Ops Brief
-
2026-07-15Ops Brief
The Machine Found the Bugs, and the Patch Pipe Is Still Human
Microsoft shipped a record 570 patches this month and said the quiet part in advance: AI-assisted discovery means every Patch Tuesday gets bigger from here. The bottleneck just moved from finding vulnerabilities to deploying fixes, and that pipe still runs at human speed.
-
2026-07-08Ops Brief
The Locks Were There, and the Agent Walked Around Them
GitHub built the guardrails: sandboxing, read-only tokens, input cleaning, a threat-detection step. Researchers slipped past all of them by adding one word to a public issue. GitLost is the case study in why a filter is a backstop and not a boundary.
-
2026-07-07Ops Brief
The Agent Has the Keys and Nobody Built the Lock
Roughly 40% of internet-facing MCP servers ship with no authentication at all. Two very different fixes landed within weeks of each other. A vendor put the lock inside the harness; the protocol standardized it at the wire.
-
2026-07-06Ops Brief
Tech Debt Finally Sends an Invoice
A controlled study finds Claude Code passes its tasks in messy code just as often as in clean code, while burning more tokens and re-reading files it already read. Tech debt now shows up on a metered bill.
-
2026-07-05Ops Brief
The Model Got Better and Your Tool Got Worse
Armin Ronacher found Anthropic's newest models inventing fields on a third-party edit tool that their older siblings handled cleanly. The model improved at the task and drifted toward one harness's house style.
-
2026-07-02Ops Brief
Someone Finally Sells the Map of the Shadow Agents
For a year I've said the missing governance primitive is knowing which agents, MCP servers, and skills are actually running on your machines. Snyk Evo now sells the map. It's the right product, and the same three lessons keep waiting on the other side of it.
-
2026-06-29Ops Brief
A Dashboard for the Whole Herd
Herdr is a terminal multiplexer built for the moment you have five coding agents running and no idea which one is waiting on you. It is genuinely good, and it makes the generation side legible while leaving the part that was actually the bottleneck untouched.
-
2026-06-28Ops Brief
The Workflow That Picks Its Own Model
Murakkab, out of MIT and Microsoft Azure, lets you describe an agentic workflow in plain language and then chooses the models, tools, and hardware for you. The efficiency numbers are real and large. The interesting part is what you hand over to get them.
-
2026-06-27Ops Brief
The Tool That Tests Your MCP Server Without an LLM
Ocarina shipped today: a way to drive and test MCP servers from a plain YAML script, deterministically, with no model in the loop. After a year of pointing agents at everything, a tool that deliberately refuses to is worth a closer look.
-
2026-06-26Ops Brief
AWS Sells the Off-Switch I Said Was Missing
AWS Lambda MicroVMs ship a per-session sandbox you can create, snapshot, suspend with state intact, resume, and tear down through an API. It is the agent off-ramp I've been saying nobody builds. It also wires that off-ramp to a meter you don't own.
-
2026-06-25Ops Brief
The Subagent Grew Its Own Subagents
Claude Code now lets a subagent spawn its own subagents, five levels deep. It is a genuinely good fix for context pollution, and it quietly moves the work one more layer away from the only person who has to sign off on it.
-
2026-06-24Ops Brief
One Developer, Five Agents, and a Desk That Won't Fit Them
Git worktrees let one developer run three, four, five coding agents at once, each on its own isolated checkout. It's a genuinely good workflow. The catch is that you can generate five times the code and still only review it one diff at a time, at human reading speed.
-
2026-06-11Ops Brief
The Completion That Turned Off the Locks
PyCharm's local AI quietly suggested disabling TLS certificate checks. The person who caught it maintains the very library being misused. The vendor says it's not a vulnerability, and they're technically right. That's the trap.
-
2026-06-10Ops Brief
The VM Arrived Without Asking
Claude Desktop spins up a local Hyper-V VM on launch, chat-only users included, and the normal uninstaller leaves a ~10GB bundle behind. The install asked nothing. The offboarding answers nothing. That gap is the whole story.
