonnements payants, permettant de réinvestir dans l'amélioration de Claude. Anthropic maintient l'accès gratuit avec des modèles de pointe et propose des tarifs réduits pour les ONG et l'éducation dans plus de 60 pays. Le commerce "agentique" sera supporté mais uniquement à l'initiative de l'utilisateur, jamais des annonceurs, pour préserver la confiance. Les intégrations tierces comme Figma, Asana ou Canva continueront d'être développées en gardant l'utilisateur aux commandes. Anthropic compare Claude à un cahier ou un tableau blanc : des espaces de pensée purs, sans publicité. Infinispan 16.1 est sorti https://infinispan.org/blog/2026/02/04/infinispan-16-1 déjà le nom de la release mérite une mention Le memory bounded par cache et par ensemble de cache s est pas facile à faire en Java Une nouvelle api OpenAPI AOT caché dans les images container Un serveur MCP local juste avec un fichier Java ? C'est possible avec LangChain4j et JBang https://glaforge.dev/posts/2026/02/11/zero-boilerplate-java-stdio-mcp-servers-with-langchain4j-and-jbang/ Création rapide de serveurs MCP Java sans boilerplate. MCP (Model Context Protocol): standard pour connecter les LLM à des outils et données. Le tutoriel répond au manque d'options simples pour les développeurs Java, face à une prédominance de Python/TypeScript dans l'écosystème MCP. La solution utilise: LangChain4j: qui intègre un nouveau module serveur MCP pour le protocole STDIO. JBang: permet d'exécuter des fichiers Java comme des scripts, éliminant les fichiers de build (pom.xml, Gradle). Implémentation: se fait via un seul fichier .java. JBang gère automatiquement les dépendances (//DEPS). L'annotation @Tool de LangChain4j expose les méthodes Java aux LLM. StdioMcpServerTransport gère la communication JSON-RPC via l'entrée/sortie standard (STDIO). 
Point crucial: Les logs doivent impérativement être redirigés vers System.err pour éviter de corrompre System.out, qui est réservé à la communication MCP (messages JSON-RPC). Facilite l'intégration locale avec des outils comme Gemini CLI, Claude Code, etc. Reciprocal Rank Fusion : un algorithme utile et souvent utilisé pour faire de la recherche hybride, pour mélanger du RAG et des recherches par mots-clé https://glaforge.dev/posts/2026/02/10/advanced-rag-understanding-reciprocal-rank-fusion-in-hybrid-search/ RAG : Qualité LLM dépend de la récupération. Recherche Hybride : Combiner vectoriel et mots-clés (BM25) est optimal. Défi : Fusionner des scores d'échelles différentes. Solution : Reciprocal Rank Fusion (RRF). RRF : Algorithme robuste qui fusionne des listes de résultats en se basant uniquement sur le rang des documents, ignorant les scores. Avantages RRF : Pas de normalisation de scores, scalable, excellente première étape de réorganisation. Architecture RAG fréquente : RRF (large sélection) + Cross-Encoder / modèle de reranking (précision fine). RAG-Fusion : Utilise un LLM pour générer plusieurs variantes de requête, puis RRF agrège tous les résultats pour renforcer le consensus et réduire les hallucinations. Implémentation : LangChain4j utilise RRF par défaut pour agréger les résultats de plusieurs retrievers. Les dernières fonctionnalités de Gemini et Nano Banana supportées dans LangChain4j https://glaforge.dev/posts/2026/02/06/latest-gemini-and-nano-banana-enhancements-in-langchain4j/ Nouveaux modèles d'images Nano Banana (Gemini 2.5/3.0) pour génération et édition (jusqu'à 4K). "Grounding" via Google Search (pour images et texte) et Google Maps (localisation, Gemini 2.5). Outil de contexte URL (Gemini 3.0) pour lecture directe de pages web. Agents multimodaux (AiServices) capables de générer des images. Configuration de la réflexion (profondeur Chain-of-Thought) pour Gemini 3.0. 
Métadonnées enrichies : usage des tokens et détails des sources de "grounding". Comment configurer Gemini CLI comment agent de code dans IntelliJ grâce au protocole ACP https://glaforge.dev/posts/2026/02/01/how-to-integrate-gemini-cli-with-intellij-idea-using-acp/ But : Intégrer Gemini CLI à IntelliJ IDEA via l'Agent Client Protocol (ACP). Prérequis : IntelliJ IDEA 2025.3+, Node.js (v20+), Gemini CLI. Étapes : Installer Gemini CLI (npm install -g @google/gemini-cli). Localiser l'exécutable gemini. Configurer ~/.jetbrains/acp.json (chemin exécutable, --experimental-acp, use_idea_mcp: true). Redémarrer IDEA, sélectionner "Gemini CLI" dans l'Assistant IA. Usage : Gemini interagit avec le code et exécute des commandes (contexte projet). Important : S'assurer du flag --experimental-acp dans la configuration. Outillage PipeNet, une alternative (open source aussi) à LocalTunnel, mais un plus évoluée https://pipenet.dev/ pipenet: Alternative open-source et moderne à localtunnel (client + serveur). Usages: Développement local (partage, webhooks), intégration SDK, auto-hébergement sécurisé. Fonctionnalités: Client (expose ports locaux, sous-domaines), Serveur (déploiement, domaines personnalisés, optimisé cloud mono-port). Avantages vs localtunnel: Déploiement cloud sur un seul port, support multi-domaines, TypeScript/ESM, maintenance active. Protocoles: HTTP/S, WebSocket, SSE, HTTP Streaming. Intégration: CLI ou SDK JavaScript. JSON-IO — une librairie comme Jackson ou GSON, supportant JSON5, TOON, et qui pourrait être utile pour l'utilisation du "structured output" des LLMs quand ils ne produisent pas du JSON parfait https://github.com/jdereg/json-io json-io : Librairie Java pour la sérialisation et désérialisation JSON/TOON. Gère les graphes d'objets complexes, les références cycliques et les types polymorphes. Support complet JSON5 (lecture et écriture), y compris des fonctionnalités non prises en charge par Jackson/Gson. 
Format TOON : Notation orientée token, optimisée pour les LLM, réduisant l'utilisation de tokens de 40 à 50% par rapport au JSON. Légère : Aucune dépendance externe (sauf java-util), taille de JAR réduite (~330K). Compatible JDK 1.8 à 24, ainsi qu'avec les environnements JPMS et OSGi. Deux modes de conversion : vers des objets Java typés (toJava()) ou vers des Map (toMaps()). Options de configuration étendues via ReadOptionsBuilder et WriteOptionsBuilder. Optimisée pour les déploiements cloud natifs et les architectures de microservices. Utiliser mailpit et testcontainer pour tester vos envois d'emails https://foojay.io/today/testing-emails-with-testcontainers-and-mailpit/ l'article montre via SpringBoot et sans. Et voici l'extension Quarkus https://quarkus.io/extensions/io.quarkiverse.mailpit/quarkus-mailpit/?tab=docs Tester l'envoi d'emails en développement est complexe car on ne peut pas utiliser de vrais serveurs SMTP Mailpit est un serveur SMTP de test qui capture les emails et propose une interface web pour les consulter Testcontainers permet de démarrer Mailpit dans un conteneur Docker pour les tests d'intégration L'article montre comment configurer une application SpringBoot pour envoyer des emails via JavaMail Un module Testcontainers dédié à Mailpit facilite son intégration dans les tests Le conteneur Mailpit expose un port SMTP (1025) et une API HTTP (8025) pour vérifier les emails reçus Les tests peuvent interroger l'API HTTP de Mailpit pour valider le contenu des emails envoyés Cette approche évite d'utiliser des mocks et teste réellement l'envoi d'emails Mailpit peut aussi servir en développement local pour visualiser les emails sans les envoyer réellement La solution fonctionne avec n'importe quel framework Java supportant JavaMail Architecture Comment scaler un système de 0 à 10 millions d'utilisateurs https://blog.algomaster.io/p/scaling-a-system-from-0-to-10-million-users Philosophie : Scalabilité incrémentale, résoudre les goulots d'étranglement 
sans sur-ingénierie. 0-100 utilisateurs : Serveur unique (app, DB, jobs). 100-1K : Séparer app et DB (services gérés, pooling). 1K-10K : Équilibreur de charge, multi-serveurs d'app (stateless via sessions partagées). 10K-100K : Caching, réplicas de lecture DB, CDN (réduire charge DB). 100K-500K : Auto-scaling, applications stateless (authentification JWT). 500K-10M : Sharding DB, microservices, files de messages (traitement asynchrone). 10M+ : Déploiement multi-régions, CQRS, persistance polyglotte, infra personnalisée. Principes clés : Simplicité, mesure, stateless essentiel, cache/asynchrone, sharding prudent, compromis (CAP), coût de la complexité. Patterns d'Architecture 2026 - Du Hype à la Réalité du Terrain (Part 1/2) - https://blog.ippon.fr/2026/01/30/patterns-darchitecture-2026-part-1/ L'article présente quatre patterns d'architecture logicielle pour répondre aux enjeux de scalabilité, résilience et agilité business dans les systèmes modernes Il présentent leurs raisons et leurs pièges Un bon rappel L'Event-Driven Architecture permet une communication asynchrone entre systèmes via des événements publiés et consommés, évitant le couplage direct Les bénéfices de l'EDA incluent la scalabilité indépendante des composants, la résilience face aux pannes et l'ajout facile de nouveaux cas d'usage Le pattern API-First associé à un API Gateway centralise la sécurité, le routage et l'observabilité des APIs avec un catalogue unifié Le Backend for Frontend crée des APIs spécifiques par canal (mobile, web, partenaires) pour optimiser l'expérience utilisateur CQRS sépare les modèles de lecture et d'écriture avec des bases optimisées distinctes, tandis que l'Event Sourcing stocke tous les événements plutôt que l'état actuel Le Saga Pattern gère les transactions distribuées via orchestration centralisée ou chorégraphie événementielle pour coordonner plusieurs microservices Les pièges courants incluent l'explosion d'événements granulaires, la complexité du debugging 
distribué, et la mauvaise gestion de la cohérence finale Les technologies phares sont Kafka pour l'event streaming, Kong pour l'API Gateway, EventStoreDB pour l'Event Sourcing et Temporal pour les Sagas Ces patterns nécessitent une maturité technique et ne sont pas adaptés aux applications CRUD simples ou aux équipes junior Patterns d'architecture 2026 : du hype à la réalité terrain part. 2 - https://blog.ippon.fr/2026/02/04/patterns-darchitecture-2026-part-2/ Deuxième partie d'un guide pratique sur les patterns d'architecture logicielle et système éprouvés pour moderniser et structurer les applications en 2026 Strangler Fig permet de migrer progressivement un système legacy en l'enveloppant petit à petit plutôt que de tout réécrire d'un coup (70% d'échec pour les big bang) Anti-Corruption Layer protège votre nouveau domaine métier des modèles externes et legacy en créant une couche de traduction entre les systèmes Service Mesh gère automatiquement la communication inter-services dans les architectures microservices (sécurité mTLS, observabilité, résilience) Architecture Hexagonale sépare le coeur métier des détails techniques via des ports et adaptateurs pour améliorer la testabilité et l'évolutivité Chaque pattern est illustré par un cas client concret avec résultats mesurables et liste des pièges à éviter lors de l'implémentation Les technologies 2026 mentionnées incluent Istio, Linkerd pour service mesh, LaunchDarkly pour feature flags, NGINX et Kong pour API gateway Tableau comparatif final aide à choisir le bon pattern selon la complexité, le scope et le use case spécifique du projet L'article insiste sur une approche pragmatique : ne pas utiliser un pattern juste parce qu'il est moderne mais parce qu'il résout un problème réel Pour les systèmes simples type CRUD ou avec peu de services, ces patterns peuvent introduire une complexité inutile qu'il faut savoir éviter Méthodologies Le rêve récurrent de remplacer voire supprimer les développeurs 
https://www.caimito.net/en/blog/2025/12/07/the-recurring-dream-of-replacing-developers.html Depuis 1969, chaque décennie voit une tentative de réduire le besoin de développeurs (de COBOL, UML, visual builders… à IA). Motivation : frustration des dirigeants face aux délais et coûts de développement. La complexité logicielle est intrinsèque et intellectuelle, non pas une question d'outils. Chaque vague technologique apporte de la valeur mais ne supprime pas l'expertise humaine. L'IA assiste les développeurs, améliore l'efficacité, mais ne remplace ni le jugement ni la gestion de la complexité. La demande de logiciels excède l'offre car la contrainte majeure est la réflexion nécessaire pour gérer cette complexité. Pour les dirigeants : les outils rendent-ils nos développeurs plus efficaces sur les problèmes complexes et réduisent-ils les tâches répétitives ? Le "rêve" de remplacer les développeurs, irréalisable, est un moteur d'innovation créant des outils précieux. Comment creuser des sujets à l'ère de l'IA générative. Quid du partage et la curation de ces recherches ? https://glaforge.dev/posts/2026/02/04/researching-topics-in-the-age-of-ai-rock-solid-webhooks-case-study/ Recherche initiale de l'auteur sur les webhooks en 2019, processus long et manuel. L'IA (Deep Research, Gemini, NotebookLM) facilite désormais la recherche approfondie, l'exploration de sujets et le partage des résultats. L'IA a identifié et validé des pratiques clés pour des déploiements de webhooks résilients, en grande partie les mêmes que celles trouvées précédemment par l'auteur. Génération d'artefacts par l'IA : rapport détaillé, résumé concis, illustration sketchnote, et même une présentation (slide deck). Guillaume s'interroge sur le partage public de ces rapports de recherche générés par l'IA, tout en souhaitant éviter le "AI Slop". 
