
Anthropic's Project Glasswing update is a useful signal for developer teams: AI can find vulnerability candidates faster than humans can verify, disclose, patch, and ship them.

Before an AI agent gets tools, files, APIs, MCP servers, or deployment access, decide what it can read, write, call, log, and roll back.

Runtime's Launch HN thread is a useful signal: teams do not just want isolated coding agents. They want a control plane for approvals, secrets, telemetry, review, and merge policy.

GitHub trending is full of agent skill registries. The winning pattern is not more prompts. It is dependency governance for the instructions your coding agents inherit.

Claude Code's newer plugin URL and hard-deny controls are small release-note items with a big implication: agent extensions now need supply-chain discipline.

The TanStack npm incident was not just a package-security story. It was a reminder that AI agent workflows inherit every weak trust boundary in CI.

OpenAI's May 8 macOS certificate rotation for ChatGPT, Codex, Codex CLI, and Atlas is not just a one-off update. It is a useful test of how your team governs AI developer tools.

Manual approval prompts stop protecting users when coding agents ask too often. The better pattern is risk-aware autonomy: safe defaults, narrow deny rules, and approvals only for meaningful changes.

Microsoft's lib0xc landed on Hacker News with a practical message: safer systems code often means better C APIs, warnings, bounds checks, and incremental adoption, not a heroic rewrite.

OpenAI's Codex Security agent reviews app code for vulns. Here is what it caught and missed on three real production repos.