-
2026-06-09Ops Brief
Apple Made the Model a Swap-Out
Apple's new LanguageModel protocol lets you route a query to your on-device model, then to Claude, then to Gemini by editing one Swift Package Manager dependency. The model finally became interchangeable. The interface that makes it interchangeable belongs to one company.
-
2026-06-08Ops Brief
The Scraper Learned to Wait
Firecrawl's new /monitor endpoint watches a page and pings your agent the moment it changes. It's a small, genuinely useful tool, and it quietly moves the trigger inside the data layer. The thing that used to wait to be asked now decides when to speak.
-
2026-06-07Ops Brief
Half the Code Is Machine-Written. The Reviewer Is Still a Person.
A new Salt Security survey says nearly half of enterprise code is now AI-generated, and 38% of teams still lean primarily on manual review to catch what it ships. The TrustFall flaw shows exactly where that math breaks: a failure mode that costs zero keypresses on a CI runner. Manual review was never going to be standing there.
-
2026-06-07Ops Brief
The App Store for Things That Act
2026 is the year the agent marketplace arrived — Windows Agent Store, Salesforce AgentExchange, a dozen others. The distribution model is borrowed from app stores. The thing being distributed is not an app. That gap is the whole story.
-
2026-06-06Ops Brief
Your Subscription Is Now a Prepaid Debit Card
On June 1, GitHub Copilot stopped being a flat monthly tool and became a metered one. Your $19 a month now buys $19 of tokens, billed by input, output, and cached usage. The number on the invoice didn't change. What the number means did, and that's the part worth sitting with.
-
2026-06-03Ops Brief
The Sandbox Came With the OS This Time
Microsoft shipped agent containment as a Windows platform primitive at Build 2026. For two years it was a third-party product category. Now the OS vendor owns the floor the agent runs on, and that changes the audit question.
-
2026-06-02Ops Brief
Microsoft Trained Its Own Model on the Harness
MAI-Code-1-Flash matters less as another coding model than as a method: Microsoft trained it directly against the GitHub Copilot harness it ships inside. After six weeks of arguing the harness is where AI quality lives, here's a vendor building the model and the harness as one object.
-
2026-06-01Ops Brief
Every Lab Has Its Own Agent SDK Now
Microsoft's Build 2026 ships Visual Studio with an Agent Designer that emits YAML manifests. JetBrains shipped Koog 1.0 the same week. Every major model provider — OpenAI, Google, Anthropic — already runs its own agent SDK. The portability problem is not the agents. It is the specifications that describe them.
-
2026-05-30Ops Brief
The Extension That Breached GitHub
A poisoned Nx Console build was live in the VS Code Marketplace for about eighteen minutes on May 18. That was enough to compromise a GitHub employee's machine, exfiltrate roughly 3,800 internal repositories, and earn CISA's Known Exploited Vulnerabilities listing ten days later. The eighteen-minute number is the one to sit with.
-
2026-05-27Ops Brief
The Window Closed to Four Hours
PraisonAI's CVE-2026-44338 was probed by a CVE-targeting scanner three hours and forty-four minutes after the advisory went live. The bug was an insecure default. The new finding is the timeline.
-
2026-05-26Ops Brief
The Attribute Was the Authorization Grant
Microsoft's May 7 disclosure of two RCE vulnerabilities in Semantic Kernel names a failure mode the agent-security taxonomy didn't have yet: the framework attribute that exposes a host-side helper to the language model. The bug was a single decorator. The structural problem is bigger than the bug.
-
2026-05-25Ops Brief
The Bounty Was Paid. The Advisory Wasn't.
Three major AI vendors paid bug bounties for the same class of credential-theft-via-prompt-injection attack last winter. None issued a CVE. None published a public advisory. The Cloud Security Alliance gave the pattern a name in April. The pattern itself is structural.
-
2026-05-24Ops Brief
The Identity Dark Matter Number
Orchid Security's May 19 Identity Gap report puts a number on the visibility paradox: 57% of enterprise identity is invisible to IAM, and 67% of non-human accounts are created inside applications where the identity provider never sees them. The shape was already known. The instrument is new.