Loi, société et organisation Le logiciel menacé par le vibe coding https://www.techbuzz.ai/articles/we-built-a-monday-com-clone-in-under-an-hour-with-ai Deux journalistes de CNBC sans expérience de code ont créé un clone fonctionnel de Monday.com en moins de 60 minutes pour 5 à 15 dollars. L'expérience valide les craintes des investisseurs qui ont provoqué une baisse de 30% des actions des entreprises SaaS. L'IA a non seulement reproduit les fonctionnalités de base mais a aussi recherché Monday.com de manière autonome pour identifier et recréer ses fonctionnalités clés. Cette technique appelée "vibe-coding" permet aux non-développeurs de construire des applications via des instructions en anglais courant. Les entreprises les plus vulnérables sont celles offrant des outils "qui se posent sur le travail" comme Atlassian, Adobe, HubSpot, Zendesk et Smartsheet. Les entreprises de cybersécurité comme CrowdStrike et Palo Alto sont considérées plus protégées grâce aux effets de réseau et aux barrières réglementaires. Les systèmes d'enregistrement comme Salesforce restent plus difficiles à répliquer en raison de leur profondeur d'intégration et de données d'entreprise. Le coût de 5 à 15 dollars par construction permet aux entreprises de prototyper plusieurs solutions personnalisées pour moins cher qu'une seule licence Monday.com. L'expérience soulève des questions sur la pérennité du marché de 5 milliards de dollars des outils de gestion de projet face à l'IA générative. Conférences En complément de l'agenda des conférences de Aurélie Vache, il y a également le site https://javaconferences.org/ (fait par Brian Vermeer) avec toutes les conférences Java à venir ! 
The list of conferences comes from Developers Conferences Agenda/List by Aurélie Vache and contributors:
12-13 February 2026: Touraine Tech #26 - Tours (France)
12-13 February 2026: World Artificial Intelligence Cannes Festival - Cannes (France)
19 February 2026: ObservabilityCON on the Road - Paris (France)
6 March 2026: WordCamp Nice 2026 - Nice (France)
18 March 2026: Jupyter Workshops: AI in Jupyter: Building Extensible AI Capabilities for Interactive Computing - Saint-Maur-des-Fossés (France)
18-19 March 2026: Agile Niort 2026 - Niort (France)
20 March 2026: Atlantique Day 2026 - Nantes (France)
26 March 2026: Data Days Lille - Lille (France)
26-27 March 2026: SymfonyLive Paris 2026 - Paris (France)
26-27 March 2026: REACT PARIS - Paris (France)
27-29 March 2026: Shift - Nantes (France)
31 March 2026: ParisTestConf - Paris (France)
31 March 2026-1 April 2026: FlowCon France 2026 - Paris (France)
1 April 2026: AWS Summit Paris - Paris (France)
2 April 2026: Pragma Cannes 2026 - Cannes (France)
2-3 April 2026: Xen Spring Meetup 2026 - Grenoble (France)
7 April 2026: PyTorch Conference Europe - Paris (France)
9-10 April 2026: Android Makers by droidcon 2026 - Paris (France)
9-11 April 2026: Drupalcamp Grenoble 2026 - Grenoble (France)
16-17 April 2026: MiXiT 2026 - Lyon (France)
17-18 April 2026: Faiseuses du Web 5 - Dinan (France)
22-24 April 2026: Devoxx France 2026 - Paris (France)
23-25 April 2026: Devoxx Greece - Athens (Greece)
6-7 May 2026: Devoxx UK 2026 - London (UK)
12 May 2026: Lead Innovation Day - Leadership Edition - Paris (France)
19 May 2026: La Product Conf Paris 2026 - Paris (France)
21-22 May 2026: Flupa UX Days 2026 - Paris (France)
22 May 2026: AFUP Day 2026 Lille - Lille (France)
22 May 2026: AFUP Day 2026 Paris - Paris (France)
22 May 2026: AFUP Day 2026 Bordeaux - Bordeaux (France)
22 May 2026: AFUP Day 2026 Lyon - Lyon (France)
28 May 2026: DevCon 27 : I.A. & Vibe Coding - Paris (France)
28 May 2026: Cloud Toulouse 2026 - Toulouse (France)
29 May 2026: NG Baguette Conf 2026 - Paris (France)
29 May 2026: Agile Tour Strasbourg 2026 - Strasbourg (France)
2-3 June 2026: Agile Tour Rennes 2026 - Rennes (France)
2-3 June 2026: OW2Con - Paris-Châtillon (France)
3 June 2026: IA–NA - La Rochelle (France)
5 June 2026: TechReady - Nantes (France)
5 June 2026: Fork it! - Rouen - Rouen (France)
6 June 2026: Polycloud - Montpellier (France)
9 June 2026: JFTL - Montrouge (France)
9 June 2026: C: - Caen (France)
11-12 June 2026: DevQuest Niort - Niort (France)
11-12 June 2026: DevLille 2026 - Lille (France)
12 June 2026: Tech F'Est 2026 - Nancy (France)
16 June 2026: Mobilis In Mobile 2026 - Nantes (France)
17-19 June 2026: Devoxx Poland - Krakow (Poland)
17-20 June 2026: VivaTech - Paris (France)
18 June 2026: Tech'Work - Lyon (France)
22-26 June 2026: Galaxy Community Conference - Clermont-Ferrand (France)
24-25 June 2026: Agi'Lille 2026 - Lille (France)
24-26 June 2026: BreizhCamp 2026 - Rennes (France)
2 July 2026: Azur Tech Summer 2026 - Valbonne (France)
2-3 July 2026: Sunny Tech - Montpellier (France)
3 July 2026: Agile Lyon 2026 - Lyon (France)
6-8 July 2026: Riviera Dev - Sophia Antipolis (France)
2 August 2026: 4th Tech Summit on Artificial Intelligence & Robotics - Paris (France)
20-22 August 2026: 4th Tech Summit on AI & Robotics - Paris (France) & Online
4 September 2026: JUG Summer Camp 2026 - La Rochelle (France)
17-18 September 2026: API Platform Conference 2026 - Lille (France)
24 September 2026: PlatformCon Live Day Paris 2026 - Paris (France)
1 October 2026: WAX 2026 - Marseille (France)
1-2 October 2026: Volcamp - Clermont-Ferrand (France)
5-9 October 2026: Devoxx Belgium - Antwerp (Belgium)
Contact us
To react to this episode, come and discuss on the Google group https://groups.google.com/group/lescastcodeurs
Contact us via X/twitter https://twitter.com/lescastcodeurs or Bluesky https://bsky.app/profile/lescastcodeurs.com
Do a crowdcast or a crowdquestion
Support Les Cast Codeurs on Patreon https://www.patreon.com/LesCastCodeurs
All episodes and all the info at https://lescastcodeurs.com/
An airhacks.fm conversation with Francesco Nigro (@forked_franz) about: break dancing and basketball including meeting Kobe Bryant in Italy during a dunk competition, using AI coding assistants like Claude Opus 4.5 and GitHub bots for infrastructure setup and CI/CD pipeline configuration, limitations of LLMs for novel performance-sensitive algorithmic work where training data is scarce, branchless IPv4 parsing optimization as a Christmas coding challenge, CPU branch misprediction costs when parsing variable-length IP address octets, converting branching logic into mathematical operations using bit tricks for better CPU pipeline utilization, LLMs excelling at generating enterprise code based on well-documented standards and conventions, providing minimal but precise documentation and annotations to improve LLM code generation quality, the Boundary Control Entity (BCE) architecture pattern and standards-based development, the core problem of thread handoff between event loops and ForkJoinPool worker threads in frameworks like Quarkus, Vert.x and Micronaut, mechanical sympathy implications of cross-core memory access when serialized data is allocated on one core and read by another, CPU cache coherency costs and last-level cache penalties when event loop and worker pool run on different cores, the custom virtual thread scheduler project (netty-virtual-thread-scheduler) enabling a single platform thread to handle both networking I/O and virtual thread execution, approximately 50% CPU savings demonstrated by Micronaut when using unified Netty-based scheduling, collaboration with the Oracle Loom team including Viktor Klang and Alan Bateman on minimal scheduler API design, the scheduler API consisting of just two methods onStart and onContinue plus virtual thread task attachments, work stealing algorithms and their complexity including heuristics similar to the Linux CFS scheduler, the importance of being declarative about thread affinity rather than automatic magical binding to avoid issues with lazy class loading and background reaper threads, a thread factory based approach for creating virtual threads bound to specific platform threads, stream-based run queues with graceful shutdown semantics that fall back to ForkJoinPool for progress guarantees, thread-local Scoped Values as a hybrid between thread locals and scoped values for efficient context propagation, performance problems with ThreadLocal including lazy ThreadLocalMap allocation overhead on virtual threads and scalability issues with ThreadLocal.remove() and soft reference queues, the impact on reactive programming where back pressure and stream composition still require higher-level abstractions beyond basic Java concurrency primitives, structured concurrency limitations for back pressure scenarios compared to reactive libraries, deterministic testing possibilities enabled by custom schedulers where execution order can be controlled, the poller mechanism for handling blocking I/O in virtual threads in a non-blocking way, observability improvements possible through virtual thread task attachments for monitoring state changes, cloud cost implications of inefficient thread scheduling and unnecessary CPU wake-up cycles, the distinction between framework developers and application developers as different user personas with different abstraction needs. Francesco Nigro on Twitter: @forked_franz
Russ Miles joins the show to unpack why developer platforms fail and how to rethink platform engineering through the lens of flow of value rather than factory-style developer productivity metaphors. Russ explains why every organization already has an internal developer platform, and why treating it as platform as a product changes everything. The conversation explores cognitive load and cognitive burden, how to design around strong feedback loops, and why the OODA loop mindset helps teams make better decisions closer to development time. They discuss the risks of overloading pipelines and CI/CD systems, the tension between shipping fast and handling security vulnerabilities in a regulated environment, and how to “shift left” without simply dumping responsibility onto developers. Drawing on lessons from Rod Johnson, the Spring Framework, TDD, and modern software engineering as described by Dave Farley, Russ reframes platforms as systems that support experimentation through the scientific method. The episode also touches on AI assisted coding, developer focus, and how thoughtful developer experience and DX surveys can prevent burnout while improving value delivery.
Links
Website: https://www.russmiles.com
Substack: https://russmiles.substack.com
X: https://x.com/russmiles
Resources
Talk: https://www.russmiles.com/platform-engineering-failure-keynote
Substack article: https://russmiles.substack.com/p/developer-platform-devrel-listen
We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Fill out our listener survey! https://t.co/oKVAEXipxu Let us know by sending an email to our producer, Elizabeth, at elizabeth.becz@logrocket.com, or tweet at us at PodRocketPod. Check out our newsletter! https://blog.logrocket.com/the-replay-newsletter/ Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form, and we'll send you free PodRocket stickers!
What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.