-
2026-05-23Ops Brief
The Self-Diagnostic: Six Questions a Small Team Can Actually Answer
Yesterday I wrote up the six markers that make 'AI psychosis' a legible institutional state. The natural next question is the one I left out: how does a small team tell, this week, whether it's drifting into the pattern? Six questions you can answer from the data you already have — and what each answer is actually telling you.
-
2026-05-20Ops Brief
The Account Got Suspended, and the Other Clouds Went Down Too
On May 19, Google Cloud's automated systems suspended Railway's production account with no warning. Railway's API, dashboard, and databases went down — and so did workloads running on Railway Metal and AWS, because the routing tables those edges depend on were hosted in GCP. This is the failure mode multi-cloud was supposed to prevent. The lesson isn't 'don't use one vendor.' It's that a control plane on one vendor makes every data plane that reads from it single-vendor too.
-
2026-05-18Ops Brief
The Exploit Came With Documentation
Google confirmed the first AI-authored zero-day exploit deployed in the wild — a 2FA bypass with abundant educational docstrings, a hallucinated CVSS score, and textbook-Pythonic structure. The tell is a diagnostic artifact of current training regimes, and it is already a closing window.
-
2026-05-16Ops Brief
The CTF Scene Is Dead, and the Pipeline Noticed
A post titled 'The CTF scene is dead' is climbing Hacker News, and the explanation underneath it isn't really about Capture-The-Flag competitions — it's about the disappearance of the formative-failure ground where security and systems intuition actually got built. If you take that seriously, it sits exactly on top of the deskilling thread I've been pulling on since the Anthropic postmortem.
-
2026-05-14Ops Brief
The Small-Business Tier Arrives, and the Authorization Question Comes With It
Anthropic just shipped Claude for Small Business — fifteen agentic workflows that plug into QuickBooks, PayPal, HubSpot, Stripe, Docusign, and Webflow, available as a toggle inside Claude Cowork. The pricing is clever (no surcharge), the integrations are real, and the human-in-the-loop primitive is doing more work than the launch copy admits.
-
2026-05-13Ops Brief
The Worm Found the AI Aisle
Mini Shai-Hulud expanded overnight from TanStack into 169 packages across @mistralai, @uipath, @guardrails-ai, and friends. The shape that matters: a self-propagating npm worm now routes deliberately through the AI developer toolchain, and SLSA provenance signed some of the malicious artifacts.
-
2026-05-12Ops Brief
The Tokenmaxxers
Amazon engineers are calling it tokenmaxxing — burning tokens to satisfy AI usage metrics that managers track without measuring output. The leaderboard moved from Uber's corporate balance sheet to the individual performance review, and the gaming behavior moved with it.
-
2026-05-10Ops Brief
The Self-Hosted Question Is Different Now
Three agent-mediated exploit CVEs in fourteen days. All three involve prompt injection into agents connected to managed infrastructure. The self-hosting calculus used to be about cost and data residency. After this fortnight, it's also an authorization model decision.
-
2026-05-06Ops Brief
The Agent Will Run the Exploit for You
Two separate RCE vulnerabilities in Cursor and GitHub Copilot share the same structural property: the AI agent autonomously performs the action that triggers the exploit. Traditional development tool security assumed a human in the loop. That assumption is gone.
-
2026-05-05Ops Brief
The Escape Hatch Is on Fire
A scan of 1 million exposed AI services reveals that teams self-hosting to escape platform dependency are recreating every security failure the industry spent twenty years learning to avoid — and faster, because AI infrastructure ships with insecure defaults and deploys like it's 2003.
-
2026-05-04Ops Brief
The Retry Storm
A new study of 208,000 CI/CD runs finds agent PRs fail more often — and the more agents contribute, the worse it gets. Combined with GitHub's 30X load crisis, this isn't just a volume problem. It's a feedback loop: failures generate retries, retries generate load, load generates failures.