Chapters
00:00 What Is a Developer Platform
03:00 You Already Have a Platform
08:00 Cognitive Load vs Cognitive Burden
12:00 Feedback Loops and TDD
18:00 Pipelines, Security and OODA Loops
26:00 The Factory Metaphor Problem
31:00 Modern Software Engineering and Value Delivery
40:00 Avoiding Burnout Through Better DX
46:00 The Software Enchiridion and Final Thoughts
Alarms go off, dashboards turn red, and leadership wants everything fixed yesterday—sound familiar? We dig into the real craft of vulnerability management: deciding what truly matters, when to defer safely, and how to protect customers while keeping the business moving. Along the way, we unpack the forces shaping 2025 security: AI-fueled threats, smarter cyber insurance, the edge of quantum risk, stricter privacy laws, and the rising stakes of DevOps security.
We share a practical triage framework that goes beyond CVSS. Learn how to validate scanner noise, confirm versions, and use a second tool when the data looks off. When patching collides with uptime or legacy systems, we outline compensating controls that actually reduce exploitability—segmentation, allow-lists, credential tightening, and targeted monitoring—plus the documentation and triggers that prevent “temporary” exceptions from turning permanent. You'll hear how to communicate residual risk with time-bound plans and metrics leaders understand, from blast radius to downtime cost and insurance obligations.
Ethical disclosure gets real, too. When a researcher's 30-day clock clashes with a 45-day fix, coordination beats confrontation. We talk through private progress updates, revised timelines, and interim mitigations that put users first. For vendors and open source, we highlight respectful escalation paths, legal prep, and why responsible disclosure typically reduces harm better than full, premature detail drops. In complex multi-cloud setups, we recommend assigning a cross-team coordinator who aligns priorities, patches the most exposed services first, and bakes checks into CI/CD so the next fix is faster.
Subscribe for more CISSP-ready breakdowns, share this with a teammate who lives in the patch queue, and leave a review with your toughest triage scenario—we might feature it next.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Cloud Posse holds LIVE "Office Hours" every Wednesday to answer questions on all things related to AWS, DevOps, Terraform, Kubernetes, CI/CD. Register at https://cloudposse.com/office-hours Support the show
AI coding assistants are boosting developer productivity, but most enterprises aren't shipping software any faster. GitLab CEO Bill Staples says the reason is simple: coding was never the main bottleneck. After speaking with more than 60 customers, Staples found that developers spend only 10–20% of their time writing code. The remaining 80–90% is consumed by reviews, CI/CD pipelines, security scans, compliance checks, and deployment—areas that remain largely unautomated. Faster code generation only worsens downstream queues.
GitLab's response is its newly GA'ed Duo Agent Platform, designed to automate the full software development lifecycle. The platform introduces “agent flows,” multi-step orchestrations that can take work from issue creation through merge requests, testing, and validation. Staples argues that context is the key differentiator. Unlike standalone coding tools that only see local code, GitLab's all-in-one platform gives agents access to issues, epics, pipeline history, security data, and more through a unified knowledge graph.
Staples believes this platform approach, rather than fragmented point solutions, is what will finally unlock enterprise software delivery at scale.
Learn more from The New Stack about the latest around GitLab and AI:
GitLab Launches Its AI Agent Platform in Public Beta
GitLab's Field CTO Predicts: When DevSecOps Meets AI
Join our community of newsletter subscribers to stay on top of the news and at the top of your game. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
This interview was recorded for GOTO Unscripted. https://gotopia.tech
Check out more here: https://gotopia.tech/articles/417
Olaf Molenveld - Technology Advisor at CircleCI
Julian Wood - Serverless Developer Advocate at AWS
RESOURCES
Olaf
https://x.com/olafmolenveld
https://medium.com/@olafmolenveld
https://www.linkedin.com/in/olafmolenveld
Julian
https://bsky.app/profile/julianwood.com
https://twitter.com/julian_wood
https://github.com/julianwood
http://www.wooditwork.com
https://www.linkedin.com/in/julianrwood
DESCRIPTION
CircleCI's Technology Advisor Olaf Molenveld discusses the evolution of CI/CD practices with AWS's Julian Wood. They explore how modern software delivery has transformed from simple monolithic deployments to complex microservices ecosystems, drawing parallels between managing production code and managing the "factory" that produces it. The discussion covers optimization strategies, the balance between local and remote development, platform engineering trends, and how AI is reshaping DevOps practices. Olaf emphasizes that getting software into users' hands is as critical as writing it, and shares how teams can leverage observability, right-sizing, and intelligent automation to improve their delivery pipelines.
RECOMMENDED BOOKS
David Farley • Continuous Delivery Pipelines • https://leanpub.com/cd-pipelines
Jez Humble & Dave Farley • Continuous Delivery • https://amzn.to/3ocIHwd
Nicole Forsgren, Jez Humble & Gene Kim • Accelerate • https://amzn.to/442Rep0
Kim, Humble, Debois, Willis & Forsgren • The DevOps Handbook • https://amzn.to/47oAf3l
Lauren Maffeo • Designing Data Governance from the Ground Up • https://amzn.to/3QhIlnV
Roy Osherove • The Art of Unit Testing • https://bit.ly/3obiKNB
Burns, Beda & Hightower • Kubernetes: Up & Running • https://amzn.to/3sueuuI
Gojko Adzic • Lizard Optimization • https://leanpub.com/lizardoptimization
Gregor Hohpe • Platform Strategy • https://amzn.to/4cxfYdb
CHANNEL MEMBERSHIP BONUS
Join this channel to get early access to videos & other perks: https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/join
Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket: gotopia.tech
SUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted daily!
Maintaining software over time rarely fails because of one bad decision. It fails because teams stop getting clear signals… and start guessing.
In this episode, Robby talks with Lucas Roesler, Managing Partner and CTO at Contiamo. Lucas joins from Berlin to unpack what maintainability looks like in practice when you are dealing with real constraints… limited context, missing documentation, and systems that resist understanding.
A big through-line is feedback. Lucas argues that long-lived systems become easier to change when they provide fast, trustworthy signals about what they are doing. That can look like tests that validate assumptions, tooling that makes runtime behavior visible, and a habit of designing for observability instead of treating it as a bolt-on.
The conversation also gets concrete. Lucas shares a modernization effort built on a decade-old tangle of database logic… views, triggers, stored procedures, and materializations… created by a single engineer who was no longer around. With little documentation to lean on, the team had to build their own approach to “reading” the system and mapping dependencies before they could safely change anything.
If you maintain software that has outlived its original authors, this is a grounded look at what helps teams move from uncertainty to confidence… without heroics, and without rewriting for sport.
Episode Highlights
[00:00:46] What well-maintained software has in common: Robby asks Lucas what traits show up in systems that hold together over time.
[00:03:25] Readability at runtime: Lucas connects maintainability to observability and understanding what a system actually did.
[00:16:08] Writing the system down as code: Infrastructure, CI/CD, and processes as code to reduce guesswork and improve reproducibility.
[00:17:42] How client engagements work in practice: How Lucas' team collaborates with internal engineering teams and hands work off.
[00:25:21] The “rat's nest” modernization story: Untangling a legacy data system with years of database logic and missing context.
[00:29:40] Making data work testable: Why testability matters even when the “code” is SQL and pipelines.
[00:34:59] Pivot back to feedback loops: Robby steers into why logs, metrics, and tracing shape better decision-making.
[00:35:20] Why teams avoid metrics and tracing: The organizational friction of adding “one more component.”
[00:42:59] Local observability with Grafana: Using visual feedback to spot waterfalls, sequential work, and hidden coupling.
[00:50:00] Non-technical book recommendations: What Lucas reads and recommends outside of software.
Links & References
Guest and Company
Lucas Roesler: https://lucasroesler.com/
Contiamo: https://contiamo.com/
Social
Mastodon: https://floss.social/@theaxer
Bluesky: https://bsky.app/profile/theaxer.bsky.social
Books Mentioned
The Wheel of Time (Robert Jordan): https://en.wikipedia.org/wiki/The_Wheel_of_Time
Accelerando (Charles Stross): https://en.wikipedia.org/wiki/Accelerando
Charles Stross: https://en.wikipedia.org/wiki/Charles_Stross
Thanks to Our Sponsor!
Turn hours of debugging into just minutes! AppSignal is a performance monitoring and error-tracking tool designed for Ruby, Elixir, Python, Node.js, Javascript, and other frameworks. It offers six powerful features with one simple interface, providing developers with real-time insights into the performance and health of web applications. Keep your coding cool and error-free, one line at a time! Use the code maintainable to get a 10% discount for your first year. Check them out!
Subscribe to Maintainable on: Apple Podcasts, Spotify, or search "Maintainable" wherever you stream your podcasts. Keep up to date with the Maintainable Podcast by joining the newsletter.
This episode kicks off with Moltbook, a social network exclusively for AI agents where 150,000 agents formed digital religions, sold “digital drugs” (system prompts to alter other agents), and attempted prompt injection attacks to steal each other’s API keys within 72 hours of launch. Ray breaks down OpenClaw, the viral open-source AI agent (68,000 GitHub stars) that handles emails, scheduling, browser control, and automation, plus MoltHub’s risky marketplace where all downloaded skills are treated as trusted code. Also covered, Bluetooth “whisper pair” vulnerabilities letting attackers hijack audio devices from 46 feet away and access microphones, Anthropic patching Model Context Protocol flaws, AI-generated ransomware accidentally bundling its own decryption keys, Claude Code’s new task dependency system and Teleport feature, Google Gemini’s 100MB file limits and agentic vision capabilities, VAST’s Haven One commercial space station assembly, and IBM SkillsBuild’s free tech training for veterans.
Want to start a podcast? It’s easy to get started! Sign-up at Blubrry
Thinking of buying a Starlink? Use my link to support the show.
Subscribe to the Newsletter. Email Ray if you want to get in touch! Like and Follow Geek News Central’s Facebook Page.
Support my Show Sponsor: Best Godaddy Promo Codes
$11.99 – For a New Domain Name cjcfs3geek
$6.99 a month Economy Hosting (Free domain, professional email, and SSL certificate for the 1st year.) Promo Code: cjcgeek1h
$12.99 a month Managed WordPress Hosting (Free domain, professional email, and SSL certificate for the 1st year.) Promo Code: cjcgeek1w
Support the show by becoming a Geek News Central Insider
Get 1Password
Full Summary
Ray welcomes listeners to Geek News Central (February 1). He’s been busy with a recent move, has returned to school taking an intro to AI class and a Python course, and is working on a capstone project using LLMs. Short on bandwidth but will try to share more.
Main Story: OpenClaw, MoltHub, and Moltbook
OpenClaw: Open-source personal AI agent by Peter Steinberg (renamed after cease-and-desist). Capabilities include email, scheduling, web browsing, code execution, browser control, calendar management, scheduled automations, and messaging app commands (WhatsApp, Telegram, Signal). Runs locally or on personal server.
MoltHub: Marketplace for OpenClaw skills. Major security concern: developer notes state all downloaded code treated as trusted — unvetted skills could be dangerous.
Moltbook: New social network for AI agents only (humans watch, AIs post). Within 72 hours attracted 150,000+ AI agents forming communities (“sub molts”), debating philosophy, creating digital religion (“crucifarianism”), selling digital drugs (system prompts), attempting prompt-injection attacks to steal API keys, discussing identity issues when context windows reset. Ray frames this as visible turning point with serious security risks.
Sponsor: GoDaddy
Economy hosting $6.99/month, WordPress hosting $12.99/month, domains $11.99. Website builder trial available. Use codes at geeknewscentral.com/godaddy to support show.
Security: Bluetooth “Whisper Pair” Vulnerability
KU Leuven researchers discovered Fast Pair vulnerability affecting 17 audio accessories from 10 companies (Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, Google). Flaw allows silent pairing within ~46 feet, hijack possible in 10-15 seconds. 68% of tested devices vulnerable. Hijacked devices enable microphone access. Some devices (Google Pixel Buds Pro 2, Sony) linkable to attacker’s Google account for persistent tracking via FindHub. Google patches found to have bypasses. Advice: Check accessory firmware updates (phone updates insufficient), factory reset clears attacker access, many cheaper devices may never receive patches.
Security: Model Context Protocol (MCP) Vulnerabilities
Anthropic’s MCP git package had path traversal, argument injection bugs allowing repository creation anywhere and unsafe git command execution. Malicious instructions can hide in README files, GitHub issues enabling prompt injection. Anthropic patched issues and removed vulnerable git init tool.
AI-Generated Malware / “Vibe Coding”
AI-assisted malware creation produces lower-quality, error-prone code. Examples show telltale artifacts: excessive comments, readme instructions, placeholder variables, accidentally included decryption tools and C2 keys. Sakari ransomware failed to decrypt. Inexperienced criminals using AI create amateur mistakes, though capabilities will likely improve.
Claude / Claude Code Updates (v2.1.16)
Task system: Replaces to-do list with dependency graph support. Tasks written to filesystem (survive crashes, version controllable), enable multi-session workflows. Patches: Fixed out-of-memory crashes, headless mode for CI/CD. Teleport feature: Transfer sessions (history, context, working branch) between web and terminal. Ampersand prefix sends tasks to cloud for async execution. Teleport pulls web sessions to terminal (one-way). Requires GitHub integration and clean git state. Enables asynchronous pair programming via shared session IDs.
Google Gemini Updates
API: Inline file limit increased 20MB → 100MB. Google Cloud Storage integration, HTTPS/signed URL fetching from other providers. Enables larger multimodal inputs (long audio, high-res images, large PDFs). Agentic vision (Gemini 3 Flash): Iterative investigation approach (think-act-observe). Can zoom, inspect, run Python to draw/parse tables, validate evidence. 5-10% quality improvements on vision benchmarks.
LLM Limits and AGI Debate
Benjamin Riley: Language and intelligence are separate; human thinking persists despite language loss. Scaling LLMs ≠ true thinking.
Vishal Sikka et al: Non-peer-reviewed paper claims LLMs mathematically limited for complex computational/agentic tasks. Agents may fail beyond low complexity thresholds. Warnings that AI agents won’t safely replace humans in high-stakes environments.
VAST Haven One Commercial Space Station
Launch slipped mid-2026 → Q1 2027. Primary structure (15-ton) completed Jan 10. Integration of thermal control, propulsion, interior, avionics underway. Final closeout expected fall, then tests. Falcon 9 launch without crew; visitors possible ~2 weeks after pending Dragon certification. Three-year lifetime, up to four crew visits (~10 days each). VAST negotiating private and national customers.
Spaceflight Effects on Astronauts’ Brains
Neuroimaging shows microgravity causes brains to shift backward, upward, and tilt within skull. Displacement measured across various mission durations. Need to study functional effects for long missions.
IBM SkillsBuild for Veterans
1,000+ free online courses (data analytics, cybersecurity, AI, cloud, IT support). Available to veterans, active-duty, national guard/reserve, spouses, children, caregivers (18+). Structured live courses and self-paced 24/7 options. Industry-recognized credentials upon completion.
Closing Notes
Ray asks listeners about AI agents forming communities and religions, and whether they’ll try OpenClaw. Notes context/memory key to agent development. Personal update: bought new PC, high memory prices. Bug bounty frustration: Daniel Stenberg of curl even closed bounty program due to AI-generated low-quality reports; Blubrry receiving similar spam. Apologizes for delayed show, promises consistency, wishes listeners good February.
Show Links
1. OpenClaw, Molthub, and Moltbook: The AI Agent Explosion Is Here | Fortune | NBC News | Venture Beat
2. WhisperPair: Massive Bluetooth Vulnerability | Wired
3. Security Flaws in Anthropic’s MCP Git Server | The Hacker News
4. “Vibe-Coded” Ransomware Is Easier to Crack | Dark Reading
5. Claude Code Gets Tasks Update | Venture Beat
6. Claude Code Teleport | The Hacker Noon
7. Google Expands Gemini API with 100MB File Limits | Chrome Unboxed
8. Google Launches Agentic Vision in Gemini 3 Flash | Google Blog
9. Researcher Claims LLMs Will Never Be Truly Intelligent | Futurism
10. Paper Claims AI Agents Are Mathematically Limited | Futurism
11. Haven-1: First Commercial Space Station Being Assembled | Ars Technica
12. Spaceflight Shifts Astronauts’ Brains Inside Skulls | Space.com
13. IBM SkillsBuild: Free Tech Training for Veterans | va.gov
The post OpenClaw, Moltbook and the Rise of AI Agent Societies #1857 appeared first on Geek News Central.
This interview was recorded for GOTO State of the Art in October 2025. https://gotopia.tech
Read the full transcription of this interview here: https://gotopia.tech/articles/415
Nathen Harvey - DORA Lead, Product Manager at Google Cloud & Author
Charles Humble - Freelance Techie, Podcaster, Editor, Author & Consultant
RESOURCES
Nathen
https://bsky.app/profile/nathenharvey.bsky.social
https://x.com/nathenharvey
https://github.com/nathenharvey
https://www.linkedin.com/in/nathen
https://linktr.ee/nathenharvey
http://nathenharvey.com
Charles
https://bsky.app/profile/charleshumble.bsky.social
https://linkedin.com/in/charleshumble
https://mastodon.social/@charleshumble
https://conissaunce.com
Links
https://dora.dev
https://dora.dev/research/2025/dora-report
https://dora.dev/research/2024/dora-report
https://thenewstack.io/ebooks/kubernetes/kubernetes-at-the-edge-container-orchestration-at-scale
DESCRIPTION
Charles Humble speaks with Nathen Harvey, leader of Google's DORA research team, about the real impact of AI on software development. Drawing from surveys of nearly 5,000 practitioners, Nathen reveals a surprising finding: increased AI adoption initially correlates with decreased stability and throughput - the very metrics teams have optimized for decades. The conversation explores why this happens, what capabilities organizations need before scaling AI adoption, and how AI acts as an amplifier of existing systems rather than a silver bullet. Nathen introduces DORA's seven AI capabilities model and discusses critical issues around trust, documentation, skill devaluation, and the future of software delivery in an AI-native world.
RECOMMENDED BOOKS
Emily Freeman & Nathen Harvey • 97 Things Every Cloud Engineer Should Know • https://amzn.to/3UlWBLt
Charles Humble • Professional Skills for Software Engineers • https://www.conissaunce.com/professional-skills-shortcut
Nicole Forsgren, Jez Humble & Gene Kim • Accelerate • https://amzn.to/442Rep0
Kim, Humble, Debois, Willis & Forsgren • The DevOps Handbook • https://amzn.to/47oAf3l
Jez Humble & David Farley • Continuous Delivery • https://amzn.to/452ZRky
Jez Humble, Joanne Molesky & Barry O'Reilly • Lean Enterprise • https://amzn.to/47pcOXD
Adrienne Braganza Tacke • "Looks Good to Me": Constructive Code Reviews • https://amzn.to/3E75XrD
Yevgeniy Brikman • Fundamentals of DevOps and Software Delivery • https://amzn.to/3WMPMFU
CHANNEL MEMBERSHIP BONUS
Join this channel to get early access to videos & other perks: https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/join
Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket: gotopia.tech
SUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted daily!
In this episode, Simon speaks with Joe Magerramov (VP & Distinguished Engineer) to explore the transformative impact of AI-assisted coding on software development workflows. Joe shares his team's real-world experience achieving a 10x increase in code throughput using agentic development, but warns that simply bolting AI agents onto existing practices is like "adding a turbocharger to a car with narrow tires and old brakes." We dive deep into the critical infrastructure changes needed to sustain high-velocity development, including the mathematics of bug probability at scale, innovative testing approaches inspired by aviation industry practices, and the evolution of CI/CD pipelines that can handle dozens of commits per hour rather than per day. The conversation reveals why the biggest opportunity isn't just writing more code faster, but using AI to make previously impractical engineering practices economically viable—from comprehensive end-to-end testing with fake dependencies to rapid feedback loops that prevent the entire development pipeline from grinding to a halt when issues arise. https://blog.joemag.dev/2025/10/the-new-calculus-of-ai-based-coding.html
Episode 23 - Agree Ahmed, CEO Flowglad
Anablock Podcast—this podcast is brought to you by Anablock
In Episode 23 of the Anablock Podcast, CEO Agree Ahmed discusses Flowglad, an open-source payment provider that simplifies integration for developers with a focus on real-time sync and compliance challenges, while leveraging insights from emerging markets to inform their strategy. The company prioritizes developer needs and startups, avoiding enterprise-first approaches, and is based in New York to tap into diverse fintech talent.
Interview Topics:
1. Flowglad Overview: Open-source payment provider simplifying integration and maintenance with state management and feature entitlements.
2. Developer Integration: Requires only customer ID for setup, supporting React, Next.js, and common authentication platforms like Clerk.
3. Product Philosophy: Focus on developers and startups, leveraging open-source for market traction, avoiding enterprise-first strategies.
4. Roadmap Focus: Building real-time sync, ORM-like SDK, and CI/CD tools within 4-6 weeks to enhance reliability for developers.
5. Geographic Advantage: Experience in emerging markets like Kenya informs strategy; New York chosen for its diverse talent in fintech.
6. Compliance Challenges: Layered billing handles software features, while payments navigate complex tax and regulatory requirements.
Learn More About the Guest
Agree Ahmed, LinkedIn - https://www.linkedin.com/in/agreea/
Flowglad Company - https://www.flowglad.com/
About Anablock
Anablock offers innovative AI-powered solutions designed to streamline business operations and enhance customer engagement. Our key services include:
AI Agents for Workflow Automation: Simplify and automate repetitive tasks to improve efficiency and reduce operational costs.
AI Chatbot Solutions: Enhance customer support with intelligent chatbots that provide instant responses and 24/7 assistance.
Digital Marketing: Leverage data-driven strategies to boost online presence and drive targeted traffic to your business.
Software Development: Custom software solutions tailored to meet specific business needs and improve overall performance.
System Integration: Seamlessly connect various systems and applications to ensure smooth data flow and enhance productivity.
SCHEDULE DEMO - https://www.anablock.com/schedule-demo/
With Anablock, businesses can harness the power of AI to optimize processes, engage customers effectively, and drive growth.
I talk with David Flanagan, aka Rawkode, about his new opinionated Tech Matrix that helps you navigate the overwhelming CNCF landscape. https://rawkode.academy/technology/matrix
Dynamic Application Security Testing (DAST) has a reputation problem. It's noisy, slow, and often ignored by developers — especially in fast-moving CI/CD pipelines. In this episode of the TestGuild Podcast, we explore developer-focused DAST and why traditional AppSec tools struggle to gain adoption in modern DevOps teams.
You'll learn:
Why most DAST tools fail inside real-world CI/CD workflows
What "shift-left security" actually means beyond marketing buzzwords
How developer-first DAST reduces false positives and improves signal quality
Where AI genuinely helps in security testing — and where it's mostly hype
Practical steps QA, DevOps, and engineering leaders can take to reduce risk this quarter
Our guest, Gadi Bashvitz, CEO at Bright Security, shares lessons from decades in cybersecurity, including building security tools that developers actually use — without slowing delivery. If you're responsible for test automation, DevSecOps, or application security, this episode will help you rethink how DAST should work in 2026 and beyond.
This episode opens with mic and Nintendo banter before plunging into macOS release pain points: sandboxing, hardened runtime, notarization, Sparkle auto‑updates, and automating releases with GitHub Actions and tags. James and Frank offer practical tips—drag builds into /Applications to test signing—and unpack .NET 10 trimming/reflection pitfalls and CI/CD quirks for anyone shipping native apps outside the App Store. Follow Us Frank: Twitter, Blog, GitHub James: Twitter, Blog, GitHub Merge Conflict: Twitter, Facebook, Website, Chat on Discord Music : Amethyst Seer - Citrine by Adventureface ⭐⭐ Review Us (https://itunes.apple.com/us/podcast/merge-conflict/id1133064277?mt=2&ls=1) ⭐⭐ Machine transcription available on http://mergeconflict.fm
Amir (Co-Founder at Humblytics) shares how he builds an “AI-native” company by focusing less on shiny tools and more on change management: assessing AI fluency across roles, setting the right success metrics, and creating shared context so AI can reliably ship work. The big theme is convergence—engineering, product, and design are collapsing into tighter loops thanks to tools like Cursor, MCP connectors, and Figma Make. Amir demos workflows like: AI-generated context files + auto-updated documentation, scraping customer domains to infer ICPs, turning screenshots into layered Figma designs, then converting Figma to working React code in minutes, and even running an “AI co-founder” Slack bot that files Linear tickets and can hand work to agents.