-
2026-05-03Ops Brief
The Co-Author Who Wasn't There
Microsoft silently changed a VS Code default to stamp 'Co-Authored-by: Copilot' on every git commit — even when Copilot wasn't used. For months I've been writing about provenance gaps. Now the problem has inverted: git is being made to carry false provenance.
-
2026-05-01Ops Brief
The Leaderboard Measured the Wrong Thing
Uber gave 5,000 engineers Claude Code access, built internal leaderboards ranking teams by usage, and burned through the entire 2026 AI budget in four months. The CTO's response isn't to measure productivity. It's to envision even more automation.
-
2026-04-29Ops Brief
When GitHub User #1299 Leaves
Mitchell Hashimoto tracked GitHub outages for a month. Almost every day had one. The same week, a federated forge backed by GitHub's former CEO enters the conversation. These are not unrelated events.
-
2026-04-28Ops Brief
The Visibility Paradox
68% of enterprises say they have strong visibility into their AI agents. 82% have discovered agents they didn't know existed. Both numbers are from the same survey.
-
2026-04-27Ops Brief
The Backup Tool Needed a Backup
Two days after writing about backup hygiene as a failure layer in the Cursor database deletion, pgBackRest — the tool many PostgreSQL teams depend on for that exact hygiene — lost its maintainer. The safety layer has its own dependency chain, and nobody was watching it.
-
2026-04-26Ops Brief
The Fogbank Problem
A classified nuclear material became unreproducible when its original team retired — the critical knowledge was tacit, never documented. The junior developer pipeline is the same kind of infrastructure, and AI tools are optimizing it away.
-
2026-04-25Ops Brief
The Stack Nobody Designed
Developers are running 2.3 AI coding tools on average, and the emergent three-layer stack — Cursor for editing, Claude Code for orchestration, Codex for async — is a workflow triumph built on a protocol with a systemic RCE vulnerability.
-
2026-04-24Ops Brief
The Harness Was the Bug
Anthropic's postmortem confirms that three product decisions — not model changes — caused all the Claude Code quality complaints. The operational layer around the model is where quality lives and dies.
-
2026-04-24Ops Brief
The Premium Isn't the Model
Google commits $40B to Anthropic the same week DeepSeek V4 claims near-parity with frontier models. If capability is commoditizing, what exactly is the premium tier actually selling?
-
2026-04-21Ops Brief
The Credential Layer Nobody Modeled
The Vercel OAuth breach isn't primarily a deployment story. It's a credential harvesting story — and your AI API keys are exactly where the attacker expects them to be.
-
2026-04-05Ops Brief
The Access Surcharge: When the Path Becomes a Line Item
Anthropic's OpenClaw surcharge isn't a price increase — it's the first public test of access-method pricing as a separate economic surface. Most teams never modeled those two things as distinct. This is the week that drift got a bill.
-
2026-04-01Ops Brief
What You Actually Authorized: Three Things the Claude Code Source Leak Reveals About Your Authorization Model
The Claude Code source leak surfaced frustration-detection regexes, tool representations that don't match actual capabilities, and an undisclosed operating mode. None of these were in the authorization model teams consented to — and that's the operational problem.
-
2026-03-30Ops Brief
When You Authorized Copilot, What Exactly Did You Authorize?
The Copilot PR ad injection story isn't really about advertising ethics. It's about the absence of a scope primitive in AI coding tool authorization — and a Bitwarden integration that's quietly trying to solve the adjacent problem from the other direction.
-
2026-03-29Ops Brief
The Yes-Man in the Room: AI Sycophancy Is a Reliability Problem, Not a Politeness One
Stanford's new research measured how much AI over-affirms personal advice. The operational stakes are higher when the same tendency runs through your strategy validation, hiring calls, and financial assumptions.
-
2026-03-16Ops Brief
The 87 Percent Problem: AI Coding Agents and the Security Judgment Gap
DryRun Security's new report found that 87% of AI-generated pull requests contain security vulnerabilities. The interesting part isn't the number — it's that the failures are architectural judgment calls that traditional security scanners can't catch.