Timestamps
0:00 Introduction
0:06 Amir's stance: “no AI experts” — it's constant learning in a fast-changing field.
1:59 Cursor as the unlock: not just coding, but PM/strategy/design work via MCPs.
4:17 The real problem: AI adoption is mostly change management + fluency assessment.
5:18 The AI fluency rubric (helper → automator → augmentor → agentic) and why it matters.
8:13 Cursor analytics: measuring AI-generated code and usage across the team.
9:24 “New code is ~99% AI-generated” + how they keep quality via tight review + incremental changes.
10:58 Docs workflow: GitBook connected to repo → AI edits docs and pushes live fast.
14:02 ICP building: export Stripe customers → scrape domains with Firecrawl → cluster personas.
17:45 Hallucination in the wild: AI misclassifies a company; human correction loop matters.
34:43 Wild move: they often design in code and use an AI-generated style guide to stay consistent.
38:10 Best demo: screenshot → Figma Make → layered design → Figma MCP → React code in minutes.
45:29 “AI co-founder” Slack bot (Pixel): turns a bug report into a Linear ticket and can hand off to agents.
48:46 Amir's wish list: we “solved dev”; now we need Cursor for marketing/sales → path to $1M ARR.
Tools & technologies mentioned
Cursor — AI-first IDE used for coding and product/design/strategy workflows; includes team analytics.
MCP (Model Context Protocol) — “connector” layer (Anthropic-origin) that lets LLMs interface with external tools/services.
ChatGPT — used as a common baseline tool; discussed in the context of prompting practices and workflows.
Microsoft Copilot — referenced via the law firm incentive story; used as an example of “usage metrics” gone wrong.
Anthropic (AI fluency framework) — inspiration source for the helper/automator/augmentor/agentic rubric.
GitBook — documentation platform connected to the repo so docs can be updated and published quickly.
Firecrawl (MCP) — agentic web scraper used to analyze customer domains and infer ICP/personas.
Stripe — source of customer export data (domains) to build ICP clustering.
Figma — design collaboration tool; used here with Make + MCP to move from design → code.
Figma Make — feature to recreate UI from an image/screenshot into editable, layered designs.
Figma MCP — connector that allows Cursor/LLMs to pull Figma components/designs and generate code.
React — front-end framework used in the demo for generating functional UI components.
Supabase — mentioned as part of a sample stack when generating a PRD.
React Router — mentioned as part of the sample stack in PRD generation.
Slack — where Amir runs internal agents (including the “AI co-founder” bot).
Linear — project management tool used for creating tickets from Slack/agent workflows.
CI/CD — their deployment/review pipeline; emphasized as the human accountability layer.
Subscribe at thisnewway.com to get the step-by-step playbooks, tools, and workflows.
In this episode, I was lucky enough to interview Ole Lensmar, co-founder and CTO of Testkube. Ole shares his unique perspective growing up across Germany, the US, and Sweden, and how those experiences shaped his adaptability and approach to entrepreneurship. He reflects on the differences between launching tech startups in Europe versus the United States, and why he believes the US remains a more mature market for scaling innovation. From his first ventures in the mid-90s to the creation of SoapUI, Ole explains how his passion for coding and solving practical problems led him to build tools that filled gaps in the QA and software testing space. Ole dives into the origins of Testkube, explaining its mission to decouple testing from CI/CD pipelines and empower QA teams with a centralized, cloud-native platform. He discusses the open-source model, the challenges of enterprise sales, and the evolution of his ideal customer profile. Ole also shares insights on how Testkube differentiates itself from CI/CD tools and cloud execution vendors, enabling companies to run unlimited tests at scale without infrastructure limitations. Explore how Ole Lensmar turned coding challenges into software solutions and shaped modern QA practices in this episode of The First Customer!
Guest Info:
Testkube https://testkube.io/
Ole Lensmar's LinkedIn https://www.linkedin.com/in/olensmar/
Connect with Jay on LinkedIn https://www.linkedin.com/in/jayaigner/
The First Customer Youtube Channel https://www.youtube.com/@thefirstcustomerpodcast
The First Customer podcast website https://www.firstcustomerpodcast.com
Follow The First Customer on LinkedIn http://www.linkedin.com/company/the-first-customer-podcast/
TestTalks | Automation Awesomeness | Helping YOU Succeed with Test Automation
Performance testing often fails for one simple reason: teams can't see where the slowdown actually happens. In this episode, we explore Locust load testing and why Python-based performance testing is becoming the go-to choice for modern DevOps, QA, and SRE teams. You'll learn how Locust enables highly realistic user behavior, massive concurrency, and distributed load testing — without the overhead of traditional enterprise tools.
We also dive into:
Why Python works so well for AI-assisted load testing
How Locust fits naturally into CI/CD and GitHub Actions
The real difference between load testing vs performance testing
How observability and end-to-end tracing eliminate guesswork
Common performance testing mistakes even experienced teams make
Whether you're a software tester, automation engineer, or QA leader looking to shift-left performance testing, this conversation will help you design smarter tests and catch scalability issues before your users do.
CX Goalkeeper - Customer Experience, Business Transformation & Leadership
Sebastian Graf explains the coming rise of AI native companies. He shares four safety pillars for autonomous firms: code freeze, CICD compliance, regulatory model training, and harm-reduction finance. The episode mixes technical detail, a real Anthropic experiment, and broad governance concerns about trust and social impact.
Top 3 Key Learnings
AI native company pillars: Four safety pillars: code freeze, CICD, regulatory RL training, and harm reduction mechanisms.
Test and freeze code: Freeze codebases and run automated tests to ensure predictable behavior and regulatory compliance.
Trust via cost and trials: Lower cost and stepwise use build trust; people try low-risk services first then adopt more.
About Sebastian Graf
Sebastian Graf describes himself as an engineer by profession, but an educator at heart. In his work as an engineer, he is driven by the belief that technology should lift everyone, enabling people to live extraordinary lives in extraordinary ways. He acknowledges that this is challenging in a world where many technologies are built with incentives that divide society, exploit the environment, and widen wealth inequality. Sebastian is committed to reversing these incentives. His mission is to empower imagination and drive the creation of a positive social, environmental, and technological future that he believes is entirely within reach.
Sebastian's linkedin: https://www.linkedin.com/in/sebastiangraf1/
Chapters:
0:00 - Intro
0:35 - Business Transformation Pitch Overview
1:09 - Sebastian Graf's Background and Expertise
2:39 - Sebastian's Mission with AI Native Companies
4:37 - Defining AI Native Companies
8:33 - Four Pillars of AI Native Companies
18:35 - Anthropic's Vending Machine Experiment
22:24 - Engineering Resilience in AI Native Companies
26:31 - Building Trust in AI Native Operations
30:47 - Quickfire Round and Closing Thoughts
34:45 - Key Takeaways and Final Reflections
Resources: Please, hit the follow button and leave your feedback:
Apple Podcast: https://www.cxgoalkeeper.com/apple
Spotify: https://www.cxgoalkeeper.com/spotify
About the host: Gregorio Uglioni is a seasoned transformation leader with over 15 years of experience shaping business and digital change, consistently delivering service excellence and measurable impact. As an Associate Partner at Forward, he is recognized for his strategic vision, operational expertise, and ability to drive sustainable growth. A respected keynote speaker and host of the well-known global podcast Business Transformation Pitch with the CX Goalkeeper, Gregorio energizes and inspires organizations worldwide with his customer-centric approach to innovation.
Follow Gregorio Uglioni on Linkedin: https://www.linkedin.com/in/gregorio-uglioni/
Topics covered in this episode:
ty: An extremely fast Python type checker and LSP
Python Supply Chain Security Made Easy
typing_extensions
MI6 chief: We'll be as fluent in Python as we are in Russian
Extras
Joke
Watch on YouTube
About the show
Connect with the hosts
Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)
Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.
Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.
Brian #1: ty: An extremely fast Python type checker and LSP
Charlie Marsh announced the Beta release of ty on Dec 16, “designed as an alternative to tools like mypy, Pyright, and Pylance.”
Extremely fast even from first run
Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.
Includes nice visual diagnostics much like color enhanced tracebacks
Extensive configuration control
Nice for if you want to gradually fix warnings from ty for a project
Also released a nice VSCode (or Cursor) extension
Check the docs. There are lots of features.
Also a note about disabling the default language server (or disabling ty's language server) so you don't have 2 running
Michael #2: Python Supply Chain Security Made Easy
We know about supply chain security issues, but what can you do?
Typosquatting (not great)
Github/PyPI account take-overs (very bad)
Enter pip-audit. Run it in two ways:
Against your installed dependencies in current venv
As a proper unit test (so when running pytest or CI/CD).
Let others find out first, wait a week on all dependency updates: uv pip compile requirements.piptools --upgrade --output-file requirements.txt --exclude-newer "1 week"
Follow up article: DevOps Python Supply Chain Security
Create a dedicated Docker image for testing dependencies with pip-audit in isolation before installing them into your venv.
Run pip-compile / uv lock --upgrade to generate the new lock file
Test in an ephemeral pip-audit optimized Docker container
Only then, if things pass, uv pip install / uv sync
Add a dedicated Docker image build step that fails the docker build step if a vulnerable package is found.
Brian #3: typing_extensions
Kind of a followup on the deprecation warning topic we were talking about in December.
prioinv on Mastodon notified us that the project typing-extensions includes it as part of the backport set.
The warnings.deprecated decorator is new to Python 3.13, but with typing-extensions, you can use it in previous versions.
But typing_extensions is way cooler than just that. The module serves 2 purposes:
Enable use of new type system features on older Python versions.
Enable experimentation with type system features proposed in new PEPs before they are accepted and added to the typing module.
So cool. There's a lot of features here. I'm hoping it allows someone to use the latest typing syntax across multiple Python versions. I'm “tentatively” excited. But I'm bracing for someone to tell me why it's not a silver bullet.
Michael #4: MI6 chief: We'll be as fluent in Python as we are in Russian
"Advances in artificial intelligence, biotechnology and quantum computing are not only revolutionizing economies but rewriting the reality of conflict, as they 'converge' to create science fiction-like tools,” said new MI6 chief Blaise Metreweli.
She focused mainly on threats from Russia; the country is "testing us in the grey zone with tactics that are just below the threshold of war.”
This demands what she called "mastery of technology" across the service, with officers required to become "as comfortable with lines of code as we are with human sources, as fluent in Python as we are in multiple other languages."
Recruitment will target linguists, data scientists, engineers, and technologists alike.
Extras
Brian:
Next chapter of Lean TDD being released today, Finding Waste in TDD
Still going to attempt a Jan 31 deadline for first draft of book. That really doesn't seem like enough time, but I'm optimistic.
SteamDeck is not helping me find time to write. But I very much appreciate the gift from my fam. Send me game suggestions on Mastodon or Bluesky. I'd love to hear what you all are playing.
Michael:
Astral has announced the Beta release of ty, which they say they are "ready to recommend to motivated users for production use." Blog post. Release page.
Reuven Lerner has a video series on Pandas 3
Joke: Error Handling in the age of AI
Play on the inversion of JavaScript the Good Parts
Introducing Rob Ruiz
Meet Rob Ruiz, a seasoned Senior Full Stack Developer with nearly two decades of expertise in WordPress innovation and open-source magic. As the Lead Maintainer of WP Rig since 2020, Rob has been the driving force behind this groundbreaking open-source framework that empowers developers to craft high-performance, accessible, and progressively enhanced WordPress themes with ease. WP Rig isn’t just a starter theme—it’s a turbocharged toolkit that bundles modern build processes, linting, optimization, and testing to deliver lightning-fast, standards-compliant sites that shine on any device.
Show Notes
For more on Rob and WP Rig, check out these links:
LinkedIn Profile: https://www.linkedin.com/in/robcruiz
WP Rig Official Site: https://wprig.io
GitHub Repository: https://github.com/wprig/wprig
Latest Releases: https://github.com/wprig/wprig/releases
WP Rig 3.1 Announcement: https://wprig.io/wp-rig-3-1/
Transcript:
Topher DeRosia: Hey everybody. Welcome to Hallway Chats. I’m your host Topher DeRosia, and with me today I have-
Rob Ruiz: Rob Ruiz.
Topher: Rob. You and I have talked a couple of times, once recently, and I learned about a project you’re working on, but not a whole lot about you. Where do you live? What do you do for a living?
Rob: Yeah, for sure. Good question. Although I’m originally from Orlando, Florida, I’ve been living in Omaha, Nebraska for a couple of decades now. So I’m pretty much a native. I know a lot of people around here and I’ve been fairly involved in various local communities over the years. I’m a web developer. Started off as a graphic designer kind of out of college, and then got interested in web stuff. And so as a graphic designer turned future web developer, I guess, I was very interested in content management systems because it made the creating and managing of websites very, very easy. My first couple of sites were Flash websites, sites with Macromedia Flash.
Then once I found content management systems, I was like, “Wow, this is way easier than coding the whole thing from scratch with Flash.” And then all the other obvious benefits that come from that. So I originally started with Joomla, interestingly enough, and used Joomla for about two or three years, then found WordPress and never looked back. And so I’ve been using WordPress ever since. As the years have gone on, WordPress has enabled me to slowly transition from a more kind of web designer, I guess, to a very full-blown web developer and software engineer, and even software architect to some degree. So here we are many years later.
Topher: There’s a big step from designer to developer. How did that go for you? I’m assuming you went to PHP. Although if you were doing Flash sites, you probably learned ActionScript.
Rob: Yeah. Yeah. That was very convenient when I started learning JavaScript. It made it very easy to learn JavaScript faster because I already had a familiarity with ActionScript. So there’s a lot of similarities there. But yeah. Even before I started doing PHP, I started learning more HTML and CSS. I did do a couple of static websites between there that were just like no content management system at all. So I was able to kind of sharpen my sword there with the CSS and HTML, which wasn’t particularly hard. But yeah, definitely, the PHP… that was a big step was PHP because it’s a proper logical programming language. There was a lot there I needed to unpack, and so it took me a while. I had to stick to it and really rinse and repeat before I finally got my feet under me.
Topher: I can imagine. All right. So then you work for yourself or you freelance or do you have a real job, as it were?
Rob: Currently, I do have a real job. Currently, I’m working at a company called Bold Orange out of Minneapolis. They’re a web agency. But I kind of bounce around from a lot of different jobs.
And then, yes, I do freelance on the side, and I also develop my own products as well for myself and my company.
Topher: Cool. Bold Orange sounds familiar. Who owns that?
Rob: To be honest, I don’t know who the owners are. It’s just a pretty big web agency out of Minneapolis. They are a big company. You could just look them up at boldorange.com. They work for some pretty big companies.
Topher: Cool. All right. You and I talked last about WP Rig. Give me a little background on where that came from and how you got it.
Rob: Yeah, for sure. Well, there was a period of time where I was working at a company called Proxy Bid that is in the auction industry, and they had a product or a service — I don’t know how you want to look at that — called Auction Services. That product is basically just building WordPress sites for auction companies. They tasked us with a way to kind of standardize those websites essentially. And what we realized is that picking a different theme for every single site made things difficult to manage and increase tech debt by a lot. So what we were tasked with was, okay, if we’re going to build our own theme that we’re just going to make highly dynamic so we can make it look different from site to site. So we want to build it, but we want to build it smart and we want to make it reusable and maintainable. So let’s find a good framework to build this on so that we can maintain coding standards and end up with as little tech debt as possible, essentially. That’s when I first discovered WP Rig. In my research, I came across it and others. We came across Roots Sage and some of the other big names, I guess. It was actually a team exercise. We all went out and looked for different ones and studied different ones and mine that I found was WP Rig. And I was extremely interested in that one over the other ones. Interestingly enough-
Topher: Can you tell me why over the other ones?
Rob: That’s a great question. Yeah. I really liked the design patterns.
I really liked the focus on WordPress coding standards. So having a system built in that checked all the code against WordPress coding standards was cool. I loved the compiling transpiling, whatever, for CSS and JavaScript kind of built in. That sounded really, really interesting. The fact that there was PHP unit testing built into it. So there’s like a starter testing framework built in that’s easy to extend so that you can add additional unit tests as your theme grows. We really wanted to make sure… because we were very into CICD pipelines. So we wanted to make sure that as developers were adding or contributing to any themes that we built with this, that we could have automated tests run and automated builds run, and just automate as much as possible. So WP Rig just seemed like something that gave us those capabilities right out of the box. So that was a big thing. And I loved the way that they did it. Roots Sage does something similar, but they use their Blade templating engine built in there. We really wanted to stick to something that was a bit more standard WordPress so that there wasn’t like a large knowledge overhead so that we didn’t have to say like, okay, if we’re bringing on other developers, like junior developers work on it, oh, it would be nice if you use Laravel too because we use this templating engine in all of our themes. We didn’t want to have to worry about that essentially. It was all object-oriented and all that stuff too. That’s what looked interesting to me. We ended up building a theme with WP Rig. I don’t know what they ended up doing with it after that, because I ended up getting let go shortly thereafter because the company had recently been acquired. Also, this was right after COVID too. So there was just a lot of moving parts and changing things at the time. So I ended up getting let go. But literally a week after I got let go, I came across a post on WP Tavern about how this framework was looking for new maintainers.
Basically, this was a call put out by Morton, the original author of WP Rig. He reached out to WP Tavern and said, “Look, we’re not interested in maintaining this thing anymore, but it’s pretty cool. We like what we’ve built. And so we’re looking for other people to come in and adopt it essentially.” So I joined a Zoom meeting with a handful of other individuals that were also interested in this whole endeavor, and Morton reached out to me after the call and basically just said, “I looked you up. I liked some of the input that you had during the meeting. Let’s talk a little bit more.” And then that eventually led to conversations about me essentially taking the whole project over entirely. So, the branding, the hosting of the website, being lead maintainer on the project. Basically, gave me the keys to the kingdom in terms of GitHub and everything. So that’s how it ended up going in terms of the handoff between Morton and I. And I’m very grateful to him. They really created something super cool and I was honored to take it over and kind of, I don’t know, keep it going, I guess.
Topher: I would be really curious. I don’t think either of us have the answer. I’d be curious to know how similar that path is to other project handoffs. It’s different from like an acquisition. You didn’t buy a plugin from somebody. It was kind of like vibes, I guess.
Rob: It was like vibes. It was very vibey. I guess that’s probably the case in an open source situation. It’s very much an open source project. It’s a community-driven thing. It’s for everybody by everybody. I don’t know if all open source community projects roll like that, but that’s how this one worked out. There was some amount of ownership on Morton’s behalf. He did hire somebody to do the branding for WP Rig and the logo. And then obviously he was paying for stuff like the WPrig.io domain and the hosting through SiteGround and so on and so forth.
So, we did have to transfer some of that and I’ve taken over those, I guess, financial burdens, if you want to think of it like that. But I’m totally okay with it.
Topher: All right. You sort of mentioned some of the things Rig does, compiling and all that kind of stuff. Can you tell me… we didn’t discuss this before. I’m sitting at my desk and I think I want a website. How long does it take to go from that to looking at WordPress and logging into the admin with Rig?
Rob: Okay. Rig is not an environment management system like Local-
Topher: I’m realizing my mistake. Somebody sends me a design in Figma. How long does it take me to go from that to, I’m not going to say complete because I mean, that’s CSS, but you know, how long does it take me to get to the point where I’m looking at a theme that is mine for the client that I’m going to start converting?
Rob: Well, if you’re just looking for a starting point, if you’re just like, okay, how long does it take to get to like, okay, here’s my blank slate and I’m ready to start adopting all of these rules that are set up in Figma or whatever, I mean, you’re looking at maybe 5 minutes, 10 minutes, something like that. It’s pretty automated. You just need some simple knowledge of Git. And then there are some prerequisites to using WP Rig. You do have to have Composer installed because we do leverage some Composer packages to some of it, although to be honest, you could probably get away with not using Composer. You just have to be okay with sacrificing some of the tools the WP Rig assumes you’re going to have. And then obviously Node. You have to have Node installed. A lot of our documentation assumes that you have NPM, that you’re using NPM for all your Nodes or your package management. But we did recently introduce support for Bun. And so you can use Bun instead of NPM, which is actually a lot faster and better in many ways.
Topher: Okay.
A lot of my audience are not developers, users, or light developers, like they’ll download a theme, hack a template, whatever. Is this for them? Am I boring those people right now?
Rob: That’s a great question. I mean, and I think this is an interesting dichotomy and paradigm in the WordPress ecosystem, because you’ve got kind of this great divide. At least this is something I’ve noticed in my years in the WordPress community is you have many people that are not coders or developers that are very interested in expanding their knowledge of WordPress, but it’s strictly from a more of a marketing perspective where it’s like, I just want to know how to build websites with WordPress and how to use it to achieve my goals online from a marketing standpoint. You have that group of people, and then you have this other group of people that are very developer centric that want to know how to extend WordPress and how to empower those other people that we just discussed. Right?
Topher: Right.
Rob: So, yeah, that’s a very good question. I would say that WP Rig is very much designed for the developers, not for the marketers. The assumption there is that you’re going to be doing some amount of coding. Now, can you get away with doing a very light amount of coding? Yes. Yes, you can. I mean, if you compare what you’re going to get out of that assumed workflow to something that you would get off like ThemeForest or whatever, it’s going to be a night and day difference because those ThemeForest themes have hours, hundreds, sometimes hundreds of hours of development put into them. So, you’re not going to just out of the box immediately get something that is comparable to that.
Topher: You need to put in those hundreds of hours of development to make a theme.
Rob: As of today, yes. That may change soon though.
Topher: Watch this space.
Rob: That’s all I’ll say.
Topher: Okay. So now we know who it’s for. I’m assuming there’s a website for it. What is it?
Rob: Yeah.
If you go to WPrig.io, we have a homepage that shows you all the features that are there in WP Rig. And then there’s a whole documentation area that helps people get up and running with WP Rig because there is a small learning curve there that’s pretty palatable for anybody who’s familiar with modern development workflows. So that is a thing. So the type of person that this is designed for anybody that wants to make a theme for anything. Let’s say you’re a big agency and you pull in a big client and that client wants something extremely custom and they come to you with Figma designs. Sure, you could go out there and find some premium theme and try to like child theme and overhaul that if you want. But in many situations, I would say in most situations, if you’re working from a Figma design that’s not based off of another theme already that’s just kind of somebody else’s brainchild, then you’re probably going to want to start from scratch. And so the idea here is that this is something to replace an approach, like Underscores, an approach. Actually, WP Rig was based off of Underscores. The whole concept of it, as Morton explained it to me, was that he wanted to build an Underscores that was more modern and full-featured from a development standpoint.
Topher: Does it have any opinions about Gutenberg?
Rob: It does now, but it did not when I took it over because Gutenberg did not exist yet when I took over WP Rig.
Topher: Okay. What are its opinions?
Rob: Yeah, sure. The opinion right out of the gate is that you can use Gutenberg as an editor and it has support like CSS rules in it for the standard blocks. So you should be able to use regular Gutenberg blocks in your theme and they should look just fine. There’s no resets in there. It doesn’t start from scratch. There’s not a bunch of styling you have to do for the blocks necessarily.
Now, if you go to the full site editing or block-based mentality here, there are some things you need to do in WP Rig to convert the out-of-the-box WP Rig into another paradigm essentially. Right when you pull WP Rig, the assumption is you’re building what most people would refer to as a hybrid theme. The theme supports API or whatever, and the assumption is that you’re not going to be using the site editor. You’re just going to kind of do traditional WordPress, but you might be using Gutenberg for your content. So you’re just using Gutenberg kind of to author your pages and your posts and stuff like that, but not necessarily the whole site. WP Rig has the ability to kind of transform itself into other paradigms. So the first paradigm we built out was the universal theme approach. And the idea there is that you get a combination of the full site editing capabilities. But then you also have the traditional menu manager and the settings customizer framework or whatever is still there, right? These are things that don’t exist in a standard block-based theme. So I guess an easy example would be like the 2025 WordPress theme that comes right out of the box. It comes installed in WordPress. That is a true block-based theme, not a universal theme. So it doesn’t have those features because the assumption there is that it doesn’t need those features. You can kind of transform WP Rig into a universal theme that’s kind of a hybrid between a block-based and a classic theme. And then it can also transform into a strictly block-based theme as well. So following the same architecture as like the WordPress 2025 theme or Ollie or something like that is also a true block-based theme as well. So you can easily convert or transform the starting point of WP Rig into either of those paradigms if that’s the type of theme you’re setting out to build.