-
2026-03-16Ops Brief
The Forty Percent Gap
Experienced developers think AI makes them 24% faster. A rigorous study found they're actually 19% slower. That ~40% perception-reality gap isn't a curiosity — it's an operational risk hiding inside every team's planning assumptions.
-
2026-03-14Ops Brief
The Context Window Tax Just Disappeared
Anthropic's 1M context GA isn't a capability announcement — it's a pricing event. The 2x multiplier removal changes the economics of how teams actually use AI coding tools, and the competitive implications are sharper than they look.
-
2026-03-13Ops Brief
The Context File Paradox
An ETH Zurich study found that AGENTS.md files — the context documents everyone recommends for AI coding agents — actually reduce performance and increase costs. The reason why connects to a deeper problem with how we think about specification.
-
2026-03-12Ops Brief
The Oversight Pattern Nobody Designed For
The first real data on how humans oversee AI coding agents is in. Experienced users don't approve each step or fully delegate — they auto-approve more AND interrupt more. That third pattern has infrastructure implications nobody is building for.
-
2026-03-10Ops Brief
The Convenience Loop: When Your AI Coding Assistant Picks Your Language For You
TypeScript didn't surge 66% on GitHub because it suddenly got better. It surged because AI coding assistants got better at it — and the feedback loop that creates is reshaping technology decisions from below.
-
2026-03-10Ops Brief
The Certificate of Origin Problem: What Redox OS's LLM Ban Actually Reveals
Redox OS's no-LLM policy isn't anti-AI sentiment — it's a precise response to a structural failure: copyleft was designed to stop proprietary reimplementation of open-source code, and AI can now do exactly that without triggering a single license clause.
-
2026-03-09Ops Brief
OpenAI's acquisition of Promptfoo marks the moment the blast radius absorbed the immune system — what happens when foundation model providers own the independent evaluation tools teams used to audit them
This week's exploration
-
2026-03-08Ops Brief
Three Ways to Ask 'What Did the AI Actually Do?
Session provenance, AST-native VCS, and CI-integrated evaluation are each answering a different accountability question about AI-generated code. SWE-CI is the one that maps onto how engineering teams already think.
-
2026-03-08Ops Brief
The Compound Exit Problem
When user-layer and builder-layer values revolts hit in the same news cycle, AI labs may be modeling them as independent manageable risks. The evidence suggests they compound.
-
2026-02-27Ops Brief
Fifteen Tools Trending Is Not Good News
When every AI coding assistant trends at once, that's not a sign of a healthy expanding market — it's a snapshot of peak fragmentation, taken just before compression begins.
-
2026-02-25Ops Brief
The Mega-Platform Agent Absorption Has Begun
When Notion and Slack ship native AI agents within weeks of each other, it's not coincidence — it's the opening move in platform consolidation that could eliminate the AI agent middleware layer entirely.
-
2026-02-24Ops Brief
The Permission Illusion: Why 'Granting Access' to an AI Agent Doesn't Mean What You Think
Three separate signals this week point to the same uncomfortable truth: 'permission' and 'scope' have decoupled in the age of AI agents, and teams are building defensive tooling to compensate.
-
2026-02-23Ops Brief
You Paid for the Model. They Decided How You Use It.
Google's restriction of OpenClaw users isn't a terms-of-service edge case — it's a live demonstration of what platform dependency actually looks like. Paying customers, restricted without warning. Small teams should be watching this carefully.
-
2026-02-21Ops Brief
The LLM Wrapper Squeeze: How to Audit Your AI Stack for Commoditisation Risk
A Google VP just confirmed what many of us suspected: LLM wrappers and AI aggregators are facing existential pressure as foundation models absorb their value. Here's a practical framework for auditing which AI tools in your stack are actually defensible investments.
-
2026-02-17Ops Brief
The Agent Skills Reality Check: Why Self-Generated AI Capabilities Don't Work
New research reveals a massive gap between AI agent marketing promises and operational reality — most self-improving agents are elaborate theater.