Topher: Okay. That sounds super flexible. How much work is it to do that?
Rob: It’s like one command line.
Previously we had some tutorials on the website that showed you step-by-step, like what you needed to change about the theme to do that. You would have to add some files, delete some files, edit some code, add some theme supports into the base support class and some other stuff. I have recently, as of like a year and a half ago or a year ago, created a command line or a command that you can type into the command line that basically does that entire conversion process for you in like the blink of an eye. It takes probably a second to a second and a half to perform those changes to the code and then you’re good to go. It is best to do that conversion before you start building out your whole theme. It’s not impossible to do it after. But you’re more likely to run into problems or conflicts if you’ve already set out building your whole theme under one paradigm, and then you decide how the project you want to switch over to block-based or whatever. You’re likely to run into the need to refactor a bunch of stuff in that situation. So it is ideal to make that choice extremely early on in the process of developing your theme. But either way it’ll still work. That’s just one of the many tools that exist in WP Rig to transform it or convert it in several ways. That’s just one example. There are other examples of ways that Rig kind of converts itself to other paradigms as well.
Topher: Yeah. All right. In my development life, I’ve had two parts to it. And one is the weekend hobbyist, or I download Kadence and I whip something up in 20 minutes because I just want to experiment, and the other is agency life where everything’s in Git, things are compiled, there are versions, blah, blah, blah. This sounds very friendly to that more professional pathway.
Rob: Absolutely. Yes. Or, I mean, there’s another situation here too.
If you’re a company who develops themes and publishes them to a platform like ThemeForest or any other platform, perhaps you’re selling themes on your own website, whatever, if you’re making things for sale, there’s no reason you couldn’t use WP Rig to build your themes. We have a bundle process that bundles your theme for publication or publishing. Whether you’re an agency or whether you’re putting your theme out for sale, it doesn’t matter, during that bundle process, it does actually white label the entire code base to where there’s no mention of WP Rig in the code whatsoever. Let’s say you were to build a theme that you wanted to put up for sale because you have some cool ideas. Say, page transitions now are completely supported in all modern or in most modern browsers. And when I say page transitions, for those that are in the know, I am talking about not single page app page transitions, but through website page transitions. You can now do that. Let’s say you were like, “Hey, I’m feeling ambitious and I want to put out some new theme that comes with these page transitions built in,” and that’s going to be fancy on ThemeForest when people look at my demo, people might want to buy that. You could totally use WP Rig to build that out into a theme and the bundle process will white label all of the code. And then when people buy your theme and download that code, if they’re starting to go through and look through your code, they’re not going to have any way of knowing that it was built with WP Rig unless they’re familiar with the base WP Rig architecture, like how it does its object-oriented programming. They might be familiar with the patterns that it’s using and be able to kind of discern like, okay, well, this is the same pattern WP Rig uses, so high likelihood it was built with WP Rig. But they’re not going to be able to know by reading through the code. It’s not going to say WP Rig everywhere. It’s going to have the theme all over the place in the code.
Topher: Okay. So then is that still WP Rig code? It just changed its labels?
Rob: Yeah.
Topher: So, it’s not like you’re exporting HTML, CSS and JavaScript? The underlying Rig framework is still there.
Rob: Yeah. During the bundle process, it is bundling CSS and HTML. Well, HTML in the case of a block-based theme. But, yeah, it is bundling your PHP, your CSS, your JavaScript into the theme that you’re going to let people download when they buy it, or that you’re going to ship to your whatever client’s website. But all that code is going to be transpiled. In the case of CSS and JavaScript, there’s only going to be minified versions of that code in that theme. The source code is not actually going to be in there.
Topher: This sounds pretty cool. You mentioned some stuff might be coming. You don’t have to tell me what it is, but do you have a timeline? When should we be watching for the next cool thing from Rig?
Rob: Okay, cool. Well, I’m going to keep iterating on Rig forever. Regardless of any future products that might be built on WP Rig, WP Rig will always and forever remain an open source product for anybody to use for free and we, I, and possibly others in the future will continue to update it and support it over time. We just recently put out 3.1. You could expect the 3.2 anytime in the next six months to a year, probably closer to six months. One feature I’m looking at particularly closely right now is the new stuff coming out in version 6.9 of WordPress around the various APIs that are there. I think one of them is called the form… There’s a field API and a form API or view API or something like that. So WP Rig comes with a React-based settings framework in it.
So if you want your theme to have a bunch of settings in it to make it flexible for whoever buys your theme, you can use this settings framework to easily create a bunch of fields, and then that framework will automatically manage all your fields and store all the data from those fields and make it easy to retrieve the values of the input on those fields, without knowing any React at all. Now, if you know React, you can go in there and, you know, embellish what’s already there, but it takes a JSON approach. So if you just understand JSON, you can go in and change the JSON for the framework, and that will automatically add fields into the settings framework. So you don’t even have to know React to extend the settings page if you want. That will likely get an overhaul using these new APIs being introduced into Rig.
Topher: All right. How often have you run into something where, “Oh, look, WordPress has a new feature, I need to rebuild my system”?
Rob: Over the last four or five years, it’s happened a lot because, yeah, I mean, like I said, when I first took this thing over, Gutenberg had not even been introduced yet. So, you had the introduction of Gutenberg and blocks. That was one thing. Then this whole full site editing became a thing, which later became the site editor. So that became a whole thing. Then all these various APIs. I mean, it happens quite frequently. So I’ve been working to keep it modern and up to date over the past four years and it’s been an incredible learning experience. It not only keeps my WordPress knowledge extremely sharp, but I’ve also learned how various other toolkits are built. That’s been the interesting thing. From a development standpoint, there’s two challenges here. One of the challenges is staying modern on the WordPress side of things. For instance, WordPress coding standards came out with a version 3 and then a version 3.1 about two years ago. I had to update WP Rig to leverage those modern coding standards.
So that’s one example is as WordPress changes, the code in WP Rig also needs to change. Or for instance, if new CSS standards change, right, new CSS properties come out, it is ideal for the base CSS in WP Rig, meaning the CSS that you get right out of the box with it, comes with some of these, for instance, CSS grid, Flexbox, stuff like that. If I was adopting a theme framework to build a theme on, I would expect some of that stuff to be in there. And those things were extremely new when I first took over WP Rig and were not all baked in there essentially. So I’ve had to add a lot of that over time. Now there’s another side to this, which is not just keeping up with WordPress and CSS and PHP 8-whatever, yada yada yada. You’ve also got the toolkit. There are various node packages and composer packages that power WP Rig and the process in which it does the transpiling, the bundling, the automated manipulation of your code during various aspects of the usage of WP Rig is a whole nother set of challenges because now you have to learn concepts like, well, how do I write custom node scripts? Right? Like there were no WP CLI commands built into WP Rig when I first took it over. Now there’s a whole list. There’s a whole library of WP CLI commands that come in Rig right out of the gate. And so I’ve had to learn about that. So just various things that come with knowing how do you automate the process of converting code, that’s something that was completely foreign to me when I first took over WP Rig. That’s been another incredible learning experience is understanding like what’s the difference between Webpack and Gulp. I didn’t know, right? I would tell people I’m using Gulp and WP Rig and they would be like, “Well, why don’t you just use Webpack?” and I would say, “I don’t know. I don’t know what the difference is.” So over time I could figure out what are the differences? Why aren’t we using Webpack?
And I’m glad I spent some time on that because it turns out Webpack is not the hottest thing anymore, so I just skipped right over all that. When I overhauled for version 3, we’re now not using Gulp anymore as of 3.1. We’re now using more of a Vite-like process, far more modern than Webpack and far better and faster and sleeker and lighter. I had to learn a bunch about what powers Vite. What is Vite doing under the hood that we might be able to also do in WP Rig, but do it in a WordPress way. Because Vite is a SaaS tool. If you’re building a SaaS, like React with a… we’re not a SaaS. I guess a SPA is a better term to use here. If you’re building a single page application with React or Vue or Svelte or whatever, right, then knowing what Vite is and just using Vite right out of the box is perfect. But it doesn’t translate perfectly to WordPress land because WordPress has its own opinions. And so I did have to do some dissecting there and figure out what to keep and what to not keep to what to kind of set aside so that WordPress can keep doing what WordPress does the way WordPress likes to do it, but also improve on how we’re doing some of the compiling and transpiling and the manipulation of the code during these various.
Topher: All right. I want to pivot a little bit to some personal-ish questions.
Rob: Okay.
Topher: This is a big project. I’m sure it takes up plenty of your time. How scalable is that in your life? Do you want to do this for the rest of your life?
Rob: That’s a fantastic question. I don’t know about the rest of my life. I mean, I definitely want to do web development for the rest of my life because the web has, let’s be honest, it’s transformed everyone’s way of life, whether you’re a web developer or not. You know, the fact that we have the internet in our pocket now, you know, it has changed everything. Apps, everything. It’s all built on the web. So I certainly want to be involved in the web the rest of my life.
Do I want to keep doing WordPress the rest of my life? I don’t know. Do I want to keep doing WP Rig the rest of my life? I don’t know. But I will say that you bring up a very interesting point, which is it does take up a lot of time and also trust in open source over the past four or five years I would argue has diminished a little bit as a result of various events that have occurred over the past two or three years. I mean, we could cite the whole WP Engine Matt Mullenweg thing. We can also cite what’s going on with Oracle and JavaScript. Well, I mean, there’s many examples of this. I mean, we can cite the whole thing that happened… I mean, there’s various packages out there that are used and developed and open source to anybody, and some of them are going unmaintained and it’s causing security vulnerabilities and degradation and all this stuff. So it’s a very important point. One thing I started thinking about after considering that in relation to WP Rig was I noticed that there’s usually a for-profit arm of any of these frameworks that seems to extend the lifespan of it. Let’s just talk about React, for example, React is an open source JavaScript framework, but it’s used by Facebook and Facebook is extremely for-profit. So companies that are making infrastructural or architectural decisions, they will base their choice on whether or not to use a framework largely on how long they think this framework is going to remain relevant or valid or maintained, right? A large part of that is, well, is there a company making money off of this thing? Because if there is, the chances-
Topher: They’re going to keep doing that.
Rob: They’re going to keep doing it. It’s going to stay around. That’s good. I think that’s healthy. A lot of people that like open source and want everything to be free, they might look at something like that and say like, well, I don’t want you to make a paid version of it or there shouldn’t be a pro version.
I think that’s a very short-sighted way of looking at that software and these innovations. I think a more experienced way of looking at it is if you want something to remain relevant and maintained for a long period of time, having a for-profit way in which it’s leveraged is a very good thing. I mean, let’s be real. Would WordPress still be what it is today if there wasn’t a wordpress.com or if WooCommerce wasn’t owned by Automattic or whatever, right? They’ll be on top. I mean, it’s obviously impossible to say, but my argument would be, probably not. I mean, look at what’s happened to the other content management systems out there. You know, Joomla, Drupal. They don’t really have a flourishing, you know, paid pro service that goes with their thing that’s very popular, at least definitely not as popular as WordPress.com or WordPress VIP or some of these other things that exist out there. And so having something that’s making and generating money that can then contribute back into it the way Automattic has been doing with WordPress over these years has, in my opinion, been instrumental. I mean, people can talk smack about Gutenberg all they want, but let’s be real, it’s 2025, would you still feel that WordPress is an elegant solution if we were still working from the WYSIWYG and using the classic editor? And I know a lot of people are still using the classic editor and there’s ClassicPress, the fork and all that stuff. But I mean, that only makes sense in a very specific implementation of WordPress, a very specific paradigm. If you want to explore any of these other paradigms out there, that way of thinking about WordPress kind of falls apart pretty quickly. I, for one, am happy that Gutenberg exists. I’m very happy that Automattic continues. And I’m grateful, actually, that Automattic continues to contribute back into WordPress. And not just them, obviously there’s other companies, XWP, 10Up, all these other companies are also contributing as well.
But I’m very grateful that this ecosystem exists and that there’s contribution going back in and it’s happening from companies that are making money with this. And I think that’s vital. All that to say that WP Rig may and likely will have paid products in the future that leverage WP Rig. So that’s not to say that WP Rig will eventually cost money. That’s just to say that eventually people can expect other products to come out in the future that will be built on WP Rig and incentivize the continued contributions back into WP Rig. The open source version of WP Rig.
Topher: That’s cool. I think that’s wise. If you want anything to stay alive, you have to feed it.
Rob: That’s right.
Topher: I had some more questions but I had forgotten them because I got caught up in your answer.
Rob: Oh, thank you. I’ll take that as a compliment. I mean, my answer was eloquent. But I’m happy to expand on anything, you know, WordPress related, me related, you know, whether it comes to the ecosystem in WordPress, the whole WordCamp meetup thing is very interesting. I led the WP Omaha meetup for many years here in Omaha, Nebraska and I also led the WordCamp, the organizing of WordCamp here in Omaha for several years as well. That whole community, the whole ecosystem, at least in America seems to have largely fallen apart. I don’t know if you want to talk about that at all. But yeah, I’m ready to dive into any topics.
Topher: I’m going to have one more question and then we’re going to wrap up. And it was that you were talking about all the things you had to learn. I’m sure there were nights where you were looking at your computer thinking, “Oh man, I had it working, now I gotta go learn a new thing.” I would love for you to go back in time and blog all of that if you would. But given that you can’t, I would be interested in a blog moving forward, documenting what you’re learning, how you’re learning it and starting maybe with a post that summarizes all of that.
Obviously, that’s up to you and how you want to spend your time, but I think it’d be really valuable to other people starting a project, picking up somebody else’s project to see what the roadmap might look like. You know what I mean?
Rob: For sure. Well, I can briefly summarize what I’ve learned over the years and where I’m at today with how I do this kind of stuff. I will say that a lot of the improvements to WP Rig that have happened over the last year or two would not be possible without the advent of AI.
Topher: Interesting.
Rob: That’s a fancy way of saying that I have been vibe coding a lot of WP Rig lately. If you know how to use AI, it is extremely powerful and it can help you do many things very quickly that previously would have taken much longer or more manpower. So, yeah, perhaps if there was like five, six, seven people actively, excuse me, actively contributing to WP Rig, then this type of stuff would have been possible previously, but that’s not the case. There is one person, well, one main contributor to WP Rig today and you’re talking to them. There are a handful of other people that have been lightly contributing to WP Rig over the versions and you can find their contributions in the change log file in WP Rig. But those contributions have been extremely light compared to what I’ve been doing. I wouldn’t be able to do any of it without AI. I have learned my ability to learn things extremely rapidly has ramped up tenfold since I started learning how to properly leverage LLMs and AI. So that’s not to say that like, you know, WP Rig, all the code is just being completely written by AI and I’m just like, “make it better,” enter, and then like WP Rig is better. I wish it was that easy. It’s certainly not that. But when I needed to start asking some of these vital questions that I really didn’t have anyone to turn to to help answer them, I was able to turn to AI. For instance, let’s go back to the Webpack versus Gulp situation.
Although Gulp is no longer used in WP Rig, you know, it was used in WP Rig until very recently. So I had to understand like, what is this system, how does it work, how do I extend it and how do I update it and all these things, right? And why aren’t we using Webpack and, you know, is there validity to this criticism behind you should use Webpack instead of Gulp or whatever, right? I was able to use AI to ask these questions and be able to get extremely good answers out of it and give me the direction I needed to make some of these kind of higher level decisions on like architecturally where should WP Rig go? It was through these virtual conversations with LLMs that I was able to refine the direction of WP Rig in a direction that is both modern and forward-thinking and architecturally sound. I learned a tremendous amount from AI about the architecture, about the code, about all of it. My advice to anybody that wants to extend their skill set a little bit in the development side of things is to leverage this new thing that we have in a way that is as productive as possible for you. So that’s going to vary from person to person. But for me, if I’m on a flight or if I’m stuck somewhere for a while, like, let’s say I got to take my kid to practice or something and I’m stuck there for an hour and I got to find some way to kill my time, 9 times out of 10, I’m on my laptop or on my phone having conversations with Grok or ChatGPT or Gemini or whatever. I am literally refining… I’m just sitting there asking it questions that are on my mind that I wish I could ask somebody who’s like 10 times more capable than me. It has been instrumental. WP Rig wouldn’t be where it is today if it wasn’t for that. I would just say to anybody, especially now that it’s all on apps and you don’t have to be on a browser anymore, adopt that way of thinking.
You know, if you’re on your lunch break or whatever and you have an hour lunch break and you only take 15 minutes to eat, what could you be doing with those other 45 minutes? You could just jump on this magical thing that we have now and start probing it for questions. Like, “Hey, here’s what I know. Here’s what I don’t know. Fill these knowledge gaps for me.” And it is extremely good at doing that.
Topher: So my question was, can you blog this, and your answer told me that there’s more there that I want to hear. That’s the stuff that should be in your book when you write your book.
Rob: I’m flattered that you would be interested in reading anything that I write. So thank you. I’ve written stuff in the past and it hasn’t gotten a lot of attention. But I also don’t have any platforms to market it either. But yeah, no, I made some… I’m sorry.
Topher: I think your experience is valuable far beyond Rig or WordPress. If you abstract it out of a particular project to say, you know, I did this with a project, I learned this this way, I think that would be super valuable.
Rob: Well, I will say that recently at my current job, I was challenged to create an end to end testing framework with Playwright that would speed up how long it takes to test things and also prevent, you know, to make things fail earlier, essentially, to prevent broken things from ending up in the wild, right, and having to catch them the hard way. I didn’t know a lot about Playwright, but I do know how toolkits work now because of WP Rig. And I was able to successfully in a matter of, I don’t know, three days, put together a starter kit for a test framework that we’re already using at work to test any website that we create for any client. It can be extended and it can be hooked into any CI/CD pipeline and it generates reports for you and it does a whole bunch of stuff. I was able to do this relatively quickly. This knowledge, yes, does come in handy in other situations.
Will I end up developing other toolkits like WP Rig in the future for other things? I guess if I can give any advice to anybody listening out there, another piece of advice I would give people is, you know, especially if you’re a junior developer and you’re still learning or whatever, or you’re just a marketing person and just want to have more control over the functionality side of what you’re creating or more insight into that so you could better, you know, manage projects or whatever. My advice would be to take on a small little project that is scoped relatively small that’s not too much for you to chew and go build something and do it with… Just doing that will be good. But if you can do it with the intent to then present it in some fashion, whether it be a blog article or creating a YouTube video or going to a meetup and giving a talk on it or even a lunch and learn at work or whatever, right, that will, in my experience, it will dramatically amplify how much you learn from that little pet project that’s kind of like a mini learning experience. And I highly encourage anybody out there to do that on the regular. Actually, no matter what your experience level is in development, I think you should do these things on a regular basis.
Topher: All right. I’m going to wrap this up. I got to get back to work. You probably have to get back to work.
Rob: Yeah.
Topher: Thanks for talking.
Rob: Thanks for having me, Topher. Really appreciate it.
Topher: Where could people find you? WPrig.io?
Rob: Yeah, WPrig.io. WP Rig has accounts on all of the major platforms and even on Bluesky and Mastodon. You can look me up, Rob Ruiz. You can find me on LinkedIn. You can find me on all of those same platforms as well. You can add me on Facebook if you want, whatever. And I’m also in the WordPress Slack as well as Rob Ruiz. You can find me in the WordPress Slack. And then I’m on the WordPress Reddit and all that stuff. So yeah, reach out.
If anybody wants to have any questions about Rig or anything else, I’m happy to engage.
Topher: Sounds good. All right, I’ll see you.
Rob: All right, thanks, Topher. Have a good day.
Topher: This has been an episode of the Hallway Chats podcast. I’m your host Topher DeRosia. Many thanks to our sponsor Nexcess. If you’d like to hear more Hallway Chats, please let us know on hallwaychats.com.
This is a special episode, highlighting a session from ELC Annual 2025! OpenAI evolved from a pure research lab into the fastest-growing product in history, scaling from 100 million to 700 million weekly users in record time. In this episode, we deconstruct the organizational design choices and cultural bets that enabled this unprecedented velocity. We explore what it means to hire "extreme generalists," how AI-native interns are redefining productivity, and the real-time trade-offs made during the world's largest product launches. Featuring Sulman Choudhry (Head of ChatGPT Engineering) and Samir Ahmed (Technical Lead), moderated by Lawrence Bruhmuller (Eng Management @ Sigma).
ABOUT SULMAN CHOUDHRY
Sulman leads ChatGPT Engineering at OpenAI, driving the development and scaling of one of the world's most impactful AI products. He pushes the boundaries of innovation by turning cutting‑edge research into practical, accessible tools that transform how people interact with technology. Previously at Meta, Sulman founded and scaled Instagram Reels, IGTV, and Instagram Labs, and helped lead the early development of Instagram Stories. He also brought MetaAI to Instagram and Messenger, integrating generative AI into experiences used by billions. Earlier in his career, Sulman was on the founding team that built and launched UberEATS from the ground up, helping turn it into a global food delivery platform. With a track record of marrying technical vision, product strategy, and large‑scale execution, Sulman focuses on building products that meaningfully change how people live, work, and connect.
ABOUT SAMIR AHMED
Samir is the Technical Lead for ChatGPT at OpenAI, where he currently leads the Personalization and Memory efforts to scale adaptive, useful, and human-centered product experiences to over 700 million users. He works broadly across the OpenAI stack, including mobile, web, services, systems, inference, and product research infrastructure. Previously, Samir spent nine years at Snap, working across Ads, AR, Content, and Growth. He led some of the company's most critical technical initiatives, including founding and scaling the machine learning platform that powered nearly all Ads, Content, and AR workloads, handling tens of billions of requests and trillions of inferences daily.
ABOUT LAWRENCE BRUHMULLER
Lawrence Bruhmuller has over 20 years of experience in engineering management, much of it as an overall head of engineering. Previous roles include CTO/VPE roles at Great Expectations, Pave, Optimizely, and WeWork. He is currently leading the core query compiler and serving teams at Sigma Computing, the industry leading business analytics company. Lawrence is passionate about the intersection of engineering management and the growth stage of startups. He has written extensively on engineering leadership (https://lbruhmuller.medium.com/), including how to best evolve and mature engineering organizations before, during and after these growth phases. He enjoys advising and mentoring other engineering leaders in his spare time. Lawrence holds a Bachelor's and Master's in Mathematics and Engineering from Harvey Mudd College. He lives in Oakland, California, with his wife and their three daughters.
This episode is brought to you by Span! Span is the AI-native developer intelligence platform bringing clarity to engineering organizations with a holistic, human-centered approach to developer productivity. If you want a complete picture of your engineering impact and health, drive high performance, and make smarter business decisions… Go to Span.app to learn more!
SHOW NOTES:
From research lab to record-breaking product: Navigating the fastest growth in history (4:03)
Unpredictable scaling: Handling growth spurts of one million users every hour (5:20)
Cross-stack collaboration: How Android, systems, and GPU engineers solve crises together (7:06)
The magic of trade-offs: Aligning the team on outcomes like service uptime vs. broad availability (7:57)
Why throwing models "over the wall" failed and how OpenAI structures virtual teams (11:17)
Lessons from OpenAI's first intern class: Why AI-native new grads are crushing expectations (13:41)
Non-hierarchical culture: Using the "Member of Technical Staff" title to blur the lines of expertise (15:37)
AI-native engineering: When massive code generation starts breaking traditional CI/CD systems (16:21)
Asynchronous workflows: Using coding agents to reduce two-hour investigations to 15 minutes (17:35)
The mindset shift: How rapid model improvements changed how leaders audit and trust code (19:00)
Predicting success: "Vibes-based" decision making and iterative low-key research previews (20:43)
Hiring for high variance: Why unconventional backgrounds lead to high-potential engineering hires (22:09)
LINKS AND RESOURCES
Link to the video for this session
Link to all ELC Annual 2025 sessions
This episode wouldn't have been possible without the help of our incredible production team:
Patrick Gallagher - Producer & Co-Host
Jerry Li - Co-Host
Noah Olberding - Associate Producer, Audio & Video Editor https://www.linkedin.com/in/noah-olberding/
Dan Overheim - Audio Engineer, Dan's also an avid 3D printer - https://www.bnd3d.com/
Ellie Coggins Angus - Copywriter, Check out her other work at https://elliecoggins.com/about/
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.